[Mesa-dev] [PATCH] i965: Fix segfault in WebGL Conformance on Ivybridge (v2)

Chad Versace chad.versace at linux.intel.com
Tue Nov 18 16:06:12 PST 2014 

Fixes regression of WebGL Conformance test texture-size-limit [1] on
Ivybridge Mobile GT2 0x0166 with Google Chrome R38.

Regression introduced by

    commit 6c044231535b93c5d16404528946cad618d96bd9
    Author: Kenneth Graunke <kenneth at whitecape.org>
    Date:   Sun Feb 2 02:58:42 2014 -0800

        i965: Bump GL_MAX_CUBE_MAP_TEXTURE_SIZE to 8192.

The test regressed because the pointer offset arithmetic in
intel_miptree_map_gtt() overflows for large textures. The pointer
arithmetic is not 64-bit safe.

[1] https://github.com/KhronosGroup/WebGL/blob/52f0dc240f04dce31b1b8e2b8107fe2b8332dc90/sdk/tests/conformance/textures/texture-size-limit.html

Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=78770
Fixes: Intel CHRMOS-1377
Reported-by: Lu Hua <huax.lu at intel.com>
Signed-off-by: Chad Versace <chad.versace at linux.intel.com>
---

v2:
    - Simplify diff. Change types of x,y to intptr_t instead of casting
        intermediate arithmetic expressions to intptr_t.
    - Remove big TODO comment, because my original TODO comment might be the
        wrong thing to do :/

 src/mesa/drivers/dri/i965/intel_mipmap_tree.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/mesa/drivers/dri/i965/intel_mipmap_tree.c b/src/mesa/drivers/dri/i965/intel_mipmap_tree.c
index 8fda25d..7081f1d 100644
--- a/src/mesa/drivers/dri/i965/intel_mipmap_tree.c
+++ b/src/mesa/drivers/dri/i965/intel_mipmap_tree.c
@@ -1745,8 +1745,8 @@ intel_miptree_map_gtt(struct brw_context *brw,
    unsigned int bw, bh;
    void *base;
    unsigned int image_x, image_y;
-   int x = map->x;
-   int y = map->y;
+   intptr_t x = map->x;
+   intptr_t y = map->y;
 
    /* For compressed formats, the stride is the number of bytes per
     * row of blocks.  intel_miptree_get_image_offset() already does
@@ -1772,7 +1772,8 @@ intel_miptree_map_gtt(struct brw_context *brw,
       map->ptr = base + y * map->stride + x * mt->cpp;
    }
 
-   DBG("%s: %d,%d %dx%d from mt %p (%s) %d,%d = %p/%d\n", __FUNCTION__,
+   DBG("%s: %d,%d %dx%d from mt %p (%s) "
+       "%"PRIiPTR",%"PRIiPTR" = %p/%d\n", __FUNCTION__,
        map->x, map->y, map->w, map->h,
        mt, _mesa_get_format_name(mt->format),
        x, y, map->ptr, map->stride);
-- 
2.1.0-rc0

More information about the mesa-dev mailing list