intel_miptree_map crash
@elmarco
Submitted by Marc-André Lureau Assigned to Intel 3D Bugs Mailing List
Link to original bug (#106811)
Description
When taking a screenshot with virt-viewer (spice with virgl enabled)
(gdb) bt
#0 0x00007fffa4f2621d in intel_miptree_map (brw=0x555555f4dc40, mt=0x0, level=0, slice=0, x=0, y=117, w=1024, h=768, mode=1, out_ptr=0x7fffffffbfe0, out_stride=0x7fffffffbfd8) at intel_mipmap_tree.c:3648
#1 0x00007fffa4f1b740 in intel_map_renderbuffer (ctx=0x555555f4dc40, rb=0x555555fe9510, x=0, y=117, w=1024, h=768, mode=1, out_map=0x7fffffffc080, out_stride=0x7fffffffc088) at intel_fbo.c:169
#2 0x00007fffa4b22541 in read_rgba_pixels (ctx=0x555555f4dc40, x=0, y=0, width=1024, height=768, format=6408, type=5121, pixels=0x555556634d80, packing=0x7fffffffc210) at main/readpix.c:464
#3 0x00007fffa4b23463 in _mesa_readpixels (ctx=0x555555f4dc40, x=0, y=0, width=1024, height=768, format=6408, type=5121, packing=0x7fffffffc210, pixels=0x555556634d80) at main/readpix.c:896
#4 0x00007fffa4f29fa1 in intelReadPixels (ctx=0x555555f4dc40, x=0, y=0, width=1024, height=768, format=6408, type=5121, pack=0x7fffffffc210, pixels=0x555556634d80) at intel_pixel_read.c:296
#5 0x00007fffa4b2451f in read_pixels (no_error=false, pixels=0x555556634d80, bufSize=2147483647, type=5121, format=6408, height=768, width=1024, y=0, x=0) at main/readpix.c:1136
#6 0x00007fffa4b2451f in _mesa_ReadnPixelsARB (x=0, y=0, width=1024, height=768, format=6408, type=5121, bufSize=2147483647, pixels=0x555556634d80) at main/readpix.c:1153
#7 0x00007fffa4b245b9 in _mesa_ReadPixels (x=0, y=0, width=1024, height=768, format=6408, type=5121, pixels=0x555556634d80) at main/readpix.c:1168
#8 0x00007ffff7f85521 in spice_display_get_pixbuf (display=<optimized out>) at spice-widget.c:3173
#9 0x0000555555574464 in virt_viewer_window_menu_file_screenshot ()
#10 0x00007ffff4238add in g_closure_invoke () at /lib64/libgobject-2.0.so.0
#11 0x00007ffff424bf43 in () at /lib64/libgobject-2.0.so.0
#12 0x00007ffff425506a in g_signal_emit_valist () at /lib64/libgobject-2.0.so.0
#13 0x00007ffff4255663 in g_signal_emit () at /lib64/libgobject-2.0.so.0
#14 0x00007ffff6397732 in gtk_widget_activate () at /lib64/libgtk-3.so.0
#15 0x00007ffff6264c76 in gtk_menu_shell_activate_item () at /lib64/libgtk-3.so.0
#16 0x00007ffff6264f13 in gtk_menu_shell_button_release () at /lib64/libgtk-3.so.0
#17 0x00007ffff62477a8 in _gtk_marshal_BOOLEAN__BOXEDv () at /lib64/libgtk-3.so.0
#18 0x00007ffff4238d36 in () at /lib64/libgobject-2.0.so.0
#19 0x00007ffff4254ae4 in g_signal_emit_valist () at /lib64/libgobject-2.0.so.0
#20 0x00007ffff4255663 in g_signal_emit () at /lib64/libgobject-2.0.so.0
#21 0x00007ffff6395134 in gtk_widget_event_internal () at /lib64/libgtk-3.so.0
#22 0x00007ffff62445d6 in propagate_event () at /lib64/libgtk-3.so.0
#23 0x00007ffff6246793 in gtk_main_do_event () at /lib64/libgtk-3.so.0
#24 0x00007ffff5d4f639 in _gdk_event_emit () at /lib64/libgdk-3.so.0
#25 0x00007ffff5dabac6 in gdk_event_source_dispatch () at /lib64/libgdk-3.so.0
#26 0x00007ffff3f5d8ad in g_main_context_dispatch () at /lib64/libglib-2.0.so.0
#27 0x00007ffff3f5dc78 in () at /lib64/libglib-2.0.so.0
#28 0x00007ffff3f5dd10 in g_main_context_iteration () at /lib64/libglib-2.0.so.0
#29 0x00007ffff4521675 in g_application_run () at /lib64/libgio-2.0.so.0
#30 0x0000555555566980 in main ()
#0 0x00007fffa4f2621d in intel_miptree_map (brw=0x555555f4dc40, mt=0x0, level=0, slice=0, x=0, y=117, w=1024, h=768, mode=1, out_ptr=0x7fffffffbfe0, out_stride=0x7fffffffbfd8) at intel_mipmap_tree.c:3648
3648 assert(mt->surf.samples == 1);
mt is NULL
spice-gtk code triggering the crash:
data = g_malloc0(d->area.width * d->area.height * 4);
glReadBuffer(GL_FRONT);
glPixelStorei(GL_UNPACK_ALIGNMENT, 1);
glReadPixels(0, 0, d->area.width, d->area.height,
GL_RGBA, GL_UNSIGNED_BYTE, data);