[i945] (Needs UXA) X crashes in fbBlt() when using Sun Java Plugin 6 + firefox3.0 on Asus EEEPC 1000

Bug #337608 reported by Manoj Iyer on 2009-03-04
8
Affects Status Importance Assigned to Milestone
xf86-video-intel
Invalid
Critical
xserver-xorg-video-intel (Ubuntu)
High
Bryce Harrington
Jaunty
High
Unassigned

Bug Description

Ubuntu Jaunty Alpha 5 on Asus EEEPC 1000, Display controller: Intel Corporation Mobile 945GM/GMS/GME, 943/940GML Express Integrated Graphics Controller (rev 03).

I installed Sun Java (6) update 12 though the "install missing plugin" on firefox. I restarted firefox, and I tried to test the plugin by going to http://java.com/en/download/help/testvm.xml website on firefox. The page loaded ok, the applet seems to run fine, but when I move the scroll bar on firefox (scroll bar on the LHS of firefox), this killed X. I looked in /var/log/ log files but did not see any relevant information there. I can update the bug with more info if someone shows me where to get it from.

Apport did not report that the Xserver was terminated abruptly.

[lspci]
00:00.0 Host bridge [0600]: Intel Corporation Mobile 945GME Express Memory Controller Hub [8086:27ac] (rev 03)
 Subsystem: ASUSTeK Computer Inc. Device [1043:830f]
00:02.0 VGA compatible controller [0300]: Intel Corporation Mobile 945GME Express Integrated Graphics Controller [8086:27ae] (rev 03)
 Subsystem: ASUSTeK Computer Inc. Device [1043:830f]

[backtrace]
#0 memcpy () at ../sysdeps/i386/i686/memcpy.S:75
No locals.
#1 0xa2ab12e0 in ?? ()
No symbol table info available.
#2 0xb7870583 in fbBltStip (src=0xa2a9c038, srcStride=1024, srcX=5440,
    dst=0x9404258, dstStride=85, dstX=0, width=2720, height=46, alu=3,
    pm=4294967295, bpp=32) at ../../fb/fbblt.c:944
No locals.
#3 0xb7875868 in fbGetImage (pDrawable=0x9102088, x=170, y=554, w=85, h=46,
    format=2, planeMask=4294967295, d=0x9404258 "") at ../../fb/fbimage.c:332
 pm = 4294967295
 src = (FbBits *) 0xa28a3038
 srcStride = 1024
 srcBpp = 155213372
 srcXoff = 0
 srcYoff = -49
 dstStride = -1565846816
#4 0xb78557f2 in exaGetImage (pDrawable=0x9102088, x=<value optimized out>,
    y=<value optimized out>, w=<value optimized out>, h=<value optimized out>,
    format=2, planeMask=4294967295, d=0x9404258 "")
    at ../../exa/exa_accel.c:1228
 pixmaps = {{as_dst = 0, as_src = 1, pPix = 0xa28a3008,
    pReg = 0xbf9e5318}}
---Type <return> to continue, or q <return> to quit---
 Reg = {extents = {x1 = 422, y1 = 505, x2 = 507, y2 = 551}, data = 0x0}
 pPix = (PixmapPtr) 0x0
 xoff = <value optimized out>
 yoff = <value optimized out>
 ok = <value optimized out>

Manoj Iyer (manjo) wrote :

Observed the same bug with EEEPC 900, with Intel Corp Mobile 915GM/PM/GMS/910GML express graphics controller.

Bryce Harrington (bryce) wrote :

Please collect a full backtrace - see http://wiki.ubuntu.com/X/Backtracing for directions.

Changed in xorg:
status: New → Incomplete
Manoj Iyer (manjo) wrote :

I updated Jaunty before collecting the backtrace, (7:35 cdt Fri March 13th).

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb7a856d0 (LWP 4449)]
0xb7d12896 in memcpy () from /lib/tls/i686/cmov/libc.so.6
(gdb) backtrace full
#0 0xb7d12896 in memcpy () from /lib/tls/i686/cmov/libc.so.6
No symbol table info available.
#1 0xa30fd350 in ?? ()
No symbol table info available.
#2 0xb7881583 in fbBltStip () from /usr/lib/xorg/modules//libfb.so
No symbol table info available.
#3 0xb7886868 in fbGetImage () from /usr/lib/xorg/modules//libfb.so
No symbol table info available.
#4 0xb78667f2 in exaGetImage () from /usr/lib/xorg/modules//libexa.so
No symbol table info available.
#5 0x08124665 in ?? ()
No symbol table info available.
#6 0x08155b8b in ?? ()
No symbol table info available.
#7 0x08156730 in ?? ()
No symbol table info available.
#8 0x0808d5af in Dispatch ()
No symbol table info available.
#9 0x0807231d in main ()
No symbol table info available.
(gdb)

