Bug 89590

Summary: Crash in glLinkProgram with shaders with multiple constant arrays
Product: Mesa
Reporter: James Legg <jlegg>
Component: Mesa core
Assignee: Tapani Pälli <lemody>
Status: VERIFIED FIXED
QA Contact: mesa-dev
Severity: normal
Priority: medium
Version: 10.5
Hardware: Other
OS: All
Attachments: Reproducer

Description James Legg 2015-03-16 12:45:47 UTC
Created attachment 114347: Reproducer

glLinkProgram crashes if there are multiple shaders with used arrays of constants attached to the program, and the arrays have different numbers of elements. For example:

Vertex shader:
#version 330
in vec2 in_position;
void main()
{
	const float zs[4] = float[4](0, 0, 0, 0);
	gl_Position = vec4(in_position, zs[int(in_position.x) % 4], 1.0);
}


Fragment shader:
#version 330
void main()
{
	const vec4 colours[2] = vec4[2](vec4(1, 0, 0, 0), vec4(0, 1, 0, 0));
	gl_FragColor = colours[int(gl_FragCoord.x) % 2];
}

The attached program uses these shaders and reproduces the bug.

Backtrace from Mesa 10.5.1:
> #0 linker::copy_constant_to_storage(gl_constant_value*, ir_constant const*, glsl_base_type, unsigned int, unsigned int) glsl/link_uniform_initializers.cpp:66
> #1 linker::set_uniform_initializer(void*, gl_shader_program*, char const*, glsl_type const*, ir_constant*, unsigned int) glsl/link_uniform_initializers.cpp:210
> #2 link_set_uniform_initializers(gl_shader_program*, unsigned int) glsl/link_uniform_initializers.cpp:309
> #3 link_assign_uniform_locations(gl_shader_program*, unsigned int) glsl/link_uniforms.cpp:1034
> #4 link_shaders(gl_context*, gl_shader_program*) glsl/linker.cpp:2869
> #5 _mesa_glsl_link_shader mesa/program/ir_to_mesa.cpp:3031
> #6 link_program mesa/main/shaderapi.c:932

The second argument to linker::copy_constant_to_storage, val, appears bogus, as it points to something near 0x0.

The arrays of constants do not have to be declared const in the shader, as long as all the elements' values are known at compile time.

I found this using an AMD PITCAIRN GPU on Fedora 21, x86_64 architecture.

Comment 1 Tapani Pälli 2015-03-18 13:20:13 UTC
Problem is in the lower_const_arrays_to_uniforms pass that assigns overlapping names for uniforms from different stages. In this case zs[4] and colours[2] will both be called 'constarray__0' and bad things happen when using wrong uniform storage.
Comment 2 Tapani Pälli 2015-03-19 10:46:07 UTC
I've sent a fix to mesa-dev mailing list for review.
Comment 3 Tapani Pälli 2015-03-23 09:20:38 UTC
fix pushed
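
The name collision described in Comment 1, as an added example that is not Mesa code and not the fix that was pushed. It is a simplified model in which the linker keys uniform storage by name; `link_uniforms`, `stage_qualified_name` and the other identifiers are hypothetical, and the stage-qualified naming is only one assumed way to keep names unique.

```cpp
#include <cstddef>
#include <map>
#include <string>
#include <vector>

// Simplified model, not Mesa code: every lowered constant array becomes a
// uniform, and the linker keeps one storage entry per uniform name.
struct ConstArray { std::string stage; std::vector<float> values; };
struct Collision { std::string name; std::size_t registered, requested; };

// Counter restarts for each stage, so the first array of every stage gets
// the same name (the behaviour reported in Comment 1).
std::string per_stage_name(const ConstArray &, unsigned index) {
    return "constarray__" + std::to_string(index);
}

// Hypothetical alternative: make the name unique by adding the stage.
std::string stage_qualified_name(const ConstArray &a, unsigned index) {
    return "constarray__" + std::to_string(index) + "_" + a.stage;
}

using Namer = std::string (*)(const ConstArray &, unsigned);

// Registers storage by name and reports every array whose name is already
// taken, instead of copying its initializer into the other array's storage.
std::vector<Collision> link_uniforms(const std::vector<ConstArray> &arrays,
                                     Namer namer) {
    std::map<std::string, std::size_t> storage;   // name -> component count
    std::map<std::string, unsigned> next_index;   // per-stage counter
    std::vector<Collision> collisions;
    for (const ConstArray &a : arrays) {
        const std::string name = namer(a, next_index[a.stage]++);
        auto it = storage.find(name);
        if (it == storage.end())
            storage.emplace(name, a.values.size());
        else
            collisions.push_back({name, it->second, a.values.size()});
    }
    return collisions;
}

// Constructed input mirroring the report: zs[4] is 4 floats, colours[2] is
// 2 vec4 = 8 floats.
std::vector<ConstArray> sample_program() {
    return {{"vertex", std::vector<float>(4, 0.0f)},
            {"fragment", {1.f, 0.f, 0.f, 0.f, 0.f, 1.f, 0.f, 0.f}}};
}

int main() { return link_uniforms(sample_program(), stage_qualified_name).empty() ? 0 : 1; }
```

With the per-stage counter the model reports one collision on `constarray__0`, where 4 components are registered and 8 are requested; with stage-qualified names it reports none.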