NetBSD Problem Report #49835
From www@NetBSD.org Sun Apr 12 17:06:50 2015
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id 7C7C4A582D
for <gnats-bugs@gnats.NetBSD.org>; Sun, 12 Apr 2015 17:06:50 +0000 (UTC)
Message-Id: <20150412170649.27532A6567@mollari.NetBSD.org>
Date: Sun, 12 Apr 2015 17:06:49 +0000 (UTC)
From: tnn@nygren.pp.se
Reply-To: tnn@nygren.pp.se
To: gnats-bugs@NetBSD.org
Subject: xf86-video-intel crashes Xorg server trying to access unmapped GEM page
X-Send-Pr-Version: www-1.0
>Number: 49835
>Category: xsrc
>Synopsis: xf86-video-intel crashes Xorg server trying to access unmapped GEM page
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: riastradh
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sun Apr 12 17:10:00 +0000 2015
>Closed-Date: Thu Aug 24 12:10:10 +0000 2023
>Last-Modified: Thu Aug 24 12:10:10 +0000 2023
>Originator: Tobias Nygren
>Release: NetBSD
>Organization:
>Environment:
NetBSD x201i 7.99.9 NetBSD 7.99.9 (GENERIC.x201i) #0: Sun Apr 12 15:25:01 CEST 2015
>Description:
(Please assign this to riastradh@ as requested.)
Program received signal SIGSEGV, Segmentation fault.
0x00007f7ff37297d0 in emit_primitive_identity_mask__sse4_2 (
sna=0x7f7ff7bad000, op=0x7f7fffffcae0, r=0x7f7fffffcac0)
at gen4_vertex.c:1362
1362 v[7] = v[3] = (msk_y + h) * op->mask.scale[1];
(gdb)
#0 0x00007f7ff37297d0 in emit_primitive_identity_mask__sse4_2 (
sna=0x7f7ff7bad000, op=0x7f7fffffcae0, r=0x7f7fffffcac0)
at gen4_vertex.c:1362
#1 0x00007f7ff37333f9 in gen5_render_composite_blt (sna=0x7f7ff7bad000,
op=0x7f7fffffcae0, r=0x7f7fffffcac0) at gen5_render.c:1123
#2 0x00007f7ff36b5e66 in glyphs0_to_dst (sna=0x7f7ff7bad000, op=3 '\003',
src=0x7f7ff53ade00, dst=0x7f7ff4fb4b00, src_x=0, src_y=0, nlist=1,
list=0x7f7fffffd6c0, glyphs=0x7f7fffffcfd8) at sna_glyphs.c:906
#3 0x00007f7ff36b8b03 in sna_glyphs (op=3 '\003', src=0x7f7ff53ade00,
dst=0x7f7ff4fb4b00, mask=0x0, src_x=153, src_y=44, nlist=2,
list=0x7f7fffffd6c0, glyphs=0x7f7fffffcec0) at sna_glyphs.c:1998
#4 0x0000000000568ea8 in damageGlyphs (op=3 '\003', pSrc=0x7f7ff53ade00,
pDst=0x7f7ff4fb4b00, maskFormat=0x0, xSrc=153, ySrc=44, nlist=2,
list=0x7f7fffffd6c0, glyphs=0x7f7fffffcec0) at damage.c:568
#5 0x000000000054f939 in CompositeGlyphs (op=3 '\003', pSrc=0x7f7ff53ade00,
pDst=0x7f7ff4fb4b00, maskFormat=0x0, xSrc=153, ySrc=44, nlist=2,
lists=0x7f7fffffd6c0, glyphs=0x7f7fffffcec0) at glyph.c:558
#6 0x000000000055a6a9 in ProcRenderCompositeGlyphs (client=0x7f7ff639e580)
at render.c:1390
#7 0x000000000055c1a5 in ProcRenderDispatch (client=0x7f7ff639e580)
at render.c:1989
#8 0x000000000043397e in Dispatch () at dispatch.c:432
#9 0x0000000000441b26 in dix_main (argc=4, argv=0x7f7fffffdc90,
envp=0x7f7fffffdcb8) at main.c:298
#10 0x00000000004243a8 in main (argc=4, argv=0x7f7fffffdc90,
envp=0x7f7fffffdcb8) at stubmain.c:34
Dump of assembler code for function emit_primitive_identity_mask__sse4_2:
1362 v[7] = v[3] = (msk_y + h) * op->mask.scale[1];
0x00007f7ff372979a <+412>: mov -0x18(%rbp),%rax
0x00007f7ff372979e <+416>: lea 0x1c(%rax),%rcx
0x00007f7ff37297a2 <+420>: mov -0x18(%rbp),%rax
0x00007f7ff37297a6 <+424>: lea 0xc(%rax),%rdx
0x00007f7ff37297aa <+428>: mov -0x8(%rbp),%eax
0x00007f7ff37297ad <+431>: movd %eax,%xmm0
0x00007f7ff37297b1 <+435>: addss -0x10(%rbp),%xmm0
0x00007f7ff37297b6 <+440>: mov -0x30(%rbp),%rax
0x00007f7ff37297ba <+444>: mov 0xf0(%rax),%eax
0x00007f7ff37297c0 <+450>: movd %eax,%xmm2
0x00007f7ff37297c4 <+454>: mulss %xmm0,%xmm2
0x00007f7ff37297c8 <+458>: movd %xmm2,%eax
0x00007f7ff37297cc <+462>: mov %eax,(%rdx)
0x00007f7ff37297ce <+464>: mov (%rdx),%eax
=> 0x00007f7ff37297d0 <+466>: mov %eax,(%rcx)
(gdb) info registers
rax 0x3df20000 1039269888
rbx 0x7f7fffffffe0 140187732541408
rcx 0x7f7ff66b100c 140187571785740
Note that we crashed when assigning v[7]. The vertex
assigned to before that is v[2].
With rcx = ...b100c it means we crashed when
access to sna->render.vertices crossed a page boundary.
This seems to always be the case in this crash.
(Nothing seems to be mapped there?)
>How-To-Repeat:
Install:
pkgsrc/wip/MesaLib
pkgsrc/wip/modular-xorg-server
pkgsrc/wip/xf86-video-intel
On a Thinkpad x201i with intel Iron Lake chipset.
Compile with CONFIGURE_ARGS+=--enable-debug, CFLAGS+=-g -ggdb -O0, INSTALL_UNSTRIPPED=yes.
(this is just what I happen to use now, I'm fairly sure it crashed the same with old server versions as well.)
To trigger the bug I browse to reddit.com in Firefox and scroll the page up and down rapidly a few times.
>Fix:
unknown
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: xsrc-manager->riastradh
Responsible-Changed-By: tnn@NetBSD.org
Responsible-Changed-When: Sun, 12 Apr 2015 17:35:06 +0000
Responsible-Changed-Why:
humbly seeking advice from the drm2 wizard
From: Joachim Henke <free.software@gmx.com>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: xsrc/49835
Date: Mon, 13 Apr 2015 13:12:10 +0200
I can confirm this bug for an Intel GMA 4500MHD. It's easily
reproducible with Firefox.
From: Tobias Nygren <tnn@NetBSD.org>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: xsrc/49835 (xf86-video-intel crashes Xorg server trying to
access unmapped GEM page)
Date: Mon, 13 Apr 2015 20:58:03 +0200
Timing is relevant for this bug. xf86-video-intel configured with
--enable-debug=full does not exhibit the problem, probably due to
being delayed by the huge amount of writes to /var/log/Xorg.0.log.
State-Changed-From-To: open->feedback
State-Changed-By: riastradh@NetBSD.org
State-Changed-When: Sun, 20 Aug 2023 06:45:46 +0000
State-Changed-Why:
Lots of drm updates since this was filed, still reproducible?
State-Changed-From-To: feedback->closed
State-Changed-By: tnn@NetBSD.org
State-Changed-When: Thu, 24 Aug 2023 12:10:10 +0000
State-Changed-Why:
No longer reproducible on -current.
>Unformatted:
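Added example, not part of the original report or of xf86-video-intel: a C check of the page-boundary reading in the Description, reconstructing v from rcx and the two lea displacements shown in the disassembly. The 4 KiB page size is an assumption for amd64, and the names analyze, page_of and struct split are made up for this illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE 4096u /* assumption: amd64 base page size */

struct split {
    uint64_t base;       /* reconstructed v (start of this rectangle's floats) */
    uint64_t last_ok;    /* address of the store that completed */
    uint64_t fault;      /* address of the store that faulted */
    unsigned first_next; /* index of the first float that lies in the next page */
    int crossed;         /* 1 if the two stores hit different pages */
};

static uint64_t page_of(uint64_t addr)
{
    return addr & ~(uint64_t)(PAGE_SIZE - 1);
}

/*
 * fault_reg:  register used by the faulting store (rcx in the dump).
 * fault_disp: lea displacement that produced it (0x1c, i.e. v[7]).
 * ok_disp:    lea displacement of the preceding store (0xc, i.e. v[3]).
 */
static struct split analyze(uint64_t fault_reg, unsigned fault_disp,
                            unsigned ok_disp)
{
    struct split s;
    uint64_t left;

    s.base = fault_reg - fault_disp;
    s.fault = fault_reg;
    s.last_ok = s.base + ok_disp;
    left = page_of(s.base) + PAGE_SIZE - s.base; /* bytes left in v's page */
    s.first_next = (unsigned)((left + sizeof(float) - 1) / sizeof(float));
    s.crossed = page_of(s.last_ok) != page_of(s.fault);
    return s;
}

int main(void)
{
    /* Values taken from the gdb output in this report. */
    struct split s = analyze(0x7f7ff66b100cULL, 0x1c, 0x0c);

    printf("v=%#llx v[3]=%#llx v[7]=%#llx first float in next page: v[%u] crossed=%d\n",
           (unsigned long long)s.base, (unsigned long long)s.last_ok,
           (unsigned long long)s.fault, s.first_next, s.crossed);
    return 0;
}
```

For the values in this report v is 0x7f7ff66b0ff0, so the completed store to v[3] wrote the last word of its page and the faulting store to v[7] landed in the following page.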