https://bugs.freedesktop.org/show_bug.cgi?id=93723
Bug ID: 93723
Summary: vblank_mode=3 segfaults SynMark 6.1 to: intelDestroyContext() -> _mesa_meta_free() -> _mesa_make_current()
Product: Mesa
Version: git
Hardware: Other
OS: All
Status: NEW
Severity: normal
Priority: medium
Component: Mesa core
Assignee: mesa-dev@lists.freedesktop.org
Reporter: eero.t.tammi...@intel.com
QA Contact: mesa-dev@lists.freedesktop.org

Use case:
- vblank_mode=3 ./synmark2 OglBatch0

Result:
- Segfault in the program startup to NULL pointer access [1] within Mesa.

Notes:
- Mesa version is from today, rest is Ubuntu 15.04
- Crash happens only with EGL (v6.1) version of SynMark, not with the GLX (v6.0) version of SynMark, so this may be EGL specific.
- Other vblank_mode values (0,1,2) work fine. With them SynMark doesn't call eglDestroyContext() at the startup

Meta gets called from context destroy and tries to do make_current():
------------------------------------------------------
Program received signal SIGSEGV, Segmentation fault.
handle_first_current (ctx=0x7ffff7fa0038) at src/mesa/main/context.c:1620
1620                buffer = GL_BACK;
(gdb) bt
#0  handle_first_current (ctx=0x7ffff7fa0038) at src/mesa/main/context.c:1620
#1  _mesa_make_current (newCtx=newCtx@entry=0x7ffff7fa0038, drawBuffer=drawBuffer@entry=0x0, readBuffer=readBuffer@entry=0x0) at src/mesa/main/context.c:1745
#2  0x00007ffff221426c in _mesa_meta_free (ctx=ctx@entry=0x7ffff7fa0038) at src/mesa/drivers/common/meta.c:440
#3  0x00007ffff2341a07 in intelDestroyContext (driContextPriv=0x8d8870) at src/mesa/drivers/dri/i965/brw_context.c:1009
#4  0x00007ffff23267f3 in driDestroyContext (pcp=0x8d8870) at src/mesa/drivers/dri/common/dri_util.c:478
#5  0x00007ffff6aec409 in dri2_destroy_context (drv=<optimized out>, disp=<optimized out>, ctx=0x8da5c0) at src/egl/drivers/dri2/egl_dri2.c:1160
#6  0x00007ffff6ae6d1f in eglDestroyContext (dpy=0x7b9280, ctx=<optimized out>) at src/egl/main/eglapi.c:655
#7  0x00000000004e9030 in Ogl::ContextSys::ContextSys(Ogl::Ext::VersionId, WndHandleSys const&, unsigned int, unsigned int, ApiTypes::ColorFormat,
------------------------------------------------------

[1] This crashes on access to ctx->DrawBuffer which is NULL:
------------------------------------------------------
(gdb) list
1615        * glDrawBuffers depends on the config of the first surface it is bound to.
1616        * For GLES it is always GL_BACK which has a magic interpretation */
1617       if (!ctx->HasConfig && _mesa_is_desktop_gl(ctx)) {
1618          if (ctx->DrawBuffer != _mesa_get_incomplete_framebuffer()) {
1619             if (ctx->DrawBuffer->Visual.doubleBufferMode)
1620                buffer = GL_BACK;
1621             else
1622                buffer = GL_FRONT;
1623
1624             _mesa_drawbuffers(ctx, ctx->DrawBuffer, 1, &buffer,
(gdb) print ctx->DrawBuffer
$1 = (struct gl_framebuffer *) 0x0
(gdb) disassemble 0x7ffff206e850 , 0x7ffff206e85b
Dump of assembler code from 0x7ffff206e850 to 0x7ffff206e85b:
   0x00007ffff206e850 <_mesa_make_current+704>: add    %al,(%rax)
   0x00007ffff206e852 <_mesa_make_current+706>: mov    %rbx,%rdi
=> 0x00007ffff206e855 <_mesa_make_current+709>: cmpl   $0x1,0x40(%rsi)
   0x00007ffff206e859 <_mesa_make_current+713>: sbb    %eax,%eax
(gdb) info registers
rax            0x7ffff2773240   140737261285952
rbx            0x7ffff7fa0038   140737353744440
rcx            0x7fffffffd9d4   140737488345556
rdx            0x1      1
rsi            0x0      0
...
------------------------------------------------------

This is how the code ends here:
------------------------------------------------------
(gdb) up
#1  _mesa_make_current (newCtx=newCtx@entry=0x7ffff7fa0038, drawBuffer=drawBuffer@entry=0x0, readBuffer=readBuffer@entry=0x0) at src/mesa/main/context.c:1745
1745          handle_first_current(newCtx);
(gdb) list
1744       if (newCtx->FirstTimeCurrent) {
1745          handle_first_current(newCtx);
1746          newCtx->FirstTimeCurrent = GL_FALSE;
1747       }
(gdb) up
#2  0x00007ffff221426c in _mesa_meta_free (ctx=ctx@entry=0x7ffff7fa0038) at src/mesa/drivers/common/meta.c:440
440        _mesa_make_current(ctx, NULL, NULL);
(gdb) info locals
old_context = 0x0
(gdb) list
437     _mesa_meta_free(struct gl_context *ctx)
438     {
439        GET_CURRENT_CONTEXT(old_context);
440        _mesa_make_current(ctx, NULL, NULL);
(gdb) up
#3  0x00007ffff2341a07 in intelDestroyContext (driContextPriv=0x8d8870) at src/mesa/drivers/dri/i965/brw_context.c:1009
1009       _mesa_meta_free(&brw->ctx);
(gdb) print *ctx
$3 = {Shared = 0x8dd370, API = API_OPENGL_COMPAT, Exec = 0x8fa680,
  OutsideBeginEnd = 0x8fa680, Save = 0x900920, BeginEnd = 0x8fd7d0,
  CurrentDispatch = 0x8fa680, Visual = {rgbMode = 0 '\000',
    floatMode = 0 '\000', doubleBufferMode = 0, stereoMode = 0,
    haveAccumBuffer = 0 '\000', haveDepthBuffer = 0 '\000',
    haveStencilBuffer = 0 '\000', redBits = 0, greenBits = 0, blueBits = 0,
    alphaBits = 0, redMask = 0, greenMask = 0, blueMask = 0, alphaMask = 0,
    rgbBits = 0, indexBits = 0, accumRedBits = 0, accumGreenBits = 0,
    accumBlueBits = 0, accumAlphaBits = 0, depthBits = 0, stencilBits = 0,
    numAuxBuffers = 0, level = 0, visualRating = 0, transparentPixel = 0,
    transparentRed = 0, transparentGreen = 0, transparentBlue = 0,
    transparentAlpha = 0, transparentIndex = 0, sampleBuffers = 0,
    samples = 0, maxPbufferWidth = 0, maxPbufferHeight = 0,
    maxPbufferPixels = 0, optimalPbufferWidth = 0, optimalPbufferHeight = 0,
    swapMethod = 0, bindToTextureRgb = 0, bindToTextureRgba = 0,
    bindToMipmapTexture = 0, bindToTextureTargets = 0, yInverted = 0,
    sRGBCapable = 0}, DrawBuffer = 0x0, ReadBuffer = 0x0,
  WinSysDrawBuffer = 0x0, WinSysReadBuffer = 0x0,
...
------------------------------------------------------
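
Added example, not part of the report and not Mesa code: a reduced C model of the destroy path in the trace, where a context that was never made current reaches the first-time-current handler with DrawBuffer == NULL, next to one possible guard. The struct layout, the function names and the choice to keep the first-time flag set until a surface is bound are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins for the Mesa structures in the trace; not Mesa's definitions. */
enum buf { BUF_UNSET = 0, BUF_FRONT, BUF_BACK };
struct framebuffer { bool double_buffered; };
struct context {
    bool has_config, desktop_gl, first_time_current;
    struct framebuffer *draw_buffer;      /* ctx->DrawBuffer in the report */
    enum buf draw_target;
};
static struct framebuffer incomplete_fb;  /* models _mesa_get_incomplete_framebuffer() */

/* Same condition chain as context.c:1617-1619 in the listing, evaluated without
 * the dereference: true means the original code would read through NULL. */
static bool would_deref_null(const struct context *c)
{
    return !c->has_config && c->desktop_gl &&
           c->draw_buffer != &incomplete_fb && c->draw_buffer == NULL;
}

/* Guarded variant (assumed mitigation): choose a default only when a real
 * framebuffer is bound; returns whether first-time setup could complete. */
static bool first_current_guarded(struct context *c)
{
    if (c->has_config || !c->desktop_gl) return true;   /* nothing to choose */
    if (c->draw_buffer == NULL) return false;           /* no surface bound yet */
    if (c->draw_buffer != &incomplete_fb)
        c->draw_target = c->draw_buffer->double_buffered ? BUF_BACK : BUF_FRONT;
    return true;
}

/* Models make_current(ctx, draw): in this model a NULL draw leaves draw_buffer as is. */
static void make_current_guarded(struct context *c, struct framebuffer *draw)
{
    if (draw) c->draw_buffer = draw;
    if (c->first_time_current && first_current_guarded(c))
        c->first_time_current = false;    /* flag stays set until a surface exists */
}

int main(void)
{
    /* Constructed state: desktop GL context, never made current, no buffers. */
    struct context c = { false, true, true, NULL, BUF_UNSET };
    printf("unguarded path dereferences NULL: %d\n", would_deref_null(&c));
    make_current_guarded(&c, NULL);       /* destroy path from the report */
    printf("first_time_current still set: %d\n", c.first_time_current);
    return 0;
}
```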