Bug 88662

Summary: unaligned access to gl_dlist_node
Product: Mesa Reporter: Jonathan Gray <jsg>
Component: Mesa coreAssignee: mesa-dev
Status: RESOLVED FIXED QA Contact: mesa-dev
Severity: normal    
Priority: medium    
Version: 10.4   
Hardware: SPARC   
OS: OpenBSD   
Whiteboard:
i915 platform: i915 features:
Attachments: proposed patch

Description Jonathan Gray 2015-01-21 13:27:57 UTC 
As part of testing for an update to Mesa 10.4 in OpenBSD Matthieu Herrb found an alignment related crash with classic swrast on mips64el.  I've also reproduced this on sparc64 which also has a requirement for strict 8 byte pointer alignment.

As tracked down by Mark Kettenis since 483dc973c431cadec69b36e58a4559c734a7ef16 union gl_dlist_node no longer has a pointer in it so pointers returned from 
_mesa_dlist_alloc are only guaranteed to be 4 byte aligned.

_mesa_dlist_alloc(struct gl_context *ctx, GLuint opcode, GLuint bytes)
{
   Node *n = dlist_alloc(ctx, (OpCode) opcode, bytes);
   if (n)
      return n + 1;  /* return pointer to payload area, after opcode */
   else
      return NULL;
}

commit 483dc973c431cadec69b36e58a4559c734a7ef16
Author: Brian Paul <brianp@vmware.com>
Date:   Wed Dec 4 09:45:38 2013 -0700

    mesa: remove gl_dlist_node::next pointer to reduce dlist memory use
    
    Now, sizeof(gl_dlist_node)==4 even on 64-bit systems.  This can
    halve the memory used by some display lists on 64-bit systems.
    
    Reviewed-by: Ian Romanick <ian.d.romanick@intel.com>

0x000000c387368914 in _save_compile_vertex_list (ctx=0xc3532de000)
    at /usr/xenocara/lib/libGL/mesa/libmesa/../../../../dist/Mesa/src/mesa/vbo/vbo_save_api.c:393
393        node->prim = save->prim;
(gdb) bt
#0  0x000000c387368914 in _save_compile_vertex_list (ctx=0xc3532de000)
    at /usr/xenocara/lib/libGL/mesa/libmesa/../../../../dist/Mesa/src/mesa/vbo/vbo_save_api.c:393
#1  0x000000c387396914 in vbo_save_SaveFlushVertices (ctx=0xc3532de000)
    at /usr/xenocara/lib/libGL/mesa/libmesa/../../../../dist/Mesa/src/mesa/vbo/vbo_save_api.c:1421
#2  0x000000c387501fd0 in save_Attr3fNV (attr=2, x=0, y=0, z=-1)
    at /usr/xenocara/lib/libGL/mesa/libmesa/../../../../dist/Mesa/src/mesa/main/dlist.c:5062
#3  0x000000c37fefe188 in glNormal3f (nx=0, ny=0, nz=-1) at glapi_mapi_tmp.h:1920
#4  0x000000c0abc02d7c in atexit () from /usr/X11R6/bin/glxgears

(gdb) p node
$1 = (struct vbo_save_vertex_list *) 0xc35bf3ac3c
(gdb) p (uint64_t)node % 8
$2 = 4
(gdb) p save
$3 = (struct vbo_save_context *) 0xc37b53d5a8
(gdb) p (uint64_t)save % 8
$4 = 0
(gdb) p &node->prim
$6 = (struct _mesa_prim **) 0xc35bf3ad44
(gdb) p (uint64_t)&node->prim % 8
$7 = 4
(gdb) p &save->prim
$8 = (struct _mesa_prim **) 0xc37b53e968
(gdb) p (uint64_t)&save->prim % 8
$9 = 0

Adding a void * pointer back to gl_dlist_node prevents the crash.
Comment 1 Brian Paul 2015-01-27 03:43:16 UTC 
Created attachment 112872 [details] [review]
proposed patch

Hi Jonathan,

Here's a patch which should fix the issue.  Can you test?
Comment 2 Jonathan Gray 2015-01-27 15:56:47 UTC 
Yes, I can confirm that the patch fixes the crash on sparc64.
Tested with 10.4.3 so I had to change

fprintf(f, "NOP\n"); -> printf("NOP\n");

to make it build but it otherwise seems fine, thanks.
Comment 3 Brian Paul 2015-01-30 16:42:08 UTC 
Fixed in the master and 10.4 branches.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.