[Bug 83215] [SNB+]Ogles3conform ES3-CTS.shaders.struct.uniform.sampler_array_vertex crash
bugzilla-daemon at freedesktop.org
bugzilla-daemon at freedesktop.org
Wed Sep 10 17:56:05 PDT 2014
https://bugs.freedesktop.org/show_bug.cgi?id=83215
--- Comment #6 from Ian Romanick <idr at freedesktop.org> ---
I did a little more digging. Valgrind produces the output below. All of the
use-after-free problems are in memory freed by
vec4_live_variables::~vec4_live_variables. This felt like a little bit of a
red herring, so I added
assert((src->reg * 4 + 0) < (virtual_grf_count * 4));
assert((src->reg * 4 + 1) < (virtual_grf_count * 4));
assert((src->reg * 4 + 2) < (virtual_grf_count * 4));
assert((src->reg * 4 + 3) < (virtual_grf_count * 4));
at line 227 of vec4_visitor::opt_cse_local. This got hit! src->reg was 18 and
virtual_grf_count was 7. entry->generator has some information. Notice that
src[1].reg is 18, but file is ATTR. Should this loop even process that?
Looking at vec4_visitor::virtual_grf_alloc, it appears that virtual_grf_count
is only incremented when a register with file == GRF is allocated.
{
<backend_instruction> = {
<exec_node> = {next = 0x17dcc60, prev = 0x17df150},
ir = 0x144b770,
annotation = 0x0,
texture_offset = 0,
offset = 0,
mlen = 0 '\000',
base_mrf = 0 '\000',
target = 0 '\000',
opcode = BRW_OPCODE_MAD,
conditional_mod = BRW_CONDITIONAL_NONE,
predicate = BRW_PREDICATE_NONE,
predicate_inverse = false,
writes_accumulator = false,
force_writemask_all = false,
no_dd_clear = false,
no_dd_check = false,
saturate = false
},
dst = {
<backend_reg> = {
file = GRF,
type = BRW_REGISTER_TYPE_F,
reg = 4,
reg_offset = 0,
fixed_hw_reg = {
type = BRW_REGISTER_TYPE_UD,
file = 0,
nr = 0,
subnr = 0,
negate = 0,
abs = 0,
vstride = 0,
width = 0,
hstride = 0,
address_mode = 0,
pad0 = 0,
dw1 = {
bits = {
swizzle = 0,
writemask = 0,
indirect_offset = 0,
pad1 = 0
},
f = 0,
d = 0,
ud = 0
}
},
negate = false,
abs = false
},
writemask = 3,
reladdr = 0x0
},
src = {
{
<backend_reg> = {
file = UNIFORM,
type = BRW_REGISTER_TYPE_F,
reg = 1,
reg_offset = 0,
fixed_hw_reg = {
type = BRW_REGISTER_TYPE_UD,
file = 0,
nr = 0,
subnr = 0,
negate = 0,
abs = 0,
vstride = 0,
width = 0,
hstride = 0,
address_mode = 0,
pad0 = 0,
dw1 = {
bits = {
swizzle = 0,
writemask = 0,
indirect_offset = 0,
pad1 = 0
},
f = 0,
d = 0,
ud = 0
}
},
negate = false,
abs = false
},
swizzle = 170,
reladdr = 0x0
},
{
<backend_reg> = {
file = ATTR,
type = BRW_REGISTER_TYPE_F,
reg = 18,
reg_offset = 0,
fixed_hw_reg = {
type = BRW_REGISTER_TYPE_UD,
file = 0,
nr = 0,
subnr = 0,
negate = 0,
abs = 0,
vstride = 0,
width = 0,
hstride = 0,
address_mode = 0,
pad0 = 0,
dw1 = {
bits = {
swizzle = 0,
writemask = 0,
indirect_offset = 0,
pad1 = 0
},
f = 0,
d = 0,
ud = 0
}
},
negate = false,
abs = false
},
swizzle = 84,
