Bug 73811 - [sna ivb ddx] sna crashes inside pixman
Summary: [sna ivb ddx] sna crashes inside pixman
Status: RESOLVED FIXED
Alias: None
Product: xorg
Classification: Unclassified
Component: Driver/intel (show other bugs)
Version: git
Hardware: Other All
: medium normal
Assignee: Chris Wilson
QA Contact: Intel GFX Bugs mailing list
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-01-19 20:55 UTC by Jiri Slaby
Modified: 2014-02-22 10:07 UTC (History)
0 users

See Also:
i915 platform:
i915 features:

Attachments
xorg log (27.82 KB, text/plain)
2014-01-19 20:55 UTC, Jiri Slaby 		no flags Details
View All

Description Jiri Slaby 2014-01-19 20:55:03 UTC 
Created attachment 92412 [details]
xorg log

#6  <signal handler called>
#7  _mm_store_si128 (__B=..., __P=0x7fb8c258c000) at /usr/lib64/gcc/x86_64-suse-linux/4.8/include/emmintrin.h:696
#8  save_128_aligned (data=..., dst=0x7fb8c258c000) at pixman-sse2.c:388
#9  sse2_fill (imp=<optimized out>, bits=<optimized out>, stride=1320, bpp=<optimized out>, x=<optimized out>, y=<optimized out>, width=5, height=42, filler=4278190080) at pixman-sse2.c:3434
#10 0x00007fb8cb6da8ef in _pixman_implementation_fill (imp=0x133c870, bits=0x7fb8c24e3000, stride=330, bpp=32, x=795, y=503, width=5, height=height@entry=62, filler=<optimized out>, filler@entry=4278190080) at pixman-implementation.c:277
#11 0x00007fb8cb68deb1 in pixman_fill (bits=<optimized out>, stride=<optimized out>, bpp=<optimized out>, x=<optimized out>, y=<optimized out>, width=<optimized out>, height=62, filler=4278190080) at pixman.c:766
#12 0x00007fb8c69bea97 in blt_composite_fill_boxes__cpu (sna=<optimized out>, op=0x7fff490c3dc0, box=0x2abca98, n=<optimized out>) at sna_blt.c:960
#13 0x00007fb8c69cb6b4 in sna_composite (op=<optimized out>, src=<optimized out>, mask=0x0, dst=0x29b4cb0, src_x=<optimized out>, src_y=<optimized out>, mask_x=0, mask_y=0, dst_x=-9, dst_y=-9, width=348, height=111) at sna_composite.c:731
#14 0x0000000000511eb2 in damageComposite (op=<optimized out>, pSrc=0x2398cf0, pMask=0x0, pDst=0x29b4cb0, xSrc=<optimized out>, ySrc=<optimized out>, xMask=0, yMask=0, xDst=-9, yDst=-9, width=348, height=111) at damage.c:563
#15 0x00000000004c8ee2 in compWindowUpdateAutomatic (pWin=<optimized out>) at compwindow.c:682
#16 compPaintWindowToParent (pWin=0x27fdd80) at compwindow.c:706
#17 compPaintChildrenToWindow (pWin=pWin@entry=0x2bda4a0) at compwindow.c:721
#18 0x00000000004c8d6d in compPaintWindowToParent (pWin=0x2bda4a0) at compwindow.c:700
#19 compPaintChildrenToWindow (pWin=0x13986d0) at compwindow.c:721
#20 0x00000000004c93dd in compScreenUpdate (pScreen=0x1366a80) at compalloc.c:54
#21 compBlockHandler (pScreen=0x1366a80, pTimeout=0x7fff490c4218, pReadmask=0x81e160 <LastSelectMask>) at compalloc.c:63
#22 0x0000000000440c84 in BlockHandler (pTimeout=pTimeout@entry=0x7fff490c4218, pReadmask=pReadmask@entry=0x81e160 <LastSelectMask>) at dixutils.c:387
#23 0x0000000000582fe4 in WaitForSomething (pClientsReady=pClientsReady@entry=0x1660740) at WaitFor.c:210
#24 0x000000000043c991 in Dispatch () at dispatch.c:361
#25 0x000000000042c1ba in main (argc=7, argv=0x7fff490c4628, envp=<optimized out>) at main.c:298
Comment 1 Chris Wilson 2014-01-19 21:14:09 UTC 
Repeatable? Now since you have assertions enabled, I can be reasonably sure that the requested fill was entirely within bounds... That only leaves the recent bug such as 5f3ee21a307, but you already have that commit. Leaning towards we violated some assumption made by pixman.
Comment 2 Jiri Slaby 2014-01-19 21:17:05 UTC 
(In reply to comment #1)
> Repeatable?

