Ubuntu

compiz crashes when using alt-tab (the radeon driver kills it)

Reported by David Barth on 2010-12-17
16
This bug affects 3 people
Affects Status Importance Assigned to Milestone
Mesa
Fix Released
High
Unity
Undecided
Unassigned
compiz (Fedora)
Unknown
Unknown
compiz (Ubuntu)
Undecided
Unassigned
mesa (Ubuntu)
Undecided
Unassigned
xserver-xorg-video-ati (Ubuntu)
Undecided
Unassigned

Bug Description

Binary package hint: compiz

While alt-tabbing with compiz (latest version, 1:0.9.2.1+glibmainloop3-0ubuntu4), i got this crasher.

I've noticed crashers like this for a while since i switched over to natty, but most of the time i was getting traces that were mostly "stack smashers" according to smspillaz.

Withi this one, i think i've put the finger on a more probable cause for the crasher. See stacktrace at http://pastebin.ubuntu.com/544957/ an excerpt of which being:

b#0 0x00fc230b in radeon_r300_winsys_buffer_from_handle () from /usr/lib/dri/r300_dri.so
(gdb) bt
#0 0x00fc230b in radeon_r300_winsys_buffer_from_handle () from /usr/lib/dri/r300_dri.so
#1 0x00fd272f in r300_texture_from_handle () from /usr/lib/dri/r300_dri.so
#2 0x00fdd2b4 in r300_resource_from_handle () from /usr/lib/dri/r300_dri.so
#3 0x00fc0958 in dri2_allocate_textures () from /usr/lib/dri/r300_dri.so
#4 0x00fc1797 in dri_st_framebuffer_validate () from /usr/lib/dri/r300_dri.so
#5 0x00fc1916 in dri_set_tex_buffer2 () from /usr/lib/dri/r300_dri.so
#6 0x008fc019 in dri2_bind_tex_image () from /usr/lib/mesa/libGL.so.1
#7 0x008d3cb6 in __glXBindTexImageEXT () from /usr/lib/mesa/libGL.so.1
#8 0x006c8a8a in TfpTexture::bindPixmapToTexture(unsigned long, int, int, int) () from /usr/lib/compiz/libopengl.so
#9 0x006c5b3e in boost::detail::function::function_invoker4<GLTexture::List (*)(unsigned long, int, int, int), GLTexture::List, unsigned long, int, int, int>::invoke(boost::detail::function::function_buffer&, unsigned long, int, int, int) () from /usr/lib/compiz/libopengl.so
#10 0x006c850a in GLTexture::bindPixmapToTexture(unsigned long, int, int, int) () from /usr/lib/compiz/libopengl.so
#11 0x00c88743 in DecorTexture::DecorTexture(unsigned long) () from /usr/lib/compiz/libdecor.so
...

dbarth@thinkpad:~$ apt-cache policy libgl1-mesa-dri
libgl1-mesa-dri:
  Installed: 7.9+repack-1ubuntu3
  Candidate: 7.9+repack-1ubuntu3
  Version table:
 *** 7.9+repack-1ubuntu3 0
        500 http://archive.ubuntu.com/ubuntu/ natty/main i386 Packages
        100 /var/lib/dpkg/status

