Nouveau - Jul 2019 - [Bug 111218] New: Segmentation fault in nv50_ir::NVC0LegalizeSSA::handleDIV when dividing result of textureSize

https://bugs.freedesktop.org/show_bug.cgi?id=111218

            Bug ID: 111218
           Summary: Segmentation fault in
                    nv50_ir::NVC0LegalizeSSA::handleDIV when dividing
                    result of textureSize
           Product: Mesa
           Version: 19.0
          Hardware: x86-64 (AMD64)
                OS: Linux (All)
            Status: NEW
          Severity: major
          Priority: medium
         Component: Drivers/DRI/nouveau
          Assignee: nouveau at lists.freedesktop.org
          Reporter: mmgrqnv at jadamspam.pl
        QA Contact: nouveau at lists.freedesktop.org

Created attachment 144869
  --> https://bugs.freedesktop.org/attachment.cgi?id=144869&action=edit
Source of small program and somewhat minimized shaders

Hi!

I was looking into a crash[1] in latest version of Blender, which turned out to
be a crash in the Nouveau shader code generator.
The crash occurs when linking shaders. I traced the crash to the following
lines in the shader code:

  ivec2 cell_co = ivec2(3, 2);
  int cell_per_row = textureSize(irradianceGrid, 0).x / cell_co.x;
  cell_co.x *= cell % cell_per_row;
  cell_co.y *= cell / cell_per_row;

The crash seems to occur when the result of dividing textureSize() value is
later used in division or modulo operations. Replacing the textureSize() call
with a constant avoids the crash. Replacing the division and modulo operations
with simple assignment (but keeping the first division / cell_co.x) also avoids
the crash.
This is the relevant stack trace:

(gdb) bt
#0  nv50_ir::NVC0LegalizeSSA::handleDIV (this=this at entry=0x7fffffffba50,
i=i at entry=0x555555e592c0) at
../src/gallium/drivers/nouveau/codegen/nv50_ir_lowering_nvc0.cpp:54
#1  0x00007ffff2e6b38b in nv50_ir::NVC0LegalizeSSA::visit (this=0x7fffffffba50,
bb=<optimized out>) at
../src/gallium/drivers/nouveau/codegen/nv50_ir_lowering_nvc0.cpp:334
#2  0x00007ffff2dc40d8 in nv50_ir::Pass::doRun (this=this at
entry=0x7fffffffba50,
func=<optimized out>, ordered=ordered at entry=false, skipPhi=skipPhi at
entry=true)
    at ../src/gallium/drivers/nouveau/codegen/nv50_ir_bb.cpp:495
#3  0x00007ffff2dc41b4 in nv50_ir::Pass::doRun (this=this at
entry=0x7fffffffba50,
prog=prog at entry=0x555555e6e9f0, ordered=ordered at entry=false,
skipPhi=skipPhi at entry=true)
    at ../src/gallium/drivers/nouveau/codegen/nv50_ir_bb.cpp:466
#4  0x00007ffff2dc4273 in nv50_ir::Pass::run (this=this at entry=0x7fffffffba50,
prog=prog at entry=0x555555e6e9f0, ordered=ordered at entry=false,
skipPhi=skipPhi at entry=true)
    at ../src/gallium/drivers/nouveau/codegen/nv50_ir_bb.cpp:457
#5  0x00007ffff2e66dd4 in nv50_ir::TargetNVC0::runLegalizePass
(this=<optimized
out>, prog=0x555555e6e9f0, stage=<optimized out>) at
../src/gallium/drivers/nouveau/codegen/nv50_ir_lowering_nvc0.cpp:3145
#6  0x00007ffff2dc150f in nv50_ir_generate_code
(info=info at entry=0x555555dcd9f0) at
../src/gallium/drivers/nouveau/codegen/nv50_ir.cpp:1265
#7  0x00007ffff2e0988a in nvc0_program_translate
(prog=prog at entry=0x555555d79fc0, chipset=<optimized out>,
debug=debug at entry=0x5555557a74c8) at
../src/gallium/drivers/nouveau/nvc0/nvc0_program.c:624
#8  0x00007ffff2e1121d in nvc0_sp_state_create (pipe=0x5555557a7100,
cso=0x7fffffffc490, type=1) at
../src/gallium/drivers/nouveau/nvc0/nvc0_state.c:605
#9  0x00007ffff3042963 in st_create_fp_variant (st=<optimized out>,
stfp=stfp at entry=0x555555d74db0, key=key at entry=0x7fffffffc630) at
../src/mesa/state_tracker/st_program.c:1231
#10 0x00007ffff3045253 in st_get_fp_variant (st=<optimized out>,
stfp=0x555555d74db0, key=0x7fffffffc630) at
../src/mesa/state_tracker/st_program.c:1258
#11 0x00007ffff3045a7c in st_precompile_shader_variant
(st=st at entry=0x5555557a4c10, prog=prog at entry=0x555555d74db0) at
../src/mesa/state_tracker/st_program.c:1965
#12 0x00007ffff30ece0b in st_program_string_notify (ctx=<optimized out>,
target=<optimized out>, prog=0x555555d74db0) at
../src/mesa/state_tracker/st_cb_program.c:250
#13 0x00007ffff3112f85 in st_link_shader (ctx=0x55555578aed0,
prog=0x5555557b6fd0) at ../src/mesa/state_tracker/st_glsl_to_tgsi.cpp:7461
#14 0x00007ffff30b5729 in _mesa_glsl_link_shader (ctx=ctx at
entry=0x55555578aed0,
prog=prog at entry=0x5555557b6fd0) at ../src/mesa/program/ir_to_mesa.cpp:3174
#15 0x00007ffff3000f8d in link_program (no_error=<optimized out>,
shProg=<optimized out>, ctx=<optimized out>) at
../src/mesa/main/shaderapi.c:1206
#16 link_program_error (ctx=0x55555578aed0, shProg=0x5555557b6fd0) at
../src/mesa/main/shaderapi.c:1286
#17 0x00005555555553f2 in test_compile ()
#18 0x000055555555586b in main ()

