<html> <head> <base href="https://bugs.freedesktop.org/" /> </head> <body> <div> <a class="bz_bug_link bz_status_NEW " title="NEW --- - [REGRESSION,swrast] Memory-related crash with anti-aliasing enabled" href="https://bugs.freedesktop.org/show_bug.cgi?id=72926#c11">Comment # 11</a> on <a class="bz_bug_link bz_status_NEW " title="NEW --- - [REGRESSION,swrast] Memory-related crash with anti-aliasing enabled" href="https://bugs.freedesktop.org/show_bug.cgi?id=72926">bug 72926</a> from <a class="email" href="mailto:sroland@vmware.com" title="Roland Scheidegger <sroland@vmware.com>"> Roland Scheidegger</a> <pre>(In reply to <a href="show_bug.cgi?id=72926#c10">comment #10</a>) > Here is a small test program that crashes with Mesa 10.0 (and master). On > startup, it immediately crashes. A heap-buffer-overflow according to ASAN. > > Some notes: > - It has something to do with anti-aliasing (with GL_LINE_SMOOTH disabled, > it runs fine). Ahh yes this makes sense, this must be due to the additional pipeline stage draw injects for smooth lines (probably would crash with other additional pipeline stages too, not just the one for aa lines). I suspect the interaction with front face injection and those additional stages is just broken, as this probably wasn't tested all that much. > - The problem is probably related to negative vertices and clipping. If the > triangle vertex (-10,100) is changed to (-1,100), it still crashes but > (0,100) is fine. > - It is an combination of vertices, if I remove two vertices for GL_LINES, > then it won't crash. > > Another hint is the following assertion failure when replacing GL_LINES by > GL_POINTS: > > lp_setup_vbuf.c:112:lp_setup_unmap_vertices: Assertion > `setup->vertex_buffer_size >= (max_index+1) * setup->vertex_size' failed.</pre> </div> <hr> You are receiving this mail because: <ul> <li>You are the assignee for the bug.</li> </ul> </body> </html>