Bug#282645: xserver-xfree86 nv xaa crash on nvidia tnt2 64

[Branden Robinson <branden@debian.org>]

retitle 282645 xserver-xfree86: [nv] SEGV in NVDmaWait() when using XAA on NV5M64 [RIVA TNT2 Model 64/Model 64 Pro] rev 21
severity 282645 important
tag 282645 + upstream moreinfo help
thanks

On Tue, Nov 23, 2004 at 04:25:27PM +0100, Joost Kooij wrote:
> Package: xserver-xfree86
> Architecture: i386
> Version: 4.3.0.dfsg.1-8
> 
> Hi,
> 
> The xserver-xfree86 nv module crashes on my no-name Nvidia TNT2 64 card.
> 
> Included below is:
> -backtrace obtained from xserver-xfree86-dbg package;
> -/var/log/XFree86.log
> 
> If you need more information from me, just ask.

Thank you for the detailed report!

It would be nice to have your XF86Config-4, just for completeness.

I assume from the title of your report that the problem goes away if you
specify 'Option "NoAccel"' in the "Device" section of your XF86Config-4?

Here's the relevant part of the source code:

   117  /* There is a HW race condition with videoram command buffers.
   118     You can't jump to the location of your put offset.  We write put
   119     at the jump offset + SKIPS dwords with noop padding in between
   120     to solve this problem */
   121  #define SKIPS  8
   122
   123  void
   124  NVDmaWait (
   125     NVPtr pNv,
   126     int size
   127  ){
   128      int dmaGet;
   129
   130      size++;
   131
   132      while(pNv->dmaFree < size) {
   133         dmaGet = READ_GET(pNv);
   134
   135         if(pNv->dmaPut >= dmaGet) {
   136             pNv->dmaFree = pNv->dmaMax - pNv->dmaCurrent;
   137             if(pNv->dmaFree < size) {
   138                 NVDmaNext(pNv, 0x20000000);
   139                 if(dmaGet <= SKIPS) {
   140                     if(pNv->dmaPut <= SKIPS) /* corner case - will be idle */
   141                        WRITE_PUT(pNv, SKIPS + 1);
   142                     do { dmaGet = READ_GET(pNv); }
   143                     while(dmaGet <= SKIPS);
   144                 }
   145                 WRITE_PUT(pNv, SKIPS);
   146                 pNv->dmaCurrent = pNv->dmaPut = SKIPS;
   147                 pNv->dmaFree = dmaGet - (SKIPS + 1);
   148             }
   149         } else
   150             pNv->dmaFree = dmaGet - pNv->dmaCurrent - 1;
   151      }
   152  }

This sort of problem is way over my head.  Tagging "help".

> (gdb) bt full
> #0  0x080de288 in NVDmaWait (pNv=0x8b6c060, size=2) at nv_xaa.c:138
> 	dmaGet = 0
> #1  0x080def8f in NVSetupForMono8x8PatternFill (pScrn=0x8b6bb68, patternx=-289677961, patterny=-289677961, fg=-16777216, bg=-1, 
>     rop=3, planemask=4278190080) at nv_xaa.c:390
> 	pNv = 0x8b6c060
> #2  0x08382def in XAAFillMono8x8PatternRectsScreenOrigin (pScrn=0x8b6bb68, fg=0, bg=16777215, rop=3, planemask=4294967295, 
>     nBox=1, pBox=0xbffffcf0, pattern0=-289677961, pattern1=-289677961, xorigin=0, yorigin=0) at xaaFillRect.c:438
> 	infoRec = 0x8b6e860
> 	patx = -289677961
> 	paty = -289677961
> 	xorg = -289677961
> 	yorg = -289677961
> #3  0x083907e3 in XAAPaintWindow (pWin=0x8b9e790, prgn=0xbffffcf0, what=0) at xaaPaintWin.c:137
> 	pPriv = 0x8c5caac
> 	NoCache = 0
> 	xorg = 0
> 	pBgWin = 0x8b9e790
> 	yorg = 0
> 	pScreen = 0x8b6d968
> 	infoRec = 0x8b6e860
> 	nBox = 1
> 	pBox = 0xbffffcf0
> 	fg = -1
> 	pPix = 0x8c5ca78
> #4  0x0863a5c9 in miSpritePaintWindowBackground (pWin=0x8b9e790, pRegion=0xbffffcf0, what=0) at misprite.c:845
> 	pScreen = 0x8b6d968
> 	pScreenPriv = 0x8b81990
> #5  0x0861c489 in miWindowExposures (pWin=0x8b9e790, prgn=0xbffffcf0, other_exposed=0x0) at miexpose.c:536
> 	expRec = {extents = {x1 = 0, y1 = 0, x2 = -848, y2 = -16385}, data = 0x8c5ca78}
> 	clientInterested = 0
> 	exposures = 0xbffffcf0
> #6  0x0849ee99 in xf86XVWindowExposures (pWin=0x8b9e790, reg1=0xbffffcf0, reg2=0x0) at xf86xv.c:1035
> 	pScreen = 0x8b6d968
> 	ScreenPriv = 0x8b80f38
> 	WinPriv = 0x0
> 	pPrev = 0xbffffcc0
> 	pPriv = 0x0
> 	AreasExposed = 0
> #7  0x08507fad in MapWindow (pWin=0x8b9e790, client=0x8b5eb60) at window.c:2867
> 	temp = {extents = {x1 = 0, y1 = 0, x2 = 640, y2 = 480}, data = 0x0}
> 	pScreen = 0x8b6d968
> 	pParent = 0x0
> 	dosave = 0
> 	pLayerWin = 0x8b9e1f0
> #8  0x08503394 in InitRootWindow (pWin=0x8b9e790) at window.c:520
> 	pScreen = 0x8b6d968
> #9  0x084f5862 in main (argc=1, argv=0xbffffe34, envp=0xbffffe3c) at main.c:454
> 	i = 0
> 	j = 2
> 	k = 2
> 	error = -1208181990
> 	xauthfile = 0x0
> 	alwaysCheckForInput = {0, 1}
> (gdb) The program is running.  Exit anyway? (y or n) y

-- 
G. Branden Robinson                |     I'm a firm believer in not drawing
Debian GNU/Linux                   |     trend lines before you have data
branden@debian.org                 |     points.
http://people.debian.org/~branden/ |     -- Tim Ottinger

Attachment: signature.asc
Description: Digital signature