I attach a small program along with preprocessed and *somewhat* minimized
shader code that reproduces the problem on my computer. This code crashes 100%
of the time.

To reproduce the crash:
$ gcc -Wall -o shad shad.c -lX11 -lGL -lGLU -lGLEW
$ ./shad s0vert.i s1frag.i s2geom.i
Compilation successful!
Segmentation fault


System information:
Ubuntu 18.04.2 LTS
Linux-4.15.0-55-generic-x86_64
Graphics card: NVIDIA Corporation GF108 [GeForce GT 730] (rev a1)
Graphics card driver: NVC1 nouveau 4.3 (Core Profile) Mesa 19.0.2
Using GNOME under X
libgl1-mesa-dri: 19.0.2-1ubuntu1.1~18.04.2

The original Blender crash report along with full shader source dump can be
found here:
[1] https://developer.blender.org/T67534

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<https://lists.freedesktop.org/archives/nouveau/attachments/20190725/234e5e3b/attachment.html>

https://bugs.freedesktop.org/show_bug.cgi?id=111218

--- Comment #1 from Ilia Mirkin <imirkin at alum.mit.edu> ---
I suspect that the issue is that cell is 0 (perhaps it's in a loop
that's
unrolled). This is fixed by
https://cgit.freedesktop.org/mesa/mesa/commit/?id=7493fbf032f5bcbf4c48187bc089c9a34f04a1d5

Note that this will only happen in debug mesa builds.

-- 
You are receiving this mail because:
You are the assignee for the bug.
You are the QA Contact for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<https://lists.freedesktop.org/archives/nouveau/attachments/20190725/b9888a9b/attachment.html>

https://bugs.freedesktop.org/show_bug.cgi?id=111218

--- Comment #2 from mmgrqnv at jadamspam.pl ---
Hi! Thank you for the very quick response!

You are right! The value of cell was 0. Replacing that with 1 also avoids the
crash.
Do you know if there are any binary packages available that include that
commit?

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<https://lists.freedesktop.org/archives/nouveau/attachments/20190725/a2b41613/attachment.html>

https://bugs.freedesktop.org/show_bug.cgi?id=111218

--- Comment #3 from Ilia Mirkin <imirkin at alum.mit.edu> ---
(In reply to mmgrqnv from comment #2)
> Hi! Thank you for the very quick response!
> 
> You are right! The value of cell was 0. Replacing that with 1 also avoids
> the crash.
[By the way, implicit in that isn't just that it's 0, but that it's
statically
determinable to be 0.]
> Do you know if there are any binary packages available that include that
> commit?
Sorry, that's not my forté... I think there are some Ubuntu PPA's which
track
mesa master? Perhaps something for Fedora Rawhide? There are a thousand binary
distros, and I use none of them, so it's hard to keep track.

-- 
You are receiving this mail because:
You are the assignee for the bug.
You are the QA Contact for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<https://lists.freedesktop.org/archives/nouveau/attachments/20190725/54cc217e/attachment-0001.html>

https://bugs.freedesktop.org/show_bug.cgi?id=111218

--- Comment #4 from mmgrqnv at jadamspam.pl ---
I'm trying to build from source, but I can't get meson to produce the
nouveau_dri.so library. The documentation says:

  If you built the DRI hardware drivers, you'll also see the DRI drivers:
    -rwxr-xr-x   1 brian users 16895413 Jul 21 12:11 i915_dri.so
    -rwxr-xr-x   1 brian users 16895413 Jul 21 12:11 i965_dri.so
    -rwxr-xr-x   1 brian users 11849858 Jul 21 12:12 r200_dri.so
    -rwxr-xr-x   1 brian users 11757388 Jul 21 12:12 radeon_dri.so

... but that is not what I am seeing, the only libraries I get are:

  $ find . -iname "*dri*.so" 
  ./builddir/src/mesa/drivers/dri/libmesa_dri_drivers.so
  ./builddir/src/gallium/targets/dri/libgallium_dri.so

I tried:

  $ meson configure builddir/ -Ddri-drivers=nouveau -Dgallium-drivers=nouveau

but that does not help.
Could you please point me somewhere that explains how to get the nouveau_dri.so
library?

