<html>
<head>
<base href="https://bugs.freedesktop.org/" />
</head>
<body>
<p>
<div>
<b><a class="bz_bug_link
bz_status_NEW "
title="NEW --- - [SNB+]Ogles3conform ES3-CTS.shaders.struct.uniform.sampler_array_vertex crash"
href="https://bugs.freedesktop.org/show_bug.cgi?id=83215#c6">Comment # 6</a>
on <a class="bz_bug_link
bz_status_NEW "
title="NEW --- - [SNB+]Ogles3conform ES3-CTS.shaders.struct.uniform.sampler_array_vertex crash"
href="https://bugs.freedesktop.org/show_bug.cgi?id=83215">bug 83215</a>
from <span class="vcard"><a class="email" href="mailto:idr@freedesktop.org" title="Ian Romanick <idr@freedesktop.org>"> <span class="fn">Ian Romanick</span></a>
</span></b>
<pre>I did a little more digging. Valgrind produces the output below. All of the
use-after-free problems are in memory freed by
vec4_live_variables::~vec4_live_variables. This felt like a little bit of a
red herring, so I added

    assert((src->reg * 4 + 0) &lt; (virtual_grf_count * 4));
    assert((src->reg * 4 + 1) &lt; (virtual_grf_count * 4));
    assert((src->reg * 4 + 2) &lt; (virtual_grf_count * 4));
    assert((src->reg * 4 + 3) &lt; (virtual_grf_count * 4));

at line 227 of vec4_visitor::opt_cse_local. This got hit! src->reg was 18 and
virtual_grf_count was 7. entry->generator has some information. Notice that
src[1].reg is 18, but file is ATTR. Should this loop even process that?
Looking at vec4_visitor::virtual_grf_alloc, it appears that virtual_grf_count
is only incremented when a register with file == GRF is allocated.

{
&lt;backend_instruction&gt; = {
&lt;exec_node&gt; = {next = 0x17dcc60, prev = 0x17df150},
ir = 0x144b770,
annotation = 0x0,
texture_offset = 0,
offset = 0,
mlen = 0 '\000',
base_mrf = 0 '\000',
target = 0 '\000',
opcode = BRW_OPCODE_MAD,
conditional_mod = BRW_CONDITIONAL_NONE,
predicate = BRW_PREDICATE_NONE,
predicate_inverse = false,
writes_accumulator = false,
force_writemask_all = false,
no_dd_clear = false,
no_dd_check = false,
saturate = false
},
dst = {
&lt;backend_reg&gt; = {
file = GRF,
type = BRW_REGISTER_TYPE_F,
reg = 4,
reg_offset = 0,
fixed_hw_reg = {
type = BRW_REGISTER_TYPE_UD,
file = 0,
nr = 0,
subnr = 0,
negate = 0,
abs = 0,
vstride = 0,
width = 0,
hstride = 0,
address_mode = 0,
pad0 = 0,
dw1 = {
bits = {
swizzle = 0,
writemask = 0,
indirect_offset = 0,
pad1 = 0
},
f = 0,
d = 0,
ud = 0
}
},
negate = false,
abs = false
},
writemask = 3,
reladdr = 0x0
},
src = {
{
&lt;backend_reg&gt; = {
file = UNIFORM,
type = BRW_REGISTER_TYPE_F,
reg = 1,
reg_offset = 0,
fixed_hw_reg = {
type = BRW_REGISTER_TYPE_UD,
file = 0,
nr = 0,
subnr = 0,
negate = 0,
abs = 0,
vstride = 0,
width = 0,
hstride = 0,
address_mode = 0,
pad0 = 0,
dw1 = {
bits = {
swizzle = 0,
writemask = 0,
indirect_offset = 0,
pad1 = 0
},
f = 0,
d = 0,
ud = 0
}
},
negate = false,
abs = false
},
swizzle = 170,
reladdr = 0x0
},
{
&lt;backend_reg&gt; = {
file = ATTR,
type = BRW_REGISTER_TYPE_F,
reg = 18,
reg_offset = 0,
fixed_hw_reg = {
type = BRW_REGISTER_TYPE_UD,
file = 0,
nr = 0,
subnr = 0,
negate = 0,
abs = 0,
vstride = 0,
width = 0,
hstride = 0,
address_mode = 0,
pad0 = 0,
dw1 = {
bits = {
swizzle = 0,
writemask = 0,
indirect_offset = 0,
pad1 = 0
},
f = 0,
d = 0,
ud = 0
}
},
negate = false,
abs = false
},
swizzle = 84,
reladdr = 0x0
},
{
&lt;backend_reg&gt; = {
file = GRF,
type = BRW_REGISTER_TYPE_F,
reg = 3,
reg_offset = 0,
fixed_hw_reg = {
type = BRW_REGISTER_TYPE_UD,
file = 0,
nr = 0,
subnr = 0,
negate = 0,
abs = 0,
vstride = 0,
width = 0,
hstride = 0,
address_mode = 0,
pad0 = 0,
dw1 = {
bits = {
swizzle = 0,
writemask = 0,
indirect_offset = 0,
pad1 = 0
},
f = 0,
d = 0,
ud = 0
}
},
negate = false,
abs = false
},
swizzle = 228,
reladdr = 0x0
}
},
shadow_compare = false,
urb_write_flags = BRW_URB_WRITE_NO_FLAGS,
header_present = false
}
==30600== Invalid read of size 4
==30600== at 0x7C5641A: brw::vec4_visitor::opt_cse_local(bblock_t*)
(brw_vec4_cse.cpp:228)
==30600== by 0x7C565C4: brw::vec4_visitor::opt_cse() (brw_vec4_cse.cpp:256)
==30600== by 0x7C54F45: brw::vec4_visitor::run() (brw_vec4.cpp:1787)
==30600== by 0x7C551AC: brw_vs_emit (brw_vec4.cpp:1865)
==30600== by 0x7C716C9: do_vs_prog (brw_vs.c:295)
==30600== by 0x7C71F12: brw_vs_precompile (brw_vs.c:545)
==30600== by 0x7C4D103: brw_link_shader (brw_shader.cpp:79)
==30600== by 0x7B0B553: _mesa_glsl_link_shader (ir_to_mesa.cpp:3038)
==30600== by 0x7A174E0: link_program (shaderapi.c:915)
==30600== by 0x7A18C7E: _mesa_LinkProgram (shaderapi.c:1383)
==30600== by 0xBD6F01: glu::Program::linkProgram(unsigned int, unsigned int,
unsigned int, std::string&, unsigned long&) (in
/home/idr/devel/graphics/ESCTS-3.0.3.0-20140530.build/cts/glcts)
==30600== by 0xBD63F5: glu::Program::Program(glu::RenderContext const&, char
const*, char const*) (in
/home/idr/devel/graphics/ESCTS-3.0.3.0-20140530.build/cts/glcts)
==30600== Address 0x87f2a00 is 0 bytes inside a block of size 80 free'd
==30600== at 0x4A077E6: free (vg_replace_malloc.c:446)
==30600== by 0x7B98FFD: unsafe_free (ralloc.c:255)
==30600== by 0x7B98FDD: unsafe_free (ralloc.c:248)
==30600== by 0x7B99126: ralloc_free (ralloc.c:218)
==30600== by 0x7C5C5A2: brw::vec4_live_variables::~vec4_live_variables()
(brw_vec4_live_variables.cpp:173)
==30600== by 0x7C5C810: brw::vec4_visitor::calculate_live_intervals()
(brw_vec4_live_variables.cpp:267)
==30600== by 0x7C5659F: brw::vec4_visitor::opt_cse() (brw_vec4_cse.cpp:253)
==30600== by 0x7C54F45: brw::vec4_visitor::run() (brw_vec4.cpp:1787)
==30600== by 0x7C551AC: brw_vs_emit (brw_vec4.cpp:1865)
==30600== by 0x7C716C9: do_vs_prog (brw_vs.c:295)
==30600== by 0x7C71F12: brw_vs_precompile (brw_vs.c:545)
==30600== by 0x7C4D103: brw_link_shader (brw_shader.cpp:79)
==30600==
==30600== Invalid read of size 4
==30600== at 0x7C5641E: brw::vec4_visitor::opt_cse_local(bblock_t*)
(brw_vec4_cse.cpp:228)
==30600== by 0x7C565C4: brw::vec4_visitor::opt_cse() (brw_vec4_cse.cpp:256)
==30600== by 0x7C54F45: brw::vec4_visitor::run() (brw_vec4.cpp:1787)
==30600== by 0x7C551AC: brw_vs_emit (brw_vec4.cpp:1865)
==30600== by 0x7C716C9: do_vs_prog (brw_vs.c:295)
==30600== by 0x7C71F12: brw_vs_precompile (brw_vs.c:545)
==30600== by 0x7C4D103: brw_link_shader (brw_shader.cpp:79)
==30600== by 0x7B0B553: _mesa_glsl_link_shader (ir_to_mesa.cpp:3038)
==30600== by 0x7A174E0: link_program (shaderapi.c:915)
==30600== by 0x7A18C7E: _mesa_LinkProgram (shaderapi.c:1383)
==30600== by 0xBD6F01: glu::Program::linkProgram(unsigned int, unsigned int,
unsigned int, std::string&, unsigned long&) (in
/home/idr/devel/graphics/ESCTS-3.0.3.0-20140530.build/cts/glcts)
==30600== by 0xBD63F5: glu::Program::Program(glu::RenderContext const&, char
const*, char const*) (in
/home/idr/devel/graphics/ESCTS-3.0.3.0-20140530.build/cts/glcts)
==30600== Address 0x87f2a04 is 4 bytes inside a block of size 80 free'd
==30600== at 0x4A077E6: free (vg_replace_malloc.c:446)
==30600== by 0x7B98FFD: unsafe_free (ralloc.c:255)
==30600== by 0x7B98FDD: unsafe_free (ralloc.c:248)
==30600== by 0x7B99126: ralloc_free (ralloc.c:218)
==30600== by 0x7C5C5A2: brw::vec4_live_variables::~vec4_live_variables()
(brw_vec4_live_variables.cpp:173)
==30600== by 0x7C5C810: brw::vec4_visitor::calculate_live_intervals()
(brw_vec4_live_variables.cpp:267)
==30600== by 0x7C5659F: brw::vec4_visitor::opt_cse() (brw_vec4_cse.cpp:253)
==30600== by 0x7C54F45: brw::vec4_visitor::run() (brw_vec4.cpp:1787)
==30600== by 0x7C551AC: brw_vs_emit (brw_vec4.cpp:1865)
==30600== by 0x7C716C9: do_vs_prog (brw_vs.c:295)
==30600== by 0x7C71F12: brw_vs_precompile (brw_vs.c:545)
==30600== by 0x7C4D103: brw_link_shader (brw_shader.cpp:79)
==30600==
==30600== Invalid read of size 4
==30600== at 0x7C56423: brw::vec4_visitor::opt_cse_local(bblock_t*)
(brw_vec4_cse.cpp:228)
==30600== by 0x7C565C4: brw::vec4_visitor::opt_cse() (brw_vec4_cse.cpp:256)
==30600== by 0x7C54F45: brw::vec4_visitor::run() (brw_vec4.cpp:1787)
==30600== by 0x7C551AC: brw_vs_emit (brw_vec4.cpp:1865)
==30600== by 0x7C716C9: do_vs_prog (brw_vs.c:295)
==30600== by 0x7C71F12: brw_vs_precompile (brw_vs.c:545)
==30600== by 0x7C4D103: brw_link_shader (brw_shader.cpp:79)
==30600== by 0x7B0B553: _mesa_glsl_link_shader (ir_to_mesa.cpp:3038)
==30600== by 0x7A174E0: link_program (shaderapi.c:915)
==30600== by 0x7A18C7E: _mesa_LinkProgram (shaderapi.c:1383)
==30600== by 0xBD6F01: glu::Program::linkProgram(unsigned int, unsigned int,
unsigned int, std::string&, unsigned long&) (in
/home/idr/devel/graphics/ESCTS-3.0.3.0-20140530.build/cts/glcts)
==30600== by 0xBD63F5: glu::Program::Program(glu::RenderContext const&, char
const*, char const*) (in
/home/idr/devel/graphics/ESCTS-3.0.3.0-20140530.build/cts/glcts)
==30600== Address 0x87f2a08 is 8 bytes inside a block of size 80 free'd
==30600== at 0x4A077E6: free (vg_replace_malloc.c:446)
==30600== by 0x7B98FFD: unsafe_free (ralloc.c:255)
==30600== by 0x7B98FDD: unsafe_free (ralloc.c:248)
==30600== by 0x7B99126: ralloc_free (ralloc.c:218)
==30600== by 0x7C5C5A2: brw::vec4_live_variables::~vec4_live_variables()
(brw_vec4_live_variables.cpp:173)
==30600== by 0x7C5C810: brw::vec4_visitor::calculate_live_intervals()
(brw_vec4_live_variables.cpp:267)
==30600== by 0x7C5659F: brw::vec4_visitor::opt_cse() (brw_vec4_cse.cpp:253)
==30600== by 0x7C54F45: brw::vec4_visitor::run() (brw_vec4.cpp:1787)
==30600== by 0x7C551AC: brw_vs_emit (brw_vec4.cpp:1865)
==30600== by 0x7C716C9: do_vs_prog (brw_vs.c:295)
==30600== by 0x7C71F12: brw_vs_precompile (brw_vs.c:545)
==30600== by 0x7C4D103: brw_link_shader (brw_shader.cpp:79)
==30600==
==30600== Invalid read of size 4
==30600== at 0x7C56428: brw::vec4_visitor::opt_cse_local(bblock_t*)
(brw_vec4_cse.cpp:228)
==30600== by 0x7C565C4: brw::vec4_visitor::opt_cse() (brw_vec4_cse.cpp:256)
==30600== by 0x7C54F45: brw::vec4_visitor::run() (brw_vec4.cpp:1787)
==30600== by 0x7C551AC: brw_vs_emit (brw_vec4.cpp:1865)
==30600== by 0x7C716C9: do_vs_prog (brw_vs.c:295)
==30600== by 0x7C71F12: brw_vs_precompile (brw_vs.c:545)
==30600== by 0x7C4D103: brw_link_shader (brw_shader.cpp:79)
==30600== by 0x7B0B553: _mesa_glsl_link_shader (ir_to_mesa.cpp:3038)
==30600== by 0x7A174E0: link_program (shaderapi.c:915)
==30600== by 0x7A18C7E: _mesa_LinkProgram (shaderapi.c:1383)
==30600== by 0xBD6F01: glu::Program::linkProgram(unsigned int, unsigned int,
unsigned int, std::string&, unsigned long&) (in
/home/idr/devel/graphics/ESCTS-3.0.3.0-20140530.build/cts/glcts)
==30600== by 0xBD63F5: glu::Program::Program(glu::RenderContext const&, char
const*, char const*) (in
/home/idr/devel/graphics/ESCTS-3.0.3.0-20140530.build/cts/glcts)
==30600== Address 0x87f2a0c is 12 bytes inside a block of size 80 free'd
==30600== at 0x4A077E6: free (vg_replace_malloc.c:446)
==30600== by 0x7B98FFD: unsafe_free (ralloc.c:255)
==30600== by 0x7B98FDD: unsafe_free (ralloc.c:248)
==30600== by 0x7B99126: ralloc_free (ralloc.c:218)
==30600== by 0x7C5C5A2: brw::vec4_live_variables::~vec4_live_variables()
(brw_vec4_live_variables.cpp:173)
==30600== by 0x7C5C810: brw::vec4_visitor::calculate_live_intervals()
(brw_vec4_live_variables.cpp:267)
==30600== by 0x7C5659F: brw::vec4_visitor::opt_cse() (brw_vec4_cse.cpp:253)
==30600== by 0x7C54F45: brw::vec4_visitor::run() (brw_vec4.cpp:1787)
==30600== by 0x7C551AC: brw_vs_emit (brw_vec4.cpp:1865)
==30600== by 0x7C716C9: do_vs_prog (brw_vs.c:295)
==30600== by 0x7C71F12: brw_vs_precompile (brw_vs.c:545)
==30600== by 0x7C4D103: brw_link_shader (brw_shader.cpp:79)
==30600==</pre>
</div>
</p>
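<p>Added example, not part of the comment above and not Mesa code: a simplified C++ model of the indexing problem the asserts exposed, where a table of virtual_grf_count * 4 entries is keyed by src->reg without checking that the source's file is GRF. The types and the functions classify_unguarded, lookup_end and guarded_hits_for_dump are hypothetical; the three sample sources and the count of 7 are the values reported in the comment.</p>

```cpp
#include <cstddef>
#include <vector>

// Simplified model, not Mesa code. File names follow the gdb dump above.
enum reg_file { GRF, ATTR, UNIFORM };

struct src_reg { reg_file file; int reg; };

// Per-channel table with 4 slots per virtual GRF, so its length is
// virtual_grf_count * 4. Only GRF register numbers are valid keys.
struct live_table {
    int virtual_grf_count;
    std::vector<int> end;  // end[reg * 4 + channel]
    explicit live_table(int count)
        : virtual_grf_count(count), end(static_cast<std::size_t>(count) * 4, 0) {}
};

// What an unguarded lookup would do with this source: 0 = correct GRF slot,
// 1 = in-range slot that belongs to an unrelated GRF (silent aliasing),
// 2 = index past the end of the table (the case the asserts caught).
int classify_unguarded(const live_table &live, const src_reg &src)
{
    if (src.reg < 0 || src.reg >= live.virtual_grf_count)
        return 2;
    return src.file == GRF ? 0 : 1;
}

// Guarded lookup: consult the table only for GRF sources whose number is in
// range. Returns false (and leaves *out alone) for everything else.
bool lookup_end(const live_table &live, const src_reg &src, int channel, int *out)
{
    if (src.file != GRF || channel < 0 || channel > 3 ||
        src.reg < 0 || src.reg >= live.virtual_grf_count)
        return false;
    *out = live.end[static_cast<std::size_t>(src.reg) * 4 + channel];
    return true;
}

// The MAD sources from the dump, with virtual_grf_count = 7 as reported.
// Returns how many sources the guarded lookup accepts.
int guarded_hits_for_dump()
{
    live_table live(7);
    const src_reg srcs[3] = { {UNIFORM, 1}, {ATTR, 18}, {GRF, 3} };
    int hits = 0, value = 0;
    for (const src_reg &s : srcs)
        hits += lookup_end(live, s, 0, &value) ? 1 : 0;
    return hits;
}
```

<p>In this model the ATTR source with reg 18 indexes past a 28-entry table, while the UNIFORM source with reg 1 stays in range and would quietly read the slot of an unrelated GRF, which a bounds assert alone does not catch.</p>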
</body>
</html>