Bug 14281

Summary:	SIGSEGV in flat_8A8B8G8R_line v7.0.2 inside glDrawArrays
Product:	Mesa	Reporter:	William K. Foster <wkf>
Component:	Mesa core	Assignee:	mesa-dev
Status:	RESOLVED WONTFIX	QA Contact:
Severity:	major
Priority:	high	CC:	idr
Version:	unspecified
Hardware:	IA64 (Itanium)
OS:	Linux (All)
Whiteboard:
i915 platform:		i915 features:

Description William K. Foster 2008-01-28 11:29:26 UTC

The following snippet of code:

  glEnableClientState(GL_VERTEX_ARRAY);
  glVertexPointer(2, ptType, 0, vertices);

  glPolygonMode(GL_FRONT_AND_BACK, GL_LINE);
  glDrawArrays(shapeType, 0, ptCount);

Sometimes causes a SIGSEGV inside glDrawArrays, but I am not able to cause the crash reliably, but it has happened several times to me (I am now trying v7.0.2 to see if it still occurs there):

#0  flat_8A8B8G8R_line (ctx=0x3f800000, vert0=0xfffffffffffffffc, vert1=0x2aaab296073c) at ../../src/mesa/swrast/s_linetemp.h:336
#1  0x00002b0bcd646c0c in _swsetup_render_line_tri (ctx=0x24f3c00, e0=4294967292, e1=2996176700, e2=4294966326, facing=4278190335) at swrast_setup/ss_triangle.c:94
#2  0x00002b0bcd64b4c5 in triangle_unfilled_rgba (ctx=0xfffffffffffff0d4, e0=4294965356, e1=4294963412, e2=970) at swrast_setup/ss_tritmp.h:153
#3  0x00002b0bcd5b20a2 in _tnl_render_poly_elts (ctx=0x24f3c00, start=1, count=4, flags=2) at tnl/t_vb_rendertmp.h:303
#4  0x00002b0bcd5b25c2 in _tnl_RenderClippedPolygon (ctx=0xfffffffffffff0d4, elts=0xfffffffffffffffc, n=2996176700) at tnl/t_vb_render.c:244
#5  0x00002b0bcd5ac9c6 in clip_quad_4 (ctx=0x24f3c00, v0=4294967292, v1=2996176700, v2=4294966326, v3=3, mask=192 'À') at tnl/t_vb_cliptmp.h:281
#6  0x00002b0bcd5ae987 in clip_render_quads_verts (ctx=0x24f3c00, start=3, count=4, flags=4294966326) at tnl/t_vb_rendertmp.h:334
#7  0x00002b0bcd5b2725 in run_render (ctx=0x24f3c00, stage=0xfffffffffffffffc) at tnl/t_vb_render.c:320
#8  0x00002b0bcd5a944a in _tnl_run_pipeline (ctx=0x24f3c00) at tnl/t_pipeline.c:158
#9  0x00002b0bcd5a991a in _tnl_draw_prims (ctx=0x24f3c00, arrays=0x2546aa8, prim=0x7fffef5bc3e0, nr_prims=1, ib=0x0, min_index=2996176700, max_index=4294967292) at tnl/t_draw.c:403
#10 0x00002b0bcd59c79f in vbo_exec_DrawArrays (mode=7, start=0, count=4) at vbo/vbo_exec_array.c:259

Comment 1 William K. Foster 2008-01-28 12:37:32 UTC

I have hit this using v7.0.2 too.

Comment 2 Brian Paul 2008-01-28 12:44:30 UTC

Can you provide a program to test with?

Does it also happen with a debug build?  Can you print some of the vars near the failure point?

Comment 3 William K. Foster 2008-01-28 15:59:02 UTC

Unfortunately, I can not provide a simple test program to test with.

However, here are two variables that I printed out earlier, when I hit it again, I will provide more local variables.  These are in the bottom frame:

  x0 == -4376.
  y0 == -2186.
  dx ==  1093.

