Bug 42517

Summary: Assertion failure: ir_swizzle @ 0x2e8f0a0 specifies a channel not present in the value.
Product: Mesa Reporter: Christian Holler (:decoder) <choller>
Component: glsl-compilerAssignee: Ian Romanick <idr>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: medium CC: eric, idr, ingo.theiss
Version: 7.11   
Hardware: x86-64 (AMD64)   
OS: Linux (All)   
Whiteboard:
i915 platform: i915 features:
Bug Depends on: 42516    
Bug Blocks:    
Attachments: Test case for Firefox using llvmpipe as WebGL renderer

Description Christian Holler (:decoder) 2011-11-02 07:32:05 UTC 
Created attachment 53059 [details]
Test case for Firefox using llvmpipe as WebGL renderer

Using the llvmpipe software renderer for WebGL in Firefox, the attached html testcase crashes:

ir_swizzle @ 0x2e8f0a0 specifies a channel not present in the value.
(swiz z (var_ref uni) )
Program received signal SIGABRT, Aborted.
0x00007ffff6eb8d05 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64      ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
        in ../nptl/sysdeps/unix/sysv/linux/raise.c
(gdb) bt
#0  0x00007ffff6eb8d05 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x00007ffff6ebcab6 in abort () at abort.c:92
#2  0x00007fffd481cb27 in ir_validate::visit_leave (this=0x7fffffff8db0, ir=0x2e8f0a0) at src/glsl/ir_validate.cpp:457
#3  0x00007fffd4819f4c in ir_swizzle::accept (this=0x2e8f0a0, v=0x7fffffff8db0) at src/glsl/ir_hv_accept.cpp:233
#4  0x00007fffd4819b23 in ir_expression::accept (this=0x2e82e90, v=0x7fffffff8db0) at src/glsl/ir_hv_accept.cpp:146
#5  0x00007fffd481a1f0 in ir_assignment::accept (this=0x2e831f0, v=0x7fffffff8db0) at src/glsl/ir_hv_accept.cpp:292
#6  0x00007fffd4819730 in visit_list_elements (v=0x7fffffff8db0, l=0x31822c0) at src/glsl/ir_hv_accept.cpp:48
#7  0x00007fffd48199dd in ir_function_signature::accept (this=0x3182270, v=0x7fffffff8db0) at src/glsl/ir_hv_accept.cpp:120
#8  0x00007fffd4819730 in visit_list_elements (v=0x7fffffff8db0, l=0x300a310) at src/glsl/ir_hv_accept.cpp:48
#9  0x00007fffd4819a6c in ir_function::accept (this=0x300a2e0, v=0x7fffffff8db0) at src/glsl/ir_hv_accept.cpp:132
#10 0x00007fffd4819730 in visit_list_elements (v=0x7fffffff8db0, l=0x2dccac0) at src/glsl/ir_hv_accept.cpp:48
#11 0x00007fffd4819663 in ir_hierarchical_visitor::run (this=0x7fffffff8db0, instructions=0x2dccac0) at src/glsl/ir_hierarchical_visitor.cpp:282
#12 0x00007fffd481ce97 in validate_ir_tree (instructions=0x2dccac0) at src/glsl/ir_validate.cpp:570
#13 0x00007fffd46ef455 in _mesa_glsl_compile_shader (ctx=0x2ca9c70, shader=0x2dc55a0) at src/mesa/program/ir_to_mesa.cpp:3208
#14 0x00007fffd46b87ae in compile_shader (ctx=0x2ca9c70, shaderObj=1) at src/mesa/main/shaderapi.c:848
#15 0x00007fffd46b9188 in _mesa_CompileShaderARB (shaderObj=1) at src/mesa/main/shaderapi.c:1188
#16 0x00007ffff2c26c42 in mozilla::gl::GLContext::fCompileShader (this=0x2ce3c90, shader=1) at ../../../dist/include/GLContext.h:2261
#17 0x00007ffff2c3c06a in mozilla::WebGLContext::CompileShader (this=0x29c5390, sobj=0x2dc56a0)

The test is similar to my previously reported bug (bug 42516) but the crash is different, so I can't really tell if the underlying issue is the same.

