| Summary: | [GLSL bisected] implicit sized array triggers segfault in ir_to_mesa_visitor::copy_propagate | ||
|---|---|---|---|
| Product: | Mesa | Reporter: | Gordon Jin <gordon.jin> |
| Component: | glsl-compiler | Assignee: | Ian Romanick <idr> |
| Status: | VERIFIED FIXED | QA Contact: | |
| Severity: | major | ||
| Priority: | high | CC: | vlee |
| Version: | 7.10 | Keywords: | regression |
| Hardware: | All | ||
| OS: | Linux (All) | ||
| Whiteboard: | |||
| i915 platform: | i915 features: | ||
| Attachments: | new piglit test case | ||
|
Description
Gordon Jin
2011-01-17 17:54:41 UTC
I did a little debugging on this, and I suspect the problem was added when the copy propagation pass was added. The acp buffer is being over-run. It seems the expectation that this->next_temp is greater than any in-use register index is not being held. The assertion below fails for this test case.
#3 0x00007ffff5599bb2 in ir_to_mesa_visitor::copy_propagate (this=0x7fffffffdcb0) at program/ir_to_mesa.cpp:2657
(gdb) print inst->dst_reg.index
$3 = 2
(gdb) print this->next_temp
$4 = 2
As a result, the buffer gets over-run at either line 2729 or 2746.
This probably wouldn't crash without dynamic memory allocation
diff --git a/src/mesa/program/ir_to_mesa.cpp b/src/mesa/program/ir_to_mesa.cpp
index 786fdfb..ddcf883 100644
--- a/src/mesa/program/ir_to_mesa.cpp
+++ b/src/mesa/program/ir_to_mesa.cpp
@@ -2652,6 +2652,8 @@ ir_to_mesa_visitor::copy_propagate(void)
foreach_iter(exec_list_iterator, iter, this->instructions) {
ir_to_mesa_instruction *inst = (ir_to_mesa_instruction *)iter.get();
+
+ assert(inst->dst_reg.index < this->next_temp);
/* First, do any copy propagation possible into the src regs. */
for (int r = 0; r < 3; r++) {
With a little more digging, it seems that there is still a variable in the linked program with an unset array size. This causes type_size to return 0, and next_temp does not get advanced. This should not be able to happen due to checks in the linker for 0-sized arrays.
diff --git a/src/mesa/program/ir_to_mesa.cpp b/src/mesa/program/ir_to_mesa.cpp
index 786fdfb..7b5b424 100644
--- a/src/mesa/program/ir_to_mesa.cpp
+++ b/src/mesa/program/ir_to_mesa.cpp
@@ -651,6 +651,7 @@ type_size(const struct glsl_type *type)
return 1;
}
case GLSL_TYPE_ARRAY:
+ assert(type->length > 0);
return type_size(type->fields.array) * type->length;
case GLSL_TYPE_STRUCT:
size = 0;
I added two piglit test cases that reproduce this and a related bug. The following patch series should fix both. I'm leaving the bug open but resetting the version to 7.10 until the patches are cherry picked. commit 0f4b2a0a23650d8f773c53d84cb2ead1f6d4fc8e Author: Ian Romanick <ian.d.romanick@intel.com> Date: Tue Jan 25 12:06:18 2011 -0800 linker: Propagate max_array_access while linking functions Update the max_array_access of a global as functions that use that global are pulled into the linked shader. Fixes piglit test glsl-fs-implicit-array-size-01 and bugzilla #33219. NOTE: This is a candidate for the 7.9 and 7.10 branches. commit c87e9ef4d291b3fc18f7af2c7a7646b9a860f4af Author: Ian Romanick <ian.d.romanick@intel.com> Date: Tue Jan 25 12:04:08 2011 -0800 linker: Set sizes for non-global arrays as well Previously only global arrays with implicit sizes would be patched. This causes all arrays that are actually accessed to be sized. Fixes piglit test glsl-fs-implicit-array-size-02. NOTE: This is a candidate for the 7.9 and 7.10 branches. Fixed by 2b115017 (7.9) and 3370f9b6 (7.10). verified |
Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.