xsrc/49835: xf86-video-intel crashes Xorg server trying to access unmapped GEM page

To: xsrc-manager%netbsd.org@localhost,gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost
Subject: xsrc/49835: xf86-video-intel crashes Xorg server trying to access unmapped GEM page
From: tnn%nygren.pp.se@localhost
Date: Sun, 12 Apr 2015 17:10:01 +0000 (UTC)

>Number:         49835
>Category:       xsrc
>Synopsis:       xf86-video-intel crashes Xorg server trying to access unmapped GEM page
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    xsrc-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Apr 12 17:10:00 +0000 2015
>Originator:     Tobias Nygren
>Release:        NetBSD
>Organization:
>Environment:
NetBSD x201i 7.99.9 NetBSD 7.99.9 (GENERIC.x201i) #0: Sun Apr 12 15:25:01 CEST 2015
>Description:
(Please assign this to riastradh@ as requested.)

Program received signal SIGSEGV, Segmentation fault.
0x00007f7ff37297d0 in emit_primitive_identity_mask__sse4_2 (
    sna=0x7f7ff7bad000, op=0x7f7fffffcae0, r=0x7f7fffffcac0)
    at gen4_vertex.c:1362
1362            v[7] = v[3] = (msk_y + h) * op->mask.scale[1];
(gdb)
#0  0x00007f7ff37297d0 in emit_primitive_identity_mask__sse4_2 (
    sna=0x7f7ff7bad000, op=0x7f7fffffcae0, r=0x7f7fffffcac0)
    at gen4_vertex.c:1362
#1  0x00007f7ff37333f9 in gen5_render_composite_blt (sna=0x7f7ff7bad000,
    op=0x7f7fffffcae0, r=0x7f7fffffcac0) at gen5_render.c:1123
#2  0x00007f7ff36b5e66 in glyphs0_to_dst (sna=0x7f7ff7bad000, op=3 '\003',
    src=0x7f7ff53ade00, dst=0x7f7ff4fb4b00, src_x=0, src_y=0, nlist=1,
    list=0x7f7fffffd6c0, glyphs=0x7f7fffffcfd8) at sna_glyphs.c:906
#3  0x00007f7ff36b8b03 in sna_glyphs (op=3 '\003', src=0x7f7ff53ade00,
    dst=0x7f7ff4fb4b00, mask=0x0, src_x=153, src_y=44, nlist=2,
    list=0x7f7fffffd6c0, glyphs=0x7f7fffffcec0) at sna_glyphs.c:1998
#4  0x0000000000568ea8 in damageGlyphs (op=3 '\003', pSrc=0x7f7ff53ade00,
    pDst=0x7f7ff4fb4b00, maskFormat=0x0, xSrc=153, ySrc=44, nlist=2,
    list=0x7f7fffffd6c0, glyphs=0x7f7fffffcec0) at damage.c:568
#5  0x000000000054f939 in CompositeGlyphs (op=3 '\003', pSrc=0x7f7ff53ade00,
    pDst=0x7f7ff4fb4b00, maskFormat=0x0, xSrc=153, ySrc=44, nlist=2,
    lists=0x7f7fffffd6c0, glyphs=0x7f7fffffcec0) at glyph.c:558
#6  0x000000000055a6a9 in ProcRenderCompositeGlyphs (client=0x7f7ff639e580)
    at render.c:1390
#7  0x000000000055c1a5 in ProcRenderDispatch (client=0x7f7ff639e580)
    at render.c:1989
#8  0x000000000043397e in Dispatch () at dispatch.c:432
#9  0x0000000000441b26 in dix_main (argc=4, argv=0x7f7fffffdc90,
    envp=0x7f7fffffdcb8) at main.c:298
#10 0x00000000004243a8 in main (argc=4, argv=0x7f7fffffdc90,
    envp=0x7f7fffffdcb8) at stubmain.c:34
Dump of assembler code for function emit_primitive_identity_mask__sse4_2:
1362            v[7] = v[3] = (msk_y + h) * op->mask.scale[1];
   0x00007f7ff372979a <+412>:   mov    -0x18(%rbp),%rax
   0x00007f7ff372979e <+416>:   lea    0x1c(%rax),%rcx
   0x00007f7ff37297a2 <+420>:   mov    -0x18(%rbp),%rax
   0x00007f7ff37297a6 <+424>:   lea    0xc(%rax),%rdx
   0x00007f7ff37297aa <+428>:   mov    -0x8(%rbp),%eax
   0x00007f7ff37297ad <+431>:   movd   %eax,%xmm0
   0x00007f7ff37297b1 <+435>:   addss  -0x10(%rbp),%xmm0
   0x00007f7ff37297b6 <+440>:   mov    -0x30(%rbp),%rax
   0x00007f7ff37297ba <+444>:   mov    0xf0(%rax),%eax
   0x00007f7ff37297c0 <+450>:   movd   %eax,%xmm2
   0x00007f7ff37297c4 <+454>:   mulss  %xmm0,%xmm2
   0x00007f7ff37297c8 <+458>:   movd   %xmm2,%eax
   0x00007f7ff37297cc <+462>:   mov    %eax,(%rdx)
   0x00007f7ff37297ce <+464>:   mov    (%rdx),%eax
=> 0x00007f7ff37297d0 <+466>:   mov    %eax,(%rcx)
(gdb) info registers
rax            0x3df20000       1039269888
rbx            0x7f7fffffffe0   140187732541408
rcx            0x7f7ff66b100c   140187571785740

Note that we crashed when assigning v[7]. The vertex
assigned to before that is v[2].
With rcx = ...b100c it means we crashed when
access to sna->render.vertices crossed a page boundary.
This seems to always be the case in this crash.
(Nothing seems to be mapped there?)

>How-To-Repeat:
Install:
pkgsrc/wip/MesaLib
pkgsrc/wip/modular-xorg-server
pkgsrc/wip/xf86-video-intel

On a Thinkpad x201i with intel Iron Lake chipset.

Compile with CONFIGURE_ARGS+=--enable-debug, CFLAGS+=-g -ggdb -O0, INSTALL_UNSTRIPPED=yes.

(this is just what I happen to use now, I'm fairly sure it crashed the same with old server versions as well.)

To trigger the bug I browse to reddit.com in Firefox and scroll the page up and down rapidly a few times.
>Fix:
unknown

Prev by Date: Re: bin/29225 (cpio -pdm does not work)
Next by Date: Re: xsrc/49835 (xf86-video-intel crashes Xorg server trying to access unmapped GEM page)
Previous by Thread: Re: bin/29225 (cpio -pdm does not work)
Next by Thread: Re: xsrc/49835 (xf86-video-intel crashes Xorg server trying to access unmapped GEM page)
Indexes:

Home | Main Index | Thread Index | Old Index