Bug 104703

Summary: GraphicsFuzz Android Benchmark crash Firefox on shader06
Product: Mesa
Reporter: Leonardo <kinetocore>
Component: Drivers/DRI/i965
Assignee: Intel 3D Bugs Mailing List <intel-3d-bugs>
Status: RESOLVED DUPLICATE
QA Contact: Intel 3D Bugs Mailing List <intel-3d-bugs>
Severity: normal
Priority: medium
CC: lemody
Version: 17.3
Hardware: x86-64 (AMD64)
OS: Linux (All)
Whiteboard:
i915 platform:
i915 features:

Description Leonardo 2018-01-19 13:25:27 UTC
System environment:
-- chipset: G965
-- system architecture: 64-bit
-- xf86-video-intel: 1:2.99.917+802+gaf6d8e9e-1
-- xserver: 1.19.6
-- mesa: 17.3.2
-- libdrm: 2.4.89
-- kernel: 4.14.13
-- Linux distribution: Manjaro
-- Machine or mobo model: Asus laptop F55V (Core i3-2350M)

Go to https://www.graphicsfuzz.com/benchmark/android-v1.html and let the test run. All the shader tests pass except shader06, where it crashes Firefox with a "link crash" error, asking to resume the tab (Firefox 57.0.4). It happens all the time (100% reproducibility). If you need more information, let me know.
Comment 1 Tapani Pälli 2018-01-23 11:33:01 UTC
I've reproduced this with Chrome on SKL and HSW. I took a brief look and there might be some issues in the testsuite itself. I've dumped the shaders but I haven't figured out which shaders are used by 'shader06' test.


I can see at least the following errors from apitrace that indicate browser/app issues:

--- 8< ---
54120: message: major api error 80: GL_INVALID_OPERATION in glGetNamedBufferPointerv(non-existent buffer object 21)
54120 @0 glDeleteBuffers(n = 1, buffers = &21)
54120: warning: glGetError(glDeleteBuffers) = GL_INVALID_OPERATION
54696: message: major api error 80: GL_INVALID_OPERATION in glGetNamedBufferPointerv(non-existent buffer object 16)
54696 @0 glDeleteBuffers(n = 1, buffers = &16)
54696: warning: glGetError(glDeleteBuffers) = GL_INVALID_OPERATION


...

92498: message: api issue 4: FBO incomplete: Unsupported HW texture/renderbuffer format attached: MESA_FORMAT_RGB_FLOAT32
92498: message: api issue 5: FBO incomplete: driver marked FBO as incomplete [-1]

...

112229: message: major shader compiler issue 120: 0:77(11): warning: `webgl_dfd20e96eeb1f964' used uninitialized
112229 @0 glCompileShader(shader = 74)
112229: warning: 0:77(11): warning: `webgl_dfd20e96eeb1f964' used uninitialized
Comment 2 vadym 2018-01-25 15:47:06 UTC
Issue is reproducible on my laptop:

OS: Ubuntu 17.10 64-bit
CPU: Intel® Core™ i7-7500U CPU @ 2.70GHz × 4
GPU: Intel® HD Graphics 620 (Kaby Lake GT2)
mesa: 18.1.0-devel (git-7d4007d58a)
kernel: 4.13.0-31-generic

In dmesg I noticed this message after the Firefox crash:

[23838.361098] traps: Web Content[30658] trap divide error ip:7f6dee287e9f sp:7ffc7d493f20 error:0 in i965_dri.so[7f6dedf27000+8dd000]


Additionally, I ran Firefox with gdb and got the following error message:

Thread 1 "Web Content" received signal SIGFPE, Arithmetic exception.

0x00007f18ffe87e9f in evaluate_idiv (num_components=1, bit_size=<optimized out>, _src=_src@entry=0x7ffc0c2fb620) at nir/nir_constant_expressions.c:8791
8791	            int32_t dst = src0 / src1;
(gdb) 
Continuing.

At this point src1 equals zero.
Comment 3 Tapani Pälli 2018-02-01 07:58:58 UTC
Seems like something has changed; for me tests 4, 6, 9, 11 fail.
Comment 4 vadym 2018-02-28 13:14:00 UTC
Bisected:

40e9f2f13847ddd94e1216088aa00456d7b02d2b is the first bad commit
commit 40e9f2f13847ddd94e1216088aa00456d7b02d2b
Author: Timothy Arceri <timothy.arceri@collabora.com>
Date:   Tue Dec 13 11:37:25 2016 +1100

    i965: disable loop unrolling in GLSL IR
    
    There is a single regression in loop unrolling which is:
    
    loops HURT:   shaders/orbital_explorer.shader_test GS SIMD8:    0 -> 1
    
    However the loop is huge so it seems reasonable not to unroll it. It's
    surprising that GLSL IR does unroll it.
    
    shader-db results BDW:
    
    total instructions in shared programs: 13037455 -> 13036947 (-0.00%)
    instructions in affected programs: 17982 -> 17474 (-2.83%)
    helped: 63
    HURT: 25
    
    total cycles in shared programs: 262217870 -> 262227990 (0.00%)
    cycles in affected programs: 2287046 -> 2297166 (0.44%)
    helped: 969
    HURT: 844
    
    total loops in shared programs: 2951 -> 2952 (0.03%)
    loops in affected programs: 0 -> 1
    helped: 0
    HURT: 1
    
    LOST:   0
    GAINED: 1
    
    Reviewed-by: Jason Ekstrand <jason@jlekstrand.net>
Comment 5 vadym 2018-02-28 13:16:57 UTC
Issue is already fixed in https://bugs.freedesktop.org/show_bug.cgi?id=105271 by the following commit:

commit 0c1f37cc2d8555223ade73b244a3ee374be8d9cd
Author: Timothy Arceri <tarceri@itsqueeze.com>
Date:   Wed Feb 28 14:33:55 2018 +1100

    nir: fix interger divide by zero crash during constant folding
    
    From the GLSL 4.60 spec Section 5.9 (Expressions):
    
       "Dividing by zero does not cause an exception but does result in
        an unspecified value."
    
    Fixes: 89285e4d47a6 "nir: add new constant folding infrastructure"
    
    Reviewed-by: Jason Ekstrand <jason@jlekstrand.net>
    Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=105271

So this can be marked as duplicate.
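
Added example (not part of the thread and not Mesa's code): a constant folder that divides at compile time without trapping, for the `src0 / src1` fault in comment 2 and the spec text quoted in comment 5. The names const_vec, safe_idiv and fold_idiv are hypothetical, returning 0 for a zero divisor is this example's choice, and the INT_MIN / -1 guard goes beyond the case reported here.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_COMPONENTS 4

/* Constructed stand-in for a compile-time constant (not Mesa's type):
 * one sign-extended 64-bit slot per vector component. */
typedef struct { int64_t v[MAX_COMPONENTS]; } const_vec;

/* Signed division that never traps. x/0 yields 0, which is this example's
 * choice: the quoted spec text allows any value. min/-1 overflows the
 * quotient, which x86 idiv also reports as a divide error, so it wraps. */
static int64_t safe_idiv(int64_t a, int64_t b, int64_t min)
{
    if (b == 0)
        return 0;
    if (a == min && b == -1)
        return min;
    return a / b;
}

/* Fold a component-wise signed division; bit_size is 32 or 64. */
const_vec fold_idiv(unsigned num_components, unsigned bit_size,
                    const const_vec *src0, const const_vec *src1)
{
    const int64_t min = (bit_size == 64) ? INT64_MIN : INT32_MIN;
    const_vec dst = {{0}};

    for (unsigned i = 0; i < num_components && i < MAX_COMPONENTS; i++)
        dst.v[i] = safe_idiv(src0->v[i], src1->v[i], min);
    return dst;
}

int main(void)
{
    /* Constructed input: ivec4 / ivec4 with a zero and a -1 divisor. */
    const_vec a = {{ 7, 1, INT32_MIN, -9 }};
    const_vec b = {{ 2, 0, -1, 3 }};
    const_vec r = fold_idiv(4, 32, &a, &b);

    for (int i = 0; i < 4; i++)
        printf("dst[%d] = %lld\n", i, (long long)r.v[i]);
    return 0;
}
```

The folder runs inside the process that submitted the shader, so an unguarded divide on shader-supplied constants terminates that process, as the dmesg line in comment 2 shows.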
Comment 6 vadym 2018-02-28 14:03:01 UTC

*** This bug has been marked as a duplicate of bug 105271 ***
