[RadeonSI] pb_cache_add_buffer / release_expired_buffers_locked segmentation fault
System information
System: Kernel: 5.10.75+ x86_64 bits: 64 compiler: gcc 11.2.1 Desktop: GNOME 40.5
tk: GTK 3.24.30 wm: gnome-shell dm: GDM Distro: Fedora release 34 (Thirty Four)
CPU: Info: 6-Core model: AMD Ryzen 5 1600X bits: 64 type: MCP arch: Zen rev: 1 cache: L2: 3 MiB
flags: avx avx2 lm nx pae sse sse2 sse3 sse4_1 sse4_2 sse4a ssse3 svm bogomips: 43197
Speed: 3092 MHz min/max: 2200/3600 MHz boost: enabled Core speeds (MHz): 1: 3092 2: 3053 3: 3150 4: 2964 5: 3058
6: 3030
Graphics: Device-1: AMD Lexa PRO [Radeon 540/540X/550/550X / RX 540X/550/550X] vendor: Sapphire Limited driver: amdgpu
v: kernel bus-ID: 0c:00.0 chip-ID: 1002:699f
Display: wayland server: X.Org 1.21.1.2 compositor: gnome-shell driver: loaded: amdgpu
unloaded: fbdev,modesetting,vesa resolution: 3840x2160~60Hz s-dpi: 96
OpenGL: renderer: Radeon RX550/550 Series (POLARIS12 DRM 3.40.0 5.10.75+ LLVM 12.0.1) v: 4.6 Mesa 21.2.4
direct render: Yes
mozjs78-78.15.0
glib-2.69.3
Describe the issue
This has happened several times, but I don't know how to reproduce.
Regression
Pretty recent
Backtrace
#0 release_expired_buffers_locked (current_time=171208657821, cache=0x567e068317f0) at ../src/gallium/auxiliary/pipebuffer/pb_cache.c:64
64 next = curr->next;
(gdb) list
59 {
60 struct list_head *curr, *next;
61 struct pb_cache_entry *entry;
62
63 curr = cache->next;
64 next = curr->next;
65 while (curr != cache) {
66 entry = LIST_ENTRY(struct pb_cache_entry, curr, head);
67
68 if (!os_time_timeout(entry->start, entry->end, current_time))
(gdb) bt
#0 release_expired_buffers_locked (current_time=171208657821, cache=0x567e068317f0) at ../src/gallium/auxiliary/pipebuffer/pb_cache.c:64
#1 pb_cache_add_buffer (entry=0x567e04b2f208) at ../src/gallium/auxiliary/pipebuffer/pb_cache.c:96
#2 0x0000735300f13bb6 in pb_destroy (buf=<optimized out>, winsys=<optimized out>) at ../src/gallium/auxiliary/pipebuffer/pb_buffer.h:259
#3 pb_reference_with_winsys (src=<optimized out>, dst=<optimized out>, winsys=<optimized out>) at ../src/gallium/auxiliary/pipebuffer/pb_buffer.h:282
#4 radeon_bo_reference (src=<optimized out>, dst=<optimized out>, rws=<optimized out>) at ../src/gallium/drivers/radeon/radeon_winsys.h:754
#5 si_resource_destroy (buf=0x567e078fbb00, screen=0x567e049cb640) at ../src/gallium/drivers/radeonsi/si_buffer.c:235
#6 si_resource_destroy (screen=0x567e049cb640, buf=0x567e078fbb00) at ../src/gallium/drivers/radeonsi/si_buffer.c:221
#7 0x000073530074a97c in pipe_resource_destroy (res=<optimized out>) at ../src/gallium/auxiliary/util/u_inlines.h:145
#8 pipe_resource_reference (src=0x0, dst=0x567e0777d690) at ../src/gallium/auxiliary/util/u_inlines.h:162
#9 st_FreeTextureImageBuffer (ctx=<optimized out>, texImage=0x567e0777d640) at ../src/mesa/state_tracker/st_cb_texture.c:227
#10 0x00007353008d8b3e in _mesa_delete_texture_image (ctx=<optimized out>, texImage=0x567e0777d640) at ../src/mesa/main/teximage.c:223
#11 0x00007353008ea409 in _mesa_delete_texture_object (ctx=0x567e04b64020, texObj=0x567e078fb6a0) at ../src/mesa/main/texobj.c:467
#12 0x00007353008ea521 in _mesa_reference_texobj_ (ptr=ptr@entry=0x7ffe85eb86e0, tex=tex@entry=0x0) at ../src/mesa/main/texobj.c:574
#13 0x00007353008ea99b in _mesa_reference_texobj (tex=0x0, ptr=0x7ffe85eb86e0) at ../src/mesa/main/texobj.h:96
#14 delete_textures (ctx=0x567e04b64020, n=<optimized out>, textures=<optimized out>) at ../src/mesa/main/texobj.c:1487
#15 0x0000735307eabc59 in _cogl_delete_gl_texture (gl_texture=<optimized out>) at ../cogl/cogl/driver/gl/cogl-pipeline-opengl.c:212
