Bug 5721

Summary: doom3 segfaults sometimes in the _tnl_DrawElements code
Product: Mesa Reporter: Roland Scheidegger <sroland>
Component: Mesa coreAssignee: mesa-dev
Status: RESOLVED NOTOURBUG QA Contact:
Severity: normal    
Priority: high    
Version: git   
Hardware: x86 (IA32)   
OS: Linux (All)   
Whiteboard:
i915 platform: i915 features:
Attachments: insert an assertion to make the problem more apparent

Description Roland Scheidegger 2006-01-26 03:10:33 UTC 
Even with tcl_mode=0 (on the radeon 9000pro) doom3 sometimes segfaults. It's
kinda hard to trigger, but it seems to happen always around the same places (one
place is at the end of the game, just some moments before approaching the
cyberdemon - just walking by there has a chance of around 20% to crash). There
are also some obvious rendering errors there (looks like misspecified polyons or
something like that, though it could just be z-fighting issues) which may be
related.
Program received signal SIGSEGV, Segmentation fault
#0  0x3c44e509 in loopback_Color4ubv_f (
    v=0x11e57638 <Address 0x11e57638 out of bounds>) at main/api_loopback.c:280
#1  0x3c37a158 in _ae_loopback_array_elt (elt=1290) at main/api_arrayelt.c:788
#2  0x3c47768f in fallback_drawelements (ctx=Variable "ctx" is not available.
) at tnl/t_array_api.c:75
#3  0x3c477c25 in _tnl_DrawElements (mode=4, count=306, type=5125,
    indices=0x666) at tnl/t_array_api.c:375
#4  0x08156450 in ?? ()

(Now, with indices 666 it must just go wrong :-). Though "mode" and "type"
always seem to be the same.)
I'd suspect it's not a r200 driver specific problem, but I'd need days until I
would hit a crash with the software renderer...
Comment 1 Ian Romanick 2006-01-26 03:54:09 UTC 
Is it possible to record a demo at the place where the SEGFAULT is hit?  If
there's only a 20% hitting it (that isn't dependent on exact view parameters),
looping the demo 5 times should be able to consistently reproduce it.
Comment 2 Roland Scheidegger 2006-01-26 06:43:22 UTC 
(In reply to comment #1)
> Is it possible to record a demo at the place where the SEGFAULT is hit?  If
> there's only a 20% hitting it (that isn't dependent on exact view parameters),
> looping the demo 5 times should be able to consistently reproduce it.
This is a good idea. I've recorded a short, yet 6MB, demo,
http://homepage.hispeed.ch/rscheidegger/segfault.demo. However, I'm not sure
anymore this is easily reproducible, it seems very highly moon-phase dependant.
For instance, if it succeeds once, it will always succeed in subsequent runs, it
looks like you need to restart doom3 or at least run a different demo (like
demo1). You can try your luck :-).
Comment 3 Roland Scheidegger 2006-11-22 17:05:56 UTC 
this bug has unfortunately easily survived all tnl changes so far, a newer
backtrace with some more information:
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1077327872 (LWP 24516)]
0x41a76d87 in loopback_Color4ubv_f (
    v=0x11845334 <Address 0x11845334 out of bounds>) at main/api_loopback.c:280
280        COLORF( UBYTE_TO_FLOAT(v[0]), UBYTE_TO_FLOAT(v[1]),
(gdb) bt
#0  0x41a76d87 in loopback_Color4ubv_f (
    v=0x11845334 <Address 0x11845334 out of bounds>) at main/api_loopback.c:280
#1  0x4190cae2 in _ae_loopback_array_elt (elt=1391) at main/api_arrayelt.c:1293
#2  0x41ac128f in fallback_drawelements (ctx=0xb93bc00, mode=4, count=336, 
    indices=0x52456f60) at tnl/t_array_api.c:75
#3  0x41ac1b48 in _tnl_DrawElements (mode=4, count=336, type=5125, 
    indices=0x52456f60) at tnl/t_array_api.c:393
#4  0x08156450 in ?? ()

(gdb) print *aa->array
$25 = {Size = 4, Type = 5121, Stride = 60, StrideB = 60, 
  Ptr = 0x38 <Address 0x38 out of bounds>, Enabled = 1, Normalized = 1 '\001', 
  BufferObj = 0xa9de738, _MaxElement = 326, Flags = 1}

That doesn't sound right. _MaxElement is only 326, and we're tryiing to access
element 1391? I'll wonder what's going on here - some problem if stride isn't 0?
Comment 4 Roland Scheidegger 2006-11-22 18:06:48 UTC 
Created attachment 7868 [details] [review]
insert an assertion to make the problem more apparent

this diff inserts an assertion to make the problem more visible. With it doom3
will reproducibly instantly fail an assertion where previously some garbage
triangles were seen and where it was a bit hard to reproduce a segfault. It
will also crash in the intro movie at always the same place, even with software
renderer if you're patient enough... (just make sure you use r_renderer arb, at
least r_renderer r200 does not appear to be affected).
Comment 5 Roland Scheidegger 2006-11-23 06:17:43 UTC 
(In reply to comment #4)
> Created an attachment (id=7868) [edit]
> insert an assertion to make the problem more apparent
I looked a bit closer but couldn't find anything which goes wrong. So I suspect
this is a bug in the doom3 arb render path, it seems to simply sometimes use a
(color) vertex buffer which does not contain all elements (given the stride)
it'll try to address. This (depending on how the buffers are laid out in memory)
usually just means random data will be used, but sometimes result in a segfault.
The spec only mentions "implementation dependant behaviour" in such a case, so
if that includes segfaults mesa's behaviour should be fine...
Comment 6 Oliver McFadden 2007-03-27 02:23:16 UTC 
Sorry for the bug hijacking; this isn't related to Doom 3 at all, but it could
be the same bug. I'm not sure.

I have actually noticed some cases with my own code where it appears to get
"random" data (vertices, texcoords, colors, ...); so far I haven't found the
cause of this... So maybe there is a bug in the DrawElements code.

I also haven't been able to reliably reproduce this with my code. It seems to
randomly happen 1 times in 100, maybe more. :(

This is on R300, btw.
Comment 7 Brian Paul 2007-03-27 06:11:03 UTC 
Sounds like a job for valgrind.  It'll be slow, but valgrind is probably the best tool for solving intermediate crashes/glitches.
Comment 8 Roland Scheidegger 2007-03-27 12:18:45 UTC 
(In reply to comment #6)
> Sorry for the bug hijacking; this isn't related to Doom 3 at all, but it could
> be the same bug. I'm not sure.
I don't think so. I'm pretty sure the issue with doom3 is a game bug (nobody uses arb path really, so it's probably not that well tested). If you enable CheckArrayBounds you can see (with some additional debug output) that exactly at the places where it sometimes used to segfault some DrawRangeElements calls are ignored because it tries to access array elements beyond the allocated buffer. This happens ONLY with the arb path (with todays's mesa git fixes), and I believe it's always due to the colorPointer buffer. I don't think there is anything mesa can do about that (well other than always using array bounds checking, which sucks and doesn't work if you don't use ARB_vbo anyway).
Thus closing this bug now. Open a new bug for your issues, but I'm afraid you need to be more specific.

(In reply to comment #7)
> Sounds like a job for valgrind.  It'll be slow, but valgrind is probably the
> best tool for solving intermediate crashes/glitches.
I've actually tried that, but it's not practical for doom3 at least, simply because it's way too slow - that and you need to filter the output a lot because it detects tons of bogus things by mistake.
Comment 9 Adam Jackson 2009-08-24 12:23:40 UTC 
Mass version move, cvs -> git

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.