Bug 1226390

Summary: [abrt] xorg-x11-server-Xorg: kgem_end_batch(): Xorg killed by SIGSEGV
Product: [Fedora] Fedora Reporter: moshe
Component: xorg-x11-drv-intelAssignee: Adam Jackson <ajax>
Status: CLOSED EOL QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 22CC: agosavi, ajax, amarchuk, cbredesen, eharney, hitesh, mteixeira, qguo, rhaggard, twaugh, vashirov, xgl-maint
Target Milestone: ---Keywords: Patch
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
URL: https://retrace.fedoraproject.org/faf/reports/bthash/a1d82796d45a9b4ba7e8685a48afa13dd74912be
Whiteboard: abrt_hash:695da1cf173b0bb5f5205b54e1b666d3ac127429
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-07-19 14:22:57 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
File: backtrace
none
File: cgroup
none
File: core_backtrace
none
File: dso_list
none
File: environ
none
File: limits
none
File: maps
none
File: mountinfo
none
File: namespaces
none
File: open_fds
none
File: proc_pid_status
none
File: var_log_messages
none
xorg-x11-drv-intel-bluejeans-crash.patch
none
xorg-x11-drv-intel-bluejeans-crash.patch none

Description moshe 2015-05-29 15:47:31 UTC 
Description of problem:
It might have something to do with bluejeans.  Both myself and a colleage were in a bluejeans meeting and X crashed twice during the meeting for both of us at the same time.  

Version-Release number of selected component:
xorg-x11-server-Xorg-1.17.1-12.fc22

Additional info:
reporter:       libreport-2.5.1
backtrace_rating: 4
cmdline:        /usr/libexec/Xorg vt2 -displayfd 3 -auth /run/user/1000/gdm/Xauthority -nolisten tcp -background none -noreset -keeptty -verbose 3
crash_function: kgem_end_batch
executable:     /usr/libexec/Xorg
global_pid:     8328
kernel:         4.0.4-301.fc22.x86_64
runlevel:       N 5
type:           CCpp
uid:            1000

Truncated backtrace:
Thread no. 1 (10 frames)
 #0 kgem_end_batch at kgem.c:2282
 #1 _kgem_submit at kgem.c:3852
 #2 kgem_submit at kgem.h:378
 #3 sna_accel_leave at sna_accel.c:18139
 #4 sna_leave_vt at sna_driver.c:900
 #5 glxDRILeaveVT at glxdri2.c:839
 #11 sna_blt_copy_boxes at sna_blt.c:3861
 #12 gen7_render_copy_boxes at gen7_render.c:2964
 #13 __sna_dri2_copy_region at sna_dri2.c:1176
 #14 dri2_copy_region at dri2.c:871
Comment 1 moshe 2015-05-29 15:47:33 UTC 
Created attachment 1032170 [details]
File: backtrace
Comment 2 moshe 2015-05-29 15:47:34 UTC 
Created attachment 1032171 [details]
File: cgroup
Comment 3 moshe 2015-05-29 15:47:35 UTC 
Created attachment 1032172 [details]
File: core_backtrace
Comment 4 moshe 2015-05-29 15:47:35 UTC 
Created attachment 1032173 [details]
File: dso_list
Comment 5 moshe 2015-05-29 15:47:36 UTC 
Created attachment 1032174 [details]
File: environ
Comment 6 moshe 2015-05-29 15:47:37 UTC 
Created attachment 1032175 [details]
File: limits
Comment 7 moshe 2015-05-29 15:47:38 UTC 
Created attachment 1032176 [details]
File: maps
Comment 8 moshe 2015-05-29 15:47:39 UTC 
Created attachment 1032177 [details]
File: mountinfo
Comment 9 moshe 2015-05-29 15:47:39 UTC 
Created attachment 1032178 [details]
File: namespaces
Comment 10 moshe 2015-05-29 15:47:40 UTC 
Created attachment 1032179 [details]
File: open_fds
Comment 11 moshe 2015-05-29 15:47:41 UTC 
Created attachment 1032180 [details]
File: proc_pid_status
Comment 12 moshe 2015-05-29 15:47:41 UTC 
Created attachment 1032181 [details]
File: var_log_messages
Comment 13 Eric Harney 2015-06-04 14:49:20 UTC 
Another user experienced a similar problem:

Crashed while loading bluejeans.com plugins in Firefox.

reporter:       libreport-2.5.1
backtrace_rating: 4
cmdline:        /usr/libexec/Xorg vt2 -displayfd 3 -auth /run/user/1000/gdm/Xauthority -nolisten tcp -background none -noreset -keeptty -verbose 3
crash_function: kgem_end_batch
executable:     /usr/libexec/Xorg
global_pid:     3350
kernel:         4.0.4-303.fc22.x86_64
package:        xorg-x11-server-Xorg-1.17.1-12.fc22
reason:         Xorg killed by SIGSEGV
runlevel:       N 5
type:           CCpp
uid:            1000
Comment 14 Tim Waugh 2015-06-17 15:25:41 UTC 
Another user experienced a similar problem:

Happened while using bluejeans (video conferencing) in Firefox.

