[Mesa-dev] [PATCH] nv50/ir/ra: fix memory corruption when spilling
Karol Herbst
kherbst at redhat.com
Tue Nov 12 23:34:02 UTC 2019
When doing RA we end up with adding ValueDef references to Values across
all over the shader. This is all fine until we remove the Instruction
defining those Values, which happens when spilling values. So before
actually removing those instructions, clean up any stale references to its
definitions.
fixes following libasan report:
=================================================================
==612087==ERROR: AddressSanitizer: heap-use-after-free on address 0x6150003ea380 at pc 0x7f1d12142fe9 bp 0x7fffca6fd120 sp 0x7fffca6fd110
READ of size 8 at 0x6150003ea380 thread T0
#0 0x7f1d12142fe8 in nv50_ir::ValueDef::get() const ../src/gallium/drivers/nouveau/codegen/nv50_ir.h:648
#1 0x7f1d12143c02 in nv50_ir::Value::getUniqueInsn() const ../src/gallium/drivers/nouveau/codegen/nv50_ir_inlines.h:229
#2 0x7f1d1221530d in nv50_ir::RegAlloc::BuildIntervalsPass::addLiveRange(nv50_ir::Value*, nv50_ir::BasicBlock const*, int) ../src/gallium/drivers/nouveau/codegen/nv50_ir_ra.cpp:333
#3 0x7f1d1221872e in nv50_ir::RegAlloc::BuildIntervalsPass::visit(nv50_ir::BasicBlock*) ../src/gallium/drivers/nouveau/codegen/nv50_ir_ra.cpp:686
#4 0x7f1d1215676c in nv50_ir::Pass::doRun(nv50_ir::Function*, bool, bool) ../src/gallium/drivers/nouveau/codegen/nv50_ir_bb.cpp:495
#5 0x7f1d121563ed in nv50_ir::Pass::run(nv50_ir::Function*, bool, bool) ../src/gallium/drivers/nouveau/codegen/nv50_ir_bb.cpp:477
#6 0x7f1d122262b8 in nv50_ir::RegAlloc::execFunc() ../src/gallium/drivers/nouveau/codegen/nv50_ir_ra.cpp:1910
#7 0x7f1d122256b0 in nv50_ir::RegAlloc::exec() ../src/gallium/drivers/nouveau/codegen/nv50_ir_ra.cpp:1849
#8 0x7f1d12226f1e in nv50_ir::Program::registerAllocation() ../src/gallium/drivers/nouveau/codegen/nv50_ir_ra.cpp:1970
#9 0x7f1d1214092a in nv50_ir_generate_code ../src/gallium/drivers/nouveau/codegen/nv50_ir.cpp:1275
#10 0x7f1d1227461b in nvc0_program_translate ../src/gallium/drivers/nouveau/nvc0/nvc0_program.c:634
#11 0x7f1d12294b21 in nvc0_sp_state_create ../src/gallium/drivers/nouveau/nvc0/nvc0_state.c:620
#12 0x7f1d12294d90 in nvc0_fp_state_create ../src/gallium/drivers/nouveau/nvc0/nvc0_state.c:661
#13 0x7f1d12ad4912 in st_create_fp_variant ../src/mesa/state_tracker/st_program.c:1498
#14 0x7f1d12ad4cd5 in st_get_fp_variant ../src/mesa/state_tracker/st_program.c:1525
#15 0x7f1d12ad8252 in st_precompile_shader_variant ../src/mesa/state_tracker/st_program.c:2053
#16 0x7f1d12c9c851 in st_program_string_notify ../src/mesa/state_tracker/st_cb_program.c:185
#17 0x7f1d12d17731 in st_link_tgsi ../src/mesa/state_tracker/st_glsl_to_tgsi.cpp:7441
#18 0x7f1d12cabaf0 in st_link_shader ../src/mesa/state_tracker/st_glsl_to_ir.cpp:175
#19 0x7f1d127c85ca in _mesa_glsl_link_shader ../src/mesa/program/ir_to_mesa.cpp:3186
#20 0x7f1d1252a9f7 in link_program ../src/mesa/main/shaderapi.c:1285
#21 0x7f1d1252a9f7 in link_program_error ../src/mesa/main/shaderapi.c:1384
#22 0x7f1d1252deb3 in _mesa_LinkProgram ../src/mesa/main/shaderapi.c:1876
#23 0x403e13 in main._omp_fn.0 /home/kherbst/git/shader-db/run.c:926
