Bug 855412 - [abrt] xorg-x11-server-Xorg-1.12.3-1.fc17: Xorg server crashed
[abrt] xorg-x11-server-Xorg-1.12.3-1.fc17: Xorg server crashed
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: xorg-x11-server (Show other bugs)
17
x86_64 Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: X/OpenGL Maintenance List
Fedora Extras Quality Assurance
abrt_hash:7f2eff342ae029e2236c045f827...
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-09-07 12:28 EDT by Rob Clark
Modified: 2013-08-01 15:24 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-08-01 15:24:42 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
File: usr_share_xorg_conf_d.tar.gz (1.55 KB, text/plain)
2012-09-07 12:29 EDT, Rob Clark
no flags Details
File: etc_X11_xorg_conf_d.tar.gz (382 bytes, text/plain)
2012-09-07 12:29 EDT, Rob Clark
no flags Details

  None (edit)
Description Rob Clark 2012-09-07 12:28:59 EDT
Description of problem:
seems pretty easy to trigger..  a couple minutes w/ firefox will trigger it

Version-Release number of selected component:
xorg-x11-server-Xorg-1.12.3-1.fc17

Additional info:
libreport version: 2.0.13
abrt_version:   2.0.12
kernel:         3.5.3-1.fc17.x86_64

backtrace:
:0: /usr/bin/Xorg (xorg_backtrace+0x36) [0x4652a6]
:1: /usr/bin/Xorg (mieqEnqueue+0x26b) [0x5514ab]
:2: /usr/bin/Xorg (0x400000+0x47f02) [0x447f02]
:3: /usr/bin/Xorg (xf86PostMotionEvent+0xd0) [0x490070]
:4: /usr/lib64/xorg/modules/input/synaptics_drv.so (0x7ff106df1000+0x5025) [0x7ff106df6025]
:5: /usr/lib64/xorg/modules/input/synaptics_drv.so (0x7ff106df1000+0x6f44) [0x7ff106df7f44]
:6: /usr/bin/Xorg (0x400000+0x80787) [0x480787]
:7: /usr/bin/Xorg (0x400000+0xa4a80) [0x4a4a80]
:8: /lib64/libpthread.so.0 (0x32b0600000+0xefe0) [0x32b060efe0]
:9: /usr/bin/Xorg (0x400000+0x6ab70) [0x46ab70]
:10: /lib64/libpthread.so.0 (0x32b0600000+0xefe0) [0x32b060efe0]
:11: /lib64/libc.so.6 (ioctl+0x7) [0x32b02ea2f7]
:12: /lib64/libdrm.so.2 (drmIoctl+0x28) [0x32c8e03548]
:13: /lib64/libdrm.so.2 (drmCommandWrite+0x1b) [0x32c8e0577b]
:14: /lib64/libdrm_nouveau.so.1 (0x7ff10a7df000+0x3085) [0x7ff10a7e2085]
:15: /lib64/libdrm_nouveau.so.1 (nouveau_bo_map_range+0x103) [0x7ff10a7e26b3]
:16: /usr/lib64/xorg/modules/drivers/nouveau_drv.so (0x7ff10a9e5000+0x6718) [0x7ff10a9eb718]
:17: /usr/lib64/xorg/modules/libexa.so (0x7ff109d93000+0x5a7b) [0x7ff109d98a7b]
:18: /usr/lib64/xorg/modules/libexa.so (0x7ff109d93000+0x7f30) [0x7ff109d9af30]
:19: /usr/lib64/xorg/modules/libexa.so (0x7ff109d93000+0x11f68) [0x7ff109da4f68]
:20: /usr/lib64/xorg/modules/libexa.so (0x7ff109d93000+0xe898) [0x7ff109da1898]
:21: /usr/bin/Xorg (0x400000+0x102109) [0x502109]
:22: /usr/bin/Xorg (0x400000+0xfb074) [0x4fb074]
:23: /usr/bin/Xorg (0x400000+0x3444a) [0x43444a]
:24: /usr/bin/Xorg (0x400000+0x23485) [0x423485]
:25: /lib64/libc.so.6 (__libc_start_main+0xf5) [0x32b0221735]
:26: /usr/bin/Xorg (0x400000+0x2375d) [0x42375d]
Comment 1 Rob Clark 2012-09-07 12:29:01 EDT
Created attachment 610794 [details]
File: usr_share_xorg_conf_d.tar.gz
Comment 2 Rob Clark 2012-09-07 12:29:03 EDT
Created attachment 610795 [details]
File: etc_X11_xorg_conf_d.tar.gz
Comment 3 Rob Clark 2012-09-14 11:26:33 EDT
doesn't quite look like the same backtrace (assuming what xorg_backtrace generates is correct), but w/ gdb connected plus debug syms, I get a backtrace which is potentially more useful:

