[Mesa-dev] [Bug 88662] unaligned access to gl_dlist_node

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Wed Jan 21 05:27:57 PST 2015 

https://bugs.freedesktop.org/show_bug.cgi?id=88662

            Bug ID: 88662
           Summary: unaligned access to gl_dlist_node
           Product: Mesa
           Version: 10.4
          Hardware: SPARC
                OS: OpenBSD
            Status: NEW
          Severity: normal
          Priority: medium
         Component: Mesa core
          Assignee: mesa-dev at lists.freedesktop.org
          Reporter: jsg at openbsd.org
        QA Contact: mesa-dev at lists.freedesktop.org

As part of testing for an update to Mesa 10.4 in OpenBSD Matthieu Herrb found
an alignment related crash with classic swrast on mips64el.  I've also
reproduced this on sparc64 which also has a requirement for strict 8 byte
pointer alignment.

As tracked down by Mark Kettenis since 483dc973c431cadec69b36e58a4559c734a7ef16
union gl_dlist_node no longer has a pointer in it so pointers returned from 
_mesa_dlist_alloc are only guaranteed to be 4 byte aligned.

_mesa_dlist_alloc(struct gl_context *ctx, GLuint opcode, GLuint bytes)
{
   Node *n = dlist_alloc(ctx, (OpCode) opcode, bytes);
   if (n)
      return n + 1;  /* return pointer to payload area, after opcode */
   else
      return NULL;
}

commit 483dc973c431cadec69b36e58a4559c734a7ef16
Author: Brian Paul <brianp at vmware.com>
Date:   Wed Dec 4 09:45:38 2013 -0700

    mesa: remove gl_dlist_node::next pointer to reduce dlist memory use

    Now, sizeof(gl_dlist_node)==4 even on 64-bit systems.  This can
    halve the memory used by some display lists on 64-bit systems.

    Reviewed-by: Ian Romanick <ian.d.romanick at intel.com>

0x000000c387368914 in _save_compile_vertex_list (ctx=0xc3532de000)
    at
/usr/xenocara/lib/libGL/mesa/libmesa/../../../../dist/Mesa/src/mesa/vbo/vbo_save_api.c:393
393        node->prim = save->prim;
(gdb) bt
#0  0x000000c387368914 in _save_compile_vertex_list (ctx=0xc3532de000)
    at
/usr/xenocara/lib/libGL/mesa/libmesa/../../../../dist/Mesa/src/mesa/vbo/vbo_save_api.c:393
#1  0x000000c387396914 in vbo_save_SaveFlushVertices (ctx=0xc3532de000)
    at
/usr/xenocara/lib/libGL/mesa/libmesa/../../../../dist/Mesa/src/mesa/vbo/vbo_save_api.c:1421
#2  0x000000c387501fd0 in save_Attr3fNV (attr=2, x=0, y=0, z=-1)
    at
/usr/xenocara/lib/libGL/mesa/libmesa/../../../../dist/Mesa/src/mesa/main/dlist.c:5062
#3  0x000000c37fefe188 in glNormal3f (nx=0, ny=0, nz=-1) at
glapi_mapi_tmp.h:1920
#4  0x000000c0abc02d7c in atexit () from /usr/X11R6/bin/glxgears

(gdb) p node
$1 = (struct vbo_save_vertex_list *) 0xc35bf3ac3c
(gdb) p (uint64_t)node % 8
$2 = 4
(gdb) p save
$3 = (struct vbo_save_context *) 0xc37b53d5a8
(gdb) p (uint64_t)save % 8
$4 = 0
(gdb) p &node->prim
$6 = (struct _mesa_prim **) 0xc35bf3ad44
(gdb) p (uint64_t)&node->prim % 8
$7 = 4
(gdb) p &save->prim
$8 = (struct _mesa_prim **) 0xc37b53e968
(gdb) p (uint64_t)&save->prim % 8
$9 = 0

Adding a void * pointer back to gl_dlist_node prevents the crash.

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freedesktop.org/archives/mesa-dev/attachments/20150121/a0481734/attachment-0001.html>

More information about the mesa-dev mailing list