bugzilla-daemon at freedesktop.org
2019-Jul-18 15:38 UTC
[Nouveau] [Bug 111167] New: Dividing zero by a uniform in loop header causes segfault in nv50_ir::NVC0LegalizeSSA::handleDIV
https://bugs.freedesktop.org/show_bug.cgi?id=111167

            Bug ID: 111167
           Summary: Dividing zero by a uniform in loop header causes segfault
                    in nv50_ir::NVC0LegalizeSSA::handleDIV
           Product: Mesa
           Version: git
          Hardware: x86-64 (AMD64)
                OS: Linux (All)
            Status: NEW
          Severity: minor
          Priority: medium
         Component: Drivers/DRI/nouveau
          Assignee: nouveau at lists.freedesktop.org
          Reporter: abelbriggs1 at hotmail.com
        QA Contact: nouveau at lists.freedesktop.org

Created attachment 144815
  --> https://bugs.freedesktop.org/attachment.cgi?id=144815&action=edit
Reproduction shader_test file, core dump of crash

The attached archive contains a shader that, on the build and PC specified below, causes a segmentation fault in nouveau when run. A core dump of the crash is supplied as well.

    void main()
    {
        for(int i = 1; 1 >= (0 / int((injectionSwitch.y))); 1) { }
    }

The value of injectionSwitch is set to (0.0, 1.0) - so (0 / int(injectionSwitch.y)) is equivalent to (0 / 1), which should evaluate to zero and make the two conditions equal.

Notably, if you remove injectionSwitch and replace it with ‘1’, no segfault occurs.

Steps to reproduce:
-------------------------------------------------------------------------------
1. Obtain and build piglit, the Mesa OpenGL test suite runner:
   https://gitlab.freedesktop.org/mesa/piglit
2. Download the attached archive.
3. From a terminal, execute the supplied test with the piglit GLES3 shader runner:
   $ bin/shader_runner_gles3 minimum_testcase.shader_test

Expected results:
-------------------------------------------------------------------------------
The shader should run without crashing (it’s an infinite loop that does nothing, but it still shouldn’t crash).

Actual results:
-------------------------------------------------------------------------------
The shader causes nouveau to segfault.

Here is a backtrace obtained from using GDB on the core dump (exact command: $ gdb shader_runner_gles3 core):

#0  std::_Deque_iterator<nv50_ir::ValueRef, nv50_ir::ValueRef&, nv50_ir::ValueRef*>::_Deque_iterator (
    __x=<error reading variable: Cannot access memory at address 0xb0>, this=<synthetic pointer>)
    at /usr/include/c++/8/bits/stl_deque.h:1401
#1  std::_Deque_iterator<nv50_ir::ValueRef, nv50_ir::ValueRef&, nv50_ir::ValueRef*>::operator+ (__n=0, this=0xb0)
    at /usr/include/c++/8/bits/stl_deque.h:230
#2  std::_Deque_iterator<nv50_ir::ValueRef, nv50_ir::ValueRef&, nv50_ir::ValueRef*>::operator[] (__n=0, this=0xb0)
    at /usr/include/c++/8/bits/stl_deque.h:247
#3  std::deque<nv50_ir::ValueRef, std::allocator<nv50_ir::ValueRef>>::operator[] (__n=0, this=0xa0)
    at /usr/include/c++/8/bits/stl_deque.h:1404
#4  nv50_ir::Instruction::getSrc (s=0, this=0x0)
    at ../src/gallium/drivers/nouveau/codegen/nv50_ir.h:827
#5  nv50_ir::NVC0LegalizeSSA::handleDIV (this=0x7ffd7753af60, i=0x55d2e1b132a0)
    at ../src/gallium/drivers/nouveau/codegen/nv50_ir_lowering_nvc0.cpp:54
#6  0x00007fc7191cb4b3 in nv50_ir::NVC0LegalizeSSA::visit (
    this=0x7ffd7753af60, bb=<optimized out>)
    at ../src/gallium/drivers/nouveau/codegen/nv50_ir_lowering_nvc0.cpp:334
#7  0x00007fc719111928 in nv50_ir::Pass::doRun (this=0x7ffd7753af60, func=<optimized out>, ordered=<optimized out>, skipPhi=true)
    at ../src/gallium/drivers/nouveau/codegen/nv50_ir_bb.cpp:500
#8  0x00007fc7191119f4 in nv50_ir::Pass::doRun (this=0x7ffd7753af60, prog=<optimized out>, ordered=false, skipPhi=true)
    at ../src/gallium/drivers/nouveau/codegen/nv50_ir_inlines.h:413

Build & PC specs:
-------------------------------------------------------------------------------
CPU: Intel Core i7-5820k
GPU: nVIDIA GTX 970
OS: Ubuntu 19.04
libdrm: git-5db0f7692d1fdf05f9f6c0c02ffa5a5f4379c1f3
Mesa: git-a110a8090d
Xf86-video-nouveau: 1.0.16
Linux kernel version: 5.0.0-16-generic

This bug was found with GraphicsFuzz: https://github.com/google/graphicsfuzz

--
You are receiving this mail because:
You are the assignee for the bug.
You are the QA Contact for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/nouveau/attachments/20190718/af7aa02d/attachment.html>
bugzilla-daemon at freedesktop.org
2019-Jul-18 15:49 UTC
[Nouveau] [Bug 111167] Dividing zero by a uniform in loop header causes segfault in nv50_ir::NVC0LegalizeSSA::handleDIV
https://bugs.freedesktop.org/show_bug.cgi?id=111167

--- Comment #1 from Ilia Mirkin <imirkin at alum.mit.edu> ---
Right...

    Instruction *ld = i->getSrc(s)->getInsn();
    assert(ld->getSrc(0) != NULL);

We must end up propagating the zero imm directly into DIV's args. This is generally legal even for ops that don't allow imms because of the RZ thing. However in this case ... it screws things up, since we have to move the value to a fixed reg.

It looks like the assert() is just misplaced there. It should go into the "else" clause below and all will be well... we handle the "!ld" / "ld is not a load/mov" cases already just fine.
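Added example, not part of the thread and not Mesa's code: a simplified model of the pattern discussed in comment #1, where the assert expression itself dereferences a defining instruction that is NULL for a propagated immediate (frame #4 of the backtrace shows getSrc called with this=0x0). All types, the legalizeSrc function and the branch layout are hypothetical stand-ins; the guard-then-assert ordering follows the suggestion to move the assert into the "else" clause.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdio>
#include <deque>

// Hypothetical stand-ins for the IR; these are not Mesa's nv50_ir classes.
enum Op { OP_LOAD, OP_MOV, OP_ADD, OP_DIV };
struct Instruction;
struct Value {
    Instruction *def = nullptr;          // nullptr: immediate, no defining insn
    Instruction *getInsn() const { return def; }
};
struct Instruction {
    Op op;
    std::deque<Value *> srcs;
    Value *getSrc(size_t s) const { return s < srcs.size() ? srcs[s] : nullptr; }
};

enum Action { INSERT_MOV, REUSE_DEF };

// Decide how source `s` of `i` gets into a fixed register (assumed layout).
// The precondition on ld's own source is asserted only in the branch that
// has already established ld is non-null and is a load/mov.
Action legalizeSrc(const Instruction *i, size_t s)
{
    Instruction *ld = i->getSrc(s)->getInsn();
    if (!ld || (ld->op != OP_LOAD && ld->op != OP_MOV))
        return INSERT_MOV;               // immediate or computed value
    assert(ld->getSrc(0) != nullptr);    // safe: ld was checked above
    return REUSE_DEF;
}

// Constructed cases: a DIV whose dividend is a folded immediate, and a DIV
// whose dividend is the result of a MOV.
Action divWithImmediate() {
    Value zero, divisor;
    Instruction divInsn{OP_DIV, {&zero, &divisor}};
    return legalizeSrc(&divInsn, 0);
}
Action divWithMovResult() {
    Value in, moved, divisor;
    Instruction mov{OP_MOV, {&in}};
    moved.def = &mov;
    Instruction divInsn{OP_DIV, {&moved, &divisor}};
    return legalizeSrc(&divInsn, 0);
}

int main() {
    std::printf("imm=%d mov=%d\n", (int)divWithImmediate(), (int)divWithMovResult());
}
```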
bugzilla-daemon at freedesktop.org
2019-Jul-26 13:09 UTC
[Nouveau] [Bug 111167] Dividing zero by a uniform in loop header causes segfault in nv50_ir::NVC0LegalizeSSA::handleDIV
https://bugs.freedesktop.org/show_bug.cgi?id=111167

mmgrqnv at jadamspam.pl changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mmgrqnv at jadamspam.pl

--- Comment #2 from mmgrqnv at jadamspam.pl ---
*** Bug 111218 has been marked as a duplicate of this bug. ***
bugzilla-daemon at freedesktop.org
2019-Sep-18 20:49 UTC
[Nouveau] [Bug 111167] Dividing zero by a uniform in loop header causes segfault in nv50_ir::NVC0LegalizeSSA::handleDIV
https://bugs.freedesktop.org/show_bug.cgi?id=111167

GitLab Migration User <gitlab-migration at fdo.invalid> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |MOVED

--- Comment #3 from GitLab Migration User <gitlab-migration at fdo.invalid> ---
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/mesa/mesa/issues/1187.
Apparently Analogous Threads
- [Bug 111218] New: Segmentation fault in nv50_ir::NVC0LegalizeSSA::handleDIV when dividing result of textureSize
- [PATCH] nv50/ir: use unordered_set instead of list to keep our instructions in uses
- [PATCH] nv50/ir: use unordered_set instead of list to keep track of var defs
- [PATCH RESEND] nv50/ir: use unordered_set instead of list to keep track of var defs
- [Bug 108032] New: nv50_ir_lowering_gm107.cpp:326: undefined reference to `nv50_ir::NVC0LoweringPass::loadMsAdjInfo32(nv50_ir::TexInstruction::Target, unsigned int, int, nv50_ir::Value*, bool)'