https://bugs.freedesktop.org/show_bug.cgi?id=29901
Summary: [r300g] Programs crash with segfault Product: Mesa Version: git Platform: x86-64 (AMD64) OS/Version: Linux (All) Status: NEW Severity: major Priority: medium Component: Drivers/DRI/r300 AssignedTo: dri-devel@lists.freedesktop.org ReportedBy: ncl@privat.dk
In the last week a lot of my program crash with a segfault (OpenSceneGraph, Blender 2.5.3, Make Human etc.). Other program with gallium works ok. They all crash the same way and here are my (gdb) bt:
Program received signal SIGSEGV, Segmentation fault.
#0 0x00007fffe52fd130 in r300_emit_aos_swtcl (r300=0xfceb40, indexed=0 '\000') at r300_emit.c:847 #1 0x00007fffe52fec13 in r300_render_draw_arrays (render=0xb01750, start=<value optimised out>, count=4) at r300_render.c:834 #2 0x00007fffe54bb52b in draw_pt_emit_linear (emit=<value optimised out>, vert_info=<value optimised out>, prim_info=0x7fffffff9930) at draw/draw_pt_emit.c:265 #3 0x00007fffe54ba49e in emit (middle=0xa69800, fetch_info=0x7fffffff9960, prim_info=0x7fffffff9930) at draw/draw_pt_fetch_shade_pipeline_llvm.c:200 #4 llvm_pipeline_generic (middle=0xa69800, fetch_info=0x7fffffff9960, prim_info=0x7fffffff9930) at draw/draw_pt_fetch_shade_pipeline_llvm.c:288 #5 0x00007fffe54ba5a4 in llvm_middle_end_linear_run (middle=0xc7, start=<value optimised out>, count=4, prim_flags=201) at draw/draw_pt_fetch_shade_pipeline_llvm.c:348 #6 0x00007fffe5479981 in vsplit_segment_simple_linear (frontend=0xff60c0, start=368, count=4) at draw/draw_pt_vsplit_tmp.h:229 #7 vsplit_run_linear (frontend=0xff60c0, start=368, count=4) at draw/draw_split_tmp.h:61 #8 0x00007fffe5475ba5 in draw_pt_arrays (draw=0xfe1570, info=0x7fffffffa170) at draw/draw_pt.c:113 #9 draw_vbo (draw=0xfe1570, info=0x7fffffffa170) at draw/draw_pt.c:398 #10 0x00007fffe52ffc86 in r300_swtcl_draw_vbo (pipe=0xfceb40, info=0x7fffffffa170) at r300_render.c:687 #11 0x00007fffe5430b8b in st_draw_vbo (ctx=<value optimised out>, arrays=<value optimised out>, prims=<value optimised out>, nr_prims=<value optimised out>, ib=0x0, index_bounds_valid=<value optimised out>, min_index=0, max_index=511) at state_tracker/st_draw.c:722 #12 0x00007fffe5454588 in vbo_save_playback_vertex_list (ctx=0x100cc20, data=0xe178b0) at vbo/vbo_save_draw.c:287 #13 0x00007fffe5340d7a in ext_opcode_execute (ctx=0x100cc20, list=<value optimised out>) at main/dlist.c:533 #14 execute_list (ctx=0x100cc20, list=<value optimised out>) at main/dlist.c:6883 #15 0x00007fffe5343922 in _mesa_CallList (list=3) at main/dlist.c:8140
My system: Radeon 1250x (rs600), ubuntu maverick 10.10 64 bit, running mesa from xorg-edgers fresh X crack (mesa from 30/8/2010).
https://bugs.freedesktop.org/show_bug.cgi?id=29901
--- Comment #1 from Tom Stellard tstellar@gmail.com 2010-09-05 20:35:27 PDT --- Created an attachment (id=38465) --> (https://bugs.freedesktop.org/attachment.cgi?id=38465) Output from civ4 with RADEON_DEBUG=swtcl
https://bugs.freedesktop.org/show_bug.cgi?id=29901
--- Comment #2 from Tom Stellard tstellar@gmail.com 2010-09-05 20:36:44 PDT --- I have the same problem running civ4 via wine on my RC410. I've bisected this bug and the first bad commit is eb430b0e948caf02b9f4095d0e1435880073c2aa
https://bugs.freedesktop.org/show_bug.cgi?id=29901
Tom Stellard tstellar@gmail.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Summary|[r300g] Programs crash with |[r300g] Commit |segfault |eb430b0e948caf02b9f4095d0e1 | |435880073c2aa breaks swtcl
https://bugs.freedesktop.org/show_bug.cgi?id=29901
--- Comment #3 from Dave Airlie airlied@freedesktop.org 2010-09-06 15:33:01 PDT --- weird I'm having trouble reproducing this on real r300 using RADEON_NO_TCL=1
Niels can you give me an exact OSG example to run?
blender 2.4 seems fine here.
https://bugs.freedesktop.org/show_bug.cgi?id=29901
--- Comment #4 from Tom Stellard tstellar@gmail.com 2010-09-09 16:41:17 PDT --- I can reproduce this bug with the game nexuiz (http://alientrap.org/nexuiz/). This is on an RV515 with RADEON_NO_TCL=1. The game crashes right right before the main menu loads.
https://bugs.freedesktop.org/show_bug.cgi?id=29901
Matt Turner mattst88@gmail.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Component|Drivers/DRI/r300 |Drivers/Gallium/r300
https://bugs.freedesktop.org/show_bug.cgi?id=29901
--- Comment #5 from Marek Olšák maraeo@gmail.com 2010-09-13 04:30:10 PDT --- The problem is:
- r300_render_allocate_vertices allocates a vertex buffer. - Draw stores vertices in the buffer. - r300_render_draw_arrays is called. - r300_prepare_for_rendering is called and inside that function, assume the command stream is full and must be flushed. r300_flush calls r300_draw_flush_vbuf, which releases the vertex buffer. - r300_prepare_for_rendering begins to emit states. - r300_emit_aos_swtcl is called, which crashes due to the buffer having been deleted.