reladdr = 0x0
},
{
<backend_reg> = {
file = GRF,
type = BRW_REGISTER_TYPE_F,
reg = 3,
reg_offset = 0,
fixed_hw_reg = {
type = BRW_REGISTER_TYPE_UD,
file = 0,
nr = 0,
subnr = 0,
negate = 0,
abs = 0,
vstride = 0,
width = 0,
hstride = 0,
address_mode = 0,
pad0 = 0,
dw1 = {
bits = {
swizzle = 0,
writemask = 0,
indirect_offset = 0,
pad1 = 0
},
f = 0,
d = 0,
ud = 0
}
},
negate = false,
abs = false
},
swizzle = 228,
reladdr = 0x0
}
},
shadow_compare = false,
urb_write_flags = BRW_URB_WRITE_NO_FLAGS,
header_present = false
}
==30600== Invalid read of size 4
==30600== at 0x7C5641A: brw::vec4_visitor::opt_cse_local(bblock_t*)
(brw_vec4_cse.cpp:228)
==30600== by 0x7C565C4: brw::vec4_visitor::opt_cse() (brw_vec4_cse.cpp:256)
==30600== by 0x7C54F45: brw::vec4_visitor::run() (brw_vec4.cpp:1787)
==30600== by 0x7C551AC: brw_vs_emit (brw_vec4.cpp:1865)
==30600== by 0x7C716C9: do_vs_prog (brw_vs.c:295)
==30600== by 0x7C71F12: brw_vs_precompile (brw_vs.c:545)
==30600== by 0x7C4D103: brw_link_shader (brw_shader.cpp:79)
==30600== by 0x7B0B553: _mesa_glsl_link_shader (ir_to_mesa.cpp:3038)
==30600== by 0x7A174E0: link_program (shaderapi.c:915)
==30600== by 0x7A18C7E: _mesa_LinkProgram (shaderapi.c:1383)
==30600== by 0xBD6F01: glu::Program::linkProgram(unsigned int, unsigned int,
unsigned int, std::string&, unsigned long&) (in
/home/idr/devel/graphics/ESCTS-3.0.3.0-20140530.build/cts/glcts)
==30600== by 0xBD63F5: glu::Program::Program(glu::RenderContext const&, char
const*, char const*) (in
/home/idr/devel/graphics/ESCTS-3.0.3.0-20140530.build/cts/glcts)
==30600== Address 0x87f2a00 is 0 bytes inside a block of size 80 free'd
==30600== at 0x4A077E6: free (vg_replace_malloc.c:446)
==30600== by 0x7B98FFD: unsafe_free (ralloc.c:255)
==30600== by 0x7B98FDD: unsafe_free (ralloc.c:248)
==30600== by 0x7B99126: ralloc_free (ralloc.c:218)
==30600== by 0x7C5C5A2: brw::vec4_live_variables::~vec4_live_variables()
(brw_vec4_live_variables.cpp:173)
==30600== by 0x7C5C810: brw::vec4_visitor::calculate_live_intervals()
(brw_vec4_live_variables.cpp:267)
==30600== by 0x7C5659F: brw::vec4_visitor::opt_cse() (brw_vec4_cse.cpp:253)
==30600== by 0x7C54F45: brw::vec4_visitor::run() (brw_vec4.cpp:1787)
==30600== by 0x7C551AC: brw_vs_emit (brw_vec4.cpp:1865)
==30600== by 0x7C716C9: do_vs_prog (brw_vs.c:295)
==30600== by 0x7C71F12: brw_vs_precompile (brw_vs.c:545)
==30600== by 0x7C4D103: brw_link_shader (brw_shader.cpp:79)
==30600==
==30600== Invalid read of size 4
==30600== at 0x7C5641E: brw::vec4_visitor::opt_cse_local(bblock_t*)
(brw_vec4_cse.cpp:228)
==30600== by 0x7C565C4: brw::vec4_visitor::opt_cse() (brw_vec4_cse.cpp:256)
==30600== by 0x7C54F45: brw::vec4_visitor::run() (brw_vec4.cpp:1787)
==30600== by 0x7C551AC: brw_vs_emit (brw_vec4.cpp:1865)
==30600== by 0x7C716C9: do_vs_prog (brw_vs.c:295)
