NetBSD Problem Report #58133

From rhialto@falu.nl  Tue Apr  9 18:36:36 2024
Return-Path: <rhialto@falu.nl>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id A6B8E1A9239
	for <gnats-bugs@gnats.NetBSD.org>; Tue,  9 Apr 2024 18:36:36 +0000 (UTC)
Message-Id: <ZhWKq3hIpdAjFZ0H@falu.nl>
Date: Tue, 9 Apr 2024 20:36:27 +0200
From: Rhialto <rhialto@falu.nl>
Reply-To: Rhialto <rhialto@falu.nl>
To: gnats-bugs@NetBSD.org
Cc: Rhialto <rhialto@falu.nl>
Subject: X server crashes; radeon 5450; modesetting
X-Send-Pr-Version: 3.95

>Number:         58133
>Category:       xsrc
>Synopsis:       X server crashes; radeon 5450; modesetting
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    xsrc-manager
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Apr 09 18:40:00 +0000 2024
>Closed-Date:    Wed Oct 09 00:09:58 +0000 2024
>Last-Modified:  Wed Oct 09 00:09:58 +0000 2024
>Originator:     Rhialto
>Release:        NetBSD 10.0
>Organization:
>Environment:
System: NetBSD murthe.falu.nl 10.0 NetBSD 10.0 (GENERIC) #0: Thu Mar 28 08:33:33 UTC 2024 mkrepro@mkrepro.NetBSD.org:/usr/src/sys/arch/amd64/compile/GENERIC amd64
Architecture: x86_64
Machine: amd64
>Description:

Using 10.0/amd64 and native X, and with packages that were compiled for
9.2 and pkgsrc-2023Q4, I got a crash of the X server, and xdm restarted
it successfully.

The crash seemed to be triggered by something that Firefox did. My graphics
card is a Radeon 5450, which always was pretty much the best-suported
hardware. (The exact number doesn't seem to be logged any more)

Here is a stack trace (full-ish log appended later):

[108332.584] (EE) 
[108332.584] (EE) Backtrace:
[108332.695] (EE) 0: /usr/X11R7/bin/X (xorg_backtrace+0x44) [0x1af3b2575]
[108332.695] (EE) 1: /usr/X11R7/bin/X (os_move_fd+0x79) [0x1af3ae315]
[108332.695] (EE) 2: /usr/lib/libc.so.12 (__sigtramp_siginfo_2+0x0) [0x7b307517ee80]
[108332.695] (EE) 3: /usr/X11R7/lib/modules/libglamoregl.so (glamor_download_pixmap+0x248) [0x7b306e213595]
[108332.695] (EE) 4: /usr/X11R7/lib/modules/libglamoregl.so (glamor_download_pixmap+0xadb) [0x7b306e213e28]
[108332.695] (EE) 5: /usr/X11R7/lib/modules/libglamoregl.so (glamor_image_text8+0x30) [0x7b306e213fa9]
[108332.695] (EE) 6: /usr/X11R7/bin/X (DamageRegionAppend+0x1064) [0x1af35fbbe]
[108332.695] (EE) 7: /usr/X11R7/bin/X (DeliverRawEvent+0x1cf2) [0x1af27e6b5]
[108332.695] (EE) 8: /usr/X11R7/bin/X (ImageText+0x3a) [0x1af27f8df]
[108332.695] (EE) 9: /usr/X11R7/bin/X (ProcImageText8+0xe2) [0x1af28395b]
[108332.695] (EE) 10: /usr/X11R7/bin/X (Dispatch+0x264) [0x1af285c2e]
[108332.695] (EE) 11: /usr/X11R7/bin/X (dix_main+0x36f) [0x1af255e1f]
[108332.695] (EE) 
[108332.695] (EE) Segmentation fault at address 0x7b3070f7e000
[108332.695] (EE) 
Fatal server error:
[108332.695] (EE) Caught signal 11 (Segmentation fault). Server aborting

This seems to be in text-drawing code. Here I use the modesetting
driver, but before that I tried the radeon driver, and with that,
Firefox seemed to have font troubles too (but it didn't result in an
immediate crash; first there was missing text on the screen which got
worse, and after a short time X froze completely). So there may be some
driver-independent problem here which expresses differently with radeon
vs modesetting drivers.

And on NetBSD 9.3 I got occasional messages like these:

Mar 10 22:22:03 murthe /netbsd: [ 4261546.2226100] radeon0: autoconfiguration error: warn: evergreen_cs_track_validate_texture:888 texture bo too small (layer size 9830400, offset 0, max layer 1, depth 1, bo size 9338880) (1920 1280)
Mar 10 22:22:03 murthe /netbsd: [ 4261546.2226100] kern error: [drm:(../../../../external/bsd/drm2/dist/drm/radeon/radeon_cs.c:467)radeon_cs_ib_chunk] *ERROR* Invalid command stream !

Maybe the same issue still exists but is not checked for with the
modesetting driver?

Some source context from the stack frames in libglamoregl:

(gdb) list *(glamor_download_pixmap+0x248)
0x13595 is in glamor_text (/usr/xsrc/external/mit/xorg-server/dist/glamor/glamor_text.c:173).
/*
 * Construct quads for the provided list of characters and draw them
 */

static int
glamor_text(DrawablePtr drawable, GCPtr gc,
            glamor_font_t *glamor_font,
            glamor_program *prog,
            int x, int y,
            int count, char *s_chars, CharInfoPtr *charinfo,
            Bool sixteen)
{
...
168     
169                 tx = (col - firstCol) * glyph_spacing_x;
170                 /* adjust for second row layout */
171                 tx += second_row * glamor_font->row_width * 8;
172     
173                 v[ 0] = x1;
174                 v[ 1] = y1;
175                 v[ 2] = width;
176                 v[ 3] = height;
177                 v[ 4] = tx;

Line 173 looks like a plausible place for a segfault. My copy of this
file has not been modified since 2016.

0x13e28 is in glamor_image_text (/usr/xsrc/external/mit/xorg-server/dist/glamor/glamor_text.c:470).
465             goto bail;
466     
467         (void) glamor_text(drawable, gc, glamor_font, prog,
468                            x, y, count, chars, charinfo, sixteen);
469     
470         return TRUE;
471     
472     bail:
473         return FALSE;
474     }

(gdb) list *(glamor_image_text8+0x30)
0x13fa9 is in glamor_image_text8 (/usr/xsrc/external/mit/xorg-server/dist/glamor/glamor_text.c:480).
475     
476     void
477     glamor_image_text8(DrawablePtr drawable, GCPtr gc,
478                        int x, int y, int count, char *chars)
479     {
480         if (!glamor_image_text(drawable, gc, x, y, count, chars, FALSE))
481             miImageText8(drawable, gc, x, y, count, chars);
482     }

/var/log/Xorg.0.log.old:

[    24.179] 
X.Org X Server 1.21.1.9
X Protocol Version 11, Revision 0
[    24.179] Current Operating System: NetBSD murthe.falu.nl 10.0 NetBSD 10.0 (GENERIC) #0: Thu Mar 28 08:33:33 UTC 2024  mkrepro@mkrepro.NetBSD.org:/usr/src/sys/arch/amd64/compile/GENERIC amd64
[    24.179]  
[    24.179] Current version of pixman: 0.38.4
[    24.179] 	Before reporting problems, check http://wiki.x.org
	to make sure that you have the latest version.
[    24.179] Markers: (--) probed, (**) from config file, (==) default setting,
	(++) from command line, (!!) notice, (II) informational,
	(WW) warning, (EE) error, (NI) not implemented, (??) unknown.
[    24.179] (==) Log file: "/var/log/Xorg.0.log", Time: Sun Apr  7 16:23:57 2024
[    24.245] (==) Using config file: "/etc/X11/xorg.conf"
[    24.273] (==) ServerLayout "X.org Configured"
[    24.273] (**) |-->Screen "Screen0" (0)
[    24.273] (**) |   |-->Monitor "Monitor0"
[    24.273] (**) |   |-->Device "Card0"
[    24.274] (**) |-->Input Device "Mouse0"
[    24.274] (**) |-->Input Device "Keyboard0"
[    24.274] (**) Option "DontZap" "false"
[    24.274] (**) Option "DontZoom" "false"
[    24.274] (**) Option "DisableVidModeExtension" "false"
[    24.274] (==) Automatically adding devices
[    24.274] (==) Automatically enabling devices
[    24.274] (==) Not automatically adding GPU devices
[    24.274] (==) Automatically binding GPU devices
[    24.302] (==) Max clients allowed: 256, resource mask: 0x1fffff
[    24.344] (WW) The directory "/usr/pkg/lib/X11/fonts/TTF" does not exist.
[    24.344] 	Entry deleted from font path.
[    24.371] (WW) The directory "/usr/pkg/lib/X11/fonts/misc/" does not exist.
[    24.371] 	Entry deleted from font path.
[    24.371] (WW) The directory "/usr/pkg/lib/X11/fonts/Type1/" does not exist.
[    24.371] 	Entry deleted from font path.
[    24.371] (WW) The directory "/usr/pkg/lib/X11/fonts/75dpi/" does not exist.
[    24.371] 	Entry deleted from font path.
[    24.371] (WW) The directory "/usr/pkg/lib/X11/fonts/100dpi/" does not exist.
[    24.371] 	Entry deleted from font path.
[    24.417] (WW) The directory "/usr/pkg/share/fonts/X11/Type1/" does not exist.
[    24.417] 	Entry deleted from font path.
[    24.417] (WW) The directory "/usr/pkg/share/fonts/X11/75dpi/" does not exist.
[    24.417] 	Entry deleted from font path.
[    24.417] (WW) The directory "/usr/pkg/share/fonts/X11/100dpi/" does not exist.
[    24.417] 	Entry deleted from font path.
[    24.417] (**) FontPath set to:
	/usr/X11R7/lib/X11/fonts/misc/,
	/usr/X11R7/lib/X11/fonts/TTF/,
	/usr/X11R7/lib/X11/fonts/Type1/,
	/usr/X11R7/lib/X11/fonts/75dpi/,
	/usr/X11R7/lib/X11/fonts/100dpi/,
	/usr/local/X11/fonts/TrueType/beos,
	/usr/local/X11/fonts/TrueType/enabled,
	/usr/pkg/share/fonts/X11/misc,
	/usr/pkg/share/fonts/X11/TTF,
	/usr/X11R7/lib/X11/fonts/misc/,
	/usr/X11R7/lib/X11/fonts/TTF/,
	/usr/X11R7/lib/X11/fonts/Type1/,
	/usr/X11R7/lib/X11/fonts/75dpi/,
	/usr/X11R7/lib/X11/fonts/100dpi/,
	/usr/pkg/share/fonts/X11/misc/,
	/usr/pkg/share/fonts/X11/TTF/
[    24.417] (**) ModulePath set to "/usr/X11R7/lib/modules"
[    24.418] (WW) Hotplugging is on, devices using drivers 'kbd', 'mouse' or 'vmmouse' will be disabled.
[    24.418] (WW) Disabling Mouse0
[    24.418] (WW) Disabling Keyboard0
[    24.418] (II) Loader magic: 0x1af6687a0
[    24.418] (II) Module ABI versions:
[    24.418] 	X.Org ANSI C Emulation: 0.4
[    24.418] 	X.Org Video Driver: 25.2
[    24.418] 	X.Org XInput driver : 24.4
[    24.418] 	X.Org Server Extension : 10.0
[    24.440] (--) PCI:*(1@1:0:0) 1002:68f9:1002:010a rev 0, Mem @ 0x90000000/268435456, 0xa0220000/131072, I/O @ 0x00003000/256, BIOS @ 0x????????/131072
[    24.440] (II) "glx" will be loaded. This was enabled by default and also specified in the config file.
[    24.440] (II) LoadModule: "dbe"
[    24.440] (II) Module "dbe" already built-in
[    24.440] (II) LoadModule: "dri"
[    24.440] (II) Module "dri" already built-in
[    24.440] (II) LoadModule: "extmod"
[    24.440] (II) Module "extmod" already built-in
[    24.440] (II) LoadModule: "glx"
[    24.468] (II) Loading /usr/X11R7/lib/modules/extensions/libglx.so
[    24.529] (II) Module glx: vendor="X.Org Foundation"
[    24.529] 	compiled for 1.21.1.9, module version = 1.0.0
[    24.529] 	ABI class: X.Org Server Extension, version 10.0
[    24.529] (II) LoadModule: "record"
[    24.529] (II) Module "record" already built-in
[    24.529] (II) LoadModule: "shadow"
[    24.529] (II) Loading /usr/X11R7/lib/modules/extensions/libshadow.so
[    24.530] (II) Module shadow: vendor="X.Org Foundation"
[    24.530] 	compiled for 1.21.1.9, module version = 1.1.0
[    24.530] 	ABI class: X.Org ANSI C Emulation, version 0.4
[    24.530] (II) LoadModule: "dri2"
[    24.530] (II) Module "dri2" already built-in
[    24.530] (II) LoadModule: "modesetting"
[    24.530] (II) Loading /usr/X11R7/lib/modules/drivers/modesetting_drv.so
[    24.533] (II) Module modesetting: vendor="X.Org Foundation"
[    24.533] 	compiled for 1.21.1.9, module version = 1.21.1
[    24.533] 	Module class: X.Org Video Driver
[    24.533] 	ABI class: X.Org Video Driver, version 25.2
[    24.533] (II) modesetting: Driver for Modesetting Kernel Drivers: kms
[    24.534] (--) Using wscons driver on /dev/ttyE4 in pcvt compatibility mode (version 3.32)
[    24.534] (--) using VT number 5
[    24.542] (**) modeset(0): claimed PCI slot 1@1:0:0
[    24.542] (II) modeset(0): using default device
[    24.542] (WW) VGA arbiter: cannot open kernel arbiter, no multi-card support
[    24.542] (==) modeset(0): Depth 24, (==) framebuffer bpp 32
[    24.542] (==) modeset(0): RGB weight 888
[    24.542] (==) modeset(0): Default visual is TrueColor
[    24.542] (II) Loading sub module "glamoregl"
[    24.542] (II) LoadModule: "glamoregl"
[    24.543] (II) Loading /usr/X11R7/lib/modules/libglamoregl.so
[    24.571] (II) Module glamoregl: vendor="X.Org Foundation"
[    24.571] 	compiled for 1.21.1.9, module version = 1.0.1
[    24.571] 	ABI class: X.Org ANSI C Emulation, version 0.4
[    27.871] (II) modeset(0): glamor X acceleration enabled on AMD CEDAR (DRM 2.50.0 / 10.0, LLVM 13.0.0)
[    27.871] (II) modeset(0): glamor initialized
[    27.871] (==) modeset(0): VariableRefresh: disabled
[    27.871] (==) modeset(0): AsyncFlipSecondaries: disabled
[    27.880] (II) modeset(0): Output HDMI-1 using monitor section Monitor0
[    27.903] (II) modeset(0): Output DVI-I-1 has no monitor section
[    27.908] (II) modeset(0): Output VGA-1 has no monitor section
[    27.943] (II) modeset(0): EDID for output HDMI-1
[    27.965] (II) modeset(0): EDID for output DVI-I-1
[    27.965] (II) modeset(0): Manufacturer: ACI  Model: 24d1  Serial#: 16843009
[    27.965] (II) modeset(0): Year: 2014  Week: 44
[    27.965] (II) modeset(0): EDID Version: 1.3
[    27.965] (II) modeset(0): Digital Display Input
[    27.965] (II) modeset(0): Max Image Size [cm]: horiz.: 52  vert.: 32
[    27.965] (II) modeset(0): Gamma: 2.20
[    27.965] (II) modeset(0): DPMS capabilities: StandBy Suspend Off
[    27.965] (II) modeset(0): Supported color encodings: RGB 4:4:4 YCrCb 4:4:4 
[    27.965] (II) modeset(0): First detailed timing is preferred mode
[    27.965] (II) modeset(0): redX: 0.653 redY: 0.332   greenX: 0.304 greenY: 0.633
[    27.965] (II) modeset(0): blueX: 0.150 blueY: 0.064   whiteX: 0.313 whiteY: 0.329
[    27.965] (II) modeset(0): Supported established timings:
[    27.965] (II) modeset(0): 640x480@60Hz
[    27.965] (II) modeset(0): 800x600@56Hz
[    27.965] (II) modeset(0): 800x600@60Hz
[    27.965] (II) modeset(0): 1024x768@60Hz
[    27.965] (II) modeset(0): Manufacturer's mask: 0
[    27.965] (II) modeset(0): Supported standard timings:
[    27.965] (II) modeset(0): #0: hsize: 1280  vsize 1024  refresh: 60  vid: 32897
[    27.965] (II) modeset(0): #1: hsize: 1280  vsize 960  refresh: 60  vid: 16513
[    27.965] (II) modeset(0): #2: hsize: 1440  vsize 900  refresh: 60  vid: 149
[    27.965] (II) modeset(0): #3: hsize: 1600  vsize 1200  refresh: 60  vid: 16553
[    27.965] (II) modeset(0): #4: hsize: 1680  vsize 1050  refresh: 60  vid: 179
[    27.965] (II) modeset(0): #5: hsize: 1920  vsize 1080  refresh: 60  vid: 49361
[    27.965] (II) modeset(0): Supported detailed timing:
[    27.965] (II) modeset(0): clock: 154.0 MHz   Image Size:  518 x 324 mm
[    27.965] (II) modeset(0): h_active: 1920  h_sync: 1968  h_sync_end 2000 h_blank_end 2080 h_border: 0
[    27.965] (II) modeset(0): v_active: 1200  v_sync: 1203  v_sync_end 1209 v_blanking: 1235 v_border: 0
[    27.965] (II) modeset(0): Ranges: V min: 50 V max: 61 Hz, H min: 30 H max: 83 kHz, PixClock max 175 MHz
[    27.965] (II) modeset(0): Monitor name: VS24A
[    27.966] (II) modeset(0): Serial No: EALMQS141527
[    27.966] (II) modeset(0): EDID (in hex):
[    27.966] (II) modeset(0): 	00ffffffffffff000469d12401010101
[    27.966] (II) modeset(0): 	2c18010380342078ea4ca5a7554da226
[    27.966] (II) modeset(0): 	105054230800818081409500a940b300
[    27.966] (II) modeset(0): 	d1c001010101283c80a070b023403020
[    27.966] (II) modeset(0): 	360006442100001a000000fd00323d1e
[    27.966] (II) modeset(0): 	5311000a202020202020000000fc0056
[    27.966] (II) modeset(0): 	533234410a20202020202020000000ff
[    27.966] (II) modeset(0): 	0045414c4d51533134313532370a00b9
[    27.966] (II) modeset(0): Not using default mode "1440x810" (bad mode clock/interlace/doublescan)
[    27.966] (II) modeset(0): Not using default mode "1600x900" (bad mode clock/interlace/doublescan)
[    27.966] (II) modeset(0): Not using default mode "1600x900" (bad mode clock/interlace/doublescan)
[    27.966] (II) modeset(0): Not using default mode "1920x1080" (bad mode clock/interlace/doublescan)
[    27.966] (II) modeset(0): Not using default mode "1920x1080" (bad mode clock/interlace/doublescan)
[    27.966] (II) modeset(0): Not using default mode "1920x1200" (bad mode clock/interlace/doublescan)
[    27.966] (II) modeset(0): Printing probed modes for output DVI-I-1
[    27.966] (II) modeset(0): Modeline "1920x1200"x60.0  154.00  1920 1968 2000 2080  1200 1203 1209 1235 +hsync -vsync (74.0 kHz UeP)
[    27.966] (II) modeset(0): Modeline "1920x1080"x60.0  173.00  1920 2048 2248 2576  1080 1083 1088 1120 -hsync +vsync (67.2 kHz d)
[    27.966] (II) modeset(0): Modeline "1920x1080"x60.0  148.50  1920 2008 2052 2200  1080 1084 1089 1125 -hsync -vsync (67.5 kHz e)
[    27.966] (II) modeset(0): Modeline "1920x1080"x59.9  138.50  1920 1968 2000 2080  1080 1083 1088 1111 +hsync -vsync (66.6 kHz d)
[    27.966] (II) modeset(0): Modeline "1600x1200"x60.0  162.00  1600 1664 1856 2160  1200 1201 1204 1250 +hsync +vsync (75.0 kHz e)
[    27.966] (II) modeset(0): Modeline "1680x1050"x60.0  146.25  1680 1784 1960 2240  1050 1053 1059 1089 -hsync +vsync (65.3 kHz d)
[    27.966] (II) modeset(0): Modeline "1680x1050"x59.9  119.00  1680 1728 1760 1840  1050 1053 1059 1080 +hsync -vsync (64.7 kHz e)
[    27.966] (II) modeset(0): Modeline "1400x1050"x60.0  122.00  1400 1488 1640 1880  1050 1052 1064 1082 +hsync +vsync (64.9 kHz d)
[    27.966] (II) modeset(0): Modeline "1600x900"x59.9  118.25  1600 1696 1856 2112  900 903 908 934 -hsync +vsync (56.0 kHz d)
[    27.966] (II) modeset(0): Modeline "1600x900"x59.8   97.50  1600 1648 1680 1760  900 903 908 926 +hsync -vsync (55.4 kHz d)
[    27.966] (II) modeset(0): Modeline "1280x1024"x60.0  108.00  1280 1328 1440 1688  1024 1025 1028 1066 +hsync +vsync (64.0 kHz e)
[    27.966] (II) modeset(0): Modeline "1440x900"x59.9   88.75  1440 1488 1520 1600  900 903 909 926 +hsync -vsync (55.5 kHz e)
[    27.966] (II) modeset(0): Modeline "1400x900"x60.0  103.50  1400 1480 1624 1848  900 903 913 934 -hsync +vsync (56.0 kHz d)
[    27.966] (II) modeset(0): Modeline "1400x900"x59.9   86.50  1400 1448 1480 1560  900 903 913 926 +hsync -vsync (55.4 kHz d)
[    27.966] (II) modeset(0): Modeline "1280x960"x60.0  108.00  1280 1376 1488 1800  960 961 964 1000 +hsync +vsync (60.0 kHz e)
[    27.966] (II) modeset(0): Modeline "1440x810"x60.0  151.88  1440 1464 1480 1520  810 811 814 833 doublescan +hsync -vsync (99.9 kHz d)
[    27.966] (II) modeset(0): Modeline "1368x768"x59.9   85.25  1368 1440 1576 1784  768 771 781 798 -hsync +vsync (47.8 kHz d)
[    27.966] (II) modeset(0): Modeline "1368x768"x59.9   72.25  1368 1416 1448 1528  768 771 781 790 +hsync -vsync (47.3 kHz d)
[    27.966] (II) modeset(0): Modeline "1280x800"x60.0  174.25  1280 1380 1516 1752  800 801 804 829 doublescan -hsync +vsync (99.5 kHz d)
[    27.966] (II) modeset(0): Modeline "1280x800"x60.0  134.25  1280 1304 1320 1360  800 801 804 823 doublescan +hsync -vsync (98.7 kHz d)
[    27.966] (II) modeset(0): Modeline "1280x800"x59.8   83.50  1280 1352 1480 1680  800 803 809 831 -hsync +vsync (49.7 kHz d)
[    27.966] (II) modeset(0): Modeline "1280x800"x59.9   71.00  1280 1328 1360 1440  800 803 809 823 +hsync -vsync (49.3 kHz d)
[    27.966] (II) modeset(0): Modeline "1280x720"x60.0  156.12  1280 1376 1512 1744  720 721 724 746 doublescan -hsync +vsync (89.5 kHz d)
[    27.966] (II) modeset(0): Modeline "1280x720"x60.0  120.75  1280 1304 1320 1360  720 721 724 740 doublescan +hsync -vsync (88.8 kHz d)
[    27.966] (II) modeset(0): Modeline "1280x720"x59.9   74.50  1280 1344 1472 1664  720 723 728 748 -hsync +vsync (44.8 kHz d)
[    27.966] (II) modeset(0): Modeline "1280x720"x59.7   63.75  1280 1328 1360 1440  720 723 728 741 +hsync -vsync (44.3 kHz d)
[    27.966] (II) modeset(0): Modeline "1024x768"x60.0  133.47  1024 1100 1212 1400  768 768 770 794 doublescan -hsync +vsync (95.3 kHz d)
[    27.966] (II) modeset(0): Modeline "1024x768"x60.0   65.00  1024 1048 1184 1344  768 771 777 806 -hsync -vsync (48.4 kHz e)
[    27.966] (II) modeset(0): Modeline "960x720"x60.0  117.00  960 1024 1128 1300  720 720 722 750 doublescan -hsync +vsync (90.0 kHz d)
[    27.966] (II) modeset(0): Modeline "928x696"x60.1  109.15  928 976 1088 1264  696 696 698 719 doublescan -hsync +vsync (86.4 kHz d)
[    27.966] (II) modeset(0): Modeline "896x672"x60.0  102.40  896 960 1060 1224  672 672 674 697 doublescan -hsync +vsync (83.7 kHz d)
[    27.966] (II) modeset(0): Modeline "1024x576"x60.0   98.50  1024 1092 1200 1376  576 577 580 597 doublescan -hsync +vsync (71.6 kHz d)
[    27.966] (II) modeset(0): Modeline "1024x576"x60.0   78.38  1024 1048 1064 1104  576 577 580 592 doublescan +hsync -vsync (71.0 kHz d)
[    27.966] (II) modeset(0): Modeline "1024x576"x59.9   46.50  1024 1064 1160 1296  576 579 584 599 -hsync +vsync (35.9 kHz d)
[    27.966] (II) modeset(0): Modeline "1024x576"x59.8   42.00  1024 1072 1104 1184  576 579 584 593 +hsync -vsync (35.5 kHz d)
[    27.966] (II) modeset(0): Modeline "960x600"x59.9   96.62  960 1028 1128 1296  600 601 604 622 doublescan -hsync +vsync (74.6 kHz d)
[    27.966] (II) modeset(0): Modeline "960x600"x60.0   77.00  960 984 1000 1040  600 601 604 617 doublescan +hsync -vsync (74.0 kHz d)
[    27.966] (II) modeset(0): Modeline "960x540"x60.0   86.50  960 1024 1124 1288  540 541 544 560 doublescan -hsync +vsync (67.2 kHz d)
[    27.966] (II) modeset(0): Modeline "960x540"x60.0   69.25  960 984 1000 1040  540 541 544 555 doublescan +hsync -vsync (66.6 kHz d)
[    27.966] (II) modeset(0): Modeline "960x540"x59.6   40.75  960 992 1088 1216  540 543 548 562 -hsync +vsync (33.5 kHz d)
[    27.966] (II) modeset(0): Modeline "960x540"x59.8   37.25  960 1008 1040 1120  540 543 548 556 +hsync -vsync (33.3 kHz d)
[    27.966] (II) modeset(0): Modeline "800x600"x60.0   81.00  800 832 928 1080  600 600 602 625 doublescan +hsync +vsync (75.0 kHz d)
[    27.966] (II) modeset(0): Modeline "800x600"x60.3   40.00  800 840 968 1056  600 601 605 628 +hsync +vsync (37.9 kHz e)
[    27.966] (II) modeset(0): Modeline "800x600"x56.2   36.00  800 824 896 1024  600 601 603 625 +hsync +vsync (35.2 kHz e)
[    27.966] (II) modeset(0): Modeline "840x525"x60.0   73.12  840 892 980 1120  525 526 529 544 doublescan -hsync +vsync (65.3 kHz d)
[    27.966] (II) modeset(0): Modeline "840x525"x59.9   59.50  840 864 880 920  525 526 529 540 doublescan +hsync -vsync (64.7 kHz d)
[    27.966] (II) modeset(0): Modeline "864x486"x59.9   32.50  864 888 968 1072  486 489 494 506 -hsync +vsync (30.3 kHz d)
[    27.966] (II) modeset(0): Modeline "864x486"x59.6   30.50  864 912 944 1024  486 489 494 500 +hsync -vsync (29.8 kHz d)
[    27.966] (II) modeset(0): Modeline "700x525"x60.0   61.00  700 744 820 940  525 526 532 541 doublescan +hsync +vsync (64.9 kHz d)
[    27.966] (II) modeset(0): Modeline "800x450"x59.9   59.12  800 848 928 1056  450 451 454 467 doublescan -hsync +vsync (56.0 kHz d)
[    27.966] (II) modeset(0): Modeline "800x450"x59.8   48.75  800 824 840 880  450 451 454 463 doublescan +hsync -vsync (55.4 kHz d)
[    27.966] (II) modeset(0): Modeline "640x512"x60.0   54.00  640 664 720 844  512 512 514 533 doublescan +hsync +vsync (64.0 kHz d)
[    27.966] (II) modeset(0): Modeline "700x450"x60.0   51.75  700 740 812 924  450 451 456 467 doublescan -hsync +vsync (56.0 kHz d)
[    27.966] (II) modeset(0): Modeline "700x450"x59.9   43.25  700 724 740 780  450 451 456 463 doublescan +hsync -vsync (55.4 kHz d)
[    27.966] (II) modeset(0): Modeline "640x480"x60.0   54.00  640 688 744 900  480 480 482 500 doublescan +hsync +vsync (60.0 kHz d)
[    27.966] (II) modeset(0): Modeline "640x480"x59.9   25.18  640 656 752 800  480 490 492 525 -hsync -vsync (31.5 kHz e)
[    27.966] (II) modeset(0): Modeline "720x405"x59.5   22.50  720 744 808 896  405 408 413 422 -hsync +vsync (25.1 kHz d)
[    27.966] (II) modeset(0): Modeline "720x405"x59.0   21.75  720 768 800 880  405 408 413 419 +hsync -vsync (24.7 kHz d)
[    27.966] (II) modeset(0): Modeline "684x384"x59.9   42.62  684 720 788 892  384 385 390 399 doublescan -hsync +vsync (47.8 kHz d)
[    27.966] (II) modeset(0): Modeline "684x384"x59.9   36.12  684 708 724 764  384 385 390 395 doublescan +hsync -vsync (47.3 kHz d)
[    27.966] (II) modeset(0): Modeline "640x400"x59.9   41.75  640 676 740 840  400 401 404 415 doublescan -hsync +vsync (49.7 kHz d)
[    27.966] (II) modeset(0): Modeline "640x400"x60.0   35.50  640 664 680 720  400 401 404 411 doublescan +hsync -vsync (49.3 kHz d)
[    27.966] (II) modeset(0): Modeline "640x360"x59.9   37.25  640 672 736 832  360 361 364 374 doublescan -hsync +vsync (44.8 kHz d)
[    27.966] (II) modeset(0): Modeline "640x360"x59.8   31.88  640 664 680 720  360 361 364 370 doublescan +hsync -vsync (44.3 kHz d)
[    27.966] (II) modeset(0): Modeline "640x360"x59.8   18.00  640 664 720 800  360 363 368 376 -hsync +vsync (22.5 kHz d)
[    27.966] (II) modeset(0): Modeline "640x360"x59.3   17.75  640 688 720 800  360 363 368 374 +hsync -vsync (22.2 kHz d)
[    27.966] (II) modeset(0): Modeline "512x384"x60.0   32.50  512 524 592 672  384 385 388 403 doublescan -hsync -vsync (48.4 kHz d)
[    27.966] (II) modeset(0): Modeline "512x288"x60.0   23.25  512 532 580 648  288 289 292 299 doublescan -hsync +vsync (35.9 kHz d)
[    27.966] (II) modeset(0): Modeline "512x288"x59.9   21.00  512 536 552 592  288 289 292 296 doublescan +hsync -vsync (35.5 kHz d)
[    27.966] (II) modeset(0): Modeline "480x270"x59.6   20.38  480 496 544 608  270 271 274 281 doublescan -hsync +vsync (33.5 kHz d)
[    27.966] (II) modeset(0): Modeline "480x270"x59.8   18.62  480 504 520 560  270 271 274 278 doublescan +hsync -vsync (33.3 kHz d)
[    27.966] (II) modeset(0): Modeline "400x300"x60.3   20.00  400 420 484 528  300 300 302 314 doublescan +hsync +vsync (37.9 kHz d)
[    27.966] (II) modeset(0): Modeline "400x300"x56.3   18.00  400 412 448 512  300 300 301 312 doublescan +hsync +vsync (35.2 kHz d)
[    27.966] (II) modeset(0): Modeline "432x243"x59.9   16.25  432 444 484 536  243 244 247 253 doublescan -hsync +vsync (30.3 kHz d)
[    27.966] (II) modeset(0): Modeline "432x243"x59.6   15.25  432 456 472 512  243 244 247 250 doublescan +hsync -vsync (29.8 kHz d)
[    27.966] (II) modeset(0): Modeline "320x240"x60.1   12.59  320 328 376 400  240 245 246 262 doublescan -hsync -vsync (31.5 kHz d)
[    27.966] (II) modeset(0): Modeline "360x202"x59.5   11.25  360 372 404 448  202 204 206 211 doublescan -hsync +vsync (25.1 kHz d)
[    27.966] (II) modeset(0): Modeline "360x202"x59.1   10.88  360 384 400 440  202 204 206 209 doublescan +hsync -vsync (24.7 kHz d)
[    27.966] (II) modeset(0): Modeline "320x180"x59.8    9.00  320 332 360 400  180 181 184 188 doublescan -hsync +vsync (22.5 kHz d)
[    27.966] (II) modeset(0): Modeline "320x180"x59.3    8.88  320 344 360 400  180 181 184 187 doublescan +hsync -vsync (22.2 kHz d)
[    27.972] (II) modeset(0): EDID for output VGA-1
[    27.972] (II) modeset(0): Output HDMI-1 disconnected
[    27.972] (II) modeset(0): Output DVI-I-1 connected
[    27.972] (II) modeset(0): Output VGA-1 disconnected
[    27.972] (II) modeset(0): Using user preference for initial modes
[    27.972] (II) modeset(0): Output DVI-I-1 using initial mode 1920x1200 +0+0
[    27.972] (==) modeset(0): Using gamma correction (1.0, 1.0, 1.0)
[    27.972] (==) modeset(0): DPI set to (96, 96)
[    27.972] (II) Loading sub module "fb"
[    27.972] (II) LoadModule: "fb"
[    27.972] (II) Module "fb" already built-in
[    28.635] (==) modeset(0): Backing store enabled
[    28.635] (==) modeset(0): Silken mouse enabled
[    28.673] (II) modeset(0): Initializing kms color map for depth 24, 8 bpc.
[    28.697] (**) modeset(0): DPMS enabled
[    28.713] (II) modeset(0): [DRI2] Setup complete
[    28.713] (II) modeset(0): [DRI2]   DRI driver: r600
[    28.713] (II) modeset(0): [DRI2]   VDPAU driver: r600
[    28.738] (II) Initializing extension Generic Event Extension
[    28.739] (II) Initializing extension SHAPE
[    28.739] (II) Initializing extension MIT-SHM
[    28.739] (II) Initializing extension XInputExtension
[    28.744] (II) Initializing extension XTEST
[    28.744] (II) Initializing extension BIG-REQUESTS
[    28.744] (II) Initializing extension SYNC
[    28.744] (II) Initializing extension XKEYBOARD
[    28.744] (II) Initializing extension XC-MISC
[    28.744] (II) Initializing extension SECURITY
[    28.745] (II) Initializing extension XFIXES
[    28.745] (II) Initializing extension XFree86-Bigfont
[    28.745] (II) Initializing extension RENDER
[    28.745] (II) Initializing extension RANDR
[    28.745] (II) Initializing extension COMPOSITE
[    28.746] (II) Initializing extension DAMAGE
[    28.746] (II) Initializing extension MIT-SCREEN-SAVER
[    28.746] (II) Initializing extension DOUBLE-BUFFER
[    28.746] (II) Initializing extension RECORD
[    28.746] (II) Initializing extension DPMS
[    28.746] (II) Initializing extension Present
[    28.747] (II) Initializing extension DRI3
[    28.747] (II) Initializing extension X-Resource
[    28.747] (II) Initializing extension XVideo
[    28.747] (II) Initializing extension XVideo-MotionCompensation
[    28.747] (II) Initializing extension GLX
[    28.749] (II) AIGLX: Loaded and initialized r600
[    28.749] (II) GLX: Initialized DRI2 GL provider for screen 0
[    28.749] (II) Initializing extension XFree86-VidModeExtension
[    28.750] (II) Initializing extension XFree86-DGA
[    28.750] (II) Initializing extension XFree86-DRI
[    28.753] (II) Initializing extension DRI2
[    28.865] (II) modeset(0): Damage tracking initialized
[    28.865] (II) modeset(0): Setting screen physical size to 508 x 317
[    30.389] (II) config/wscons: checking input device /dev/wskbd
[    30.389] (II) wskbd: ignoring "user" layout
[    30.389] (**) /dev/wskbd: Applying InputClass "system-keyboard"
[    30.389] (II) LoadModule: "kbd"
[    30.389] (II) Loading /usr/X11R7/lib/modules/drivers/kbd_drv.so
[    30.413] (II) Module kbd: vendor="X.Org Foundation"
[    30.413] 	compiled for 1.21.1.9, module version = 2.0.0
[    30.413] 	Module class: X.Org XInput Driver
[    30.413] 	ABI class: X.Org XInput driver, version 24.4
[    30.413] (II) Using input driver 'kbd' for '/dev/wskbd'
[    30.413] (**) /dev/wskbd: always reports core events
[    30.413] (**) /dev/wskbd: always reports core events
[    30.413] (**) Option "Protocol" "standard"
[    30.413] (**) Option "XkbRules" "base"
[    30.413] (**) Option "XkbModel" "pc105"
[    30.413] (**) Option "XkbLayout" "us"
[    30.413] (**) Option "XkbOptions" "ctrl:swapcaps,compose:menu,terminate:ctrl_alt_bksp"
[    30.413] (II) XINPUT: Adding extended input device "/dev/wskbd" (type: KEYBOARD, id 6)
[    30.510] (II) config/wscons: checking input device /dev/wsmouse
[    30.510] (II) LoadModule: "ws"
[    30.511] (II) Loading /usr/X11R7/lib/modules/drivers/ws_drv.so
[    30.537] (II) Module ws: vendor="X.Org Foundation"
[    30.537] 	compiled for 1.21.1.9, module version = 1.3.0
[    30.537] 	Module class: X.Org XInput Driver
[    30.537] 	ABI class: X.Org XInput driver, version 24.4
[    30.537] (II) Using input driver 'ws' for '/dev/wsmouse'
[    30.537] (**) /dev/wsmouse: always reports core events
[    30.537] (II) /dev/wsmouse: debuglevel 0
[    30.537] (**) /dev/wsmouse: ZAxisMapping: buttons 4 and 5
[    30.537] (**) /dev/wsmouse associated screen: 0
[    30.537] (**) Option "Device" "/dev/wsmouse"
[    30.537] (II) /dev/wsmouse minimum x position: 0
[    30.537] (II) /dev/wsmouse maximum x position: 1919
[    30.537] (II) /dev/wsmouse minimum y position: 0
[    30.537] (II) /dev/wsmouse maximum y position: 1199
[    30.537] (**) /dev/wsmouse: Buttons: 5
[    30.537] (II) XINPUT: Adding extended input device "/dev/wsmouse" (type: MOUSE, id 7)
[    30.537] (**) /dev/wsmouse: (accel) keeping acceleration scheme 1
[    30.537] (**) /dev/wsmouse: (accel) acceleration profile 0
[    30.537] (**) /dev/wsmouse: (accel) acceleration factor: 2.000
[    30.537] (**) /dev/wsmouse: (accel) acceleration threshold: 4
[    31.833] (II) modeset(0): Disabling kernel dirty updates, not required.
[  3013.766] (II) modeset(0): EDID vendor "ACI", prod id 9425
[  3013.772] (II) modeset(0): Using EDID range info for horizontal sync
[  3013.772] (II) modeset(0): Using EDID range info for vertical refresh
[  3013.772] (II) modeset(0): Printing DDC gathered Modelines:
[  3013.772] (II) modeset(0): Modeline "1920x1200"x0.0  154.00  1920 1968 2000 2080  1200 1203 1209 1235 +hsync -vsync (74.0 kHz eP)
[  3013.772] (II) modeset(0): Modeline "800x600"x0.0   40.00  800 840 968 1056  600 601 605 628 +hsync +vsync (37.9 kHz e)
[  3013.772] (II) modeset(0): Modeline "800x600"x0.0   36.00  800 824 896 1024  600 601 603 625 +hsync +vsync (35.2 kHz e)
[  3013.772] (II) modeset(0): Modeline "640x480"x0.0   25.18  640 656 752 800  480 490 492 525 -hsync -vsync (31.5 kHz e)
[  3013.772] (II) modeset(0): Modeline "1024x768"x0.0   65.00  1024 1048 1184 1344  768 771 777 806 -hsync -vsync (48.4 kHz e)
[  3013.772] (II) modeset(0): Modeline "1280x1024"x0.0  108.00  1280 1328 1440 1688  1024 1025 1028 1066 +hsync +vsync (64.0 kHz e)
[  3013.772] (II) modeset(0): Modeline "1280x960"x0.0  108.00  1280 1376 1488 1800  960 961 964 1000 +hsync +vsync (60.0 kHz e)
[  3013.772] (II) modeset(0): Modeline "1440x900"x0.0   88.75  1440 1488 1520 1600  900 903 909 926 +hsync -vsync (55.5 kHz e)
[  3013.772] (II) modeset(0): Modeline "1600x1200"x0.0  162.00  1600 1664 1856 2160  1200 1201 1204 1250 +hsync +vsync (75.0 kHz e)
[  3013.772] (II) modeset(0): Modeline "1680x1050"x0.0  119.00  1680 1728 1760 1840  1050 1053 1059 1080 +hsync -vsync (64.7 kHz e)
[  3013.772] (II) modeset(0): Modeline "1920x1080"x60.0  172.80  1920 2040 2248 2576  1080 1081 1084 1118 -hsync +vsync (67.1 kHz e)
[  3838.421] (II) AIGLX: Suspending AIGLX clients for VT switch
[  3860.232] (II) AIGLX: Resuming AIGLX clients after VT switch

