Crash in libegl-mesa0 (eglReleaseThread)

Bug #1946621 reported by Maniraj D
This bug report is a duplicate of: Bug #1956915: New bugfix release 21.2.6.
This bug affects 2 people
Affects          Status        Importance   Assigned to     Milestone
Mesa             Unknown       Unknown
mesa (Ubuntu)    Fix Released  Undecided    Unassigned
  Focal          New           Undecided    Timo Aaltonen
  Impish         New           Undecided    Timo Aaltonen

Bug Description

Crash in libegl-mesa0 (in the eglReleaseThread API); please find the backtrace:

#0 0x0000fffff7c86ac4 in __GI___pthread_mutex_lock (mutex=mutex@entry=0x8) at pthread_mutex_lock.c:67
#1 0x0000fffff4a7d110 in mtx_lock (mtx=0x8) at ../include/c11/threads_posix.h:223
#2 eglReleaseThread () at ../src/egl/main/eglapi.c:1713
#3 0x0000fffff6c115b8 in eglReleaseThread () at /lib/aarch64-linux-gnu/libEGL.so.1
#4 0x0000fffff7fdac00 in () at /lib/ld-linux-aarch64.so.1
#5 0x0000fffff7b4284c in __run_exit_handlers
    (status=0, listp=0xfffff7c76680 <__exit_funcs>, run_list_atexit=run_list_atexit@entry=true, run_dtors=run_dtors@entry=true) at exit.c:108
#6 0x0000fffff7b429dc in __GI_exit (status=<optimized out>) at exit.c:139
#7 0x0000fffff7b2d094 in __libc_start_main (main=
    0xaaaaaaaa3530 <main>, argc=13, argv=0xfffffffff488, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=<optimized out>)
    at ../csu/libc-start.c:342
#8 0x0000aaaaaaaa4014 in _start ()

It crashes at: https://github.com/mesa3d/mesa/blob/mesa-21.0.3/src/egl/main/eglapi.c#L1713. The 'disp' pointer is NULL in this case.

Actually, nvidia's EGL backend is loaded by glvnd in this case. But glvnd's eglReleaseThread() implementation calls the eglReleaseThread() API of all the vendors; that's how it ends up calling the eglReleaseThread() API of the Mesa backend. Refer: https://github.com/NVIDIA/libglvnd/blob/master/src/EGL/libegl.c#L806

lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04.3 LTS
Release: 20.04
Codename: focal

apt-cache policy libegl-mesa0
libegl-mesa0:
  Installed: 21.0.3-0ubuntu0.3~20.04.2
  Candidate: 21.0.3-0ubuntu0.3~20.04.2
  Version table:
 *** 21.0.3-0ubuntu0.3~20.04.2 500
        500 http://ports.ubuntu.com/ubuntu-ports focal-updates/main arm64 Packages
        100 /var/lib/dpkg/status
     20.0.4-2ubuntu1 500
        500 http://ports.ubuntu.com/ubuntu-ports focal/main arm64 Packages

Revision history for this message
Maniraj D (manirajd) wrote :

The crash happens only when calling eglReleaseThread() from a destructor of the process. Please find the attached simple app, which can be used to repro the issue.

With valgrind, I see there is some invalid memory access during the eglReleaseThread() call. Find the logs below:

==5059== Invalid read of size 8
==5059== at 0x70480EC: eglReleaseThread (eglapi.c:1706)
==5059== by 0x48825B7: eglReleaseThread (in /usr/lib/aarch64-linux-gnu/libEGL.so.1.1.0)
==5059== by 0x1089FB: deinit (in /home/ubuntu/egl_sample/egl_sample)
==5059== by 0x400EBFF: _dl_fini (dl-fini.c:138)
==5059== by 0x48DC84B: __run_exit_handlers (exit.c:108)
==5059== by 0x48DC9DB: exit (exit.c:139)
==5059== by 0x48C7093: (below main) (libc-start.c:342)
==5059== Address 0x4c6f8c8 is 8 bytes inside a block of size 48 free'd
==5059== at 0x484AF20: free (in /usr/lib/aarch64-linux-gnu/valgrind/vgpreload_memcheck-arm64-linux.so)
==5059== by 0x7051FE3: _eglDestroyThreadInfo (eglcurrent.c:134)
==5059== by 0x7051FE3: _eglFiniTSD (eglcurrent.c:76)
==5059== by 0x70539CF: _eglAtExit (eglglobals.c:112)
==5059== by 0x48DC84B: __run_exit_handlers (exit.c:108)
==5059== by 0x48DC9DB: exit (exit.c:139)
==5059== by 0x48C7093: (below main) (libc-start.c:342)

So in this case eglReleaseThread() tries to access the _EGLThreadInfo memory already freed by _eglFiniTSD()? But it is expected that a new instance of _EGLThreadInfo has to be created when eglReleaseThread() is called from the app in this case.
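The backtrace and the valgrind log above describe an exit-time ordering problem: the library's atexit handler (_eglAtExit → _eglFiniTSD) runs first and frees the per-thread record, then _dl_fini runs the application's destructor, which calls back into eglReleaseThread() while the thread-specific-data slot still points at the freed block. The following is an added C model of that sequence, not code from Mesa or from this report; the names (thread_info_t, release_thread, fini_tsd_dangling, fini_tsd_cleared, run_exit_sequence) are hypothetical, a static block with a liveness flag stands in for the heap block so the use-after-free is detected deterministically rather than by reading freed memory, and the "fixed" variant assumes the cure is to leave no dangling per-thread pointer behind after finalization (the actual change in MR 13302 is not reproduced here).

```c
/* Constructed model of the exit-time ordering behind this report.
 * All names are hypothetical; this is not Mesa's code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

typedef struct {
    void *current_context;   /* context bound on this thread, NULL if none */
} thread_info_t;

/* One static block plays the role of the 48-byte heap block valgrind reported.
 * A liveness flag replaces a real free() so that a use-after-free can be
 * reported as a return code instead of reading freed memory. */
static thread_info_t  g_block;
static bool           g_block_live;
static thread_info_t *g_tsd_slot;   /* stands in for the thread-specific-data key */
static int            g_app_context; /* constructed stand-in for a bound context */

enum { RELEASE_OK = 0, RELEASE_USE_AFTER_FREE = 1 };

/* Lazily create the per-thread record, as the library does on first use. */
thread_info_t *get_current_thread(void)
{
    if (g_tsd_slot == NULL) {
        g_block.current_context = NULL;
        g_block_live = true;
        g_tsd_slot = &g_block;
    }
    return g_tsd_slot;
}

/* atexit finalizer, dangling variant: the record is released but the slot
 * still points at it, which is the state the valgrind trace shows. */
void fini_tsd_dangling(void)
{
    g_block_live = false;
}

/* atexit finalizer, cleared variant: the slot is reset, so a later lookup
 * sees "no record" and recreates a fresh one instead of touching dead memory. */
void fini_tsd_cleared(void)
{
    g_block_live = false;
    g_tsd_slot = NULL;
}

/* eglReleaseThread-like entry point, reachable from a destructor after exit(). */
int release_thread(void)
{
    thread_info_t *t = g_tsd_slot;            /* mirrors the TSD lookup */
    if (t != NULL && !g_block_live)
        return RELEASE_USE_AFTER_FREE;        /* real code would read t->current_context here */
    if (t == NULL)
        t = get_current_thread();             /* fresh record, nothing bound */
    if (t->current_context != NULL)
        t->current_context = NULL;            /* unbind; the real code locks disp->Mutex here */
    return RELEASE_OK;
}

/* Replay the backtrace: the app binds a context, exit() runs the library's
 * atexit handler first (it was registered later than _dl_fini's), then the
 * app's destructor calls release_thread(). */
int run_exit_sequence(bool fixed)
{
    g_tsd_slot = NULL;
    g_block_live = false;
    get_current_thread()->current_context = &g_app_context;
    if (fixed)
        fini_tsd_cleared();
    else
        fini_tsd_dangling();
    return release_thread();
}

int main(void)
{
    printf("dangling slot: %d (1 = use-after-free)\n", run_exit_sequence(false));
    printf("cleared slot:  %d (0 = ok)\n", run_exit_sequence(true));
    return 0;
}
```

The model makes the two halves of the fix visible: the finalizer must not leave a thread-local pointer to freed memory, and an entry point that can legitimately run after finalization must tolerate an empty slot by recreating state rather than assuming it exists.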

Revision history for this message
Maniraj D (manirajd) wrote :

Root-caused the issue with Mesa-EGL; created a PR for the same: https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/13302

Revision history for this message
Maniraj D (manirajd) wrote :
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in mesa (Ubuntu):
status: New → Confirmed
Revision history for this message
Timo Aaltonen (tjaalton) wrote :

Fixed in 21.2.5-1, which is in jammy-proposed.

Changed in mesa (Ubuntu):
status: Confirmed → Fix Released
Changed in mesa (Ubuntu Focal):
assignee: nobody → Timo Aaltonen (tjaalton)
Changed in mesa (Ubuntu Impish):
assignee: nobody → Timo Aaltonen (tjaalton)
Revision history for this message
Maniraj D (manirajd) wrote :

Verified internally with Ubuntu 20.04.4 + libegl-mesa0 version "21.2.6-0ubuntu0.1~20.04.2" and confirmed the crash issue is resolved.