-- 
You are receiving this mail because:
You are the assignee for the bug.
You are the QA Contact for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<https://lists.freedesktop.org/archives/nouveau/attachments/20190726/e342169f/attachment.html>

https://bugs.freedesktop.org/show_bug.cgi?id=111218

--- Comment #5 from Ilia Mirkin <imirkin at alum.mit.edu> ---
(In reply to mmgrqnv from comment #4)
> I'm trying to build from source, but I can't get meson to produce
the
> nouveau_dri.so library. The documentation says:
> 
>   If you built the DRI hardware drivers, you'll also see the DRI
drivers:
>     -rwxr-xr-x   1 brian users 16895413 Jul 21 12:11 i915_dri.so
>     -rwxr-xr-x   1 brian users 16895413 Jul 21 12:11 i965_dri.so
>     -rwxr-xr-x   1 brian users 11849858 Jul 21 12:12 r200_dri.so
>     -rwxr-xr-x   1 brian users 11757388 Jul 21 12:12 radeon_dri.so
> 
> ... but that is not what I am seeing, the only libraries I get are:
> 
>   $ find . -iname "*dri*.so" 
>   ./builddir/src/mesa/drivers/dri/libmesa_dri_drivers.so
>   ./builddir/src/gallium/targets/dri/libgallium_dri.so
This looks correct.
> 
> I tried:
> 
>   $ meson configure builddir/ -Ddri-drivers=nouveau
-Dgallium-drivers=nouveau
> 
> but that does not help.
> Could you please point me somewhere that explains how to get the
> nouveau_dri.so library?
I think you forgot to "install". I'd recommend putting it into
some prefix,
e.g. ~/install (which you can tell meson to do with --prefix=foo), and then you
can test with LD_LIBRARY_PATH=~/install ... (not 100% the '~' actually
works in
the LD_LIBRARY_PATH though)

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<https://lists.freedesktop.org/archives/nouveau/attachments/20190726/92644943/attachment.html>

https://bugs.freedesktop.org/show_bug.cgi?id=111218

mmgrqnv at jadamspam.pl changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |DUPLICATE
             Status|NEW                         |RESOLVED

--- Comment #6 from mmgrqnv at jadamspam.pl ---
That was it. I can confirm that the commit you linked fixes my problem.
I will mark this bug as a duplicate of 111167 and close.
Thank you very much for your help!

*** This bug has been marked as a duplicate of bug 111167 ***

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<https://lists.freedesktop.org/archives/nouveau/attachments/20190726/36494b46/attachment.html>

https://bugs.freedesktop.org/show_bug.cgi?id=111218

--- Comment #7 from Ilia Mirkin <imirkin at alum.mit.edu> ---
(In reply to mmgrqnv from comment #6)
> That was it. I can confirm that the commit you linked fixes my problem.
> I will mark this bug as a duplicate of 111167 and close.
> Thank you very much for your help!
> 
> *** This bug has been marked as a duplicate of bug 111167 ***
By the way, what distro is shipping mesa built with asserts enabled? Our
(mesa's) assumption has always been that distros would NOT have asserts
enabled
in the binaries they ship to users. [And this issue only pops up in an assert.]

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<https://lists.freedesktop.org/archives/nouveau/attachments/20190726/818b872c/attachment.html>

https://bugs.freedesktop.org/show_bug.cgi?id=111218

--- Comment #8 from mmgrqnv at jadamspam.pl ---
This was on Ubuntu 18.04.2 LTS.
Specific package version: libgl1-mesa-dri: 19.0.2-1ubuntu1.1~18.04.2.

-- 
You are receiving this mail because:
You are the assignee for the bug.
You are the QA Contact for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<https://lists.freedesktop.org/archives/nouveau/attachments/20190726/5ef6f026/attachment.html>

https://bugs.freedesktop.org/show_bug.cgi?id=111218

--- Comment #9 from Timo Aaltonen <tjaalton at ubuntu.com> ---
for the record, we already set '-Db_ndebug=true' which was supposed to
disable
debug builds (and asserts) with meson

-- 
You are receiving this mail because:
You are the assignee for the bug.
You are the QA Contact for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<https://lists.freedesktop.org/archives/nouveau/attachments/20190808/9796b3f5/attachment.html>