Crash below RB_SetColorGrading on window adjustments

[Viech]

On Linux running nvidia 343.36 graphics drivers, the client sometimes crashes inside the driver blob when the desktop workspace that has it is redisplayed. The window manager used is i3. Backtrace of a SIGSEGV in Thread 1:

Thread 4 (Thread 0x7fffbed8f700 (LWP 8111)):
#0  0x00007ffff3ee878d in recvmsg () from /usr/lib/libpthread.so.0
No symbol table info available.
#1  0x00007fffc923131b in NaClReceiveDatagram (handle=39, message=0x7fffbed8ebe0, flags=0) at /home/eris/src/Unvanquished/src/libs/nacl/native_client/src/shared/imc/linux/nacl_imc.cc:168
        msg = {msg_name = 0x0, msg_namelen = 0, msg_iov = 0x7fffbed8ec00, msg_iovlen = 2, msg_control = 0x7fffbed8eb20, msg_controllen = 48, msg_flags = 0}
        buf = "\000\000\000\000\000\000\000\000{\000\000\000|\000\000\000\000\005s\311\377\177\000\000 \000\000\270\377\177\000\000\370\000\002\000\000\000\000\000\320\355ؾ\377\177\000"
        count = <optimized out>
#2  0x00007fffc92224a0 in IPC::InternalRecvMsg (handle=39, reader=...) at /home/eris/src/Unvanquished/src/common/IPC.cpp:374
        internalHdr = {h = {xfer_protocol_version = 0, descriptor_data_bytes = 0}, pad = "\000\000\000\000\000\000\000"}
        desc_ptr = <optimized out>
        hdr = {iov = 0x7fffbed8ec00, iov_length = 2, handles = 0x7fffbed8ec20, handle_count = 8, flags = 0}
        iov = {{base = 0x7fffbed8ebd0, length = 16}, {base = 0x7fffb83c4e10, length = 131320}}
        h = {-1, -1, -1, -1, -1, -1, -1, -1}
        result = <optimized out>
        desc_end = <optimized out>
        handle_index = <optimized out>
#3  0x00007fffc92227f8 in IPC::Socket::RecvMsg (this=this@entry=0x7fffc9730500 <VM::rootChannel>) at /home/eris/src/Unvanquished/src/common/IPC.cpp:454
        out = {data = std::vector of length 0, capacity 0, handles = std::vector of length 0, capacity 0, pos = 0, handles_pos = 0}
#4  0x00007fffc9205373 in RecvMsg (this=0x7fffc9730500 <VM::rootChannel>) at /home/eris/src/Unvanquished/src/common/IPC.h:568
No locals.
#5  main (argc=<optimized out>, argv=<optimized out>) at /home/eris/src/Unvanquished/src/gamelogic/game/g_api.cpp:80
        reader = {data = std::vector of length 0, capacity 0, handles = std::vector of length 0, capacity 0, pos = 0, handles_pos = 0}
        id = <optimized out>
        writer = {data = std::vector of length 4, capacity 4 = {1 '\001', 0 '\000', 0 '\000', 0 '\000'}, handles = std::vector of length 0, capacity 0}
#6  0x00000000004433db in operator() (__closure=0x1dd62e8) at /home/eris/src/Unvanquished/src/engine/framework/VirtualMachine.cpp:362
        args = {0x65bf5c "vm", 0x3c982e8 "39"}
        inProcess = @0x6a86760: {thread = {_M_id = {_M_thread = 140736395278080}}, mutex = {<std::__mutex_base> = {_M_mutex = {__data = {__lock = 0, __count = 0, __owner = 0, __nusers = 0, __kind = 0, __spins = 0, __elision = 0, 
__list = {__prev = 0x0, __next = 0x0}}, __size = '\000' <repeats 39 times>, __align = 0}}, <No data fields>}, condition = {_M_cond = {__data = {__lock = 0, __futex = 0, __total_seq = 0, __wakeup_seq = 0, __woken_seq = 0, __mutex = 
0x0, __nwaiters = 0, __broadcast_seq = 0}, __size = '\000' <repeats 47 times>, __align = 0}}, sharedLibHandle = 0x478a830, running = true}
        vmSocketArg = "39"
        vmMain = 0x7fffc9205217 <main(int, char**)>
#7  _M_invoke<> (this=0x1dd62e8) at /usr/include/c++/4.9.2/functional:1700
No locals.
#8  operator() (this=0x1dd62e8) at /usr/include/c++/4.9.2/functional:1688
No locals.
#9  std::thread::_Impl<std::_Bind_simple<VM::CreateInProcessNativeVM(std::pair<IPC::Socket, IPC::Socket>, Str::StringRef, VM::VMBase::InProcessInfo&)::<lambda()>()> >::_M_run(void) (this=0x1dd62d0) at 
/usr/include/c++/4.9.2/thread:115
No locals.
#10 0x00007ffff43c5d90 in execute_native_thread_routine () from /usr/lib/libstdc++.so.6
No symbol table info available.
#11 0x00007ffff3ee0314 in start_thread () from /usr/lib/libpthread.so.0
No symbol table info available.
#12 0x00007ffff3c1e5bd in clone () from /usr/lib/libc.so.6
No symbol table info available.

