#149 segfault running viewperf on XPERT 128 PCI

ATI OpenGL (71)

Redhat 6.1
kernel 2.2.12
kit: dri-snapshot-2000-06-28.tar.gz
300 MHz Pentium II

Running the first test in the viewperf script DX-05.csh results in a segfault. Here's the call stack:

#0 0x40225ea4 in chunk_free (ar_ptr=0x402ba040, p=0x810d2f0) at malloc.c:3036
#1 0x40225d75 in __libc_free (mem=0x810d2f8) at malloc.c:2959
#2 0x404d67e4 in r128_fire_ring_locked (r128ctx=0x81033f8) at r128_cce.c:193
#3 0x404d7031 in r128FlushVerticesLocked (r128ctx=0x81033f8) at r128_cce.h:145
#4 0x404d6e76 in r128AllocVertexDwordsInlined (r128ctx=0x81033f8, dwords=24) at r128_cce.h:168
#5 0x404d6825 in r128AllocVertexDwords (r128ctx=0x81033f8, dwords=24) at r128_cce.c:204
#6 0x40508468 in triangle (ctx=0x80de5e8, e0=4, e1=5, e2=6, pv=6) at r128_tritmp.h:47
#7 0x40505425 in quad (ctx=0x80de5e8, v0=3, v1=4, v2=5, v3=6, pv=6) at r128_tritmp.h:131
#8 0x404bddfa in render_vb_quads_raw (VB=0x80ddf70, start=3, count=7, parity=0) at render_tmp.h:234
#9 0x404bee70 in gl_render_vb (VB=0x80ddf70) at vbrender.c:696
#10 0x403fc880 in gl_run_pipeline (VB=0x80ddf70) at pipeline.c:493
#11 0x404c355a in gl_execute_cassette (ctx=0x80de5e8, IM=0x80f4410) at vbxform.c:957
#12 0x40358db0 in gl_cva_compile_cassette (ctx=0x80de5e8, IM=0x80f4410) at cva.c:764
#13 0x404bf6ad in gl_maybe_transform_vb (IM=0x80f4410) at vbxform.c:74
#14 0x404bf73c in gl_flush_vb (ctx=0x80de5e8, where=0x40516420 "glShadeModel") at vbxform.c:92
#15 0x403c471d in _mesa_ShadeModel (mode=7424) at light.c:55
#16 0x805177f in title_screen ()
warning: find_solib: Can't read pathname for load map: Input/output error

The segfault appears to be happening because r128_fire_ring_locked is freeing a block of memory that when allocated had a size of 0. There appear to be two questions that need to be answered to fix this problem.

1. Why, when malloc was called with a size of 0 (r128scrn->vbBufSize=0) in r128_get_ring_locked, did it return a non-null pointer? The man page on malloc clearly states that a malloc(0) should return a null pointer.

2. Why does r128_fire_ring_locked copy data in a memory region that was malloc'ed with the size of 0?


  • Bruce Stockwell

    Bruce Stockwell - 2000-06-30

    re 1: It's realloc that will return a null pointer, not malloc. Sorry for the confusion.

    re 2: The data is actually copied to a badly allocated buffer in the function "triangle".

    It looks to me that the problem stems from the fact that r128scrn->vbBufSize is 0. The code appears to assume that vbBufSize will always be non-zero.

  • Gareth Hughes

    Gareth Hughes - 2000-07-01
    • assigned_to: nobody --> gareth
    • status: open --> open-fixed
  • Gareth Hughes

    Gareth Hughes - 2000-07-01

    I've fixed the vbBufSize settings, the X server wasn't initializing this for PCI cards. The driver will now malloc a non-zero fake vertex buffer and use that.

    Please test the latest trunk code to verify that it works for you.
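
The failure mode this report describes (a vertex buffer sized from vbBufSize=0, filled by triangle, then freed in r128_fire_ring_locked) and the shape of the fix above (a non-zero fallback buffer plus a capacity check before vertices are copied), as an added C example that is not the DRI driver's code: vb_ring_t, vb_scenario, VB_FALLBACK_DWORDS and the 1024-dword fallback size are constructed names and values.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical stand-in for the driver's vertex ring; not the r128 code. */
typedef struct { uint32_t *buf; size_t size, used; } vb_ring_t;
#define VB_FALLBACK_DWORDS 1024  /* used when the server reports 0 (constructed) */
/* Never pass 0 to malloc: C leaves malloc(0) implementation-defined, and glibc
 * returns a non-NULL pointer to its smallest chunk, so copying 24 vertex dwords
 * into it overruns the chunk, clobbers heap metadata, and free() later aborts
 * in chunk_free. Substitute a known non-zero size instead, as the fix did. */
int vb_ring_init(vb_ring_t *r, size_t reported_dwords)
{
    r->size = reported_dwords ? reported_dwords : VB_FALLBACK_DWORDS;
    r->used = 0;
    r->buf = malloc(r->size * sizeof *r->buf);
    return r->buf ? 0 : -1;
}

/* Reserve n dwords; NULL means "does not fit", so the caller fires the ring
 * first instead of copying past the end of the block. */
uint32_t *vb_ring_alloc(vb_ring_t *r, size_t n)
{
    if (n > r->size || r->used + n > r->size)
        return NULL;
    uint32_t *p = r->buf + r->used;
    r->used += n;
    return p;
}

void vb_ring_fire(vb_ring_t *r) { r->used = 0; }  /* stand-in for the hw submit */
void vb_ring_free(vb_ring_t *r) { free(r->buf); r->buf = NULL; r->size = r->used = 0; }
/* Push `tris` triangles of `dwords` each through a ring the server sized at
 * `reported`. Returns the number of fires, or -1 if a triangle can never fit. */
int vb_scenario(size_t reported, size_t dwords, int tris)
{
    vb_ring_t r; int fires = 0;
    if (vb_ring_init(&r, reported) != 0) return -1;
    for (int i = 0; i < tris; i++) {
        uint32_t *v = vb_ring_alloc(&r, dwords);
        if (!v) {                              /* ring full: fire, then retry once */
            vb_ring_fire(&r); fires++;
            v = vb_ring_alloc(&r, dwords);
            if (!v) { vb_ring_free(&r); return -1; }
        }
        for (size_t k = 0; k < dwords; k++) v[k] = (uint32_t)(i * dwords + k);
    }
    vb_ring_free(&r);
    return fires;
}
```

With vbBufSize reported as 0, the fallback ring takes 42 triangles of 24 dwords before it must fire; the unchecked path would instead have written all of them through a malloc(0) pointer.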

  • Gareth Hughes

    Gareth Hughes - 2000-08-18

    Fixed in ati-4-1-1-branch.

    -- Gareth

  • Gareth Hughes

    Gareth Hughes - 2000-08-18
    • status: open-fixed --> closed-fixed
