Xorg crashes when exiting steam segfault in sna_pixmap_set_dri()

Can you please "apt-get install xserver-xorg-video-intel-dbg && addr2line -e /usr/lib/xorg/modules/drivers/intel_drv.so 0xd40a1"

Great, thanks. Installed Steam to see if I can reproduce this bug. Before I knew it, it was already dawn. Yikes!

I'm still waiting upon a symbolic stacktrace.

Please collect a full backtrace on this crash - see http://wiki.ubuntu.com/X/Backtracing for guidance.

In answer to #2, from my raring chroot:

/build/buildd/xserver-xorg-video-intel-2.21.2/build/src/sna/../../../src/sna/sna_dri.c:186

Hmm, that would be sna_pixmap_set_dri() crashing on priv->gpu_bo being NULL. But I can not see a way for sna_pixmap_move_to_gpu() to not returning with priv->gpu_bo initialised (or set_dri() bailing). So I would like to see that stacktrace confirmed.

Also, it would be useful if you could retest with ppa:xorg-edgers if you can reproduce the bug. I've been working on adding more assertions to the DRI handling which flagged a few potential issues - though I can't tell if the bug you've encountered is one of those.

Can you please "apt-get install xserver-xorg-video-intel-dbg && addr2line -e /usr/lib/xorg/modules/drivers/intel_drv.so 0xd40a1"

That gives me sna_dri.c:186

I can no longer reproduce the crash. Steam was updated in the meantime so it could have been fixed (workaround?) by valve

I just got it, it's still here:

Program received signal SIGSEGV, Segmentation fault.
0x00007fa7fcea80a1 in sna_pixmap_set_dri (pixmap=0x7fa802bacbc0, sna=0x7fa800454010) at ../../../src/sna/sna_dri.c:186
186 ../../../src/sna/sna_dri.c: Nie ma takiego pliku ani katalogu.

Sadly I could not capture the traceback, perhaps lightdm/plymouth/upstart somehow kill/respawn something.

I'll try again (following X debugging guidelines)

Program received signal SIGSEGV, Segmentation fault.
0x00007f868f35c0a1 in sna_pixmap_set_dri (pixmap=0x7f8694200b20, sna=0x7f8692908010) at ../../../src/sna/sna_dri.c:186
186 ../../../src/sna/sna_dri.c: Nie ma takiego pliku ani katalogu.
(gdb) backtrace full
#0 0x00007f868f35c0a1 in sna_pixmap_set_dri (pixmap=0x7f8694200b20, sna=0x7f8692908010) at ../../../src/sna/sna_dri.c:186
        priv = 0x7f8694205160
        tiling = 1
#1 sna_dri_create_buffer (draw=<optimized out>, attachment=0, format=32) at ../../../src/sna/sna_dri.c:280
        sna = 0x7f8692908010
        buffer = <optimized out>
        pixmap = <optimized out>
        bo = <optimized out>
        flags = 1
        size = <optimized out>
        bpp = <optimized out>
#2 0x00007f8692b5ae5c in ?? ()
No symbol table info available.
#3 0x00007f8692b5b7f6 in ?? ()
No symbol table info available.
#4 0x00007f8692b5bc10 in DRI2GetBuffersWithFormat ()
No symbol table info available.
#5 0x00007f8692b5d690 in ?? ()
No symbol table info available.
#6 0x00007f8692a32a41 in ?? ()
No symbol table info available.
#7 0x00007f8692a2154a in ?? ()
No symbol table info available.
#8 0x00007f869072eea5 in __libc_start_main () from /lib/x86_64-linux-gnu/libc.so.6
No symbol table info available.
#9 0x00007f8692a21891 in _start ()
No symbol table info available.

(gdb) info locals
priv = 0x7f8694205160
tiling = 1
(gdb) print *priv
$3 = {
  pixmap = 0x7f8694200b20,
  gpu_bo = 0x0,
  cpu_bo = 0x7f8693e673a0,
  gpu_damage = 0x7f8693b996e1,
  cpu_damage = 0x0,
  ptr = 0x7f868eb58000,
  list = {
    next = 0x7f8694205190,
    prev = 0x7f8694205190
  },
  stride = 1280,
  clear_color = 0,
  flush = 1,
  source_count = 4,
  pinned = 0 '\000',
  create = 11 '\v',
  mapped = 0 '\000',
  shm = 0 '\000',
  clear = 0 '\000',
  header = 0 '\000',
  cpu = 0 '\000'
}

That explains how we got through move_to_gpu, but doesn't reveal how we set it to be NULL in the first place. Thanks.

