[Bug 104338] NULL pointer access crash on Sacha Willems' Vulkan raytracing demo after "spirv: Add basic type validation for OpLoad, OpStore, and OpCopyMemory"

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Tue Dec 19 15:21:09 UTC 2017 

https://bugs.freedesktop.org/show_bug.cgi?id=104338

            Bug ID: 104338
           Summary: NULL pointer access crash on Sacha Willems' Vulkan
                    raytracing demo after "spirv: Add basic type
                    validation for OpLoad, OpStore, and OpCopyMemory"
           Product: Mesa
           Version: git
          Hardware: Other
                OS: All
            Status: NEW
          Severity: normal
          Priority: medium
         Component: Drivers/DRI/i965
          Assignee: jason at jlekstrand.net
          Reporter: eero.t.tamminen at intel.com
        QA Contact: intel-3d-bugs at lists.freedesktop.org

Mesa has started to segfault to NULL pointer access during Sacha Willems'
"raytracing" demo compute shader compilation.  I'm not seeing that with other
cases, like happened with bug 104213.

Bisecting points this as the commit where these started:
--------------------------------------------------------
commit 6737b1b859aadad64e5fe04a92d196a672413e06
Author:     Jason Ekstrand <jason.ekstrand at intel.com>
AuthorDate: Tue Dec 5 22:51:53 2017 -0800
Commit:     Jason Ekstrand <jason.ekstrand at intel.com>
CommitDate: Mon Dec 11 22:28:34 2017 -0800

    spirv: Add basic type validation for OpLoad, OpStore, and OpCopyMemory

    Reviewed-by: Samuel Iglesias Gonsálvez <siglesias at igalia.com>
--------------------------------------------------------

The crash is due to OpStore validation:
--------------------------------------------------------
(gdb) break _vtn_fail
Function "_vtn_fail" not defined.
Make breakpoint pending on future shared library load? (y or [n]) y
Breakpoint 1 (_vtn_fail) pending.

(gdb) run
Starting program: raytracing 
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Breakpoint 1, _vtn_fail (b=0x8a3b70, file=file at entry=0x7ffff6249f10
"../../../src/compiler/spirv/vtn_variables.c", line=line at entry=2009, 
    fmt=fmt at entry=0x7ffff624a7c8 "Value and pointer types of OpStore do not
match") at ../../../src/compiler/spirv/spirv_to_nir.c:112

(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
anv_shader_compile_to_nir (pipeline=0x8a2e60, pipeline=0x8a2e60,
spec_info=0x6bdd10, stage=MESA_SHADER_COMPUTE, entrypoint_name=0x7fffffffb3c0
"", 
    module=0x8a7dd0, mem_ctx=0x879c40) at
../../../src/intel/vulkan/anv_pipeline.c:153
153        nir_shader *nir = entry_point->shader;
(gdb) bt
#0  anv_shader_compile_to_nir (pipeline=0x8a2e60, pipeline=0x8a2e60,
spec_info=0x6bdd10, stage=MESA_SHADER_COMPUTE, entrypoint_name=0x7fffffffb3c0
"", 
    module=0x8a7dd0, mem_ctx=0x879c40) at
../../../src/intel/vulkan/anv_pipeline.c:153
#1  anv_pipeline_compile (pipeline=pipeline at entry=0x8a2e60,
mem_ctx=mem_ctx at entry=0x879c40, module=module at entry=0x8a7dd0, 
    entrypoint=entrypoint at entry=0x45e14a "main",
stage=stage at entry=MESA_SHADER_COMPUTE, spec_info=spec_info at entry=0x0,
prog_data=0x7fffffffb3c0, 
    map=0x7fffffffb310) at ../../../src/intel/vulkan/anv_pipeline.c:395
#2  0x00007ffff5e323cc in anv_pipeline_compile_cs
(pipeline=pipeline at entry=0x8a2e60, cache=cache at entry=0x8792a0,
info=info at entry=0x7fffffffe4d0, 
    module=0x8a7dd0, entrypoint=0x45e14a "main", spec_info=0x0) at
../../../src/intel/vulkan/anv_pipeline.c:1019
#3  0x00007ffff5fbfe27 in compute_pipeline_create
(_device=_device at entry=0x868c00, cache=cache at entry=0x8792a0,
pCreateInfo=pCreateInfo at entry=0x7fffffffe4d0, 
    pAllocator=pAllocator at entry=0x0, pPipeline=pPipeline at entry=0x696890) at
../../../src/intel/vulkan/genX_pipeline.c:1770
#4  0x00007ffff5fd2916 in gen9_CreateComputePipelines (_device=0x868c00,
pipelineCache=0x8792a0, count=1, pCreateInfos=<optimized out>, pAllocator=0x0, 
    pPipelines=0x696890) at ../../../src/intel/vulkan/genX_pipeline.c:1895
#5  0x00007ffff798ec65 in vkCreateComputePipelines () from
VulkanTools/build/loader/libvulkan.so.1
#6  0x00000000004387c8 in VulkanExample::prepareCompute() ()
#7  0x00000000004393f9 in VulkanExample::prepare() ()
#8  0x0000000000432f92 in main ()

(gdb) info locals
device = <optimized out>
spec_entries = 0x0
spirv_options = {lower_workgroup_access_to_offsets = true, caps = {float64 =
true, image_ms_array = false, tessellation = true, draw_parameters = true, 
    image_read_without_format = false, image_write_without_format = true, int64
= true, multiview = true, variable_pointers = true, storage_16bit = true}, 
  debug = {func = 0x0, private_data = 0x0}}
entry_point = <optimized out>
nir = <optimized out>
compiler = 0x6bdd10
nir_options = 0x7ffff6226000 <scalar_nir_options>
spirv = 0x8a7de8
num_spec_entries = 0

(gdb) disassemble 
Dump of assembler code for function anv_pipeline_compile:
...
   0x00007ffff5e30a50 <+256>:   callq  0x7ffff61d5170 <spirv_to_nir>
=> 0x00007ffff5e30a55 <+261>:   mov    0x18(%rax),%rbx
   0x00007ffff5e30a59 <+265>:   mov    0x20(%rsp),%rdi

(gdb) info registers rax rbx
rax            0x0      0
rbx            0x0      0
--------------------------------------------------------

Does this check need also relaxing?

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/intel-3d-bugs/attachments/20171219/62b1de0f/attachment-0001.html>

More information about the intel-3d-bugs mailing list