[Mesa-dev] Bogus bounds checking in api_validate.c?

Timothy Arceri t_arceri at yahoo.com.au
Mon Nov 10 12:12:00 PST 2014 

On Mon, 2014-11-10 at 06:09 -0800, Ian Romanick wrote:
> On 11/06/2014 11:40 PM, Kenneth Graunke wrote:
> > On Thursday, November 06, 2014 08:09:18 PM Ian Romanick wrote:
> >> While working on some other things, I came across some bounds checking
> >> code in _mesa_validate_DrawElements (and related functions) in
> >> api_validate.c.
> >>
> >>       /* use indices in the buffer object */
> >>       /* make sure count doesn't go outside buffer bounds */
> >>       if (index_bytes(type, count) > ctx->Array.VAO->IndexBufferObj->Size) {
> >>          _mesa_warning(ctx, "glDrawElements index out of buffer bounds");
> >>          return GL_FALSE;
> >>       }
> >>
> >> index_bytes calculates how many bytes of data "count" indices will
> >> occupy based on the type.  The problem is that this doesn't consider
> >> the base pointer.  As far as I can tell, if I had a 64 byte buffer
> >> object for my index data, and I did
> >>
> >>     glDrawElements(GL_POINTS, 16, GL_UNSIGNED_INT, 60);
> >>
> >> _mesa_validate_DrawElements would say, "Ok!"
> >>
> >> Am I missing something, or is this just broken?
> > 
> > It sure seems broken to me - but, thankfully, in a conservative fashion.  (It 
> > will say some invalid things are OK, but won't say legal things are invalid.)
> > 
> > Software drivers may be relying on this working to avoid a crash.
> > 
> > I checked the Ivybridge documentation, and found:
> > 
> > "Software is responsible for ensuring that accesses outside the IB do not
> >  occur. This is possible as software can compute the range of IB values
> >  referenced by a 3DPRIMITIVE command (knowing the StartVertexLocation,
> >  InstanceCount, and VerticesPerInstance values) and can then compare this
> >  range to the IB extent."
> > 
> > which makes it sound like an accurate computation is necessary.  But, right 
> > below that, it says:
> > 
> > "this field contains the address of the last valid byte in the index buffer.
> >  Any index buffer reads past this address returns an index value of 0 (as if
> >  the index buffer was zero-extended)."
> > 
> > So the earlier statement is false; i965 will draw the in-bounds elements 
> > correctly, and then repeat element 0 over and over for any out-of-bounds data, 
> > resulting in one strange primitive and a lot of degenerate ones.
> > 
> > It's proabbly worth fixing, but I doubt it's critical either.
> 
> Hmm... I came across this while looking at cachegrind traces of GL
> applications.  Time spent in _mesa_validate_Draw* was non-trivial.
> Since at least some hardware doesn't need this check, I think I want to
> move it down into drivers that actually need the check... which is kind
> of a bummer since I came up with a clever optimization for index_bytes.

I'm not sure what applications you looked at in cachegrind but OpenArena
and Nexuiz both spend a lot of time in here. On my Ivybridge:

OpenArena 5.4% out of a total 27.94% in i965_dri.so
Nexuiz 3.28% out of a total of 29.4% in i965_dri.so

For those not up to speed are you able to give a one line explanation of
why some hardware can get away without this check?

> 
> > A more interesting thing to fix, I think, would be enforcing alignment 
> > restrictions (i.e. your offset has to be a multiple of the IB element size).
> 
> That would probably be useful in debug builds, but I'm pretty sure the
> GL spec says the behavior is undefined specifically to avoid the check
> in the hot path.
> 
> > --Ken
> 
> 
> _______________________________________________
> mesa-dev mailing list
> mesa-dev at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/mesa-dev

More information about the mesa-dev mailing list