Manoj Iyer (manjo) wrote :
Download full text (5.6 KiB)

(gdb) info all-registers
eax 0x0 0
ecx 0x5a 90
edx 0x38 56
ebx 0xb788fff4 -1215758348
esp 0xbfef8708 0xbfef8708
ebp 0xbfef8818 0xbfef8818
esi 0xa30fd350 -1559243952
edi 0xa3583d58 -1554498216
eip 0xb7d12896 0xb7d12896 <memcpy+70>
eflags 0x13246 [ PF ZF IF #12 #13 RF ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
st0 -inf (raw 0xffff0000000000000000)
st1 -inf (raw 0xffff0000000000000000)
st2 -inf (raw 0xffff0000000000000000)
st3 -inf (raw 0xffff0000000000000000)
st4 -inf (raw 0xffff0000000000000000)
st5 -inf (raw 0xffff0000000000000000)
st6 1 (raw 0x3fff8000000000000000)
st7 0 (raw 0x00000000000000000000)
fctrl 0x37f 895
fstat 0x20 32
ftag 0xffff 65535
fiseg 0x73 115
fioff 0xb79b2fcf -1214566449
foseg 0x7b 123
fooff 0xbfef85e0 -1074821664
fop 0x19d 413
xmm0 {v4_float = {0x0, 0x0, 0x0, 0x1}, v2_double = {0x0, 0x0},
  v16_int8 = {0x0, 0x0, 0x0, 0x3f, 0x0, 0x0, 0xfc, 0x33, 0x94, 0xaa, 0x62,
    0x3f, 0x3a, 0xcd, 0x93, 0x3f}, v8_int16 = {0x0, 0x3f00, 0x0, 0x33fc,
    0xaa94, 0x3f62, 0xcd3a, 0x3f93}, v4_int32 = {0x3f000000, 0x33fc0000,
    0x3f62aa94, 0x3f93cd3a}, v2_int64 = {0x33fc00003f000000,
    0x3f93cd3a3f62aa94}, uint128 = 0x3f93cd3a3f62aa9433fc00003f000000}
xmm1 {v4_float = {0x200, 0xfffffed4, 0x0, 0x1}, v2_double = {
    0xfa7fffef00000000, 0x0}, v16_int8 = {0x0, 0x0, 0x0, 0x44, 0x0, 0x0, 0x96,
    0xc3, 0x0, 0x0, 0x0, 0x3f, 0x0, 0x0, 0x80, 0x3f}, v8_int16 = {0x0, 0x4400,
    0x0, 0xc396, 0x0, 0x3f00, 0x0, 0x3f80}, v4_int32 = {0x44000000,
    0xc3960000, 0x3f000000, 0x3f800000}, v2_int64 = {0xc396000044000000,
    0x3f8000003f000000}, uint128 = 0x3f8000003f000000c396000044000000}
xmm2 {v4_float = {0x200, 0x12c, 0x0, 0x0}, v2_double = {
    0x580001100000000, 0x0}, v16_int8 = {0x0, 0x0, 0x0, 0x44, 0x0, 0x0, 0x96,
    0x43, 0x0, 0x0, 0x0, 0x3f, 0x0, 0x0, 0x0, 0x0}, v8_int16 = {0x0, 0x4400,
    0x0, 0x4396, 0x0, 0x3f00, 0x0, 0x0}, v4_int32 = {0x44000000, 0x43960000,
    0x3f000000, 0x0}, v2_int64 = {0x4396000044000000, 0x3f000000},
  uint128 = 0x000000003f0000004396000044000000}
xmm3 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
  v16_int8 = {0xd7, 0xb3, 0x5d, 0xbf, 0xd7, 0xb3, 0x5d, 0x3f, 0x25, 0xe5,
    0x2a, 0x3f, 0xd7, 0xb3, 0x5d, 0x3f}, v8_int16 = {0xb3d7, 0xbf5d, 0xb3d7,
    0x3f5d, 0xe525, 0x3f2a, 0xb3d7, 0x3f5d}, v4_int32 = {0xbf5db3d7,
    0x3f5db3d7, 0x3f2ae525, 0x3f5db3d7}, v2_int64 = {0x3f5db3d7bf5db3d7,
    0x3f5db3d73f2ae525}, uint128 = 0x3f5db3d73f2ae5253f5db3d7bf5db3d7}
xmm4 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
  v16_int8 = {0x13, 0x35, 0x57, 0x3f, 0xb3, 0x50, 0x45, 0xbf, 0x25, 0xe5,
    0x2a, 0x3f, 0xd7, 0xb3, 0x5d, 0x3f}, v8_int16 = {0x3513, 0x3f57, 0x50b3,
    0xbf45, 0xe525, 0x3f2a, 0xb3d7, 0x3f5d}, v4_int32 = {0x3f573513,
    0xbf4550b3, 0x3f2ae525, 0x3f5db3d7}...