To reproduce: alt-tab, and sometimes that will crash

mipmap was enabled, though i've had identical crashers when it was disabled as well.
---
Architecture: i386
CompizPlugins: No value set for `/apps/compiz-1/general/allscreens/options/active_plugins'
CompositorRunning: compiz
DRM.card0.LVDS.1:
 status: connected
 enabled: enabled
 dpms: On
 modes: 1400x1050 1400x1050 1280x1024 1280x1024 1280x960 1280x854 1280x800 1280x720 1152x768 1024x768 1024x768 800x600 800x600 848x480 720x480 640x480 640x480
 edid-base64: AP///////wAwriJAAAAAAAAPAQOAHBV46q9AlVZKjyUgUFQhCACBgAEBAQEBAQEBAQEBAQEBMCp4IFEaEEAwcBMAHdYQAAAZJSN4IFEaEEAwcBMAHdYQAAAZAAAADwCQQzKQQygPAQAJ5QAAAAAA/gBIVDE0UDEyLTEwMAogAD8=
DRM.card0.VGA.1:
 status: disconnected
 enabled: disabled
 dpms: On
 modes:
 edid-base64:
DistUpgraded: Yes, recently upgraded Log time: 2010-11-25 10:04:35.555639
DistroCodename: natty
DistroRelease: Ubuntu 11.04
DistroVariant: ubuntu
GraphicsCard: Subsystem: Lenovo ThinkPad T60p [17aa:2007]
MachineType: LENOVO 200783U
Package: mesa (not installed)
PackageArchitecture: all
PccardctlIdent:
 Socket 0:
   no product info available
PccardctlStatus:
 Socket 0:
   no card
PciDisplay: 01:00.0 VGA compatible controller [0300]: ATI Technologies Inc M56GL [Mobility FireGL V5200] [1002:71c4] (prog-if 00 [VGA controller])
ProcEnviron:
 LANGUAGE=en_US.UTF-8:en
 PATH=(custom, user)
 LANG=en_US.UTF-8
 LC_MESSAGES=en_AG.utf8
 SHELL=/bin/bash
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-2.6.37-11-generic root=UUID=d71a3bd3-9679-4649-b4ac-ce425d0e5bed ro vt.handoff=7 quiet splash bootchart=disable
ProcKernelCmdLine_: BOOT_IMAGE=/boot/vmlinuz-2.6.37-11-generic root=UUID=d71a3bd3-9679-4649-b4ac-ce425d0e5bed ro vt.handoff=7 quiet splash bootchart=disable
ProcVersionSignature: Ubuntu 2.6.37-11.25-generic 2.6.37-rc7
ProcVersionSignature_: Ubuntu 2.6.37-11.25-generic 2.6.37-rc7
RelatedPackageVersions:
 xserver-xorg 1:7.5+6ubuntu6
 libgl1-mesa-glx 7.9+repack-1ubuntu3
 libdrm2 2.4.22-2ubuntu1
 xserver-xorg-video-intel 2:2.13.901-2ubuntu2
 xserver-xorg-video-ati 1:6.13.2-1ubuntu2
Renderer: Hardware acceleration
Tags: natty running-unity natty running-unity natty ubuntu
Uname: Linux 2.6.37-11-generic i686
UnitySupportTest:

UserGroups: adm admin cdrom dialout lpadmin plugdev sambashare
XorgConf: Error: [Errno 2] No such file or directory: '/etc/X11/xorg.conf'
dmi.bios.date: 09/12/2008
dmi.bios.vendor: LENOVO
dmi.bios.version: 79ETE3WW (2.23 )
dmi.board.name: 200783U
dmi.board.vendor: LENOVO
dmi.board.version: Not Available
dmi.chassis.asset.tag: No Asset Information
dmi.chassis.type: 10
dmi.chassis.vendor: LENOVO
dmi.chassis.version: Not Available
dmi.modalias: dmi:bvnLENOVO:bvr79ETE3WW(2.23):bd09/12/2008:svnLENOVO:pn200783U:pvrThinkPadT60p:rvnLENOVO:rn200783U:rvrNotAvailable:cvnLENOVO:ct10:cvrNotAvailable:
dmi.product.name: 200783U
dmi.product.version: ThinkPad T60p
dmi.sys.vendor: LENOVO
system: distro = Ubuntu, architecture = i686, kernel = 2.6.37-11-generic
version.libdrm2: libdrm2 2.4.22-2ubuntu1
version.libgl1-mesa-glx: libgl1-mesa-glx 7.9+repack-1ubuntu3
version.xserver-xorg: xserver-xorg 1:7.5+6ubuntu6
version.xserver-xorg-video-ati: xserver-xorg-video-ati 1:6.13.2-1ubuntu2
version.xserver-xorg-video-intel: xserver-xorg-video-intel 2:2.13.901-2ubuntu2
version.xserver-xorg-video-nouveau: xserver-xorg-video-nouveau 1:0.0.16+git20100805+b96170a-0ubuntu1

Related branches

Bryce Harrington (bryce) wrote :

Please run 'apport-collect 691653', so that it captures your X logs and pci ids and so on.

Also, collect another backtrace using 'bt full' in gdb. That should list out line numbers for the GL calls.