#24 0x7f1d17b8b4b5 in GOMP_parallel (/lib64/libgomp.so.1+0x124b5)
#25 0x4029e4 in main /home/kherbst/git/shader-db/run.c:765
#26 0x7f1d179b51a2 in __libc_start_main ../csu/libc-start.c:308
#27 0x402d1d in _start (/home/kherbst/git/shader-db/run+0x402d1d)
0x6150003ea380 is located 0 bytes inside of 504-byte region [0x6150003ea380,0x6150003ea578)
freed by thread T0 here:
#0 0x7f1d17e5d96f in operator delete(void*) (/usr/lib64/libasan.so.5.0.0+0x11096f)
#1 0x7f1d1214ec0f in __gnu_cxx::new_allocator<nv50_ir::ValueDef>::deallocate(nv50_ir::ValueDef*, unsigned long) /usr/include/c++/9/ext/new_allocator.h:128
#2 0x7f1d1214dc00 in std::allocator_traits<std::allocator<nv50_ir::ValueDef> >::deallocate(std::allocator<nv50_ir::ValueDef>&, nv50_ir::ValueDef*, unsigned long) /usr/include/c++/9/bits/alloc_traits.h:470
#3 0x7f1d1214c5fb in std::_Deque_base<nv50_ir::ValueDef, std::allocator<nv50_ir::ValueDef> >::_M_deallocate_node(nv50_ir::ValueDef*) /usr/include/c++/9/bits/stl_deque.h:624
#4 0x7f1d121498c4 in std::_Deque_base<nv50_ir::ValueDef, std::allocator<nv50_ir::ValueDef> >::_M_destroy_nodes(nv50_ir::ValueDef**, nv50_ir::ValueDef**) /usr/include/c++/9/bits/stl_deque.h:758
#5 0x7f1d1214704d in std::_Deque_base<nv50_ir::ValueDef, std::allocator<nv50_ir::ValueDef> >::~_Deque_base() /usr/include/c++/9/bits/stl_deque.h:680
#6 0x7f1d12145371 in std::deque<nv50_ir::ValueDef, std::allocator<nv50_ir::ValueDef> >::~deque() /usr/include/c++/9/bits/stl_deque.h:1069
#7 0x7f1d1213bc5b in nv50_ir::Instruction::~Instruction() ../src/gallium/drivers/nouveau/codegen/nv50_ir.cpp:615
#8 0x7f1d1213fb2f in nv50_ir::Program::releaseInstruction(nv50_ir::Instruction*) ../src/gallium/drivers/nouveau/codegen/nv50_ir.cpp:1148
#9 0x7f1d122250fb in nv50_ir::SpillCodeInserter::run(std::__cxx11::list<std::pair<nv50_ir::Value*, nv50_ir::Value*>, std::allocator<std::pair<nv50_ir::Value*, nv50_ir::Value*> > > const&) ../src/gallium/drivers/nouveau/codegen/nv50_ir_ra.cpp:1830
#10 0x7f1d12221445 in nv50_ir::GCRA::allocateRegisters(nv50_ir::ArrayList&) ../src/gallium/drivers/nouveau/codegen/nv50_ir_ra.cpp:1541
#11 0x7f1d122262e9 in nv50_ir::RegAlloc::execFunc() ../src/gallium/drivers/nouveau/codegen/nv50_ir_ra.cpp:1913
#12 0x7f1d122256b0 in nv50_ir::RegAlloc::exec() ../src/gallium/drivers/nouveau/codegen/nv50_ir_ra.cpp:1849
#13 0x7f1d12226f1e in nv50_ir::Program::registerAllocation() ../src/gallium/drivers/nouveau/codegen/nv50_ir_ra.cpp:1970
#14 0x7f1d1214092a in nv50_ir_generate_code ../src/gallium/drivers/nouveau/codegen/nv50_ir.cpp:1275
#15 0x7f1d1227461b in nvc0_program_translate ../src/gallium/drivers/nouveau/nvc0/nvc0_program.c:634
#16 0x7f1d12294b21 in nvc0_sp_state_create ../src/gallium/drivers/nouveau/nvc0/nvc0_state.c:620
#17 0x7f1d12294d90 in nvc0_fp_state_create ../src/gallium/drivers/nouveau/nvc0/nvc0_state.c:661
#18 0x7f1d12ad4912 in st_create_fp_variant ../src/mesa/state_tracker/st_program.c:1498
#19 0x7f1d12ad4cd5 in st_get_fp_variant ../src/mesa/state_tracker/st_program.c:1525
#20 0x7f1d12ad8252 in st_precompile_shader_variant ../src/mesa/state_tracker/st_program.c:2053
#21 0x7f1d12c9c851 in st_program_string_notify ../src/mesa/state_tracker/st_cb_program.c:185