Version information from glxinfo:

OpenGL vendor string: VMware, Inc.
OpenGL renderer string: Gallium 0.4 on llvmpipe
OpenGL version string: 2.1 Mesa 7.11
OpenGL shading language version string: 1.20

If you need the full output, let me know.
Comment 1 Vinson Lee 2011-11-04 01:38:20 UTC 
Look to be a GLSL compiler issue. Assigning it to the glsl-compiler component.


mesa-7.11/src/glsl/ir_validate.cpp
   447  ir_visitor_status
   448  ir_validate::visit_leave(ir_swizzle *ir)
   449  {
   450     int chans[4] = {ir->mask.x, ir->mask.y, ir->mask.z, ir->mask.w};
   451  
   452     for (unsigned int i = 0; i < ir->type->vector_elements; i++) {
   453        if (chans[i] >= ir->val->type->vector_elements) {
   454           printf("ir_swizzle @ %p specifies a channel not present "
   455                  "in the value.\n", (void *) ir);
   456           ir->print();
   457           abort();
   458        }
   459     }
   460  
   461     return visit_continue;
   462  }
Comment 2 Ian Romanick 2011-11-04 10:25:15 UTC 
It was initially really hard to look at this bug.  The attachment was set as HTML, so it tried to render when I viewed it... and crashed. :p

Looking at the shader:

#define NUM_UNIFORMS 16 // See spec
varying vec2 uni;
void main()
{
    vec4 c = vec4(0,0,0,0);
    for (int ii = 0; ii < NUM_UNIFORMS; ++ii) {
       c += uni[ii];
    }
}

my guess is that the loop is unrolled, and something like 'c += uni[15];' is generated.  Since uni is a vec2 and not an array, this is invalid.

I'll have to poke at the spec because I'm not sure what we're supposed to do.  I know that if the shader text contains 'c += uni[15];' we're supposed to generate a compilation error.  I'm not sure what we're supposed to do if we can determine an out-of-bounds access would occur.  I suspect this is one of the "undefined behavior" scenarios.
Comment 3 Ian Romanick 2011-11-07 11:13:50 UTC 
I've posted a patch to the mesa-dev mailing list that should fix this problem.  Could you test it?

http://lists.freedesktop.org/archives/mesa-dev/2011-November/014217.html
Comment 4 Christian Holler (:decoder) 2011-11-09 03:05:36 UTC 
(In reply to comment #3)
> I've posted a patch to the mesa-dev mailing list that should fix this problem. 
> Could you test it?
> 
> http://lists.freedesktop.org/archives/mesa-dev/2011-November/014217.html

I can confirm that this patch fixes the crash :) Thanks!
Comment 5 Ian Romanick 2011-11-09 14:06:54 UTC 
This bug is now fixed on master by the commit below.  I will close the bug once the fix is cherry picked to the 7.11 branch.

commit 6f5c73797087c6e7842665f84e41caedea59bb65
Author: Ian Romanick <ian.d.romanick@intel.com>
Date:   Mon Nov 7 10:58:00 2011 -0800

    glsl: Clamp vector indices when lowering to swizzles
    
    This prevents other code from seeing a swizzle of the 16th component
    of a vector, for example.
    
    NOTE: This is a candidate for the 7.11 branch.
    