...more copies of modelines at several times...

[108332.584] (EE) 
[108332.584] (EE) Backtrace:
[108332.695] (EE) 0: /usr/X11R7/bin/X (xorg_backtrace+0x44) [0x1af3b2575]
[108332.695] (EE) 1: /usr/X11R7/bin/X (os_move_fd+0x79) [0x1af3ae315]
[108332.695] (EE) 2: /usr/lib/libc.so.12 (__sigtramp_siginfo_2+0x0) [0x7b307517ee80]
[108332.695] (EE) 3: /usr/X11R7/lib/modules/libglamoregl.so (glamor_download_pixmap+0x248) [0x7b306e213595]
[108332.695] (EE) 4: /usr/X11R7/lib/modules/libglamoregl.so (glamor_download_pixmap+0xadb) [0x7b306e213e28]
[108332.695] (EE) 5: /usr/X11R7/lib/modules/libglamoregl.so (glamor_image_text8+0x30) [0x7b306e213fa9]
[108332.695] (EE) 6: /usr/X11R7/bin/X (DamageRegionAppend+0x1064) [0x1af35fbbe]
[108332.695] (EE) 7: /usr/X11R7/bin/X (DeliverRawEvent+0x1cf2) [0x1af27e6b5]
[108332.695] (EE) 8: /usr/X11R7/bin/X (ImageText+0x3a) [0x1af27f8df]
[108332.695] (EE) 9: /usr/X11R7/bin/X (ProcImageText8+0xe2) [0x1af28395b]
[108332.695] (EE) 10: /usr/X11R7/bin/X (Dispatch+0x264) [0x1af285c2e]
[108332.695] (EE) 11: /usr/X11R7/bin/X (dix_main+0x36f) [0x1af255e1f]
[108332.695] (EE) 
[108332.695] (EE) Segmentation fault at address 0x7b3070f7e000
[108332.695] (EE) 
Fatal server error:
[108332.695] (EE) Caught signal 11 (Segmentation fault). Server aborting
[108332.695] (EE) 
[108332.695] (EE) 
Please consult the The X.Org Foundation support 
	 at http://wiki.x.org
 for help. 
[108332.695] (EE) Please also check the log file at "/var/log/Xorg.0.log" for additional information.
[108332.695] (EE) 
[108332.715] (EE) WS: unknown command 4
[108332.715] (II) AIGLX: Suspending AIGLX clients for VT switch
[108332.836] (EE) Server terminated with error (1). Closing log file.

Extract from /var/run/dmesg.boot:

Copyright (c) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003,
    2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013,
    2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021, 2022, 2023,
    2024
    The NetBSD Foundation, Inc.  All rights reserved.
Copyright (c) 1982, 1986, 1989, 1991, 1993
    The Regents of the University of California.  All rights reserved.

NetBSD 10.0 (GENERIC) #0: Thu Mar 28 08:33:33 UTC 2024
	mkrepro@mkrepro.NetBSD.org:/usr/src/sys/arch/amd64/compile/GENERIC
total memory = 65453 MB
avail memory = 63309 MB

pci0 at mainbus0 bus 0: configuration mode 1
pci0: i/o space, memory space enabled, rd/line, rd/mult, wr/inv ok
pchb0 at pci0 dev 0 function 0: Intel Core 8G (S) Host Bridge, DRAM (rev. 0x0d)
ppb0 at pci0 dev 1 function 0: Intel Core 6G PCIe x16 (rev. 0x0d)
ppb0: PCI Express capability version 2 <Root Port of PCI-E Root Complex> x16 @ 8.0GT/s
pci1 at ppb0 bus 1
pci1: i/o space, memory space enabled, rd/line, wr/inv ok
radeon0 at pci1 dev 0 function 0: ATI Technologies Radeon HD 5000/6000/7350/8350 Series (rev. 0x00)
...
[drm] initializing kernel modesetting (CEDAR 0x1002:0x68F9 0x1002:0x010A 0x00).
[drm] register mmio base: 0xa0220000
[drm] register mmio size: 131072
ATOM BIOS: BASS
radeon0: VRAM: 1024M 0x0000000000000000 - 0x000000003FFFFFFF (1024M used)
radeon0: GTT: 1024M 0x0000000040000000 - 0x000000007FFFFFFF
[drm] Detected VRAM RAM=400M, BAR=256M
[drm] RAM width 64bits DDR
Zone  kernel: Available graphics memory: 9007199252293626 KiB
Zone   dma32: Available graphics memory: 2097152 KiB
[drm] radeon: 1024M of VRAM memory ready
[drm] radeon: 1024M of GTT memory ready.
[drm] Loading CEDAR Microcode
[drm] Internal thermal controller with fan control
[drm] radeon: dpm initialized
[drm] GART: num cpu pages 262144, num gpu pages 262144
[drm] PCIE GART of 1024M enabled (table at 0x000000000014C000).
radeon0: WB enabled
radeon0: fence driver on ring 0 use gpu addr 0x0000000040000c00 and cpu addr 0x0xffffd5d0e86d3c00
radeon0: fence driver on ring 3 use gpu addr 0x0000000040000c0c and cpu addr 0x0xffffd5d0e86d3c0c
radeon0: fence driver on ring 5 use gpu addr 0x000000000005c418 and cpu addr 0x0xffffac90a7b4c418
[drm] Supports vblank timestamp caching Rev 2 (21.10.2013).
[drm] Driver supports precise vblank timestamp query.
radeon0: radeon: MSI limited to 32-bit
radeon0: radeon: using MSI.
radeon0: interrupting at msi6 vec 0 (radeon0)
[drm] radeon: irq initialized.
[drm] ring test on 0 succeeded in 1 usecs
[drm] ring test on 3 succeeded in 2 usecs
[drm] ring test on 5 succeeded in 1 usecs
[drm] UVD initialized successfully.
[drm] ib test on ring 0 succeeded in 0 usecs
[drm] ib test on ring 3 succeeded in 0 usecs
[drm] ib test on ring 5 succeeded
[drm] Radeon Display Connectors
[drm] Connector 0:
[drm]   HDMI-A-1
[drm]   HPD2
[drm]   DDC: 0x6460 0x6460 0x6464 0x6464 0x6468 0x6468 0x646c 0x646c
[drm]   Encoders:
[drm]     DFP1: INTERNAL_UNIPHY1
[drm] Connector 1:
[drm]   DVI-I-1
[drm]   HPD4
[drm]   DDC: 0x6450 0x6450 0x6454 0x6454 0x6458 0x6458 0x645c 0x645c
[drm]   Encoders:
[drm]     DFP2: INTERNAL_UNIPHY
[drm] Connector 2:
[drm]   VGA-1
[drm]   DDC: 0x6430 0x6430 0x6434 0x6434 0x6438 0x6438 0x643c 0x643c
[drm]   Encoders:
[drm]     CRT1: INTERNAL_KLDSCP_DAC1
radeondrmkmsfb0 at radeon0
[drm] Initialized radeon 2.50.0 20080528 for radeon0 on minor 0
radeondrmkmsfb0: framebuffer at 0x9034d000, size 1920x1200, depth 32, stride 7680
wsdisplay0 at radeondrmkmsfb0 kbdmux 1: console (default, vt100 emulation), using wskbd0
wsmux1: connecting to wsdisplay0

>How-To-Repeat:
    Not known...
>Fix:
    Not known...

-Olaf.
-- 
___ Olaf 'Rhialto' Seibert                            <rhialto/at/falu.nl>
\X/ There is no AI. There is just someone else's work.           --I. Rose

>Release-Note:

>Audit-Trail:
From: matthew green <mrg@eterna23.net>
To: gnats-bugs@netbsd.org
Cc: xsrc-manager@netbsd.org, gnats-admin@netbsd.org,
    netbsd-bugs@netbsd.org
Subject: re: xsrc/58133: X server crashes; radeon 5450; modesetting
Date: Wed, 10 Apr 2024 14:44:59 +1000

 > glamor_text(DrawablePtr drawable, GCPtr gc,
 >             glamor_font_t *glamor_font,
 >             glamor_program *prog,
 >             int x, int y,
 >             int count, char *s_chars, CharInfoPtr *charinfo,
 >             Bool sixteen)
 > {
 > ...
 > 168     =

 > 169                 tx =3D (col - firstCol) * glyph_spacing_x;
 > 170                 /* adjust for second row layout */
 > 171                 tx +=3D second_row * glamor_font->row_width * 8;
 > 172     =

 > 173                 v[ 0] =3D x1;
 > 174                 v[ 1] =3D y1;
 > 175                 v[ 2] =3D width;
 > 176                 v[ 3] =3D height;
 > 177                 v[ 4] =3D tx;
 >
 > Line 173 looks like a plausible place for a segfault. My copy of this
 > file has not been modified since 2016.
 >
 > 0x13e28 is in glamor_image_text (/usr/xsrc/external/mit/xorg-server/dist=
 /glamor/glamor_text.c:470).
 > 465             goto bail;
 > 466     =

 > 467         (void) glamor_text(drawable, gc, glamor_font, prog,
 > 468                            x, y, count, chars, charinfo, sixteen);
 > 469     =

 > 470         return TRUE;
 > 471     =

 > 472     bail:
 > 473         return FALSE;
 > 474     }
 >
 > (gdb) list *(glamor_image_text8+0x30)
 > 0x13fa9 is in glamor_image_text8 (/usr/xsrc/external/mit/xorg-server/dis=
 t/glamor/glamor_text.c:480).
 > 475     =

 > 476     void
 > 477     glamor_image_text8(DrawablePtr drawable, GCPtr gc,
 > 478                        int x, int y, int count, char *chars)
 > 479     {
 > 480         if (!glamor_image_text(drawable, gc, x, y, count, chars, FAL=
 SE))
 > 481             miImageText8(drawable, gc, x, y, count, chars);
 > 482     }

 this looks like a problem i've seen once or twice.  i think that the
 v array is not properly set but i've not managed to figure out what
 is going wrong.  actually, there's a clear case where it seems bad,
 in that we also have:

 122     v =3D glamor_get_vbo_space(drawable->pScreen, count * (6 * sizeof =
 (GLshort)), &vbo_offset);

 but v is not checked and used at L173 after this call, and looking
 at glamor_get_vbo_space() it seems to be able to return NULL in the
 case that radeon_buffer_object{} has a NULL 'bo' member, which is
 initialisation point.

 if you can reproduce this easily, can you patch the above to do eg:

 	if (v =3D=3D NULL)
 		return x;

 after L122?


 .mrg.

From: Rhialto <rhialto@falu.nl>
To: gnats-bugs@netbsd.org
Cc: xsrc-manager@netbsd.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org,
	Rhialto <rhialto@falu.nl>
Subject: Re: xsrc/58133: X server crashes; radeon 5450; modesetting
Date: Wed, 10 Apr 2024 19:46:03 +0200

 So far I have tried to avoid reproducing it, but I can try :)
 I will add some logging, and since the callers^2 seem to have a fallback
 path, I will propagate the error condition a bit better so that that
 path should be taken. Something like this:

 --- glamor_text.c.orig	2024-04-10 19:22:22.286045752 +0200
 +++ glamor_text.c	2024-04-10 19:21:41.815261092 +0200
 @@ -120,6 +120,12 @@
      /* Set up the vertex buffers for the font and destination */

      v = glamor_get_vbo_space(drawable->pScreen, count * (6 * sizeof (GLshort)), &vbo_offset);
 +    if (v == NULL) {
 +	LogMessage(X_ERROR,
 +		   "glamor_text: glamor_get_vbo_space failed (%d)\n",
 +		   count * (6 * sizeof (GLshort)));
 +	return -1;
 +    }

      glEnableVertexAttribArray(GLAMOR_VERTEX_POS);
      glVertexAttribDivisor(GLAMOR_VERTEX_POS, 1);
 @@ -293,10 +299,13 @@
      if (!prog)
          goto bail;

 -    x = glamor_text(drawable, gc, glamor_font, prog,
 +    int new_x = glamor_text(drawable, gc, glamor_font, prog,
                      x, y, count, chars, charinfo, sixteen);

 -    *final_pos = x;
 +    if (new_x != -1) {
 +	*final_pos = new_x;
 +	return TRUE;
 +    }

  bail:
      return FALSE;
 @@ -463,10 +472,12 @@
      if (!glamor_use_program(pixmap, gc, prog, NULL))
          goto bail;

 -    (void) glamor_text(drawable, gc, glamor_font, prog,
 +    int new_x =  glamor_text(drawable, gc, glamor_font, prog,
                         x, y, count, chars, charinfo, sixteen);

 -    return TRUE;
 +    if (new_x != -1) {
 +	return TRUE;
 +    }

  bail:
      return FALSE;

 I noticed that none of the other callers of glamor_get_vbo_space() check
 for NULL, though.

 I do have the core dump available and bzip2-compressed it is only 7.1M
 (64M uncompressed). If you want it I can send it off-gnats. Maybe you
 can examine that radeon_buffer_object that way (I haven't searched hard
 enough to find it yet).

 -Olaf.

