NULL pointer dereferences in some corner cases
Submitted by Vadim A. Misbakh-Soloviov (mva)
Assigned to Jason Ekstrand @jekstrand
Link to original bug (#103499)
Description
Hi there! Unfortunately, I'm facing strange issues with segfaults because of null pointer dereferences on my wife's laptop with Haswell.
Firstly, without "debug" symbols being built, gdb said that the segfault was happening in the intel_miptree_level_has_hiz
function (which made me think this bug is related to the one at the end of the message).
When I recompiled mesa with debug symbols, I got the following backtrace:
Thread 1 (Thread 0x7ffff7e27800 (LWP 70027)):
#0  0x00007fffdf2be4f9 in intel_miptree_check_level_layer (mt=0x0, level=0, layer=0) at /var/tmp/portage/media-libs/mesa-17.2.3/work/mesa-17.2.3/src/mesa/drivers/dri/i965/intel_mipmap_tree.c:419
        __PRETTY_FUNCTION__ = "intel_miptree_check_level_layer"
#1  0x00007fffdf2c1987 in intel_miptree_level_has_hiz (mt=0x0, level=0) at /var/tmp/portage/media-libs/mesa-17.2.3/work/mesa-17.2.3/src/mesa/drivers/dri/i965/intel_mipmap_tree.c:1826
No locals.
#2  0x00007fffdf2bd78b in intel_renderbuffer_has_hiz (irb=0x950430) at /var/tmp/portage/media-libs/mesa-17.2.3/work/mesa-17.2.3/src/mesa/drivers/dri/i965/intel_fbo.c:934
No locals.
#3  0x00007fffdf27bf50 in brw_fast_clear_depth (ctx=0xb21b40) at /var/tmp/portage/media-libs/mesa-17.2.3/work/mesa-17.2.3/src/mesa/drivers/dri/i965/brw_clear.c:114
        brw = 0xb21b40
        fb = 0xa50630
        depth_irb = 0x950430
        mt = 0x0
        depth_att = 0xa50808
        clear_value = 2.37853907e-38
#4  0x00007fffdf27c37d in brw_clear (ctx=0xb21b40, mask=50) at /var/tmp/portage/media-libs/mesa-17.2.3/work/mesa-17.2.3/src/mesa/drivers/dri/i965/brw_clear.c:228
        brw = 0xb21b40
        fb = 0xa50630
        partial_clear = false
        tri_mask = 32767
        __PRETTY_FUNCTION__ = "brw_clear"
#5  0x00007fffdeda062d in clear (no_error=false, mask=17664, ctx=0xb21b40) at /var/tmp/portage/media-libs/mesa-17.2.3/work/mesa-17.2.3/src/mesa/main/clear.c:221
        bufferMask = 50
#6  _mesa_Clear (mask=17664) at /var/tmp/portage/media-libs/mesa-17.2.3/work/mesa-17.2.3/src/mesa/main/clear.c:242
        ctx = 0xb21b40
#7  0x00007ffff5efa38a in QSGBatchRenderer::Renderer::renderBatches() () from /usr/lib64/libQt5Quick.so.5
<...>
After some discussion with Jason Ekstrand on IRC, I tried applying this patch:
diff --git a/src/mesa/drivers/dri/i965/brw_clear.c b/src/mesa/drivers/dri/i965/brw_clear.c
index fe8634b..b0a6602 100644
--- a/src/mesa/drivers/dri/i965/brw_clear.c
+++ b/src/mesa/drivers/dri/i965/brw_clear.c
@@ -112,6 +112,9 @@ brw_fast_clear_depth(struct gl_context *ctx)
if (devinfo->gen < 6)
return false;
+ if (depth_irb->mt == NULL)
+ return false;
+
if (!intel_renderbuffer_has_hiz(depth_irb))
return false;
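Review bot: the new `if (depth_irb->mt == NULL) return false;` placed after the `devinfo->gen < 6` check only stops brw_fast_clear_depth from dereferencing a NULL miptree; it does not address why a renderbuffer with `mt == NULL` is attached to the framebuffer in the first place, and the second backtrace in this report shows the same `mt=0x0` reaching intel_miptree_render_aux_usage from brw_update_renderbuffer_surface on the draw path. Guarding one call site moves the crash rather than fixing it; the check is reasonable as a defensive early-out, but the fix belongs where the renderbuffer is attached or its miptree allocated, or the same NULL handling has to be applied consistently to every consumer of `irb->mt`. It would also help to note in a comment what state leaves `mt` NULL, since a silent `return false` here hides that condition instead of surfacing it.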
And now the backtrace looks like this:
Thread 1 (Thread 0x7ffff7e27800 (LWP 133740)):
#0  0x00007fffdf01bbb6 in intel_miptree_render_aux_usage (brw=0xb28d70, mt=0x0, srgb_enabled=false, blend_enabled=false) at /var/tmp/portage/media-libs/mesa-17.2.3/work/mesa-17.2.3/src/mesa/drivers/dri/i965/intel_mipmap_tree.c:2575
No locals.
#1  0x00007fffdeffa1c7 in brw_update_renderbuffer_surface (brw=0xb28d70, rb=0xa4c8f0, flags=0, unit=0, surf_index=0) at /var/tmp/portage/media-libs/mesa-17.2.3/work/mesa-17.2.3/src/mesa/drivers/dri/i965/brw_wm_surface_state.c:219
        ctx = 0xb28d70
        irb = 0xa4c8f0
        mt = 0x0
        aux_usage = ISL_AUX_USAGE_HIZ
        rb_format = MESA_FORMAT_X8B8G8R8_UNORM
        view = {usage = 0, format = 3691008000, base_level = 32767, levels = 4096, base_array_layer = 3, array_len = 9437200, swizzle = {r = ISL_CHANNEL_SELECT_ZERO, g = ISL_CHANNEL_SELECT_ZERO, b = ISL_CHANNEL_SELECT_ZERO, a = ISL_CHANNEL_SELECT_ZERO}}
        offset = 32767
#2  0x00007fffdeffc097 in brw_update_renderbuffer_surfaces (brw=0xb28d70, fb=0xa6d970, render_target_start=0, surf_offset=0xb4f584) at /var/tmp/portage/media-libs/mesa-17.2.3/work/mesa-17.2.3/src/mesa/drivers/dri/i965/brw_wm_surface_state.c:1055
        surf_index = 0
        flags = 0
        i = 0
        w = 0
        h = 0
        s = 0
#3  0x00007fffdeffc28f in update_renderbuffer_surfaces (brw=0xb28d70) at /var/tmp/portage/media-libs/mesa-17.2.3/work/mesa-17.2.3/src/mesa/drivers/dri/i965/brw_wm_surface_state.c:1080
        ctx = 0xb28d70
        wm_prog_data = 0xa3a838
        fb = 0xa6d970
#4  0x00007fffdeff0c4c in check_and_emit_atom (brw=0xb28d70, state=0x7fffffffb320, atom=0xb4feb8) at /var/tmp/portage/media-libs/mesa-17.2.3/work/mesa-17.2.3/src/mesa/drivers/dri/i965/brw_state_upload.c:457
No locals.
#5  0x00007fffdeff053a in brw_upload_pipeline_state (brw=0xb28d70, pipeline=BRW_RENDER_PIPELINE) at /var/tmp/portage/media-libs/mesa-17.2.3/work/mesa-17.2.3/src/mesa/drivers/dri/i965/brw_state_upload.c:571
        atom = 0xb4feb8
        dirty_count = 0
        ctx = 0xb28d70
        i = 33
        state = {mesa = 4294967295, brw = 18446744073709551615}
        fb_samples = 1
        atoms = 0xb4fba0
        num_atoms = 69
#6  0x00007fffdeff0067 in brw_upload_render_state (brw=0xb28d70) at /var/tmp/portage/media-libs/mesa-17.2.3/work/mesa-17.2.3/src/mesa/drivers/dri/i965/brw_state_upload.c:593
No locals.
#7  0x00007fffdefd7338 in brw_try_draw_prims (ctx=0xb28d70, arrays=0x1c351f8, prims=0x7fffffffb588, nr_prims=1, ib=0x7fffffffb5b0, index_bounds_valid=false, min_index=0, max_index=4294967295, xfb_obj=0x0, stream=0, indirect=0x0) at /var/tmp/portage/media-libs/mesa-17.2.3/work/mesa-17.2.3/src/mesa/drivers/dri/i965/brw_draw.c:777
        sampler_state_size = 16
        new_basevertex = 0
        estimated_max_prim_size = 5120
        new_baseinstance = 0
        vs_prog_data = 0x0
        _warned = false
        msg_id = 0
        brw = 0xb28d70
        i = 0
        fail_next = false
#8  0x00007fffdefd6c02 in brw_draw_prims (ctx=0xb28d70, prims=0x7fffffffb588, nr_prims=1, ib=0x7fffffffb5b0, index_bounds_valid=0 '\000', min_index=0, max_index=4294967295, gl_xfb_obj=0x0, stream=0, indirect=0x0) at /var/tmp/portage/media-libs/mesa-17.2.3/work/mesa-17.2.3/src/mesa/drivers/dri/i965/brw_draw.c:869
        msg_id = 0
        msg_id = 0
        brw = 0xb28d70
        arrays = 0x1c351f8
        xfb_obj = 0x0
#9  0x00007fffdeccb8fd in vbo_validated_drawrangeelements (ctx=0xb28d70, mode=5, index_bounds_valid=0 '\000', start=0, end=4294967295, count=4, type=5123, indices=0x2, basevertex=0, numInstances=1, baseInstance=0) at /var/tmp/portage/media-libs/mesa-17.2.3/work/mesa-17.2.3/src/mesa/vbo/vbo_exec_array.c:918
        vbo = 0x1c31d30
        ib = {count = 4, index_size = 2, obj = 0xa6b9d0, ptr = 0x2}
        prim = {mode = 5, indexed = 1, begin = 1, end = 1, weak = 0, no_current_update = 0, is_indirect = 0, pad = 0, start = 0, count = 4, basevertex = 0, num_instances = 1, base_instance = 0, draw_id = 0, indirect_offset = 2}
#10 0x00007fffdecc8745 in vbo_exec_DrawElements (mode=5, count=4, type=5123, indices=0x2) at /var/tmp/portage/media-libs/mesa-17.2.3/work/mesa-17.2.3/src/mesa/vbo/vbo_exec_array.c:1068
        ctx = 0xb28d70
#11 0x00007ffff5ef9b01 in QSGBatchRenderer::Renderer::renderMergedBatch(QSGBatchRenderer::Batch const*) () from /usr/lib64/libQt5Quick.so.5
<...>
So it still falls into a null pointer dereference, as far as I understand the situation.
I'd be glad to provide any additional info if that was not enough to catch the problem.
P.S.: This bug may (or may not) be related to https://bugs.freedesktop.org/show_bug.cgi?id=101539
P.P.S.: Unfortunately, bisecting would be too hard, since there was a huge version gap between the "working" and "not working" states (13.0.2 -> 17.0.3) and it was also a huge system upgrade (too many system packages were upgraded, including glibc, gcc, llvm, clang, whatever). So proper bisecting could take forever :'(
Version: 17.2