    Signed-off-by: Ian Romanick <ian.d.romanick@intel.com>
    Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=42517
    Reviewed-by: Kenneth Graunke <kenneth@whitecape.org>
    Reviewed-by: Paul Berry <stereotype441@gmail.com>
    Tested-by: Christian Holler <choller@mozilla.com>
Comment 6 Ingo Theiss 2011-11-12 10:11:07 UTC 
I´am sorry to say that this bug seems not to be fixed. Got this error while running the game Ryzom with the latest mesa trunk (7.12-devel (git-b618e78))

ir_swizzle @ 0xe9abf80 specifies a channel not present in the value.
(swiz w (constant float (0.000000)) )

Version from glxinfo:

OpenGL renderer string: Gallium 0.4 on AMD BARTS
OpenGL version string: 2.1 Mesa 7.12-devel (git-b618e78)

Her is the backtrace:

Core was generated by `/usr/games/ryzom_client'.
Program terminated with signal 6, Aborted.
#0  0x00007fe3ecf25405 in raise () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) bt
#0  0x00007fe3ecf25405 in raise () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00007fe3ecf28680 in abort () from /lib/x86_64-linux-gnu/libc.so.6
#2  0x00007fe3e4a33084 in ir_validate::visit_leave(ir_swizzle*) ()
   from /opt/mesa/lib/x86_64-linux-gnu/dri/r600_dri.so
#3  0x00007fe3e4a2cf78 in ir_expression::accept(ir_hierarchical_visitor*) ()
   from /opt/mesa/lib/x86_64-linux-gnu/dri/r600_dri.so
#4  0x00007fe3e4a2cf78 in ir_expression::accept(ir_hierarchical_visitor*) ()
   from /opt/mesa/lib/x86_64-linux-gnu/dri/r600_dri.so
#5  0x00007fe3e4a2cf78 in ir_expression::accept(ir_hierarchical_visitor*) ()
   from /opt/mesa/lib/x86_64-linux-gnu/dri/r600_dri.so
#6  0x00007fe3e4a2d17d in ir_swizzle::accept(ir_hierarchical_visitor*) ()
   from /opt/mesa/lib/x86_64-linux-gnu/dri/r600_dri.so
#7  0x00007fe3e4a2d17d in ir_swizzle::accept(ir_hierarchical_visitor*) ()
   from /opt/mesa/lib/x86_64-linux-gnu/dri/r600_dri.so
#8  0x00007fe3e4a2cf78 in ir_expression::accept(ir_hierarchical_visitor*) ()
   from /opt/mesa/lib/x86_64-linux-gnu/dri/r600_dri.so
#9  0x00007fe3e4a2cf78 in ir_expression::accept(ir_hierarchical_visitor*) ()
   from /opt/mesa/lib/x86_64-linux-gnu/dri/r600_dri.so
#10 0x00007fe3e4a2d37e in ir_assignment::accept(ir_hierarchical_visitor*) ()
   from /opt/mesa/lib/x86_64-linux-gnu/dri/r600_dri.so
#11 0x00007fe3e4a2ce20 in ir_function_signature::accept(ir_hierarchical_visitor*) ()
   from /opt/mesa/lib/x86_64-linux-gnu/dri/r600_dri.so
#12 0x00007fe3e4a2ced4 in ir_function::accept(ir_hierarchical_visitor*) ()
   from /opt/mesa/lib/x86_64-linux-gnu/dri/r600_dri.so
#13 0x00007fe3e4a2cc00 in visit_list_elements(ir_hierarchical_visitor*, exec_list*, bool) ()
   from /opt/mesa/lib/x86_64-linux-gnu/dri/r600_dri.so
#14 0x00007fe3e4a335fa in validate_ir_tree(exec_list*) ()
   from /opt/mesa/lib/x86_64-linux-gnu/dri/r600_dri.so
#15 0x00007fe3e49d50b8 in _mesa_get_fixed_func_fragment_program ()
   from /opt/mesa/lib/x86_64-linux-gnu/dri/r600_dri.so
#16 0x00007fe3e4951370 in update_program (ctx=0x3c037d0) at main/state.c:263
#17 _mesa_update_state_locked (ctx=0x3c037d0) at main/state.c:676
---Type <return> to continue, or q <return> to quit---
#18 0x00007fe3e495241f in _mesa_update_state (ctx=0x3c037d0) at main/state.c:709
#19 0x00007fe3e48b3039 in _mesa_valid_to_render (ctx=0x3c037d0, where=<optimized out>)
    at main/context.c:1723
#20 0x00007fe3e4a50737 in check_valid_to_render (ctx=0x3c037d0, function=<optimized out>)
    at main/api_validate.c:105
#21 0x00007fe3e4a515d2 in _mesa_validate_DrawElements (ctx=0x3c037d0, mode=<optimized out>, count=900, 
    type=5123, indices=0x7fe3cf01e2e0, basevertex=<optimized out>) at main/api_validate.c:253
#22 0x00007fe3e49a7a22 in vbo_exec_DrawElements (mode=4, count=900, type=5123, indices=0x7fe3cf01e2e0)
    at vbo/vbo_exec_array.c:1010
