compiz crashed with SIGSEGV in _mesa_generate_mipmap()

Bug #710108 reported by Jean-Baptiste Lallement
This bug affects 4 people
Affects: Mesa; Status: Won't Fix; Importance: Medium
Affects: mesa (Ubuntu); Status: Fix Released; Importance: High; Assigned to: Unassigned

Bug Description

Binary package hint: compiz

Fresh installation of Natty with the Alternate Network install.

Compiz crashes when pressing ALT+Tab.
Same crash with Unity or classic desktop.

#0 0x00007f584fc550ab in ?? () from /usr/lib/dri/libdricore.so
#1 0x00007f584fc5672f in ?? () from /usr/lib/dri/libdricore.so
#2 0x00007f584fc5b6d7 in _mesa_generate_mipmap () from /usr/lib/dri/libdricore.so
#3 0x00007f585420be7d in radeonGenerateMipmap () from /usr/lib/dri/r600_dri.so
#4 0x00007f584fc40b57 in _mesa_GenerateMipmapEXT () from /usr/lib/dri/libdricore.so
#5 0x00007f5854add608 in GLTexture::enable(GLTexture::Filter) () from /usr/lib/compiz/libopengl.so
#6 0x00007f5854add6d4 in TfpTexture::enable(GLTexture::Filter) () from /usr/lib/compiz/libopengl.so
#7 0x00007f5854ad5c97 in GLWindow::glDrawTexture(GLTexture*, GLFragment::Attrib&, unsigned int) () from /usr/lib/compiz/libopengl.so
#8 0x00007f5854ad6c51 in GLWindow::glDraw(GLMatrix const&, GLFragment::Attrib&, CompRegion const&, unsigned int) () from /usr/lib/compiz/libopengl.so
#9 0x00007f584e2a0d85 in DecorWindow::glDraw(GLMatrix const&, GLFragment::Attrib&, CompRegion const&, unsigned int) () from /usr/lib/compiz/libdecor.so
#10 0x00007f5854ad6a10 in GLWindow::glDraw(GLMatrix const&, GLFragment::Attrib&, CompRegion const&, unsigned int) () from /usr/lib/compiz/libopengl.so
#11 0x00007f584a106388 in UnityWindow::glDraw(GLMatrix const&, GLFragment::Attrib&, CompRegion const&, unsigned int) () from /usr/lib/compiz/libunityshell.so
#12 0x00007f5854ad6a10 in GLWindow::glDraw(GLMatrix const&, GLFragment::Attrib&, CompRegion const&, unsigned int) () from /usr/lib/compiz/libopengl.so
#13 0x00007f584cd2ae46 in BaseSwitchWindow::paintThumb(GLWindowPaintAttrib const&, GLMatrix const&, unsigned int, int, int, int, int, int, int) () from /usr/lib/compiz/libcompiztoolbox.so
#14 0x00007f584abd2cc3 in StaticSwitchWindow::paintThumb(GLWindowPaintAttrib const&, GLMatrix const&, unsigned int, int, int) () from /usr/lib/compiz/libstaticswitcher.so
#15 0x00007f584abd2fba in StaticSwitchWindow::glPaint(GLWindowPaintAttrib const&, GLMatrix const&, CompRegion const&, unsigned int) () from /usr/lib/compiz/libstaticswitcher.so
#16 0x00007f5854ad6860 in GLWindow::glPaint(GLWindowPaintAttrib const&, GLMatrix const&, CompRegion const&, unsigned int) () from /usr/lib/compiz/libopengl.so
#17 0x00007f584a79cb25 in FadeWindow::glPaint(GLWindowPaintAttrib const&, GLMatrix const&, CompRegion const&, unsigned int) () from /usr/lib/compiz/libfade.so
#18 0x00007f5854ad6860 in GLWindow::glPaint(GLWindowPaintAttrib const&, GLMatrix const&, CompRegion const&, unsigned int) () from /usr/lib/compiz/libopengl.so
#19 0x00007f584abd3789 in StaticSwitchScreen::glPaintOutput(GLScreenPaintAttrib const&, GLMatrix const&, CompRegion const&, CompOutput*, unsigned int) () from /usr/lib/compiz/libstaticswitcher.so
#20 0x00007f5854ad753d in GLScreen::glPaintOutput(GLScreenPaintAttrib const&, GLMatrix const&, CompRegion const&, CompOutput*, unsigned int) () from /usr/lib/compiz/libopengl.so
#21 0x00007f584a104bdf in UnityScreen::glPaintOutput(GLScreenPaintAttrib const&, GLMatrix const&, CompRegion const&, CompOutput*, unsigned int) () from /usr/lib/compiz/libunityshell.so
#22 0x00007f5854ad753d in GLScreen::glPaintOutput(GLScreenPaintAttrib const&, GLMatrix const&, CompRegion const&, CompOutput*, unsigned int) () from /usr/lib/compiz/libopengl.so
#23 0x00007f5854ad8fbd in PrivateGLScreen::paintOutputs(std::list<CompOutput*, std::allocator<CompOutput*> >&, unsigned int, CompRegion const&) () from /usr/lib/compiz/libopengl.so
#24 0x00007f58550ff569 in CompositeScreen::paint(std::list<CompOutput*, std::allocator<CompOutput*> >&, unsigned int) () from /usr/lib/compiz/libcomposite.so
#25 0x00007f5855101380 in CompositeScreen::handlePaintTimeout() () from /usr/lib/compiz/libcomposite.so

ProblemType: Crash
DistroRelease: Ubuntu 11.04
Package: compiz-core 1:0.9.2.1+glibmainloop4-0ubuntu7
ProcVersionSignature: Ubuntu 2.6.38-1.28-generic 2.6.38-rc2
Uname: Linux 2.6.38-1-generic x86_64
Architecture: amd64
CompisitorRunning: None
CompizPlugins: No value set for `/apps/compiz-1/general/allscreens/options/active_plugins'
CrashCounter: 1
DRM.card0.DP.1:
 status: disconnected
 enabled: disabled
 dpms: On
 modes:
 edid-base64:
DRM.card0.HDMI.A.1:
 status: disconnected
 enabled: disabled
 dpms: On
 modes:
 edid-base64:
Date: Sun Jan 30 12:05:38 2011
DistUpgraded: Fresh install
DistroCodename: natty
DistroVariant: ubuntu
ExecutablePath: /usr/bin/compiz
GraphicsCard: Subsystem: PC Partner Limited Device [174b:1482]
MachineType: Gigabyte Technology Co., Ltd. GA-890GPA-UD3H
ProcCmdline: compiz
ProcEnviron:
 LANGUAGE=en_US:en
 LANG=en_US.UTF-8
 LC_MESSAGES=en_US.utf8
 SHELL=/bin/bash
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-2.6.38-1-generic root=UUID=30fc9e49-b3c8-4ea6-aec8-d504895ea7eb ro quiet splash vt.handoff=7
Renderer: Hardware acceleration
SegvAnalysis:
 Segfault happened at: 0x7f584fc550ab: movzbl (%r9),%r10d
 PC (0x7f584fc550ab) ok
 source "(%r9)" (0x00000000) not located in a known VMA region (needed readable region)!
 destination "%r10d" ok
SegvReason: reading NULL VMA
Signal: 11
SourcePackage: compiz
StacktraceTop:
 ?? () from /usr/lib/dri/libdricore.so
 ?? () from /usr/lib/dri/libdricore.so
 _mesa_generate_mipmap () from /usr/lib/dri/libdricore.so
 radeonGenerateMipmap () from /usr/lib/dri/r600_dri.so
 _mesa_GenerateMipmapEXT () from /usr/lib/dri/libdricore.so
Title: compiz crashed with SIGSEGV in _mesa_generate_mipmap()
UnitySupportTest:

UserGroups: adm admin cdrom dialout lpadmin plugdev sambashare
XsessionErrors:
 (nautilus:2729): GConf-CRITICAL **: gconf_value_free: assertion `value != NULL' failed
 (nm-applet:2738): Gdk-CRITICAL **: IA__gdk_window_thaw_toplevel_updates_libgtk_only: assertion `private->update_and_descendants_freeze_count > 0' failed
dmi.bios.date: 07/23/2010
dmi.bios.vendor: Award Software International, Inc.
dmi.bios.version: FD
dmi.board.name: GA-890GPA-UD3H
dmi.board.vendor: Gigabyte Technology Co., Ltd.
dmi.board.version: x.x
dmi.chassis.type: 3
dmi.chassis.vendor: Gigabyte Technology Co., Ltd.
dmi.modalias: dmi:bvnAwardSoftwareInternational,Inc.:bvrFD:bd07/23/2010:svnGigabyteTechnologyCo.,Ltd.:pnGA-890GPA-UD3H:pvr:rvnGigabyteTechnologyCo.,Ltd.:rnGA-890GPA-UD3H:rvrx.x:cvnGigabyteTechnologyCo.,Ltd.:ct3:cvr:
dmi.product.name: GA-890GPA-UD3H
dmi.sys.vendor: Gigabyte Technology Co., Ltd.
version.libdrm2: libdrm2 2.4.23-1ubuntu3
version.libgl1-mesa-glx: libgl1-mesa-glx 7.10-1ubuntu1
version.xserver-xorg: xserver-xorg 1:7.5+6ubuntu8
version.xserver-xorg-video-ati: xserver-xorg-video-ati 1:6.13.2+git20110124.fadee040-0ubuntu1
version.xserver-xorg-video-intel: xserver-xorg-video-intel 2:2.14.0-1ubuntu2
version.xserver-xorg-video-nouveau: xserver-xorg-video-nouveau 1:0.0.16+git20110107+b795ca6e-0ubuntu1

Revision history for this message
In , Chris Halse Rogers (raof) wrote :

Created attachment 40939
gdb session log of crash with backtrace.

Triggering the window switcher with mipmapping enabled in Compiz 0.9.2 results in a segfault in the mipmap generation code on r600c (but not r600g), apparently because the driver private data for the texture is not initialised.

Bottom of the backtrace inline, full backtrace attached:

Program received signal SIGSEGV, Segmentation fault.
0x00007f7b76eed81b in do_row (datatype=<value optimised out>, comps=<value optimised out>, srcWidth=<value optimised out>, srcRowA=0x0, srcRowB=0xe40,
    dstWidth=<value optimised out>, dstRow=0x35ffe00) at main/mipmap.c:171
        in main/mipmap.c
(gdb) bt full
#0 0x00007f7b76eed81b in do_row (datatype=<value optimised out>, comps=<value optimised out>, srcWidth=<value optimised out>, srcRowA=0x0,
    srcRowB=0xe40, dstWidth=<value optimised out>, dstRow=0x35ffe00) at main/mipmap.c:171
        i = <value optimised out>
        k = <value optimised out>
        rowB = 0xe40
        dst = 0x35ffe00
        j = <value optimised out>
        rowA = 0x0
        k0 = 1
        colStride = 2
#1 0x00007f7b76eeee9f in make_2d_mipmap (datatype=5121, comps=3, border=0, srcWidth=1214, srcHeight=1000, srcPtr=0x0, srcRowStride=1216,
    dstWidth=607, dstHeight=500, dstPtr=0x35ffe00 "\340\271T\003", dstRowStride=607) at main/mipmap.c:1192
        bpt = 3
        srcWidthNB = 1214
        dstWidthNB = 607
        dstHeightNB = 500
        srcRowBytes = <value optimised out>
        dstRowBytes = 1821
        srcA = <value optimised out>
        srcB = <value optimised out>
        dst = <value optimised out>
        row = <value optimised out>
        srcRowStep = <value optimised out>
        __PRETTY_FUNCTION__ = "make_2d_mipmap"
#2 0x00007f7b76ef3e61 in _mesa_generate_mipmap (ctx=0x1585520, target=3553, texObj=0x1ed6300) at main/mipmap.c:1825
        srcImage = 0x1e186e0
        srcHeight = 1000
        srcDepth = 1
        dstWidth = 607
        dstHeight = 500
        border = 0
        dstImage = 0x3405cf0
        srcWidth = 1214
        dstDepth = 1
        srcImage = <value optimised out>
        convertFormat = MESA_FORMAT_RGB888
        srcData = 0x0
        dstData = 0x35ffe00 "\340\271T\003"
        level = 0
        maxLevels = 15
        datatype = 5121
        comps = 3
        __PRETTY_FUNCTION__ = "_mesa_generate_mipmap"
#3 0x00007f7b76eacc3d in radeon_generate_mipmap (ctx=0x1585520, target=<value optimised out>, texObj=0x1ed6300) at radeon_texture.c:256
        i = <value optimised out>
        nr_faces = 1
        face = <value optimised out>
#4 radeonGenerateMipmap (ctx=0x1585520, target=<value optimised out>, texObj=0x1ed6300) at radeon_texture.c:299
        rmesa = <value optimised out>
        bo = <value optimised out>
        face = <value optimised out>
        baseimage = 0x1e186e0
        __func__ = "radeonGenerateMipmap"
#5 0x00007f7b76ede567 in _mesa_GenerateMipmapEXT (target=3553) at main/fbobject.c:2177
        texObj = 0x1ed6300
        ctx = 0x1585520
#6 0x00007f7b77a52b88 in GLTexture::enable (this=0x1e1e250, filter=<value optimised out>)
    at /build/buildd/compiz-0.9.2.1+glibmainloop2/plugins/opengl/src/textu...


Revision history for this message
In , agd5f (agd5f) wrote :

Should be fixed in:
fd543e1f9506fe41e6e9e78aebbe0bca01df055c

Revision history for this message
In , Chris Halse Rogers (raof) wrote :

This is not fixed in mesa up to commit 05e534e6, which includes fd543e1f. The backtrace remains the same.

Revision history for this message
In , Idr (idr) wrote :

This looks a lot like bug #32096. Different driver, but the end of the backtrace (from _mesa_generate_mipmap to the segfault) is the same.

Revision history for this message
Jean-Baptiste Lallement (jibel) wrote :
tags: added: compiz-0.9
Revision history for this message
Timo Witte (spacefish) wrote :

Same problem here; it happens after the update to 2.6.38, currently using the radeon driver, used fglrx before. Maybe this is a problem with the composite things in the driver? Not compiz?

affects: compiz (Ubuntu) → mesa (Ubuntu)
Revision history for this message
Bryce Harrington (bryce) wrote :

Are you able to reproduce this issue easily? If so, please collect a full backtrace - see http://wiki.ubuntu.com/X/Backtracing for directions. If not, could you describe the conditions under which the crash tends to occur?

description: updated
Changed in mesa (Ubuntu):
importance: Undecided → High
status: New → Incomplete
Revision history for this message
In , Bryce Harrington (bryce) wrote :

Created attachment 43410
0001-Check-for-null-pointer-in-mipmap-image-data.patch

It looks to me like this occurs when the calling application passes in a mipmap that has undefined image data (e.g. priv->target->Image[0][0]->Data == NULL in this case).

For the case where _mesa_is_format_compressed() is true, there is an ASSERT to catch that this is undefined, but there is no such check for the false case.

The attached patch adds such a check (a problem message rather than an assertion, though). Possibly it should be using _mesa_error() or perhaps an assert; I'm not certain.
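
An added illustration of the check discussed in this comment (not Mesa's code and not the attached patch): a simplified RGB888 box-filter downsample that rejects a missing source image before any row pointer is computed. The function names and status codes are hypothetical, and the sketch handles only even dimensions with no border.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical status codes for this sketch; not Mesa's error API. */
enum mip_status { MIP_OK = 0, MIP_ERR_NO_DATA = -1, MIP_ERR_BAD_SIZE = -2 };

/* 2x2 box filter: average two RGB888 source rows into one destination row. */
static void halve_row_rgb888(const uint8_t *row_a, const uint8_t *row_b,
                             int dst_w, uint8_t *dst)
{
    for (int x = 0; x < dst_w; x++)
        for (int c = 0; c < 3; c++) {
            unsigned sum = row_a[6 * x + c] + row_a[6 * x + 3 + c]
                         + row_b[6 * x + c] + row_b[6 * x + 3 + c];
            dst[3 * x + c] = (uint8_t)((sum + 2) / 4); /* rounded average */
        }
}

/* Build the next mip level. Strides are in texels; sizes must be even. */
enum mip_status next_level_rgb888(const uint8_t *src, int src_w, int src_h,
                                  int src_stride, uint8_t *dst, int dst_stride)
{
    /* Check the base pointers BEFORE any row arithmetic. In the backtrace,
     * srcPtr was 0x0 and srcRowB 0xe40 (1216 * 3): a row address derived
     * from NULL is no longer NULL, so later checks cannot catch it. */
    if (src == NULL || dst == NULL)
        return MIP_ERR_NO_DATA;
    if (src_w < 2 || src_h < 2 || (src_w & 1) || (src_h & 1) ||
        src_stride < src_w || dst_stride < src_w / 2)
        return MIP_ERR_BAD_SIZE;
    for (int y = 0; y < src_h / 2; y++) {
        const uint8_t *a = src + (size_t)(2 * y) * src_stride * 3;
        halve_row_rgb888(a, a + (size_t)src_stride * 3, src_w / 2,
                         dst + (size_t)y * dst_stride * 3);
    }
    return MIP_OK;
}

/* Constructed sample: a 2x2 texture; pass have_data = 0 for the NULL case. */
int demo(int have_data)
{
    const uint8_t src[12] = { 0, 0, 0,  4, 8, 12,  8, 16, 24,  4, 8, 12 };
    uint8_t dst[3] = { 0 };
    enum mip_status st = next_level_rgb888(have_data ? src : NULL, 2, 2, 2, dst, 1);
    return st != MIP_OK ? (int)st : (dst[0] << 16) | (dst[1] << 8) | dst[2];
}
```

Returning a status lets the caller skip mipmap generation for a texture with no storage instead of faulting inside the row filter.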

Revision history for this message
Bryce Harrington (bryce) wrote :

I've reproduced this by holding alt+tab down for a moment with unity. Seems to be the upstream bug which I've attached.

Looks like compiz is passing in an invalid mipmap texture.

            (*GL::generateMipmap) (priv->target);

should probably add a check prior to that, like:

            ASSERT(priv->target->Image[0][0]->Data != NULL);

Changed in mesa:
importance: Unknown → Medium
status: Unknown → Confirmed
Revision history for this message
Bryce Harrington (bryce) wrote :

I wonder if this has anything to do with the caveat warning in "Automatic mipmap generation" at http://www.opengl.org/wiki/Common_Mistakes

Changed in mesa (Ubuntu):
status: Incomplete → In Progress
Revision history for this message
Bryce Harrington (bryce) wrote :

Confirmed as fixed with latest mesa + xserver + -ati.

This was a bug in the old r600 driver, and not present in r600g which we've upgraded Natty to today.

Changed in mesa (Ubuntu):
status: In Progress → Fix Released
Revision history for this message
In , Andreas-boll-dev (andreas-boll-dev) wrote :

Note: classic r600 driver has been abandoned.
Please use r600g (gallium driver) instead.

Is this still an issue with a newer driver/kernel?

Changed in mesa:
status: Confirmed → Incomplete
Revision history for this message
In , Andreas-boll-dev (andreas-boll-dev) wrote :

The classic r600 driver was abandoned long ago.
It was replaced by the Gallium driver r600g.

If you have issues with r600g please file a new bug report with component Drivers/Gallium/r600

Thanks.

Changed in mesa:
status: Incomplete → Won't Fix