The commit 0392e48867c27f2aa445c5c9b35f4a52ecef2f2d in Mesa fixes the regressions I was able to reproduce.
I have split r300_prepare_for_rendering into 2 parts: - r300_reserve_cs_dwords, which is called before r300_render_allocate_vertices - r300_emit_states, which is called instead of r300_prepare_for_rendering
Please test.
https://bugs.freedesktop.org/show_bug.cgi?id=29901
Marek Olšák maraeo@gmail.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Summary|[r300g] Commit |[r300g] emit_aos_swtcl |eb430b0e948caf02b9f4095d0e1 |crash |435880073c2aa breaks swtcl |
https://bugs.freedesktop.org/show_bug.cgi?id=29901
--- Comment #6 from Tom Stellard tstellar@gmail.com 2010-09-14 20:26:59 PDT --- nexuiz works now, but I am still having problems running civ4 with wine. Using mesa from git, commit fd7f70af4897e4e31b11562eb1c473f0ee00fce5 I get this assertion failure:
r300_render.c:973:r300_render_draw_elements: Assertion `6 + (short_count+1)/2 <= (cs_copy->ndw - cs_copy->cdw)' failed.
With commit 0b9eb5c9bb03e5134d9a41786178100109e80c5a wine segfaults. Here is the backtrace:
Backtrace: =>0 0x7cf4b24f radeon_bo_get_tiling+0xf() in libdrm_radeon.so.1 (0x0033edc4) 1 0x7d0759de radeon_drm_bufmgr_get_tiling+0x4d(ws=0x3, _buf=0x300091fc, microtiled=0x1, macrotiled=(nil)) [/home/steltho/mesa/src/gallium/winsys/radeon/drm/radeon_drm_ buffer.c:379] in r300_dri.so (0x0033edc4) 2 0x00000000 (0x7c04f798) 3 0x7d074460 in r300_dri.so (+0x11345f) (0x7d074670) 4 0x8b182474 (0x891cec83) 0x7cf4b24f radeon_bo_get_tiling+0xf in libdrm_radeon.so.1: movl 0x0(%edx),%edx
https://bugs.freedesktop.org/show_bug.cgi?id=29901
--- Comment #7 from Marek Olšák maraeo@gmail.com 2010-09-15 05:52:12 PDT --- The crash in radeon_bo_get_tiling has been fixed by commit 09ef8e9283f17. I'll look into the assertion failure.
https://bugs.freedesktop.org/show_bug.cgi?id=29901
--- Comment #8 from Marek Olšák maraeo@gmail.com 2010-09-15 17:10:22 PDT --- Created an attachment (id=38727) View: https://bugs.freedesktop.org/attachment.cgi?id=38727 Review: https://bugs.freedesktop.org/review?bug=29901&attachment=38727
possible fix
Could you please test this patch?
https://bugs.freedesktop.org/show_bug.cgi?id=29901
--- Comment #9 from Tom Stellard tstellar@gmail.com 2010-09-15 20:00:07 PDT --- (In reply to comment #8)
Created an attachment (id=38727)
View: https://bugs.freedesktop.org/attachment.cgi?id=38727 Review: https://bugs.freedesktop.org/review?bug=29901&attachment=38727
possible fix
Could you please test this patch?
This patch causes the game to freeze (no more assertion failure) and outputs the following errors: Mesa: User error: GL_INVALID_OPERATION in glGetUniformfv(program) Mesa: 2105 similar GL_INVALID_OPERATION errors Mesa: User error: GL_INVALID_OPERATION in glUseProgram(program 17 not linked) Mesa: User error: GL_INVALID_OPERATION in glGetUniformfv(program) Mesa: 19 similar GL_INVALID_OPERATION errors Mesa: User error: GL_INVALID_OPERATION in glUseProgram(program 17 not linked) Mesa: User error: GL_INVALID_OPERATION in glUseProgram(program 17 not linked)
I've seen errors like this before, so they might not be directly related to this bug.
https://bugs.freedesktop.org/show_bug.cgi?id=29901
--- Comment #10 from Marek Olšák maraeo@gmail.com 2010-09-16 03:01:08 PDT --- We have 2 options for 7.9. Either I'll commit this patch but I must be sure there are no regressions, or I'll revert all swtcl fixes and the Dave's commit (in 7.9, not in master), and will get to it later when I have some time.
I'll do some additional testing here later.
https://bugs.freedesktop.org/show_bug.cgi?id=29901
--- Comment #11 from Tom Stellard tstellar@gmail.com 2010-09-16 11:05:32 PDT --- (In reply to comment #8)
Created an attachment (id=38727)
View: https://bugs.freedesktop.org/attachment.cgi?id=38727 Review: https://bugs.freedesktop.org/review?bug=29901&attachment=38727
possible fix
Could you please test this patch?
I upgraded from 2.6.34 to 2.6.35 and applied this patch and now civ4 doesn't crash. I tested 2.6.35 without this patch and I still saw the assertion failure, so your patch fixed the assertion failure and upgrading to 2.6.35 fixed the lockup.
https://bugs.freedesktop.org/show_bug.cgi?id=29901
Marek Olšák maraeo@gmail.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED
--- Comment #12 from Marek Olšák maraeo@gmail.com 2010-09-16 11:38:50 PDT --- OK, I've pushed the patch and additional testing here shows no other regression. Closing..
dri-devel@lists.freedesktop.org
-
bugzilla-daemon@freedesktop.org