----


Program received signal SIGSEGV, Segmentation fault.
0x00007f26b799406a in memcpy (__len=1054, __src=0x187a9a0, __dest=0x0) at /usr/include/bits/string3.h:52
warning: Source file is more recent than executable.
52	  return __builtin___memcpy_chk (__dest, __src, __len, __bos0 (__dest));
(gdb) bt
#0  0x00007f26b799406a in memcpy (__len=1054, __src=0x187a9a0, __dest=0x0) at /usr/include/bits/string3.h:52
#1  nouveau_exa_upload_to_screen (pdpix=pdpix@entry=0x18560e0, x=0, y=0, w=1054, h=32, src=0x187a9a0 "", src_pitch=1056) at nouveau_exa.c:278
#2  0x00007f26b6d41a7b in exaCopyDirty (migrate=<optimized out>, pValidDst=0x1856180, pValidSrc=0x1856170, transfer=0x7f26b7993e80 <nouveau_exa_upload_to_screen>, fallback_index=0, sync=0)
    at exa_migration_classic.c:220
#3  0x00007f26b6d43c75 in exaDoMigration_mixed (pixmaps=0x7fffb780c350, npixmaps=25668000, can_accel=-1225448672) at exa_migration_mixed.c:118
#4  0x00007f26b6d4a15d in exaTryDriverComposite (op=op@entry=3 '\003', pSrc=pSrc@entry=0xdf23d0, pMask=pMask@entry=0x18561b0, pDst=pDst@entry=0x1855c00, xSrc=xSrc@entry=3, ySrc=ySrc@entry=1, 
    xMask=xMask@entry=0, yMask=yMask@entry=0, xDst=xDst@entry=3, yDst=1, width=width@entry=1054, height=height@entry=32) at exa_render.c:719
#5  0x00007f26b6d4ab1a in exaComposite (op=3 '\003', pSrc=0xdf23d0, pMask=0x18561b0, pDst=0x1855c00, xSrc=3, ySrc=1, xMask=0, yMask=0, xDst=3, yDst=<optimized out>, width=1054, height=32)
    at exa_render.c:1006
#6  0x0000000000502109 in damageComposite (op=3 '\003', pSrc=0xdf23d0, pMask=0x18561b0, pDst=0x1855c00, xSrc=3, ySrc=1, xMask=0, yMask=0, xDst=3, yDst=1, width=1054, height=32) at damage.c:562
#7  0x00007f26b6d4b95f in exaTrapezoids (op=3 '\003', pSrc=0xdf23d0, pDst=0x1855c00, maskFormat=<optimized out>, xSrc=6, ySrc=<optimized out>, ntrap=<optimized out>, traps=0x1eaf158)
    at exa_render.c:1149
#8  0x00000000004fbc4b in ProcRenderTrapezoids (client=0xddec30) at render.c:758
#9  0x000000000043444a in Dispatch () at dispatch.c:428
#10 0x0000000000423485 in main (argc=10, argv=0x7fffb780c808, envp=<optimized out>) at main.c:288