Read more...

Bryce Harrington (bryce) wrote :

Hi Manoj,

Unfortunately it looks like you're still missing debug symbols. Make sure to get a full backtrace with symbols installed

Manoj Iyer (manjo) wrote :

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb7a746d0 (LWP 3178)]
memcpy () at ../sysdeps/i386/i686/memcpy.S:75
75 ../sysdeps/i386/i686/memcpy.S: No such file or directory.
 in ../sysdeps/i386/i686/memcpy.S
Current language: auto; currently asm
(gdb) backtrace full
#0 memcpy () at ../sysdeps/i386/i686/memcpy.S:75
No locals.
#1 0xa2ab12e0 in ?? ()
No symbol table info available.
#2 0xb7870583 in fbBltStip (src=0xa2a9c038, srcStride=1024, srcX=5440,
    dst=0x9404258, dstStride=85, dstX=0, width=2720, height=46, alu=3,
    pm=4294967295, bpp=32) at ../../fb/fbblt.c:944
No locals.
#3 0xb7875868 in fbGetImage (pDrawable=0x9102088, x=170, y=554, w=85, h=46,
    format=2, planeMask=4294967295, d=0x9404258 "") at ../../fb/fbimage.c:332
 pm = 4294967295
 src = (FbBits *) 0xa28a3038
 srcStride = 1024
 srcBpp = 155213372
 srcXoff = 0
 srcYoff = -49
 dstStride = -1565846816
#4 0xb78557f2 in exaGetImage (pDrawable=0x9102088, x=<value optimized out>,
    y=<value optimized out>, w=<value optimized out>, h=<value optimized out>,
    format=2, planeMask=4294967295, d=0x9404258 "")
    at ../../exa/exa_accel.c:1228
 pixmaps = {{as_dst = 0, as_src = 1, pPix = 0xa28a3008,
    pReg = 0xbf9e5318}}
---Type <return> to continue, or q <return> to quit---
 Reg = {extents = {x1 = 422, y1 = 505, x2 = 507, y2 = 551}, data = 0x0}
 pPix = (PixmapPtr) 0x0
 xoff = <value optimized out>
 yoff = <value optimized out>
 ok = <value optimized out>
#5 0x08124665 in miSpriteGetImage (pDrawable=0x9102088, sx=40, sy=172, w=85,
    h=46, format=2, planemask=4294967295, pdstLine=0x9404258 "")
    at ../../mi/misprite.c:354
 pScreen = (ScreenPtr) 0x87d4b40
 pDev = (DeviceIntPtr) 0x0
 pCursorInfo = (miCursorInfoPtr) 0x55
#6 0x0808b48b in ProcGetImage (client=0x91a4b48) at ../../dix/dispatch.c:2041
No locals.
#7 0x0808d5af in Dispatch () at ../../dix/dispatch.c:437
 result = <value optimized out>
 client = (ClientPtr) 0x91a4b48
 nready = 0
 start_tick = 8480
#8 0x0807231d in main (argc=10, argv=0xbf9e5574, envp=Cannot access memory at address 0x5d
)
    at ../../dix/main.c:397
 i = <value optimized out>
 alwaysCheckForInput = {0, 1}
(gdb)

Bryce Harrington (bryce) wrote :

  #2 0xb7870583 in fbBltStip (src=0xa2a9c038, srcStride=1024, srcX=5440,
    dst=0x9404258, dstStride=85, dstX=0, width=2720, height=46, alu=3,
    pm=4294967295, bpp=32) at ../../fb/fbblt.c:944

Seems to correspond to:

        fbBlt ((FbBits *) src, FbStipStrideToBitsStride (srcStride),
               srcX,
               (FbBits *) dst, FbStipStrideToBitsStride (dstStride),
               dstX,
               width, height,
               alu, pm, bpp, FALSE, FALSE);

This implies that this call is fbBlt:

  #1 0xa2ab12e0 in ?? ()
  No symbol table info available.

unfortunately no symbols, so can't tell what's going on there. Wonder what is going on at memcpy.S:75

Bryce Harrington (bryce) wrote :

memcpy.S:

1: pushl %eax
        movl %ecx, %eax
        shrl $2, %ecx
 andl $3, %eax
        rep

REP INSW (Repeat Input String) is a 286/386/486 class CPU
instruction which allows the PC to transfer large amounts of data using one instruction. The data is transferred at the maximum rate allowed by the bus.

