Bug 46303 - [SNB] segfault in intel_miptree_release()
Alias: None
Product: Mesa
Classification: Unclassified
Component: Drivers/DRI/i965
Version: git
Hardware: Other All
Importance: medium normal
Assignee: Chad Versace
Duplicates: 46739
Reported: 2012-02-19 16:08 UTC by nobled
Modified: 2012-03-23 12:05 UTC

compiz stacktrace (25.68 KB, text/plain)
2012-02-19 16:08 UTC, nobled
full compiz stacktrace (28.69 KB, text/plain)
2012-02-20 12:57 UTC, nobled
Piglit test case (4.41 KB, text/x-csrc)
2012-02-21 14:11 UTC, Anuj Phogat
log with chadv's debug branch (149.59 KB, text/plain)
2012-03-16 11:12 UTC, nobled
intel: fix null deref processing HiZ buffer (1.75 KB, patch)
2012-03-20 01:01 UTC, nobled

Description nobled 2012-02-19 16:08:19 UTC
Created attachment 57285 [details]
compiz stacktrace

Mesa git: e86d90eb

Occasionally, compiz crashes after opening a new X window and it ends up calling intelSetTexBuffer2, like in the attached stacktrace.
Comment 1 nobled 2012-02-20 12:57:09 UTC
Created attachment 57365 [details]
full compiz stacktrace

(With all debug symbols this time.)
Comment 2 Anuj Phogat 2012-02-21 14:11:01 UTC
Created attachment 57425 [details]
Piglit test case

Reproduced this issue on SNB. Attaching the piglit test case to reproduce the issue. Test case will also be posted on piglit mailing list for review.
Comment 3 Anuj Phogat 2012-02-22 11:55:36 UTC
The Intel driver is unable to map large textures, which generates a GL_OUT_OF_MEMORY error and a segfault/assertion failure later on. This issue is closely related to Bug 44970.

Piglit test case error log:

GL_TEXTURE_2D, Maximum allowable texture size = 8192
Mesa: User error: GL_OUT_OF_MEMORY in glTexSubImage2D
GL error 1 while testing GL_TEXTURE_2D, texture size = 4097, internal format = GL_RGBA8
intel-miptree-release: intel_regions.c:310: intel_region_release: Assertion `region->map_refcount == 0' failed.

Program received signal SIGABRT, Aborted.
0x00110416 in __kernel_vsyscall ()
(gdb) bt
#0  0x00110416 in __kernel_vsyscall ()
#1  0x4dc3698f in __GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#2  0x4dc382d5 in __GI_abort () at abort.c:91
#3  0x4dc2f6a5 in __assert_fail_base (fmt=0x4dd6fc48 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x29a949 "region->map_refcount == 0", 
    file=0x29a85f "intel_regions.c", line=310, function=0x29a9b1 "intel_region_release") at assert.c:94
#4  0x4dc2f757 in __GI___assert_fail (assertion=0x29a949 "region->map_refcount == 0", file=0x29a85f "intel_regions.c", line=310, 
    function=0x29a9b1 "intel_region_release") at assert.c:103
#5  0x001f4b52 in intel_region_release (region_handle=0x83203bc) at intel_regions.c:310
#6  0x001f1def in intel_miptree_release (mt=0x8328d2c) at intel_mipmap_tree.c:299
#7  0x001f1cab in intel_miptree_reference (dst=0x8328d2c, src=0x831f1f8) at intel_mipmap_tree.c:276
#8  0x001fa117 in intel_alloc_texture_image_buffer (ctx=0x80c8aa0, image=0x831d3b8, format=MESA_FORMAT_ARGB8888, width=4098, height=4098, depth=1) at intel_tex.c:104
#9  0x003f9815 in _mesa_store_teximage3d (ctx=0x80c8aa0, texImage=0x831d3b8, internalFormat=32856, width=4098, height=4098, depth=1, border=0, format=6408, 
    type=5126, pixels=0x0, packing=0x80ce530) at main/texstore.c:4280
#10 0x001fb3ac in intelTexImage (ctx=0x80c8aa0, dims=2, texImage=0x831d3b8, internalFormat=32856, width=4098, height=4098, depth=1, format=6408, type=5126, 
    pixels=0x0, unpack=0x80ce530, imageSize=0) at intel_tex_image.c:227
#11 0x001fb479 in intelTexImage2D (ctx=0x80c8aa0, texImage=0x831d3b8, internalFormat=32856, width=4098, height=4098, border=0, format=6408, type=5126, pixels=0x0, 
    unpack=0x80ce530) at intel_tex_image.c:256
#12 0x003e16ec in teximage (ctx=0x80c8aa0, dims=2, target=3553, level=0, internalFormat=32856, width=4098, height=4098, depth=1, border=0, format=6408, type=5126, 
    pixels=0x0) at main/teximage.c:2535
#13 0x003e193c in _mesa_TexImage2D (target=3553, level=0, internalFormat=32856, width=4098, height=4098, border=0, format=6408, type=5126, pixels=0x0)
    at main/teximage.c:2587
#14 0x0806bedb in piglit_display () at /home/anuj/projects/piglit/tests/bugs/intel-miptree-release.c:109
#15 0x0806c6d7 in display () at /home/anuj/projects/piglit/tests/util/piglit-framework.c:56
#16 0x4d13a3c3 in ?? () from /usr/lib/libglut.so.3
#17 0x4d13ddc7 in fgEnumWindows () from /usr/lib/libglut.so.3
#18 0x4d13a86e in glutMainLoopEvent () from /usr/lib/libglut.so.3
#19 0x4d13b0b8 in glutMainLoop () from /usr/lib/libglut.so.3
#20 0x0806ce59 in main (argc=1, argv=0xbffff1d4) at /home/anuj/projects/piglit/tests/util/piglit-framework.c:304
Comment 4 nobled 2012-03-16 06:03:38 UTC
Are you sure that's the same issue? When you disable asserts, does it go on to hit a bad memory access because rb->mt == NULL and it calls intel_miptree_release(&rb->mt->hiz_mt), which then dereferences it first thing?
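The failure mode asked about in comment 4, as an added example that is not part of the original thread and not the committed patch: when `rb->mt` is NULL, `&rb->mt->hiz_mt` denotes a small non-zero address (the member's offset), so a release function that reads through its argument faults immediately. The structs, field layout and function names are simplified, hypothetical stand-ins for the driver's own, and the guard shown is one possible way to avoid the dereference.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-ins for the driver structures (hypothetical layout). */
struct miptree {
    int refcount;
    struct miptree *hiz_mt;      /* separate HiZ miptree, may be NULL */
};
struct renderbuffer {
    struct miptree *mt;          /* NULL when no miptree is attached */
};

static int released;             /* objects whose refcount reached zero */

/* Same shape as the call in the report: takes the address of the caller's
 * pointer and reads through it as its first action. */
static void miptree_release(struct miptree **mt)
{
    if (*mt == NULL)             /* this read faults if mt itself is bogus */
        return;
    if (--(*mt)->refcount == 0)
        released++;
    *mt = NULL;
}

/* Address &rb->mt->hiz_mt would denote with rb->mt == NULL: the member
 * offset. It is not NULL, so a check of the argument against NULL inside
 * the release function would not catch it, and the crash address in a
 * backtrace is near zero rather than zero. */
static uintptr_t address_if_mt_null(void)
{
    return (uintptr_t)offsetof(struct miptree, hiz_mt);
}

/* Guarded caller: form &rb->mt->hiz_mt only once rb->mt is known valid. */
static int release_hiz(struct renderbuffer *rb)
{
    if (rb == NULL || rb->mt == NULL)
        return 0;                /* nothing attached, nothing to release */
    miptree_release(&rb->mt->hiz_mt);
    return 1;
}

int main(void)
{
    struct renderbuffer empty = { NULL };
    printf("unguarded call would read address 0x%lx\n",
           (unsigned long)address_if_mt_null());
    printf("guarded call returned %d\n", release_hiz(&empty));
    return 0;
}
```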
Comment 5 nobled 2012-03-16 11:12:04 UTC
Created attachment 58573 [details]
log with chadv's debug branch

Here's the stderr output from a run of compiz with this branch:
Comment 6 nobled 2012-03-20 01:01:05 UTC
Created attachment 58726 [details] [review]
intel: fix null deref processing HiZ buffer

Does this patch look fine?
Comment 7 Chad Versace 2012-03-22 09:45:05 UTC
The patch looks perfect. It has my
Reviewed-by: Chad Versace <chad.versace@linux.intel.com>.
Comment 8 Chad Versace 2012-03-22 09:45:46 UTC
Assigning to self.
Comment 9 nobled 2012-03-22 13:59:45 UTC
*** Bug 46739 has been marked as a duplicate of this bug. ***
Comment 10 nobled 2012-03-22 14:04:24 UTC
Committed to master as 8d9decb75f0df564abaf9888d9fc5c77de8059cd.

It's a day too late to make it into 8.0.2 unfortunately.
Comment 11 nobled 2012-03-23 12:05:04 UTC
And cherry-picked to the 8.0 stable branch as 89e796aef5ca1b35ca4ff6fce9231b4125e07037.

Here's to 8.0.3?