#16 _cogl_texture_2d_gl_free (tex_2d=0x567e07995900) at ../cogl/cogl/driver/gl/cogl-texture-2d-gl.c:66
#17 0x0000735307ecf279 in _cogl_texture_2d_free (tex_2d=0x567e07995900) at ../cogl/cogl/cogl-texture-2d.c:78
#18 _cogl_object_texture_2d_indirect_free (obj=0x567e07995900) at ../cogl/cogl/cogl-texture-2d.c:60
#19 0x0000735308479b45 in meta_background_image_finalize (object=0x567e05841500) at ../src/compositor/meta-background-image.c:301
#20 0x000073530922eb60 in g_object_unref (_object=<optimized out>) at ../gobject/gobject.c:3587
#21 g_object_unref (_object=0x567e05841500) at ../gobject/gobject.c:3479
#22 0x0000735308479a49 in set_file
(self=self@entry=0x7352e008e130, filep=filep@entry=0x7352e008e170, imagep=imagep@entry=0x7352e008e178, file=file@entry=0x0, force_reload=force_reload@entry=0)
at ../src/compositor/meta-background.c:250
#23 0x000073530847efd6 in meta_background_dispose (object=0x7352e008e130) at ../src/compositor/meta-background.c:300
#24 0x000073530922ead8 in g_object_unref (_object=<optimized out>) at ../gobject/gobject.c:3549
#25 g_object_unref (_object=0x7352e008e130) at ../gobject/gobject.c:3479
#26 0x0000735308781f71 in ObjectInstance::disassociate_js_gobject() (this=0x567e0904f2a0) at ../gi/object.cpp:1565
#27 0x00007353087cff33 in std::function<void (ObjectInstance*)>::operator()(ObjectInstance*) const (__args#0=<optimized out>, this=0x7ffe85eb8990)
at /usr/include/c++/10/bits/std_function.h:622
#28 operator() (link=0x567e0904f2a0, __closure=0x7ffe85eb8970) at ../gi/object.cpp:1120
#29 __gnu_cxx::__ops::_Iter_pred<ObjectInstance::remove_wrapped_gobjects_if(const Predicate&, const Action&)::<lambda(ObjectInstance*)> >::operator()<__gnu_cxx::__normal_iterator<ObjectInstance**, std::vector<ObjectInstance*> > >Python Exception <class 'gdb.error'>: value has been optimized out
(__it=, this=0x7ffe85eb8970) at /usr/include/c++/10/bits/predefined_ops.h:316
#30 std::__remove_if<__gnu_cxx::__normal_iterator<ObjectInstance**, std::vector<ObjectInstance*> >, __gnu_cxx::__ops::_Iter_pred<ObjectInstance::remove_wrapped_gobjects_if(const Predicate&, const Action&)::<lambda(ObjectInstance*)> > > (__pred=..., __last=0x567e095a1090, __first=0x567e0904f2a0)
at /usr/include/c++/10/bits/stl_algo.h:847
#31 std::remove_if<__gnu_cxx::__normal_iterator<ObjectInstance**, std::vector<ObjectInstance*> >, ObjectInstance::remove_wrapped_gobjects_if(const Predicate&, const Action&)::<lambda(ObjectInstance*)> >Python Exception <class 'gdb.error'>: value has been optimized out
Python Exception <class 'gdb.error'>: value has been optimized out
(__pred=..., __last=, __first=) at /usr/include/c++/10/bits/stl_algo.h:919
#32 ObjectInstance::remove_wrapped_gobjects_if(std::function<bool (ObjectInstance*)> const&, std::function<void (ObjectInstance*)> const&) [clone .constprop.0]
(predicate=..., action=...) at ../gi/object.cpp:1124
#33 0x000073530877c669 in ObjectInstance::update_heap_wrapper_weak_pointers(JSContext*, JS::Compartment*, void*) () at ../gi/object.cpp:1412
#34 0x0000735305c20ada in js::gc::GCRuntime::beginSweepingSweepGroup(JSFreeOp*, js::SliceBudget&) (this=0x567e051d24f8, fop=0x7ffe85eb9100, budget=<optimized out>)
at /usr/src/debug/mozjs78-78.15.0-1.fc34.x86_64/gc/GC.cpp:1641
#35 0x0000735305c1867e in sweepaction::SweepActionSequence::run(js::gc::SweepAction::Args&) (this=0x567e051e4040, args=...)
at /usr/src/debug/mozjs78-78.15.0-1.fc34.x86_64/gc/GC.cpp:5981
#36 0x0000735305c314ca in sweepaction::SweepActionForEach<js::gc::SweepGroupsIter, JSRuntime*>::run(js::gc::SweepAction::Args&) (this=0x567e051c0720, args=...)