So, seems to be having some trouble copying bits to the hardware.

Attach your `lspci -vvnn` and Xorg.0.log (these are both absolutely required whenever reporting X bugs btw.)

Manoj Iyer (manjo) wrote :

I wrote some stupid program like below and got similar back trace..

main()
{
        char *src = 0;
        char *dst = malloc(1024);

        memcpy(dst, src, 1024);
}

Program received signal SIGSEGV, Segmentation fault.
memcpy () at ../sysdeps/i386/i686/memcpy.S:75
75 ../sysdeps/i386/i686/memcpy.S: No such file or directory.
 in ../sysdeps/i386/i686/memcpy.S
Current language: auto; currently asm
(gdb) bt full
#0 memcpy () at ../sysdeps/i386/i686/memcpy.S:75
No locals.
#1 0x08048340 in ?? ()
No locals.
#2 0xb7df2775 in __libc_start_main (main=0x80483f4 <main>, argc=1,
    ubp_av=0xbfe6c6f4, init=0x8048450 <__libc_csu_init>,
    fini=0x8048440 <__libc_csu_fini>, rtld_fini=0xb7f5d870 <_dl_fini>,
    stack_end=0xbfe6c6ec) at libc-start.c:220
 result = <value optimized out>
 unwind_buf = {cancel_jmp_buf = {{jmp_buf = {-1208766476, 134513744,
        134513472, -1075394872, 2126369752, 226445256}, mask_was_saved = 0}},
  priv = {pad = {0x0, 0x0, 0xb7f629b0, 0xb7df269d}, data = {prev = 0x0,
      cleanup = 0x0, canceltype = -1208604240}}}
 not_first_call = <value optimized out>
#3 0x08048361 in _start () at ../sysdeps/i386/elf/start.S:119
No locals.
(gdb)
(gdb) info all-registers
eax 0x0 0
ecx 0x100 256
edx 0x8048450 134513744
ebx 0xb7f3aff4 -1208766476
esp 0xbfe6c628 0xbfe6c628
ebp 0xbfe6c658 0xbfe6c658
esi 0x0 0
edi 0x84fa008 139436040
eip 0xb7e55896 0xb7e55896 <memcpy+70>
eflags 0x210246 [ PF ZF IF RF ID ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
st0 0 (raw 0x00000000000000000000)
st1 0 (raw 0x00000000000000000000)
st2 0 (raw 0x00000000000000000000)
st3 0 (raw 0x00000000000000000000)
st4 0 (raw 0x00000000000000000000)
st5 0 (raw 0x00000000000000000000)
st6 0 (raw 0x00000000000000000000)
---Type <return> to continue, or q <return> to quit---

Manoj Iyer (manjo) wrote :
Manoj Iyer (manjo) wrote :

also...

cslumdawg@slumdawg-laptop:~$ cat /proc/cpuinfo
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 28
model name : Intel(R) Atom(TM) CPU N270 @ 1.60GHz
stepping : 2
cpu MHz : 1600.000
cache size : 32 KB
physical id : 0
siblings : 2
core id : 0
cpu cores : 1
apicid : 0
initial apicid : 0
fdiv_bug : no
hlt_bug : no
f00f_bug : no
coma_bug : no
fpu : yes
fpu_exception : yes
cpuid level : 2
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe nx constant_tsc pebs bts pni dtes64 monitor ds_cpl est tm2 ssse3 xtpr pdcm lahf_lm
bogomips : 3200.46
clflush size : 64
power management:

processor : 1
vendor_id : GenuineIntel
cpu family : 6
model : 28
model name : Intel(R) Atom(TM) CPU N270 @ 1.60GHz
stepping : 2
cpu MHz : 1600.000
cache size : 32 KB
physical id : 0
siblings : 2
core id : 0
cpu cores : 1
apicid : 1
initial apicid : 1
fdiv_bug : no
hlt_bug : no
f00f_bug : no
coma_bug : no
fpu : yes
fpu_exception : yes
cpuid level : 2
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe nx constant_tsc pebs bts pni dtes64 monitor ds_cpl est tm2 ssse3 xtpr pdcm lahf_lm
bogomips : 3223.46
clflush size : 64
power management:

slumdawg@slumdawg-laptop:~$

Bryce Harrington (bryce) wrote :

Hmm, well there's two null pointers in the stack trace...

 pPix = (PixmapPtr) 0x0

 pDev = (DeviceIntPtr) 0x0

Bryce Harrington (bryce) wrote :

I can't definitively tie either of those nulls to the affected code. However your sample code shows that a null pointer being passed into memcpy could indeed be the culprit.

