Bug#562585: bug is in mesa unichrome driver

To: 562585@bugs.debian.org, control@bugs.debian.org
Subject: Bug#562585: bug is in mesa unichrome driver
From: Julien Viard de Galbert <julien@vdg.blogsite.org>
Date: Wed, 11 Aug 2010 13:00:18 +0200
Message-id: <[🔎] 20100811110018.GC17563@vdg.blogsite.org>
Mail-followup-to: Julien Viard de Galbert <julien@vdg.blogsite.org>, 562585@bugs.debian.org, control@bugs.debian.org
Reply-to: Julien Viard de Galbert <julien@vdg.blogsite.org>, 562585@bugs.debian.org

reassign 562585 libgl1-mesa-dri
retitle 562585 mesa [Drivers/DRI/Unichrome]:
"_mesa_reference_renderbuffer: Assertion `oldRb->Magic == 0xaabbccdd'
failed."

thanks

Trying to reproduce this bug I fell in the following assert:
_mesa_reference_renderbuffer: Assertion `oldRb->Magic == 0xaabbccdd'
failed.
Also the previous gdb trace by Vaclav Juza also stop on this assert.
(this looks like bug#550992 but I could not found reference to
unichrome/openchrome there except in message #60, so I did not merge the
two bugs)

The `Magic' field is used to check for the validity of the structure,
and it appears that when it's freed using viaDestroyBuffer it's no
longer valid. Something must have corrupted it...
To find what was going on, I used gdb, and placed a watchpoint on the
Magic's address. It appeared that the location is written to 0 by a free
in viaDestroyContext.
Just checked the via_context struct in
mesa/drivers/dri/unichrome/via_context.h and it include some
via_renderbuffer structs (with a comment saying they don't belong here,
but still they are!). So freeing the via_context will also free the
memory used by those renderbuffers, then when the renderbuffer in freed
normally, it's already wrong... so it crashes.

Find attached the log of the gdb session.

Regards
-- 
Julien Viard de Galbert                        <julien@vdg.blogsite.org>
http://silicone.homelinux.org/           <julien@silicone.homelinux.org>

GNU gdb (GDB) 7.1-debian
[...]
(gdb) b _mesa_init_renderbuffer
Breakpoint 1 at 0xb0fd75c5: file main/renderbuffer.c, line 1404.
(gdb) c
Continuing.

Breakpoint 1, _mesa_init_renderbuffer (rb=0x89c1954, name=0) at main/renderbuffer.c:1404
(gdb) p /x rb
$3 = 0x89c1954
(gdb) watch ((struct gl_renderbuffer*)0x89c1954)->Magic
Hardware watchpoint 2: ((struct gl_renderbuffer*)0x89c1954)->Magic
(gdb) c
Continuing.
Hardware watchpoint 2: ((struct gl_renderbuffer*)0x89c1954)->Magic
Old value = 0
New value = -1430532899
_mesa_init_renderbuffer (rb=0x89c1954, name=0) at main/renderbuffer.c:1407
(gdb) c
Continuing.
Hardware watchpoint 2: ((struct gl_renderbuffer*)0x89c1954)->Magic
Old value = -1430532899
New value = 0
0xb74ab444 in ?? () from /lib/libc.so.6
(gdb) bt
#0  0xb74ab444 in ?? () from /lib/libc.so.6
#1  0xb74aea1d in free () from /lib/libc.so.6
#2  0xb0fc5263 in _mesa_free (ptr=0x89c1948) at main/imports.c:92
#3  0xb0f3d5af in viaDestroyContext (driContextPriv=0x89d9720) at via_context.c:723
#4  0xb0f34374 in driDestroyContext (pcp=0x89d9720) at ../common/dri_util.c:546
#5  0xb7320229 in __glXDRIcontextDestroy (baseContext=0x89d8f28) at ../../glx/glxdri.c:293
#6  0xb73156b1 in __glXFreeContext (cx=0x89d8f28) at ../../glx/glxext.c:211
#7  0xb731570b in ContextGone (cx=0xb75803d0, id=18874394) at ../../glx/glxext.c:110
#8  0x08089962 in FreeResourceByType (id=18874394, type=56, skipFree=0) at ../../dix/resource.c:592
#9  0xb7311d17 in __glXDisp_DestroyContext (cl=0x885e8c8, pc=0x8b41500 "\232\004\002") at ../../glx/glxcmds.c:371
#10 0xb73159e2 in __glXDispatch (client=0x8883dd8) at ../../glx/glxext.c:578
#11 0x08080067 in Dispatch () at ../../dix/dispatch.c:439
#12 0x0806692a in main (argc=6, argv=0xbfffe944, envp=0xbfffe960) at ../../dix/main.c:285
(gdb) del 2
(gdb) c
Continuing.

Program received signal SIGABRT, Aborted.
0xb7469537 in raise () from /lib/libc.so.6
(gdb) bt
#0  0xb7469537 in raise () from /lib/libc.so.6
#1  0xb746c922 in abort () from /lib/libc.so.6
#2  0xb7462727 in __assert_fail () from /lib/libc.so.6
#3  0xb0fd8b73 in _mesa_reference_renderbuffer (ptr=0x8b412f8, rb=0x0) at main/renderbuffer.c:2067
#4  0xb0fa8330 in _mesa_free_framebuffer_data (fb=0x8b411d0) at main/framebuffer.c:200
#5  0xb0fa8252 in _mesa_destroy_framebuffer (fb=0x8b411d0) at main/framebuffer.c:177
#6  0xb0fa8449 in _mesa_reference_framebuffer (ptr=0x8b41164, fb=0x0) at main/framebuffer.c:241
#7  0xb0f44c5c in viaDestroyBuffer (driDrawPriv=0x8b41160) at via_screen.c:315
#8  0xb0f342e0 in dri_put_drawable (pdp=0x8b41160) at ../common/dri_util.c:508
#9  0xb0f34349 in driDestroyDrawable (pdp=0x8b41160) at ../common/dri_util.c:524
#10 0xb731f8a8 in __glXDRIdrawableDestroy (drawable=0x8b41110) at ../../glx/glxdri.c:234
#11 0xb7315b98 in DrawableGone (glxPriv=0x8b41110, xid=18874396) at ../../glx/glxext.c:163
#12 0x0808a2e2 in FreeResource (id=18874396, skipDeleteFuncType=0) at ../../dix/resource.c:556
#13 0x0807cabc in ProcDestroyWindow (client=0x8883dd8) at ../../dix/dispatch.c:745
#14 0x08080067 in Dispatch () at ../../dix/dispatch.c:439
#15 0x0806692a in main (argc=6, argv=0xbfffe944, envp=0xbfffe960) at ../../dix/main.c:285
(gdb) p /x *0x8b412f8
$14 = 0x89c1954
(gdb)

Reply to:

Follow-Ups:
- Processed (with 2 errors): bug is in mesa unichrome driver
  - From: owner@bugs.debian.org (Debian Bug Tracking System)

Prev by Date: Bug#592434: xserver-xorg-core: Broken GLX causes flash to crash when switching to full screen
Next by Date: Processed (with 2 errors): bug is in mesa unichrome driver
Previous by thread: Bug#578243: patch
Next by thread: Processed (with 2 errors): bug is in mesa unichrome driver
Index(es):
- Date
- Thread