Bug 91120 - [HD Graphics 2000] [xf86-video-intel version 1:2.99.917+364+gb24e758-1] Crash inside intel_dri.so
Status: RESOLVED FIXED
Alias: None
Product: xorg
Classification: Unclassified
Component: Driver/intel
Version: unspecified
Hardware: x86-64 (AMD64) Linux (All)
Importance: medium normal
Assignee: Chris Wilson
QA Contact: Intel GFX Bugs mailing list
Duplicates: 92708
 
Reported: 2015-06-26 21:23 UTC by bob_twinkles
Modified: 2015-10-28 13:49 UTC

Attachments
dmesg output (137.19 KB, text/plain)
2015-06-26 21:23 UTC, bob_twinkles
Example xmonad.hs (1.68 KB, text/plain)
2015-06-26 21:24 UTC, bob_twinkles
Xorg.0.log with dri stacktrace (26.05 KB, text/plain)
2015-06-27 18:38 UTC, bob_twinkles
Xorg.0.log with full debugging, no patch (875.52 KB, text/plain)
2015-06-27 19:03 UTC, bob_twinkles
Xorg.0.log with full debugging, patch (1.85 MB, text/plain)
2015-06-27 19:04 UTC, bob_twinkles

Description bob_twinkles 2015-06-26 21:23:17 UTC
Created attachment 116744
dmesg output

Hello, I seem to have found a bug which can reliably induce a crash inside intel_dri.so. The bug is triggered when moving OpenGL windows under XMonad, with a custom LayoutClass.

The attached xmonad.hs provides a minimal configuration which allows reproducing the issue.

To reproduce:
   - configure xinitrc to run XMonad on startup:
        #!/bin/bash
        xmonad
   - place the provided xmonad.hs file in ~/.xmonad/
   - startx
   - Press super + shift + enter to open a terminal (I've set up the example to use xterm, but this can be changed: just replace "xterm" on line 54 with the command to run your favorite terminal application)
   - Run some OpenGL application. I have confirmed the crash with Minecraft and mpv, but I believe the problem will be exhibited by most OpenGL applications.
   - Press and hold super + shift + j to swap the OpenGL window in and out of the inset pane. X should crash at this point.

The reported stack trace is as follows: 
#0  0x00007fd467938dd7 in ?? () from /usr/lib/xorg/modules/drivers/intel_drv.so
#1  0x00007fd46797e57c in ?? () from /usr/lib/xorg/modules/drivers/intel_drv.so
#2  0x00007fd46799c218 in ?? () from /usr/lib/xorg/modules/drivers/intel_drv.so
#3  0x00007fd46a5a691d in ?? () from /usr/lib/xorg/modules/extensions/libglx.so
#4  0x000000000047a43f in AbortDDX ()
#5  0x000000000059e942 in ?? ()
#6  0x000000000059f77d in FatalError ()
#7  0x000000000059668e in ?? ()
#8  <signal handler called>
#9  0x00007fd467987b23 in ?? () from /usr/lib/xorg/modules/drivers/intel_drv.so
#10 0x00007fd467a0e38b in ?? () from /usr/lib/xorg/modules/drivers/intel_drv.so
#11 0x00007fd467a27e4f in ?? () from /usr/lib/xorg/modules/drivers/intel_drv.so
#12 0x00007fd467a2a93a in ?? () from /usr/lib/xorg/modules/drivers/intel_drv.so
#13 0x0000000000564d88 in DRI2SwapBuffers ()
#14 0x000000000056670c in ?? ()
#15 0x0000000000438dcf in ?? ()
#16 0x000000000043cf0b in ?? ()
#17 0x00007fd46cd86790 in __libc_start_main () from /usr/lib/libc.so.6
#18 0x0000000000427319 in _start ()

(which I understand is likely not overly helpful without debug symbols; if desired, I can try to reproduce this with a debug build of intel_drv.so)

I have attached the example xmonad.hs and the full output of dmesg, when booted with drm.debug=0x06.
Comment 1 bob_twinkles 2015-06-26 21:24:04 UTC
Created attachment 116745
Example xmonad.hs
Comment 2 Chris Wilson 2015-06-27 07:32:50 UTC
The driver's a bit old; in the middle of rejigging the code that died. Could you please update and install the debug symbols in case it crashes again, and then retest?
Comment 3 bob_twinkles 2015-06-27 18:38:14 UTC
I built and installed git commit 6fc7b16b931946995ffab99c5216810417cfeb99, and confirmed this bug still exists. I will attach Xorg.0.log, which includes the stack trace from the driver. Thanks for looking into this!
Comment 4 bob_twinkles 2015-06-27 18:38:55 UTC
Created attachment 116753
Xorg.0.log with dri stacktrace
Comment 5 Chris Wilson 2015-06-27 18:51:05 UTC
Ok, that's a little unexpected. Do you mind compiling with --enable-debug=full and attaching the compressed logfile?

I think

diff --git a/src/sna/sna_dri2.c b/src/sna/sna_dri2.c
index b2814da..2750497 100644
--- a/src/sna/sna_dri2.c
+++ b/src/sna/sna_dri2.c
@@ -1203,6 +1203,10 @@ __sna_dri2_copy_region(struct sna *sna, DrawablePtr draw, RegionPtr region,
                assert(region == NULL || region == &clip);
                pixman_region_intersect(&clip, &clip, &source);
 
+               if (!pixman_region_not_empty(&clip)) {
+                       DBG(("%s: region doesn't overlay pixmap\n", __FUNCTION__));
+                       return NULL;
+               }
        }
 
        dst_bo = dst_priv->bo;
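
Review bot: callers of __sna_dri2_copy_region now receive NULL when the clip is empty after pixman_region_intersect(&clip, &clip, &source), so each caller should be checked to confirm it handles a NULL result without dereferencing it; a short comment above the new test saying why an empty intersection can occur here would document that this is not an error path. The test also sits inside the block that performs the intersection (it precedes that block's closing brace), so any path that skips the block is not covered by it. Minor: the DBG text reads "region doesn't overlay pixmap" where "overlap" looks intended.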

will prevent the crash, but we shouldn't be reaching that point.
Comment 6 bob_twinkles 2015-06-27 19:03:35 UTC
Created attachment 116754
Xorg.0.log with full debugging, no patch

Crash is still exhibited here.
Comment 7 bob_twinkles 2015-06-27 19:04:07 UTC
Created attachment 116755
Xorg.0.log with full debugging, patch

The patch does indeed fix the crash.
Comment 8 Chris Wilson 2015-06-27 19:28:25 UTC
Ok, it makes sense. The important detail is that the Window is redirected and dramatically changed shape and was clipped in between the GL client grabbing its backbuffer and performing the swapbuffer.

commit 41f401ae27ee753d66aae341be60b27167bc5b62
Author: Chris Wilson <chris@chris-wilson.co.uk>
Date:   Sat Jun 27 20:24:45 2015 +0100

    sna/dri2: Early return for empty DRI2CopyRegion
    
    It's possible if the Window is redirected whilst the client render for
    its backbuffer to no longer overlap with the visible Window. In this
    case, we attempt to copy an empty region, but if debugging is enabled
    this throws an assert.
    
    Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=91120
    Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Comment 9 Chris Wilson 2015-10-28 13:49:23 UTC
*** Bug 92708 has been marked as a duplicate of this bug. ***