If my guess that the mystery line is fbBlt(), this code seems to be doing a memcpy:

        if (!upsidedown)
            for (i = 0; i < height; i++)
                MEMCPY_WRAPPED(dst + i * dstStride, src + i * srcStride, width);
        else
            for (i = height - 1; i >= 0; i--)
                MEMCPY_WRAPPED(dst + i * dstStride, src + i * srcStride, width);

        return;

Interestingly, this was the last code change to this fbblt.c file, although you can see it was a long time ago:

commit ee02e647882a4be29e1130bd79904ee79ed6b802
Author: Aaron Plattner <email address hidden>
Date: Tue Aug 1 13:45:43 2006 -0700

    Wrap libwfb memory access.

    Use the READ and WRITE macros to wrap memory accesses that could be in video
    memory. Add MEMCPY_WRAPPED and MEMSET_WRAPPED macros to wrap memcpy and
    memset, respectively.

Hrm, this is a tough one. I think the next step is to set a breakpoint and step through the fbBlt code after triggering the error, and see where memcpy is getting the null pointer. Let me know if you'd be able/willing to do that; if not, then let's just push this bug upstream and see what they say...

Bryce Harrington (bryce) on 2009-03-17
Changed in xserver-xorg-video-intel (Ubuntu):
importance: Undecided → High
status: Incomplete → Triaged

Created an attachment (id=24018)
Xorg.0.log

Forwarding this report from Ubuntu:
https://bugs.edge.launchpad.net/ubuntu/+source/xserver-xorg-video-intel/+bug/337608

[Problem]
Sun's Java test web page causes X to crash in fbBlt apparently due to invalid memcpy().

[Original Report]
Ubuntu Jaunty Alpha 5 on Asus EEEPC 1000, Display controller: Intel Corporation Mobile 945GM/GMS/GME, 943/940GML Express Integrated Graphics Controller (rev 03).

I installed Sun Java (6) update 12 though the "install missing plugin" on firefox. I restarted firefox, and I tried to test the plugin by going to http://java.com/en/download/help/testvm.xml website on firefox. The page loaded ok, the applet seems to run fine, but when I move the scroll bar on firefox (scroll bar on the LHS of firefox), this killed X. I looked in /var/log/ log files but did not see any relevant information there. I can update the bug with more info if someone shows me where to get it from.

Apport did not report that the Xserver was terminated abruptly.

[lspci]
00:00.0 Host bridge [0600]: Intel Corporation Mobile 945GME Express Memory Controller Hub [8086:27ac] (rev 03)
 Subsystem: ASUSTeK Computer Inc. Device [1043:830f]
00:02.0 VGA compatible controller [0300]: Intel Corporation Mobile 945GME Express Integrated Graphics Controller [8086:27ae] (rev 03)
 Subsystem: ASUSTeK Computer Inc. Device [1043:830f]

[backtrace]
#0 memcpy () at ../sysdeps/i386/i686/memcpy.S:75
No locals.
#1 0xa2ab12e0 in ?? ()
No symbol table info available.
#2 0xb7870583 in fbBltStip (src=0xa2a9c038, srcStride=1024, srcX=5440,
    dst=0x9404258, dstStride=85, dstX=0, width=2720, height=46, alu=3,
    pm=4294967295, bpp=32) at ../../fb/fbblt.c:944
No locals.
#3 0xb7875868 in fbGetImage (pDrawable=0x9102088, x=170, y=554, w=85, h=46,
    format=2, planeMask=4294967295, d=0x9404258 "") at ../../fb/fbimage.c:332
 pm = 4294967295
 src = (FbBits *) 0xa28a3038
 srcStride = 1024
 srcBpp = 155213372
 srcXoff = 0
 srcYoff = -49
 dstStride = -1565846816
#4 0xb78557f2 in exaGetImage (pDrawable=0x9102088, x=<value optimized out>,
    y=<value optimized out>, w=<value optimized out>, h=<value optimized out>,
    format=2, planeMask=4294967295, d=0x9404258 "")
    at ../../exa/exa_accel.c:1228
 pixmaps = {{as_dst = 0, as_src = 1, pPix = 0xa28a3008,
    pReg = 0xbf9e5318}}
---Type <return> to continue, or q <return> to quit---
 Reg = {extents = {x1 = 422, y1 = 505, x2 = 507, y2 = 551}, data = 0x0}
 pPix = (PixmapPtr) 0x0
 xoff = <value optimized out>
 yoff = <value optimized out>
 ok = <value optimized out>

If you have trouble with setting breaks on this code (the routine is called a lot), maybe pepper some fprintfs in there, sort of like I've sketched out in the attached patch.

Bryce Harrington (bryce) on 2009-03-18
description: updated

Manoj,

I've forwarded this bug upstream to http://bugs.freedesktop.org/show_bug.cgi?id=20739 - make sure you subscribe to it in case upstream has further questions or wishes you to test something.