Debugger didn't want to print the variable 'i'. (No symbol "i" in current context)

Comment 4 William K. Foster 2008-01-28 16:36:41 UTC

Here is more debug info:

#0  flat_8A8B8G8R_line (ctx=0x3f800000, vert0=0x385, vert1=0x2aaaafe9f448) at ../../src/mesa/swrast/s_linetemp.h:376
#1  0x00002ac32202a2ac in _swsetup_render_line_tri (ctx=0x1fd8420, e0=901, e1=2951345224, e2=4294966395, facing=4294967295) at swrast_setup/ss_triangle.c:88
#2  0x00002ac32202ea25 in triangle_unfilled_rgba (ctx=0xffffffffffffee58, e0=4294965494, e1=4294962776, e2=4) at swrast_setup/ss_tritmp.h:153
#3  0x00002ac321f9427b in _tnl_render_poly_elts (ctx=0x1fd8420, start=1, count=4, flags=3) at tnl/t_vb_rendertmp.h:284
#4  0x00002ac321f94762 in _tnl_RenderClippedPolygon (ctx=0xffffffffffffee58, elts=0x385, n=2951345224) at tnl/t_vb_render.c:244
#5  0x00002ac321f8eb7e in clip_quad_4 (ctx=0x1fd8420, v0=901, v1=2951345224, v2=4294966395, v3=3, mask=64 '@') at tnl/t_vb_cliptmp.h:281
#6  0x00002ac321f90b27 in clip_render_quads_verts (ctx=0x1fd8420, start=3, count=4, flags=4294966395) at tnl/t_vb_rendertmp.h:334
#7  0x00002ac321f948c5 in run_render (ctx=0x1fd8420, stage=0x385) at tnl/t_vb_render.c:320
#8  0x00002ac321f8b57a in _tnl_run_pipeline (ctx=0x1fd8420) at tnl/t_pipeline.c:158
#9  0x00002ac321f8ba8f in _tnl_draw_prims (ctx=0x1fd8420, arrays=0x202b558, prim=0x7fff9abdb360, nr_prims=1, ib=0x0, min_index=2951345224, max_index=901) at tnl/t_draw.c:402
#10 0x00002ac321f7e766 in vbo_exec_DrawArrays (mode=7, start=0, count=4) at vbo/vbo_exec_array.c:259


