Bug 10071 - Invalid read in emit_vec16 r300_maos.c. Related probably to artifact.
Summary: Invalid read in emit_vec16 r300_maos.c. Related probably to artifact.
Status: RESOLVED FIXED
Alias: None
Product: DRI
Classification: Unclassified
Component: libGL (show other bugs)
Version: XOrg git
Hardware: Other All
: medium normal
Assignee: Default DRI bug account
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2007-02-23 01:46 UTC by Papadakos Panagiotis
Modified: 2007-02-25 15:58 UTC (History)
0 users

See Also:
i915 platform:
i915 features:

Attachments
Artifact screenshot. (5.02 KB, image/jpeg)
2007-02-23 01:47 UTC, Papadakos Panagiotis 		no flags Details
The model for blender. Shows artifact in blender. (109.91 KB, application/octet-stream)
2007-02-23 01:48 UTC, Papadakos Panagiotis 		no flags Details
Proposed patch (799 bytes, text/x-diff)
2007-02-24 10:54 UTC, Papadakos Panagiotis 		no flags Details
View All

Description Papadakos Panagiotis 2007-02-23 01:46:34 UTC 
Valgrind reports the following error:
==8649== Invalid read of size 4
==8649==    at 0x4BA0ED9: r300EmitArrays (r300_maos.c:172)
==8649==    by 0x4B9648A: r300_run_vb_render (r300_render.c:341)
==8649==    by 0x4B96E8E: r300_run_tcl_render (r300_render.c:540)
==8649==    by 0x4C128A0: _tnl_run_pipeline (t_pipeline.c:159)
==8649==    by 0x4C9E8D8: _tnl_draw_prims (t_draw.c:400)
==8649==    by 0x4C97F42: vbo_exec_vtx_flush (vbo_exec_draw.c:215)
==8649==    by 0x4C93885: vbo_exec_wrap_buffers (vbo_exec_api.c:75)
==8649==    by 0x4C93D85: vbo_exec_vtx_wrap (vbo_exec_api.c:109)
==8649==    by 0x4C97289: vbo_Vertex3fv (vbo_attrib_tmp.h:61)
==8649==    by 0x4837BE1: glVertex3fv (glapitemp.h:770)
==8649==    by 0x42C32CE: osgParticle::Particle::render(osg::Vec3f const&, osg::Vec3f const&, osg::Vec3f const&, float) const (in /usr/lib/libosgParticle.so)
==8649==    by 0x42C9633: osgParticle::ParticleSystem::single_pass_render(osg::State&, osg::Matrixd const&) const (in /usr/lib/libosgParticle.so)
==8649==  Address 0x4DADB00 is 0 bytes after a block of size 65,536 alloc'd
==8649==    at 0x40227F4: memalign (vg_replace_malloc.c:448)
==8649==    by 0x4022844: posix_memalign (vg_replace_malloc.c:549)
==8649==    by 0x4BD5269: _mesa_align_malloc (imports.c:113)
==8649==    by 0x4C94329: vbo_exec_vtx_init (vbo_exec_api.c:638)
==8649==    by 0x4C935DC: vbo_exec_init (vbo_exec.c:52)
==8649==    by 0x4C934D0: _vbo_CreateContext (vbo_context.c:223)
==8649==    by 0x4B8CAA5: r300CreateContext (r300_context.c:297)
==8649==    by 0x4B84D9C: radeonCreateContext (radeon_screen.c:920)
==8649==    by 0x4B815A9: driCreateNewContext (dri_util.c:830)
==8649==    by 0x480A64E: CreateContext (glxcmds.c:353)
==8649==    by 0x480A984: glXCreateContext (glxcmds.c:430)
==8649==    by 0x48924DD: Producer::RenderSurface::_init() (in /usr/lib/libProducer.so)

It seems that somehow in emit_vec16 in r300_maos, data has less allocated memory from what count thinks, by one,
so we read out of the data bounds.

for (i = 0; i < count; i++) {
        out[0] = *(int *)data;  // Valgrind warns here
        out[1] = *(int *)(data + 4);// Valgrind warns and here
        out[2] = *(int *)(data + 8);// Valgrind warns and here
        out[3] = *(int *)(data + 12);// Valgrind warns and here
        out += 4;
        data += stride;
}

This happens when using a simple model which is not rendered correctly in blender and OSG.
The black line should not exist. Toggling light seems to remove the black line.
Comment 1 Papadakos Panagiotis 2007-02-23 01:47:18 UTC 
Created attachment 8822 [details]
Artifact screenshot.
Comment 2 Papadakos Panagiotis 2007-02-23 01:48:07 UTC 
Created attachment 8823 [details]
The model for blender. Shows artifact in blender.
Comment 3 Papadakos Panagiotis 2007-02-24 10:54:10 UTC 
Created attachment 8838 [details]
Proposed patch

Wrong max_index in vbo draw_prims.

P.S.
Artifact was blender's wrong normal calculations.
Nvidia was rendering it Ok though.
Comment 4 Aapo Tahkola 2007-02-25 15:58:47 UTC 
Looks ok by me. Closing.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.