Mesa (master): vc4: Fix termination of the initial scan for branch targets.

Fri Oct 21 21:12:56 UTC 2016

Module: Mesa
Branch: master
Commit: 1d7874fa7b4683cba8f8bc78c139402b989dd9df
URL:    http://cgit.freedesktop.org/mesa/mesa/commit/?id=1d7874fa7b4683cba8f8bc78c139402b989dd9df

Author: Eric Anholt <eric at anholt.net>
Date:   Thu Oct 20 16:48:12 2016 -0700

vc4: Fix termination of the initial scan for branch targets.

The loop is scanning until the original max_ip (size of the BO), but we
want to not examine any code after the PROG_END's delay slots.  There was
a block trying to do that, except that we had some early continue
statements if the signal wasn't a PROG_END or a BRANCH.

The failure mode would be that a valid shader is rejected because some
undefined memory after the PROG_END slots is parsed as a branch and the
rest of its setup is illegal.  I haven't seen this in the wild, but
valgrind was complaining and the new userland simulator code started
triggering it.

---

 src/gallium/drivers/vc4/kernel/vc4_validate_shaders.c | 19 ++++++++-----------
 1 file changed, 8 insertions(+), 11 deletions(-)

diff --git a/src/gallium/drivers/vc4/kernel/vc4_validate_shaders.c b/src/gallium/drivers/vc4/kernel/vc4_validate_shaders.c
index 82717ca..0ff3d01 100644
--- a/src/gallium/drivers/vc4/kernel/vc4_validate_shaders.c
+++ b/src/gallium/drivers/vc4/kernel/vc4_validate_shaders.c
@@ -603,9 +603,7 @@ static bool
 vc4_validate_branches(struct vc4_shader_validation_state *validation_state)
 {
 	uint32_t max_branch_target = 0;
-	bool found_shader_end = false;
 	int ip;
-	int shader_end_ip = 0;
 	int last_branch = -2;
 
 	for (ip = 0; ip < validation_state->max_ip; ip++) {
@@ -616,8 +614,13 @@ vc4_validate_branches(struct vc4_shader_validation_state *validation_state)
 		uint32_t branch_target_ip;
 
 		if (sig == QPU_SIG_PROG_END) {
-			shader_end_ip = ip;
-			found_shader_end = true;
+			/* There are two delay slots after program end is
+			 * signaled that are still executed, then we're
+			 * finished.  validation_state->max_ip is the
+			 * instruction after the last valid instruction in the
+			 * program.
+			 */
+			validation_state->max_ip = ip + 3;
 			continue;
 		}
 
@@ -671,15 +674,9 @@ vc4_validate_branches(struct vc4_shader_validation_state *validation_state)
 		}
 		set_bit(after_delay_ip, validation_state->branch_targets);
 		max_branch_target = max(max_branch_target, after_delay_ip);
-
-		/* There are two delay slots after program end is signaled
-		 * that are still executed, then we're finished.
-		 */
-		if (found_shader_end && ip == shader_end_ip + 2)
-			break;
 	}
 
-	if (max_branch_target > shader_end_ip) {
+	if (max_branch_target > validation_state->max_ip - 3) {
 		DRM_ERROR("Branch landed after QPU_SIG_PROG_END");
 		return false;
 	}


