From mboxrd@z Thu Jan 1 00:00:00 1970
From: bugzilla-daemon@freedesktop.org
Subject: [Bug 97909] X-Plane 10 crashes with SIGSEGV on radeonsi
Date: Fri, 29 Dec 2017 16:31:30 +0000
To: dri-devel@lists.freedesktop.org
https://bugs.freedesktop.org/show_bug.cgi?id=97909
Thomas Rohloff changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |v10lator@myway.de
--- Comment #9 from Thomas Rohloff ---
(In reply to Nicolai Hähnle from comment #5)
> Okay, so I could reproduce this after all with the web demo.
>
> There is a bug in X-Plane and also questionable behaviour of the driver. The
> bug in X-Plane is that it uses GL_AMD_pinned_memory with a size that is not
> a multiple of a page; as per the spec, the driver is allowed to reject that,
> and we do (apparently unlike the closed source driver...). X-Plane doesn't
> check this error condition, and continues rendering, hence the crash, which
> would also happen with a simple sequence of:
>
> glGenBuffers(1, &bo);
> glBindBuffer(GL_ELEMENT_ARRAY_BUFFER, bo);
> glDrawElements(...);
>
> Somewhat surprisingly, the OpenGL spec never states that a draw call that
> goes outside the element/index buffer should flag a GL_INVALID_OPERATION.
> There is also no mention of this in the GL_ARB_robust_buffer_access_behavior
> extension, which is surprising.
>
> The patch you provide may or may not go in the right direction - I'm not
> sure. If we want to check that, we should do it in api_validate.c, but I'm
> not convinced that we should. Meanwhile, that check wouldn't properly fix
> the issue in X-Plane. To work around the bug in X-Plane, you need to run
> with:
>
> MESA_EXTENSION_OVERRIDE=-GL_AMD_pinned_memory ./X-Plane-x86_64 --force_run
>
> which will work with an unmodified driver.
I opened a bug report at X-Plane and will inform you in case they reply.
BTW: Should I open a new bug report for the r600 bug (see below)?

Here is the message I wrote to the X-Plane devs:

Subject: Bug report: Wrong usage of GL_AMD_pinned_memory leads to undefined
result on Mesa drivers
From= v10lator@myway.de
IP= [SNIPPED]
Product= XPlane
Version= 11.11
OS= Linux
Summary= Wrong usage of GL_AMD_pinned_memory leads to undefined behavior on Mesa
drivers
Description= "The bug in X-Plane is that it uses GL_AMD_pinned_memory with a
size that is not a multiple of a page; as per the spec, the driver is allowed
to reject that, and we do (apparently unlike the closed source driver...).
X-Plane doesn't check this error condition, and continues rendering, hence the
crash" - Source: https://bugs.freedesktop.org/show_bug.cgi?id=97909#c5

Similar things as described in the linked bug report are happening on other
Mesa drivers, too. For example see this stacktrace from r600:
[ 1930.559125] general protection fault: 0000 [#1] PREEMPT SMP
[ 1930.559980] Modules linked in: snd_seq_midi snd_usb_audio snd_hwdep snd_usbmidi_lib snd_rawmidi vboxpci(O) vboxnetadp(O) vboxnetflt(O) nfsd vboxdrv(O)
[ 1930.560867] CPU: 2 PID: 646 Comm: kworker/2:2 Tainted: G O 4.13.0 #9
[ 1930.561771] Hardware name: To be filled by O.E.M. To be filled by O.E.M./SABERTOOTH 990FX R2.0, BIOS 2901 05/04/2016
[ 1930.562657] Workqueue: events radeon_mn_destroy
[ 1930.563588] task: ffffa246244e5b00 task.stack: ffffa5f0409a0000
[ 1930.564509] RIP: 0010:__mutex_lock.isra.1+0x82/0x518
[ 1930.565425] RSP: 0018:ffffa5f0409a3d60 EFLAGS: 00010282
[ 1930.566312] RAX: 800000015e292268 RBX: ffffa2435d99c228 RCX: 800000015e29226f
[ 1930.567238] RDX: 800000015e29226f RSI: ffffa246244e5b00 RDI: ffffffffb2a04c10
[ 1930.568174] RBP: ffffa5f0409a3df0 R08: ffffa2435d99c200 R09: 0000000100200007
[ 1930.569124] R10: ffffa5f0409a3e10 R11: ffffa2462c079ac0 R12: ffffa2463ec9c400
[ 1930.570037] R13: ffffa2435d99f9e8 R14: ffffa2463ec98300 R15: 0000000000000002
[ 1930.570982] FS: 0000000000000000(0000) GS:ffffa2463ec80000(0000) knlGS:0000000000000000
[ 1930.571938] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1930.572894] CR2: 0000000000ed7000 CR3: 00000003c8c51000 CR4: 00000000000406e0
[ 1930.573857] Call Trace:
[ 1930.574783] ? __slab_free.isra.68+0x7a/0x210
[ 1930.575744] ? __slab_free.isra.68+0x7a/0x210
[ 1930.576698] ? radeon_mn_destroy+0x3a/0x188
[ 1930.577650] ? radeon_mn_destroy+0x3a/0x188
[ 1930.578577] ? process_one_work+0x151/0x2d0
[ 1930.579515] ? worker_thread+0x1f0/0x380
[ 1930.580450] ? kthread+0xf2/0x128
[ 1930.581381] ? process_one_work+0x2d0/0x2d0
[ 1930.582309] ? kthread_create_on_node+0x40/0x40
[ 1930.583195] ? ret_from_fork+0x22/0x30
[ 1930.584100] Code: 85 c0 0f 84 31 02 00 00 65 48 8b 04 25 80 c2 00 00 48 8b 00 a8 08 75 23 e8 dc be 72 ff 49 8b 45 00 48 83 e0 f8 0f 84 3e 02 00 00 <8b> 58 60 e8 ee be 72 ff 85 db 0f 85 33 02 00 00 65 48 8b 04 25
[ 1930.585083] RIP: __mutex_lock.isra.1+0x82/0x518 RSP: ffffa5f0409a3d60
[ 1930.592739] ---[ end trace 397a922d2c74a9bd ]---
[ 1932.388592] sched: RT throttling activated
[ 1935.978694] note: kworker/2:2[646] exited with preempt_count 1

Steps= Run X-Plane 11 on Linux with Mesa drivers.
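
The application-side checks that the quoted analysis points to, as an added example that is not part of the original message and is not X-Plane or Mesa code: pinned storage sized to whole pages with the driver's error checked, plus an index-range guard before drawing. pin_fn and strict_driver_pin are hypothetical stand-ins for the GL calls and for a driver that rejects unaligned input, so the logic runs without a GL context.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <unistd.h>

#define GL_NO_ERROR          0
#define GL_INVALID_OPERATION 0x0502

/* Hypothetical stand-in for glBufferData(GL_EXTERNAL_VIRTUAL_MEMORY_BUFFER_AMD, ...) + glGetError(). */
typedef unsigned (*pin_fn)(const void *ptr, size_t size);

static size_t page_size(void) { return (size_t)sysconf(_SC_PAGESIZE); }

/* Constructed model of a driver that rejects unaligned pointers and sizes. */
static unsigned strict_driver_pin(const void *ptr, size_t size)
{
    size_t page = page_size();
    if (size == 0 || size % page != 0 || (uintptr_t)ptr % page != 0)
        return GL_INVALID_OPERATION;
    return GL_NO_ERROR;
}

/* Round n up to whole pages; 0 means empty or too large to represent. */
static size_t round_up_to_page(size_t n)
{
    size_t page = page_size();
    if (n == 0 || n > SIZE_MAX - (page - 1))
        return 0;
    return (n + page - 1) / page * page;
}

/* Allocate page-aligned, page-multiple storage and try to pin it. *pinned tells
 * the caller whether to fall back to an ordinary upload. Caller frees. */
static void *alloc_pinned(size_t wanted, pin_fn pin, size_t *size, int *pinned)
{
    *pinned = 0;
    *size = round_up_to_page(wanted);
    void *mem = *size ? aligned_alloc(page_size(), *size) : NULL;
    if (mem != NULL)
        *pinned = (pin(mem, *size) == GL_NO_ERROR); /* the error check the report says is skipped */
    return mem;
}

/* Guard before a draw: do count indices of index_size bytes fit at offset? */
static int index_range_ok(size_t offset, size_t count, size_t index_size, size_t buf_size)
{
    if (index_size == 0 || offset > buf_size)
        return 0;
    return count <= (buf_size - offset) / index_size;
}
```

A buffer that was generated and bound but never given storage has buf_size 0, so index_range_ok refuses any non-empty draw against it.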