Thread 3 (Thread 0x7fffbe58e700 (LWP 8110)):
#0  0x00007ffff3c157bd in poll () from /usr/lib/libc.so.6
No symbol table info available.
#1  0x00007fffbfdeb8d6 in ?? () from /usr/lib/libasound.so.2
No symbol table info available.
#2  0x00007ffff594655a in ?? () from /usr/lib/libopenal.so.1
No symbol table info available.
#3  0x00007ffff594f0d7 in ?? () from /usr/lib/libopenal.so.1
No symbol table info available.
#4  0x00007ffff3ee0314 in start_thread () from /usr/lib/libpthread.so.0
No symbol table info available.
#5  0x00007ffff3c1e5bd in clone () from /usr/lib/libc.so.6
No symbol table info available.

Thread 1 (Thread 0x7ffff7fa9780 (LWP 8104)):
#0  0x00007ffff1b41157 in ?? () from /usr/lib/libnvidia-glcore.so.343.36
No symbol table info available.
#1  0x00007ffff170596d in ?? () from /usr/lib/libnvidia-glcore.so.343.36
No symbol table info available.
#2  0x00007ffff1814888 in ?? () from /usr/lib/libnvidia-glcore.so.343.36
No symbol table info available.
#3  0x00007ffff18150af in ?? () from /usr/lib/libnvidia-glcore.so.343.36
No symbol table info available.
#4  0x000000000051dd9c in RB_SetColorGrading (data=data@entry=0x7fffec4d203c) at /home/eris/src/Unvanquished/src/engine/renderer/tr_backend.cpp:4866
        cmd = 0x7fffec4d203c
#5  0x0000000000520689 in RB_ExecuteRenderCommands (data=0x7fffec4d203c, data@entry=0x7fffec4d2034) at /home/eris/src/Unvanquished/src/engine/renderer/tr_backend.cpp:5723
        t1 = 76647
        t2 = <optimized out>
#6  0x000000000052bc4e in R_IssueRenderCommands (runPerformanceCounters=1) at /home/eris/src/Unvanquished/src/engine/renderer/tr_cmds.cpp:183
        cmdList = 0x7fffec4d2034
        __PRETTY_FUNCTION__ = "void R_IssueRenderCommands(qboolean)"
#7  0x000000000052c686 in RE_EndFrame (frontEndMsec=0x3305012, backEndMsec=0x7fffcab1b388) at /home/eris/src/Unvanquished/src/engine/renderer/tr_cmds.cpp:862
        cmd = 0x0
#8  0x00000000004f8da1 in SCR_UpdateScreen () at /home/eris/src/Unvanquished/src/engine/client/cl_scrn.cpp:787
        recursive = 1
#9  0x00000000004f43a1 in CL_Frame (msec=10) at /home/eris/src/Unvanquished/src/engine/client/cl_main.cpp:3670
No locals.
#10 0x000000000044b397 in Com_Frame (GetInput=0x59ae43 <IN_Frame()>, DoneInput=0x59aefd <IN_FrameEnd()>) at /home/eris/src/Unvanquished/src/engine/qcommon/common.cpp:2374
        msec = 10
        timeBeforeEvents = 0
        timeBeforeClient = 0
        timeAfter = 0
        timeBeforeFirstEvents = 0
        timeBeforeServer = 0
        minMsec = 8
        lastTime = 76645
        watchdogTime = 0
        watchWarn = 0
#11 0x0000000000462c44 in main (argc=18, argv=0x7fffffffe8d8) at /home/eris/src/Unvanquished/src/engine/sys/sys_main.cpp:667
        i = 18
        commandLine = "\000set vm.game.type 4 \000set vm.sgame.type 4 \000set fs_basepath /usr/share/unvanquished \000set fs_extrapath . \000set fs_extrapaks \"assets git\" \000devmap plat23 ", '\000' <repeats 875 times>
        ver = {major = 2 '\002', minor = 0 '\000', patch = 3 '\003'}
        curses = 1

[Viech]

I could reproduce the crash twice; again below RB_SetColorGrading. It seems much more likely to happen after a vid_restart (but not reliably so).

[Kangz]

I am sorry, but it seems to be a driver bug: glGetTexImage with a PBO shouldn't crash as the driver will first check that the PBO has the memory allocated of the right size and then do the asynchronous transfer.

However I'd be interested in reproducing it, what do you mean by redisplayed?