Occasionally. Using wine and Mp3Tag.
Comment 3 Chris Wilson 2014-01-20 09:57:32 UTC 
I don't suppose there is any chance of capturing this within a full-debug run? I expect the timings will mask the issue. :|
Comment 4 Chris Wilson 2014-01-22 16:32:44 UTC 
Ah, actually that particular path wasn't asserting the box was entirely within bounds before calling pixman.

commit 32010ed86bb8f28d3b02e1e54a592d79b92b2b98
Author: Chris Wilson <chris@chris-wilson.co.uk>
Date:   Wed Jan 22 16:26:14 2014 +0000

    sna: Assert that the fill box is within bounds
    
    References: https://bugs.freedesktop.org/show_bug.cgi?id=73811
    Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>

Perhaps see if that catches the fault first?
Comment 5 Chris Wilson 2014-02-05 10:50:03 UTC 
Another subtle bug in move-to-cpu fixed. Do you still occasionally hit this bug or the new assertions?
Comment 6 Chris Wilson 2014-02-06 09:11:38 UTC 
Ok, had an idea for the cause here which would be fixed by:

commit 4d1a2ef9553c663bb97b56adde6f6b41241ff528
Author: Chris Wilson <chris@chris-wilson.co.uk>
Date:   Thu Feb 6 08:29:20 2014 +0000

    sna: Reset composite offsets when reusing freed pixmaps
    
    Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=74550
    Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Comment 7 Jiri Slaby 2014-02-06 19:00:50 UTC 
(In reply to comment #5)
> Another subtle bug in move-to-cpu fixed. Do you still occasionally hit this
> bug or the new assertions?

I hit no more assertions in the past days. And I update the driver usually when I reboot (once a week). For the record, I'm now running 2.99.909-11-gde73c5fd1cd4 for 2 days.
Comment 8 Chris Wilson 2014-02-10 11:55:35 UTC 
I feel confident that this will turn out to be the invalid pixmap->screen_x|y left around in the freed pixmap cache.
Comment 9 Jiri Slaby 2014-02-22 09:52:50 UTC 
Got one of the introduced asserts with 2.99.910-49-g0b92b12:

#3  0x00007f6ab08fb6c2 in __GI___assert_fail (assertion=assertion@entry=0x7f6aac9e3a10 "box->x2 <= op->dst.pixmap->drawable.width", file=file@entry=0x7f6aac9e3821 "sna_blt.c", line=line@entry=967, function=function@entry=0x7f6aac9e4090 <__PRETTY_FUNCTION__.23865> "blt_composite_fill_boxes__cpu") at assert.c:101
#4  0x00007f6aac901fb6 in blt_composite_fill_boxes__cpu (sna=<optimized out>, op=0x7fff5cae7950, box=0x1d1f150, n=<optimized out>) at sna_blt.c:967
#5  0x00007f6aac90ecdc in sna_composite (op=<optimized out>, src=<optimized out>, mask=0x0, dst=0x1d708b0, src_x=<optimized out>, src_y=<optimized out>, mask_x=0, mask_y=0, dst_x=-9, dst_y=-9, width=348, height=111) at sna_composite.c:731
#6  0x0000000000511eb2 in damageComposite (op=<optimized out>, pSrc=0x1d31910, pMask=0x0, pDst=0x1d708b0, xSrc=<optimized out>, ySrc=<optimized out>, xMask=0, yMask=0, xDst=-9, yDst=-9, width=348, height=111) at damage.c:563
#7  0x00000000004c8ee2 in compWindowUpdateAutomatic (pWin=<optimized out>) at compwindow.c:682
#8  compPaintWindowToParent (pWin=0x1c5d650) at compwindow.c:706
#9  compPaintChildrenToWindow (pWin=pWin@entry=0x1d6d040) at compwindow.c:721
#10 0x00000000004c8d6d in compPaintWindowToParent (pWin=0x1d6d040) at compwindow.c:700
#11 compPaintChildrenToWindow (pWin=0xb7b6d0) at compwindow.c:721
#12 0x00000000004c93dd in compScreenUpdate (pScreen=0xb49a80) at compalloc.c:54
#13 compBlockHandler (pScreen=0xb49a80, pTimeout=0x7fff5cae7da8, pReadmask=0x81e160 <LastSelectMask>) at compalloc.c:63
#14 0x0000000000440c84 in BlockHandler (pTimeout=pTimeout@entry=0x7fff5cae7da8, pReadmask=pReadmask@entry=0x81e160 <LastSelectMask>) at dixutils.c:387
#15 0x0000000000582fe4 in WaitForSomething (pClientsReady=pClientsReady@entry=0xe435e0) at WaitFor.c:210
#16 0x000000000043c991 in Dispatch () at dispatch.c:361
#17 0x000000000042c1ba in main (argc=7, argv=0x7fff5cae81b8, envp=<optimized out>) at main.c:298
Comment 10 Chris Wilson 2014-02-22 10:07:32 UTC 
Aha!

commit 75cff26ebad33aca7ade7aa5a650235a7d42e47c
Author: Chris Wilson <chris@chris-wilson.co.uk>
Date:   Sat Feb 22 10:05:41 2014 +0000

    sna: Apply the dst offset for pixman fills
    
    Along one of the sw blt paths we failed to apply the offset for
    Composite redirection.
    
    Reported-by: Jiri Slaby <jirislaby@gmail.com>
    Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=73811
    Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>

Thanks.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.