Created attachment 57285: compiz stacktrace
Mesa git: e86d90eb
Sandybridge
Occasionally, compiz crashes after opening a new X window and it ends up calling intelSetTexBuffer2, like in the attached stacktrace.
Created attachment 57365: full compiz stacktrace
(With all debug symbols this time.)
Created attachment 57425: Piglit test case
Reproduced this issue on SNB. Attaching the piglit test case to reproduce the issue. Test case will also be posted on piglit mailing list for review.
Intel driver is unable to map large textures, which generates a GL_OUT_OF_MEMORY error and a segfault/assertion failure later on. This issue is closely related to Bug 44970.
Piglit test case error log:
GL_TEXTURE_2D, Maximum allowable texture size = 8192
Mesa: User error: GL_OUT_OF_MEMORY in glTexSubImage2D
GL error 1 while testing GL_TEXTURE_2D, texture size = 4097, internal format = GL_RGBA8
intel-miptree-release: intel_regions.c:310: intel_region_release: Assertion `region->map_refcount == 0' failed.
Program received signal SIGABRT, Aborted.
0x00110416 in __kernel_vsyscall ()
(gdb) bt
#0 0x00110416 in __kernel_vsyscall ()
#1 0x4dc3698f in __GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#2 0x4dc382d5 in __GI_abort () at abort.c:91
#3 0x4dc2f6a5 in __assert_fail_base (fmt=0x4dd6fc48 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x29a949 "region->map_refcount == 0", file=0x29a85f "intel_regions.c", line=310, function=0x29a9b1 "intel_region_release") at assert.c:94
#4 0x4dc2f757 in __GI___assert_fail (assertion=0x29a949 "region->map_refcount == 0", file=0x29a85f "intel_regions.c", line=310, function=0x29a9b1 "intel_region_release") at assert.c:103
#5 0x001f4b52 in intel_region_release (region_handle=0x83203bc) at intel_regions.c:310
#6 0x001f1def in intel_miptree_release (mt=0x8328d2c) at intel_mipmap_tree.c:299
#7 0x001f1cab in intel_miptree_reference (dst=0x8328d2c, src=0x831f1f8) at intel_mipmap_tree.c:276
#8 0x001fa117 in intel_alloc_texture_image_buffer (ctx=0x80c8aa0, image=0x831d3b8, format=MESA_FORMAT_ARGB8888, width=4098, height=4098, depth=1) at intel_tex.c:104
#9 0x003f9815 in _mesa_store_teximage3d (ctx=0x80c8aa0, texImage=0x831d3b8, internalFormat=32856, width=4098, height=4098, depth=1, border=0, format=6408, type=5126, pixels=0x0, packing=0x80ce530) at main/texstore.c:4280
#10 0x001fb3ac in intelTexImage (ctx=0x80c8aa0, dims=2, texImage=0x831d3b8, internalFormat=32856, width=4098, height=4098, depth=1, format=6408, type=5126, pixels=0x0, unpack=0x80ce530, imageSize=0) at intel_tex_image.c:227
#11 0x001fb479 in intelTexImage2D (ctx=0x80c8aa0, texImage=0x831d3b8, internalFormat=32856, width=4098, height=4098, border=0, format=6408, type=5126, pixels=0x0, unpack=0x80ce530) at intel_tex_image.c:256
#12 0x003e16ec in teximage (ctx=0x80c8aa0, dims=2, target=3553, level=0, internalFormat=32856, width=4098, height=4098, depth=1, border=0, format=6408, type=5126, pixels=0x0) at main/teximage.c:2535
#13 0x003e193c in _mesa_TexImage2D (target=3553, level=0, internalFormat=32856, width=4098, height=4098, border=0, format=6408, type=5126, pixels=0x0) at main/teximage.c:2587
#14 0x0806bedb in piglit_display () at /home/anuj/projects/piglit/tests/bugs/intel-miptree-release.c:109
#15 0x0806c6d7 in display () at /home/anuj/projects/piglit/tests/util/piglit-framework.c:56
#16 0x4d13a3c3 in ?? () from /usr/lib/libglut.so.3
#17 0x4d13ddc7 in fgEnumWindows () from /usr/lib/libglut.so.3
#18 0x4d13a86e in glutMainLoopEvent () from /usr/lib/libglut.so.3
#19 0x4d13b0b8 in glutMainLoop () from /usr/lib/libglut.so.3
#20 0x0806ce59 in main (argc=1, argv=0xbffff1d4) at /home/anuj/projects/piglit/tests/util/piglit-framework.c:304
Are you sure that's the same issue? When you disable asserts, does it go on to hit a bad memory access because rb->mt == NULL and it calls intel_miptree_release(&rb->mt->hiz_mt), which then dereferences it first thing?
Created attachment 58573: log with chadv's debug branch
Here's the stderr output from a run of compiz with this branch: http://cgit.freedesktop.org/~chadversary/mesa/log/?h=8.0-bug-46739-log1
Created attachment 58726: intel: fix null deref processing HiZ buffer
Does this patch look fine?
The patch looks perfect. It has my Reviewed-by: Chad Versace <chad.versace@linux.intel.com>.
Assigning to self.
*** Bug 46739 has been marked as a duplicate of this bug. ***
Committed to master as 8d9decb75f0df564abaf9888d9fc5c77de8059cd. It's a day too late to make it into 8.0.2 unfortunately.
And cherry-picked to the 8.0 stable branch as 89e796aef5ca1b35ca4ff6fce9231b4125e07037. Here's to 8.0.3?