Offhand I wonder if this might be an r300 vs. r300g issue...

tags: added: natty
Changed in mesa (Ubuntu):
status: New → Incomplete

apport information

tags: added: apport-collected running-unity ubuntu
description: updated

apport information

apport information

apport information

apport information

apport information

apport information

apport information

apport information

apport information

apport information

apport information

apport information

apport information

apport information

apport information

apport information

apport information

apport information

apport information

apport information

apport information

apport information

apport information

apport information

apport information

apport information

apport information

apport information

apport information

David Barth (dbarth) wrote :

I can't get a full trace again, and i don't have the last core handy. I'll keep trying today.

Bryce Harrington (bryce) wrote :

This appears to be a more complete backtrace, found via Google:
https://bugzilla.redhat.com/attachment.cgi?id=464327

Bryce Harrington (bryce) wrote :

Ok, that backtrace makes it pretty plain what's gone wrong:

Code:
    _buf = radeon_drm_bufmgr_create_buffer_from_handle(ws->kman, whandle->handle);

    if (stride)
        *stride = whandle->stride;
    if (size)
        *size = _buf->base.size;

State:
 #0 radeon_r300_winsys_buffer_from_handle (rws=<value optimized out>, whandle=0x7fffe69964b0, stride=0x7fffe69963f4, size=0x7fffe69963f0) at radeon_r300.c:123
         ws = <value optimized out>
         _buf = 0x0

So, it's a simple null pointer dereference. Now we have two questions:

* How/why did radeon_drm_bufmgr_create_buffer_from_handle() give us a null pointer?
* If that is a permissible return value, the code should check for it. Should it still call radeon_libdrm_winsys_buffer() in this case, or just return?

Bryce Harrington (bryce) wrote :

Well, this is a pretty simpleminded check, but it looks like it might prevent it from crashing at least.

Still doesn't answer why the null pointer got in there to begin with.

We've got a new mesa release coming soon. I poked through the git tree looking for an obvious fix for this issue but didn't spot it. Still, I think the next step would be to test a newer mesa to verify it still has this bug, and then test out if this patch solves it, or just shifts the issue to some other bit of code. (Guessing the latter).

Bryce Harrington (bryce) wrote :

Browsed through the last month's worth of changes to the 7.10 branch for mesa and didn't spot an obvious fix for this issue, however there were several buffer validation patches for radeon, so it wouldn't surprise me if the bug goes away in newer mesa.

If you'd like to test it now, you could install xorg-edgers, which has a packaged snapshot of today's mesa:

    https://edge.launchpad.net/~xorg-edgers

After testing, you can use ppa-purge to restore your system to its pre-edgers state.

Or if you'd prefer, we anticipate the 7.10 final release immanently and expect to have it in natty within the next couple weeks or so.

Bryce Harrington (bryce) on 2011-01-05
Changed in mesa (Ubuntu):
status: Incomplete → In Progress
tags: added: patch
David Barth (dbarth) wrote :

I've installed the new mesa packages from xorg-edgers but got a similar crash. Unfortunately, even with the -dbg packages installed i still wasn't able to get correct line numbers.

For reference, here is what i have installed:

dbarth@thinkpad:~$ apt-cache policy libgl1-mesa-dri libgl1-mesa-dri-dbg libgl1-mesa-glx
libgl1-mesa-glx:
  Installed: 7.10.0+git20110104.90b7a4cc-0ubuntu0sarvatt2
  Candidate: 7.10.0+git20110104.90b7a4cc-0ubuntu0sarvatt2
  Version table:
 *** 7.10.0+git20110104.90b7a4cc-0ubuntu0sarvatt2 0
        500 http://ppa.launchpad.net/xorg-edgers/ppa/ubuntu/ natty/main i386 Packages
        100 /var/lib/dpkg/status
     7.9+repack-1ubuntu3 0
        500 http://archive.ubuntu.com/ubuntu/ natty/main i386 Packages
libgl1-mesa-dri:
  Installed: 7.10.0+git20110104.90b7a4cc-0ubuntu0sarvatt2
  Candidate: 7.10.0+git20110104.90b7a4cc-0ubuntu0sarvatt2
  Version table:
 *** 7.10.0+git20110104.90b7a4cc-0ubuntu0sarvatt2 0
        500 http://ppa.launchpad.net/xorg-edgers/ppa/ubuntu/ natty/main i386 Packages
        100 /var/lib/dpkg/status
     7.9+repack-1ubuntu3 0
        500 http://archive.ubuntu.com/ubuntu/ natty/main i386 Packages
libgl1-mesa-dri-dbg:
  Installed: 7.10.0+git20110104.90b7a4cc-0ubuntu0sarvatt2
  Candidate: 7.10.0+git20110104.90b7a4cc-0ubuntu0sarvatt2
  Version table:
 *** 7.10.0+git20110104.90b7a4cc-0ubuntu0sarvatt2 0
        500 http://ppa.launchpad.net/xorg-edgers/ppa/ubuntu/ natty/main i386 Packages
        100 /var/lib/dpkg/status
     7.9+repack-1ubuntu3 0
        500 http://archive.ubuntu.com/ubuntu/ natty/main i386 Packages