[Viech]

@Kangz by "redisplaying" I mean switching back to the desktop that has the Unvanquished client window on it. From what I experienced so far, switching away from Unvanquished's desktop never triggers such a crash, only switching back to it does.

It seems that this issue happens sometimes on plat23 but most of the time (so far: always) on spacetracks, even when no vid_restart was done.

[Viech]

Not unsimiliar to the bug described in this issue (and thus, I'm not sure whether it deserves an issue of its own), I could just trigger the following SIGSEGV when changing the client window position/size to fullscreen (not to be confused with daemon's r_fullscreen). This happened after I switched back to the desktop hosting the Unvanquished window (without a crash) on plat23.

Thread 1 (Thread 0x7ffff7fa9780 (LWP 15024)):
#0  0x00007ffff1b36333 in ?? () from /usr/lib/libnvidia-glcore.so.343.36
No symbol table info available.
#1  0x00007ffff1b01b51 in ?? () from /usr/lib/libnvidia-glcore.so.343.36
No symbol table info available.
#2  0x00007ffff1809b73 in ?? () from /usr/lib/libnvidia-glcore.so.343.36
No symbol table info available.
#3  0x00007ffff180a247 in ?? () from /usr/lib/libnvidia-glcore.so.343.36
No symbol table info available.
#4  0x00007ffff180a790 in ?? () from /usr/lib/libnvidia-glcore.so.343.36
No symbol table info available.
#5  0x000000000051b0cf in RB_RenderBloom () at /home/eris/src/Unvanquished/src/engine/renderer/tr_backend.cpp:2792
        i = <optimized out>
        j = <optimized out>
        flip = 0
        ortho = {0.00416666688, 0, 0, 0, 0, 0.00666666683, 0, 0, 0, 0, -1.00000998e-05, 0, -1, -1, -0, 1}
#6  0x000000000051c2af in RB_RenderView () at /home/eris/src/Unvanquished/src/engine/renderer/tr_backend.cpp:4596
        clearBits = <optimized out>
        startTime = 0
        endTime = <optimized out>
#7  0x000000000051f16d in RB_DrawView (data=data@entry=0x7fffec4d2054) at /home/eris/src/Unvanquished/src/engine/renderer/tr_backend.cpp:5333
        cmd = 0x7fffec4d2054
#8  0x00000000005206fa in RB_ExecuteRenderCommands (data=0x7fffec4d2054, data@entry=0x7fffec4d2034) at /home/eris/src/Unvanquished/src/engine/renderer/tr_backend.cpp:5751
        t1 = 523157
        t2 = <optimized out>
#9  0x000000000052bc64 in R_IssueRenderCommands (runPerformanceCounters=1) at /home/eris/src/Unvanquished/src/engine/renderer/tr_cmds.cpp:183
        cmdList = 0x7fffec4d2034
        __PRETTY_FUNCTION__ = "void R_IssueRenderCommands(qboolean)"
#10 0x000000000052c69c in RE_EndFrame (frontEndMsec=0x1d91620, backEndMsec=0x0) at /home/eris/src/Unvanquished/src/engine/renderer/tr_cmds.cpp:862
        cmd = 0xc59a4
#11 0x00000000004f8db7 in SCR_UpdateScreen () at /home/eris/src/Unvanquished/src/engine/client/cl_scrn.cpp:787
        recursive = 1
#12 0x00000000004f43b7 in CL_Frame (msec=8) at /home/eris/src/Unvanquished/src/engine/client/cl_main.cpp:3670
No locals.
#13 0x000000000044b3ad in Com_Frame (GetInput=0x59ae4d <IN_Frame()>, DoneInput=0x59aef9 <IN_FrameEnd()>) at /home/eris/src/Unvanquished/src/engine/qcommon/common.cpp:2374
        msec = 8
        timeBeforeEvents = 0
        timeBeforeClient = 0
        timeAfter = 0
        timeBeforeFirstEvents = 0
        timeBeforeServer = 0
        minMsec = 8
        lastTime = 523156
        watchdogTime = 0
        watchWarn = 0
#14 0x0000000000462c5a in main (argc=18, argv=0x7fffffffe8e8) at /home/eris/src/Unvanquished/src/engine/sys/sys_main.cpp:667
        i = 18
        commandLine = "\000set vm.game.type 4 \000set vm.sgame.type 4 \000set fs_basepath /usr/share/unvanquished \000set fs_extrapath . \000set language fr \000devmap plat23 ", '\000' <repeats 889 times>
        ver = {major = 2 '\002', minor = 0 '\000', patch = 3 '\003'}
        curses = 1

Maybe something is bad about the way that we (re)initialize things when a window manager induced adjustment is necessary?

[ghost]

Can anyone look at this?

[necessarily-equal]

I think we can assume this is fixed. I don't think we changed a lot of things in this part of the code, but since the crash happens in the nvidia driver code it may very well have been fixed by nvidia too.