From: Rhialto <rhialto@falu.nl>
To: gnats-bugs@netbsd.org
Cc: xsrc-manager@netbsd.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org,
	Rhialto <rhialto@falu.nl>
Subject: Re: xsrc/58133: X server crashes; radeon 5450; modesetting
Date: Sat, 13 Apr 2024 14:10:39 +0200

 I had another similar crash, while running with the above patch.
 Unfortunately I neglected to build the debug sets so the stack trace
 from gdb isn't so nice:

 [  4949.604] (EE) 
 [  4949.604] (EE) Backtrace:
 [  4949.701] (EE) 0: /usr/X11R7/bin/X (xorg_backtrace+0x44) [0x8ebb2575]
 [  4949.701] (EE) 1: /usr/X11R7/bin/X (os_move_fd+0x79) [0x8ebae315]
 [  4949.701] (EE) 2: /usr/lib/libc.so.12 (__sigtramp_siginfo_2+0x0) [0x7cc04cb7ee80]
 [  4949.701] (EE) 3: /usr/X11R7/lib/modules/libglamoregl.so (glamor_download_pixmap+0x250) [0x7cc045c1359d]
 [  4949.701] (EE) 4: /usr/X11R7/lib/modules/libglamoregl.so (glamor_download_pixmap+0xb17) [0x7cc045c13e64]
 [  4949.701] (EE) 5: /usr/X11R7/lib/modules/libglamoregl.so (glamor_image_text8+0x30) [0x7cc045c13fe9]
 [  4949.701] (EE) 6: /usr/X11R7/bin/X (DamageRegionAppend+0x1064) [0x8eb5fbbe]
 [  4949.701] (EE) 7: /usr/X11R7/bin/X (DeliverRawEvent+0x1cf2) [0x8ea7e6b5]
 [  4949.701] (EE) 8: /usr/X11R7/bin/X (ImageText+0x3a) [0x8ea7f8df]
 [  4949.701] (EE) 9: /usr/X11R7/bin/X (ProcImageText8+0xe2) [0x8ea8395b]
 [  4949.701] (EE) 10: /usr/X11R7/bin/X (Dispatch+0x264) [0x8ea85c2e]
 [  4949.701] (EE) 11: /usr/X11R7/bin/X (dix_main+0x36f) [0x8ea55e1f]
 [  4949.701] (EE) 
 [  4949.701] (EE) Segmentation fault at address 0x7cc04ac77000
 [  4949.701] (EE) 
 Fatal server error:
 [  4949.701] (EE) Caught signal 11 (Segmentation fault). Server aborting

 (gdb) bt
 #0  0x00007cc04cb7e74a in _lwp_kill () from /usr/lib/libc.so.12
 #1  0x00007cc04cb83f00 in abort () at /usr/src/lib/libc/stdlib/abort.c:74
 #2  0x000000008ebad704 in OsAbort ()
 #3  0x000000008eba8a1e in AbortServer ()
 #4  0x000000008eba968e in FatalError ()
 #5  0x000000008ebae382 in OsSigHandler ()
 #6  <signal handler called>
 #7  0x00007cc045c1359d in ?? () from /usr/X11R7/lib/modules/libglamoregl.so
 #8  0x00007cc045c13e64 in ?? () from /usr/X11R7/lib/modules/libglamoregl.so
 #9  0x00007cc045c13fe9 in glamor_image_text8 ()
    from /usr/X11R7/lib/modules/libglamoregl.so
 #10 0x000000008eb5fbbe in damageImageText8 (pDrawable=0x7cc04bc374c0,
     pGC=0x7cc04bc904c0, x=17, y=1170, count=80,
     chars=0x7cc04b861e24 "JavaScript warning: https://www.google.com/js/th/YDyovHw-xwWf1wKdxMBnmF3BGXV9Ywc=")
     at /usr/xsrc/external/mit/xorg-server/dist/miext/damage/damage.c:1377
 #11 0x000000008ea7e6b5 in doImageText ()
 #12 0x000000008ea7f8df in ImageText ()
 #13 0x000000008ea8395b in ProcImageText8 ()
 #14 0x000000008ea85c2e in Dispatch ()
 #15 0x000000008ea55e1f in dix_main ()
 #16 0x000000008ea559cd in ___start (cleanup=<optimized out>,
     ps_strings=0x7f7fffa81fe0) at /usr/src/lib/csu/common/crt0-common.c:350
 #17 0x00007f7fd460baf8 in ?? () from /usr/libexec/ld.elf_so
 #18 0x0000000000000005 in ?? ()
 #19 0x00007f7fffa810c0 in ?? ()
 #20 0x00007f7fffa810d1 in ?? ()
 #21 0x00007f7fffa810d4 in ?? ()
 #22 0x00007f7fffa810d9 in ?? ()
 #23 0x00007f7fffa810df in ?? ()
 #24 0x0000000000000000 in ?? ()

 Like before, the text to print looks like logging output from Firefox.
 It would be printed in the xterm from which it was started. But that was
 hidden behind the Firefox window.

 So not only isn't it Firefox trying to render text, also it's not even
 rendered to the screen (directly)...

 The crash address is nearly the same as before, so most likely it's the
 same code, but it is not guaranteed.

 So one or more of these must be true:

 - the crash is a result of a different call to glamor_get_vbo_space()
 - the v value from glamor_get_vbo_space() is not NULL but some other
   bogus value
 - the crash is even something different than we think.

 For debugging of the first core file I put back the original
 libglamoregl.so.0 (the rebuilt one confused gdb). So this is the
 crash in the previous mail:

 (gdb) up
 #7  glamor_text (drawable=drawable@entry=0x7b3072eddc80,
     gc=gc@entry=0x7b3072ed8780, glamor_font=glamor_font@entry=0x7b3077113320,
     prog=prog@entry=0x7b3079c72268, x=24, x@entry=17, y=y@entry=1170,
     count=count@entry=80,
     s_chars=s_chars@entry=0x7b3076cbbea4 "JavaScript error: https://xkcd.com/2916/client/727.js, line 2: Error: recursive >\001\a", charinfo=0x7f7fffd78888,
     charinfo@entry=0x7f7fffd78880, sixteen=sixteen@entry=0)
     at /usr/xsrc/external/mit/xorg-server/dist/glamor/glamor_text.c:173
 173                 v[ 0] = x1;
 (gdb) info locals
 y1 = 1159
 tx = 592
 x1 = 17
 width = 7
 height = 13
 ty = <optimized out>
 row = <optimized out>
 col = <optimized out>
 second_row = <optimized out>
 chars = 0x7b3076cbbea4 "JavaScript error: https://xkcd.com/2916/client/727.js, line 2: Error: recursive >\001\a"
 font = 0x7b30785b3500
 off_x = 2043093608
 off_y = 31536
 c = 0
 nglyph = 0
 v = 0x7b3070f7e000
 vbo_offset = 0x0
 ci = 0x7b307710c808
 firstRow = 0
 firstCol = 0
 glyph_spacing_x = 8
 glyph_spacing_y = 13
 box_index = <optimized out>
 pixmap = <optimized out>
 pixmap_priv = 0x7b307a02f6d0
 (gdb) print v
 $1 = (GLshort *) 0x7b3070f7e000
 (gdb) print *v
 $2 = 0
 (gdb) print count
 $4 = 80
 (gdb) print charinfo[-1]
 $9 = (CharInfoPtr) 0x7b307710c808
 (gdb) print charinfo[0]
 $10 = (CharInfoPtr) 0x7b307710ca30

 All these values look sensible and gdb doesn's say that *v isn't
 accessible... but yet the segfault occurs in the very first access to
 this space (c == 0, nglyph == 0), and v == 0x7b3070f7e000, the reported
 address of the segfault.

 (gdb) info frame
 Stack level 7, frame at 0x7f7fffd78810:
  rip = 0x7b306e213595 in glamor_text
     (/usr/xsrc/external/mit/xorg-server/dist/glamor/glamor_text.c:173); 
     saved rip = 0x7b306e213e28
  called by frame at 0x7f7fffd790c0, caller of frame at 0x7f7fffd783b0
  source language c.
  Arglist at 0x7f7fffd78800, args: drawable=drawable@entry=0x7b3072eddc80, 
     gc=gc@entry=0x7b3072ed8780, glamor_font=glamor_font@entry=0x7b3077113320, 
     prog=prog@entry=0x7b3079c72268, x=24, x@entry=17, y=y@entry=1170, 
     count=count@entry=80, 
     s_chars=s_chars@entry=0x7b3076cbbea4 "JavaScript error: https://xkcd.com/2916/client/727.js, line 2: Error: recursive >\001\a", charinfo=0x7f7fffd78888, 
     charinfo@entry=0x7f7fffd78880, sixteen=sixteen@entry=0
  Locals at 0x7f7fffd78800, Previous frame's sp is 0x7f7fffd78810
  Saved registers:
   rbx at 0x7f7fffd787d8, rbp at 0x7f7fffd78800, r12 at 0x7f7fffd787e0,
   r13 at 0x7f7fffd787e8, r14 at 0x7f7fffd787f0, r15 at 0x7f7fffd787f8,
   rip at 0x7f7fffd78808

From: Rhialto <rhialto@falu.nl>
To: gnats-bugs@netbsd.org
Cc: xsrc-manager@netbsd.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org,
	Rhialto <rhialto@falu.nl>
Subject: Re: xsrc/58133: X server crashes; radeon 5450; modesetting
Date: Sat, 13 Apr 2024 16:29:31 +0200

 Another crash. Same place. This time I was in an XTerm and I typed some
 command that produced lots of textual output.

From: Rhialto <rhialto@falu.nl>
To: gnats-bugs@netbsd.org
Cc: xsrc-manager@netbsd.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org,
	Rhialto <rhialto@falu.nl>
Subject: Re: xsrc/58133: X server crashes; radeon 5450; modesetting
Date: Sat, 13 Apr 2024 16:34:53 +0200

 Another crash. Different place, but similar source:

 (gdb) bt
 #0  0x000078d7a8f7e74a in _lwp_kill () from /usr/lib/libc.so.12
 #1  0x000078d7a8f83f00 in abort () at /usr/src/lib/libc/stdlib/abort.c:74
 #2  0x00000000c4bad704 in OsAbort ()
 #3  0x00000000c4ba8a1e in AbortServer ()
 #4  0x00000000c4ba968e in FatalError ()
 #5  0x00000000c4bae382 in OsSigHandler ()
 #6  <signal handler called>
 #7  0x000078d7a20216ab in glamor_composite_glyphs (op=3 '\003', 
     src=0x78d7abac0380, dst=0x78d7ab364700, glyph_format=<optimized out>, 
     x_src=0, y_src=<optimized out>, nlist=<optimized out>, 
     list=0x7f7ffff141c0, glyphs=0x7f7ffff145b8)
     at /usr/xsrc/external/mit/xorg-server/dist/glamor/glamor_composite_glyphs.c:457
 #8  0x00000000c4b5f4b4 in damageGlyphs (op=<optimized out>, 
     pSrc=0x78d7abac0380, pDst=0x78d7ab364700, maskFormat=0x78d7adba6890, 
     xSrc=<optimized out>, ySrc=<optimized out>, nlist=1, list=0x7f7ffff141b0, 
     glyphs=0x7f7ffff145b0)
     at /usr/xsrc/external/mit/xorg-server/dist/miext/damage/damage.c:579
 #9  0x00000000c4b42b25 in ProcRenderCompositeGlyphs ()
 #10 0x00000000c4a85c2e in Dispatch ()
 #11 0x00000000c4a55e1f in dix_main ()
 #12 0x00000000c4a559cd in ___start (cleanup=<optimized out>, 
     ps_strings=0x7f7ffff15fe0) at /usr/src/lib/csu/common/crt0-common.c:350
 #13 0x00007f7e43a0baf8 in ?? () from /usr/libexec/ld.elf_so
 #14 0x0000000000000005 in ?? ()
 #15 0x00007f7ffff15480 in ?? ()
 #16 0x00007f7ffff15491 in ?? ()
 #17 0x00007f7ffff15494 in ?? ()
 #18 0x00007f7ffff15499 in ?? ()
 #19 0x00007f7ffff1549f in ?? ()
 #20 0x0000000000000000 in ?? ()

 (gdb) up
 #7  0x000078d7a20216ab in glamor_composite_glyphs (op=3 '\003', 
     src=0x78d7abac0380, dst=0x78d7ab364700, glyph_format=<optimized out>,
     x_src=0, y_src=<optimized out>, nlist=<optimized out>,
     list=0x7f7ffff141c0, glyphs=0x7f7ffff145b8)
     at /usr/xsrc/external/mit/xorg-server/dist/glamor/glamor_composite_glyphs.c:457
 457                             v[0] = x - glyph->info.x;
 (gdb) list
 452                         /* Add the glyph
 453                          */
 454
 455                         glyphs_queued++;
 456                         if (_X_LIKELY(glamor_glsl_has_ints(glamor_priv))) {
 457                             v[0] = x - glyph->info.x;
 458                             v[1] = y - glyph->info.y;
 459                             v[2] = glyph_draw->width;
 460                             v[3] = glyph_draw->height;
 461                             v[4] = glyph_priv->x;

 This is getting tiring... if this keeps going I will need to consider
 downgrading to 9.3.

From: Rhialto <rhialto@falu.nl>
To: gnats-bugs@netbsd.org
Cc: xsrc-manager@netbsd.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org,
	Rhialto <rhialto@falu.nl>
Subject: Re: xsrc/58133: X server crashes; radeon 5450; modesetting
Date: Sun, 14 Apr 2024 21:24:06 +0200

 I noticed that in the cases where I could check, vbo_offset == 0.
 That means that the flow through glamor_get_vbo_space() must have gone
 like so:

 glamor_get_vbo_space(ScreenPtr screen, unsigned size, char **vbo_offset)
 {
     glamor_screen_private *glamor_priv = glamor_get_screen_private(screen);
     void *data;

     glamor_make_current(glamor_priv);

     glBindBuffer(GL_ARRAY_BUFFER, glamor_priv->vbo);

     if (glamor_priv->has_buffer_storage) {	// YES
       if (glamor_priv->vbo_size < glamor_priv->vbo_offset + size) {
            if (glamor_priv->vbo_size)
                 glUnmapBuffer(GL_ARRAY_BUFFER);

             if (size > glamor_priv->vbo_size) { // NO
 		// allocate a bigger buffer,
 		// glamor_priv->vbo_size = MAX(GLAMOR_VBO_SIZE, size);
             }

             glamor_priv->vbo_offset = 0;
             glamor_priv->vb = glMapBufferRange(GL_ARRAY_BUFFER,
                                                0, glamor_priv->vbo_size,
                                                GL_MAP_WRITE_BIT |
                                                GL_MAP_INVALIDATE_BUFFER_BIT |
                                                GL_MAP_PERSISTENT_BIT |
                                                GL_MAP_COHERENT_BIT);
         }
         *vbo_offset = (void *)(uintptr_t)glamor_priv->vbo_offset;
         data = glamor_priv->vb + glamor_priv->vbo_offset;
         glamor_priv->vbo_offset += size;
     } else // IRRELEVANT
     return data;
 }

 This is consistent with the case where the crash was in
 glamor_composite_glyphs(), where `glamor_screen_private *glamor_priv` is
 available, and I could check for has_buffer_storage etc.

 I couldn't help wondering if glMapBufferRange() (documented at
 https://registry.khronos.org/OpenGL-Refpages/gl4/html/glMapBufferRange.xhtml
 I think) might perhaps work (slightly) async, so that by the time
 `*data` is written to, the mapping is not yet complete. gdb had no
 trouble to read v[0] in the core dump.

 Also I wonder why GL_MAP_READ_BIT is not included. I only see writing to
 the buffer, but who trusts the compiler not to read from it...

 I also wonder why the unmapping and remapping of the buffer isn't moved
 into the inner condition (the one which is false for our case, where a
 bigger buffer is allocated). That ought to be more efficient.

 It is unlikely that this is the first time through
 glamor_get_vbo_space(); many characters have been printed before.

 In case it matters, in most of my xterms I use bitmap fonts,
 lucidasanstypewriter-12, which is as far as I can tell indeed a 7x13
 font (width and height as seen in `info locals` before).

From: Rhialto <rhialto@falu.nl>
To: gnats-bugs@netbsd.org
Cc: xsrc-manager@netbsd.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org,
	Rhialto <rhialto@falu.nl>
Subject: Re: xsrc/58133: X server crashes; radeon 5450; modesetting
Date: Sat, 27 Apr 2024 18:50:25 +0200

 I had some more crashes with irregular intervals. Two of them didn't
 leave a core dump; /var/log/messages listed errno 27 (EFBIG).
 The 4 core dumps I have are available for debugging.

 I tried running with a locally modified version of libdrm_radeon.so.0.0
 with logging added to bo_map() and some nearby functions in
 xsrc/external/mit/libdrm/dist/radeon/radeon_bo_gem.c (printf to stderr)
 but I don't see the expected output anywhere. I'm not sure if I'm not
 looking in the right place, the output is getting lost, or X simply
 never gets there (in which case I don't understand why).

From: Rhialto <rhialto@falu.nl>
To: gnats-bugs@netbsd.org
Cc: xsrc-manager@netbsd.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org,
	Rhialto <rhialto@falu.nl>
Subject: Re: xsrc/58133: X server crashes; radeon 5450; modesetting
Date: Mon, 29 Apr 2024 20:35:19 +0200

 I tried to gain more insights by attaching gdb to the X server process,
 and setting breakpoints on some key functions, such as
 glamor_get_vbo_space and glamor_text. However they never triggered.

 On further inspection, the breakpoints were marked as <PENDING> and
 therefore not functional:

 (gdb) info break
 Num     Type           Disp Enb Address            What
 1       breakpoint     keep y   <PENDING>          glamor_get_vbo_space
 2       breakpoint     keep y   <PENDING>          glamor_text
 3       breakpoint     keep y   <MULTIPLE>
 3.1                         y   <PENDING>          mmap
 3.2                         y   <PENDING>          mmap
 4       breakpoint     keep y   <MULTIPLE>
 4.1                         y   <PENDING>          poll
 4.2                         y   <PENDING>          poll
 (gdb) break InputThreadDoWork
 Breakpoint 5 at 0xdcbb0722
 (gdb) c
 Continuing.
 Warning:
 Cannot insert breakpoint 5.
 Cannot access memory at address 0xdcbb0722

 Command aborted.

 and trying to set breakpoints at some functions even failed earlier.

 With hardware breakpoints I had slightly more success, but in the end it
 was of no use:

 (gdb) hbreak glamor_text
 Hardware assisted breakpoint 6 at 0x6fb07d41339e: file /usr/xsrc/external/mit/xorg-server/dist/glamor/glamor_text.c, line 97.
 (gdb) c
 Continuing.
 [Switching to LWP 28256 of process 28256]

 Thread 4 "" hit Breakpoint 6, glamor_text (
     drawable=drawable@entry=0x6fb0824c98c0, gc=gc@entry=0x6fb082103ac0,
     glamor_font=glamor_font@entry=0x6fb086e3bfb0,
     prog=prog@entry=0x6fb088f24268, x=x@entry=17, y=y@entry=377,
     count=count@entry=6,
     s_chars=s_chars@entry=0x6fb086f52940 "        L\006\006",
     charinfo=charinfo@entry=0x7f7fffd18400, sixteen=sixteen@entry=0)
     at /usr/xsrc/external/mit/xorg-server/dist/glamor/glamor_text.c:97
 97      {
 (gdb) bt
 #0  glamor_text (drawable=drawable@entry=0x6fb0824c98c0,
     gc=gc@entry=0x6fb082103ac0, glamor_font=glamor_font@entry=0x6fb086e3bfb0,
     prog=prog@entry=0x6fb088f24268, x=x@entry=17, y=y@entry=377,
     count=count@entry=6,
     s_chars=s_chars@entry=0x6fb086f52940 "        L\006\006",
     charinfo=charinfo@entry=0x7f7fffd18400, sixteen=sixteen@entry=0)
     at /usr/xsrc/external/mit/xorg-server/dist/glamor/glamor_text.c:97
 #1  0x00006fb07d413e28 in glamor_image_text (
     drawable=drawable@entry=0x6fb0824c98c0, gc=gc@entry=0x6fb082103ac0,
     x=x@entry=17, y=y@entry=377, count=count@entry=6,
     chars=chars@entry=0x6fb086f52940 "        L\006\006",
     sixteen=sixteen@entry=0)
     at /usr/xsrc/external/mit/xorg-server/dist/glamor/glamor_text.c:467
 #2  0x00006fb07d413fa9 in glamor_image_text8 (drawable=0x6fb0824c98c0,
     gc=0x6fb082103ac0, x=17, y=377, count=6,
     chars=0x6fb086f52940 "        L\006\006")
     at /usr/xsrc/external/mit/xorg-server/dist/glamor/glamor_text.c:480
 #3  0x00000000dcb5fbbe in damageImageText8 ()
 #4  0x00000000dca7e6b5 in doImageText ()
 #5  0x00000000dca7f8df in ImageText ()
 #6  0x00000000dca8395b in ProcImageText8 ()
 #7  0x00000000dca85c2e in Dispatch ()
 #8  0x00000000dca55e1f in dix_main ()
 #9  0x00000000dca559cd in ___start ()
 #10 0x00007f7ee6e0baf8 in ?? () from /usr/libexec/ld.elf_so
 #11 0x0000000000000005 in ?? ()
 #12 0x00007f7fffd19480 in ?? ()
 #13 0x00007f7fffd19491 in ?? ()
 #14 0x00007f7fffd19494 in ?? ()
 #15 0x00007f7fffd19499 in ?? ()
 #16 0x00007f7fffd1949f in ?? ()
 #17 0x0000000000000000 in ?? ()
 (gdb) n
 [New process 28256]
 /usr/src/external/gpl3/gdb/lib/libgdb/../../dist/gdb/infrun.c:5683: internal-error: int finish_step_over(execution_control_state*): Assertion `ecs->event_thread->control.trap_expected' failed.
 A problem internal to GDB has been detected,
 further debugging may prove unreliable.
 Quit this debugging session? (y or n) y

 This is a bug, please report it.  For instructions, see:
 <https://www.gnu.org/software/gdb/bugs/>.

 /usr/src/external/gpl3/gdb/lib/libgdb/../../dist/gdb/infrun.c:5683: internal-error: int finish_step_over(execution_control_state*): Assertion `ecs->event_thread->control.trap_expected' failed.
 A problem internal to GDB has been detected,
 further debugging may prove unreliable.
 Unable to dump core, use `ulimit -c unlimited' before executing GDB next time.
 [ 108164.2883624] sorry, pid 28256 was killed: orphaned traced process

 and X was killed.

 To get a usable machine, I have switched back to /usr/X11R7 from 9.3 and
 changed in /etc/X11/xorg.conf the Driver from "modesetting" to "radeon".
 (The "modesetting" driver with 9.3 doesn't result in working
 accelleration; with 10.0 the "radeon" driver crashed even quicker than
 the "modesetting" driver).

From: Rhialto <rhialto@falu.nl>
To: gnats-bugs@netbsd.org
Cc: xsrc-manager@netbsd.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org,
	Rhialto <rhialto@falu.nl>
Subject: Re: xsrc/58133: X server crashes; radeon 5450; modesetting
Date: Sun, 5 May 2024 15:02:06 +0200

 After some experiments with difficulty, I found out less than I wanted
 and just got more confused in some respects.

 With Driver "modesetting", the segv is in glamor_text() in
 xsrc/external/mit/xorg-server/dist/glamor/glamor_text.c, which calls
 glamor_get_vbo_space() in
 xsrc/external/mit/xorg-server/dist/glamor/glamor_vbo.c. This ends up in
 /usr/X11R7/lib/modules/libglamoregl.so. I could get debugging output
 from there. It shows that the "vbo" (video buffer object, I presume)
 indeed gets filled up and restarted from the beginning pretty quickly,
 so when the segmentation violation happens with vbo_offset == 0, it must
 be the Nth time that this state occurs.

 A call there to glMapBufferRange() appears to be responsible for memory
 mapping. When chasing SIGSEGVs this would be a first suspect. But
 finding out to which source code this calls is nontrivial, since it
 seems that GL internally has lots of similar versions of the same thing,
 and a dispatcher that somehow chooses between options.

 It seemed that a function annotated "* Called via glMapBuffer() and
 glMapBufferRange()", named radeonMapBufferRange() in
 ./usr/xsrc/external/mit/MesaLib/dist/src/mesa/drivers/dri/radeon/radeon_buffer_objects.c
 would be a good candidate, which in turn would seem to refer to bo_map()
 in xsrc/external/mit/libdrm/dist/radeon/radeon_bo.c. However, this
 location is NOT reached with Driver "modesetting".

 With Driver "radeon", it does reach bo_map() but not glamor_get_vbo_space().

 To make things more confusing: if you do not have a xorg.conf file, X
 doesn't choose "modesetting_drv" as a default driver. It doesn't even
 choose "radeon_drv", but "ati_drv":

 [   845.672] (==) Using default built-in configuration (39 lines)
 [   845.672] (==) --- Start of built-in configuration ---
 [   845.672] 	Section "Device"
 [   845.672] 		Identifier	"Builtin Default ati Device 0"
 [   845.672] 		Driver	"ati"
 [   845.672] 	EndSection
 [   845.672] 	Section "Screen"
 [   845.672] 		Identifier	"Builtin Default ati Screen 0"
 [   845.672] 		Device	"Builtin Default ati Device 0"
 [   845.672] 	EndSection
 ...
 [   845.672] 	Section "ServerLayout"
 [   845.672] 		Identifier	"Builtin Default Layout"
 [   845.672] 		Screen	"Builtin Default ati Screen 0"
 [   845.672] 		Screen	"Builtin Default modesetting Screen 0"
 [   845.672] 		Screen	"Builtin Default vesa Screen 0"
 [   845.672] 		Screen	"Builtin Default wsfb Screen 0"
 [   845.672] 	EndSection
 [   845.672] (==) --- End of built-in configuration ---
 ...

 confusingly, it labels most of its output with (II) RADEON: 

 [   845.738] (II) RADEON(0): Creating default Display subsection in Screen section
 	"Builtin Default ati Screen 0" for depth/fbbpp 24/32
 [   845.738] (==) RADEON(0): Depth 24, (--) framebuffer bpp 32
 [   845.738] (II) RADEON(0): Pixel depth = 24 bits stored in 4 bytes (32 bpp pixmaps)
 [   845.738] (==) RADEON(0): Default visual is TrueColor
 [   845.738] (==) RADEON(0): RGB weight 888
 [   845.738] (II) RADEON(0): Using 8 bits per RGB (8 bit DAC)
 [   845.738] (--) RADEON(0): Chipset: "ATI Radeon HD 5450" (ChipID = 0x68f9)

 however this driver actually logs the precise chipset, which I think the
 "radeon_drv" doesn't do.

 The ati_drv is smaller than the radeon_drv and links to fewer other
 libraries (in particular not libglapi, but both do link to libdrm_radeon
 where bo_map() is).

 I'm trying the reliability of the "ati_drv" now.

 However I would still like to know what code there is behind
 glMapBufferRange(). It seems that this may be a key to the root cause of
 the segv. Without working single stepping in gdb this seems hard to find
 out though.