Do you have a better idea of how to trigger it now?

I don't really know what triggers it. I tried a number of activities - launching steam and immediately exiting it (via menu, indicator, or accelerator), launching a game (I only tried uplink) and exiting. In the end I don't see a pattern. I saw crashes immediately after starting and long after keeping steam open in the background.

The only thing that I could add that is 'odd' is that I have not re-enabled workspaces after reinstalling the system from scratch.

I am almost 100% sure I have this fixed in upstream. I've been through all the places where gpu_bo/gpu_damage can become out-of-sync and validated that the checks are now inplace. If you can find the time to test with ppa:xorg-edgers (dated from today) that would be extremely useful.

Testing, I'll let you know if it crashes

It crashed again.

For reference, I've added the PPA, updated everything, logged out, checked that I don't have xorg config file (so that I keep getting sna by default).

Program received signal SIGSEGV, Segmentation fault.
0x00007f79d99ab5d0 in sna_pixmap_set_dri (pixmap=0x7f79de9d5220, sna=0x7f79dcf58010)
    at ../../../src/sna/sna_dri.c:186
186 ../../../src/sna/sna_dri.c: Nie ma takiego pliku ani katalogu.
(gdb) backtrace full
#0 0x00007f79d99ab5d0 in sna_pixmap_set_dri (pixmap=0x7f79de9d5220, sna=0x7f79dcf58010)
    at ../../../src/sna/sna_dri.c:186
        priv = 0x7f79dead6940
        tiling = -1
#1 sna_dri_create_buffer (draw=<optimized out>, attachment=0, format=32)
    at ../../../src/sna/sna_dri.c:274
        sna = 0x7f79dcf58010
        buffer = <optimized out>
        pixmap = <optimized out>
        bo = <optimized out>
        flags = 1
        size = <optimized out>
        bpp = <optimized out>
#2 0x00007f79dd1aae5c in ?? ()
No symbol table info available.
#3 0x00007f79dd1ab7f6 in ?? ()
No symbol table info available.
#4 0x00007f79dd1abc10 in DRI2GetBuffersWithFormat ()
No symbol table info available.
#5 0x00007f79dd1ad690 in ?? ()
No symbol table info available.
#6 0x00007f79dd082a41 in ?? ()
No symbol table info available.
#7 0x00007f79dd07154a in ?? ()
No symbol table info available.
#8 0x00007f79dad7eea5 in __libc_start_main () from /lib/x86_64-linux-gnu/libc.so.6
No symbol table info available.
#9 0x00007f79dd071891 in _start ()
No symbol table info available.
(gdb)

The gdb session is still active, ask for more data if you want

Frustating. Can I ask you to build from scratch with debugging enabled:

# sudo apt-get build-dep xserver-xorg-video-intel
# git clone git://anongit.freedesktop.org/xorg/driver/xf86-video-intel
# cd xf86-video-intel
# ./autogen.sh --prefix=/usr --with-default-accel=sna --enable-debug
# make && sudo make install

That will (temporarily) replace your intel_drv.so with assertions enabled. It is likely to crash much earlier - hopefully closer to the actual culprit.

Whilst you have the gdb, p *priv again.

(gdb) p *priv
$2 = {
  pixmap = 0x7f79de9d5220,
  gpu_bo = 0x0,
  cpu_bo = 0x7f79dead4330,
  gpu_damage = 0x7f79de849421,
  cpu_damage = 0x0,
  ptr = 0x7f79d6499000,
  list = {
    next = 0x7f79dead6970,
    prev = 0x7f79dead6970
  },
  stride = 1280,
  clear_color = 0,
  source_count = 4,
  pinned = 0 '\000',
  create = 11 '\v',
  mapped = 0 '\000',
  flush = 0 '\000',
  shm = 0 '\000',
  clear = 0 '\000',
  header = 0 '\000',
  cpu = 0 '\000'
}

I'll build the tree and get back to you

Ok, built and ready, trying to get it to crash again

Nothing, is there a chance it got fixed along the way? Do you want me to try bisecting things?

I'd give it a bit of time before declaring success. Since you've reported the issue I have been trying to add some paranoia to that layer and harden it, which is why I was optimist I had fixed something. Can you tell me the package name you installed from xorg-edgers, so that I can check to see what changes had been made since?

