Valgrind reports Invalid read of size 8 in llvmpipe during SDL_GL_SwapWindow when running modified Globulation 2
Before submitting your bug report:
- Check if a new version of Mesa is available which might have fixed the problem.
- If you can, check if the latest development version (git main) works better.
- Check if your bug has already been reported here.
- For any logs, backtraces, etc - use code blocks, GitLab removes line breaks without this.
- Do not paste long logs directly into the description. Use https://gitlab.freedesktop.org/-/snippets/new, attachments, or a pastebin with a long expiration instead.
- As examples of good bug reports you may review one of these - #2598 (closed), #2615 (closed), #2608 (closed)
Otherwise, please fill in the requested information below. And please remove anything that doesn't apply to keep things readable :)
The title should effectively distinguish this bug report from others and be specific to the issue you encounter. When writing the title of the bug report, include a short description of the issue, the hardware/driver(s) affected and the application(s) affected.
System information
Please post `inxi -GSC -xx` output (fenced with triple backticks) OR fill in the information below manually.
`inxi -GSC -xx` output:
```
System:
  Host: localhost.localdomain Kernel: 5.14.21-150500.30-default arch: x86_64
    bits: 64 compiler: gcc v: 7.5.0 Desktop: KDE Plasma v: 5.24.4 tk: Qt
    v: 5.15.2 wm: kwin_x11 dm: SDDM Distro: openSUSE Leap 15.5 Alpha
CPU:
  Info: triple core model: Intel Core i7-8750H bits: 64 type: MCP
    arch: Coffee Lake rev: A cache: L1: 192 KiB L2: 768 KiB L3: 27 MiB
  Speed (MHz): avg: 2208 min/max: N/A cores: 1: 2208 2: 2208 3: 2208
    bogomips: 13248
  Flags: avx avx2 ht lm nx pae sse sse2 sse3 sse4_1 sse4_2 ssse3
Graphics:
  Device-1: VMware SVGA II Adapter driver: vmwgfx v: 2.18.1.0 ports:
    active: Virtual-1 empty: Virtual-2, Virtual-3, Virtual-4, Virtual-5,
    Virtual-6, Virtual-7, Virtual-8
    bus-ID: 00:02.0 chip-ID: 15ad:0405
  Display: x11 server: X.Org v: 1.20.3 with: Xwayland v: 21.1.4
    compositor: kwin_x11 driver: X: loaded: vmware
    unloaded: fbdev,modesetting,vesa gpu: vmwgfx display-ID: :0 screens: 1
  Screen-1: 0 s-res: 1920x975 s-dpi: 96
  Monitor-1: Virtual-1 mapped: Virtual1 res: 1920x975 size: N/A
  OpenGL: renderer: llvmpipe (LLVM 11.0.1 256 bits) v: 4.5 Mesa 21.2.4
    compat-v: 3.1 direct render: Yes
```
- OS: (`cat /etc/os-release | grep "NAME"`) openSUSE 15.5 in VirtualBox 6.1.40 on Windows 10
- GPU: (`lspci -nn | grep VGA` or `lshw -C display -numeric`) GeForce GTX 1060
- Kernel version: (run `uname -a`) `Linux localhost.localdomain 5.14.21-150500.34-default #1 SMP PREEMPT_DYNAMIC Thu Nov 3 11:02:02 UTC 2022 (c8fa035) x86_64 x86_64 x86_64 GNU/Linux`
- Mesa version: (`glxinfo -B | grep "OpenGL version string"`) Mesa 21.3.9 (78c96ae5) compiled from sources with GCC 11.3.0. Issue also present with package Mesa-dri-21.2.4-150400.68.9.1.x86_64
- Xserver version (if applicable): (`sudo X -version`) 1.21.1.4
- Desktop manager and compositor: KDE
If applicable
- DXVK version:
- Wine/Proton version:
Describe the issue
Please describe what you are doing, what you expect and what you're seeing instead.
- How frequent is the issue? As often as I try to start the game.
- Is it a one time occurrence? No, it happens every time I resize the window on Linux.
- Does it appear multiple times but randomly? No.
- Can you easily reproduce it? Yes.
"It doesn't work" usually is not a helpful description of an issue. The more detail about how things are going wrong, the better.
I am trying to make resizing the Globulation 2 game window work on both Windows and Linux. It works fine on Windows 10 (albeit with graphical glitches), but on Linux it crashes every time in `SDL_GL_SwapWindow` as soon as I resize the window. To be more specific, the game crashes at `dri_sw_displaytarget_display()` (dri_sw_winsys.c:251) with `dt` equal to `0x4545454545454545`, which is "EEEEEEEE" in ASCII. However, when I debug glob2 with Valgrind's vgdb instead of VS Code, then the pointer mentioned in the error message has a different address. The frame above that is `llvmpipe_flush_frontbuffer()` (lp_screen.c:827), which seems to use a VBO (at least, I think it's a VBO, not sure) which has already been freed.
The VBO seems to be created by `glColor4ub` in `GraphicContext::drawSurface` (GraphicContext.cpp:1683) and destroyed somewhere in the `st_context_flush` call called by `dri_sw_swapbuffers` (drisw.c:256).
It's a reference-counting bug leading to a use-after-free. `pipe_surface_reference()` (u_inlines.h:116) destroys the resource when `pipe_reference_described()` (u_inlines.h:75) returns true, which happens when the reference count of `dst` hits zero. Then later on, `llvmpipe_flush_frontbuffer()` tries to use the VBO, but objects that have been freed can't be used.
This bug can probably be easily fixed by incrementing the reference count in the right place, but as I am not familiar with Mesa's source code, I wouldn't know where to put the `p_atomic_inc()` call.
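To illustrate the reference-counting contract the report describes (a holder that never incremented the count is left with a dangling pointer once the owner's count hits zero), here is an added example in C; it is not Mesa's own code. `reference_assign`, `simulate_flush` and the `destroyed` flag are constructed stand-ins for the driver's free path, modelled on the `pipe_reference_described()` / `p_atomic_inc()` behaviour named above.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Constructed model of an intrusively reference-counted object in the style of
 * Mesa's pipe_reference(): added example code, not Mesa's own implementation. */
struct resource {
    int refcount;
    int destroyed;  /* set when the last reference is dropped; stands in for free() */
};

/* Take a reference on src (p_atomic_inc), drop the one held on *dst, and return
 * true when the old *dst hit zero and must be destroyed, which is the contract the
 * report describes for pipe_reference_described(). */
static bool reference_assign(struct resource **dst, struct resource *src)
{
    bool destroy = false;
    if (src)
        src->refcount++;
    if (*dst && --(*dst)->refcount == 0)
        destroy = true;
    *dst = src;
    return destroy;
}

/* Simulate the reported flow. A front-buffer holder that keeps a raw pointer
 * without taking a reference (take_ref == false) observes a destroyed object once
 * the sole owner releases it during the flush; with take_ref == true the extra
 * count keeps the object alive. Returns 1 if the holder saw a dead object. */
static int simulate_flush(bool take_ref)
{
    struct resource *res = calloc(1, sizeof *res);
    struct resource *owner = NULL, *frontbuffer = NULL;

    reference_assign(&owner, res);             /* refcount 1 */
    if (take_ref)
        reference_assign(&frontbuffer, res);   /* refcount 2 */
    else
        frontbuffer = res;                     /* uncounted, borrowed pointer */

    if (reference_assign(&owner, NULL))        /* context flush drops owner's ref */
        res->destroyed = 1;                    /* the driver would free() here */

    int stale = frontbuffer->destroyed;        /* 1 == use-after-free in the driver */
    if (take_ref && reference_assign(&frontbuffer, NULL))
        res->destroyed = 1;                    /* correct: last ref dropped here */
    free(res);
    return stale;
}
```

Running it under Valgrind with a real `free()` in place of the flag is the same check the report performed; the uncounted path is the one the tool flags as an invalid read.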
Globulation 2 version: 778a7d6f (Quipyowert2/resize-attempt5 "Disallow resizing to smaller than minimum size")
To compile:
- clone github.com/Quipyowert2/glob2
- checkout the resize-attempt5 branch
- build:
```
cd ~/src/glob2
mkdir build
scons --build=build -j6
```
To reproduce the bug:
- Start the game: `gdb build/src/glob2` or `valgrind --num-callers=100 --vgdb-error=1 build/src/glob2`
- Wait for the loading screen to finish (wait for yellow to go all the way to the right). You can tell when the loading screen finishes by there being ten buttons and it says "Globulation 2".
- Resize the window; the game will either crash (if using plain GDB) or a Valgrind error message will be printed.
- If using Valgrind: in another Konsole window or tab, run `gdb build/src/glob2` and then in gdb, type `target remote | vgdb --pid=PID` where PID is the process ID of Globulation 2. `--pid=PID` is optional if there is only one vgdb process running.
Dependencies:
- scons for building Glob2
- libSDL2{_net,_ttf,_image}
- boost_thread
- boost_date_time
- speex
- vorbisfile
- ogg
Optional dependencies:
- fribidi
- portaudio
Regression
Did it used to work? It can greatly help to know when the issue started.
Log files as attachment
- Output of `dmesg`
- Backtrace
- GPU hang details