From: matthew green <mrg@eterna23.net>
To: Rhialto <rhialto@falu.nl>
Cc: xsrc-manager@netbsd.org, gnats-admin@netbsd.org,
    netbsd-bugs@netbsd.org, gnats-bugs@netbsd.org
Subject: re: xsrc/58133: X server crashes; radeon 5450; modesetting
Date: Mon, 06 May 2024 19:24:37 +1000

 ati_drv is a meta-driver that loads the right ATI chipset,
 rage, radeon, amdgpu, whatever is valid.

 you should ignore ati driver things as this is using the
 radeon driver really, correctly.  that part is all fine.

 i had thought that radeonMapBufferRange() must have been
 the right function but if the modesetting driver isn't
 getting into that, hmmmm, don't know.


 .mrg.

From: Rhialto <rhialto@falu.nl>
To: matthew green <mrg@eterna23.net>
Cc: Rhialto <rhialto@falu.nl>, xsrc-manager@netbsd.org,
	gnats-admin@netbsd.org, netbsd-bugs@netbsd.org,
	gnats-bugs@netbsd.org
Subject: Re: xsrc/58133: X server crashes; radeon 5450; modesetting
Date: Mon, 6 May 2024 21:58:51 +0200

 ah, so I tested the radeon driver after all (kernel_10+X_10+radeon)
 and I saw indeed the same font issues as before. (some fonts didn't
 render most letters, and some only half; it didn't go away when
 minimizing and redisplaying the window) This time it was
 limited to Firefox though.

 A bit later in this combination X froze. In /var/log/messages it said
 many times:

 May  6 18:42:07 murthe /netbsd: [ 158834.9967050] radeon0: autoconfiguration error: error: ring 0 stalled for more than 374990msec
 May  6 18:42:07 murthe /netbsd: [ 158834.9967050] radeon0: autoconfiguration error: error: ring 0 stalled for 8a last fence id 0x00000000000f828d on ring 0)

 I had seen the same thing with kernel_10+X_9+radeon. Since I never had
 it at all with kernel_9+X_9+radeon, this would seem to mean this is a
 kernel-side issue in kernel_10.

 A reboot seems to be the only way out of this.

 I *thought* I had another candidate implementation of glMapBufferRange():

 * Called via glMapBufferRange().
 st_bufferobj_map_range() in ./usr/xsrc/external/mit/MesaLib/dist/src/mesa/state_tracker/st_cb_bufferobjects.c
     -> pipe_buffer_map_range() in ./usr/xsrc/external/mit/MesaLib/dist/src/gallium/auxiliary/util/u_inlines.h
 	-> struct pipe_context.buffer_map() in ./usr/xsrc/external/mit/MesaLib/dist/src/gallium/include/pipe/p_context.h

 	Possible initialization:
 	./external/mit/MesaLib/dist/src/gallium/winsys/radeon/drm/radeon_drm_bo.c:   ws->base.buffer_map = radeon_bo_map;
 	    # this is NOT the one listed above
 	    radeon_bo_map() in ./usr/xsrc/external/mit/MesaLib/dist/src/gallium/winsys/radeon/drm/radeon_drm_bo.c
 	    -> radeon_bo_do_map() in same file
 		-> os_mmap()

 so I put printfs in both st_bufferobj_map_range() and radeon_bo_map()
 (which is a different radeon_bo_map() than before!) but I did not see
 output from them. Even though I got output from glamor_get_vbo_space().
 So the real implementation must still be somewhere else.

 This would have been a nice candidate, because it does a mmap() and
 munmap() for every glMapBufferRange() / glUnMapBuffer(). So there would
 be lots of opportunity for things to go wrong.

 My current test is kernel_10+X_10+modesetting with a slightly modified
 version of glamor_get_vbo_space(). I moved the calls to glUnmapBuffer()
 and glMapBufferRange() into the condition about growing the buffer. So
 mmap should be called only once now, ever (needing a bigger buffer is
 really unlikely). It doesn't fix the root cause but it may work around
 the issue. I really hope it does.

 (maybe there needs to be some synchronisation, before reusing the
 buffer, to wait for it to be "all processed" (there is something like
 that in radeon_bo_map() in
 ./usr/xsrc/external/mit/MesaLib/dist/src/gallium/winsys/radeon/drm/radeon_drm_bo.c)
 but I'm not sure what to call there)

From: Rhialto <rhialto@falu.nl>
To: matthew green <mrg@eterna23.net>
Cc: Rhialto <rhialto@falu.nl>, xsrc-manager@netbsd.org,
	gnats-admin@netbsd.org, netbsd-bugs@netbsd.org,
	gnats-bugs@netbsd.org
Subject: Re: xsrc/58133: X server crashes; radeon 5450; modesetting
Date: Mon, 6 May 2024 22:36:01 +0200

 That did not help. Another crash and no core dump.

From: Rhialto <rhialto@falu.nl>
To: matthew green <mrg@eterna23.net>
Cc: Rhialto <rhialto@falu.nl>, xsrc-manager@netbsd.org,
	gnats-admin@netbsd.org, netbsd-bugs@netbsd.org,
	gnats-bugs@netbsd.org
Subject: Re: xsrc/58133: X server crashes; radeon 5450; modesetting
Date: Sat, 11 May 2024 17:28:44 +0200

 I pulled out the Radeon card so as to have a workable machine.
 However I set up and old box with Radeon HD 5450 and an old disk. It
 still had NetBSD 8.0 and an old home directory on it. I updated it to
 10.0.

 While extracting (verbosely) the debug sets, I got the "usual" crash
 with a core dump, with a segv in glamor_text() in the usual place.
 So the issue is repeatable on other hardware (it's not the same card,
 just the same model). I did use the same screen (1920 x 1200) but a
 different connector, VGA in this case. That way I can connect 3 inputs
 to it and switch.

 I don't know if the following are relevant but I list them anyway:
 I have a background image set with xv (graphics/xv).
 In xterm I use a bitmap font:
 xterm.vt100.font:               lucidasanstypewriter-12

 In ctwm I use opaque move and resize, and tabbed windows in 9 workspaces:
 OpaqueMove
 OpaqueMoveThreshold 100
 OpaqueResize
 OpaqueResizeThreshold 100
 SqueezeTitle

From: Rhialto <rhialto@falu.nl>
To: matthew green <mrg@eterna23.net>
Cc: Rhialto <rhialto@falu.nl>, xsrc-manager@netbsd.org,
	gnats-admin@netbsd.org, netbsd-bugs@netbsd.org,
	gnats-bugs@netbsd.org
Subject: Re: xsrc/58133: X server crashes; radeon 5450; modesetting
Date: Sat, 11 May 2024 18:38:51 +0200

 I caught a different crash in gdb.

 In one xterm I had a lot of text output: ls -lR, repeated.  In another
 workspace (so the xterm window wasn't even mapped, that is how ctwm does
 workspaces): I was just starting geeqie to view some images, and a small
 subrectangle of the first one had already appeared.

 radl.1:~$ sudo gdb -p 429
 ...
 Thread 4 "" received signal SIGSEGV, Segmentation fault.
 [Switching to LWP 429 of process 429]
 0x000073c6f0b83b4f in memcpy () from /usr/lib/libc.so.12
 (gdb) bt
 #0  0x000073c6f0b83b4f in memcpy () from /usr/lib/libc.so.12
 #1  0x000073c6e4979b7b in store_shader ()
     at /usr/xsrc/external/mit/MesaLib.old/dist/src/gallium/drivers/r600/r600_shader.c:152
 #2  0x000073c6e4984742 in store_shader ()
     at /usr/xsrc/external/mit/MesaLib.old/dist/src/gallium/drivers/r600/r600_shader.c:209
 #3  r600_pipe_shader_create ()
     at /usr/xsrc/external/mit/MesaLib.old/dist/src/gallium/drivers/r600/r600_shader.c:241
 #4  0x000073c6e495f70c in r600_shader_select ()
     at /usr/xsrc/external/mit/MesaLib.old/dist/src/gallium/drivers/r600/r600_state_common.c:876
 #5  0x000073c6e49608ae in r600_update_derived_state ()
     at /usr/xsrc/external/mit/MesaLib.old/dist/src/gallium/drivers/r600/r600_state_common.c:1766
 #6  r600_draw_vbo ()
     at /usr/xsrc/external/mit/MesaLib.old/dist/src/gallium/drivers/r600/r600_state_common.c:2087
 #7  0x000073c6e458567e in st_draw_vbo ()
     at /usr/xsrc/external/mit/MesaLib.old/dist/src/mesa/state_tracker/st_draw.c:268
 #8  0x000073c6e4729d32 in _mesa_draw_arrays ()
     at /usr/xsrc/external/mit/MesaLib.old/dist/src/mesa/main/draw.c:374
 #9  _mesa_draw_arrays ()
     at /usr/xsrc/external/mit/MesaLib.old/dist/src/mesa/main/draw.c:351
 #10 0x000073c6e4729ddb in _mesa_DrawArrays ()
     at /usr/xsrc/external/mit/MesaLib.old/dist/src/mesa/main/draw.c:531
 #11 0x000073c6e9c1e5ac in glamor_composite_with_shader (ca_state=CA_NONE,
     rects=0x7f7fffa6f3d0, nrect=1, dest_pixmap_priv=0x73c6f01b15d0,
     mask_pixmap_priv=0x0, source_pixmap_priv=0x73c6f01b1710,
     dest_pixmap=<optimized out>, mask_pixmap=0x0,
     source_pixmap=0x73c6f01b16c0, dest=0x73c6f0131380, mask=0x73c6f0131480,
     source=0x73c6f0131400, op=<optimized out>)
     at /usr/xsrc/external/mit/xorg-server/dist/glamor/glamor_render.c:1295
 --Type <RET> for more, q to quit, c to continue without paging--
 #12 glamor_composite_clipped_region (op=<optimized out>, op@entry=3 '\003', source=source@entry=0x73c6f0131400, mask=mask@entry=0x73c6f0131480,
     dest=dest@entry=0x73c6f0131380, source_pixmap=source_pixmap@entry=0x73c6f01b16c0, mask_pixmap=mask_pixmap@entry=0x0, dest_pixmap=dest_pixmap@entry=0x73c6f01b1580,
     region=region@entry=0x7f7fffa6f560, x_source=<optimized out>, x_source@entry=0, y_source=<optimized out>, y_source@entry=0, x_mask=<optimized out>, x_mask@entry=0,
     y_mask=<optimized out>, y_mask@entry=0, x_dest=x_dest@entry=0, y_dest=y_dest@entry=94) at /usr/xsrc/external/mit/xorg-server/dist/glamor/glamor_render.c:1578
 #13 0x000073c6e9c1f96e in glamor_composite (op=<optimized out>, source=0x73c6f0131400, mask=0x73c6f0131480, dest=0x73c6f0131380, x_source=<optimized out>,
     y_source=<optimized out>, x_mask=0, y_mask=0, x_dest=0, y_dest=94, width=6, height=195) at /usr/xsrc/external/mit/xorg-server/dist/glamor/glamor_render.c:1717
 #14 0x00000001d175f0dc in damageComposite (op=<optimized out>, pSrc=<optimized out>, pMask=<optimized out>, pDst=0x73c6f0131380, xSrc=<optimized out>,
     ySrc=<optimized out>, xMask=0, yMask=0, xDst=0, yDst=94, width=6, height=195) at /usr/xsrc/external/mit/xorg-server/dist/miext/damage/damage.c:513
 #15 0x00000001d174501b in ProcRenderComposite ()
 #16 0x00000001d1685c2e in Dispatch ()
 #17 0x00000001d1655e1f in dix_main ()
 #18 0x00000001d16559cd in ___start (cleanup=<optimized out>, ps_strings=0x7f7fffa70fe0) at /usr/src/lib/csu/common/crt0-common.c:350
 #19 0x00007f7f0020baf8 in ?? () from /usr/libexec/ld.elf_so
 #20 0x0000000000000005 in ?? ()
 #21 0x00007f7fffa6fdc8 in ?? ()
 #22 0x00007f7fffa6fdd9 in ?? ()
 #23 0x00007f7fffa6fddc in ?? ()
 #24 0x00007f7fffa6fde1 in ?? ()
 #25 0x00007f7fffa6fde7 in ?? ()
 #26 0x0000000000000000 in ?? ()
 (gdb)

 (gdb) list
 147                     if (R600_BIG_ENDIAN) {
 148                             for (i = 0; i < shader->shader.bc.ndw; ++i) {
 149                                     ptr[i] = util_cpu_to_le32(shader->shader.bc.bytecode[i]);
 150                             }
 151                     } else {
 152 -->>>                       memcpy(ptr, shader->shader.bc.bytecode, shader->shader.bc.ndw * sizeof(*ptr));
 153                     }
 154                     rctx->b.ws->buffer_unmap(shader->bo->buf);
 155             }
 156
 (gdb) info frame
 Stack level 1, frame at 0x7f7fffa6edb0:
  rip = 0x73c6e4979b7b in store_shader (/usr/xsrc/external/mit/MesaLib.old/dist/src/gallium/drivers/r600/r600_shader.c:152); saved rip = 0x73c6e4984742
  called by frame at 0x7f7fffa6ee50, caller of frame at 0x7f7fffa6ed60
  source language c.
  Arglist at 0x7f7fffa6eda0, args: 
  Locals at 0x7f7fffa6eda0, Previous frame's sp is 0x7f7fffa6edb0
  Saved registers:
   rbx at 0x7f7fffa6ed90, rbp at 0x7f7fffa6eda0, r12 at 0x7f7fffa6ed98, rip at 0x7f7fffa6eda8
 (gdb) info locals
 No locals.

 I'm not sure why gdb doesn't have debugging info here. It loaded a lot
 of debug info files but none with "mesa" in their name. I have the core
 file available for later inspection.

From: Rhialto <rhialto@falu.nl>
To: matthew green <mrg@eterna23.net>
Cc: Rhialto <rhialto@falu.nl>, xsrc-manager@netbsd.org,
	gnats-admin@netbsd.org, netbsd-bugs@netbsd.org,
	gnats-bugs@netbsd.org
Subject: Re: xsrc/58133: X server crashes; radeon 5450; modesetting
Date: Sat, 11 May 2024 23:32:47 +0200

 Some observations:

 The destination variable "ptr" comes from
 r600_buffer_map_sync_with_rings() which seems to map a buffer (similar
 to the crashes arount glamor_get_vbo_space()).

 Stack frame #2 makes no sense:
 #2  0x000073c6e4984742 in store_shader ()
     at /usr/xsrc/external/mit/MesaLib.old/dist/src/gallium/drivers/r600/r600_shader.c:209

 204	/* Check if the bytecode has already been built. */
 	if (!shader->shader.bc.bytecode) {
 		r = r600_bytecode_build(&shader->shader.bc);
 		if (r) {
 			R600_ERR("building bytecode failed !\n");
 209			goto error;
 		}
 	}

 since line 209 is in a different function and there is no call to
 store_shader() there.

 And, after I gave a 'continue' command in gdb to let X crash, it
 continued where it left off seemingly without issues...

 I didn't check signal handers; maybe the other segvs are supposed to be
 "repaired" like this one seems to have been? (just wildly speculating)

From: Rhialto <rhialto@falu.nl>
To: matthew green <mrg@eterna23.net>
Cc: Rhialto <rhialto@falu.nl>, xsrc-manager@netbsd.org,
	gnats-admin@netbsd.org, netbsd-bugs@netbsd.org,
	gnats-bugs@netbsd.org
Subject: Re: xsrc/58133: X server crashes; radeon 5450; modesetting
Date: Sun, 12 May 2024 20:25:59 +0200

 So my experiments of today can easily reproduce the crash.
 It happened at the familiar place in glamor_text() every time.

 Procedure: With ctwm as window manager, run "while :; do ls -lR; done"
 in an xterm. Possibly the associated disk I/O contributes to the issue.
 The font is lucidasanstypewriter-12.

 In another workspace (so the ls is not even visible), run image viewer
 geeqie (graphics/geeqie) in a directory with images - at least one
 should be larger than the screen. Show such an image at unscaled
 resolution (shortcut key z), with the window maximized or the image
 fullscreen (f). I had best "success" with just the maximized window.
 Then drag the image around, to view other parts. Within a few seconds,
 the SIGSEGV should occur. The attached gdb should show this and its
 promt.

 It happened every time today in glamor_text(), printing some output from
 "ls".

 Typing "c" for continue in gdb simply continued X without causing the
 expected crash.

 This seems to mean that the effect of the mmap(2) call done not so long
 before, to map the vbo into memory, has a delayed effect.

 The protocol for mapping seems to be (simplified):

 - ioctl(fd, RADEON_GEM_MMAP, &args, ...), returns an args.addr_ptr
 - mmap(0, size, PROT_READ|PROT_WRITE, MAP_SHARED, fd, args.addr_ptr)

 There are 3 occurrences of this:
 - xsrc/external/mit/MesaLib/dist/src/gallium/winsys/radeon/drm/radeon_drm_bo.c
 - xsrc/external/mit/MesaLib.old/dist/src/gallium/winsys/radeon/drm/radeon_drm_bo.c
 - xsrc/external/mit/libdrm/dist/radeon/radeon_bo_gem.c

 The one in MesaLib.old seems to be the one in play (I instrumented the
 others and that didn't trigger; also one of the observed crashes
 happened in
 /xsrc/external/mit/MesaLib.old/dist/src/gallium/drivers/r600/r600_shader.c
 as reported above)

 My first theory was that the page table entries created by the mmap(2)
 call might not be propagated to all cpus yet, and that a cpu switch
 would (sometimes) have occurred before using the mapped memory. That
 would explain why a delay caused by human reaction time in gdb would fix
 up the memory access.

 I tried to test this theory by setting the cpu affinity of the X process
 to just a single cpu:  "sudo schedctl -p 1701 -A 0". After that all 4
 threads of the process were shown to have affinity to cpu 0.

 However the SIGSEGV could still be reproduced with this. This makes this
 theory less likely. Can anyone think of some other mechanism that
 "delays" the validity of mapped memory?
 (or maybe the command I used doesn't have the effect I thought?)

From: matthew green <mrg@eterna23.net>
To: Rhialto <rhialto@falu.nl>
Cc: xsrc-manager@netbsd.org, gnats-admin@netbsd.org,
    netbsd-bugs@netbsd.org, gnats-bugs@netbsd.org
Subject: re: xsrc/58133: X server crashes; radeon 5450; modesetting
Date: Mon, 13 May 2024 05:44:11 +1000

 nice work on a good repro!  my remote-attempt that got a crash
 in 6 hours but no core or gdb, has now been running for over
 4 days without failure again.

 i'll have a read throught the various code to see if i can spot
 anything.

 > Typing "c" for continue in gdb simply continued X without causing the
 > expected crash.

 FWIW, i've seen this "feature" multiple times, and i don't
 think it is directly related to this problem.  something that
 X is doing (and that other things can do) seems to set it up.

 > - xsrc/external/mit/MesaLib.old/dist/src/gallium/winsys/radeon/drm/radeo=
 n_drm_bo.c

 this is used on netbsd-10, not MesaLib (but the newer one is
 used in -current.)  so it's expected this is what you'd get.

From: Rhialto <rhialto@falu.nl>
To: gnats-bugs@netbsd.org
Cc: xsrc-manager@netbsd.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org,
	Rhialto <rhialto@falu.nl>
Subject: Re: xsrc/58133: X server crashes; radeon 5450; modesetting
Date: Sun, 12 May 2024 22:36:40 +0200

 >  > Typing "c" for continue in gdb simply continued X without causing the
 >  > expected crash.
 >  
 >  FWIW, i've seen this "feature" multiple times, and i don't
 >  think it is directly related to this problem.  something that
 >  X is doing (and that other things can do) seems to set it up.

 There is a signal handler for SIGSEGV and others set up by OsInit() in
 xsrc/external/mit/xorg-server/dist/os/osinit.c, and the handler is
 OsSigHandler() in the same file. This looks like it is where the stack
 trace in the Xorg.0.log file is generated. There may be a detour via a
 function pointer OsSigWrapper but that appears to be NULL. A breakpoint
 set on OsSigHandler() doesn't trigger.

 I didn't find a gdb command to see the state of signals and their
 handlers.

From: Rhialto <rhialto@falu.nl>
To: matthew green <mrg@eterna23.net>
Cc: Rhialto <rhialto@falu.nl>, xsrc-manager@netbsd.org,
	gnats-admin@netbsd.org, netbsd-bugs@netbsd.org,
	gnats-bugs@netbsd.org
Subject: Re: xsrc/58133: X server crashes; radeon 5450; modesetting
Date: Thu, 16 May 2024 21:46:30 +0200

 As suggested on irc, I traced X with dtrace and ktrace. The dtrace
 script shows mmaps and return values, and ttm_bo_uvm_fault arguments and
 return value.

 With dtrace active, my reproducer doesn't reproduce any more.
 However it does show that after mmap() was called, the vaddr argument to
 the next ttm_bo_uvm_fault() is the value which was just before returned
 from mmap(). (There are other calls to ttm_bo_uvm_fault() too, though)

 Ktrace didn't inhibit the crash though.

 Some fragment from dtrace's output. I wasn't quite sure if arg0 is
 always the return value for a function, but for ttm_bo_mmap_object() it
 would be a non-existent errno value (even
 sys/compat/linux/common/linux_errno_generic.h only goes up to 133)

   2    754                       mmap:entry   2736 X            -WR  ----S 0        512      17
   2  15167                ktr_syscall:entry 
   2  15130                   ktealloc:entry 
   2  21171       pool_cache_get_paddr:entry 
   2  21172      pool_cache_get_paddr:return 
   2  15042            kmem_intr_alloc:entry 
   2  21171       pool_cache_get_paddr:entry 
   2  21172      pool_cache_get_paddr:return 
   2  15043           kmem_intr_alloc:return 
   2  17030                   nanotime:entry 
   2   4938                  binuptime:entry 
   2  50781          tsc_get_timecount:entry 
   2  50782         tsc_get_timecount:return 
   2   4939                 binuptime:return 
   2  17031                  nanotime:return 
   2  15131                  ktealloc:return 
   2  15173                ktraddentry:entry 
   2   5540            callout_pending:entry 
   2   5541           callout_pending:return 
   2  15174               ktraddentry:return 
   2  15168               ktr_syscall:return 
   2  26698               trace_enter:return 
   2  26017                   sys_mmap:entry 
   2   9797                 fd_getfile:entry 
   2   9798                fd_getfile:return 
   2  35449               drm_fop_mmap:entry 
   2  26783         ttm_bo_mmap_object:entry 
   2   8934 drm_vma_offset_lookup_locked:entry 
   2  23278      rb_tree_find_node_leq:entry 
   2  23279     rb_tree_find_node_leq:return 
   2   8935 drm_vma_offset_lookup_locked:return 
   2   8926 drm_vma_node_verify_access:entry 
   2  23274          rb_tree_find_node:entry 
   2  23275         rb_tree_find_node:return 
   2   8927 drm_vma_node_verify_access:return 
   2  26784        ttm_bo_mmap_object:return 
   2  35450              drm_fop_mmap:return 
   2  20609              pax_aslr_mmap:entry 
   2  20610             pax_aslr_mmap:return 
   2  52803            uvm_mmap.part.0:entry 
   2  27913                    uvm_map:entry 
   2  27939            uvm_map_prepare:entry 
   2  27927          uvm_map_findspace:entry 
   2  27928         uvm_map_findspace:return 
   2  27940           uvm_map_prepare:return 
   2  27923              uvm_map_enter:entry 
   2  21171       pool_cache_get_paddr:entry 
   2  21172      pool_cache_get_paddr:return 
   2  52816              uvm_rb_insert:entry 
   2  23280        rb_tree_insert_node:entry 
   2  23281       rb_tree_insert_node:return 
   2  27924             uvm_map_enter:return 
   2  27914                   uvm_map:return 
   2  52804           uvm_mmap.part.0:return 
   2   9822                fd_putvnode:entry 
   2   9823               fd_putvnode:return 
   2  26018                  sys_mmap:return 
   2  26699                 trace_exit:entry 
   2    755                      mmap:return return: 7f7ff1ca6000
   2  26805           ttm_bo_uvm_fault:entry ttm_bo_uvm_fault(ufi=ffffba886bcadd60, vaddr=7f7ff1ca6000, pps=ffffba886bcade50, npages=1, centeridx=0, access_type=2, flags=42)
 ufi->orig_map=ffff9db1cbcf1af8, orig_rvaddr=7f7ff1ca6000, orig_size=1000, map=ffff9db1cbcf1af8, mapv=6563, entry=ffff9db2155d08c0, size=1000
 *pps=0
   2  26806          ttm_bo_uvm_fault:return returns 134 or 4294967293
   2  26805           ttm_bo_uvm_fault:entry ttm_bo_uvm_fault(ufi=ffffba886bcadd60, vaddr=7f7ff1ca6000, pps=ffffba886bcade50, npages=1, centeridx=0, access_type=2, flags=42)
 ufi->orig_map=ffff9db1cbcf1af8, orig_rvaddr=7f7ff1ca6000, orig_size=1000, map=ffff9db1cbcf1af8, mapv=6563, entry=ffff9db2155d08c0, size=1000
 *pps=0
   2  26806          ttm_bo_uvm_fault:return returns 134 or 0

 another bit from another run, with calls inside ttm_bo_uvm_fault() being
 traced:

   1    755                      mmap:return return: 7f7feec56000
   1  26805           ttm_bo_uvm_fault:entry ttm_bo_uvm_fault(ufi=ffffba886bcadd60, vaddr=7f7feec56000, pps=ffffba886bcade50, npages=1, centeridx=0, access_type=2, flags=42)
 ufi->orig_map=ffff9db1cbcf1af8, orig_rvaddr=7f7feec56000, orig_size=1000, map=ffff9db1cbcf1af8, mapv=7094, entry=ffff9db20d488e40, size=1000
 *pps=0
   1  15795     linux_dma_resv_trylock:entry 
   1  16082     linux_ww_mutex_trylock:entry 
   1  16990         mutex_vector_enter:entry 
   1  16991        mutex_vector_enter:return 
   1  16992          mutex_vector_exit:entry 
   1  16083    linux_ww_mutex_trylock:return 
   1  15796    linux_dma_resv_trylock:return 
   1  22684 radeon_bo_fault_reserve_notify:entry 
   1  22680     radeon_bo_check_tiling:entry 
   1  22681    radeon_bo_check_tiling:return 
   1  22685 radeon_bo_fault_reserve_notify:return 
   1  26837      ttm_mem_io_reserve_vm:entry 
   1  26835         ttm_mem_io_reserve:entry 
   1  26838     ttm_mem_io_reserve_vm:return 
   1  46011                 pmap_enter:entry 
   1  21054              pmap_enter_ma:entry 
   1  28069        uvm_phys_to_vm_page:entry 
   1  28070       uvm_phys_to_vm_page:return 
   1  46033              pmap_find_ptp:entry 
   1  46034             pmap_find_ptp:return 
   1  46013  pmap_enter_pv.constprop.0:entry 
   1  46014 pmap_enter_pv.constprop.0:return 
   1  21073              pmap_map_ptes:entry 
   1  21074             pmap_map_ptes:return 
   1  21096            pmap_unmap_ptes:entry 
   1  21097           pmap_unmap_ptes:return 
   1  21055             pmap_enter_ma:return 
   1  46012                pmap_enter:return 
   1  21100                pmap_update:entry 
   1  21094          pmap_tlb_shootnow:entry 
   1  21095         pmap_tlb_shootnow:return 
   1  21101               pmap_update:return 
   1  16990         mutex_vector_enter:entry 
   1  16991        mutex_vector_enter:return 
   1  26789    ttm_bo_move_to_lru_tail:entry 
   1  50808        ttm_bo_del_from_lru:entry 
   1  50809       ttm_bo_del_from_lru:return 
   1  50800      ttm_bo_add_mem_to_lru:entry 
   1  26790   ttm_bo_move_to_lru_tail:return 
   1  16992          mutex_vector_exit:entry 
   1  16084      linux_ww_mutex_unlock:entry 
   1  16990         mutex_vector_enter:entry 
   1  16991        mutex_vector_enter:return 
   1  16992          mutex_vector_exit:entry 
   1  28131      uvmfault_update_stats:entry 
   1  28132     uvmfault_update_stats:return 
   1  26806          ttm_bo_uvm_fault:return 
   1  26806          ttm_bo_uvm_fault:return returns 134 or 0

 Here are the last 300 lines from kdump, which ends in a SEGV, but you
 don't see that reflected in the output, probably because gdb intercepts
 it and halts X while it is prompting me for a command.
 Output from "ls -lR" is recognizable in the GIO lines.