#22 0x7f1d12d17731 in st_link_tgsi ../src/mesa/state_tracker/st_glsl_to_tgsi.cpp:7441
#23 0x7f1d12cabaf0 in st_link_shader ../src/mesa/state_tracker/st_glsl_to_ir.cpp:175
#24 0x7f1d127c85ca in _mesa_glsl_link_shader ../src/mesa/program/ir_to_mesa.cpp:3186
#25 0x7f1d1252a9f7 in link_program ../src/mesa/main/shaderapi.c:1285
#26 0x7f1d1252a9f7 in link_program_error ../src/mesa/main/shaderapi.c:1384
#27 0x7f1d1252deb3 in _mesa_LinkProgram ../src/mesa/main/shaderapi.c:1876
#28 0x403e13 in main._omp_fn.0 /home/kherbst/git/shader-db/run.c:926
previously allocated by thread T0 here:
#0 0x7f1d17e5c9d7 in operator new(unsigned long) (/usr/lib64/libasan.so.5.0.0+0x10f9d7)
#1 0x7f1d1215046f in __gnu_cxx::new_allocator<nv50_ir::ValueDef>::allocate(unsigned long, void const*) /usr/include/c++/9/ext/new_allocator.h:114
#2 0x7f1d1214ebec in std::allocator_traits<std::allocator<nv50_ir::ValueDef> >::allocate(std::allocator<nv50_ir::ValueDef>&, unsigned long) /usr/include/c++/9/bits/alloc_traits.h:444
#3 0x7f1d1214dbd3 in std::_Deque_base<nv50_ir::ValueDef, std::allocator<nv50_ir::ValueDef> >::_M_allocate_node() /usr/include/c++/9/bits/stl_deque.h:617
#4 0x7f1d1214c464 in std::_Deque_base<nv50_ir::ValueDef, std::allocator<nv50_ir::ValueDef> >::_M_create_nodes(nv50_ir::ValueDef**, nv50_ir::ValueDef**) (/home/kherbst/local/lib64/dri//nouveau_dri.so+0x829464)
#5 0x7f1d121495cd in std::_Deque_base<nv50_ir::ValueDef, std::allocator<nv50_ir::ValueDef> >::_M_initialize_map(unsigned long) /usr/include/c++/9/bits/stl_deque.h:716
#6 0x7f1d12146f7d in std::_Deque_base<nv50_ir::ValueDef, std::allocator<nv50_ir::ValueDef> >::_Deque_base() /usr/include/c++/9/bits/stl_deque.h:507
#7 0x7f1d1214518d in std::deque<nv50_ir::ValueDef, std::allocator<nv50_ir::ValueDef> >::deque() /usr/include/c++/9/bits/stl_deque.h:912
#8 0x7f1d1213b9c9 in nv50_ir::Instruction::Instruction(nv50_ir::Function*, nv50_ir::operation, nv50_ir::DataType) ../src/gallium/drivers/nouveau/codegen/nv50_ir.cpp:605
#9 0x7f1d1224dd44 in nv50_ir::Function::convertToSSA() ../src/gallium/drivers/nouveau/codegen/nv50_ir_ssa.cpp:385
#10 0x7f1d1224d381 in nv50_ir::Program::convertToSSA() ../src/gallium/drivers/nouveau/codegen/nv50_ir_ssa.cpp:310
#11 0x7f1d121407c0 in nv50_ir_generate_code ../src/gallium/drivers/nouveau/codegen/nv50_ir.cpp:1264
#12 0x7f1d1227461b in nvc0_program_translate ../src/gallium/drivers/nouveau/nvc0/nvc0_program.c:634
#13 0x7f1d12294b21 in nvc0_sp_state_create ../src/gallium/drivers/nouveau/nvc0/nvc0_state.c:620
#14 0x7f1d12294d90 in nvc0_fp_state_create ../src/gallium/drivers/nouveau/nvc0/nvc0_state.c:661
#15 0x7f1d12ad4912 in st_create_fp_variant ../src/mesa/state_tracker/st_program.c:1498
#16 0x7f1d12ad4cd5 in st_get_fp_variant ../src/mesa/state_tracker/st_program.c:1525
#17 0x7f1d12ad8252 in st_precompile_shader_variant ../src/mesa/state_tracker/st_program.c:2053
#18 0x7f1d12c9c851 in st_program_string_notify ../src/mesa/state_tracker/st_cb_program.c:185
#19 0x7f1d12d17731 in st_link_tgsi ../src/mesa/state_tracker/st_glsl_to_tgsi.cpp:7441
#20 0x7f1d12cabaf0 in st_link_shader ../src/mesa/state_tracker/st_glsl_to_ir.cpp:175
