Bug 35961

Summary: src/gallium/auxiliary/util/u_draw.c:77:util_draw_max_index: Assertion `buffer_size - format_size <= buffer_size' failed.
Product: Mesa Reporter: Vinson Lee <vlee>
Component: Mesa coreAssignee: Jose Fonseca <jfonseca>
Status: CLOSED FIXED QA Contact:
Severity: critical    
Priority: medium CC: brianp
Version: git   
Hardware: x86 (IA32)   
OS: Linux (All)   
Whiteboard:
i915 platform: i915 features:

Description Vinson Lee 2011-04-04 09:51:14 UTC 
mesa: a0fc40f0d5a04fa85f720c0a4a7aa27bbb19e114 (master)

Run piglit test fp-abs-01 on softpipe or llvmpipe.

$ ./bin/fp-abs-01 -auto
src/gallium/auxiliary/util/u_draw.c:77:util_draw_max_index: Assertion `buffer_size - format_size <= buffer_size' failed. 

(gdb) bt
#0  0x00f3f77f in _debug_assert_fail (expr=0x173c0c4 "buffer_size - format_size <= buffer_size", file=0x173bf9c "src/gallium/auxiliary/util/u_draw.c", line=77, 
    function=0x173c152 "util_draw_max_index") at src/gallium/auxiliary/util/u_debug.c:282
#1  0x00f419ac in util_draw_max_index (vertex_buffers=0x99e0658, nr_vertex_buffers=2, vertex_elements=0x99e07e0, nr_vertex_elements=2, info=0xbf86e4e0)
    at src/gallium/auxiliary/util/u_draw.c:77
#2  0x00f0c02c in draw_vbo (draw=0x99e05e8, info=0xbf86e4e0) at src/gallium/auxiliary/draw/draw_pt.c:473
#3  0x00c84336 in llvmpipe_draw_vbo (pipe=0x99ad680, info=0xbf86e4e0) at src/gallium/drivers/llvmpipe/lp_draw_arrays.c:81
#4  0x00dcba1e in st_draw_vbo (ctx=0x9a61f60, arrays=0x9aa5168, prims=0xbf86e57c, nr_prims=1, ib=0x0, index_bounds_valid=1 '\001', min_index=0, max_index=3)
    at src/mesa/state_tracker/st_draw.c:739
#5  0x00e5e44b in vbo_draw_arrays (ctx=0x9a61f60, mode=7, start=0, count=4, numInstances=1) at src/mesa/vbo/vbo_exec_array.c:644
#6  0x00e5e5b2 in vbo_exec_DrawArrays (mode=7, start=0, count=4) at src/mesa/vbo/vbo_exec_array.c:675
#7  0x0808f0e8 in piglit_draw_rect (x=1, y=1, w=32, h=32) at piglit/tests/util/piglit-util-gl.c:588
#8  0x0806a064 in piglit_display () at piglit/tests/shaders/fp-abs-01.c:136
#9  0x0806a157 in display () at piglit/tests/util/piglit-framework.c:48
#10 0x00125820 in fghRedrawWindow (window=DWARF-2 expression error: DW_OP_reg operations must be used either alone or in conjuction with DW_OP_piece or DW_OP_bit_piece.
) at freeglut_main.c:210
#11 fghcbDisplayWindow (window=DWARF-2 expression error: DW_OP_reg operations must be used either alone or in conjuction with DW_OP_piece or DW_OP_bit_piece.
) at freeglut_main.c:227
#12 0x00129660 in fgEnumWindows (enumCallback=0x125790 <fghcbDisplayWindow>, enumerator=0xbf86e788) at freeglut_structure.c:394
#13 0x00125cdb in fghDisplayAll () at freeglut_main.c:249
#14 glutMainLoopEvent () at freeglut_main.c:1450
#15 0x00126605 in glutMainLoop () at freeglut_main.c:1498
#16 0x0806a2fb in main (argc=1, argv=0xbf86ea14) at piglit/tests/util/piglit-framework.c:116
(gdb) frame 1
#1  0x00f419ac in util_draw_max_index (vertex_buffers=0x99e0658, nr_vertex_buffers=2, vertex_elements=0x99e07e0, nr_vertex_elements=2, info=0xbf86e4e0)
    at src/gallium/auxiliary/util/u_draw.c:77
77	      assert(buffer_size - format_size <= buffer_size);
(gdb) info locals
buffer = 0x99e0664
format_desc = 0x1809b60
format_size = 16
element = 0x99e07f0
buffer_size = 0
max_index = 3
i = 1
__FUNCTION__ = "util_draw_max_index"
Comment 1 Vinson Lee 2011-04-04 10:13:36 UTC 
3733da31e8b4405b65e1b6ca3b6599ecc5af5fe7 is the first bad commit
commit 3733da31e8b4405b65e1b6ca3b6599ecc5af5fe7
Author: José Fonseca <jfonseca@vmware.com>
Date:   Thu Mar 31 14:40:25 2011 +0100

    draw: Prevent out-of-bounds vertex buffer access.
    
    Based on some code and ideas from Keith Whitwell.

:040000 040000 b8144c16b0d642d2b79127b74bf02b08d14f90e9 556d7b6865ca394baf751a903aaadd0cf72a9e71 M	src
bisect run success
Comment 2 Brian Paul 2011-04-04 16:43:43 UTC 
Fixed with commit 6cab07685fa48174b310e52b26151a8fb8a8e6dc
Comment 3 Vinson Lee 2011-04-05 21:02:52 UTC 
mesa: 14b574433c7faedaa18f1c946159cb03630c7d9f (master)

The assert is still triggered with the piglit attribute0 test. attribute0 previously failed gracefully without an assert.

$ ./bin/attribute0 -auto
util/u_draw.c:77:util_draw_max_index: Assertion `buffer_size - format_size <= buffer_size' failed.
Comment 4 Jose Fonseca 2011-04-06 08:00:59 UTC 
I'm looking at this and other cases where this assertion fails.
Comment 5 Jose Fonseca 2011-04-07 04:21:18 UTC 
Should be fixed with commit 0c501bacef3738b55986292abca149dcfe76d72d:
Author: José Fonseca <jfonseca@vmware.com>
Date:   Thu Apr 7 12:19:14 2011 +0100

    mesa/st: Fix user buffer size computation when stride is zero.
    
    Although for GL a zero stride means tightly packed elements, Mesa
    internally uses zero strides for constant arrays.
    
    Therefore user buffers need to be defined from
    
      buffer_offset + src_offset + min_index*stride
    
    to
    
      buffer_offset + src_offset + max_index*stride + elem_size
    
    Simplifying the later with (max_index + 1)*stride will give zero
    sized buffers.
    
    This change also aggregates the st_context's info about user buffers
    into a single array.
Comment 6 Vinson Lee 2011-04-07 12:27:21 UTC 
mesa: 6638b4a590aa07dbe05f6647da90a00a4c0d57a8 (master)

Verified fixed.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.