Bug 855412

Summary: [abrt] xorg-x11-server-Xorg-1.12.3-1.fc17: Xorg server crashed
Product: [Fedora] Fedora Reporter: Rob Clark <robdclark>
Component: xorg-x11-serverAssignee: X/OpenGL Maintenance List <xgl-maint>
Status: CLOSED WONTFIX QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 17CC: xgl-maint
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:7f2eff342ae029e2236c045f8272bdeba74a05f4
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-08-01 19:24:42 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
File: usr_share_xorg_conf_d.tar.gz
none
File: etc_X11_xorg_conf_d.tar.gz none

Description Rob Clark 2012-09-07 16:28:59 UTC 
Description of problem:
seems pretty easy to trigger..  a couple minutes w/ firefox will trigger it

Version-Release number of selected component:
xorg-x11-server-Xorg-1.12.3-1.fc17

Additional info:
libreport version: 2.0.13
abrt_version:   2.0.12
kernel:         3.5.3-1.fc17.x86_64

backtrace:
:0: /usr/bin/Xorg (xorg_backtrace+0x36) [0x4652a6]
:1: /usr/bin/Xorg (mieqEnqueue+0x26b) [0x5514ab]
:2: /usr/bin/Xorg (0x400000+0x47f02) [0x447f02]
:3: /usr/bin/Xorg (xf86PostMotionEvent+0xd0) [0x490070]
:4: /usr/lib64/xorg/modules/input/synaptics_drv.so (0x7ff106df1000+0x5025) [0x7ff106df6025]
:5: /usr/lib64/xorg/modules/input/synaptics_drv.so (0x7ff106df1000+0x6f44) [0x7ff106df7f44]
:6: /usr/bin/Xorg (0x400000+0x80787) [0x480787]
:7: /usr/bin/Xorg (0x400000+0xa4a80) [0x4a4a80]
:8: /lib64/libpthread.so.0 (0x32b0600000+0xefe0) [0x32b060efe0]
:9: /usr/bin/Xorg (0x400000+0x6ab70) [0x46ab70]
:10: /lib64/libpthread.so.0 (0x32b0600000+0xefe0) [0x32b060efe0]
:11: /lib64/libc.so.6 (ioctl+0x7) [0x32b02ea2f7]
:12: /lib64/libdrm.so.2 (drmIoctl+0x28) [0x32c8e03548]
:13: /lib64/libdrm.so.2 (drmCommandWrite+0x1b) [0x32c8e0577b]
:14: /lib64/libdrm_nouveau.so.1 (0x7ff10a7df000+0x3085) [0x7ff10a7e2085]
:15: /lib64/libdrm_nouveau.so.1 (nouveau_bo_map_range+0x103) [0x7ff10a7e26b3]
:16: /usr/lib64/xorg/modules/drivers/nouveau_drv.so (0x7ff10a9e5000+0x6718) [0x7ff10a9eb718]
:17: /usr/lib64/xorg/modules/libexa.so (0x7ff109d93000+0x5a7b) [0x7ff109d98a7b]
:18: /usr/lib64/xorg/modules/libexa.so (0x7ff109d93000+0x7f30) [0x7ff109d9af30]
:19: /usr/lib64/xorg/modules/libexa.so (0x7ff109d93000+0x11f68) [0x7ff109da4f68]
:20: /usr/lib64/xorg/modules/libexa.so (0x7ff109d93000+0xe898) [0x7ff109da1898]
:21: /usr/bin/Xorg (0x400000+0x102109) [0x502109]
:22: /usr/bin/Xorg (0x400000+0xfb074) [0x4fb074]
:23: /usr/bin/Xorg (0x400000+0x3444a) [0x43444a]
:24: /usr/bin/Xorg (0x400000+0x23485) [0x423485]
:25: /lib64/libc.so.6 (__libc_start_main+0xf5) [0x32b0221735]
:26: /usr/bin/Xorg (0x400000+0x2375d) [0x42375d]
Comment 1 Rob Clark 2012-09-07 16:29:01 UTC 
Created attachment 610794 [details]
File: usr_share_xorg_conf_d.tar.gz
Comment 2 Rob Clark 2012-09-07 16:29:03 UTC 
Created attachment 610795 [details]
File: etc_X11_xorg_conf_d.tar.gz
Comment 3 Rob Clark 2012-09-14 15:26:33 UTC 
doesn't quite look like the same backtrace (assuming what xorg_backtrace generates is correct), but w/ gdb connected plus debug syms, I get a backtrace which is potentially more useful:

----


Program received signal SIGSEGV, Segmentation fault.
0x00007f26b799406a in memcpy (__len=1054, __src=0x187a9a0, __dest=0x0) at /usr/include/bits/string3.h:52
warning: Source file is more recent than executable.
52	  return __builtin___memcpy_chk (__dest, __src, __len, __bos0 (__dest));
(gdb) bt
#0  0x00007f26b799406a in memcpy (__len=1054, __src=0x187a9a0, __dest=0x0) at /usr/include/bits/string3.h:52
#1  nouveau_exa_upload_to_screen (pdpix=pdpix@entry=0x18560e0, x=0, y=0, w=1054, h=32, src=0x187a9a0 "", src_pitch=1056) at nouveau_exa.c:278
#2  0x00007f26b6d41a7b in exaCopyDirty (migrate=<optimized out>, pValidDst=0x1856180, pValidSrc=0x1856170, transfer=0x7f26b7993e80 <nouveau_exa_upload_to_screen>, fallback_index=0, sync=0)
    at exa_migration_classic.c:220
#3  0x00007f26b6d43c75 in exaDoMigration_mixed (pixmaps=0x7fffb780c350, npixmaps=25668000, can_accel=-1225448672) at exa_migration_mixed.c:118
#4  0x00007f26b6d4a15d in exaTryDriverComposite (op=op@entry=3 '\003', pSrc=pSrc@entry=0xdf23d0, pMask=pMask@entry=0x18561b0, pDst=pDst@entry=0x1855c00, xSrc=xSrc@entry=3, ySrc=ySrc@entry=1, 
    xMask=xMask@entry=0, yMask=yMask@entry=0, xDst=xDst@entry=3, yDst=1, width=width@entry=1054, height=height@entry=32) at exa_render.c:719
#5  0x00007f26b6d4ab1a in exaComposite (op=3 '\003', pSrc=0xdf23d0, pMask=0x18561b0, pDst=0x1855c00, xSrc=3, ySrc=1, xMask=0, yMask=0, xDst=3, yDst=<optimized out>, width=1054, height=32)
    at exa_render.c:1006
#6  0x0000000000502109 in damageComposite (op=3 '\003', pSrc=0xdf23d0, pMask=0x18561b0, pDst=0x1855c00, xSrc=3, ySrc=1, xMask=0, yMask=0, xDst=3, yDst=1, width=1054, height=32) at damage.c:562
#7  0x00007f26b6d4b95f in exaTrapezoids (op=3 '\003', pSrc=0xdf23d0, pDst=0x1855c00, maskFormat=<optimized out>, xSrc=6, ySrc=<optimized out>, ntrap=<optimized out>, traps=0x1eaf158)
    at exa_render.c:1149
#8  0x00000000004fbc4b in ProcRenderTrapezoids (client=0xddec30) at render.c:758
#9  0x000000000043444a in Dispatch () at dispatch.c:428
#10 0x0000000000423485 in main (argc=10, argv=0x7fffb780c808, envp=<optimized out>) at main.c:288

-----

I'm not quite sure that I have exact matching src for xf86-video-nouveau, but that looks to be crashing here:

	while (h) {
		lines = max_lines;
		if (lines > h)
			lines = h;

		nouveau_bo_map(pNv->GART, NOUVEAU_BO_WR, pNv->client);
		if (src_pitch == tmp_pitch) {
==>			memcpy(pNv->GART->map, src, src_pitch * lines);
			src += src_pitch * lines;
		} else {


-----

from dmesg:

[52760.051543] ACPI: EC: GPE storm detected, transactions will use polling mode
[602559.219701] [drm:drm_debugfs_create_files] *ERROR* Cannot create /sys/kernel/debug/dri/channel/4
[602559.823271] [drm:drm_debugfs_create_files] *ERROR* Cannot create /sys/kernel/debug/dri/channel/4
[602567.068143] SELinux: initialized (dev fuse, type fuse), uses genfs_contexts
[602660.248124] [drm] nouveau 0000:03:00.0: PGRAPH_TRAP_TPDMA_RT - TP 0 - Unknown fault at address 00212db400
[602660.248129] [drm] nouveau 0000:03:00.0: PGRAPH_TRAP_TPDMA_RT - TP 0 - e0c: 00000000, e18: 00000000, e1c: 00100002, e20: 00002a00, e24: 00030000
[602660.248131] [drm] nouveau 0000:03:00.0: PGRAPH - TRAP
[602660.248134] [drm] nouveau 0000:03:00.0: PGRAPH - ch 2 (0x0000910000) subc 7 class 0x8397 mthd 0x15e0 data 0x00000000
[602660.248144] [drm] nouveau 0000:03:00.0: VM: trapped write at 0x00212db400 on ch 2 [0x00000910] PGRAPH/PROP/RT0 reason: PAGE_NOT_PRESENT

so I guess the map of the buffer fails, triggering this.
Comment 4 Rob Clark 2012-10-10 20:23:39 UTC 
from #nouveau:

<RSpliet> right, I think I've heard of more problems regarding NVAC(/NVAA/NVAF?) and nouveau
 something seems to be going wrong with stolen mem
 since the big massive rewrite... not sure if that's even landed in Fedora yet though... think not
 anyway, please add to the bug report the fact that it's an NVAC ;)
Comment 5 Adam Jackson 2012-10-18 21:46:46 UTC 
Please update to at least xorg-x11-server-1.12.3-2.fc17 and reopen if this is still reproduceable.
Comment 6 Rob Clark 2012-10-19 04:22:20 UTC 
fwiw:

----
Loaded plugins: auto-update-debuginfo, langpacks, presto, refresh-packagekit
Installed Packages
xorg-x11-server-Xephyr.x86_64           1.12.3-2.fc17         @updates          
xorg-x11-server-Xorg.x86_64             1.12.3-2.fc17         @updates          
xorg-x11-server-common.x86_64           1.12.3-2.fc17         @updates          
xorg-x11-server-debuginfo.x86_64        1.12.3-1.fc17         @updates-debuginfo
xorg-x11-server-utils.x86_64            7.5-12.fc17           @anaconda-0       
----

do you think stuff like:

----
[ 1061.350226] [drm] nouveau 0000:03:00.0: PGRAPH - TRAP_TEXTURE - TP0: Unhandled ustatus 0x00000003
[ 1061.350232] [drm] nouveau 0000:03:00.0: PGRAPH_TRAP_TPDMA_RT - TP 0 - Unknown fault at address 00213d6400
[ 1061.350234] [drm] nouveau 0000:03:00.0: PGRAPH_TRAP_TPDMA_RT - TP 0 - e0c: 00000000, e18: 00000000, e1c: 00100002, e20: 00002a00, e24: 00030000
[ 1061.350235] [drm] nouveau 0000:03:00.0: PGRAPH - TRAP
[ 1061.350238] [drm] nouveau 0000:03:00.0: PGRAPH - ch 4 (0x0001990000) subc 7 class 0x8397 mthd 0x15e0 data 0x00000000
[ 1061.350244] [drm] nouveau 0000:03:00.0: VM: trapped write at 0x00213d6400 on ch 4 [0x00001990] PGRAPH/PROP/RT0 reason: PAGE_NOT_PRESENT
[ 1061.350250] [drm] nouveau 0000:03:00.0: magic set 0:
[ 1061.350252] [drm] nouveau 0000:03:00.0:      0x00408604: 0x20096208
[ 1061.350253] [drm] nouveau 0000:03:00.0:      0x00408608: 0x00213ddf
[ 1061.350255] [drm] nouveau 0000:03:00.0:      0x0040860c: 0x80000e00
[ 1061.350257] [drm] nouveau 0000:03:00.0:      0x00408610: 0x3d600000
[ 1061.350258] [drm] nouveau 0000:03:00.0: PGRAPH - TRAP_TEXTURE - TP0: Unhandled ustatus 0x00000003
[ 1061.350259] [drm] nouveau 0000:03:00.0: PGRAPH - TRAP
[ 1061.350262] [drm] nouveau 0000:03:00.0: PGRAPH - ch 4 (0x0001990000) subc 2 class 0x502d mthd 0x08dc data 0x00000000
[ 1061.350268] [drm] nouveau 0000:03:00.0: VM: trapped read at 0x00213db600 on ch 4 [0x00001990] PGRAPH/TEXTURE/00 reason: PAGE_NOT_PRESENT
[ 1171.572658] [drm] nouveau 0000:03:00.0: PGRAPH_TRAP_TPDMA_2D - TP 0 - Unknown fault at address 004467c400
[ 1171.572663] [drm] nouveau 0000:03:00.0: PGRAPH_TRAP_TPDMA_2D - TP 0 - e0c: 00000000, e18: 00000000, e1c: 03100500, e20: 00000011, e24: 0c030000
[ 1171.572665] [drm] nouveau 0000:03:00.0: PGRAPH - TRAP
[ 1171.572669] [drm] nouveau 0000:03:00.0: PGRAPH - ch 4 (0x0001990000) subc 2 class 0x502d mthd 0x024c data 0x00000313
[ 1171.572676] [drm] nouveau 0000:03:00.0: VM: trapped read at 0x00213d6900 on ch 4 [0x00001990] PGRAPH/TEXTURE/00 reason: PAGE_NOT_PRESENT
----

is a symptom of some bogus cmdstream from userspace, or something going wrong in buffer mapping on kernel side?  RSpliet mentioned potential issue w/ stolen mem?

Fwiw, atm the kernel I have:

----
Linux laptop 3.5.4-2.fc17.x86_64 #1 SMP Wed Sep 26 21:58:50 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
----

I'd tried briefly to build latest (as of a week or two ago.. commit 11573aa) from:

git://anongit.freedesktop.org/nouveau/linux-2.6

although it didn't boot.. but I didn't spend too long on that.

Anyways, let me know what is more useful, spending time w/ latest kernel vs latest xf86-video-nouveau or mesa.  It's my old (ie. not primary) laptop so no problem to experiment.. but useful to know what areas to dig into more (kernel or userspace)..
Comment 7 Fedora End Of Life 2013-07-04 07:22:07 UTC 
This message is a reminder that Fedora 17 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 17. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '17'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 17's end of life.

Bug Reporter:  Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 17 is end of life. If you 
would still like  to see this bug fixed and are able to reproduce it 
against a later version  of Fedora, you are encouraged  change the 
'version' to a later Fedora version prior to Fedora 17's end of life.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
Comment 8 Fedora End Of Life 2013-08-01 19:24:46 UTC 
Fedora 17 changed to end-of-life (EOL) status on 2013-07-30. Fedora 17 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.