Changed in xserver-xorg-video-intel:
status: Unknown → Confirmed
Bryce Harrington (bryce) wrote :

bug #298868 seems to be crashing in a similar spot, although the conditions and particulars of the crash are quite a bit different.

Martin Pitt (pitti) wrote :

Taking off the Jaunty RC radar, this looks more like a corner case.

Changed in xserver-xorg-video-intel (Ubuntu Jaunty):
status: Triaged → Won't Fix
Martin Pitt (pitti) on 2009-04-03
Changed in xserver-xorg-video-intel (Ubuntu Jaunty):
assignee: nobody → canonical-desktop-team
status: Won't Fix → Triaged

bryce - as this is effects one of our target netbooks, could you see if there is at least a "bandaid" approach that could cover us for Jaunty?

Changed in xserver-xorg-video-intel (Ubuntu Jaunty):
assignee: canonical-desktop-team → bryceharrington
Bryce Harrington (bryce) wrote :

@Rick, there isn't a bandaid solution I know of at this time. I would need access to the hardware myself, or someone remotely who can test debugging patches like the one in comment #14, or advice from upstream.

Can you clarify by "target netbook" is it meant, "a netbook we are supporting as one of our customers", or "a hardware device not shipping with Ubuntu, but which we'd like to support"?

I can't reproduce this with xf86-video-intel git from today and a fairly recent 2.6.29 version of drm-intel, I'll try 2.6.1 next. This could have been fixed by one of the many fence reg related fixes that went in post 2.6.1.

Can't reproduce on 2.6.29 w/2.6.1 either, must have been a GEM fix between Jaunty's 2.6.28 and the current code... Several fencing related fixes from Chris Wilson went in after 2.6.28 came out, it would be worth trying those. But there have been a ton of changes (mostly fixes), and unless Jaunty's 2.6.28 includes GTT mapping support, the fencing fixes aren't likely to help.

Bryce, can you get Manoj to try with a newer 2D driver and/or newer kernel? I'll try grabbing Jaunty's kernel in the meantime.

Ok I finally got the Jaunty bits and saw the crash with 2.6.28-11-generic and the 2.6.1 driver, but with the latest Jaunty 2.6.3 driver things seem stable. Can you confirm that?

Target Netbook means that the Mobile team wants users to be able to install UNR on it.

Bryce Harrington (bryce) wrote :

Manoj, Jesse says he was able to reproduce this with the 2.6.1 driver but not with our current 2.6.3 driver. So I think this is solved now. Can you please confirm?

If it does still happen, can you comment on the upstream bug report? I think Jesse is waiting for word from you before proceeding.

Created an attachment (id=24678)
Manage pixmaps in the driver w/EXA

Here's a crazy patch to fix this bug. The real bug is in the server somewhere (EXA pixmap migration appears to be broken, judging by the corruption shown in the text case vs. UXA and EXA with this patch). But rather than deal with the server's EXA migration code (scary) why not just make our driver do pixmap management itself? It should avoid migration altogether but may affect performance or have other bugs... Please test.

Manoj, I built a package with this patch and stuck it in my ppa, if you want to use a deb for this.
(I had to modify the patch slightly to apply to Ubuntu).

I was able to recreate the problem with 2.6.3-0ubuntu8 driver & latest jaunty kernel.

Manoj Iyer (manjo) wrote :

 ii xserver-xorg-video-intel 2:2.6.3-0ubuntu8
 00:02.1 Display controller: Intel Corporation Mobile 945GM/GMS/GME, 943/940GML Express Integrated Graphics Controller (rev 03)

Bryce Harrington (bryce) on 2009-04-09
Changed in xserver-xorg-video-intel (Ubuntu Jaunty):
status: Triaged → In Progress

(In reply to comment #4)
> Here's a crazy patch to fix this bug. The real bug is in the server somewhere
> (EXA pixmap migration appears to be broken, judging by the corruption shown in
> the text case vs. UXA and EXA with this patch). But rather than deal with the
> server's EXA migration code (scary) why not just make our driver do pixmap
> management itself?

The reported crash is not likely to be directly related to EXA migration, as that doesn't have any impact on the size of memory mappings.

So while I very much like this patch (I wish this approach had been taken in the first place rather than the whole UXA silliness...), I'm afraid it can only solve the problem indirectly. (Not to mention it won't help people without a kernel memory manager)

Yeah, I think the corruption I saw is due to migration code (or more specifically the dirty update stuff), but the crash must be due to either an unmap happing at the wrong time or the mapping size changing like you say. If you have a driver that doesn't manage pixmaps it's pretty easy to see the corruption with the default migration scheme (always I think?) at the Java test page referenced in this bug.