at /usr/src/debug/mozjs78-78.15.0-1.fc34.x86_64/gc/GC.cpp:6016
#37 0x0000735305c27c0b in js::gc::GCRuntime::performSweepActions(js::SliceBudget&) (budget=..., this=<optimized out>)
at /usr/src/debug/mozjs78-78.15.0-1.fc34.x86_64/dist/include/mozilla/UniquePtr.h:287
#38 js::gc::GCRuntime::incrementalSlice(js::SliceBudget&, mozilla::Maybe<JSGCInvocationKind> const&, JS::GCReason, js::gc::AutoGCSession&)
(this=<optimized out>, budget=..., gckind=<optimized out>, reason=JS::GCReason::DESTROY_RUNTIME, session=...)
at /usr/src/debug/mozjs78-78.15.0-1.fc34.x86_64/gc/GC.cpp:6694
#39 0x0000735305c379f9 in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget, mozilla::Maybe<JSGCInvocationKind> const&, JS::GCReason)
(this=<optimized out>, nonincrementalByAPI=<optimized out>, budget=..., gckind=<optimized out>, reason=JS::GCReason::DESTROY_RUNTIME)
at /usr/src/debug/mozjs78-78.15.0-1.fc34.x86_64/gc/GC.cpp:7104
#40 0x0000735305c397a2 in js::gc::GCRuntime::collect(bool, js::SliceBudget, mozilla::Maybe<JSGCInvocationKind> const&, JS::GCReason)
(this=0x567e051d24f8, nonincrementalByAPI=<optimized out>, budget=..., gckindArg=<optimized out>, reason=JS::GCReason::DESTROY_RUNTIME)
at /usr/src/debug/mozjs78-78.15.0-1.fc34.x86_64/gc/GC.cpp:7314
#41 0x00007353059f1f94 in js::gc::GCRuntime::gc(JSGCInvocationKind, JS::GCReason) (reason=JS::GCReason::DESTROY_RUNTIME, gckind=GC_NORMAL, this=0x567e051d24f8)
at /usr/src/debug/mozjs78-78.15.0-1.fc34.x86_64/gc/GC.cpp:7391
#42 JSRuntime::destroyRuntime() (this=0x567e051d2000) at /usr/src/debug/mozjs78-78.15.0-1.fc34.x86_64/vm/Runtime.cpp:287
#43 0x0000735305870ff6 in js::DestroyContext(JSContext*) (cx=0x567e051d69f0) at /usr/src/debug/mozjs78-78.15.0-1.fc34.x86_64/vm/JSContext.cpp:223
#44 JS_DestroyContext(JSContext*) (cx=0x567e051d69f0) at /usr/src/debug/mozjs78-78.15.0-1.fc34.x86_64/jsapi.cpp:396
#45 0x000073530879c539 in GjsContextPrivate::dispose() (this=0x567e051d1030) at ../gjs/context.cpp:455
#46 GjsContextPrivate::dispose() (this=0x567e051d1030) at ../gjs/context.cpp:405
#47 gjs_context_dispose(GObject*) (object=<optimized out>) at ../gjs/context.cpp:385
#48 0x000073530922ead8 in g_object_unref (_object=<optimized out>) at ../gobject/gobject.c:3549
#49 g_object_unref (_object=0x567e051d1190) at ../gobject/gobject.c:3479
#50 0x0000567e045ffced in main ()
(gdb) frame 1
#1 pb_cache_add_buffer (entry=0x567e04b2f208) at ../src/gallium/auxiliary/pipebuffer/pb_cache.c:96
96 release_expired_buffers_locked(&mgr->buckets[i], current_time);
(gdb) p *entry
$5 = {head = {prev = 0x0, next = 0x0}, buffer = 0x567e04b2f1a0, mgr = 0x567e04a0a6b8, start = 0, end = 0, bucket_index = 0}
(gdb) p *entry->buffer
$6 = {reference = {count = 0}, placement = 4 '\004', alignment_log2 = 21 '\025', usage = 19, size = 33554432, vtbl = 0x735301b171c0 <amdgpu_winsys_bo_vtbl>}
(gdb) p *entry->mgr
$7 = {buckets = 0x567e068317f0, mutex = {__data = {__lock = 130409776, __count = 22142, __owner = 130741504, __nusers = 22142, __kind = -1, __spins = 0,
__elision = 0, __list = {__prev = 0x0, __next = 0x0}}, __size = "0\345\305\a~V\000\000\000\365\312\a~V\000\000\377\377\377\377", '\000' <repeats 19 times>,
__align = 95099296277808}, winsys = 0x567e04a0a6b0, cache_size = 0, max_cache_size = 1073741824, num_heaps = 15, usecs = 500000, num_buffers = 0,
bypass_usage = 0, size_factor = 2, destroy_buffer = 0x735300f431d0 <amdgpu_bo_destroy>, can_reclaim = 0x735300f435c0 <amdgpu_bo_can_reclaim>}
(gdb) p i
$8 = 0