#21 0x7f1d127c85ca in _mesa_glsl_link_shader ../src/mesa/program/ir_to_mesa.cpp:3186
#22 0x7f1d1252a9f7 in link_program ../src/mesa/main/shaderapi.c:1285
#23 0x7f1d1252a9f7 in link_program_error ../src/mesa/main/shaderapi.c:1384
#24 0x7f1d1252deb3 in _mesa_LinkProgram ../src/mesa/main/shaderapi.c:1876
#25 0x403e13 in main._omp_fn.0 /home/kherbst/git/shader-db/run.c:926
SUMMARY: AddressSanitizer: heap-use-after-free ../src/gallium/drivers/nouveau/codegen/nv50_ir.h:648 in nv50_ir::ValueDef::get() const
Shadow bytes around the buggy address:
0x0c2a80075420: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2a80075430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2a80075440: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2a80075450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
0x0c2a80075460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c2a80075470:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2a80075480: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2a80075490: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2a800754a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
0x0c2a800754b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2a800754c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==612087==ABORTING
Signed-off-by: Karol Herbst <kherbst at redhat.com>
---
.../drivers/nouveau/codegen/nv50_ir_ra.cpp | 34 ++++++++++++++++++-
1 file changed, 33 insertions(+), 1 deletion(-)
diff --git a/src/gallium/drivers/nouveau/codegen/nv50_ir_ra.cpp b/src/gallium/drivers/nouveau/codegen/nv50_ir_ra.cpp
index 6df2664da22..d72932748f1 100644
--- a/src/gallium/drivers/nouveau/codegen/nv50_ir_ra.cpp
+++ b/src/gallium/drivers/nouveau/codegen/nv50_ir_ra.cpp
@@ -1745,6 +1745,34 @@ value_cmp(ValueRef *a, ValueRef *b) {
return ai->serial < bi->serial;
}
+class RepairSSAAfterSpillPass : public Pass
+{
+public:
+ RepairSSAAfterSpillPass(Instruction *insn) : insn(insn) {}
+private:
+ void removeStaleRefs(Instruction *it, ValueDef *def) {
+ for (int d = 0; it->defExists(d); ++d) {
+ std::list<ValueDef *> &defs = it->getDef(d)->defs;
+ std::list<ValueDef *>::iterator it = std::find(defs.begin(), defs.end(), def);
+ if (it != defs.end())
+ defs.erase(it);
+ }
+ }
+
+ virtual bool visit(Instruction *it)
+ {
+ if (it == insn)
+ return true;
+
+ for (int d = 0; insn->defExists(d); ++d)
+ removeStaleRefs(it, &insn->def(d));
+
+ return true;
+ }
+
+ Instruction *insn;
+};
+
// For each value that is to be spilled, go through all its definitions.
// A value can have multiple definitions if it has been coalesced before.
// For each definition, first go through all its uses and insert an unspill
@@ -1815,8 +1843,12 @@ SpillCodeInserter::run(const std::list<ValuePair>& lst)
}
for (unordered_set<Instruction *>::const_iterator it = to_del.begin();
- it != to_del.end(); ++it)
+ it != to_del.end(); ++it) {
+ Instruction *insn = *it;
+ RepairSSAAfterSpillPass repair(insn);
+ repair.run(insn->bb->getFunction());
delete_Instruction(func->getProgram(), *it);
+ }
}
// TODO: We're not trying to reuse old slots in a potential next iteration.
--
2.23.0
More information about the mesa-dev
mailing list