#23 0x00007fe3e6370381 in NL3D::CDriverGL::renderTriangles(NL3D::CMaterial&, unsigned int, unsigned int) ()
   from /usr/lib/nel/libnel_drv_opengl.so
#24 0x00007fe3ef89db27 in NL3D::CMeshMRMSkinnedGeom::renderSkinGroupSpecularRdrPass(NL3D::CMeshMRMSkinnedInstance*, unsigned int) () from /usr/lib/libnel3d.so.0
#25 0x00007fe3efa805cf in NL3D::CSkeletonModel::renderSkinList(NLMISC::CObjectVector<NL3D::CTransform*, false>&, float) () from /usr/lib/libnel3d.so.0
#26 0x00007fe3efa80a66 in NL3D::CSkeletonModel::renderSkins() () from /usr/lib/libnel3d.so.0
#27 0x00007fe3efa80c25 in NL3D::CSkeletonModel::traverseRender() () from /usr/lib/libnel3d.so.0
#28 0x00007fe3ef6f8ae1 in NL3D::CRenderTrav::traverse(NL3D::UScene::TRenderPart, bool) ()
   from /usr/lib/libnel3d.so.0
#29 0x00007fe3ef869bc2 in NL3D::CScene::renderPart(NL3D::UScene::TRenderPart, bool) ()
   from /usr/lib/libnel3d.so.0
#30 0x00007fe3ef86b7a9 in NL3D::CScene::render(bool) () from /usr/lib/libnel3d.so.0
#31 0x00007fe3ef9d93ce in NL3D::CSceneUser::render(bool, bool) () from /usr/lib/libnel3d.so.0
#32 0x00000000009fcbe8 in CInterface3DScene::draw() ()
#33 0x0000000000a6d6f6 in CInterfaceGroup::draw() ()
#34 0x0000000000bb7388 in CInterfaceManager::drawViews(NL3D::UCamera) ()
#35 0x0000000000bb78e7 in CInterfaceManager::updateFrameViews(NL3D::UCamera) ()
#36 0x00000000006bd407 in globalMenu() ()
#37 0x00000000006bf410 in connection(std::string const&, std::string const&) ()
#38 0x000000000064de65 in main ()
Comment 7 Ian Romanick 2011-12-22 17:25:24 UTC 
(In reply to comment #6)
> I´am sorry to say that this bug seems not to be fixed. Got this error while
> running the game Ryzom with the latest mesa trunk (7.12-devel (git-b618e78))
> 
> ir_swizzle @ 0xe9abf80 specifies a channel not present in the value.
> (swiz w (constant float (0.000000)) )
> 
> Version from glxinfo:
> 
> OpenGL renderer string: Gallium 0.4 on AMD BARTS
> OpenGL version string: 2.1 Mesa 7.12-devel (git-b618e78)
> 
> Her is the backtrace:
> 
> Core was generated by `/usr/games/ryzom_client'.
> Program terminated with signal 6, Aborted.
> #0  0x00007fe3ecf25405 in raise () from /lib/x86_64-linux-gnu/libc.so.6
> (gdb) bt
> #0  0x00007fe3ecf25405 in raise () from /lib/x86_64-linux-gnu/libc.so.6
> #1  0x00007fe3ecf28680 in abort () from /lib/x86_64-linux-gnu/libc.so.6
> #2  0x00007fe3e4a33084 in ir_validate::visit_leave(ir_swizzle*) ()
>    from /opt/mesa/lib/x86_64-linux-gnu/dri/r600_dri.so
> #3  0x00007fe3e4a2cf78 in ir_expression::accept(ir_hierarchical_visitor*) ()
>    from /opt/mesa/lib/x86_64-linux-gnu/dri/r600_dri.so
> #4  0x00007fe3e4a2cf78 in ir_expression::accept(ir_hierarchical_visitor*) ()
>    from /opt/mesa/lib/x86_64-linux-gnu/dri/r600_dri.so
> #5  0x00007fe3e4a2cf78 in ir_expression::accept(ir_hierarchical_visitor*) ()
>    from /opt/mesa/lib/x86_64-linux-gnu/dri/r600_dri.so
> #6  0x00007fe3e4a2d17d in ir_swizzle::accept(ir_hierarchical_visitor*) ()
>    from /opt/mesa/lib/x86_64-linux-gnu/dri/r600_dri.so
> #7  0x00007fe3e4a2d17d in ir_swizzle::accept(ir_hierarchical_visitor*) ()
>    from /opt/mesa/lib/x86_64-linux-gnu/dri/r600_dri.so
> #8  0x00007fe3e4a2cf78 in ir_expression::accept(ir_hierarchical_visitor*) ()
>    from /opt/mesa/lib/x86_64-linux-gnu/dri/r600_dri.so
> #9  0x00007fe3e4a2cf78 in ir_expression::accept(ir_hierarchical_visitor*) ()
>    from /opt/mesa/lib/x86_64-linux-gnu/dri/r600_dri.so
> #10 0x00007fe3e4a2d37e in ir_assignment::accept(ir_hierarchical_visitor*) ()
>    from /opt/mesa/lib/x86_64-linux-gnu/dri/r600_dri.so
> #11 0x00007fe3e4a2ce20 in
> ir_function_signature::accept(ir_hierarchical_visitor*) ()
>    from /opt/mesa/lib/x86_64-linux-gnu/dri/r600_dri.so
> #12 0x00007fe3e4a2ced4 in ir_function::accept(ir_hierarchical_visitor*) ()
>    from /opt/mesa/lib/x86_64-linux-gnu/dri/r600_dri.so

