Bug 91065 - Invalid read in intel_tiled_memcpy.c ytiled_to_linear
Status: RESOLVED MOVED
Alias: None
Product: Mesa
Classification: Unclassified
Component: Drivers/DRI/i965
Version: 10.6
Hardware: x86-64 (AMD64) Linux (All)
Importance: medium normal
Assignee: Intel 3D Bugs Mailing List
QA Contact: Intel 3D Bugs Mailing List
Reported: 2015-06-23 05:18 UTC by Jun Wu
Modified: 2019-09-25 18:54 UTC (History)



Attachments
apitrace of ppsspp part 1 of 2 (2.00 MB, application/octet-stream)
2015-06-23 10:43 UTC, Jun Wu
apitrace of ppsspp part 2 of 2 (1.08 MB, application/octet-stream)
2015-06-23 10:45 UTC, Jun Wu

Description Jun Wu 2015-06-23 05:18:30 UTC
Bug description:

Invalid read in mesa-10.6.0/src/mesa/drivers/dri/i965/intel_tiled_memcpy.c,
intel_readpixels_tiled_memcpy -> tiled_to_linear -> ytiled_to_linear_faster -> ytiled_to_linear.

See backtrace below for details.


System environment:
-- chipset: Haswell-ULT (i7-4500U)
-- system architecture: x86_64
-- mesa/libdrm version: 10.6.0/2.4.61
-- kernel version: 4.0.5-1-ARCH
-- xf86-video-intel: 2.99.917
-- xserver: 1.17.2
-- linux distribution: ArchLinux
-- machine model: Lenovo Thinkpad X240s (20AKA00DHH)


Reproduce steps:

1. Run ppsspp, play game like "Eiyuu Densetsu: Zero no Kiseki"
2. ppsspp will crash randomly


Additional info:

I tried to find a quick, confident fix but failed (unfamiliar with OpenGL / Intel). Any help is appreciated.

(gdb) bt
#0  0x00007ffff4476a00 in __memcpy_avx_unaligned () from /usr/lib/libc.so.6
#1  0x00007fffe9190353 in ytiled_to_linear (x0=0, x1=0, x2=128, x3=128, y0=0, y1=32, 
    dst=0x5fa8400 ..., src=0x7fffe389e000 <error: Cannot access memory at address 0x7fffe389e000>, dst_pitch=512, swizzle_bit=0, 
    mem_copy=0x7ffff44768a0 <__memcpy_avx_unaligned>) at intel_tiled_memcpy.c:364
#2  0x00007fffe91909bd in ytiled_to_linear_faster (x0=0, x1=0, x2=128, x3=128, y0=0, y1=32, 
    dst=0x5fa8400 ..., src=0x7fffe389e000 <error: Cannot access memory at address 0x7fffe389e000>, dst_pitch=512, swizzle_bit=0, 
    // invalid src 0x7fffe389e000. In fact, 0x7fffe389e000-1 is the last valid byte.   
    mem_copy=0x7ffff44768a0 <__memcpy_avx_unaligned>) at intel_tiled_memcpy.c:521
#3  0x00007fffe91910a0 in tiled_to_linear (xt1=0, xt2=512, yt1=0, yt2=64, 
    dst=0x5fa4300 ..., 
    src=0x7fffe389a000 ..., dst_pitch=512, src_pitch=256, has_swizzling=false, tiling=2, 
    mem_copy=0x7ffff44768a0 <__memcpy_avx_unaligned>) at intel_tiled_memcpy.c:715
#4  0x00007fffe91892db in intel_readpixels_tiled_memcpy (ctx=0x243bb40, xoffset=0, yoffset=0, width=128, 
    height=64, format=6408, type=5121, pixels=0x5fa4300, pack=0x2456d00) at intel_pixel_read.c:199
#5  0x00007fffe9189495 in intelReadPixels (ctx=0x243bb40, x=0, y=0, width=128, height=64, format=6408, 
    type=5121, pack=0x2456d00, pixels=0x5fa4300) at intel_pixel_read.c:257
#6  0x00007fffe8da5147 in _mesa_ReadnPixelsARB (x=0, y=0, width=128, height=64, format=6408, type=5121, 
    bufSize=2147483647, pixels=0x5fa4300) at main/readpix.c:1088
#7  0x00007fffe8da5198 in _mesa_ReadPixels (x=0, y=0, width=128, height=64, format=6408, type=5121, 
    pixels=0x5fa4300) at main/readpix.c:1096
#8  0x0000000000a9cfd9 in FramebufferManager::PackFramebufferSync_ (this=0x3c2e2a0, vfb=0x6722c70, x=0, y=0, 
    w=128, h=64) at ppsspp-git/src/ppsspp/GPU/GLES/Framebuffer.cpp:1691
#9  0x0000000000a9bc4e in FramebufferManager::ReadFramebufferToMemory (this=0x3c2e2a0, vfb=0x66fcb90, 
    sync=true, x=0, y=0, w=128, h=64)
    at ppsspp-git/src/ppsspp/GPU/GLES/Framebuffer.cpp:1293
Comment 1 Matt Turner 2015-06-23 05:26:42 UTC
Could you try to make an apitrace that reproduces the bug?
Comment 2 Jun Wu 2015-06-23 10:43:21 UTC
Created attachment 116669 [details]
apitrace of ppsspp part 1 of 2

I just noticed that apitrace is an existing excellent tool. I was trying to write a simple program to reproduce the issue, but it seems not that easy. It seems that glReadPixels basically needs a bounds check somewhere.

The issue happens randomly (sometimes it won't happen for tens of minutes). I happened to have a save state that reproduces it 100% within seconds. However, I have difficulty making the trace file < 3M. I am uploading 2 files.
Comment 3 Jun Wu 2015-06-23 10:45:13 UTC
Created attachment 116670 [details]
apitrace of ppsspp part 2 of 2
Comment 4 Jun Wu 2015-06-23 11:44:34 UTC
It seems the quick workaround is like:

--- a/src/mesa/drivers/dri/i965/intel_pixel_read.c
+++ b/src/mesa/drivers/dri/i965/intel_pixel_read.c
@@ -185,6 +185,14 @@ intel_readpixels_tiled_memcpy(struct gl_context * ctx,
       dst_pitch = -dst_pitch;
    }
 
+   /* For I915_TILING_Y, if src does not have enough pixels, decrease height
+    * silently to prevent invalid memory access.
+    */
+   uint32_t tiling = irb->mt->tiling;
+   if (tiling == I915_TILING_Y && bo->size < height * dst_pitch) {
+      height = bo->size / dst_pitch;
+   }
+
    /* We postponed printing this message until having committed to executing
     * the function.
     */
@@ -203,7 +211,7 @@ intel_readpixels_tiled_memcpy(struct gl_context * ctx,
       bo->virtual,
       dst_pitch, irb->mt->pitch,
       brw->has_swizzling,
-      irb->mt->tiling,
+      tiling,
       mem_copy
    );
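Review bot: substituting the `tiling` local for `irb->mt->tiling` here is consistent with the first hunk and changes nothing functionally, but it depends on a declaration placed mid-function after statements; if the file is held to pre-C99 declaration rules, hoist `uint32_t tiling` to the top of the function. The guard in the first hunk is also limited to `I915_TILING_Y` while this call still handles any tiling value, so the comment there should say why other tiling modes need no corresponding check.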

However, I am not sure whether it is a correct fix or not.
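The bound the workaround is reaching for can be checked against the backtrace's own numbers. The following is an added illustration, not code from Mesa or from the reporter: it replays the Y-tile walk of tiled_to_linear() (tile base xt * 32 + yt * src_pitch, 128-byte by 32-row tiles stored in 16-byte columns) over a requested rectangle and reports the furthest source byte the copy would read; the BO size 0x4000 is an assumed value taken from the faulting address src + 0x4000.

```c
#include <stdbool.h>
#include <stdint.h>

/* Y-tile geometry as used by i965's intel_tiled_memcpy.c: a tile is 128 bytes
 * wide by 32 rows (4 KiB), stored as 16-byte-wide columns of 512 bytes each. */
#define YTILE_WIDTH  128u
#define YTILE_HEIGHT 32u
#define YTILE_SPAN   16u

struct ytile_bounds {
   bool     fits;      /* every byte the copy reads lies below bo_size */
   uint64_t first_bad; /* base offset of the first tile that overruns the BO */
   uint64_t last_byte; /* highest source byte offset the whole copy touches */
};

/* Offset of byte (x, y) inside one Y tile (no swizzling): column-major in
 * 16-byte spans, so the tile's last byte is at (127, 31) -> 4095. */
static uint64_t ytile_offset(uint32_t x, uint32_t y)
{
   return (x / YTILE_SPAN) * (YTILE_SPAN * YTILE_HEIGHT) + y * YTILE_SPAN + x % YTILE_SPAN;
}

/* Walk the tile grid the way tiled_to_linear() does (xt1..xt2 in bytes,
 * yt1..yt2 in rows): each tile's source base is xt * 32 + yt * src_pitch.
 * Records the furthest byte read and the first tile whose bytes exceed bo_size. */
static struct ytile_bounds
ytile_check(uint32_t xt1, uint32_t xt2, uint32_t yt1, uint32_t yt2,
            uint32_t src_pitch, uint64_t bo_size)
{
   struct ytile_bounds r = { true, 0, 0 };
   for (uint32_t yt = yt1 / YTILE_HEIGHT * YTILE_HEIGHT; yt < yt2; yt += YTILE_HEIGHT) {
      uint32_t y1 = yt + YTILE_HEIGHT < yt2 ? yt + YTILE_HEIGHT : yt2;
      for (uint32_t xt = xt1 / YTILE_WIDTH * YTILE_WIDTH; xt < xt2; xt += YTILE_WIDTH) {
         uint32_t x1 = xt + YTILE_WIDTH < xt2 ? xt + YTILE_WIDTH : xt2;
         uint64_t base = (uint64_t)xt * YTILE_HEIGHT + (uint64_t)yt * src_pitch;
         uint64_t last = base + ytile_offset(x1 - 1 - xt, y1 - 1 - yt);
         if (last > r.last_byte)
            r.last_byte = last;
         if (last >= bo_size && r.fits) {
            r.fits = false;
            r.first_bad = base;   /* with a too-small pitch, tile rows overlap and run off the end */
         }
      }
   }
   return r;
}
```

Called with the backtrace's values, `ytile_check(0, 512, 0, 64, 256, 0x4000)` reports the first overrunning tile at offset 0x4000, exactly the distance of the faulting address from `src` in frame #3; with a 512-byte pitch the same rectangle needs a 0x8000-byte BO and then fits.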
Comment 5 Matt Turner 2017-03-22 05:13:21 UTC
Can you still reproduce this failure? I just tried on Mesa 17.0.1 and I cannot.
Comment 6 GitLab Migration User 2019-09-25 18:54:01 UTC
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/mesa/mesa/issues/1485.