==30600== by 0x7C71F12: brw_vs_precompile (brw_vs.c:545)
==30600== by 0x7C4D103: brw_link_shader (brw_shader.cpp:79)
==30600== by 0x7B0B553: _mesa_glsl_link_shader (ir_to_mesa.cpp:3038)
==30600== by 0x7A174E0: link_program (shaderapi.c:915)
==30600== by 0x7A18C7E: _mesa_LinkProgram (shaderapi.c:1383)
==30600== by 0xBD6F01: glu::Program::linkProgram(unsigned int, unsigned int,
unsigned int, std::string&, unsigned long&) (in
/home/idr/devel/graphics/ESCTS-3.0.3.0-20140530.build/cts/glcts)
==30600== by 0xBD63F5: glu::Program::Program(glu::RenderContext const&, char
const*, char const*) (in
/home/idr/devel/graphics/ESCTS-3.0.3.0-20140530.build/cts/glcts)
==30600== Address 0x87f2a04 is 4 bytes inside a block of size 80 free'd
==30600== at 0x4A077E6: free (vg_replace_malloc.c:446)
==30600== by 0x7B98FFD: unsafe_free (ralloc.c:255)
==30600== by 0x7B98FDD: unsafe_free (ralloc.c:248)
==30600== by 0x7B99126: ralloc_free (ralloc.c:218)
==30600== by 0x7C5C5A2: brw::vec4_live_variables::~vec4_live_variables()
(brw_vec4_live_variables.cpp:173)
==30600== by 0x7C5C810: brw::vec4_visitor::calculate_live_intervals()
(brw_vec4_live_variables.cpp:267)
==30600== by 0x7C5659F: brw::vec4_visitor::opt_cse() (brw_vec4_cse.cpp:253)
==30600== by 0x7C54F45: brw::vec4_visitor::run() (brw_vec4.cpp:1787)
==30600== by 0x7C551AC: brw_vs_emit (brw_vec4.cpp:1865)
==30600== by 0x7C716C9: do_vs_prog (brw_vs.c:295)
==30600== by 0x7C71F12: brw_vs_precompile (brw_vs.c:545)
==30600== by 0x7C4D103: brw_link_shader (brw_shader.cpp:79)
==30600==
==30600== Invalid read of size 4
==30600== at 0x7C56423: brw::vec4_visitor::opt_cse_local(bblock_t*)
(brw_vec4_cse.cpp:228)
==30600== by 0x7C565C4: brw::vec4_visitor::opt_cse() (brw_vec4_cse.cpp:256)
==30600== by 0x7C54F45: brw::vec4_visitor::run() (brw_vec4.cpp:1787)
==30600== by 0x7C551AC: brw_vs_emit (brw_vec4.cpp:1865)
==30600== by 0x7C716C9: do_vs_prog (brw_vs.c:295)
==30600== by 0x7C71F12: brw_vs_precompile (brw_vs.c:545)
==30600== by 0x7C4D103: brw_link_shader (brw_shader.cpp:79)
==30600== by 0x7B0B553: _mesa_glsl_link_shader (ir_to_mesa.cpp:3038)
==30600== by 0x7A174E0: link_program (shaderapi.c:915)
==30600== by 0x7A18C7E: _mesa_LinkProgram (shaderapi.c:1383)
==30600== by 0xBD6F01: glu::Program::linkProgram(unsigned int, unsigned int,
unsigned int, std::string&, unsigned long&) (in
/home/idr/devel/graphics/ESCTS-3.0.3.0-20140530.build/cts/glcts)
==30600== by 0xBD63F5: glu::Program::Program(glu::RenderContext const&, char
const*, char const*) (in
/home/idr/devel/graphics/ESCTS-3.0.3.0-20140530.build/cts/glcts)
==30600== Address 0x87f2a08 is 8 bytes inside a block of size 80 free'd
==30600== at 0x4A077E6: free (vg_replace_malloc.c:446)
==30600== by 0x7B98FFD: unsafe_free (ralloc.c:255)
==30600== by 0x7B98FDD: unsafe_free (ralloc.c:248)