   2736   2736 X        RET   recvmsg 11868/0x2e5c
   2736   2736 X        CALL  writev(0x20,0x7f7fffffe660,1)
   2736   2736 X        GIO   fd 32 wrote 32 bytes
        "\^N\0\M-c{\^Q\0 \^A\0\0>\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"
   2736   2736 X        RET   writev 32/0x20
   2736   2736 X        CALL  recvmsg(0x20,0x7f7fffffe5a0,0)
   2736   2736 X        MISC  msghdr: [name=0x0, namelen=0, iov=0x7f7fffffe590, iovlen=1, control=0x7f7fffffe5d0, controllen=528, flags=4000000]
   2736   2736 X        GIO   fd 32 read 4088 bytes
        "\^B\^A\^D\0\f\0 \^A\^B\0\0\0\0\0\0\0\^B\0\^D\0\^Q\0 \^A\^B\0\0\0\0\0\0\0=\0\^D\0\^Q\0 \^A\^Q\0\M-P\M-R0\^B\M-D1\^B \^D\0\f\0 \^A\^B\0\0\0\0\0\0\0\^B \^D\0\^Q\0 \^A\^B\0\0\0\0\0\0\
 	\0L<\^S\0\^Q\0 \^A\^O\0 \^A\^Q\0\r\0-r-xr-xr-x  1 rhialto  users     384 Aug  2  1986 OKI84.PRT*L\^T	\0\^Q\0 \^A\^O\0 \^A\M-5\^A\r\0                    L?\^T\0\^Q\0 \^A\^O\0 \
 	\^A\^Q\0\^Z\0-r-xr-xr-x  1 rhialto  users     512 Aug  2  1986 PANASNIC.PRT*7L\^Q	\0\^Q\0 \^A\^O\0 \^A\M-J\^A\^Z\0                 \^S	\0L>\^T\0\^Q\0 \^A\^O\0 \^A\^Q\0'\0\
 	-r-xr-xr-x  1 rhialto  users   15666 Sep 25  1985 PRINTER.COM*17L\^R	\0\^Q\0 \^A\^O\0 \^A\M-C\^A'\0                  	\0L>\^T\0\^Q\0 \^A\^O\0 \^A\^Q\0004\0-r-xr-xr-x  1 \
 	rhialto  users     173 Sep  6  1986 PRINTME.BAT*17L\^R	\0\^Q\0 \^A\^O\0 \^A\M-C\^A4\0                  	\0L>\^T\0\^Q\0 \^A\^O\0 \^A\^Q\0A\0-r-xr-xr-x  1 rhialto  users    \
 	 293 Oct  2  1985 PS-READ.DOC*17L\^R	\0\^Q\0 \^A\^O\0 \^A\M-C\^AA\0                  	\0L?\^T\0\^Q\0 \^A\^O\0 \^A\^Q\0N\0-r-xr-xr-x  1 rhialto  users    2048 Sep  6  198\
 	6 README-M.AAC*7L\^Q	\0\^Q\0 \^A\^O\0 \^A\M-J\^AN\0                 \^S	\0L=\^T\0\^Q\0 \^A\^O\0 \^A\^Q\0[\0-r-xr-xr-x  1 rhialto  users   16128 Aug  8  1986 README.DOC* 17\
 	L\^S	\0\^Q\0 \^A\^O\0 \^A\M-<\^A[\0                   \0L=\^T\0\^Q\0 \^A\^O\0 \^A\^Q\0h\0-r-xr-xr-x  1 rhialto  users    5891 Oct  2  1985 README.WKS* 17L\^S	\0\^Q\0 \^A\
 	\^O\0 \^A\M-<\^Ah\0                   \0L?\^T\0\^Q\0 \^A\^O\0 \^A\^Q\0u\0-r-xr-xr-x  1 rhialto  users     512 Aug  2  1986 REGISTER.DOC*7L\^Q	\0\^Q\0 \^A\^O\0 \^A\M-J\^Au\0     \
 	            \^S	\0L=\^T\0\^Q\0 \^A\^O\0 \^A\^Q\0\M^B\0-r-xr-xr-x  1 rhialto  users     465 May 29  1985 S-DUMP.COM*   L\^S	\0\^Q\0 \^A\^O\0 \^A\M-<\^A\M^B\0                  \
 	  L?\^T\0\^Q\0 \^A\^O\0 \^A\^Q\0\M^O\0-r-xr-xr-x  1 rhialto  users    1664 Aug  2  1986 SKELETON.PRT* L\^Q	\0\^Q\0 \^A\^O\0 \^A\M-J\^A\M^O\0                 r-xL=\^T\0\^Q\0 \
 	\^A\^O\0 \^A\^Q\0\M^\\0-r-xr-xr-x  1 rhialto  users    4238 Oct  4  1985 SPREAD.MSG*   L\^S	\0\^Q\0 \^A\^O\0 \^A\M-<\^A\M^\\0                   xL?\^T\0\^Q\0 \^A\^O\0 \^A\^Q\0\
 	\M-)\0-r-xr-xr-x  1 rhialto  users     384 Aug  2  1986 THINKJET.PRT* L\^Q	\0\^Q\0 \^A\^O\0 \^A\M-J\^A\M-)\0                 r-xL9\^S\0\^Q\0 \^A\^O\0 \^A\^Q\0\M-6\0-r-xr-xr-x\
 	  1 rhialto  users  148352 Aug  2  1986 WP.EXE*\^A\M-6\0L\^W\n\0\^Q\0 \^A\^O\0 \^A\240\^A\M-6\0                        L;\^S\0\^Q\0 \^A\^O\0 \^A\^Q\0\M-C\0-r-xr-xr-x  1 rhialto  u\
 	sers    1664 Aug  2  1986 WPDEFAUL* L\^U\n\0\^Q\0 \^A\^O\0 \^A\M-.\^A\M-C\0                     -LiL;\^S\0\^Q\0 \^A\^O\0 \^A\^Q\0\M-P\0-r-xr-xr-x  1 rhialto  users    1664 Aug  2 \
 	 1986 WPFORMAT*uL\^U\n\0\^Q\0 \^A\^O\0 \^A\M-.\^A\M-P\0                     \0\M-]\0L;\^S\0\^Q\0 \^A\^O\0 \^A\^Q\0\M-]\0-r-xr-xr-x  1 rhialto  users    1536 Aug  2  1986 WPPRMENU*\
 	\0L\^U\n\0\^Q\0 \^A\^O\0 \^A\M-.\^A\M-]\0                     ersLP\^X\0\^Q\0 \^A\^O\0 \^A\^Q\0\M-j\0                                                                              \
 	  L.\^P\0\^Q\0 \^A\^O\0 \^A\^Q\0\M-w\0./uae/C64-cd/PET/TPUG-Library-cd/MSDOS/(m)aad: \^AL\"\r\0\^Q\0 \^A\^O\0 \^AS\^A\M-w\0                                  xrL	\a\0\^Q\0 \
 	\^A\^O\0 \^A\^Q\0\^D\^Atotal 3169 NLG\^V\0\^Q\0 \^A\^O\0 \^AP\0\^D\^A                                                                       rL>\^T\0\^Q\0 \^A\^O\0 \^A\^Q\0\^Q\^A-r\
 	-xr-xr-x  1 rhialto  users       1 May 26  1986 ---DM---.--*  L\^R	\0\^Q\0 \^A\^O\0 \^A\M-C\^A\^Q\^A                  xrL?\^T\0\^Q\0 \^A\^O\0 \^A\^Q\0\^^\^A-r-xr-xr-x  1 rhia\
 	lto  users       1 May 26  1986 ---E8---.---* L\^Q	\0\^Q\0 \^A\^O\0 \^A\M-J\^A\^^\^A                 x  L?\^T\0\^Q\0 \^A\^O\0 \^A\^Q\0+\^A-r-xr-xr-x  1 rhialto  users       1\
 	 May 26  1986 ---END--.---* L\^Q	\0\^Q\0 \^A\^O\0 \^A\M-J\^A+\^A                 x  L?\^T\0\^Q\0 \^A\^O\0 \^A\^Q\08\^A-r-xr-xr-x  1 rhialto  users       1 May 26  1986 ---P\
 	T---.---* L\^Q	\0\^Q\0 \^A\^O\0 \^A\M-J\^A8\^A                 x  L?\^T\0\^Q\0 \^A\^O\0 \^A\^Q\0E\^A-r-xr-xr-x  1 rhialto  users       1 May 26  1986 ---RD---.---* L\^Q	\0\
 	\^Q\0 \^A\^O\0 \^A\M-J\^AE\^A                  rhL:\^S\0\^Q\0 \^A\^O\0 \^A\^Q\0R\^A-r-xr-xr-x  1 rhialto  users      11 Jan 31  1986 128.BAT*  L\^V\n\0\^Q\0 \^A\^O\0 \^A\M-'\^AR\
 	\^A                      ltL:\^S\0\^Q\0 \^A\^O\0 \^A\^Q\0_\^A-r-xr-xr-x  1 rhialto  users      11 Jan 31  1986 360.BAT*  L\^V\n\0\^Q\0 \^A\^O\0 \^A\M-'\^A_\^A                     \
 	  uL9\^S\0\^Q\0 \^A\^O\0 \^A\^Q\0l\^A-r-xr-xr-x  1 rhialto  users      10 Jan 31  1986 64.BAT* ssL\^W\n\0\^Q\0 \^A\^O\0 \^A\240\^Al\^A                        L<\^S\0\^Q\0 \^A\^O\0\
 	 \^A\^Q\0y\^A-r-xr-xr-x  1 rhialto  users    1921 Oct 17  1985 ASCII.PAD*L\^T	\0\^Q\0 \^A\^O\0 \^A\M-5\^Ay\^A                    L?\^T\0\^Q\0 \^A\^O\0 \^A\^Q\0\M^F\^A-r-xr-xr-x \
 	 1 rhialto  users      37 Mar  3  1985 AUTOEXEC.BAT*6L\^Q	\0\^Q\0 \^A\^O\0 \^A\M-J\^A\M^F\^A                    L?\^T\0\^Q\0 \^A\^O\0 \^A\^Q\0\M^S\^A-r-xr-xr-x  1 rhialto  u\
 	sers    1020 Oct 17  1985 CALENDAR.PAD* L\^Q	\0\^Q\0 \^A\^O\0 \^A\M-J\^A\M^S\^A                 009L?\^T\0\^Q\0 \^A\^O\0 \^A\^Q\0\240\^A-r-xr-xr-x  1 rhialto  users     177 Sep\
 	 30  1985 DESKMATE.CFG* L\^Q	\0\^Q\0 \^A\^O\0 \^A\M-J\^A\240\^A                 009L?\^T\0\^Q\0 \^A\^O\0 \^A\^Q\0\M--\^A-r-xr-xr-x  1 rhialto  users   51427 Aug 21  1987 DESKMA\
 	TE.COM* L\^Q	\0\^Q\0 \^A\^O\0 \^A\M-J\^A\M--\^A                    L?\^T\0\^Q\0 \^A\^O\0 \^A\^Q\0\M-:\^A-r-xr-xr-x  1 rhialto  users  120245 Oct 17  1985 DESKMATE.DOC*dL\^Q	\0\
 	\^Q\0 \^A\^O\0 \^A\M-J\^A\M-:\^A                    L;\^S\0\^Q\0 \^A\^O\0 \^A\^Q\0\M-G\^A-r-xr-xr-x  1 rhialto  users     256 Jul  2  1986 DISC.III*\^AL\^U\n\0\^Q\0 \^A\^O\0 \^A\
 	\M-.\^A\M-G\^A"
   2736   2736 X        GIO   fd 32 read 4088 bytes
        "                        L?\^T\0\^Q\0 \^A\^O\0 \^A\^Q\0\M-T\^A-r-xr-xr-x  1 rhialto  users      97 Jul  7  1985 DISKETTE.BAT* L\^Q	\0\^Q\0 \^A\^O\0 \^A\M-J\^A\M-T\^A         \
 	        \0 \^AL:\^S\0\^Q\0 \^A\^O\0 \^A\^Q\0\M-a\^A-r-xr-xr-x  1 rhialto  users   35322 Sep 14  1986 E88.DOC*  L\^V\n\0\^Q\0 \^A\^O\0 \^A\M-'\^A\M-a\^A                       \^AL:\
 	\^S\0\^Q\0 \^A\^O\0 \^A\^Q\0\M-n\^A-r-xr-xr-x  1 rhialto  users   13398 Sep 14  1986 E88.EXE*20L\^V\n\0\^Q\0 \^A\^O\0 \^A\M-'\^A\M-n\^A                      \M-{\^AL;\^S\0\^Q\0 \
 	\^A\^O\0 \^A\^Q\0\M-{\^A-r-xr-xr-x  1 rhialto  users     231 Aug 20  1986 E888.BAT*vL\^U\n\0\^Q\0 \^A\^O\0 \^A\M-.\^A\M-{\^A                     \^A\b\^BL<\^S\0\^Q\0 \^A\^O\0 \^A\
 	\^Q\0\b\^B-r-xr-xr-x  1 rhialto  users      92 Mar 16  1985 EPSON.CFG*L\^T	\0\^Q\0 \^A\^O\0 \^A\M-5\^A\b\^B                    L>\^T\0\^Q\0 \^A\^O\0 \^A\^Q\0\^U\^B-r-xr-xr-x \
 	 1 rhialto  users     125 Jul  7  1985 HARDISK.BAT*ovL\^R	\0\^Q\0 \^A\^O\0 \^A\M-C\^A\^U\^B                   \^AL?\^T\0\^Q\0 \^A\^O\0 \^A\^Q\0\"\^B-r-xr-xr-x  1 rhialto  us\
 	ers     640 Mar  3  1985 HOLIDAYS.PAD*vL\^Q	\0\^Q\0 \^A\^O\0 \^A\M-J\^A\"\^B                 \^A/\^BL>\^T\0\^Q\0 \^A\^O\0 \^A\^Q\0/\^B-r-xr-xr-x  1 rhialto  users   17737 Oct \
 	17  1985 INSTALL.COM*4 L\^R	\0\^Q\0 \^A\^O\0 \^A\M-C\^A/\^B                    L=\^T\0\^Q\0 \^A\^O\0 \^A\^Q\0<\^B-r-xr-xr-x  1 rhialto  users      17 Mar  3  1985 MANUAL.BAT* \
 	  L\^S	\0\^Q\0 \^A\^O\0 \^A\M-<\^A<\^B                   \0L>\^T\0\^Q\0 \^A\^O\0 \^A\^Q\0I\^B-r-xr-xr-x  1 rhialto  users    2011 Oct 17  1985 METRICS.PAD*  L\^R	\0\^Q\0 \^A\
 	\^O\0 \^A\M-C\^AI\^B                  \^F\0L?\^T\0\^Q\0 \^A\^O\0 \^A\^Q\0V\^B-r-xr-xr-x  1 rhialto  users    3540 Sep 14  1986 NEWSTUFF.DOC* L\^Q	\0\^Q\0 \^A\^O\0 \^A\M-J\^A\
 	V\^B                 >\^T\0L:\^S\0\^Q\0 \^A\^O\0 \^A\^Q\0c\^B-r-xr-xr-x  1 rhialto  users      11 Jan 31  1986 OFF.BAT*  L\^V\n\0\^Q\0 \^A\^O\0 \^A\M-'\^Ac\^B                     \
 	 \^T\0L>\^T\0\^Q\0 \^A\^O\0 \^A\^Q\0p\^B-r-xr-xr-x  1 rhialto  users     115 Mar  3  1985 OKIDATA.CFG*	\0L\^R	\0\^Q\0 \^A\^O\0 \^A\M-C\^Ap\^B                  \^X\0L<\^S\0\^Q\0 \
 	\^A\^O\0 \^A\^Q\0}\^B-r-xr-xr-x  1 rhialto  users     533 Mar 16  1985 PHONE.PAD*L\^T	\0\^Q\0 \^A\^O\0 \^A\M-5\^A}\^B                    L?\^T\0\^Q\0 \^A\^O\0 \^A\^Q\0\M^J\^B-r-\
 	xr-xr-x  1 rhialto  users     115 Mar  3  1985 PLUGPLAY.CFG* L\^Q	\0\^Q\0 \^A\^O\0 \^A\M-J\^A\M^J\^B                  11L>\^T\0\^Q\0 \^A\^O\0 \^A\^Q\0\M^W\^B-r-xr-xr-x  1 rh\
 	ialto  users     115 Sep 30  1985 PRINTER.CFG*  L\^R	\0\^Q\0 \^A\^O\0 \^A\M-C\^A\M^W\^B                  xrL>\^T\0\^Q\0 \^A\^O\0 \^A\^Q\0\M-$\^B-r-xr-xr-x  1 rhialto  users    \
 	 512 Nov  4  1986 PRINTME.BAT*  L\^R	\0\^Q\0 \^A\^O\0 \^A\M-C\^A\M-$\^B                    L<\^S\0\^Q\0 \^A\^O\0 \^A\^Q\0\M-1\^B-r-xr-xr-x  1 rhialto  users    1892 Oct 28  198\
 	6 PTSET.COM*L\^T	\0\^Q\0 \^A\^O\0 \^A\M-5\^A\M-1\^B                    L<\^S\0\^Q\0 \^A\^O\0 \^A\^Q\0\M->\^B-r-xr-xr-x  1 rhialto  users     290 Nov  1  1986 PTSET.DOC*L\^T\
 		\0\^Q\0 \^A\^O\0 \^A\M-5\^A\M->\^B                    L>\^T\0\^Q\0 \^A\^O\0 \^A\^Q\0\M-K\^B-r-xr-xr-x  1 rhialto  users    1024 Aug 11  1986 RAMDISK.COM*  L\^R	\0\^Q\0 \^A\
 	\^O\0 \^A\M-C\^A\M-K\^B                  -xL>\^T\0\^Q\0 \^A\^O\0 \^A\^Q\0\M-X\^B-r-xr-xr-x  1 rhialto  users    1191 Jun 21  1986 RAMDISK.DOC*  L\^R	\0\^Q\0 \^A\^O\0 \^A\M-C\^A\
 	\M-X\^B                  -xL=\^T\0\^Q\0 \^A\^O\0 \^A\^Q\0\M-e\^B-r-xr-xr-x  1 rhialto  users     512 Aug 13  1985 RAMDRV.SYS*   L\^S	\0\^Q\0 \^A\^O\0 \^A\M-<\^A\M-e\^B         \
 	          xL9\^S\0\^Q\0 \^A\^O\0 \^A\^Q\0\M-r\^B-r-xr-xr-x  1 rhialto  users    1274 Oct 17  1985 README*\^A\M^?\^BL\^W\n\0\^Q\0 \^A\^O\0 \^A\240\^A\M-r\^B                       x\
 	L=\^T\0\^Q\0 \^A\^O\0 \^A\^Q\0\M^?\^B-r-xr-xr-x  1 rhialto  users      14 Apr 27  1985 README.BAT*   L\^S	\0\^Q\0 \^A\^O\0 \^A\M-<\^A\M^?\^B                   xL=\^T\0\^Q\0 \
 	\^A\^O\0 \^A\^Q\0\f\^C-r-xr-xr-x  1 rhialto  users    1920 Oct 17  1985 STATES.PAD*   L\^S	\0\^Q\0 \^A\^O\0 \^A\M-<\^A\f\^C                   xL>\^T\0\^Q\0 \^A\^O\0 \^A\^Q\0\
 	\^Y\^C-r-xr-xr-x  1 rhialto  users    2351 Nov  4  1986 TPUG1-4.PRT*  L\^R	\0\^Q\0 \^A\^O\0 \^A\M-C\^A\^Y\^C                  -xL>\^T\0\^Q\0 \^A\^O\0 \^A\^Q\0&\^C-r-xr-xr-x  \
 	1 rhialto  users    2048 Nov  4  1986 TPUGREAD.ME*  L\^R	\0\^Q\0 \^A\^O\0 \^A\M-C\^A&\^C                  -xLP\^X\0\^Q\0 \^A\^O\0 \^A\^Q\0003\^C                            \
 	                                                    L.\^P\0\^Q\0 \^A\^O\0 \^A\^Q\0@\^C./uae/C64-cd/PET/TPUG-Library-cd/MSDOS/(m)aae:00L\"\r\0\^Q\0 \^A\^O\0 \^AS\^A@\^C            \
 	                       \^CL	\a\0\^Q\0 \^A\^O\0 \^A\^Q\0M\^Ctotal 344x  LG\^V\0\^Q\0 \^A\^O\0 \^AP\0M\^C                                                                       \
 	\^CL>\^T\0\^Q\0 \^A\^O\0 \^A\^Q\0Z\^C-r-xr-xr-x  1 rhialto  users      1 May 26  1986 ---END--.---*  L\^R	\0\^Q\0 \^A\^O\0 \^A\M-C\^AZ\^C                   -L>\^T\0\^Q\0 \^A\
 	\^O\0 \^A\^Q\0g\^C-r-xr-xr-x  1 rhialto  users      1 May 26  1986 ---PM---.---*  L\^R	\0\^Q\0 \^A\^O\0 \^A\M-C\^Ag\^C                    L>\^T\0\^Q\0 \^A\^O\0 \^A\^Q\0t\^C-r-xr-\
 	xr-x  1 rhialto  users      1 May 26  1986 ---RD---.---*\r\0L\^R	\0\^Q\0 \^A\^O\0 \^A\M-C\^At\^C                   iL>\^T\0\^Q\0 \^A\^O\0 \^A\^Q\0\M^A\^C-r-xr-xr-x  1 rhial\
 	to  users      1 May 26  1986 ---ST---.---* \^AL\^R	\0\^Q\0 \^A\^O\0 \^A\M-C\^A\M^A\^C                   \^CL>\^T\0\^Q\0 \^A\^O\0 \^A\^Q\0\M^N\^C-r-xr-xr-x  1 rhialto  users  \
 	    1 May 26  1986 ---TK---.---* \^AL\^R	\0\^Q\0 \^A\^O\0 \^A\M-C\^A\M^N\^C                    L<\^S\0\^Q\0 \^A\^O\0 \^A\^Q\0\M^[\^C-r-xr-xr-x  1 rhialto  u"
   2736   2736 X        GIO   fd 32 read 3332 bytes
        "sers    384 Jun 10  1986 BALOON.BIN*L\^T	\0\^Q\0 \^A\^O\0 \^A\M-5\^A\M^[\^C                    L;\^S\0\^Q\0 \^A\^O\0 \^A\^Q\0\M-(\^C-r-xr-xr-x  1 rhialto  users    128 Jun \
 	10  1986 BIRD1.BIN*tL\^U\n\0\^Q\0 \^A\^O\0 \^A\M-.\^A\M-(\^C                        L;\^S\0\^Q\0 \^A\^O\0 \^A\^Q\0\M-5\^C-r-xr-xr-x  1 rhialto  users    128 Jun 10  1986 BIRD2.BIN\
 	*uL\^U\n\0\^Q\0 \^A\^O\0 \^A\M-.\^A\M-5\^C                        L:\^S\0\^Q\0 \^A\^O\0 \^A\^Q\0\M-B\^C-r-xr-xr-x  1 rhialto  users    128 Jun 10  1986 BOMB.BIN*avL\^V\n\0\^Q\0 \
 	\^A\^O\0 \^A\M-'\^A\M-B\^C                        L<\^S\0\^Q\0 \^A\^O\0 \^A\^Q\0\M-O\^C-r-xr-xr-x  1 rhialto  users   1920 Jun 10  1986 BOTTOM.BIN*L\^T	\0\^Q\0 \^A\^O\0 \^A\M-5\^A\
 	\M-O\^C                    L=\^T\0\^Q\0 \^A\^O\0 \^A\^Q\0\M-\\^C-r-xr-xr-x  1 rhialto  users    128 Jun 10  1986 EXPLODE.BIN*aaxL\^S	\0\^Q\0 \^A\^O\0 \^A\M-<\^A\M-\\^C         \
 	           L>\^T\0\^Q\0 \^A\^O\0 \^A\^Q\0\M-i\^C-r-xr-xr-x  1 rhialto  users  16128 Jun 10  1986 INSTRUCT.BIN*ayL\^R	\0\^Q\0 \^A\^O\0 \^A\M-C\^A\M-i\^C                    L:\^S\
 	\0\^Q\0 \^A\^O\0 \^A\^Q\0\M-v\^C-r-xr-xr-x  1 rhialto  users    640 Jun 10  1986 LOGO.BIN*(yL\^V\n\0\^Q\0 \^A\^O\0 \^A\M-'\^A\M-v\^C                        L;\^S\0\^Q\0 \^A\^O\0 \
 	\^A\^Q\0\^C\^D-r-xr-xr-x  1 rhialto  users    128 Jun 10  1986 LTANK.BIN*yL\^U\n\0\^Q\0 \^A\^O\0 \^A\M-.\^A\^C\^D                        L=\^T\0\^Q\0 \^A\^O\0 \^A\^Q\0\^P\^D-r-xr-\
 	xr-x  1 rhialto  users   4736 Apr 18  1986 PACKMAN.DOC*d64L\^S	\0\^Q\0 \^A\^O\0 \^A\M-<\^A\^P\^D                    L=\^T\0\^Q\0 \^A\^O\0 \^A\^Q\0\^]\^D-r-xr-xr-x  1 rhialto  use\
 	rs  37120 Apr 18  1986 PACKMAN.EXE*d64L\^S	\0\^Q\0 \^A\^O\0 \^A\M-<\^A\^]\^D                    L=\^T\0\^Q\0 \^A\^O\0 \^A\^Q\0*\^D-r-xr-xr-x  1 rhialto  users    512 Nov  4  \
 	1986 PRINTME.BAT*d64L\^S	\0\^Q\0 \^A\^O\0 \^A\M-<\^A*\^D                    L=\^T\0\^Q\0 \^A\^O\0 \^A\^Q\0007\^D-r-xr-xr-x  1 rhialto  users  60416 Jun 27  1986 ROUND42.COM\
 	*d64L\^S	\0\^Q\0 \^A\^O\0 \^A\M-<\^A7\^D                    L;\^S\0\^Q\0 \^A\^O\0 \^A\^Q\0D\^D-r-xr-xr-x  1 rhialto  users    128 Jun 10  1986 RTANK.BIN*eL\^U\n\0\^Q\0 \^A\
 	\^O\0 \^A\M-.\^AD\^D                        L=\^T\0\^Q\0 \^A\^O\0 \^A\^Q\0Q\^D-r-xr-xr-x  1 rhialto  users  13519 Jan  1  1980 STRIKER.DOC*d64L\^S	\0\^Q\0 \^A\^O\0 \^A\M-<\^A\
 	Q\^D                    L=\^T\0\^Q\0 \^A\^O\0 \^A\^Q\0^\^D-r-xr-xr-x  1 rhialto  users  67285 Jan  1  1980 STRIKER.EXE*d64L\^S	\0\^Q\0 \^A\^O\0 \^A\M-<\^A^\^D                    \
 	L>\^T\0\^Q\0 \^A\^O\0 \^A\^Q\0k\^D-r-xr-xr-x  1 rhialto  users     93 Jan  1  1980 STRKHINS.BAT*64L\^R	\0\^Q\0 \^A\^O\0 \^A\M-C\^Ak\^D                    L>\^T\0\^Q\0 \^A\^O\0 \
 	\^A\^Q\0x\^D-r-xr-xr-x  1 rhialto  users   6144 Jan  1  1980 STRKLOGO.DAT*64L\^R	\0\^Q\0 \^A\^O\0 \^A\M-C\^Ax\^D                    L>\^T\0\^Q\0 \^A\^O\0 \^A\^Q\0\M^E\^D-r-\
 	xr-xr-x  1 rhialto  users    512 Oct  3  1986 STRKPARM.DAT*  L\^R	\0\^Q\0 \^A\^O\0 \^A\M-C\^A\M^E\^D                  \M^R\^DLP\^X\0\^Q\0 \^A\^O\0 \^A\^Q\0\M^R\^D           \
 	                                                                     L\^A\^E\0\^Q\0 \^A\^O\0 \^A\^Q\0\M^R\^D    A\^A\b\0\^Q\0 \^A\^W\0 \^A\^Q\0\M^G\^D\^F\0\0\0\0\0\f\0\M-z\M^?\0\0\
 	\0\0\M-t\M^?L\^A\^E\0\^Q\0 \^A\^O\0 \^A\^Q\0\M^R\^D \0\^D\0L:\^S\0\^Q\0 \^A\^O\0 \^A\^Q\0\M^R\^D-r-xr-xr-x  1 rhialto  users  17664 Jun 10  1986 TANK.EXE*\r\0>\^A\a\0\^Q\0 \^A\^Q\
 	\0 \^A\^O\0 \^A\^Q\0]\0\^Q\0\^B\0000\^B7\^D\^B\0\^D\0\f\0 \^A\^B\0\0\0\0\0\0\0\^Bx\^D\0\^Q\0 \^A\^B\0\0\0\0\0\0\0=\0\^D\0\^Q\0 \^A\^Q\09\^D0\^B[\0\^B0\^D\0\f\0 \^A\^B\0\0\0\0\0\0\
 	\0\^B*\^D\0\^Q\0 \^A\^B\0\0\0\0\0\0\0L:\^S\0\^Q\0 \^A\^O\0 \^A\^Q\0D\^D-r-xr-xr-x  1 rhialto  users  31744 Jun 10  1986 TANK.OVL*  L\^V\n\0\^Q\0 \^A\^O\0 \^A\M-'\^AD\^D           \
 	           rhL=\^T\0\^Q\0 \^A\^O\0 \^A\^Q\0Q\^D-r-xr-xr-x  1 rhialto  users   2357 Nov  4  1986 TPUG1-5.PRT*   L\^S	\0\^Q\0 \^A\^O\0 \^A\M-<\^AQ\^D                   hL=\^T\0\
 	\^Q\0 \^A\^O\0 \^A\^Q\0^\^D-r-xr-xr-x  1 rhialto  users   1536 Nov  4  1986 TPUGREAD.ME*   L\^S	\0\^Q\0 \^A\^O\0 \^A\M-<\^A^\^D                   hL=\^T\0\^Q\0 \^A\^O\0 \^A\^Q\0k\
