http://bugs.freedesktop.org/show_bug.cgi?id=22512

           Summary: SIGFPE in _mesa_sse_transform_points3_3d_no_rot
           Product: Mesa
           Version: unspecified
          Platform: Other
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: medium
         Component: Mesa core
        AssignedTo: mesa3d-dev@lists.sourceforge.net
        ReportedBy: arthur.huil...@free.fr


Hi,

MESA 7.4 crashes with a SIGFPE in _mesa_sse_transform_points3_3d_no_rot.
This can be reproduced with the FreedroidRPG game, and maybe other
applications.

Here is the relevant information:

Program received signal SIGFPE, Arithmetic exception.
[Switching to Thread 0xa7a6c6d0 (LWP 5471)]
0xa6f7d2e3 in _mesa_sse_transform_points3_3d_no_rot () from /usr/lib/xorg/modules/dri/libdricore.so
(gdb) print $xmm0
$1 = {v4_float = {556, 148, -nan(0x32b2b2), -nan(0x32b2b2)},
  v2_double = {1407375168946176, -1.3130212884391347e+307},
  v16_int8 = {0, 0, 11, 68, 0, 0, 20, 67, -78, -78, -78, -1, -78, -78, -78, -1},
  v8_int16 = {0, 17419, 0, 17172, -19790, -78, -19790, -78},
  v4_int32 = {1141571584, 1125384192, -5066062, -5066062},
  v2_int64 = {4833488301216956416, -21758566319607118},
  uint128 = 0xffb2b2b2ffb2b2b243140000440b0000}
(gdb) bt
#0  0xa6f7d2e3 in _mesa_sse_transform_points3_3d_no_rot () from /usr/lib/xorg/modules/dri/libdricore.so
#1  0xa6edb732 in run_vertex_stage () from /usr/lib/xorg/modules/dri/libdricore.so
#2  0xa6ecfc53 in _tnl_run_pipeline () from /usr/lib/xorg/modules/dri/libdricore.so
#3  0xa702fda9 in intelRunPipeline () from /usr/lib/xorg/modules/dri/i915_dri.so
#4  0xa6ed096c in _tnl_draw_prims () from /usr/lib/xorg/modules/dri/libdricore.so
#5  0xa6ec7374 in vbo_exec_vtx_flush () from /usr/lib/xorg/modules/dri/libdricore.so
#6  0xa6ec307e in vbo_exec_wrap_buffers () from /usr/lib/xorg/modules/dri/libdricore.so
#7  0xa6ec320c in vbo_exec_fixup_vertex () from /usr/lib/xorg/modules/dri/libdricore.so
#8  0xa6ec3dd0 in vbo_Color4f () from /usr/lib/xorg/modules/dri/libdricore.so
#9  0xa6e0f21f in loopback_Color4ub_f () from /usr/lib/xorg/modules/dri/libdricore.so

As you can see, %xmm0 has two of its values at NaN.
The crash occurs on the following instruction:

0xa6f7d2e3 <_mesa_sse_transform_points3_3d_no_rot+103>: mulps  %xmm1,%xmm0


As you can see, we are trying to multiply the *full* xmm0 register with xmm1,
but we have only loaded half of it, and the upper quadword is left to whatever
values were before. Multiplying four floats when only two were loaded is
dangerous.

I believe _mesa_sse_transform_points3_3d_no_rot should carefully zero the upper
quadword of xmm0 instead of relying on it not containing invalid values.

I cheat in the application by zeroing out the xmm0 register so it contains no
NaN, but it's obviously a dirty workaround.

Thanks.
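The following is an added example, not Mesa code and not from the reporter: it reproduces the arithmetic pattern described in the report with SSE intrinsics. It loads only x and y of a vertex into a register (movlps semantics via _mm_loadl_pi) whose upper two lanes still hold the 0xffb2b2b2 pattern from the gdb dump, which is a signaling NaN (exponent bits all ones, quiet bit 22 clear), performs a full-width mulps, and then reads the MXCSR invalid-operation flag. It then repeats the multiply with the upper quadword zeroed first, which is the fix proposed above. The flag is set in the first case and clear in the second. Whether the flag becomes a SIGFPE depends on the invalid-operation exception being unmasked in MXCSR, which the SIGFPE in the report implies was the case in FreedroidRPG; reading the sticky flag observes the same fault without enabling traps. The scale vector, the vertex (x=556, y=148 from the dump), the helper names and the non-x86 fallback (scalar lanes checked through <fenv.h>) are assumptions of this example.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#if defined(__SSE__)
#include <xmmintrin.h>   /* __m128, _mm_loadl_pi, _mm_mul_ps, _mm_getcsr/_mm_setcsr */
#else
#include <fenv.h>        /* assumed fallback for non-x86: scalar lanes, flags via fenv */
#endif

/* Upper-lane bit pattern taken from the gdb dump in the report (0xffb2b2b2).
 * Exponent bits all ones and quiet bit (bit 22) clear: a signaling NaN, so
 * any arithmetic on it raises the invalid-operation exception.  volatile
 * keeps the compiler from folding the multiply away at build time. */
static volatile uint32_t stale_bits = 0xffb2b2b2u;

static float bits_to_float(uint32_t bits)
{
    float f;
    memcpy(&f, &bits, sizeof f);
    return f;
}

/* Sticky invalid-operation flag: MXCSR bit 0 (IE) on SSE, FE_INVALID elsewhere.
 * The flag is set even while the exception is masked, so this observes the
 * fault without turning it into a SIGFPE. */
static void clear_invalid_flag(void)
{
#if defined(__SSE__)
    _mm_setcsr(_mm_getcsr() & ~0x3fu);   /* bits 0-5 are the six exception flags */
#else
    feclearexcept(FE_INVALID);
#endif
}

static int invalid_flag_set(void)
{
#if defined(__SSE__)
    return (_mm_getcsr() & 0x1u) != 0;
#else
    return fetestexcept(FE_INVALID) != 0;
#endif
}

/* Multiply a point's x,y by the first two diagonal entries of a no-rotation
 * matrix.  Only two floats are loaded, as movlps does; lanes 2 and 3 of the
 * working register keep 'upper', whatever the register held before.
 * Returns 1 if the full-width multiply raised invalid-operation. */
static int scale_xy(const float xy[2], const float scale[4], float upper,
                    float out[4])
{
    clear_invalid_flag();
#if defined(__SSE__)
    __m128 reg = _mm_set_ps(upper, upper, 0.0f, 0.0f);        /* lanes 3,2 = stale */
    reg = _mm_loadl_pi(reg, (const __m64 *)xy);                /* lanes 0,1 = x,y */
    _mm_storeu_ps(out, _mm_mul_ps(reg, _mm_loadu_ps(scale)));  /* full-width mulps */
#else
    const float reg[4] = { xy[0], xy[1], upper, upper };
    for (int i = 0; i < 4; i++)
        out[i] = reg[i] * scale[i];
#endif
    return invalid_flag_set();
}

/* zero_upper == 0: the faulty sequence, stale sNaN lanes survive into mulps.
 * zero_upper != 0: the proposed fix, upper quadword zeroed before the multiply.
 * (556, 148) is the x,y pair from the dump; the scale vector is assumed. */
int run_case(int zero_upper, float out[4])
{
    const float xy[2] = { 556.0f, 148.0f };
    const float scale[4] = { 2.0f, 0.5f, 1.0f, 1.0f };
    float upper = zero_upper ? 0.0f : bits_to_float(stale_bits);
    return scale_xy(xy, scale, upper, out);
}

int case_raises_invalid(int zero_upper)
{
    float out[4];
    return run_case(zero_upper, out);
}

float case_lane(int zero_upper, int lane)
{
    float out[4];
    run_case(zero_upper, out);
    return out[lane];
}

int main(void)
{
    float out[4];
    int raised = run_case(0, out);
    printf("stale upper lanes : invalid=%d out={%g %g %g %g}\n",
           raised, out[0], out[1], out[2], out[3]);
    raised = run_case(1, out);
    printf("zeroed upper lanes: invalid=%d out={%g %g %g %g}\n",
           raised, out[0], out[1], out[2], out[3]);
    return 0;
}
```

Build with cc -O2 example.c on an x86 host (add -lm on targets that take the fenv fallback). The x,y results are identical in both runs; only the stale lanes differ, which is why the bug goes unnoticed until an application unmasks the invalid-operation exception and the otherwise silent flag becomes a trap.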