I'd like to solve the problem properly as well, but I'll have to dig through the EXA code a lot more (I haven't looked at the migration or sys vs offscreen mapping code much at all).

Manoj, there is a patch (and debs with the patch) waiting for you to test, on the upstream bug.

(In reply to comment #7)
> Yeah, I think the corruption I saw is due to migration code (or more
> specifically the dirty update stuff), but the crash must be due to either an
> unmap happing at the wrong time or the mapping size changing like you say. If
> you have a driver that doesn't manage pixmaps it's pretty easy to see the
> corruption with the default migration scheme (always I think?) at the Java test
> page referenced in this bug.

Does

    Option "EXAOptimizeMigration" "off"

work around the corruption? Also I'm having a hard time reproducing reports of problems with that option enabled with xserver master, can you reproduce it with that?

> I'd like to solve the problem properly as well, but I'll have to dig through
> the EXA code a lot more (I haven't looked at the migration or sys vs offscreen
> mapping code much at all).

It's not clear to me at this point it's an EXA bug at all... some values in the backtrace look way off, but the trace may just be inaccurate, or even if not the question is which layer would be responsible for sanitizing them.

Manoj, we need you to test upstream's patch and give feedback. I packaged the patch and put it in my ppa a while ago; I've now moved it into a separate ppa since I need my main ppa for working on other bugs:

  https://edge.launchpad.net/~bryceharrington/+archive/blue

They have also suggested an alternate workaround, setting this in the Device section of your xorg.conf, that you should test as well:

  Option "EXAOptimizeMigration" "off"

Bryce Harrington (bryce) wrote :

Manoj, ping?

I am wondering if your lack of response can be taken as an indication that you don't feel strongly that this bug must be solved in Jaunty?

Seems the same to what happens to me, although the linked applet does not seem to crash here.
see https://bugs.launchpad.net/ubuntu/+source/xserver-xorg-video-intel/+bug/324998

Can you try if the program attached in the comment crashes X? (It does on my laptop)
https://bugs.launchpad.net/ubuntu/+source/xserver-xorg-video-intel/+bug/324998/comments/3

Bryce Harrington (bryce) wrote :

Dropping targeting and assignment due to lack of reply on the fix proposed upstream.

Changed in xserver-xorg-video-intel (Ubuntu Jaunty):
assignee: Bryce Harrington (bryceharrington) → nobody
status: In Progress → Won't Fix

Haven't heard from the reporter in awhile, but:
  - there's a patch available that "fixes" this for me, distros can pick it up if
    desired
  - EXA is no longer in the driver and UXA doesn't have this bug afaict
so I'm going to mark this invalid.

Changed in xserver-xorg-video-intel:
status: Confirmed → Invalid
Bryce Harrington (bryce) on 2009-05-05
summary: - [i945] X crashes in fbBlt() when using Sun Java Plugin 6 + firefox3.0 on
- Asus EEEPC 1000
+ [i945] (Needs UXA) X crashes in fbBlt() when using Sun Java Plugin 6 +
+ firefox3.0 on Asus EEEPC 1000
Bryce Harrington (bryce) on 2009-05-06
tags: added: crash
holodad (holodad-aol) wrote :

Hello

I have a dell D630 with 00:02.0 VGA compatible controller: Intel Corporation Mobile GM965/GL960 Integrated Graphics Controller (rev 0c)

I have this problem since Gutsy and now, with Jaunty 2.6.28-12-generic
The X server crashes when i use in combination:
- Java-jre1.6
- Compiz Fusion with the SVN branch or ppa.

When i use this two application specially when i start lauching a Java app with jre, X crashes.
The problem disappears when i disable compiz.

I tried many things without any good results.
I'am currently testing Bryce debs.
I will update asap.
Cheers

holodad (holodad-aol) wrote :

Hello

Have the same issue with Bryce Debs.
I'm not testing the Option "EXAOptimizeMigration" "off" in xorg.conf.
I'll update asap
Cheers

holodad (holodad-aol) wrote :

Hi

Unfortunately, it's the same issue with the "EXAOptimizeMigration" "off option in xorg.
It seems that DRI2 is causing the issue via UXA accel. I will now test in EXA and update
The error message i get in Xorg.log is:
dme

chocobanana (sergioc) wrote :

Same issue here with a stock Ubuntu 9.04.

X Server crashes and restarts when starting certain (and plenty) Java applets inside Firefox.

I also have the same problem with two Qt4 apps: Scribus NG and Fontmatrix. Here it is more difficult to tell when does the problem occur exactly, it happens randomly during usage.

Specs are:
- Ubuntu 9.04
- Ati x600 64mb (no fglrx, of course)
- Sun Java 6

Like others have said, the problem only manifests when desktop effects are enabled.