reporter:       libreport-2.5.1
backtrace_rating: 4
cmdline:        /usr/libexec/Xorg vt2 -displayfd 3 -auth /run/user/1000/gdm/Xauthority -nolisten tcp -background none -noreset -keeptty -verbose 3
crash_function: kgem_end_batch
executable:     /usr/libexec/Xorg
global_pid:     1928
kernel:         4.0.4-303.fc22.x86_64
package:        xorg-x11-server-Xorg-1.17.1-14.fc22
reason:         Xorg killed by SIGSEGV
runlevel:       N 5
type:           CCpp
uid:            1000
Comment 15 Viktor Ashirov 2015-06-19 09:00:22 UTC 
The crash can be reliably reproduced with:
bjnplugin-2.100.41.8-1.x86_64
rbjnplugin-2.90.616.8-1.x86_64

To reproduce:
1. Dial-in in bluejeans conference.
2. Other person starts sharing screen.
3. Other person stops sharing screen. At this point my server crashes.
Comment 16 moshe 2015-06-26 14:36:25 UTC 
Another user experienced a similar problem:

I was having a team meeting with bluejeans via firefox and the bluejeans plugin ( npbjnplugin_2.100.41.8.so ).  A coworker stopped sharing his screen in the meeting and Xorg crashed.  Others in the meeting also had crashes.  Sometimes X crashes, sometimes it is gnome-session.  This is apparently a known issue with bluejeans support.  Uploading this BZ so they can have more info.

reporter:       libreport-2.6.0
backtrace_rating: 4
cmdline:        /usr/libexec/Xorg vt2 -displayfd 3 -auth /run/user/1000/gdm/Xauthority -nolisten tcp -background none -noreset -keeptty -verbose 3
crash_function: kgem_end_batch
executable:     /usr/libexec/Xorg
global_pid:     1996
kernel:         4.0.5-300.fc22.x86_64
package:        xorg-x11-server-Xorg-1.17.2-1.fc22
reason:         Xorg killed by SIGSEGV
runlevel:       N 5
type:           CCpp
uid:            1000
Comment 17 Amit Gosavi- BlueJeans 2015-07-20 09:41:58 UTC 
Analysis by BlueJeans Dev Team##
Crash seems to happen @ API glXSwapBuffers(display_, window_); in file glx_renderer.cc.
Disabling glx extension (GLX_MESA_swap_control) seems to solve the crash issue, i.e. following code was disabled:

PFNGLXSWAPINTERVALEXTPROC glXSwapIntervalEXT_ = NULL;
PFNGLXSWAPINTERVALMESAPROC glXSwapIntervalMESA_ = NULL;

std::string extString;
const char* exts = glXQueryExtensionsString(display_, 0);
if (exts)
{ extString = exts; }

if (extString.find("GLX_EXT_swap_control") != std::string::npos)
{ glXSwapIntervalEXT_ = reinterpret_cast<PFNGLXSWAPINTERVALEXTPROC>( glXGetProcAddress((const GLubyte *)"glXSwapIntervalEXT")); }

else if (extString.find("GLX_MESA_swap_control") != std::string::npos)
{ glXSwapIntervalMESA_ = reinterpret_cast<PFNGLXSWAPINTERVALMESAPROC>( glXGetProcAddress((const GLubyte *)"glXSwapIntervalMESA")); }

if (glXSwapIntervalEXT_)
{ glXSwapIntervalEXT_(display_, window_, 0); }

else if (glXSwapIntervalMESA_)
{ glXSwapIntervalMESA_(0); }

else
{ LOG(LS_INFO) <<"GLX does not support GLX_EXT_swap_control or GLX_MESA_swap_control"; }

From Red Hat Team, If we can get any details with respect to above fix, that would be helpful for our Team to better handle it in future.
Comment 18 Tim Waugh 2015-07-23 21:04:23 UTC 
This seems to be a bug in the Intel driver. Actually, there are several bugs.
Comment 19 Tim Waugh 2015-07-23 21:08:32 UTC 
Created attachment 1055505 [details]
xorg-x11-drv-intel-bluejeans-crash.patch

I can't reproduce the crash with this patch.

* gen7_render_copy_boxes() can sometimes be called with n==0. I've included a work-around to make it handled this, but really the fix should be to avoid it being called in this situation.

* kgem_batch_space() calculated space incorrectly: if there was less than the reserved amount left it would return a negative int.

* sna_blt_copy_boxes() assumed there would always be space for a box. I don't think this can be guaranteed but I may be reading the code wrong.

Hopefully this is enough for someone who knows the code better to fix it properly.
Comment 20 Tim Waugh 2015-07-23 23:09:48 UTC 
Created attachment 1055522 [details]
xorg-x11-drv-intel-bluejeans-crash.patch

The fix for kgem_batch_space() wasn't right in the last patch (which I guess means the fix isn't required to prevent this crash). I've attached a fixed version anyway.
Comment 21 Amit Gosavi- BlueJeans 2015-07-24 08:56:57 UTC 
Hello Red Hat Team,

We will be delivering an updated Browser plugin version (with above fix) by end of this week. The repo will be updated with the latest plugin version.
Comment 22 Tim Waugh 2015-07-24 14:06:17 UTC 
Just to clarify: the patch above is for the Intel graphics driver for xorg-x11. Something the BlueJeans plugin does triggers this crash, but it's not the fault of the BlueJeans plugin as far as I can tell.
Comment 23 Tim Waugh 2015-07-31 08:48:14 UTC 
Note: to reproduce this now, you'll need to use an older version of the plugin package:
https://swdl.bluejeans.com/repos/bluejeans/x86_64/release/rpm/bjnplugin_2.100.85.8-1.x86_64.rpm
Comment 28 Fedora End Of Life 2016-07-19 14:22:57 UTC 
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.