PHC crash in [@ nv50_validate_tic] (buffer overflow?)
Categories
(Core :: Graphics: WebRender, defect, P2)
Tracking
()
People
(Reporter: jcristau, Assigned: aosmond)
References
(Blocks 1 open bug, )
Details
(Keywords: crash, sec-vector)
Crash Data
Attachments
(1 obsolete file)
This bug is for crash report bp-f1db01f8-55fd-4487-ab73-2d29f0200330.
Top 10 frames of crashing thread:
0 libgallium_dri.so nv50_validate_tic ../src/gallium/drivers/nouveau/nv50/nv50_tex.c:324
1 libgallium_dri.so nv50_validate_textures ../src/gallium/drivers/nouveau/nv50/nv50_tex.c:339
2 libgallium_dri.so nv50_state_validate ../src/gallium/drivers/nouveau/nv50/nv50_state_validate.c:549
3 libgallium_dri.so nv50_state_validate_3d ../src/gallium/drivers/nouveau/nv50/nv50_state_validate.c:572
4 libgallium_dri.so nv50_draw_vbo ../src/gallium/drivers/nouveau/nv50/nv50_vbo.c:799
5 libgallium_dri.so cso_draw_arrays ../src/gallium/auxiliary/cso_cache/cso_context.c:1756
6 libgallium_dri.so st_pbo_draw ../src/mesa/state_tracker/st_pbo.c:282
7 libgallium_dri.so try_pbo_upload_common ../src/mesa/state_tracker/st_cb_texture.c:1322
8 libgallium_dri.so st_TexSubImage ../src/mesa/state_tracker/st_cb_texture.c:1561
9 libgallium_dri.so <name omitted> ../src/mesa/main/teximage.c:3584
Alloc stack from PHC:
0 firefox-bin replace_calloc(unsigned long, unsigned long)+0xe4
1 libgallium_dri.so nouveau_buffer_create+0x31 ../src/gallium/drivers/nouveau/nouveau_buffer.c:644
2 libgallium_dri.so st_bufferobj_data+0x27a ../src/mesa/main/bufferobj.c:2087
3 libgallium_dri.so <name omitted>+0xbe ../src/mesa/main/bufferobj.c:2087
4 libgallium_dri.so <name omitted>+0xf3 ../src/mesa/main/bufferobj.c:2130
5 libxul.so webrender::device::gl::Device::create_upload_buffer+0x4f
6 libxul.so webrender::renderer::Renderer::update_gpu_cache+0x3bd7
7 libxul.so webrender::renderer::Renderer::render_impl+0x69d7
8 libxul.so webrender::renderer::Renderer::render+0x46
9 libxul.so wr_renderer_render+0x68
10 libxul.so mozilla::wr::RendererOGL::UpdateAndRender(mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool, mozilla::wr::RendererStats*)+0x163
11 libxul.so mozilla::wr::RenderThread::UpdateAndRender(mozilla::wr::WrWindowId, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, bool, mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool)+0x1fa
12 libxul.so mozilla::wr::RenderThread::HandleFrameOneDoc(mozilla::wr::WrWindowId, bool)+0x227
13 libxul.so mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), true, (mozilla::RunnableKind)0, mozilla::wr::WrWindowId, bool>::Run()+0x2f
14 libxul.so base::MessagePumpDefault::Run(base::MessagePump::Delegate*)+0x674
15 libxul.so MessageLoop::Run()+0x4f
I reported this to mesa, @karolherbst says:
"If I would make a guess, this issue is probably due to our multithreading issues we have. Essentially creating multiple OpenGL contexts within the same process leads to random crashes and is not something which is easily fixable as of right now.
Do you have the possibility to limit rendering to one thread? I know that this isn't a great solution here, but to actual fix this it requires a bigger rework of the driver and probably nothing we would backport to older versions of mesa anyway."
Filing this here in case we want to do something on our end.
|
||
Updated•5 years ago
|
|
||
Comment 1•5 years ago
|
||
The mesa issue link is broken. Julien can you provide the correct one?
We should probably just disable WebRender on nouveau because of this for now.
|
Reporter | |
Comment 2•5 years ago
|
||
The link is correct but I marked the issue confidential there out of caution...
|
||
Updated•5 years ago
|
|
|
||
Comment 3•5 years ago
|
||
Andrew - can you disable WR as per: https://bugzilla.mozilla.org/show_bug.cgi?id=1626898#c1
|
Assignee | |
Comment 4•5 years ago
|
||
|
||
Updated•5 years ago
|
|
|
Assignee | |
Updated•5 years ago
|
|
|
Assignee | |
Comment 5•5 years ago
|
||
I don't think I need sec-approval for this to land, given it only ships on nightly configurations (hence no need to an uplift)?
|
|
Assignee | |
Updated•5 years ago
|
|
|
Reporter | |
Comment 7•5 years ago
|
||
|
||
Comment 8•5 years ago
|
||
Note that we're seeing crashes all the way to Mesa 20.0.2.0. We probably need to block that version and every other one below.
https://crash-stats.mozilla.com/report/index/c63cd304-c9f9-4e5b-b53c-340de0200403
|
|
||
Comment 9•5 years ago
|
||
And BTW this should prevent a number of other fairly high volume Linux crashes such as nv30_fp_state_bind and nv30_draw_vbo.
|
|
Assignee | |
Comment 10•5 years ago
|
||
(In reply to Gabriele Svelto [:gsvelto] from comment #8)
Note that we're seeing crashes all the way to Mesa 20.0.2.0. We probably need to block that version and every other one below.
https://crash-stats.mozilla.com/report/index/c63cd304-c9f9-4e5b-b53c-340de0200403
I see that it is 20.1.0-devel in master. Do we know if they will do a point release with this fix, and thus I could just block up to 20.0.3.0, or need I block up to 20.1.0.0?
|
|
Reporter | |
Comment 11•5 years ago
|
||
The fix is marked cc: mesa-stable which I think means it might get backported to a point release. Maybe 20.0.5 (20.0.4 was just released today).
|
||
Updated•5 years ago
|
|
|
Reporter | |
Comment 13•5 years ago
|
||
mesa 20.0.5 was released this week with the fix.
|
|
Reporter | |
Updated•5 years ago
|
|
|
||
Comment 15•4 years ago
|
||
The upstream bug in mesa has been fixed and given the volume went to zero it must have been rolled out to most major distros. For some reason the issue on mesa's issue tracker has been deleted. Either way I'm closing this as FIXED.
|
||
Updated•4 years ago
|
|
|
Reporter | |
Updated•4 years ago
|
|
|
||
Updated•4 years ago
|
|
|
||
Updated•3 years ago
|
Description
•