-----

I'm not quite sure that I have exact matching src for xf86-video-nouveau, but that looks to be crashing here:

	while (h) {
		lines = max_lines;
		if (lines > h)
			lines = h;

		nouveau_bo_map(pNv->GART, NOUVEAU_BO_WR, pNv->client);
		if (src_pitch == tmp_pitch) {
==>			memcpy(pNv->GART->map, src, src_pitch * lines);
			src += src_pitch * lines;
		} else {


-----

from dmesg:

[52760.051543] ACPI: EC: GPE storm detected, transactions will use polling mode
[602559.219701] [drm:drm_debugfs_create_files] *ERROR* Cannot create /sys/kernel/debug/dri/channel/4
[602559.823271] [drm:drm_debugfs_create_files] *ERROR* Cannot create /sys/kernel/debug/dri/channel/4
[602567.068143] SELinux: initialized (dev fuse, type fuse), uses genfs_contexts
[602660.248124] [drm] nouveau 0000:03:00.0: PGRAPH_TRAP_TPDMA_RT - TP 0 - Unknown fault at address 00212db400
[602660.248129] [drm] nouveau 0000:03:00.0: PGRAPH_TRAP_TPDMA_RT - TP 0 - e0c: 00000000, e18: 00000000, e1c: 00100002, e20: 00002a00, e24: 00030000
[602660.248131] [drm] nouveau 0000:03:00.0: PGRAPH - TRAP
[602660.248134] [drm] nouveau 0000:03:00.0: PGRAPH - ch 2 (0x0000910000) subc 7 class 0x8397 mthd 0x15e0 data 0x00000000
[602660.248144] [drm] nouveau 0000:03:00.0: VM: trapped write at 0x00212db400 on ch 2 [0x00000910] PGRAPH/PROP/RT0 reason: PAGE_NOT_PRESENT

so I guess the map of the buffer fails, triggering this.
Comment 4 Rob Clark 2012-10-10 16:23:39 EDT
from #nouveau:

<RSpliet> right, I think I've heard of more problems regarding NVAC(/NVAA/NVAF?) and nouveau
 something seems to be going wrong with stolen mem
 since the big massive rewrite... not sure if that's even landed in Fedora yet though... think not
 anyway, please add to the bug report the fact that it's an NVAC ;)
Comment 5 Adam Jackson 2012-10-18 17:46:46 EDT
Please update to at least xorg-x11-server-1.12.3-2.fc17 and reopen if this is still reproduceable.
Comment 6 Rob Clark 2012-10-19 00:22:20 EDT
fwiw:

----
Loaded plugins: auto-update-debuginfo, langpacks, presto, refresh-packagekit
Installed Packages
xorg-x11-server-Xephyr.x86_64           1.12.3-2.fc17         @updates          
xorg-x11-server-Xorg.x86_64             1.12.3-2.fc17         @updates          
xorg-x11-server-common.x86_64           1.12.3-2.fc17         @updates          
xorg-x11-server-debuginfo.x86_64        1.12.3-1.fc17         @updates-debuginfo
xorg-x11-server-utils.x86_64            7.5-12.fc17           @anaconda-0       
----

do you think stuff like:

