<html>
<head>
<base href="https://bugs.freedesktop.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - Invalid read in intel_tiled_memcpy.c ytiled_to_linear"
href="https://bugs.freedesktop.org/show_bug.cgi?id=91065">91065</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>Invalid read in intel_tiled_memcpy.c ytiled_to_linear
</td>
</tr>
<tr>
<th>Product</th>
<td>Mesa
</td>
</tr>
<tr>
<th>Version</th>
<td>10.6
</td>
</tr>
<tr>
<th>Hardware</th>
<td>x86-64 (AMD64)
</td>
</tr>
<tr>
<th>OS</th>
<td>Linux (All)
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>medium
</td>
</tr>
<tr>
<th>Component</th>
<td>Drivers/DRI/i965
</td>
</tr>
<tr>
<th>Assignee</th>
<td>idr@freedesktop.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>arcppzju+fdbug@gmail.com
</td>
</tr>
<tr>
<th>QA Contact</th>
<td>intel-3d-bugs@lists.freedesktop.org
</td>
</tr></table>
<p>
<div>
<pre>Bug description:
Invalid read in mesa-10.6.0/src/mesa/drivers/dri/i965/intel_tiled_memcpy.c,
intel_readpixels_tiled_memcpy -> tiled_to_linear -> ytiled_to_linear_faster ->
ytiled_to_linear.
See backtrace below for details.
System environment:
-- chipset: Haswell-ULT (i7-4500U)
-- system architecture: x86_64
-- mesa/libdrm version: 10.6.0/2.4.61
-- kernel version: 4.0.5-1-ARCH
-- xf86-video-intel: 2.99.917
-- xserver: 1.17.2
-- linux distribution: ArchLinux
-- machine model: Lenovo Thinkpad X240s (20AKA00DHH)
Reproduce steps:
1. Run ppsspp, play game like "Eiyuu Densetsu: Zero no Kiseki"
2. ppsspp will crash randomly
Additional info:
I tried to find a quick, confident fix but failed (unfamiliar with OpenGL /
Intel). Any help is appreciated.
(gdb) bt
#0 0x00007ffff4476a00 in __memcpy_avx_unaligned () from /usr/lib/libc.so.6
#1 0x00007fffe9190353 in ytiled_to_linear (x0=0, x1=0, x2=128, x3=128, y0=0,
y1=32,
dst=0x5fa8400 ..., src=0x7fffe389e000 <error: Cannot access memory at
address 0x7fffe389e000>, dst_pitch=512, swizzle_bit=0,
mem_copy=0x7ffff44768a0 <__memcpy_avx_unaligned>) at
intel_tiled_memcpy.c:364
#2 0x00007fffe91909bd in ytiled_to_linear_faster (x0=0, x1=0, x2=128, x3=128,
y0=0, y1=32,
dst=0x5fa8400 ..., src=0x7fffe389e000 <error: Cannot access memory at
address 0x7fffe389e000>, dst_pitch=512, swizzle_bit=0,
// invalid src 0x7fffe389e000. In fact, 0x7fffe389e000-1 is the last valid
byte.
mem_copy=0x7ffff44768a0 <__memcpy_avx_unaligned>) at
intel_tiled_memcpy.c:521
#3 0x00007fffe91910a0 in tiled_to_linear (xt1=0, xt2=512, yt1=0, yt2=64,
dst=0x5fa4300 ...,
src=0x7fffe389a000 ..., dst_pitch=512, src_pitch=256, has_swizzling=false,
tiling=2,
mem_copy=0x7ffff44768a0 <__memcpy_avx_unaligned>) at
intel_tiled_memcpy.c:715
#4 0x00007fffe91892db in intel_readpixels_tiled_memcpy (ctx=0x243bb40,
xoffset=0, yoffset=0, width=128,
height=64, format=6408, type=5121, pixels=0x5fa4300, pack=0x2456d00) at
intel_pixel_read.c:199
#5 0x00007fffe9189495 in intelReadPixels (ctx=0x243bb40, x=0, y=0, width=128,
height=64, format=6408,
type=5121, pack=0x2456d00, pixels=0x5fa4300) at intel_pixel_read.c:257
#6 0x00007fffe8da5147 in _mesa_ReadnPixelsARB (x=0, y=0, width=128, height=64,
format=6408, type=5121,
bufSize=2147483647, pixels=0x5fa4300) at main/readpix.c:1088
#7 0x00007fffe8da5198 in _mesa_ReadPixels (x=0, y=0, width=128, height=64,
format=6408, type=5121,
pixels=0x5fa4300) at main/readpix.c:1096
#8 0x0000000000a9cfd9 in FramebufferManager::PackFramebufferSync_
(this=0x3c2e2a0, vfb=0x6722c70, x=0, y=0,
w=128, h=64) at ppsspp-git/src/ppsspp/GPU/GLES/Framebuffer.cpp:1691
#9 0x0000000000a9bc4e in FramebufferManager::ReadFramebufferToMemory
(this=0x3c2e2a0, vfb=0x66fcb90,
sync=true, x=0, y=0, w=128, h=64)
at ppsspp-git/src/ppsspp/GPU/GLES/Framebuffer.cpp:1293</pre>
</div>
</p>
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are the QA Contact for the bug.</li>
</ul>
</body>
</html>