Bug 10071

Summary: Invalid read in emit_vec16 r300_maos.c. Related probably to artifact.
Product: DRI
Reporter: Papadakos Panagiotis <papadako>
Component: libGL
Assignee: Default DRI bug account <dri-devel>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: medium
Version: XOrg git
Hardware: Other
OS: All
Whiteboard:
i915 platform:
i915 features:

Attachments:
Description | Flags
Artifact screenshot. | none
The model for blender. Shows artifact in blender. | none
Proposed patch | none

Description Papadakos Panagiotis 2007-02-23 01:46:34 UTC
Valgrind reports the following error:
==8649== Invalid read of size 4
==8649==    at 0x4BA0ED9: r300EmitArrays (r300_maos.c:172)
==8649==    by 0x4B9648A: r300_run_vb_render (r300_render.c:341)
==8649==    by 0x4B96E8E: r300_run_tcl_render (r300_render.c:540)
==8649==    by 0x4C128A0: _tnl_run_pipeline (t_pipeline.c:159)
==8649==    by 0x4C9E8D8: _tnl_draw_prims (t_draw.c:400)
==8649==    by 0x4C97F42: vbo_exec_vtx_flush (vbo_exec_draw.c:215)
==8649==    by 0x4C93885: vbo_exec_wrap_buffers (vbo_exec_api.c:75)
==8649==    by 0x4C93D85: vbo_exec_vtx_wrap (vbo_exec_api.c:109)
==8649==    by 0x4C97289: vbo_Vertex3fv (vbo_attrib_tmp.h:61)
==8649==    by 0x4837BE1: glVertex3fv (glapitemp.h:770)
==8649==    by 0x42C32CE: osgParticle::Particle::render(osg::Vec3f const&, osg::Vec3f const&, osg::Vec3f const&, float) const (in /usr/lib/libosgParticle.so)
==8649==    by 0x42C9633: osgParticle::ParticleSystem::single_pass_render(osg::State&, osg::Matrixd const&) const (in /usr/lib/libosgParticle.so)
==8649==  Address 0x4DADB00 is 0 bytes after a block of size 65,536 alloc'd
==8649==    at 0x40227F4: memalign (vg_replace_malloc.c:448)
==8649==    by 0x4022844: posix_memalign (vg_replace_malloc.c:549)
==8649==    by 0x4BD5269: _mesa_align_malloc (imports.c:113)
==8649==    by 0x4C94329: vbo_exec_vtx_init (vbo_exec_api.c:638)
==8649==    by 0x4C935DC: vbo_exec_init (vbo_exec.c:52)
==8649==    by 0x4C934D0: _vbo_CreateContext (vbo_context.c:223)
==8649==    by 0x4B8CAA5: r300CreateContext (r300_context.c:297)
==8649==    by 0x4B84D9C: radeonCreateContext (radeon_screen.c:920)
==8649==    by 0x4B815A9: driCreateNewContext (dri_util.c:830)
==8649==    by 0x480A64E: CreateContext (glxcmds.c:353)
==8649==    by 0x480A984: glXCreateContext (glxcmds.c:430)
==8649==    by 0x48924DD: Producer::RenderSurface::_init() (in /usr/lib/libProducer.so)

It seems that somehow in emit_vec16 in r300_maos, data has less allocated memory than what count thinks, by one,
so we read out of the data bounds.

for (i = 0; i < count; i++) {
        out[0] = *(int *)data;  // Valgrind warns here
        out[1] = *(int *)(data + 4);  // Valgrind also warns here
        out[2] = *(int *)(data + 8);  // Valgrind also warns here
        out[3] = *(int *)(data + 12); // Valgrind also warns here
        out += 4;
        data += stride;
}

This happens when using a simple model which is not rendered correctly in blender and OSG.
The black line should not exist. Toggling light seems to remove the black line.
Comment 1 Papadakos Panagiotis 2007-02-23 01:47:18 UTC
Created attachment 8822
Artifact screenshot.
Comment 2 Papadakos Panagiotis 2007-02-23 01:48:07 UTC
Created attachment 8823
The model for blender. Shows artifact in blender.
Comment 3 Papadakos Panagiotis 2007-02-24 10:54:10 UTC
Created attachment 8838
Proposed patch

Wrong max_index in vbo draw_prims.

P.S.
Artifact was blender's wrong normal calculations.
Nvidia was rendering it Ok though.
Comment 4 Aapo Tahkola 2007-02-25 15:58:47 UTC
Looks ok by me. Closing.
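
Added example, not part of the bug thread and not Mesa's code: a bounds-checked version of the strided loop quoted in the description, showing how an index bound that is one too large makes the count-driven read end past the vertex block. The 16-byte stride, the function names (vec16_span, emit_vec16_checked, demo) and the zero-filled buffer are assumptions constructed for illustration; only the 65,536-byte block size is taken from the Valgrind output above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VEC16_BYTES 16u /* four 32-bit words are read per element */

/* Bytes touched by a strided read of `count` 16-byte elements.
 * Returns 0 on success, -1 if the size computation would overflow. */
static int vec16_span(size_t count, size_t stride, size_t *span)
{
    if (count == 0) { *span = 0; return 0; }
    if (stride != 0 && (count - 1) > (SIZE_MAX - VEC16_BYTES) / stride)
        return -1;
    *span = (count - 1) * stride + VEC16_BYTES;
    return 0;
}

/* Hypothetical checked variant of the loop in the report: refuses to run
 * when the last element would extend past data_size.
 * Returns the number of elements copied, or -1 if the request does not fit. */
static long emit_vec16_checked(uint32_t *out, const uint8_t *data,
                               size_t data_size, size_t stride, size_t count)
{
    size_t span;
    if (vec16_span(count, stride, &span) != 0 || span > data_size)
        return -1;
    for (size_t i = 0; i < count; i++) {
        memcpy(out, data, VEC16_BYTES); /* no alignment assumption, unlike *(int *) */
        out += 4;
        data += stride;
    }
    return (long)count;
}

/* Constructed case: a 65,536-byte block of 16-byte vertices (stride assumed).
 * An inclusive max_index describes max_index + 1 elements. */
static long demo(size_t max_index)
{
    static uint8_t block[65536];
    static uint32_t out[4096 * 4];
    return emit_vec16_checked(out, block, sizeof block, 16, max_index + 1);
}

int main(void)
{
    printf("max_index 4095 -> %ld\n", demo(4095)); /* last valid index */
    printf("max_index 4096 -> %ld\n", demo(4096)); /* one too large: refused */
    return 0;
}
```

With max_index one too large, the last element would start at offset 65,536, which is exactly the "0 bytes after a block of size 65,536" address Valgrind reports.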