Bug 92296 - Xorg crashes with reverse PRIME (intel+nouveau) and OpenGL/VA-API
Summary: Xorg crashes with reverse PRIME (intel+nouveau) and OpenGL/VA-API
Status: NEW
Alias: None
Product: xorg
Classification: Unclassified
Component: Driver/intel
Version: unspecified
Hardware: x86-64 (AMD64) Linux (All)
Importance: medium normal
Assignee: Chris Wilson
QA Contact: Intel GFX Bugs mailing list
Reported: 2015-10-05 19:44 UTC by Matthias Schiffer
Modified: 2015-11-12 17:01 UTC

Attachments
Xorg.log for crash 1 (82.78 KB, text/plain)
2015-10-05 19:44 UTC, Matthias Schiffer
Xorg.log for crash 2 (78.83 KB, text/plain)
2015-10-05 19:45 UTC, Matthias Schiffer
Xorg.log for crash 3 (209.04 KB, text/plain)
2015-10-05 19:45 UTC, Matthias Schiffer
gdb log for crash 2 (8.06 KB, text/plain)
2015-10-06 09:39 UTC, Matthias Schiffer
gdb log for crash 1 (9.30 KB, text/plain)
2015-11-12 00:25 UTC, Matthias Schiffer
gdb log for crash 2 (Xserver 1.18 + patch from comment 9) (8.02 KB, text/plain)
2015-11-12 01:15 UTC, Matthias Schiffer

Description Matthias Schiffer 2015-10-05 19:44:54 UTC
Created attachment 118678
Xorg.log for crash 1

I've found various ways to crash Xorg in a reverse PRIME setup; I'm reporting them as a single bug as the backtraces look similar.

For the tests, I used the xorg-server 1.17.2 Arch Linux packages with recent git versions of xf86-video-intel and xf86-video-nouveau.

* Crash 1: I set up the (nouveau) reverse PRIME output as primary output. When I set a GL or VA-API window to fullscreen on the reverse PRIME output, Xorg segfaults. Might be related to #91491.

* Crash 2: I configure the intel driver to use DRI3. As soon as I open a window using GL or VA-API on the reverse PRIME output, Xorg segfaults.

* Crash 3: While normally the reverse PRIME setup as primary output would only make Xorg crash when a fullscreen window was involved, I also got a random crash in this setup without a fullscreen window.
Comment 1 Matthias Schiffer 2015-10-05 19:45:29 UTC
Created attachment 118679
Xorg.log for crash 2
Comment 2 Matthias Schiffer 2015-10-05 19:45:57 UTC
Created attachment 118680
Xorg.log for crash 3
Comment 3 Matthias Schiffer 2015-10-05 20:35:20 UTC
Oh, I didn't even read the logs carefully enough, crash 2 is a bus error, not a segfault. So maybe these crashes are distinct bugs after all...
Comment 4 Chris Wilson 2015-10-06 08:49:12 UTC
First should be fixed with an update already. 2/3 look to be a different bug. 2 might just be a known bug in the sigbus handler, but more likely related to 3.


The stacktraces aren't particularly helpful. Please could you compile and install the debug info and perhaps capture a coredump or have gdb attached?
Comment 5 Matthias Schiffer 2015-10-06 09:13:23 UTC
Thanks, crash 1 seems to be fixed with the latest xf86-video-intel master indeed, I should have checked that first.

I'll try to get some coredumps and debug info for crash 2, not sure if I can get one for 3 as it occurred spontaneously.
Comment 6 Chris Wilson 2015-10-06 09:29:19 UTC
Hmm, something I missed was that you have TearFree enabled. There is a known interaction issue atm with TearFree/DRI3, you might like to try disabling TearFree and testing.
Comment 7 Matthias Schiffer 2015-10-06 09:39:47 UTC
Created attachment 118707
gdb log for crash 2

Disabling TearFree didn't have an effect. Here's a proper backtrace of crash 2 (with TearFree disabled).
Comment 8 Chris Wilson 2015-11-11 20:42:12 UTC
Theory is that the wrong backend is being called...

If you enable assertions (say --enable-debug=full since it appears to crash very early) and try:

--- a/src/sna/sna_present.c
+++ b/src/sna/sna_present.c
@@ -312,6 +312,7 @@ sna_present_queue_vblank(RRCrtcPtr crtc, uint64_t event_id, 
        DBG(("%s(pipe=%d, event=%lld, msc=%lld)\n",
             __FUNCTION__, sna_crtc_pipe(crtc->devPrivate),
             (long long)event_id, (long long)msc));
+       assert(sna->scrn == ((xf86CrtcPtr)crtc->devPrivate)->scrn);
 
        swap = sna_crtc_last_swap(crtc->devPrivate);
        warn_unless((int64_t)(msc - swap->msc) >= 0);
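
Review bot: the added assert sits after the DBG(...) call, which already passes crtc->devPrivate to sna_crtc_pipe(), so under --enable-debug=full a CRTC that belongs to another screen is interpreted by this driver before the check can fire. Move `assert(sna->scrn == ((xf86CrtcPtr)crtc->devPrivate)->scrn);` above the DBG so the mismatch is the first thing reported. Since the assert only exists when assertions are enabled, it can confirm the theory but does not keep sna_crtc_last_swap() from running on a foreign CRTC in a normal build.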
Comment 9 Chris Wilson 2015-11-11 21:09:06 UTC
If I am right, the gist of the issue is:

diff --git a/present/present.c b/present/present.c
index beb01dc..de37abc 100644
--- a/present/present.c
+++ b/present/present.c
@@ -724,7 +724,7 @@ present_pixmap(WindowPtr window,
 
     if (!screen_priv || !screen_priv->info)
         target_crtc = NULL;
-    else if (!target_crtc) {
+    else if (!target_crtc || target_crtc->pScreen != screen) {
         /* Update the CRTC if we have a pixmap or we don't have a CRTC
          */
         if (!pixmap)
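
Review bot: the comment directly under the changed condition ("Update the CRTC if we have a pixmap or we don't have a CRTC") no longer matches it, because the branch is now also taken when `target_crtc->pScreen != screen`. Extend the comment to cover the CRTC-from-another-screen case, and state whether silently re-picking the CRTC, rather than rejecting the request, is the intended behaviour.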
Comment 10 Matthias Schiffer 2015-11-12 00:10:50 UTC
The assertion in comment 8 is indeed hit when I try to trigger crash 2. The patch from comment 9 doesn't have an effect, the assertion is still hit (on Xserver 1.17.4, I'll try with 1.18 next)
Comment 11 Matthias Schiffer 2015-11-12 00:25:27 UTC
Created attachment 119579
gdb log for crash 1

While I thought that crash 1 had been fixed, this is not the case after all; on both Xserver 1.17.2 and 1.17.4, and both the current xf86-video-intel git master and the version I used when I tested last time, it crashes every time I try it. 

GDB log attached.
Comment 12 Matthias Schiffer 2015-11-12 01:15:49 UTC
Created attachment 119580
gdb log for crash 2 (Xserver 1.18 + patch from comment 9)

I've removed the assertion from comment 8, I wasn't able to get a gdb log when the assertion was hit.
Comment 13 Matthias Schiffer 2015-11-12 01:19:26 UTC
I wasn't able to reproduce crash 1 with Xserver 1.18, but that might or might not be because I wasn't able to properly get a window to fullscreen on the reverse PRIME screen because of bug 92313.
Comment 14 Chris Wilson 2015-11-12 09:01:12 UTC
(In reply to Matthias Schiffer from comment #11)
> Created attachment 119579
> gdb log for crash 1
> 
> While I thought that crash 1 had been fixed, this is not the case after all;
> on both Xserver 1.17.2 and 1.17.4, and both the current xf86-video-intel git
> master and the version I used when I tested last time, it crashes every time
> I try it. 

Still mixing Present/DRI3 + DRI2? If so, this may help


diff --git a/src/sna/sna_dri2.c b/src/sna/sna_dri2.c
index 6f5e9f7..43b1534 100644
--- a/src/sna/sna_dri2.c
+++ b/src/sna/sna_dri2.c
@@ -2207,7 +2207,7 @@ can_xchg_crtc(struct sna *sna,
        if (!DBG_CAN_XCHG)
                return false;
 
-       if ((sna->flags & SNA_TEAR_FREE) == 0) {
+       if ((sna->flags & SNA_TEAR_FREE) == 0 || !sna->mode.shadow_enabled) {
                DBG(("%s: no, requires TearFree\n",
                     __FUNCTION__));
                return false;
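
Review bot: with the added `|| !sna->mode.shadow_enabled`, the DBG message "no, requires TearFree" is now also printed when SNA_TEAR_FREE is set but the shadow is not enabled, which will mislead anyone reading a debug log from this path. Either split the two conditions into separate early returns with their own messages, or reword the message so it mentions shadow_enabled.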
Comment 15 Matthias Schiffer 2015-11-12 17:01:43 UTC
In crash 1, only DRI2 should be involved, I explicitly set the maximum DRI version to 2 in xorg.conf for both drivers. As soon as I enable DRI3, I can't even get to crash 1, as crash 2 happens before.

AFAICT, your last patch snippet didn't have any effect.

