Bug 109086

Summary: Crash software mesa with gl_select render mode
Product: Mesa
Reporter: Dmitry <fagot2709>
Component: Drivers/Gallium/softpipe
Assignee: mesa-dev
Status: RESOLVED FIXED
QA Contact: mesa-dev
Severity: critical
Priority: medium
Version: 18.3
Hardware: Other
OS: Windows (All)
Whiteboard:
i915 platform:
i915 features:
Attachments: example application with crash source code; bug; hwhwhw

Description Dmitry 2018-12-18 11:58:09 UTC
Created attachment 142847 [details]
example application with crash source code

Drawing elements with glRenderMode(GL_SELECT) crashes Windows applications.

Steps to reproduce:
1) build the example application from the source code in the attachment:
cl -Zi -IF:\mesa-18.3.0\include -IF:\freeglut\include mesacrash.c -link /DEBUG /LIBPATH:F:\freeglut\lib\x64 /LIBPATH:F:\build\mesa-18.3.0\build\windows-x86_64-debug\gallium\targets\libgl-gdi
2) run mesacrash.exe application.

The application crashes with the following error message:
  Problem event name:	APPCRASH
  Application name:	mesacrash.exe
  Application version:	0.0.0.0
  Application timestamp:	5c18c2cb
  Name of module with error:	OPENGL32.dll
  Version of module with error:	0.0.0.0
  Timestamp of module with error:	5c10fa47
  Exception code:	c0000005
  Exception offset:	000000000058f49a
  OS version:	6.1.7601.2.1.0.256.48
  Language code:	1049
  Additional information 1:	0e8c
  Additional information 2:	0e8cbb272bc4decc2d93e964b4efe7e3
  Additional information 3:	ca58
  Additional information 4:	ca586625bbe3e94cfe8752da92509f27

Expected results:
The application should draw the dummy without crashing.

Stacktrace:
opengl32.dll!util_format_r32g32b32_float_fetch_rgba_float(float * dst, const unsigned char * src, unsigned int i, unsigned int j) Line 10081	C
opengl32.dll!generic_run_one(translate_generic * tg, unsigned int elt, unsigned int start_instance, unsigned int instance_id, void * vert) Line 631	C
opengl32.dll!generic_run(translate * translate, unsigned int start, unsigned int count, unsigned int start_instance, unsigned int instance_id, void * output_buffer) Line 724	C
opengl32.dll!draw_pt_fetch_run_linear(pt_fetch * fetch, unsigned int start, unsigned int count, char * verts) Line 200	C
opengl32.dll!fetch(pt_fetch * fetch, const draw_fetch_info * fetch_info, char * output) Line 165	C
opengl32.dll!fetch_pipeline_generic(draw_pt_middle_end * middle, const draw_fetch_info * fetch_info, const draw_prim_info * in_prim_info) Line 272	C
opengl32.dll!fetch_pipeline_linear_run(draw_pt_middle_end * middle, unsigned int start, unsigned int count, unsigned int prim_flags) Line 437	C
opengl32.dll!vsplit_segment_simple_linear(vsplit_frontend * vsplit, unsigned int flags, unsigned int istart, unsigned int icount) Line 227	C
opengl32.dll!vsplit_run_linear(draw_pt_front_end * frontend, unsigned int start, unsigned int count) Line 103	C
opengl32.dll!draw_pt_arrays(draw_context * draw, unsigned int prim, unsigned int start, unsigned int count) Line 151	C
opengl32.dll!draw_vbo(draw_context * draw, const pipe_draw_info * info) Line 566	C
opengl32.dll!draw_arrays(draw_context * draw, unsigned int mode, unsigned int start, unsigned int count) Line 105	C
opengl32.dll!st_feedback_draw_vbo(gl_context * ctx, const _mesa_prim * prims, unsigned int nr_prims, const _mesa_index_buffer * ib, unsigned char index_bounds_valid, unsigned int min_index, unsigned int max_index, gl_transform_feedback_object * tfb_vertcount, unsigned int stream, gl_buffer_object * indirect) Line 261	C
opengl32.dll!_mesa_validated_drawrangeelements(gl_context * ctx, unsigned int mode, unsigned char index_bounds_valid, unsigned int start, unsigned int end, int count, unsigned int type, const void * indices, int basevertex, unsigned int numInstances, unsigned int baseInstance) Line 853	C
opengl32.dll!_mesa_exec_DrawElements(unsigned int mode, int count, unsigned int type, const void * indices) Line 1006	C
mesacrash.exe!draw() Line 13637	C
mesacrash.exe!displayCB() Line 13680	C
freeglut.dll!000007feeec2e3d8()	Unknown
freeglut.dll!000007feeec2e580()	Unknown
freeglut.dll!000007feeec2ee51()	Unknown
mesacrash.exe!main(int argc, char * * argv) Line 13712	C
[External Code]	

System specification:
* Operating system is Windows 7 x64 (installed on a Virtual Box machine)
* Mesa version is 18.3.0, built from sources with Visual Studio 2015 (build command: scons build=debug machine=x86_64)
* freeglut prebuilt binaries
* 2D and 3D acceleration is enabled in the Virtual Box machine, VBGuest drivers are installed.

Additional Builds and Platforms:
Crash is reproduced with x86 and x64 mesa builds. Also reproduced with Windows 10 x64.
Comment 5 Ilia Mirkin 2018-12-19 02:53:50 UTC
With valgrind, forcing DRAW_USE_LLVM=0 to make our lives a little easier, it dies in:

==12812== Process terminating with default action of signal 11 (SIGSEGV)
==12812==  Access not within mapped region at address 0x332000
==12812==    at 0x9C8ADF0: util_format_r32g32b32_float_fetch_rgba_float (in /usr/lib64/dri/nouveau_dri.so)
==12812==    by 0x9D0D2C1: generic_run (in /usr/lib64/dri/nouveau_dri.so)
==12812==    by 0xA26E99F: fetch_pipeline_generic.constprop.1 (in /usr/lib64/dri/nouveau_dri.so)
==12812==    by 0xA26EDEE: fetch_pipeline_linear_run (in /usr/lib64/dri/nouveau_dri.so)
==12812==    by 0xA27389C: vsplit_run_linear (in /usr/lib64/dri/nouveau_dri.so)
==12812==    by 0xA26D117: draw_pt_arrays (in /usr/lib64/dri/nouveau_dri.so)
==12812==    by 0xA26D564: draw_vbo (in /usr/lib64/dri/nouveau_dri.so)
==12812==    by 0xA083D65: st_feedback_draw_vbo (in /usr/lib64/dri/nouveau_dri.so)
==12812==    by 0xA062B0A: _mesa_validated_drawrangeelements (in /usr/lib64/dri/nouveau_dri.so)
==12812==    by 0xA06384B: _mesa_exec_DrawElements (in /usr/lib64/dri/nouveau_dri.so)
==12812==    by 0x1092CB: draw (in /home/ilia/Downloads/mesacrash)
==12812==    by 0x109427: displayCB (in /home/ilia/Downloads/mesacrash)

Note that the address is (very likely) bogus. It also dies with draw using llvm (same address), but ... harder to debug that. Will try to investigate further. Since this is a client-side buffer, could be the application doing something illegal.
Comment 6 Ilia Mirkin 2018-12-19 03:23:30 UTC
(In reply to Ilia Mirkin from comment #5)
> Note that the address is (very likely) bogus. It also dies with draw using
> llvm (same address), but ... harder to debug that. Will try to investigate
> further. Since this is a client-side buffer, could be the application doing
> something illegal.

Looks like we're not treating glDrawElements properly for GL_SELECT. st_feedback_draw_vbo tries to set it all up, but then calls draw_vbo with a min_index/max_index configured for arrays.

Will try to fix it up...
Comment 7 Ilia Mirkin 2018-12-19 03:51:33 UTC
Patch available at: https://patchwork.freedesktop.org/patch/268721/

Makes this example work, and doesn't appear to regress existing piglit tests.
Comment 8 Dmitry 2018-12-19 09:57:01 UTC
Works good with my applications. When will this patch be included in the release?
Comment 9 Ilia Mirkin 2018-12-27 00:36:09 UTC
Pushed as

commit bac85342672a265735316049ecf36b74e1f2a852
Author: Ilia Mirkin <imirkin@alum.mit.edu>
Date:   Tue Dec 18 22:47:05 2018 -0500

    st/mesa: allow glDrawElements to work with GL_SELECT feedback
    
    Not sure if this ever worked, but the current logic for setting the
    min/max index is definitely wrong for indexed draws. While we're at it,
    bring in all the usual logic from the non-indirect drawing path.
    
    Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=109086
    Signed-off-by: Ilia Mirkin <imirkin@alum.mit.edu>
    Reviewed-by: Brian Paul <brianp@vmware.com>
    Reviewed-by: Roland Scheidegger <sroland@vmware.com>

As for being included in a release, the next natural one is 19.0, due out some time early 2019.
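
The mismatch named in comment 6 and in the commit message, shown as an added illustration (not Mesa's code and not part of the original thread): a vertex range computed as if the draw were non-indexed does not describe the vertices an indexed draw actually fetches from a client-side buffer. All type, function and variable names below are hypothetical, and the vertex and index data are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* All names are hypothetical; this is not Mesa's API. min > max means empty. */
struct vertex_range { uint32_t min_index, max_index; };

/* Non-indexed draw (glDrawArrays): vertices start .. start+count-1 are fetched. */
static struct vertex_range range_for_arrays(uint32_t start, uint32_t count)
{
    struct vertex_range r = { 1, 0 };
    if (count != 0) { r.min_index = start; r.max_index = start + count - 1; }
    return r;
}

/* Indexed draw (glDrawElements): the fetched vertices are whatever the index
 * values name, so the range has to come from scanning the indices. */
static struct vertex_range range_for_elements(const uint32_t *idx, uint32_t count)
{
    struct vertex_range r = { UINT32_MAX, 0 };
    for (uint32_t i = 0; i < count; i++) {
        if (idx[i] < r.min_index) r.min_index = idx[i];
        if (idx[i] > r.max_index) r.max_index = idx[i];
    }
    return r;
}

/* True if the range is non-empty and its last vertex ends inside the buffer. */
static bool range_fits(struct vertex_range r, size_t stride, size_t attr_size, size_t buf_size)
{
    if (r.min_index > r.max_index || attr_size > buf_size) return false;
    if (stride != 0 && r.max_index > (buf_size - attr_size) / stride) return false;
    return true;
}

/* Constructed sample: 4 vertices of 3 floats each (12-byte stride, 48 bytes). */
static const float verts[4][3] = { {0, 0, 0}, {1, 0, 0}, {0, 1, 0}, {1, 1, 0} };
static const uint32_t quad_idx[6] = { 0, 1, 2, 2, 1, 3 };  /* all inside the buffer */
static const uint32_t bad_idx[3]  = { 7, 8, 9 };           /* all beyond the buffer */

int main(void)
{
    size_t st = sizeof verts[0], sz = sizeof verts;
    printf("quad, array-style range fits: %d\n", range_fits(range_for_arrays(0, 6), st, st, sz));
    printf("quad, scanned range fits:     %d\n", range_fits(range_for_elements(quad_idx, 6), st, st, sz));
    printf("bad,  array-style range fits: %d\n", range_fits(range_for_arrays(0, 3), st, st, sz));
    return 0;
}
```

The third case is the hazardous one: the array-style range [0, 2] passes the bounds check although the indices name vertices 7 to 9, so only the scanned range catches the out-of-bounds fetch.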