I didn't install any package, just updated all my packages which included xserver-xorg-video-intel. The version apt reports is 2:2.21.2+git20130213.9861423a-0ubuntu0sarvatt. This is an upgrade from 2:2.21.2-0ubuntu0

Thanks, that suggests

commit 1f16d854264ea923303b79379266bd789fd9dd4d
Author: Chris Wilson <email address hidden>
Date: Mon Feb 18 14:30:55 2013 +0000

    sna/dri: Prevent swapping a decoupled DRI2Buffer

    If the DRI2Buffer is no longer valid for the Drawable, for example the
    window had just been reparent, just complete the swap without triggering
    any assertions.

as being the most likely fix. Doesn't quite fit the symptoms though, so I'm still worried there is another bug lurking. :|

I can revert that and test if it exposes the issue.

That was quick. I didn't have to exit steam though, just launch it:

Program received signal SIGABRT, Aborted.
0x00007ff335664037 in raise () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) bt
#0 0x00007ff335664037 in raise () from /lib/x86_64-linux-gnu/libc.so.6
#1 0x00007ff335667698 in abort () from /lib/x86_64-linux-gnu/libc.so.6
#2 0x00007ff33565ce03 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#3 0x00007ff33565ceb2 in __assert_fail () from /lib/x86_64-linux-gnu/libc.so.6
#4 0x00007ff33426d164 in sna_dri_schedule_swap (client=0x7ff339c4bab0, draw=0x7ff33a09b140,
    front=0x7ff339cb1100, back=0x7ff339b97700, target_msc=0x7fffa3cb6a28, divisor=0, remainder=0,
    func=0x7ff337a7cef0, data=0x7ff33a09b140) at sna_dri.c:2140
#5 0x00007ff337a7c224 in DRI2SwapBuffers ()
#6 0x00007ff337a7d3b4 in ?? ()
#7 0x00007ff337952a41 in ?? ()
#8 0x00007ff33794154a in ?? ()
#9 0x00007ff33564eea5 in __libc_start_main () from /lib/x86_64-linux-gnu/libc.so.6
#10 0x00007ff337941891 in _start ()
(gdb) git backtrace
Undefined command: "git". Try "help".
(gdb) backtrace full
#0 0x00007ff335664037 in raise () from /lib/x86_64-linux-gnu/libc.so.6
No symbol table info available.
#1 0x00007ff335667698 in abort () from /lib/x86_64-linux-gnu/libc.so.6
No symbol table info available.
#2 0x00007ff33565ce03 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
No symbol table info available.
#3 0x00007ff33565ceb2 in __assert_fail () from /lib/x86_64-linux-gnu/libc.so.6
No symbol table info available.
#4 0x00007ff33426d164 in sna_dri_schedule_swap (client=0x7ff339c4bab0, draw=0x7ff33a09b140,
    front=0x7ff339cb1100, back=0x7ff339b97700, target_msc=0x7fffa3cb6a28, divisor=0, remainder=0,
    func=0x7ff337a7cef0, data=0x7ff33a09b140) at sna_dri.c:2140
        screen = <optimized out>
        scrn = <optimized out>
        sna = 0x7ff337828010
        vbl = {request = {
            type = (DRM_VBLANK_HIGH_CRTC_MASK | DRM_VBLANK_EVENT | DRM_VBLANK_NEXTONMISS | DRM_VBLANK_SECONDARY | unknown: 58884096), sequence = 32755, signal = 140682528728598}, reply = {
            type = (DRM_VBLANK_HIGH_CRTC_MASK | DRM_VBLANK_EVENT | DRM_VBLANK_NEXTONMISS | DRM_VBLANK_SECONDARY | unknown: 58884096), sequence = 32755, tval_sec = 140682528728598,
            tval_usec = 4230521311723520}}
        pipe = <optimized out>
        info = 0x0
        current_msc = 8
        __PRETTY_FUNCTION__ = "sna_dri_schedule_swap"
#5 0x00007ff337a7c224 in DRI2SwapBuffers ()
No symbol table info available.
#6 0x00007ff337a7d3b4 in ?? ()
No symbol table info available.
#7 0x00007ff337952a41 in ?? ()
No symbol table info available.
#8 0x00007ff33794154a in ?? ()
No symbol table info available.
#9 0x00007ff33564eea5 in __libc_start_main () from /lib/x86_64-linux-gnu/libc.so.6
No symbol table info available.
#10 0x00007ff337941891 in _start ()
No symbol table info available.

That's one of the assertions recently added to track down an issue whereby the flushing flag on the pixmap and the GPU bo became inconsistent - and yes the patch you reverted was a direct consequence. ;-)

Can you keep running master with assertions enabled and let me know if it crashes?

Ok, I'll undo the revert and keep pushing it