 	\^D-r-xr-xr-x  1 rhialto  users  49152 Jan  1  1980 TUNNELS.DAT*   L\^S	\0\^Q\0 \^A\^O\0 \^A\M-<\^Ak\^D                   hLP\^X\0\^Q\0 \^A\^O\0 \^A\^Q\0x\^D                      \
 	                                                          L.\^P\0\^Q\0 \^A\^O\0 \^A\^Q\0\M^E\^D./uae/C64-cd/PET/TPUG-Library-cd/MSDOS/(m)aaf:.AL\"\r\0\^Q\0 \^A\^O\0 \^AS\^A\M^E\^D\
 	                                   \^ALP\^X\0\^Q\0 \^A\^O\0 \^A\^Q\0\M^R\^D                                                                                L\^A\^E\0\^Q\0 \^A\^O\0 \
 	\^A\^Q\0\M^R\^D \0 \^AA\^A\b\0\^Q\0 \^A\^W\0 \^A\^Q\0\M^G\^D\^F\0\0\0\0\0\f\0\M-z\M^?\0\0\0\0\M-t\M^?"
   2736   2736 X        MISC  msghdr: [name=0x0, namelen=0, iov=0x7f7fffffe590, iovlen=1, control=0x7f7fffffe5d0, controllen=0, flags=0]
   2736   2736 X        RET   recvmsg 11508/0x2cf4
   2736   2736 X        CALL  writev(0x20,0x7f7fffffe660,1)
   2736   2736 X        GIO   fd 32 wrote 32 bytes
        "\^N\0\M-:|\^Q\0 \^A\0\0>\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"
   2736   2736 X        RET   writev 32/0x20
   2736   2736 X        CALL  recvmsg(0x20,0x7f7fffffe5a0,0)
   2736   2736 X        MISC  msghdr: [name=0x0, namelen=0, iov=0x7f7fffffe590, iovlen=1, control=0x7f7fffffe5d0, controllen=528, flags=4000000]
   2736   2736 X        RET   recvmsg -1 errno 35 Resource temporarily unavailable
   2736   2736 X        CALL  __setitimer50(0,0x7f7fffffe7f0,0)
   2736   2736 X        RET   __setitimer50 0
   2736   2736 X        CALL  __clock_gettime50(3,0x7f7fffffe7f0)
   2736   2736 X        RET   __clock_gettime50 0
   2736   2736 X        CALL  poll(0x7f7ff7e544c0,0x12,0x4a1ca)
   2736   2736 X        RET   poll 1
   2736   2736 X        CALL  __setitimer50(0,0x7f7fffffe7f0,0)
   2736   2736 X        RET   __setitimer50 0
   2736   2736 X        CALL  recvmsg(0x23,0x7f7fffffe5a0,0)
   2736   2736 X        MISC  msghdr: [name=0x0, namelen=0, iov=0x7f7fffffe590, iovlen=1, control=0x7f7fffffe5d0, controllen=528, flags=4000000]
   2736   2736 X        GIO   fd 35 read 8 bytes
        "&\^E\^B\0\^C\0\M^@\^A"
   2736   2736 X        MISC  msghdr: [name=0x0, namelen=0, iov=0x7f7fffffe590, iovlen=1, control=0x7f7fffffe5d0, controllen=0, flags=0]
   2736   2736 X        RET   recvmsg 8
   2736   2736 X        CALL  writev(0x23,0x7f7fffffe780,1)
   2736   2736 X        GIO   fd 35 wrote 32 bytes
        "\^A\^A\M^^\M^W\0\0\0\0\M-p\^F\0\0\0\0\0\0k\^Ee\^Bi\^EU\^B\0\^A\0\0\0\0\0\0"
   2736   2736 X        RET   writev 32/0x20
   2736   2736 X        CALL  recvmsg(0x23,0x7f7fffffe5a0,0)
   2736   2736 X        MISC  msghdr: [name=0x0, namelen=0, iov=0x7f7fffffe590, iovlen=1, control=0x7f7fffffe5d0, controllen=528, flags=4000000]
   2736   2736 X        RET   recvmsg -1 errno 35 Resource temporarily unavailable
   2736   2736 X        CALL  __setitimer50(0,0x7f7fffffe7f0,0)
   2736   2736 X        RET   __setitimer50 0
   2736   2736 X        CALL  __clock_gettime50(3,0x7f7fffffe7f0)
   2736   2736 X        RET   __clock_gettime50 0
   2736   2736 X        CALL  poll(0x7f7ff7e544c0,0x12,0x4a1ca)
   2736   2736 X        RET   poll 1
   2736   2736 X        CALL  __setitimer50(0,0x7f7fffffe7f0,0)
   2736   2736 X        RET   __setitimer50 0
   2736   2736 X        CALL  recvmsg(0x20,0x7f7fffffe5a0,0)
   2736   2736 X        MISC  msghdr: [name=0x0, namelen=0, iov=0x7f7fffffe590, iovlen=1, control=0x7f7fffffe5d0, controllen=528, flags=4000000]
   2736   2736 X        GIO   fd 32 read 48 bytes
        "L\^A\^E\0\^Q\0 \^A\^O\0 \^A\^Q\0\M^R\^D \0]\0L	\a\0\^Q\0 \^A\^O\0 \^A\^Q\0\M^R\^Dtotal 330x\^D\0"
   2736   2736 X        MISC  msghdr: [name=0x0, namelen=0, iov=0x7f7fffffe590, iovlen=1, control=0x7f7fffffe5d0, controllen=0, flags=0]
   2736   2736 X        RET   recvmsg 48/0x30
   2736   2736 X        CALL  recvmsg(0x20,0x7f7fffffe5a0,0)
   2736   2736 X        MISC  msghdr: [name=0x0, namelen=0, iov=0x7f7fffffe590, iovlen=1, control=0x7f7fffffe5d0, controllen=528, flags=4000000]
   2736   2736 X        RET   recvmsg -1 errno 35 Resource temporarily unavailable
   2736   2736 X        CALL  __setitimer50(0,0x7f7fffffe7f0,0)
   2736   2736 X        RET   __setitimer50 0
   2736   2736 X        CALL  __clock_gettime50(3,0x7f7fffffe7f0)
   2736   2736 X        RET   __clock_gettime50 0
   2736   2736 X        CALL  poll(0x7f7ff7e544c0,0x12,0x4a1ca)
   2736   2736 X        RET   poll 1
   2736   2736 X        CALL  __setitimer50(0,0x7f7fffffe7f0,0)
   2736   2736 X        RET   __setitimer50 0
   2736   2736 X        CALL  recvmsg(0x20,0x7f7fffffe5a0,0)
   2736   2736 X        MISC  msghdr: [name=0x0, namelen=0, iov=0x7f7fffffe590, iovlen=1, control=0x7f7fffffe5d0, controllen=528, flags=4000000]
   2736   2736 X        GIO   fd 32 read 488 bytes
        ">\^A\a\0\^Q\0 \^A\^Q\0 \^A\^O\0 \^A\^Q\0)\0\^Q\0\^B\0000\^Bk\^D\^B\0\^D\0\f\0 \^A\^B\0\0\0\0\0\0\0\^Bx\^D\0\^Q\0 \^A\^B\0\0\0\0\0\0\0=\0\^D\0\^Q\0 \^A\^Q\0m\^D0\^B'\0\^B0\^D\0\f\0\
 	 \^A\^B\0\0\0\0\0\0\0\^B*\^D\0\^Q\0 \^A\^B\0\0\0\0\0\0\0L?\^T\0\^Q\0 \^A\^O\0 \^A\^Q\0x\^D-r-xr-xr-x  1 rhialto  users       1 May 26  1986 ---END--.---*\0L\^Q	\0\^Q\0 \^A\^O\0 \
 	\^A\M-J\^Ax\^D                  rhL?\^T\0\^Q\0 \^A\^O\0 \^A\^Q\0\M^E\^D-r-xr-xr-x  1 rhialto  users       1 May 26  1986 --PRCM--.---* L\^Q	\0\^Q\0 \^A\^O\0 \^A\M-J\^A\M^E\^D \
 	                  hLP\^X\0\^Q\0 \^A\^O\0 \^A\^Q\0\M^R\^D                                                                                L\^A\^E\0\^Q\0 \^A\^O\0 \^A\^Q\0\M^R\^D   h\
 	A\^A\b\0\^Q\0 \^A\^W\0 \^A\^Q\0\M^G\^D\^F\0\0\0\0\0\f\0\M-z\M^?\0\0\0\0\M-t\M^?"
   2736   2736 X        MISC  msghdr: [name=0x0, namelen=0, iov=0x7f7fffffe590, iovlen=1, control=0x7f7fffffe5d0, controllen=0, flags=0]
   2736   2736 X        RET   recvmsg 488/0x1e8
   2736   2736 X        CALL  writev(0x20,0x7f7fffffe660,1)
   2736   2736 X        GIO   fd 32 wrote 32 bytes
        "\^N\0\M-P|\^Q\0 \^A\0\0>\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"
   2736   2736 X        RET   writev 32/0x20
   2736   2736 X        CALL  recvmsg(0x20,0x7f7fffffe5a0,0)
   2736   2736 X        MISC  msghdr: [name=0x0, namelen=0, iov=0x7f7fffffe590, iovlen=1, control=0x7f7fffffe5d0, controllen=528, flags=4000000]
   2736   2736 X        GIO   fd 32 read 100 bytes
        "L\^A\^E\0\^Q\0 \^A\^O\0 \^A\^Q\0\M^R\^D \0)\0L?\^T\0\^Q\0 \^A\^O\0 \^A\^Q\0\M^R\^D-r-xr-xr-x  1 rhialto  users       1 May 26  1986 --PRDOC-.---*\^A"
   2736   2736 X        MISC  msghdr: [name=0x0, namelen=0, iov=0x7f7fffffe590, iovlen=1, control=0x7f7fffffe5d0, controllen=0, flags=0]
   2736   2736 X        RET   recvmsg 100/0x64
   2736   2736 X        CALL  recvmsg(0x20,0x7f7fffffe5a0,0)
   2736   2736 X        MISC  msghdr: [name=0x0, namelen=0, iov=0x7f7fffffe590, iovlen=1, control=0x7f7fffffe5d0, controllen=528, flags=4000000]
   2736   2736 X        RET   recvmsg -1 errno 35 Resource temporarily unavailable
   2736   2736 X        CALL  __setitimer50(0,0x7f7fffffe7f0,0)
   2736   2736 X        RET   __setitimer50 0
   2736   2736 X        CALL  __clock_gettime50(3,0x7f7fffffe7f0)
   2736   2736 X        RET   __clock_gettime50 0
   2736   2736 X        CALL  poll(0x7f7ff7e544c0,0x12,0x4a1ca)
   2736   2736 X        RET   poll 1
   2736   2736 X        CALL  __setitimer50(0,0x7f7fffffe7f0,0)
   2736   2736 X        RET   __setitimer50 0
   2736   2736 X        CALL  recvmsg(0x20,0x7f7fffffe5a0,0)
   2736   2736 X        MISC  msghdr: [name=0x0, namelen=0, iov=0x7f7fffffe590, iovlen=1, control=0x7f7fffffe5d0, controllen=528, flags=4000000]
   2736   2736 X        GIO   fd 32 read 372 bytes
        ">\^A\a\0\^Q\0 \^A\^Q\0 \^A\^O\0 \^A\^Q\0\^\\0\^Q\0\^B\0000\^Bx\^D\^B\0\^D\0\f\0 \^A\^B\0\0\0\0\0\0\0\^Bx\^D\0\^Q\0 \^A\^B\0\0\0\0\0\0\0=\0\^D\0\^Q\0 \^A\^Q\0z\^D0\^B\^Z\0\^B2\^D\0\
 	\f\0 \^A\^B\0\0\0\0\0\0\0\^B-\^D\0\^Q\0 \^A\^B\0\0\0\0\0\0\0L?\^T\0\^Q\0 \^A\^O\0 \^A\^Q\0\M^E\^D-r-xr-xr-x  1 rhialto  users       1 May 26  1986 -UNARC--.---*\0L\^Q	\0\^Q\0 \^A\
 	\^O\0 \^A\M-J\^A\M^E\^D                  rhLP\^X\0\^Q\0 \^A\^O\0 \^A\^Q\0\M^R\^D                                                                                L\^A\^E\0\^Q\0 \^A\
 	\^O\0 \^A\^Q\0\M^R\^D   hA\^A\b\0\^Q\0 \^A\^W\0 \^A\^Q\0\M^G\^D\^F\0\0\0\0\0\f\0\M-z\M^?\0\0\0\0\M-t\M^?"
   2736   2736 X        MISC  msghdr: [name=0x0, namelen=0, iov=0x7f7fffffe590, iovlen=1, control=0x7f7fffffe5d0, controllen=0, flags=0]
   2736   2736 X        RET   recvmsg 372/0x174
   2736   2736 X        CALL  writev(0x20,0x7f7fffffe660,1)
   2736   2736 X        GIO   fd 32 wrote 32 bytes
        "\^N\0\M-_|\^Q\0 \^A\0\0>\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"
   2736   2736 X        RET   writev 32/0x20
   2736   2736 X        CALL  recvmsg(0x20,0x7f7fffffe5a0,0)
   2736   2736 X        MISC  msghdr: [name=0x0, namelen=0, iov=0x7f7fffffe590, iovlen=1, control=0x7f7fffffe5d0, controllen=528, flags=4000000]
   2736   2736 X        RET   recvmsg -1 errno 35 Resource temporarily unavailable
   2736   2736 X        CALL  __setitimer50(0,0x7f7fffffe7f0,0)
   2736   2736 X        RET   __setitimer50 0
   2736   2736 X        CALL  __clock_gettime50(3,0x7f7fffffe7f0)
   2736   2736 X        RET   __clock_gettime50 0
   2736   2736 X        CALL  poll(0x7f7ff7e544c0,0x12,0x4a1ca)
   2736   2736 X        RET   poll 1
   2736   2736 X        CALL  __setitimer50(0,0x7f7fffffe7f0,0)
   2736   2736 X        RET   __setitimer50 0
   2736   2736 X        CALL  recvmsg(0x20,0x7f7fffffe5a0,0)
   2736   2736 X        MISC  msghdr: [name=0x0, namelen=0, iov=0x7f7fffffe590, iovlen=1, control=0x7f7fffffe5d0, controllen=528, flags=4000000]
   2736   2736 X        GIO   fd 32 read 100 bytes
        "L\^A\^E\0\^Q\0 \^A\^O\0 \^A\^Q\0\M^R\^D \0\^\\0L>\^T\0\^Q\0 \^A\^O\0 \^A\^Q\0\M^R\^D-r-xr-xr-x  1 rhialto  users    5424 Sep 10  1986 ARCE206.COM* \^A"
   2736   2736 X        MISC  msghdr: [name=0x0, namelen=0, iov=0x7f7fffffe590, iovlen=1, control=0x7f7fffffe5d0, controllen=0, flags=0]
   2736   2736 X        RET   recvmsg 100/0x64
   2736   2736 X        CALL  recvmsg(0x20,0x7f7fffffe5a0,0)
   2736   2736 X        MISC  msghdr: [name=0x0, namelen=0, iov=0x7f7fffffe590, iovlen=1, control=0x7f7fffffe5d0, controllen=528, flags=4000000]
   2736   2736 X        RET   recvmsg -1 errno 35 Resource temporarily unavailable
   2736   2736 X        CALL  __setitimer50(0,0x7f7fffffe7f0,0)
   2736   2736 X        RET   __setitimer50 0
   2736   2736 X        CALL  __clock_gettime50(3,0x7f7fffffe7f0)
   2736   2736 X        RET   __clock_gettime50 0
   2736   2736 X        CALL  poll(0x7f7ff7e544c0,0x12,0x4a1ca)
   2736   2736 X        RET   poll 1
   2736   2736 X        CALL  __setitimer50(0,0x7f7fffffe7f0,0)
   2736   2736 X        RET   __setitimer50 0
   2736   2736 X        CALL  recvmsg(0x20,0x7f7fffffe5a0,0)
   2736   2736 X        MISC  msghdr: [name=0x0, namelen=0, iov=0x7f7fffffe590, iovlen=1, control=0x7f7fffffe5d0, controllen=528, flags=4000000]
   2736   2736 X        GIO   fd 32 read 1396 bytes
        ">\^A\a\0\^Q\0 \^A\^Q\0 \^A\^O\0 \^A\^Q\0\M^Q\0\^Q\0\^B\0000\^B\^C\^D\^B\0\^D\0\f\0 \^A\^B\0\0\0\0\0\0\0\^Bx\^D\0\^Q\0 \^A\^B\0\0\0\0\0\0\0=\0\^D\0\^Q\0 \^A\^Q\0\^E\^D0\^B\M^O\0\^B\
 	1\^D\0\f\0 \^A\^B\0\0\0\0\0\0\0\^B.\^D\0\^Q\0 \^A\^B\0\0\0\0\0\0\0L>\^T\0\^Q\0 \^A\^O\0 \^A\^Q\0\^P\^D-r-xr-xr-x  1 rhialto  users    7134 Sep 17  1986 ARCE206.DOC**\0L\^R	\0\
 	\^Q\0 \^A\^O\0 \^A\M-C\^A\^P\^D                  rhL>\^T\0\^Q\0 \^A\^O\0 \^A\^Q\0\^]\^D-r-xr-xr-x  1 rhialto  users   19160 Sep 22  1986 CMDCNVT.EXE*  L\^R	\0\^Q\0 \^A\^O\0 \
 	\^A\M-C\^A\^]\^D                   hL>\^T\0\^Q\0 \^A\^O\0 \^A\^Q\0*\^D-r-xr-xr-x  1 rhialto  users    8908 Sep 22  1986 LICENSE.DOC*  L\^R	\0\^Q\0 \^A\^O\0 \^A\M-C\^A*\^D    \
 	               hL>\^T\0\^Q\0 \^A\^O\0 \^A\^Q\0007\^D-r-xr-xr-x  1 rhialto  users    5127 Oct 17  1986 PRCM242.NEW*  L\^R	\0\^Q\0 \^A\^O\0 \^A\M-C\^A7\^D                   h\
 	L?\^T\0\^Q\0 \^A\^O\0 \^A\^Q\0D\^D-r-xr-xr-x  1 rhialto  users  121600 Sep 25  1986 PRCM24DC.ARC* L\^Q	\0\^Q\0 \^A\^O\0 \^A\M-J\^AD\^D                 /uaL>\^T\0\^Q\0 \^A\^O\0 \
 	\^A\^Q\0Q\^D-r-xr-xr-x  1 rhialto  users  165296 Oct 17  1986 PROCOMM.EXE*  L\^R	\0\^Q\0 \^A\^O\0 \^A\M-C\^AQ\^D                    L?\^T\0\^Q\0 \^A\^O\0 \^A\^Q\0^\^D-r-xr-\
 	xr-x  1 rhialto  users    2048 Dec 30  1986 README-M.AAF*\0L\^Q	\0\^Q\0 \^A\^O\0 \^A\M-J\^A^\^D                 \0\0\0L?\^T\0\^Q\0 \^A\^O\0 \^A\^Q\0k\^D-r-xr-xr-x  1 rhialto  user\
 	s    2533 Dec 30  1986 TPUGDISK.LST* L\^Q	\0\^Q\0 \^A\^O\0 \^A\M-J\^Ak\^D                  rhLP\^X\0\^Q\0 \^A\^O\0 \^A\^Q\0x\^D                                              \
 	                                  L.\^P\0\^Q\0 \^A\^O\0 \^A\^Q\0\M^E\^D./uae/C64-cd/PET/TPUG-Library-cd/MSDOS/(m)aag:OML\"\r\0\^Q\0 \^A\^O\0 \^AS\^A\M^E\^D                        \
 	           \^ALP\^X\0\^Q\0 \^A\^O\0 \^A\^Q\0\M^R\^D                                                                                L\^A\^E\0\^Q\0 \^A\^O\0 \^A\^Q\0\M^R\^D \0 \^AA\
 	\^A\b\0\^Q\0 \^A\^W\0 \^A\^Q\0\M^G\^D\^F\0\0\0\0\0\f\0\M-z\M^?\0\0\0\0\M-t\M^?"
   2736   2736 X        MISC  msghdr: [name=0x0, namelen=0, iov=0x7f7fffffe590, iovlen=1, control=0x7f7fffffe5d0, controllen=0, flags=0]
   2736   2736 X        RET   recvmsg 1396/0x574
   2736   2736 X        CALL  writev(0x20,0x7f7fffffe660,1)
   2736   2736 X        GIO   fd 32 wrote 32 bytes
        "\^N\0\M-l|\^Q\0 \^A\0\0>\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"
   2736   2736 X        RET   writev 32/0x20
   2736   2736 X        CALL  ioctl(0x11,DRM_IOCTL_RADEON_GEM_BUSY,0x7f7fffffdb98)
   2736   2736 X        GIO   fd 17 wrote 8 bytes
        "\M-0\^A\0\0\0\0\0\0"
   2736   2736 X        RET   ioctl -1 errno 16 Device busy
   2736   2736 X        CALL  __clock_gettime50(3,0x7f7fffffda50)
   2736   2736 X        RET   __clock_gettime50 0
   2736   2736 X        CALL  ioctl(0x11,DRM_IOCTL_RADEON_GEM_BUSY,0x7f7fffffda48)
   2736   2736 X        GIO   fd 17 wrote 8 bytes
        "\M^U\^A\0\0\0\0\0\0"
   2736   2736 X        RET   ioctl -1 errno 16 Device busy
   2736   2736 X        CALL  ioctl(0x11,DRM_IOCTL_RADEON_GEM_CREATE,0x7f7fffffda80)
   2736   2736 X        GIO   fd 17 wrote 32 bytes
        "\0\0\b\0\0\0\0\0\0\^P\0\0\0\0\0\0\0\0\0\0\^D\0\0\0\^D\0\0\0\0\0\0\0"
   2736   2736 X        GIO   fd 17 read 32 bytes
        "\0\0\b\0\0\0\0\0\0\^P\0\0\0\0\0\0\M-H\^A\0\0\^D\0\0\0\^D\0\0\0\0\0\0\0"
   2736   2736 X        RET   ioctl 0
   2736   2736 X        CALL  __clock_gettime50(3,0x7f7fffffdaa0)
   2736   2736 X        RET   __clock_gettime50 0
   2736   2736 X        CALL  __clock_gettime50(3,0x7f7fffffdaa0)
   2736   2736 X        RET   __clock_gettime50 0
   2736   2736 X        CALL  ioctl(0x11,DRM_IOCTL_RADEON_GEM_MMAP,0x7f7fffffdb80)
   2736   2736 X        GIO   fd 17 wrote 32 bytes
        "\M-H\^A\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\b\0\0\0\0\0\0\0\0\0\0\0\0\0"
   2736   2736 X        GIO   fd 17 read 32 bytes
        "\M-H\^A\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\b\0\0\0\0\0\0\M-@\M-C\^C\^A\0\0\0"
   2736   2736 X        RET   ioctl 0
   2736   2736 X        CALL  mmap(0,0x80000,PROT_READ|PROT_WRITE,0x1<SHARED,FILE,ALIGN=NONE>,0x11,0,0x103c3c000)
   2736   2736 X        RET   mmap 140187490844672/0x7f7ff1980000
   2736    391 X        RET   poll 1
   2736    391 X        CALL  read(0x18,0x7f7ff7bfa880,0x180)
   2736    391 X        GIO   fd 24 read 24 bytes
        "\a\0\0\0\M-|\M^?\M^?\M^?1XFf\0\0\0\0\M-sE\M^^\b\0\0\0\0"
   2736    391 X        RET   read 24/0x18
   2736    391 X        CALL  poll(0x7f7fe27ffe78,1,0)
   2736    391 X        RET   poll 0
   2736    391 X        CALL  __clock_gettime50(3,0x7f7fe27ff640)
   2736    391 X        RET   __clock_gettime50 0
   2736    391 X        CALL  __clock_gettime50(3,0x7f7fe27ff130)
   2736    391 X        RET   __clock_gettime50 0
   2736    391 X        CALL  ioctl(0xf,DRM_IOCTL_MODE_CURSOR,0x7f7fe27ff100)
   2736    391 X        GIO   fd 15 wrote 28 bytes
        "\^B\0\0\0*\0\0\0c\^E\0\0a\^B\0\0\0\0\0\0\0\0\0\0\0\0\0\0"
   2736    391 X        GIO   fd 15 read 28 bytes
        "\^B\0\0\0*\0\0\0c\^E\0\0a\^B\0\0\0\0\0\0\0\0\0\0\0\0\0\0"
   2736    391 X        RET   ioctl 0
   2736    391 X        CALL  write(0x15,0x7f7fe27fff9f,1)
   2736    391 X        GIO   fd 21 wrote 1 bytes
        "\0"
   2736    391 X        RET   write 1
   2736    391 X        CALL  poll(0x7f7ff5f39700,3,0xffffffff)