(gdb) p x0
$185 = -4520
(gdb) p y0
$186 = -1802
(gdb) p dy
$187 = 901
(gdb) p i
No symbol "i" in current context.
(gdb) p errorInc
$188 = 0
(gdb) p dx
$189 = 4
(gdb) p error
$190 = -901
(gdb) p errorDec
$192 = -1802
(gdb) p span
$195 = {
  x = -1698836480, 
  y = 32767, 
  end = 901, 
  writeAll = 0 '\0', 
  primitive = 6913, 
  facing = 0, 
  interpMask = 0, 
  attrStart = {{1.53400143e-41, 1.47715355e-38, 0, 1}, {1.53400143e-41, 0, 1.84971397e-42, 1.67952199e-36}, {0, -7.84429148e-23, 4.59163468e-41, 4.84620802e-18}, {1.53400143e-41, 1.67952199e-36, 0, 1.67952486e-36}, {0, 1.67952199e-36, 0, 1.82010027e-22}, {1.53400143e-41, -7.84435206e-23, 4.59163468e-41, 4.76441478e-44}, {0, -7.850461e-23, 4.59163468e-41, 0}, {0, 0, 0, 1.44805756e-22}, {1.53400143e-41, 1.34358515e-38, 2.3509887e-38, 1.34358515e-38}, {0, -7.84435206e-23, 4.59163468e-41, 1.64045994e-27}, {1.53400143e-41, 2.34787369e-15, 1.40129846e-45, 1.34358515e-38}, {0, -7.84437226e-23, 4.59163468e-41, 2.94091191e-24}, {1.53400143e-41, 1.34358515e-38, 0, -7.84450352e-23}, {4.59163468e-41, -7.84455401e-23, 4.59163468e-41, 1.20350345e-16}, {1.53400143e-41, -7.84462469e-23, 4.59163468e-41, 1.82010027e-22}, {1.53400143e-41, -7.84444294e-23, 4.59163468e-41, 4.76441478e-44}, {0, -7.850461e-23, 4.59163468e-41, 0}, {0, 0, 0, 1.44805756e-22}, {1.53400143e-41, 1.47715355e-38, 0, 1.65527104e-15}, {1.53400143e-41, 0, 0, 2.90652619e-38}}, 
  attrStepX = {{0, -7.84447323e-23, 4.59163468e-41, 0}, {1.53400143e-41, 2.90652619e-38, 0, 2.90653068e-38}, {0, 0, 0, -7.84451362e-23}, {4.59163468e-41, -7.84450352e-23, 4.59163468e-41, 1.43936097e-23}, {1.53400143e-41, -7.850461e-23, 4.59163468e-41, 0}, {3.57331108e-43, 1.34461146e-38, 0, -7.84451362e-23}, {4.59163468e-41, 1.37874092e-38, 2.3509887e-38, 1.37874092e-38}, {0, -7.84453382e-23, 4.59163468e-41, 1.64045994e-27}, {1.53400143e-41, 2.34787369e-15, 1.40129846e-45, 1.37874092e-38}, {0, -7.84455401e-23, 4.59163468e-41, 2.94091191e-24}, {1.53400143e-41, 1.37874092e-38, 0, -7.84468528e-23}, {4.59163468e-41, -7.84473576e-23, 4.59163468e-41, 1.20350345e-16}, {1.53400143e-41, -7.84480645e-23, 4.59163468e-41, 1.82010027e-22}, {1.53400143e-41, -7.84462469e-23, 4.59163468e-41, 4.76441478e-44}, {0, -7.850461e-23, 4.59163468e-41, 0}, {0, 0, 0, 1.44805756e-22}, {1.53400143e-41, 1.47715355e-38, 0, 1.65527104e-15}, {1.53400143e-41, 2.80259693e-45, 2.80259693e-45, 1.67815881e-36}, {0, -7.84465498e-23, 4.59163468e-41, 4.84620802e-18}, {1.53400143e-41, 1.67815881e-36, 0, 1.67816168e-36}}, 
  attrStepY = {{0, 0, 0, 0}, {4.59163468e-41, -7.84468528e-23, 4.59163468e-41, 1.43936097e-23}, {1.53400143e-41, -7.850461e-23, 4.59163468e-41, 0}, {3.57331108e-43, 1.36543587e-38, 0, -7.84469537e-23}, {4.59163468e-41, 1.39233015e-38, 2.3509887e-38, 1.39233015e-38}, {0, -7.84471557e-23, 4.59163468e-41, 1.64045994e-27}, {1.53400143e-41, 2.34787369e-15, 1.40129846e-45, 1.39233015e-38}, {0, -7.84473576e-23, 4.59163468e-41, 2.94091191e-24}, {1.53400143e-41, 1.39233015e-38, 0, -7.84486703e-23}, {4.59163468e-41, -7.84491752e-23, 4.59163468e-41, 1.20350345e-16}, {1.53400143e-41, -7.8449882e-23, 4.59163468e-41, 1.82010027e-22}, {1.53400143e-41, -7.84480645e-23, 4.59163468e-41, 4.76441478e-44}, {0, -7.850461e-23, 4.59163468e-41, 0}, {0, 0, 0, 1.44805756e-22}, {1.53400143e-41, 1.47715355e-38, 0, 1.65527104e-15}, {1.53400143e-41, 0, 0, 2.9134004e-38}, {0, -7.84483674e-23, 4.59163468e-41, 4.84620802e-18}, {1.53400143e-41, 2.9134004e-38, 0, 2.91340488e-38}, {0, 0, 0, -7.84487713e-23}, {4.59163468e-41, -7.84486703e-23, 4.59163468e-41, 1.43936097e-23}}, 
  red = 10947, 
  redStep = -1698836480, 
  green = 32767, 
  greenStep = 0, 
  blue = 255, 
  blueStep = 10376348, 
  alpha = 0, 
  alphaStep = 33391648, 
  specRed = 0, 
  specRedStep = 33585232, 
  specGreen = 0, 
  specGreenStep = 38054752, 
  specBlue = 0, 
  specBlueStep = 38055456, 
  index = 0, 
  indexStep = 38055456, 
  z = 0, 
  zStep = 33391648, 
  intTex = {0, 570362374}, 
  intTexStep = {10947, -1698845264}, 
  arrayMask = 2048, 
  array = 0x2036f80
}

Comment 5 Ian Romanick 2011-01-04 14:42:31 UTC

Are you still able to reproduce this on more recent versions of Mesa?  This code has seen a lot of change in the last two years.

Comment 6 William K. Foster 2011-01-04 15:15:42 UTC

I am no longer working on the product with which I originally hit this bug and thus cannot offer any more information about this issue that I had hit.

Comment 7 Ian Romanick 2011-01-04 15:52:49 UTC

Okay.  I'll go ahead and close the bug.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.