Bug 46303 - [SNB] segfault in intel_miptree_release()
Summary: [SNB] segfault in intel_miptree_release()
Alias: None
Product: Mesa
Classification: Unclassified
Component: Drivers/DRI/i965
Version: git
Hardware: Other All
Importance: medium normal
Assignee: Chad Versace
QA Contact:
Duplicates: 46739
Depends on:
Reported: 2012-02-19 16:08 UTC by nobled
Modified: 2012-03-23 12:05 UTC


compiz stacktrace (25.68 KB, text/plain)
2012-02-19 16:08 UTC, nobled
full compiz stacktrace (28.69 KB, text/plain)
2012-02-20 12:57 UTC, nobled
Piglit test case (4.41 KB, text/x-csrc)
2012-02-21 14:11 UTC, Anuj Phogat
log with chadv's debug branch (149.59 KB, text/plain)
2012-03-16 11:12 UTC, nobled
intel: fix null deref processing HiZ buffer (1.75 KB, patch)
2012-03-20 01:01 UTC, nobled

Description nobled 2012-02-19 16:08:19 UTC
Created attachment 57285 [details]
compiz stacktrace

Mesa git: e86d90eb

Occasionally, compiz crashes after opening a new X window and it ends up calling intelSetTexBuffer2, like in the attached stacktrace.
Comment 1 nobled 2012-02-20 12:57:09 UTC
Created attachment 57365 [details]
full compiz stacktrace

(With all debug symbols this time.)
Comment 2 Anuj Phogat 2012-02-21 14:11:01 UTC
Created attachment 57425 [details]
Piglit test case

Reproduced this issue on SNB. Attaching the piglit test case to reproduce the issue. Test case will also be posted on piglit mailing list for review.
Comment 3 Anuj Phogat 2012-02-22 11:55:36 UTC
Intel driver is unable to map large textures, which generates a GL_OUT_OF_MEMORY error and a segfault/assertion failure later on. This issue is closely related to Bug 44970.

Piglit test case error log:

GL_TEXTURE_2D, Maximum allowable texture size = 8192
Mesa: User error: GL_OUT_OF_MEMORY in glTexSubImage2D
GL error 1 while testing GL_TEXTURE_2D, texture size = 4097, internal format = GL_RGBA8
intel-miptree-release: intel_regions.c:310: intel_region_release: Assertion `region->map_refcount == 0' failed.

Program received signal SIGABRT, Aborted.
0x00110416 in __kernel_vsyscall ()
(gdb) bt
#0  0x00110416 in __kernel_vsyscall ()
#1  0x4dc3698f in __GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#2  0x4dc382d5 in __GI_abort () at abort.c:91
#3  0x4dc2f6a5 in __assert_fail_base (fmt=0x4dd6fc48 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x29a949 "region->map_refcount == 0", 
    file=0x29a85f "intel_regions.c", line=310, function=0x29a9b1 "intel_region_release") at assert.c:94
#4  0x4dc2f757 in __GI___assert_fail (assertion=0x29a949 "region->map_refcount == 0", file=0x29a85f "intel_regions.c", line=310, 
    function=0x29a9b1 "intel_region_release") at assert.c:103
#5  0x001f4b52 in intel_region_release (region_handle=0x83203bc) at intel_regions.c:310
#6  0x001f1def in intel_miptree_release (mt=0x8328d2c) at intel_mipmap_tree.c:299
#7  0x001f1cab in intel_miptree_reference (dst=0x8328d2c, src=0x831f1f8) at intel_mipmap_tree.c:276
#8  0x001fa117 in intel_alloc_texture_image_buffer (ctx=0x80c8aa0, image=0x831d3b8, format=MESA_FORMAT_ARGB8888, width=4098, height=4098, depth=1) at intel_tex.c:104
#9  0x003f9815 in _mesa_store_teximage3d (ctx=0x80c8aa0, texImage=0x831d3b8, internalFormat=32856, width=4098, height=4098, depth=1, border=0, format=6408, 
    type=5126, pixels=0x0, packing=0x80ce530) at main/texstore.c:4280
#10 0x001fb3ac in intelTexImage (ctx=0x80c8aa0, dims=2, texImage=0x831d3b8, internalFormat=32856, width=4098, height=4098, depth=1, format=6408, type=5126, 
    pixels=0x0, unpack=0x80ce530, imageSize=0) at intel_tex_image.c:227
#11 0x001fb479 in intelTexImage2D (ctx=0x80c8aa0, texImage=0x831d3b8, internalFormat=32856, width=4098, height=4098, border=0, format=6408, type=5126, pixels=0x0, 
    unpack=0x80ce530) at intel_tex_image.c:256
#12 0x003e16ec in teximage (ctx=0x80c8aa0, dims=2, target=3553, level=0, internalFormat=32856, width=4098, height=4098, depth=1, border=0, format=6408, type=5126, 
    pixels=0x0) at main/teximage.c:2535
#13 0x003e193c in _mesa_TexImage2D (target=3553, level=0, internalFormat=32856, width=4098, height=4098, border=0, format=6408, type=5126, pixels=0x0)
    at main/teximage.c:2587
#14 0x0806bedb in piglit_display () at /home/anuj/projects/piglit/tests/bugs/intel-miptree-release.c:109
#15 0x0806c6d7 in display () at /home/anuj/projects/piglit/tests/util/piglit-framework.c:56
#16 0x4d13a3c3 in ?? () from /usr/lib/libglut.so.3
#17 0x4d13ddc7 in fgEnumWindows () from /usr/lib/libglut.so.3
#18 0x4d13a86e in glutMainLoopEvent () from /usr/lib/libglut.so.3
#19 0x4d13b0b8 in glutMainLoop () from /usr/lib/libglut.so.3
#20 0x0806ce59 in main (argc=1, argv=0xbffff1d4) at /home/anuj/projects/piglit/tests/util/piglit-framework.c:304
Comment 4 nobled 2012-03-16 06:03:38 UTC
Are you sure that's the same issue? When you disable asserts, does it go on to hit a bad memory access because rb->mt == NULL and it calls intel_miptree_release(&rb->mt->hiz_mt), which then dereferences it first thing?
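
The failure mode asked about in comment 4, as an added example that is not part of the original thread and is not Mesa's code or the attached patch. The struct layouts and the names miptree_new, miptree_release, rb_drop_hiz_unguarded and rb_drop_hiz_guarded are assumptions made for this simplified model; only rb, mt and hiz_mt come from the comment.

```c
#include <stdlib.h>

/* Simplified model; struct layouts are assumptions, not Mesa's. */
struct miptree {
    int refcount;
    struct miptree *hiz_mt;      /* auxiliary HiZ miptree, may be NULL */
};
struct renderbuffer { struct miptree *mt; };  /* mt is NULL when nothing is attached */

struct miptree *miptree_new(void)
{
    struct miptree *mt = calloc(1, sizeof(*mt));
    if (mt)
        mt->refcount = 1;
    return mt;
}

/* Receives the owner's slot and reads *slot first thing. */
void miptree_release(struct miptree **slot)
{
    struct miptree *mt = *slot;
    if (!mt)
        return;
    if (--mt->refcount == 0) {
        miptree_release(&mt->hiz_mt);
        free(mt);
    }
    *slot = NULL;
}

/* Unguarded: if rb->mt is NULL the slot address is bogus. Not called here. */
void rb_drop_hiz_unguarded(struct renderbuffer *rb)
{
    miptree_release(&rb->mt->hiz_mt);
}

/* Guarded: form the member address only once rb->mt is known non-NULL. */
int rb_drop_hiz_guarded(struct renderbuffer *rb)
{
    if (!rb || !rb->mt)
        return 0;                /* nothing attached, nothing to release */
    miptree_release(&rb->mt->hiz_mt);
    return 1;
}

int main(void)
{
    struct renderbuffer rb = { NULL };
    return rb_drop_hiz_guarded(&rb);   /* 0: release skipped safely */
}
```

With asserts compiled out, the NULL check inside miptree_release() does not help the unguarded caller, because the pointer it receives is a small non-NULL offset from address zero rather than NULL itself.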
Comment 5 nobled 2012-03-16 11:12:04 UTC
Created attachment 58573 [details]
log with chadv's debug branch

Here's the stderr output from a run of compiz with this branch:
Comment 6 nobled 2012-03-20 01:01:05 UTC
Created attachment 58726 [details] [review]
intel: fix null deref processing HiZ buffer

Does this patch look fine?
Comment 7 Chad Versace 2012-03-22 09:45:05 UTC
The patch looks perfect. It has my
Reviewed-by: Chad Versace <chad.versace@linux.intel.com>.
Comment 8 Chad Versace 2012-03-22 09:45:46 UTC
Assigning to self.
Comment 9 nobled 2012-03-22 13:59:45 UTC
*** Bug 46739 has been marked as a duplicate of this bug. ***
Comment 10 nobled 2012-03-22 14:04:24 UTC
Committed to master as 8d9decb75f0df564abaf9888d9fc5c77de8059cd.

It's a day too late to make it into 8.0.2 unfortunately.
Comment 11 nobled 2012-03-23 12:05:04 UTC
And cherry-picked to the 8.0 stable branch as 89e796aef5ca1b35ca4ff6fce9231b4125e07037.

Here's to 8.0.3?