 (ktrace output ends)

From: Rhialto <rhialto@falu.nl>
To: gnats-bugs@netbsd.org, matthew green <mrg@eterna23.net>
Cc: xsrc-manager@netbsd.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org,
	Rhialto <rhialto@falu.nl>
Subject: Re: xsrc/58133: X server crashes; radeon 5450; modesetting
Date: Thu, 16 May 2024 22:28:47 +0200

 I had a bit more success when dtrace's output was redirected to a file.
 Here is the output from the last ttm_bo_uvm_fault() and the mmap()
 before it. Before that there were several ttm_bo_uvm_fault() but no
 preceeding mmap().

 At first sight I notice that the number of calls/returns traced inside
 ttm_bo_uvm_fault() is much larger than the cases where it didn't SEGV
 afterwards (an example is shown in my previous mail).

   0    754                       mmap:entry   2812 X            -WR  ----S 0        512      17
   0  15167                ktr_syscall:entry 
   0  15168               ktr_syscall:return 
   0  26698               trace_enter:return 
   0  26017                   sys_mmap:entry 
   0   9797                 fd_getfile:entry 
   0   9798                fd_getfile:return 
   0  35449               drm_fop_mmap:entry 
   0  26783         ttm_bo_mmap_object:entry 
   0   8934 drm_vma_offset_lookup_locked:entry 
   0  23278      rb_tree_find_node_leq:entry 
   0  23279     rb_tree_find_node_leq:return 
   0   8935 drm_vma_offset_lookup_locked:return 
   0   8926 drm_vma_node_verify_access:entry 
   0  23274          rb_tree_find_node:entry 
   0  23275         rb_tree_find_node:return 
   0   8927 drm_vma_node_verify_access:return 
   0  26784        ttm_bo_mmap_object:return 
   0  35450              drm_fop_mmap:return 
   0  20609              pax_aslr_mmap:entry 
   0  20610             pax_aslr_mmap:return 
   0  52803            uvm_mmap.part.0:entry 
   0  27913                    uvm_map:entry 
   0  27939            uvm_map_prepare:entry 
   0  27927          uvm_map_findspace:entry 
   0  27928         uvm_map_findspace:return 
   0  27940           uvm_map_prepare:return 
   0  27923              uvm_map_enter:entry 
   0  21171       pool_cache_get_paddr:entry 
   0  21172      pool_cache_get_paddr:return 
   0  52816              uvm_rb_insert:entry 
   0  23280        rb_tree_insert_node:entry 
   0  23281       rb_tree_insert_node:return 
   0  27924             uvm_map_enter:return 
   0  27914                   uvm_map:return 
   0  52804           uvm_mmap.part.0:return 
   0   9822                fd_putvnode:entry 
   0   9823               fd_putvnode:return 
   0  26018                  sys_mmap:return 
   0  26699                 trace_exit:entry 
   0    755                      mmap:return return: 7f7ff1180000
   0  26805           ttm_bo_uvm_fault:entry ttm_bo_uvm_fault(ufi=ffffba886c0bbd60, vaddr=7f7ff1180000, pps=ffffba886c0bbe50, npages=1, centeridx=0, access_type=2, flags=42)
 ufi->orig_map=ffff9db1cbcf1190, orig_rvaddr=7f7ff1180000, orig_size=1000, map=ffff9db1cbcf1190, mapv=5743, entry=ffff9db1d0ae5340, size=1000
 *pps=0

   0  15795     linux_dma_resv_trylock:entry 
   0  16082     linux_ww_mutex_trylock:entry 
   0  16990         mutex_vector_enter:entry 
   0  16991        mutex_vector_enter:return 
   0  16992          mutex_vector_exit:entry 
   0  16083    linux_ww_mutex_trylock:return 
   0  15796    linux_dma_resv_trylock:return 
   0  22684 radeon_bo_fault_reserve_notify:entry 
   0  22680     radeon_bo_check_tiling:entry 
   0  22681    radeon_bo_check_tiling:return 
   0  26807            ttm_bo_validate:entry 
   0  26779          ttm_bo_mem_compat:entry 
   0  26780         ttm_bo_mem_compat:return 
   0  26781           ttm_bo_mem_space:entry 
   0  15791 linux_dma_resv_reserve_shared:entry 
   0  15792 linux_dma_resv_reserve_shared:return 
   0  50828 ttm_bo_mem_placement.constprop.0.isra.0:entry 
   0  16990         mutex_vector_enter:entry 
   0  16991        mutex_vector_enter:return 
   0  50808        ttm_bo_del_from_lru:entry 
   0  50809       ttm_bo_del_from_lru:return 
   0  50800      ttm_bo_add_mem_to_lru:entry 
   0  50801     ttm_bo_add_mem_to_lru:return 
   0  16992          mutex_vector_exit:entry 
   0  50829 ttm_bo_mem_placement.constprop.0.isra.0:return 
   0  50820        ttm_bo_man_get_node:entry 
   0  15045           kmem_intr_zalloc:entry 
   0  15042            kmem_intr_alloc:entry 
   0  21171       pool_cache_get_paddr:entry 
   0  21172      pool_cache_get_paddr:return 
   0  15043           kmem_intr_alloc:return 
   0  15046          kmem_intr_zalloc:return 
   0  16990         mutex_vector_enter:entry 
   0  16991        mutex_vector_enter:return 
   0   8571 drm_mm_insert_node_in_range:entry 
   0  23278      rb_tree_find_node_leq:entry 
   0  23279     rb_tree_find_node_leq:return 
   0  47466                    rm_hole:entry 
   0  23282        rb_tree_remove_node:entry 
   0  47105  rb_tree_removal_rebalance:entry 
   0  47106 rb_tree_removal_rebalance:return 
   0  47105  rb_tree_removal_rebalance:entry 
   0  47467                   rm_hole:return 
   0  23280        rb_tree_insert_node:entry 
   0  23281       rb_tree_insert_node:return 
   0  23280        rb_tree_insert_node:entry 
   0  23281       rb_tree_insert_node:return 
   0   8572 drm_mm_insert_node_in_range:return 
   0  16992          mutex_vector_exit:entry 
   0  50821       ttm_bo_man_get_node:return 
   0  50802 ttm_bo_add_move_fence.constprop.0:entry 
   0  16990         mutex_vector_enter:entry 
   0  16991        mutex_vector_enter:return 
   0  15739        linux_dma_fence_get:entry 
   0  15740       linux_dma_fence_get:return 
   0  16992          mutex_vector_exit:entry 
   0  50803 ttm_bo_add_move_fence.constprop.0:return 
   0  26782          ttm_bo_mem_space:return 
   0  50817     ttm_bo_handle_move_mem:entry 
   0  26804 ttm_bo_unmap_virtual_locked:entry 
   0  22700      radeon_bo_move_notify:entry 
   0  22680     radeon_bo_check_tiling:entry 
   0  22681    radeon_bo_check_tiling:return 
   0  23173    radeon_vm_bo_invalidate:entry 
   0  23174   radeon_vm_bo_invalidate:return 
   0  46596             radeon_bo_move:entry 
   0  26809                ttm_bo_wait:entry 
   0  15797 linux_dma_resv_wait_timeout_rcu:entry 
   0  15798 linux_dma_resv_wait_timeout_rcu:return 
   0  15773 linux_dma_resv_add_excl_fence:entry 
   0  15774 linux_dma_resv_add_excl_fence:return 
   0  26810               ttm_bo_wait:return 
   0  46781 radeon_move_blit.constprop.0.isra.0:entry 
   0   9441         evergreen_copy_dma:entry 
   0  23058           radeon_ring_lock:entry 
   0  23047          radeon_ring_alloc:entry 
   0  23054      radeon_ring_free_size:entry 
   0  23055     radeon_ring_free_size:return 
   0  23048         radeon_ring_alloc:return 
   0  23059          radeon_ring_lock:return 
   0  23100           radeon_sync_resv:entry 
   0  23101          radeon_sync_resv:return 
   0  23102          radeon_sync_rings:entry 
   0  23103         radeon_sync_rings:return 
   0  22855          radeon_fence_emit:entry 
   0  15042            kmem_intr_alloc:entry 
   0  21171       pool_cache_get_paddr:entry 
   0  21172      pool_cache_get_paddr:return 
   0  15043           kmem_intr_alloc:return 
   0  15749       linux_dma_fence_init:entry 
   0  15750      linux_dma_fence_init:return 
   0   9449 evergreen_dma_fence_ring_emit:entry 
   0   9450 evergreen_dma_fence_ring_emit:return 
   0  15981   linux_queue_delayed_work:entry 
   0  16990         mutex_vector_enter:entry 
   0  16991        mutex_vector_enter:return 
   0  30419               acquire_work:entry 
   0  30420              acquire_work:return 
   0  16992          mutex_vector_exit:entry 
   0  15982  linux_queue_delayed_work:return 
   0  22856         radeon_fence_emit:return 
   0  23066  radeon_ring_unlock_commit:entry 
   0  23051         radeon_ring_commit:entry 
   0  23098           radeon_sync_free:entry 
   0  23090      radeon_semaphore_free:entry 
   0  23091     radeon_semaphore_free:return 
   0  23090      radeon_semaphore_free:entry 
   0  23091     radeon_semaphore_free:return 
   0  23090      radeon_semaphore_free:entry 
   0  23091     radeon_semaphore_free:return 
   0  23090      radeon_semaphore_free:entry 
   0  23091     radeon_semaphore_free:return 
   0  23099          radeon_sync_free:return 
   0   9442        evergreen_copy_dma:return 
   0  26785  ttm_bo_move_accel_cleanup:entry 
   0  15773 linux_dma_resv_add_excl_fence:entry 
   0  15739        linux_dma_fence_get:entry 
   0  15740       linux_dma_fence_get:return 
   0  15774 linux_dma_resv_add_excl_fence:return 
   0  15754       linux_dma_fence_put:return 
   0  15739        linux_dma_fence_get:entry 
   0  15740       linux_dma_fence_get:return 
   0  50833 ttm_buffer_object_transfer:entry 
   0  15042            kmem_intr_alloc:entry 
   0  21171       pool_cache_get_paddr:entry 
   0  21172      pool_cache_get_paddr:return 
   0  15043           kmem_intr_alloc:return 
   0   8922          drm_vma_node_init:entry 
   0  27966               uvm_obj_init:entry 
   0  24392               rw_obj_alloc:entry 
   0  21171       pool_cache_get_paddr:entry 
   0  21172      pool_cache_get_paddr:return 
   0  24393              rw_obj_alloc:return 
   0  27971            uvm_obj_setlock:entry 
   0  24394                rw_obj_free:entry 
   0  21176       pool_cache_put_paddr:entry 
   0  24395               rw_obj_free:return 
   0  27972           uvm_obj_setlock:return 
   0  15786        linux_dma_resv_init:entry 
   0  16070        linux_ww_mutex_init:entry 
   0  15787       linux_dma_resv_init:return 
   0  15795     linux_dma_resv_trylock:entry 
   0  16082     linux_ww_mutex_trylock:entry 
   0  16990         mutex_vector_enter:entry 
   0  16991        mutex_vector_enter:return 
   0  16992          mutex_vector_exit:entry 
   0  16083    linux_ww_mutex_trylock:return 
   0  15796    linux_dma_resv_trylock:return 
   0  50834 ttm_buffer_object_transfer:return 
   0  15773 linux_dma_resv_add_excl_fence:entry 
   0  15739        linux_dma_fence_get:entry 
   0  15740       linux_dma_fence_get:return 
   0  15774 linux_dma_resv_add_excl_fence:return 
   0  16084      linux_ww_mutex_unlock:entry 
   0  16990         mutex_vector_enter:entry 
   0  16991        mutex_vector_enter:return 
   0  16992          mutex_vector_exit:entry 
   0  26797                 ttm_bo_put:entry 
   0  50830             ttm_bo_release:entry 
   0  27965            uvm_obj_destroy:entry 
   0  24394                rw_obj_free:entry 
   0  24395               rw_obj_free:return 
   0  16990         mutex_vector_enter:entry 
   0  16991        mutex_vector_enter:return 
   0  15795     linux_dma_resv_trylock:entry 
   0  16082     linux_ww_mutex_trylock:entry 
   0  16990         mutex_vector_enter:entry 
   0  16991        mutex_vector_enter:return 
   0  16992          mutex_vector_exit:entry 
   0  16993         mutex_vector_exit:return 
   0  16083    linux_ww_mutex_trylock:return 
   0  15796    linux_dma_resv_trylock:return 
   0  15793 linux_dma_resv_test_signaled_rcu:entry 
   0  15741    linux_dma_fence_get_rcu:entry 
   0  15742   linux_dma_fence_get_rcu:return 
   0  15751 linux_dma_fence_is_signaled:entry 
   0  16990         mutex_vector_enter:entry 
   0  16991        mutex_vector_enter:return 
   0  42401 linux_dma_fence_is_signaled_locked.part.0:entry 
   0  46701   radeon_fence_is_signaled:entry 
   0  15808    linux_down_read_trylock:entry 
   0  16990         mutex_vector_enter:entry 
   0  16991        mutex_vector_enter:return 
   0  16992          mutex_vector_exit:entry 
   0  16993         mutex_vector_exit:return 
   0  15809   linux_down_read_trylock:return 
   0  46690      radeon_fence_activity:entry 
   0  15981   linux_queue_delayed_work:entry 
   0  16990         mutex_vector_enter:entry 
   0  16991        mutex_vector_enter:return 
   0  30419               acquire_work:entry 
   0  30420              acquire_work:return 
   0  16992          mutex_vector_exit:entry 
   0  16993         mutex_vector_exit:return 
   0  15982  linux_queue_delayed_work:return 
   0  46691     radeon_fence_activity:return 
   0  16052              linux_up_read:entry 
   0  16990         mutex_vector_enter:entry 
   0  16991        mutex_vector_enter:return 
   0  16992          mutex_vector_exit:entry 
   0  16993         mutex_vector_exit:return 
   0  46702  radeon_fence_is_signaled:return 
   0  42402 linux_dma_fence_is_signaled_locked.part.0:return 
   0  16992          mutex_vector_exit:entry 
   0  16993         mutex_vector_exit:return 
   0  15752 linux_dma_fence_is_signaled:return 
   0  15753        linux_dma_fence_put:entry 
   0  15754       linux_dma_fence_put:return 
   0  15794 linux_dma_resv_test_signaled_rcu:return 
   0  50808        ttm_bo_del_from_lru:entry 
   0  50809       ttm_bo_del_from_lru:return 
   0  50800      ttm_bo_add_mem_to_lru:entry 
   0  50801     ttm_bo_add_mem_to_lru:return 
   0  16084      linux_ww_mutex_unlock:entry 
   0  16990         mutex_vector_enter:entry 
   0  16991        mutex_vector_enter:return 
   0  16992          mutex_vector_exit:entry 
   0  16993         mutex_vector_exit:return 
   0  16992          mutex_vector_exit:entry 
   0  15981   linux_queue_delayed_work:entry 
   0  16990         mutex_vector_enter:entry 
   0  16991        mutex_vector_enter:return 
   0  30419               acquire_work:entry 
   0  30420              acquire_work:return 
   0   5534               callout_init:entry 
   0   5535              callout_init:return 
   0   5544            callout_setfunc:entry 
   0   5543           callout_schedule:entry 
   0  33662    callout_schedule_locked:entry 
   0  16992          mutex_vector_exit:entry 
   0  15982  linux_queue_delayed_work:return 
   0  50831            ttm_bo_release:return 
   0  26786 ttm_bo_move_accel_cleanup:return 
   0  15753        linux_dma_fence_put:entry 
   0  15754       linux_dma_fence_put:return 
   0  46782 radeon_move_blit.constprop.0.isra.0:return 
   0  46597            radeon_bo_move:return 
   0  50818    ttm_bo_handle_move_mem:return 
   0  26808           ttm_bo_validate:return 
   0  22685 radeon_bo_fault_reserve_notify:return 
   0  15751 linux_dma_fence_is_signaled:entry 
   0  16990         mutex_vector_enter:entry 
   0  16991        mutex_vector_enter:return 
   0  42401 linux_dma_fence_is_signaled_locked.part.0:entry 
   0  46701   radeon_fence_is_signaled:entry 
   0  15808    linux_down_read_trylock:entry 
   0  16990         mutex_vector_enter:entry 
   0  16991        mutex_vector_enter:return 
   0  16992          mutex_vector_exit:entry 
   0  16993         mutex_vector_exit:return 
   0  15809   linux_down_read_trylock:return 
   0  46690      radeon_fence_activity:entry 
   0  15981   linux_queue_delayed_work:entry 
   0  16990         mutex_vector_enter:entry 
   0  16991        mutex_vector_enter:return 
   0  30419               acquire_work:entry 
   0  30420              acquire_work:return 
   0  16992          mutex_vector_exit:entry 
   0  16993         mutex_vector_exit:return 
   0  15982  linux_queue_delayed_work:return 
   0  46691     radeon_fence_activity:return 
   0  16052              linux_up_read:entry 
   0  16990         mutex_vector_enter:entry 
   0  16991        mutex_vector_enter:return 
   0  16992          mutex_vector_exit:entry 
   0  16993         mutex_vector_exit:return 
   0  46702  radeon_fence_is_signaled:return 
   0  42402 linux_dma_fence_is_signaled_locked.part.0:return 
   0  16992          mutex_vector_exit:entry 
   0  15752 linux_dma_fence_is_signaled:return 
   0  15763       linux_dma_fence_wait:entry 
   0  15767 linux_dma_fence_wait_timeout:entry 
   0  46695  radeon_fence_default_wait:entry 
   0  15723 linux_dma_fence_add_callback:entry 
   0  16990         mutex_vector_enter:entry 
   0  16991        mutex_vector_enter:return 
   0  35175 dma_fence_ensure_signal_enabled:entry 
   0  46697 radeon_fence_enable_signaling:entry 
   0  15808    linux_down_read_trylock:entry 
   0  16990         mutex_vector_enter:entry 
   0  16991        mutex_vector_enter:return 
   0  16992          mutex_vector_exit:entry 
   0  16993         mutex_vector_exit:return 
   0  15809   linux_down_read_trylock:return 
   0  22992  radeon_irq_kms_sw_irq_get:entry 
   0  16990         mutex_vector_enter:entry 
   0  16991        mutex_vector_enter:return 
   0   9490          evergreen_irq_set:entry 
   0   2745                  __drm_dbg:entry 
   0   2746                 __drm_dbg:return 
   0   2745                  __drm_dbg:entry 
   0   2746                 __drm_dbg:return 
   0  22990 radeon_irq_kms_set_irq_n_enabled:entry 
   0  22991 radeon_irq_kms_set_irq_n_enabled:return 
   0  22990 radeon_irq_kms_set_irq_n_enabled:entry 
   0  22991 radeon_irq_kms_set_irq_n_enabled:return 
   0  22990 radeon_irq_kms_set_irq_n_enabled:entry 
   0  22991 radeon_irq_kms_set_irq_n_enabled:return 
   0  22990 radeon_irq_kms_set_irq_n_enabled:entry 
   0  22991 radeon_irq_kms_set_irq_n_enabled:return 
   0  22990 radeon_irq_kms_set_irq_n_enabled:entry 
   0  22991 radeon_irq_kms_set_irq_n_enabled:return 
   0  22990 radeon_irq_kms_set_irq_n_enabled:entry 
   0  22991 radeon_irq_kms_set_irq_n_enabled:return 
   0  22990 radeon_irq_kms_set_irq_n_enabled:entry 
   0  22991 radeon_irq_kms_set_irq_n_enabled:return 
   0  22990 radeon_irq_kms_set_irq_n_enabled:entry 
   0  22991 radeon_irq_kms_set_irq_n_enabled:return 
   0  22990 radeon_irq_kms_set_irq_n_enabled:entry 
   0  22991 radeon_irq_kms_set_irq_n_enabled:return 
   0  22990 radeon_irq_kms_set_irq_n_enabled:entry 
   0  22991 radeon_irq_kms_set_irq_n_enabled:return 
   0  22990 radeon_irq_kms_set_irq_n_enabled:entry 
   0  22991 radeon_irq_kms_set_irq_n_enabled:return 
   0  22990 radeon_irq_kms_set_irq_n_enabled:entry 
   0  22991 radeon_irq_kms_set_irq_n_enabled:return 
   0  22990 radeon_irq_kms_set_irq_n_enabled:entry 
   0  22991 radeon_irq_kms_set_irq_n_enabled:return 
   0  22990 radeon_irq_kms_set_irq_n_enabled:entry 
   0  22991 radeon_irq_kms_set_irq_n_enabled:return 
   0  22990 radeon_irq_kms_set_irq_n_enabled:entry 
   0  22991 radeon_irq_kms_set_irq_n_enabled:return 
   0  22990 radeon_irq_kms_set_irq_n_enabled:entry 
   0  22991 radeon_irq_kms_set_irq_n_enabled:return 
   0   9491         evergreen_irq_set:return 
   0  16992          mutex_vector_exit:entry 
   0  16993         mutex_vector_exit:return 
   0  46690      radeon_fence_activity:entry 
   0  15981   linux_queue_delayed_work:entry 
   0  16990         mutex_vector_enter:entry 
   0  16991        mutex_vector_enter:return 
   0  30419               acquire_work:entry 
   0  30420              acquire_work:return 
   0  16992          mutex_vector_exit:entry 
   0  16993         mutex_vector_exit:return 
   0  15982  linux_queue_delayed_work:return 
   0  46691     radeon_fence_activity:return 
   0  16052              linux_up_read:entry 
   0  16990         mutex_vector_enter:entry 
   0  16991        mutex_vector_enter:return 
   0  16992          mutex_vector_exit:entry 
   0  16993         mutex_vector_exit:return 
   0  15739        linux_dma_fence_get:entry 
   0  15740       linux_dma_fence_get:return 
   0  29569            DMA_FENCE_TRACE:entry 
   0  29570           DMA_FENCE_TRACE:return 
   0  46698 radeon_fence_enable_signaling:return 
   0  35176 dma_fence_ensure_signal_enabled:return 
   0  16992          mutex_vector_exit:entry 
   0  15724 linux_dma_fence_add_callback:return 
   0  16990         mutex_vector_enter:entry 
   0  16991        mutex_vector_enter:return 
   0  10585                   getticks:entry 
   0  10586                  getticks:return 
   0   7128           cv_timedwait_sig:entry 
   0  16257              lwp_unlock_to:entry 
   0   2924             _kernel_unlock:entry 
   0   2925            _kernel_unlock:return 
   0  25146             sleepq_enqueue:entry 
   0  10585                   getticks:entry 
   0  10586                  getticks:return 
   0  16992          mutex_vector_exit:entry 
   0  16993         mutex_vector_exit:return 
   0  25144               sleepq_block:entry 
   0  15143                    ktr_csw:entry 
   0  15144                   ktr_csw:return 
   0   5543           callout_schedule:entry 
   0  33662    callout_schedule_locked:entry 
   0  16542                  mi_switch:entry 
   0   4938                  binuptime:entry 
   0  50781          tsc_get_timecount:entry 
   0  50782         tsc_get_timecount:return 
   0   4939                 binuptime:return 
   0  24490              sched_nextlwp:entry 
   0  10585                   getticks:entry 
   0  10586                  getticks:return 
   0  24491             sched_nextlwp:return 
   0  21046            pmap_deactivate:entry 
   0  21094          pmap_tlb_shootnow:entry 
   0  21095         pmap_tlb_shootnow:return 
   0  21047           pmap_deactivate:return 
   0  25614            svs_lwp_switch:return 
   0  16543                 mi_switch:return 
   0   5530               callout_halt:entry 
   0   5531              callout_halt:return 
   0  24972               sigispending:entry 
   0  24973              sigispending:return 
   0  15143                    ktr_csw:entry 
   0  15144                   ktr_csw:return 
   0  25145              sleepq_block:return 
   0  16990         mutex_vector_enter:entry 
   0  16991        mutex_vector_enter:return 
   0   7129          cv_timedwait_sig:return 
   0  10585                   getticks:entry 
   0  10586                  getticks:return 
   0  16992          mutex_vector_exit:entry 
   0  15755 linux_dma_fence_remove_callback:entry 
   0  16990         mutex_vector_enter:entry 
   0  16991        mutex_vector_enter:return 
   0  16992          mutex_vector_exit:entry 
   0  15756 linux_dma_fence_remove_callback:return 
   0  46696 radeon_fence_default_wait:return 
   0  15768 linux_dma_fence_wait_timeout:return 
   0  15764      linux_dma_fence_wait:return 
   0  28131      uvmfault_update_stats:entry 
   0  28132     uvmfault_update_stats:return 
   0  15753        linux_dma_fence_put:entry 
   0  15754       linux_dma_fence_put:return 
   0  16990         mutex_vector_enter:entry 
   0  16991        mutex_vector_enter:return 
   0  26789    ttm_bo_move_to_lru_tail:entry 
   0  50808        ttm_bo_del_from_lru:entry 
   0  50809       ttm_bo_del_from_lru:return 
   0  50800      ttm_bo_add_mem_to_lru:entry 
   0  50801     ttm_bo_add_mem_to_lru:return 
   0  26790   ttm_bo_move_to_lru_tail:return 
   0  16992          mutex_vector_exit:entry 
   0  16084      linux_ww_mutex_unlock:entry 
   0  16990         mutex_vector_enter:entry 
   0  16991        mutex_vector_enter:return 
   0  16992          mutex_vector_exit:entry 
   0  26806          ttm_bo_uvm_fault:return 
   0  26806          ttm_bo_uvm_fault:return returns 134 or 14

   0  26701                 trapsignal:entry 
   0    158                 none:signal-send signal-send
   0    158                 none:signal-send signal-send
   0    158                 none:signal-send signal-send
   0    158                 none:signal-send signal-send

From: Rhialto <rhialto@falu.nl>
To: gnats-bugs@netbsd.org, matthew green <mrg@eterna23.net>
Cc: xsrc-manager@netbsd.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org,
	Rhialto <rhialto@falu.nl>
Subject: Re: xsrc/58133: X server crashes; radeon 5450; modesetting
Date: Fri, 17 May 2024 19:46:55 +0200

 I added some tracing of linux_dma_fence_wait() and
 fence:wait_start/done. Here are the results from mmap and
 ttm_bo_uvm_fault just before the SEGV.

 linux_dma_fence_wait:return returns -99

 I can add tracing of more functions to show their arguments but doing
 all of them would be a lot of work...