If you're still able to reproduce this bug, could you 'up' to this point in the stack frame and 'call ir->print()' and attach the results?  Based on the rest of the stack frame, this is coming from a shader generated from fixed-function state, so the usual shader dump technique won't work.

> #13 0x00007fe3e4a2cc00 in visit_list_elements(ir_hierarchical_visitor*,
> exec_list*, bool) ()
>    from /opt/mesa/lib/x86_64-linux-gnu/dri/r600_dri.so
> #14 0x00007fe3e4a335fa in validate_ir_tree(exec_list*) ()
>    from /opt/mesa/lib/x86_64-linux-gnu/dri/r600_dri.so
> #15 0x00007fe3e49d50b8 in _mesa_get_fixed_func_fragment_program ()
>    from /opt/mesa/lib/x86_64-linux-gnu/dri/r600_dri.so
Comment 8 Ian Romanick 2011-12-22 17:45:28 UTC 
Does this patch help?

http://lists.freedesktop.org/archives/mesa-dev/2011-December/016401.html
Comment 9 Ian Romanick 2012-01-03 19:25:03 UTC 
I've committed the new patch and cherry-picked the old patch to 7.11.  The new patch only affects code that does not exist in 7.11.  I'm also closing the bug.  If the problem still occurs, please open a new bug.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.