[Mesa-dev] Bug in 48157b904a9 found by Coverity

Ilia Mirkin imirkin at alum.mit.edu
Wed Nov 19 09:42:45 PST 2014 

On Wed, Nov 19, 2014 at 12:28 PM, Damien Lespiau
<damien.lespiau at intel.com> wrote:
> On Wed, Nov 19, 2014 at 12:13:41PM -0500, Ilia Mirkin wrote:
>> Hey guys,
>>
>> Just got around to looking at the Coverity email about newly
>> introduced bugs, and this seems like a legit issue. Based on the
>> context of the code, I'm guessing you meant to do (input_index - 16)
>> << 1.
>
> Oh my. The proposed fix looks good, mind crafting a patch?

Probably best done by someone with access to the hardware/simulator or
who has read the specs (are the gen9 specs even public yet? haven't
checked).

As an aside, it seems like there can be 32 var varyings, and there are
a bunch of additional slots on top of that... not sure if you meant to
start at VARYING_SLOT_VAR0 or if you wanted all the varying slots, and
there's some sort of additional mechanism that makes sure that at most
32 can be set. [I guess this is for FS, so it can't have a whole lot
of other inputs, but gl_FragCoord comes to mind. Perhaps that counts
against the varying max.]

>
> --
> Damien
>
>>
>> Cheers,
>>
>>   -ilia
>>
>> ** CID 1251308:  Bad bit shift operation  (BAD_SHIFT)
>> /src/mesa/drivers/dri/i965/gen8_sf_state.c: 99 in upload_sbe()
>>
>> ________________________________________________________________________________________________________
>> *** CID 1251308:  Bad bit shift operation  (BAD_SHIFT)
>> /src/mesa/drivers/dri/i965/gen8_sf_state.c: 99 in upload_sbe()
>> 93              if (!(brw->fragment_program->Base.InputsRead &
>> BITFIELD64_BIT(attr)))
>> 94                 continue;
>> 95
>> 96              if (input_index < 16)
>> 97                 dw4 |= (GEN9_SBE_ACTIVE_COMPONENT_XYZW <<
>> (input_index << 1));
>> 98              else
>> >>>     CID 1251308:  Bad bit shift operation  (BAD_SHIFT)
>> >>>     In expression "3 << (input_index << 1)", left shifting by more than 31 bits has undefined behavior.  The shift amount, "input_index << 1", is 32.
>> 99                 dw5 |= (GEN9_SBE_ACTIVE_COMPONENT_XYZW <<
>> (input_index << 1));
>> 100
>> 101              ++input_index;
>> 102           }
>> 103        }
>> 104        BEGIN_BATCH(sbe_cmd_length);

More information about the mesa-dev mailing list