David Barth (dbarth) wrote :

And so the band aid nullptr patch sounds like a good option to me ;)

David Barth (dbarth) wrote :

Not a Unity issue anyway, it's a dri driver crashing us.

Changed in unity:
status: New → Invalid
David Barth (dbarth) wrote :

Not compiz's fault either, though we're all affected.

Changed in compiz (Ubuntu):
status: New → Invalid
tags: added: driver unity
David Barth (dbarth) wrote :

Just adding ubuntu/xorg per the workflow defined with Bryce.

bugbot (bugbot) on 2011-01-06
affects: xorg (Ubuntu) → xserver-xorg-video-ati (Ubuntu)
Bryce Harrington (bryce) wrote :

Actually since it's already targeted to mesa, which is an xorg subcomponent, no need to also target xorg or -ati. It's on our radar.

Changed in xserver-xorg-video-ati (Ubuntu):
status: New → Invalid
Bryce Harrington (bryce) wrote :

David, thanks for testing xorg edgers. How's testing of the patch going?

If you need need the patch built into a package, I've stuck it in a PPA for you:
https://launchpad.net/~bryce/+archive/bug691653

It usually takes several hours for mesa builds to complete in the PPAs, so check back later.

On 01/06/2011 09:43 PM, Bryce Harrington wrote:
> David, thanks for testing xorg edgers. How's testing of the patch
> going?
>
> If you need need the patch built into a package, I've stuck it in a PPA for you:
> https://launchpad.net/~bryce/+archive/bug691653
>
> It usually takes several hours for mesa builds to complete in the PPAs,
> so check back later.
Awesome, thanks! I've switched the glx and dri packages to those new
builds (along with the dbg ones). So far so good...

David

Bryce Harrington (bryce) wrote :

Heya David, how's the testing coming along? If you have the laptop here at the rally bring it by the desktop room and I can take a look at it directly for you.

Bryce Harrington (bryce) wrote :

RAOF suggests that re-running the current updates to xorg-edgers (which has a new mesa 7.10) it should still crash but in a different way (in the mipmap code, which will be bug #684745 / FDO #32246).

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mesa - 7.9+repack-1ubuntu4

---------------
mesa (7.9+repack-1ubuntu4) natty; urgency=low

  * debian/patches/winsys_buffer_nullptr.patch: Null pointer check for
    winsys buffer.
    (LP: #691653)
 -- Bryce Harrington <email address hidden> Thu, 06 Jan 2011 14:44:43 -0800

Changed in mesa (Ubuntu):
status: In Progress → Fix Released
Bryce Harrington (bryce) wrote :

I spoke with David in person yesterday and he indicated that after updating to my patched version of mesa, he has no longer seen the crash in several days. So I think we can consider that patch to be a fix for this issue for now. I'll forward this upstream as well.

Bryce Harrington (bryce) on 2011-01-12
Changed in xserver-xorg-video-ati (Ubuntu):
status: Invalid → New
Bryce Harrington (bryce) wrote :

I've uploaded the patch to upstream:

  https://bugs.freedesktop.org//show_bug.cgi?id=33036

Possibly upstream will prefer fixing this bug some other way, but I think the null pointer check makes the most sense for now.

Bryce Harrington (bryce) on 2011-01-12
Changed in xserver-xorg-video-ati (Ubuntu):
status: New → Fix Released
Changed in mesa:
status: Unknown → Confirmed
Changed in mesa:
importance: Unknown → High
Changed in mesa:
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.