   0    754                       mmap:entry   2812 X            -WR  ----S 0        512      17
   0  15167                ktr_syscall:entry 
   0  15168               ktr_syscall:return 
   0  26698               trace_enter:return 
   0  26017                   sys_mmap:entry 
   0   9797                 fd_getfile:entry 
   0   9798                fd_getfile:return 
   0  35449               drm_fop_mmap:entry 
   0  26783         ttm_bo_mmap_object:entry 
   0   8934 drm_vma_offset_lookup_locked:entry 
   0  23278      rb_tree_find_node_leq:entry 
   0  23279     rb_tree_find_node_leq:return 
   0   8935 drm_vma_offset_lookup_locked:return 
   0   8926 drm_vma_node_verify_access:entry 
   0  23274          rb_tree_find_node:entry 
   0  23275         rb_tree_find_node:return 
   0   8927 drm_vma_node_verify_access:return 
   0  26784        ttm_bo_mmap_object:return 
   0  35450              drm_fop_mmap:return 
   0  20609              pax_aslr_mmap:entry 
   0  20610             pax_aslr_mmap:return 
   0  52803            uvm_mmap.part.0:entry 
   0  27913                    uvm_map:entry 
   0  27939            uvm_map_prepare:entry 
   0  27927          uvm_map_findspace:entry 
   0  27928         uvm_map_findspace:return 
   0  27940           uvm_map_prepare:return 
   0  27923              uvm_map_enter:entry 
   0  21171       pool_cache_get_paddr:entry 
   0  21172      pool_cache_get_paddr:return 
   0  52816              uvm_rb_insert:entry 
   0  23280        rb_tree_insert_node:entry 
   0  23281       rb_tree_insert_node:return 
   0  27924             uvm_map_enter:return 
   0  27914                   uvm_map:return 
   0  52804           uvm_mmap.part.0:return 
   0   9822                fd_putvnode:entry 
   0   9823               fd_putvnode:return 
   0  26018                  sys_mmap:return 
   0  26699                 trace_exit:entry 
   0    755                      mmap:return return: 7f7ff1d47000
   0  26805           ttm_bo_uvm_fault:entry ttm_bo_uvm_fault(ufi=ffffba886c0bbd60, vaddr=7f7ff1d47000, pps=ffffba886c0bbe50, npages=1, centeridx=0, access_type=2, flags=42)
 ufi->orig_map=ffff9db1cbcf1190, orig_rvaddr=7f7ff1d47000, orig_size=1000, map=ffff9db1cbcf1190, mapv=6304, entry=ffff9db1d0ae51c0, size=1000
 *pps=0

   0  15795     linux_dma_resv_trylock:entry 
   0  16082     linux_ww_mutex_trylock:entry 
   0  16990         mutex_vector_enter:entry 
   0  16991        mutex_vector_enter:return 
   0  16992          mutex_vector_exit:entry 
   0  16083    linux_ww_mutex_trylock:return 
   0  15796    linux_dma_resv_trylock:return 
   0  22684 radeon_bo_fault_reserve_notify:entry 
   0  22680     radeon_bo_check_tiling:entry 
   0  22681    radeon_bo_check_tiling:return 
   0  26807            ttm_bo_validate:entry 
   0  26779          ttm_bo_mem_compat:entry 
   0  26780         ttm_bo_mem_compat:return 
   0  26781           ttm_bo_mem_space:entry 
   0  15791 linux_dma_resv_reserve_shared:entry 
   0  15792 linux_dma_resv_reserve_shared:return 
   0  50828 ttm_bo_mem_placement.constprop.0.isra.0:entry 
   0  16990         mutex_vector_enter:entry 
   0  16991        mutex_vector_enter:return 
   0  50808        ttm_bo_del_from_lru:entry 
   0  50809       ttm_bo_del_from_lru:return 
   0  50800      ttm_bo_add_mem_to_lru:entry 
   0  50801     ttm_bo_add_mem_to_lru:return 
   0  16992          mutex_vector_exit:entry 
   0  50829 ttm_bo_mem_placement.constprop.0.isra.0:return 
   0  50820        ttm_bo_man_get_node:entry 
   0  15045           kmem_intr_zalloc:entry 
   0  15042            kmem_intr_alloc:entry 
   0  21171       pool_cache_get_paddr:entry 
   0  21172      pool_cache_get_paddr:return 
   0  15043           kmem_intr_alloc:return 
   0  15046          kmem_intr_zalloc:return 
   0  16990         mutex_vector_enter:entry 
   0  16991        mutex_vector_enter:return 
   0   8571 drm_mm_insert_node_in_range:entry 
   0  23278      rb_tree_find_node_leq:entry 
   0  23279     rb_tree_find_node_leq:return 
   0  47466                    rm_hole:entry 
   0  23283       rb_tree_remove_node:return 
   0  23283       rb_tree_remove_node:return 
   0  47467                   rm_hole:return 
   0  23280        rb_tree_insert_node:entry 
   0  23281       rb_tree_insert_node:return 
   0  23280        rb_tree_insert_node:entry 
   0  23281       rb_tree_insert_node:return 
   0   8572 drm_mm_insert_node_in_range:return 
   0  16992          mutex_vector_exit:entry 
   0  50821       ttm_bo_man_get_node:return 
   0  50802 ttm_bo_add_move_fence.constprop.0:entry 
   0  16990         mutex_vector_enter:entry 
   0  16991        mutex_vector_enter:return 
   0  15739        linux_dma_fence_get:entry 
   0  15740       linux_dma_fence_get:return 
   0  16992          mutex_vector_exit:entry 
   0  50803 ttm_bo_add_move_fence.constprop.0:return 
   0  26782          ttm_bo_mem_space:return 
   0  50817     ttm_bo_handle_move_mem:entry 
   0  26804 ttm_bo_unmap_virtual_locked:entry 
   0  22700      radeon_bo_move_notify:entry 
   0  22680     radeon_bo_check_tiling:entry 
   0  22681    radeon_bo_check_tiling:return 
   0  23173    radeon_vm_bo_invalidate:entry 
   0  23174   radeon_vm_bo_invalidate:return 
   0  46596             radeon_bo_move:entry 
   0  26809                ttm_bo_wait:entry 
   0  15797 linux_dma_resv_wait_timeout_rcu:entry 
   0  15798 linux_dma_resv_wait_timeout_rcu:return 
   0  15773 linux_dma_resv_add_excl_fence:entry 
   0  15774 linux_dma_resv_add_excl_fence:return 
   0  26810               ttm_bo_wait:return 
   0  46781 radeon_move_blit.constprop.0.isra.0:entry 
   0   9441         evergreen_copy_dma:entry 
   0  23058           radeon_ring_lock:entry 
   0  23047          radeon_ring_alloc:entry 
   0  23054      radeon_ring_free_size:entry 
   0  23055     radeon_ring_free_size:return 
   0  23048         radeon_ring_alloc:return 
   0  23059          radeon_ring_lock:return 
   0  23100           radeon_sync_resv:entry 
   0  23101          radeon_sync_resv:return 
   0  23102          radeon_sync_rings:entry 
   0  23103         radeon_sync_rings:return 
   0  22855          radeon_fence_emit:entry 
   0  15042            kmem_intr_alloc:entry 
   0  21171       pool_cache_get_paddr:entry 
   0  21172      pool_cache_get_paddr:return 
   0  15043           kmem_intr_alloc:return 
   0  15749       linux_dma_fence_init:entry 
   0  15750      linux_dma_fence_init:return 
   0   9449 evergreen_dma_fence_ring_emit:entry 
   0   9450 evergreen_dma_fence_ring_emit:return 
   0  15981   linux_queue_delayed_work:entry 
   0  16990         mutex_vector_enter:entry 
   0  16991        mutex_vector_enter:return 
   0  30419               acquire_work:entry 
   0  30420              acquire_work:return 
   0  16992          mutex_vector_exit:entry 
   0  15982  linux_queue_delayed_work:return 
   0  22856         radeon_fence_emit:return 
   0  23066  radeon_ring_unlock_commit:entry 
   0  23051         radeon_ring_commit:entry 
   0  23098           radeon_sync_free:entry 
   0  23090      radeon_semaphore_free:entry 
   0  23091     radeon_semaphore_free:return 
   0  23090      radeon_semaphore_free:entry 
   0  23091     radeon_semaphore_free:return 
   0  23090      radeon_semaphore_free:entry 
   0  23091     radeon_semaphore_free:return 
   0  23090      radeon_semaphore_free:entry 
   0  23091     radeon_semaphore_free:return 
   0  23099          radeon_sync_free:return 
   0   9442        evergreen_copy_dma:return 
   0  26785  ttm_bo_move_accel_cleanup:entry 
   0  15773 linux_dma_resv_add_excl_fence:entry 
   0  15739        linux_dma_fence_get:entry 
   0  15740       linux_dma_fence_get:return 
   0  15774 linux_dma_resv_add_excl_fence:return 
   0  15754       linux_dma_fence_put:return 
   0  15739        linux_dma_fence_get:entry 
   0  15740       linux_dma_fence_get:return 
   0  50833 ttm_buffer_object_transfer:entry 
   0  15042            kmem_intr_alloc:entry 
   0  21171       pool_cache_get_paddr:entry 
   0  21172      pool_cache_get_paddr:return 
   0  15043           kmem_intr_alloc:return 
   0   8922          drm_vma_node_init:entry 
   0  27966               uvm_obj_init:entry 
   0  24392               rw_obj_alloc:entry 
   0  21171       pool_cache_get_paddr:entry 
   0  21172      pool_cache_get_paddr:return 
   0  24393              rw_obj_alloc:return 
   0  27971            uvm_obj_setlock:entry 
   0  24394                rw_obj_free:entry 
   0  21176       pool_cache_put_paddr:entry 
   0  24395               rw_obj_free:return 
   0  27972           uvm_obj_setlock:return 
   0  15786        linux_dma_resv_init:entry 
   0  16070        linux_ww_mutex_init:entry 
   0  15787       linux_dma_resv_init:return 
   0  15795     linux_dma_resv_trylock:entry 
   0  16082     linux_ww_mutex_trylock:entry 
   0  16990         mutex_vector_enter:entry 
   0  16991        mutex_vector_enter:return 
   0  16992          mutex_vector_exit:entry 
   0  16083    linux_ww_mutex_trylock:return 
   0  15796    linux_dma_resv_trylock:return 
   0  50834 ttm_buffer_object_transfer:return 
   0  15773 linux_dma_resv_add_excl_fence:entry 
   0  15739        linux_dma_fence_get:entry 
   0  15740       linux_dma_fence_get:return 
   0  15774 linux_dma_resv_add_excl_fence:return 
   0  16084      linux_ww_mutex_unlock:entry 
   0  16990         mutex_vector_enter:entry 
   0  16991        mutex_vector_enter:return 
   0  16992          mutex_vector_exit:entry 
   0  26797                 ttm_bo_put:entry 
   0  50830             ttm_bo_release:entry 
   0  27965            uvm_obj_destroy:entry 
   0  24394                rw_obj_free:entry 
   0  24395               rw_obj_free:return 
   0  16990         mutex_vector_enter:entry 
   0  16991        mutex_vector_enter:return 
   0  15795     linux_dma_resv_trylock:entry 
   0  16082     linux_ww_mutex_trylock:entry 
   0  16990         mutex_vector_enter:entry 
   0  16991        mutex_vector_enter:return 
   0  16992          mutex_vector_exit:entry 
   0  16993         mutex_vector_exit:return 
   0  16083    linux_ww_mutex_trylock:return 
   0  15796    linux_dma_resv_trylock:return 
   0  15793 linux_dma_resv_test_signaled_rcu:entry 
   0  15741    linux_dma_fence_get_rcu:entry 
   0  15742   linux_dma_fence_get_rcu:return 
   0  15751 linux_dma_fence_is_signaled:entry 
   0  16990         mutex_vector_enter:entry 
   0  16991        mutex_vector_enter:return 
   0  42401 linux_dma_fence_is_signaled_locked.part.0:entry 
   0  46701   radeon_fence_is_signaled:entry 
   0  15808    linux_down_read_trylock:entry 
   0  16990         mutex_vector_enter:entry 
   0  16991        mutex_vector_enter:return 
   0  16992          mutex_vector_exit:entry 
   0  16993         mutex_vector_exit:return 
   0  15809   linux_down_read_trylock:return 
   0  46690      radeon_fence_activity:entry 
   0  15981   linux_queue_delayed_work:entry 
   0  16990         mutex_vector_enter:entry 
   0  16991        mutex_vector_enter:return 
   0  30419               acquire_work:entry 
   0  30420              acquire_work:return 
   0  16992          mutex_vector_exit:entry 
   0  16993         mutex_vector_exit:return 
   0  15982  linux_queue_delayed_work:return 
   0  46691     radeon_fence_activity:return 
   0  16052              linux_up_read:entry 
   0  16990         mutex_vector_enter:entry 
   0  16991        mutex_vector_enter:return 
   0  16992          mutex_vector_exit:entry 
   0  16993         mutex_vector_exit:return 
   0  46702  radeon_fence_is_signaled:return 
   0  42402 linux_dma_fence_is_signaled_locked.part.0:return 
   0  16992          mutex_vector_exit:entry 
   0  16993         mutex_vector_exit:return 
   0  15752 linux_dma_fence_is_signaled:return 
   0  15753        linux_dma_fence_put:entry 
   0  15754       linux_dma_fence_put:return 
   0  15794 linux_dma_resv_test_signaled_rcu:return 
   0  50808        ttm_bo_del_from_lru:entry 
   0  50809       ttm_bo_del_from_lru:return 
   0  50800      ttm_bo_add_mem_to_lru:entry 
   0  50801     ttm_bo_add_mem_to_lru:return 
   0  16084      linux_ww_mutex_unlock:entry 
   0  16990         mutex_vector_enter:entry 
   0  16991        mutex_vector_enter:return 
   0  16992          mutex_vector_exit:entry 
   0  16993         mutex_vector_exit:return 
   0  16992          mutex_vector_exit:entry 
   0  15981   linux_queue_delayed_work:entry 
   0  16990         mutex_vector_enter:entry 
   0  16991        mutex_vector_enter:return 
   0  30419               acquire_work:entry 
   0  30420              acquire_work:return 
   0   5534               callout_init:entry 
   0   5535              callout_init:return 
   0   5544            callout_setfunc:entry 
   0   5543           callout_schedule:entry 
   0  33662    callout_schedule_locked:entry 
   0  16992          mutex_vector_exit:entry 
   0  15982  linux_queue_delayed_work:return 
   0  50831            ttm_bo_release:return 
   0  26786 ttm_bo_move_accel_cleanup:return 
   0  15753        linux_dma_fence_put:entry 
   0  15754       linux_dma_fence_put:return 
   0  46782 radeon_move_blit.constprop.0.isra.0:return 
   0  46597            radeon_bo_move:return 
   0  50818    ttm_bo_handle_move_mem:return 
   0  26808           ttm_bo_validate:return 
   0  22685 radeon_bo_fault_reserve_notify:return 
   0  15751 linux_dma_fence_is_signaled:entry 
   0  16990         mutex_vector_enter:entry 
   0  16991        mutex_vector_enter:return 
   0  42401 linux_dma_fence_is_signaled_locked.part.0:entry 
   0  46701   radeon_fence_is_signaled:entry 
   0  15808    linux_down_read_trylock:entry 
   0  16990         mutex_vector_enter:entry 
   0  16991        mutex_vector_enter:return 
   0  16992          mutex_vector_exit:entry 
   0  16993         mutex_vector_exit:return 
   0  15809   linux_down_read_trylock:return 
   0  46690      radeon_fence_activity:entry 
   0  15981   linux_queue_delayed_work:entry 
   0  16990         mutex_vector_enter:entry 
   0  16991        mutex_vector_enter:return 
   0  30419               acquire_work:entry 
   0  30420              acquire_work:return 
   0  16992          mutex_vector_exit:entry 
   0  16993         mutex_vector_exit:return 
   0  15982  linux_queue_delayed_work:return 
   0  46691     radeon_fence_activity:return 
   0  16052              linux_up_read:entry 
   0  16990         mutex_vector_enter:entry 
   0  16991        mutex_vector_enter:return 
   0  16992          mutex_vector_exit:entry 
   0  16993         mutex_vector_exit:return 
   0  46702  radeon_fence_is_signaled:return 
   0  42402 linux_dma_fence_is_signaled_locked.part.0:return 
   0  16992          mutex_vector_exit:entry 
   0  15752 linux_dma_fence_is_signaled:return 
   0  15763       linux_dma_fence_wait:entry 
   0  15763       linux_dma_fence_wait:entry 
   0  15767 linux_dma_fence_wait_timeout:entry 
   0    334                 fence:wait_start fence=ffff9db1da6eb408 intr=1
   0  46695  radeon_fence_default_wait:entry 
   0  15723 linux_dma_fence_add_callback:entry 
   0  16990         mutex_vector_enter:entry 
   0  16991        mutex_vector_enter:return 
   0  35175 dma_fence_ensure_signal_enabled:entry 
   0  46697 radeon_fence_enable_signaling:entry 
   0  15808    linux_down_read_trylock:entry 
   0  16990         mutex_vector_enter:entry 
   0  16991        mutex_vector_enter:return 
   0  16992          mutex_vector_exit:entry 
   0  16993         mutex_vector_exit:return 
   0  15809   linux_down_read_trylock:return 
   0  22992  radeon_irq_kms_sw_irq_get:entry 
   0  16990         mutex_vector_enter:entry 
   0  16991        mutex_vector_enter:return 
   0   9490          evergreen_irq_set:entry 
   0   2745                  __drm_dbg:entry 
   0   2746                 __drm_dbg:return 
   0   2745                  __drm_dbg:entry 
   0   2746                 __drm_dbg:return 
   0  22990 radeon_irq_kms_set_irq_n_enabled:entry 
   0  22991 radeon_irq_kms_set_irq_n_enabled:return 
   0  22990 radeon_irq_kms_set_irq_n_enabled:entry 
   0  22991 radeon_irq_kms_set_irq_n_enabled:return 
   0  22990 radeon_irq_kms_set_irq_n_enabled:entry 
   0  22991 radeon_irq_kms_set_irq_n_enabled:return 
   0  22990 radeon_irq_kms_set_irq_n_enabled:entry 
   0  22991 radeon_irq_kms_set_irq_n_enabled:return 
   0  22990 radeon_irq_kms_set_irq_n_enabled:entry 
   0  22991 radeon_irq_kms_set_irq_n_enabled:return 
   0  22990 radeon_irq_kms_set_irq_n_enabled:entry 
   0  22991 radeon_irq_kms_set_irq_n_enabled:return 
   0  22990 radeon_irq_kms_set_irq_n_enabled:entry 
   0  22991 radeon_irq_kms_set_irq_n_enabled:return 
   0  22990 radeon_irq_kms_set_irq_n_enabled:entry 
   0  22991 radeon_irq_kms_set_irq_n_enabled:return 
   0  22990 radeon_irq_kms_set_irq_n_enabled:entry 
   0  22991 radeon_irq_kms_set_irq_n_enabled:return 
   0  22990 radeon_irq_kms_set_irq_n_enabled:entry 
   0  22991 radeon_irq_kms_set_irq_n_enabled:return 
   0  22990 radeon_irq_kms_set_irq_n_enabled:entry 
   0  22991 radeon_irq_kms_set_irq_n_enabled:return 
   0  22990 radeon_irq_kms_set_irq_n_enabled:entry 
   0  22991 radeon_irq_kms_set_irq_n_enabled:return 
   0  22990 radeon_irq_kms_set_irq_n_enabled:entry 
   0  22991 radeon_irq_kms_set_irq_n_enabled:return 
   0  22990 radeon_irq_kms_set_irq_n_enabled:entry 
   0  22991 radeon_irq_kms_set_irq_n_enabled:return 
   0  22990 radeon_irq_kms_set_irq_n_enabled:entry 
   0  22991 radeon_irq_kms_set_irq_n_enabled:return 
   0  22990 radeon_irq_kms_set_irq_n_enabled:entry 
   0  22991 radeon_irq_kms_set_irq_n_enabled:return 
   0   9491         evergreen_irq_set:return 
   0  16992          mutex_vector_exit:entry 
   0  16993         mutex_vector_exit:return 
   0  46690      radeon_fence_activity:entry 
   0  15981   linux_queue_delayed_work:entry 
   0  16990         mutex_vector_enter:entry 
   0  16991        mutex_vector_enter:return 
   0  30419               acquire_work:entry 
   0  30420              acquire_work:return 
   0  16992          mutex_vector_exit:entry 
   0  16993         mutex_vector_exit:return 
   0  15982  linux_queue_delayed_work:return 
   0  46691     radeon_fence_activity:return 
   0  16052              linux_up_read:entry 
   0  16990         mutex_vector_enter:entry 
   0  16991        mutex_vector_enter:return 
   0  16992          mutex_vector_exit:entry 
   0  16993         mutex_vector_exit:return 
   0  15739        linux_dma_fence_get:entry 
   0  15740       linux_dma_fence_get:return 
   0  29569            DMA_FENCE_TRACE:entry 
   0  29570           DMA_FENCE_TRACE:return 
   0  46698 radeon_fence_enable_signaling:return 
   0  35176 dma_fence_ensure_signal_enabled:return 
   0  16992          mutex_vector_exit:entry 
   0  15724 linux_dma_fence_add_callback:return 
   0  16990         mutex_vector_enter:entry 
   0  16991        mutex_vector_enter:return 
   0  10585                   getticks:entry 
   0  10586                  getticks:return 
   0   7128           cv_timedwait_sig:entry 
   0  16257              lwp_unlock_to:entry 
   0   2924             _kernel_unlock:entry 
   0   2925            _kernel_unlock:return 
   0  25146             sleepq_enqueue:entry 
   0  10585                   getticks:entry 
   0  10586                  getticks:return 
   0  16992          mutex_vector_exit:entry 
   0  16993         mutex_vector_exit:return 
   0  25144               sleepq_block:entry 
   0  15143                    ktr_csw:entry 
   0  15144                   ktr_csw:return 
   0   5543           callout_schedule:entry 
   0  33662    callout_schedule_locked:entry 
   0  16542                  mi_switch:entry 
   0   4938                  binuptime:entry 
   0  50781          tsc_get_timecount:entry 
   0  50782         tsc_get_timecount:return 
   0   4939                 binuptime:return 
   0  24490              sched_nextlwp:entry 
   0  10585                   getticks:entry 
   0  10586                  getticks:return 
   0  24491             sched_nextlwp:return 
   0  21046            pmap_deactivate:entry 
   0  21094          pmap_tlb_shootnow:entry 
   0  21095         pmap_tlb_shootnow:return 
   0  21047           pmap_deactivate:return 
   0  25614            svs_lwp_switch:return 
   0  10088                 fpu_switch:entry 
   0  10075              fpu_area_save:entry 
   0  10089                fpu_switch:return 
   0  16543                 mi_switch:return 
   0   5530               callout_halt:entry 
   0   5531              callout_halt:return 
   0  24972               sigispending:entry 
   0  24973              sigispending:return 
   0  15143                    ktr_csw:entry 
   0  15144                   ktr_csw:return 
   0  25145              sleepq_block:return 
   0  16990         mutex_vector_enter:entry 
   0  16991        mutex_vector_enter:return 
   0   7129          cv_timedwait_sig:return 
   0  10585                   getticks:entry 
   0  10586                  getticks:return 
   0  16992          mutex_vector_exit:entry 
   0  15755 linux_dma_fence_remove_callback:entry 
   0  16990         mutex_vector_enter:entry 
   0  16991        mutex_vector_enter:return 
   0  16992          mutex_vector_exit:entry 
   0  15756 linux_dma_fence_remove_callback:return 
   0  46696 radeon_fence_default_wait:return 
   0    333                  fence:wait_done fence=ffff9db1da6eb408 ret=-99
   0  15768 linux_dma_fence_wait_timeout:return 
   0  15764      linux_dma_fence_wait:return 
   0  15764      linux_dma_fence_wait:return returns -99
   0  28131      uvmfault_update_stats:entry 
   0  28132     uvmfault_update_stats:return 
   0  15753        linux_dma_fence_put:entry 
   0  15754       linux_dma_fence_put:return 
   0  16990         mutex_vector_enter:entry 
   0  16991        mutex_vector_enter:return 
   0  26789    ttm_bo_move_to_lru_tail:entry 
   0  50808        ttm_bo_del_from_lru:entry 
   0  50809       ttm_bo_del_from_lru:return 
   0  50800      ttm_bo_add_mem_to_lru:entry 
   0  50801     ttm_bo_add_mem_to_lru:return 
   0  26790   ttm_bo_move_to_lru_tail:return 
   0  16992          mutex_vector_exit:entry 
   0  16084      linux_ww_mutex_unlock:entry 
   0  16990         mutex_vector_enter:entry 
   0  16991        mutex_vector_enter:return 
   0  16992          mutex_vector_exit:entry 
   0  26806          ttm_bo_uvm_fault:return 
   0  26806          ttm_bo_uvm_fault:return returns 14

 (trapsignal:entry follows and X terminates)

From: Rhialto <rhialto@falu.nl>
To: gnats-bugs@netbsd.org, matthew green <mrg@eterna23.net>
Cc: xsrc-manager@netbsd.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org,
	Rhialto <rhialto@falu.nl>
Subject: Re: xsrc/58133: X server crashes; radeon 5450; modesetting
Date: Sat, 18 May 2024 20:51:14 +0200

 I tried adding more tracing to my dtrace script, but this seemed to
 influence the crash. Probably because more trace points take more time.
 As a result, it took much longer to provoke X to crash, and when it did,
 it crashed in a different location than usual. This was even with
 ttm_bo_uvm_fault() returning 0, so it seems the crash was totally
 different and not comparable with most data gathered so far.

From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/58133 CVS commit: src/sys/external/bsd/drm2/ttm
Date: Sun, 19 May 2024 13:28:28 +0000

 Module Name:	src
 Committed By:	riastradh
 Date:		Sun May 19 13:28:28 UTC 2024

 Modified Files:
 	src/sys/external/bsd/drm2/ttm: ttm_bo_vm.c

 Log Message:
 ttm: Sync ttm_bo_uvm_fault_idle better with Linux.

 PR xsrc/58133


 To generate a diff of this commit:
 cvs rdiff -u -r1.22 -r1.23 src/sys/external/bsd/drm2/ttm/ttm_bo_vm.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/58133 CVS commit: src/sys/external/bsd/drm2/ttm
Date: Sun, 19 May 2024 13:50:05 +0000

 Module Name:	src
 Committed By:	riastradh
 Date:		Sun May 19 13:50:05 UTC 2024

 Modified Files:
 	src/sys/external/bsd/drm2/ttm: ttm_bo_vm.c

 Log Message:
 ttm: Undo mistake in previous.

 PR xsrc/58133


 To generate a diff of this commit:
 cvs rdiff -u -r1.23 -r1.24 src/sys/external/bsd/drm2/ttm/ttm_bo_vm.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

State-Changed-From-To: open->needs-pullups
State-Changed-By: riastradh@NetBSD.org
State-Changed-When: Mon, 20 May 2024 01:13:37 +0000
State-Changed-Why:
needs pullup-10, probably not worth pullup-9
rest of ttm fault routine might need more syncing too


State-Changed-From-To: needs-pullups->closed
State-Changed-By: riastradh@NetBSD.org
State-Changed-When: Wed, 09 Oct 2024 00:09:58 +0000
State-Changed-Why:
fixed in HEAD, pulled up to 10, inapplicable <10
https://mail-index.netbsd.org/source-changes/2024/10/04/msg153702.html


>Unformatted:

NetBSD Home
NetBSD PR Database Search

(Contact us) $NetBSD: query-full-pr,v 1.47 2022/09/11 19:34:41 kim Exp $
$NetBSD: gnats_config.sh,v 1.9 2014/08/02 14:16:04 spz Exp $
Copyright © 1994-2024 The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.