==30600== by 0x7B99126: ralloc_free (ralloc.c:218)
==30600== by 0x7C5C5A2: brw::vec4_live_variables::~vec4_live_variables()
(brw_vec4_live_variables.cpp:173)
==30600== by 0x7C5C810: brw::vec4_visitor::calculate_live_intervals()
(brw_vec4_live_variables.cpp:267)
==30600== by 0x7C5659F: brw::vec4_visitor::opt_cse() (brw_vec4_cse.cpp:253)
==30600== by 0x7C54F45: brw::vec4_visitor::run() (brw_vec4.cpp:1787)
==30600== by 0x7C551AC: brw_vs_emit (brw_vec4.cpp:1865)
==30600== by 0x7C716C9: do_vs_prog (brw_vs.c:295)
==30600== by 0x7C71F12: brw_vs_precompile (brw_vs.c:545)
==30600== by 0x7C4D103: brw_link_shader (brw_shader.cpp:79)
==30600==
==30600== Invalid read of size 4
==30600== at 0x7C56428: brw::vec4_visitor::opt_cse_local(bblock_t*)
(brw_vec4_cse.cpp:228)
==30600== by 0x7C565C4: brw::vec4_visitor::opt_cse() (brw_vec4_cse.cpp:256)
==30600== by 0x7C54F45: brw::vec4_visitor::run() (brw_vec4.cpp:1787)
==30600== by 0x7C551AC: brw_vs_emit (brw_vec4.cpp:1865)
==30600== by 0x7C716C9: do_vs_prog (brw_vs.c:295)
==30600== by 0x7C71F12: brw_vs_precompile (brw_vs.c:545)
==30600== by 0x7C4D103: brw_link_shader (brw_shader.cpp:79)
==30600== by 0x7B0B553: _mesa_glsl_link_shader (ir_to_mesa.cpp:3038)
==30600== by 0x7A174E0: link_program (shaderapi.c:915)
==30600== by 0x7A18C7E: _mesa_LinkProgram (shaderapi.c:1383)
==30600== by 0xBD6F01: glu::Program::linkProgram(unsigned int, unsigned int,
unsigned int, std::string&, unsigned long&) (in
/home/idr/devel/graphics/ESCTS-3.0.3.0-20140530.build/cts/glcts)
==30600== by 0xBD63F5: glu::Program::Program(glu::RenderContext const&, char
const*, char const*) (in
/home/idr/devel/graphics/ESCTS-3.0.3.0-20140530.build/cts/glcts)
==30600== Address 0x87f2a0c is 12 bytes inside a block of size 80 free'd
==30600== at 0x4A077E6: free (vg_replace_malloc.c:446)
==30600== by 0x7B98FFD: unsafe_free (ralloc.c:255)
==30600== by 0x7B98FDD: unsafe_free (ralloc.c:248)
==30600== by 0x7B99126: ralloc_free (ralloc.c:218)
==30600== by 0x7C5C5A2: brw::vec4_live_variables::~vec4_live_variables()
(brw_vec4_live_variables.cpp:173)
==30600== by 0x7C5C810: brw::vec4_visitor::calculate_live_intervals()
(brw_vec4_live_variables.cpp:267)
==30600== by 0x7C5659F: brw::vec4_visitor::opt_cse() (brw_vec4_cse.cpp:253)
==30600== by 0x7C54F45: brw::vec4_visitor::run() (brw_vec4.cpp:1787)
==30600== by 0x7C551AC: brw_vs_emit (brw_vec4.cpp:1865)
==30600== by 0x7C716C9: do_vs_prog (brw_vs.c:295)
==30600== by 0x7C71F12: brw_vs_precompile (brw_vs.c:545)
==30600== by 0x7C4D103: brw_link_shader (brw_shader.cpp:79)
==30600==
--
You are receiving this mail because:
You are the QA Contact for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freedesktop.org/archives/intel-3d-bugs/attachments/20140911/45ceea1a/attachment-0001.html>
More information about the intel-3d-bugs
mailing list