----
[ 1061.350226] [drm] nouveau 0000:03:00.0: PGRAPH - TRAP_TEXTURE - TP0: Unhandled ustatus 0x00000003
[ 1061.350232] [drm] nouveau 0000:03:00.0: PGRAPH_TRAP_TPDMA_RT - TP 0 - Unknown fault at address 00213d6400
[ 1061.350234] [drm] nouveau 0000:03:00.0: PGRAPH_TRAP_TPDMA_RT - TP 0 - e0c: 00000000, e18: 00000000, e1c: 00100002, e20: 00002a00, e24: 00030000
[ 1061.350235] [drm] nouveau 0000:03:00.0: PGRAPH - TRAP
[ 1061.350238] [drm] nouveau 0000:03:00.0: PGRAPH - ch 4 (0x0001990000) subc 7 class 0x8397 mthd 0x15e0 data 0x00000000
[ 1061.350244] [drm] nouveau 0000:03:00.0: VM: trapped write at 0x00213d6400 on ch 4 [0x00001990] PGRAPH/PROP/RT0 reason: PAGE_NOT_PRESENT
[ 1061.350250] [drm] nouveau 0000:03:00.0: magic set 0:
[ 1061.350252] [drm] nouveau 0000:03:00.0:      0x00408604: 0x20096208
[ 1061.350253] [drm] nouveau 0000:03:00.0:      0x00408608: 0x00213ddf
[ 1061.350255] [drm] nouveau 0000:03:00.0:      0x0040860c: 0x80000e00
[ 1061.350257] [drm] nouveau 0000:03:00.0:      0x00408610: 0x3d600000
[ 1061.350258] [drm] nouveau 0000:03:00.0: PGRAPH - TRAP_TEXTURE - TP0: Unhandled ustatus 0x00000003
[ 1061.350259] [drm] nouveau 0000:03:00.0: PGRAPH - TRAP
[ 1061.350262] [drm] nouveau 0000:03:00.0: PGRAPH - ch 4 (0x0001990000) subc 2 class 0x502d mthd 0x08dc data 0x00000000
[ 1061.350268] [drm] nouveau 0000:03:00.0: VM: trapped read at 0x00213db600 on ch 4 [0x00001990] PGRAPH/TEXTURE/00 reason: PAGE_NOT_PRESENT
[ 1171.572658] [drm] nouveau 0000:03:00.0: PGRAPH_TRAP_TPDMA_2D - TP 0 - Unknown fault at address 004467c400
[ 1171.572663] [drm] nouveau 0000:03:00.0: PGRAPH_TRAP_TPDMA_2D - TP 0 - e0c: 00000000, e18: 00000000, e1c: 03100500, e20: 00000011, e24: 0c030000
[ 1171.572665] [drm] nouveau 0000:03:00.0: PGRAPH - TRAP
[ 1171.572669] [drm] nouveau 0000:03:00.0: PGRAPH - ch 4 (0x0001990000) subc 2 class 0x502d mthd 0x024c data 0x00000313
[ 1171.572676] [drm] nouveau 0000:03:00.0: VM: trapped read at 0x00213d6900 on ch 4 [0x00001990] PGRAPH/TEXTURE/00 reason: PAGE_NOT_PRESENT
----

is a symptom of some bogus cmdstream from userspace, or something going wrong in buffer mapping on kernel side?  RSpliet mentioned potential issue w/ stolen mem?

Fwiw, atm the kernel I have:

----
Linux laptop 3.5.4-2.fc17.x86_64 #1 SMP Wed Sep 26 21:58:50 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
----

I'd tried briefly to build latest (as of a week or two ago.. commit 11573aa) from:

git://anongit.freedesktop.org/nouveau/linux-2.6

although it didn't boot.. but I didn't spend too long on that.

Anyways, let me know what is more useful, spending time w/ latest kernel vs latest xf86-video-nouveau or mesa.  It's my old (ie. not primary) laptop so no problem to experiment.. but useful to know what areas to dig into more (kernel or userspace)..
Comment 7 Fedora End Of Life 2013-07-04 03:22:07 EDT
This message is a reminder that Fedora 17 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 17. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '17'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 17's end of life.

Bug Reporter:  Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 17 is end of life. If you 
would still like  to see this bug fixed and are able to reproduce it 
against a later version  of Fedora, you are encouraged  change the 
'version' to a later Fedora version prior to Fedora 17's end of life.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
Comment 8 Fedora End Of Life 2013-08-01 15:24:46 EDT
Fedora 17 changed to end-of-life (EOL) status on 2013-07-30. Fedora 17 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.

Note You need to log in before you can comment on or make changes to this bug.