NetBSD-Bugs archive
Re: port-sparc/58120: xeyes dies with bus error/core dump on 10.0
The following reply was made to PR port-sparc/58120; it has been noted by GNATS.
From: Martin Husemann <martin%duskware.de@localhost>
To: gnats-bugs%NetBSD.org@localhost
Cc:
Subject: Re: port-sparc/58120: xeyes dies with bus error/core dump on 10.0
Date: Fri, 12 Apr 2024 16:45:09 +0200
This is also reproducible on -current:
(gdb) bt
#0 0xe5eaaa84 in wireToRawEvent (cookie=<optimized out>, in=0xe58d62d0,
info=<optimized out>)
at /work/xsrc/external/mit/libXi/dist/src/XExtInt.c:1993
#1 XInputWireToCookie (dpy=<optimized out>, cookie=<optimized out>,
event=0xe58d62d0) at /work/xsrc/external/mit/libXi/dist/src/XExtInt.c:1008
#2 0xe5cc5858 in _XEnq (dpy=0xe5af6000, event=0xe58d62d0)
at /work/xsrc/external/mit/libX11/dist/src/XlibInt.c:771
#3 0xe5c9adb4 in handle_response (dpy=<optimized out>, response=0xe58d62d0,
in_XReply=0) at /work/xsrc/external/mit/libX11/dist/src/xcb_io.c:417
#4 0xe5c9b5dc in _XEventsQueued (mode=1, dpy=0xe5af6000)
at /work/xsrc/external/mit/libX11/dist/src/xcb_io.c:442
#5 _XEventsQueued (dpy=0xe5af6000, mode=1)
at /work/xsrc/external/mit/libX11/dist/src/xcb_io.c:423
#6 0xe5c58ba4 in XEventsQueued (dpy=0xe5af6000, mode=1)
at /work/xsrc/external/mit/libX11/dist/src/Pending.c:43
#7 0xe5e2f704 in FindInputs (nfds=<optimized out>,
found_input=<optimized out>, dpy_no=<optimized out>,
ignoreInputs=<optimized out>, ignoreEvents=<optimized out>,
wf=<optimized out>, app=<optimized out>)
at /work/xsrc/external/mit/libXt/dist/src/NextEvent.c:404
#8 _XtWaitForSomething (app=0xe5b5a000, ignoreEvents=<optimized out>,
ignoreTimers=<optimized out>, ignoreInputs=<optimized out>,
ignoreSignals=<optimized out>, block=<optimized out>, drop_lock=0 '\000',
howlong=<optimized out>)
at /work/xsrc/external/mit/libXt/dist/src/NextEvent.c:754
#9 0xe5e30f40 in XtAppProcessEvent (app=0xe5b5a000, mask=15)
at /work/xsrc/external/mit/libXt/dist/src/NextEvent.c:1419
#10 0xe5e3ed90 in XtAppMainLoop (app=0xe5b5a000)
at /work/xsrc/external/mit/libXt/dist/src/Event.c:1618
#11 0x000139e0 in main (argc=<optimized out>, argv=<optimized out>)
at /work/xsrc/external/mit/xeyes/dist/xeyes.c:145
(gdb) x/16i $pc-32
0xe5eaaa64 <XInputWireToCookie+584>: ldd [ %g1 ], %f14
0xe5eaaa68 <XInputWireToCookie+588>: fmovs %f14, %f12
0xe5eaaa6c <XInputWireToCookie+592>: b 0xe5eaaa78 <XInputWireToCookie+604>
0xe5eaaa70 <XInputWireToCookie+596>: fmovs %f15, %f13
0xe5eaaa74 <XInputWireToCookie+600>: ld [ %i0 + 0x34 ], %i3
0xe5eaaa78 <XInputWireToCookie+604>: sll %g2, 3, %g1
0xe5eaaa7c <XInputWireToCookie+608>: ld [ %i2 ], %f8
0xe5eaaa80 <XInputWireToCookie+612>: fitod %f8, %f8
=> 0xe5eaaa84 <XInputWireToCookie+616>: std %f8, [ %i3 + %g1 ]
0xe5eaaa88 <XInputWireToCookie+620>: ld [ %i2 + 4 ], %i3
0xe5eaaa8c <XInputWireToCookie+624>: ld [ %i2 + 4 ], %f8
0xe5eaaa90 <XInputWireToCookie+628>: cmp %i3, 0
0xe5eaaa94 <XInputWireToCookie+632>: fitod %f8, %f8
0xe5eaaa98 <XInputWireToCookie+636>:
bge 0xe5eaaab4 <XInputWireToCookie+664>
0xe5eaaa9c <XInputWireToCookie+640>: ld [ %i0 + 0x34 ], %g3
0xe5eaaaa0 <XInputWireToCookie+644>: sethi %hi(0), %i3
(gdb) info registers
g0 0x0 0
g1 0x0 0
g2 0x0 0
g3 0x0 0
g4 0x10 16
g5 0xe5b399e0 -441214496
g6 0x0 0
g7 0xe5b76b58 -440964264
o0 0xe57fa88c -444618612
o1 0xe58d62f8 -443718920
o2 0x8 8
o3 0xe5b76130 -440966864
o4 0x8 8
o5 0x0 0
sp 0xe7fff0e8 0xe7fff0e8
o7 0xe5eaaa28 -437605848
l0 0x51 81
l1 0xe58d62f0 -443718928
l2 0x2 2
l3 0xe838a400 -398941184
l4 0xf096a9c0 -258561600
l5 0x0 0
l6 0x0 0
l7 0xe5ebd45c -437529508
i0 0xe57fa850 -444618672
i1 0x1c5ffd6 29753302
i2 0xe58d62f8 -443718920
i3 0xe57fa894 -444618604
i4 0x14 20
i5 0x2 2
fp 0xe7fff168 0xe7fff168
i7 0xe5cc5850 -439592880
y 0x0 0
psr 0x4001085 [ S EF ]
wim <unavailable>
tbr <unavailable>
pc 0xe5eaaa84 0xe5eaaa84 <XInputWireToCookie+616>
npc 0xe5eaaa88 0xe5eaaa88 <XInputWireToCookie+620>
fsr 0x80020 [ NXC ]
csr <unavailable>
values = (FP3232*)(((char*)&in[1]) + in->valuators_len * 4);
for (i = 0; i < bits; i++)
{
out->valuators.values[i] = values->integral;
out->valuators.values[i] += ((double)values->frac / (1 << 16) / (1 << 16));
(gdb) p &out->valuators.values[i]
$11 = (double *) 0xe57fa894
So output is not properly aligned for a double value.
A few lines before:
out->valuators.values = next_block(&ptr, bits * sizeof(double));
and
(gdb) p bits
$13 = 2
and next_block() does not care about alignment, but just moves the ptr
forward by the size given.
So first next_block() advances by sizeof(XIRawEvent)
(gdb) p sizeof(XIRawEvent)
$14 = 60
next one by out->valuators.mask_len
(gdb) p out->valuators.mask_len
$15 = 8
and that is the only-4-byte aligned offset we try to write the double to.
Martin
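
The offset arithmetic from the message above, as an added example that is not part of the original mail and is not libXi code: it lays out the header, the mask and the double array with a bump cursor, once without alignment and once rounding up to 8 bytes. The helper names and the 8-byte aligned buffer start are assumptions; the sizes 60, 8 and 2 are the gdb values quoted in the message.

```c
#include <stddef.h>
#include <stdio.h>

#define HDR_SIZE   60u  /* sizeof(XIRawEvent) as printed by gdb in the message */
#define MASK_LEN    8u  /* out->valuators.mask_len from the message */
#define BITS        2u  /* number of valuators (bits) from the message */
#define DBL_ALIGN   8u  /* SPARC std/ldd need an 8-byte aligned address */

/* Hypothetical stand-in for the behaviour described: bump by size only. */
static size_t carve_plain(size_t *off, size_t size)
{
    size_t start = *off;
    *off += size;
    return start;
}

/* Same, but first round the cursor up to `align` (a power of two). */
static size_t carve_aligned(size_t *off, size_t size, size_t align)
{
    size_t start = (*off + align - 1) & ~(align - 1);
    *off = start + size;
    return start;
}

/* Lay out header, mask, then the double array; return the array's offset
 * and store the total bytes the buffer must hold in *total. */
size_t values_offset(int align_doubles, size_t *total)
{
    size_t off = 0, values;
    carve_plain(&off, HDR_SIZE);
    carve_plain(&off, MASK_LEN);
    values = align_doubles
        ? carve_aligned(&off, BITS * sizeof(double), DBL_ALIGN)
        : carve_plain(&off, BITS * sizeof(double));
    *total = off;
    return values;
}

int main(void)
{
    size_t total, v;
    v = values_offset(0, &total);
    printf("plain:   values at +%zu (mod 8 = %zu), buffer %zu bytes\n", v, v % DBL_ALIGN, total);
    v = values_offset(1, &total);
    printf("aligned: values at +%zu (mod 8 = %zu), buffer %zu bytes\n", v, v % DBL_ALIGN, total);
    return 0;
}
```

The aligned layout needs 88 bytes instead of 84, so any code that sizes the buffer has to round in the same way, otherwise the last double is written past the end of the allocation.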