Let me know if you need more info.

On Sun, May 10, 2009 at 09:43:37AM -0000, chocobanana wrote:
> Same issue here with a stock Ubuntu 9.04.
>
> X Server crashes and restarts when starting certain (and plenty) Java
> applets inside Firefox.
>
> I also have the same problem with two Qt4 apps: Scribus NG and
> Fontmatrix. Here it is more difficult to tell when does the problem
> occur exactly, it happens randomly during usage.
>
> Specs are:
> - Ubuntu 9.04
> - Ati x600 64mb (no fglrx, of course)
> - Sun Java 6
>
> Like others have said, the problem only manifests when desktop effects
> are enabled.
>
> Let me know if you need more info.

Does the issue go away if you downgrade Qt to the earlier version?
I heard there were some bugs with the new Qt in jaunty that could
cause problems with X.

Bryce

chocobanana (sergioc) wrote :

If I use Scribus 1.3.3 (QT3) I have no issues. With Scribus NG or 1.3.5 (QT4) the issue occurs. It also happens with Java applets which is what the original bug filing is about.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xserver-xorg-video-intel - 2:2.7.99.1+git20090602.ec2fde7c-0ubuntu1

---------------
xserver-xorg-video-intel (2:2.7.99.1+git20090602.ec2fde7c-0ubuntu1) karmic; urgency=low

  * Update to git 20090602 (master branch) up to commit ec2fde7c
    - xvmc is disabled since DRI1 no longer supported
    - LP: #96991 - 3D stuff breaks with Compiz: Redirected Direct Rendering
      is needed in DRI
    - LP: #120834 - X freezes with I830WaitLpRing error when running OpenGL apps
    - LP: #337608 - X crashes in fbBlt() when using Sun Java Plugin 6 + firefox3.0
    - LP: #339555 - compiz slowmotion after Jaunty upgrade
    - LP: #363900 - X.org freezes with intel driver, no apparent trigger
    - LP: #331719 - VT switching doesn't work on Intel 915GM
    - LP: #339091 - X freezes a few minutes after resuming
    - LP: #348436 - Kubuntu: X server crash when screensaver is started (4500MHD)
    - LP: #279727 - Kubuntu: Display Corruption w/ Intel 4700MHD
    - LP: #357851 - Kubuntu: Distorted display after switching virtual desktops w/ exa
    - LP: #158415 - Front buffer dynamic resize not supported
    - LP: #324998 - x server restarts itself w/ compiz on Intel 945GM
    - LP: #355593 - after upgrade to 9.04, rotating desktop cube ran slow
    - LP: #357290 - 1 fps in 3d apps like neverball with EXA
    - LP: #360774 - Graphical Corruption with EXA on X4500
    - LP: #364126 - screensaver prefs dialog in 9.04 RC livecd leaves dirt
    - LP: #375712 - Native resolution for dell "2005fpw" monitor not listed
    - LP: #375264 - Choppy flash video and poor performance with compiz
    - LP: #349568 - Jaunty / Compiz slow and tearing on GMA 4500MHD
    - LP: #356056 - window tearing during movement on 965 (no compiz)
    - LP: #330460 - xorg shows black image/hangs with jpg in firefox
    - LP: #347587 - X asserts on pI830->batch_ptr != 0 on resume from suspend
  * Merge with Debian experimental. Remaining Ubuntu changes:
    - Add lpia architecture
    - Re-enable the patch system, add quilt to build-deps.
    - 110_quirk_hp_mini.patch: quirk (sent upstream)
    - 117_quirk_thinkpad_x30.patch: quirk (sent upstream)
  * Drop 116_8xx_disable_dri.patch. There have been fixes for 3d on 8xx
    chipsets upstream, so drop the DRI disablement so the fixes can be
    re-tested.
  * Drop 103_quirk_intel_mb890.patch. Better quirk available upstream.
    (LP: #305269)

 -- Bryce Harrington <email address hidden> Tue, 02 Jun 2009 10:47:32 -0700

Changed in xserver-xorg-video-intel (Ubuntu):
status: In Progress → Fix Released
chocobanana (sergioc) wrote :

Since that was fixed with a new Intel driver, how about users of the open source Ati driver? Open new bug report?

On Wed, Jun 03, 2009 at 06:22:09AM -0000, chocobanana wrote:
> Since that was fixed with a new Intel driver, how about users of the
> open source Ati driver? Open new bug report?

Yes, thanks

Changed in xserver-xorg-video-intel:
importance: Unknown → Critical
Changed in xserver-xorg-video-intel:
importance: Critical → Unknown
Changed in xserver-xorg-video-intel:
importance: Unknown → Critical
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.