| Summary: | [HSW] Use after free with compute programs | | |
|---|---|---|---|
| Product: | Mesa | Reporter: | Ilia Mirkin <imirkin> |
| Component: | Drivers/DRI/i965 | Assignee: | Kenneth Graunke <kenneth> |
| Status: | RESOLVED FIXED | QA Contact: | Intel 3D Bugs Mailing List <intel-3d-bugs> |
| Severity: | normal | | |
| Priority: | medium | CC: | apinheiro, currojerez, idr, jljusten, mark.a.janes |
| Version: | git | | |
| Hardware: | Other | | |
| OS: | All | | |
| Whiteboard: | | | |
| i915 platform: | | i915 features: | |
Description
Ilia Mirkin
2016-01-20 13:43:57 UTC
Looks like this is usually enough to trigger it:

```
--deqp-case=dEQP-GLES31.functional.shaders.builtin_functions.common.frexp.float_lowp_*
```

First it runs the tests in the frag shader, then compute. The switch causes problems I guess?

IMHO this is a pretty serious bug... just repro'd with bin/arb_shader_image_load_store-semantics -fbo -auto

```
Program received signal SIGSEGV, Segmentation fault.
update_stage_texture_surfaces (brw=brw@entry=0x7ffff7fcf040, prog=prog@entry=0xd62340, stage_state=stage_state@entry=0x7ffff7ff3cf0, for_gather=for_gather@entry=true) at brw_wm_surface_state.c:842
842	      surf_offset[s] = 0;
(gdb) bt
#0  update_stage_texture_surfaces (brw=brw@entry=0x7ffff7fcf040, prog=prog@entry=0xd62340, stage_state=stage_state@entry=0x7ffff7ff3cf0, for_gather=for_gather@entry=true) at brw_wm_surface_state.c:842
#1  0x00007ffff03d5bb4 in brw_update_texture_surfaces (brw=0x7ffff7fcf040) at brw_wm_surface_state.c:891
#2  0x00007ffff03cdf4f in check_and_emit_atom (atom=0x7ffff7ff5610, state=<synthetic pointer>, brw=0x7ffff7fcf040) at brw_state_upload.c:771
#3  brw_upload_pipeline_state (pipeline=BRW_COMPUTE_PIPELINE, brw=0x7ffff7fcf040) at brw_state_upload.c:882
#4  brw_upload_compute_state (brw=0x7ffff7fcf040) at brw_state_upload.c:942
(gdb) p *stage_state->prog_data
$2 = {binding_table = {size_bytes = 12, pull_constants_start = 3, texture_start = 1, gather_texture_start = 3503345872, ubo_start = 1, ssbo_start = 1, abo_start = 3503345872, image_start = 1, shader_time_start = 3503345872}, nr_params = 2, nr_pull_params = 0, nr_image_params = 2, curb_read_length = 1, total_scratch = 0, total_shared = 0, dispatch_grf_start_reg = 4, use_alt_mode = false, param = 0xc9f3a0, pull_param = 0x10ef6a0, image_param = 0x10d9070}
```

which is the same thing as the valgrind complaint. The texgather value gets overwritten with 0xd0d0d0d0 (consistently so, it seems) and so the surf_offset is out in la-la land. But the underlying issue appears to be the use-after-free.
Curro and Jordan: Can one of you guys look into this? I don't have a HSW system, and the piglit test mentioned in comment #2 is fine on my BDW.

Mark: How does that piglit test fare on the CI?

(In reply to Ian Romanick from comment #3)
> I don't have a HSW
> system, and the piglit test mentioned in comment #2 is fine on my BDW.

I suspect that's because you don't have ARB_compute_shader enabled on there, due to the invocation situation/lack-of-SIMD32.

I have not seen piglit.spec.arb_shader_image_load_store.semantics fail since it was fixed in piglit 9bd8454

(In reply to Mark Janes from comment #5)
> I have not seen piglit.spec.arb_shader_image_load_store.semantics fail since
> it was fixed in piglit 9bd8454

OK, well I'm at the latest piglit, here's the rest of my system:

Mesa commit daa0fd7843df

```
00:02.0 VGA compatible controller [0300]: Intel Corporation Xeon E3-1200 v3/4th Gen Core Processor Integrated Graphics Controller [8086:0412] (rev 06)
```

```
./configure --prefix=/home/ilia/install --with-dri-drivers=i965,nouveau --with-gallium-drivers=nouveau,swrast --enable-gallium-llvm --enable-gles1 --enable-gles2 --with-egl-platforms=drm,x11 --enable-texture-float --enable-debug CFLAGS='-fno-omit-frame-pointer -O2 -g' CXXFLAGS='-fno-omit-frame-pointer -O2 -g'
```

```
LD_LIBRARY_PATH=/home/ilia/install/lib64:/home/ilia/install/lib valgrind bin/arb_shader_image_load_store-semantics -fbo -auto
```

... lots of output ....
```
PIGLIT: {"subtest": {"imageStore/Compute shader/r8i/image1D test" : "pass"}}
PIGLIT: {"subtest": {"imageStore/Compute shader/r8i/image2D test" : "pass"}}
PIGLIT: {"subtest": {"imageStore/Compute shader/r8i/image3D test" : "pass"}}
PIGLIT: {"subtest": {"imageStore/Compute shader/r8i/image2DRect test" : "pass"}}
PIGLIT: {"subtest": {"imageStore/Compute shader/r8i/imageCube test" : "pass"}}
PIGLIT: {"subtest": {"imageStore/Compute shader/r8i/imageBuffer test" : "pass"}}
PIGLIT: {"subtest": {"imageStore/Compute shader/r8i/image1DArray test" : "pass"}}
PIGLIT: {"subtest": {"imageStore/Compute shader/r8i/image2DArray test" : "pass"}}
PIGLIT: {"subtest": {"imageStore/Compute shader/r8i/imageCubeArray test" : "pass"}}
PIGLIT: {"subtest": {"imageStore/Compute shader/rgba16/image1D test" : "pass"}}
PIGLIT: {"subtest": {"imageStore/Compute shader/rgba16/image2D test" : "pass"}}
==12712== Invalid read of size 4
==12712==    at 0xCB75549: get_pipeline_state_l3_weights (gen7_l3_state.c:311)
==12712==    by 0xCB75549: emit_l3_state (gen7_l3_state.c:480)
==12712==    by 0xCB5B87E: check_and_emit_atom (brw_state_upload.c:771)
==12712==    by 0xCB5B87E: brw_upload_pipeline_state (brw_state_upload.c:882)
==12712==    by 0xCB5B87E: brw_upload_compute_state (brw_state_upload.c:942)
==12712==    by 0xCB39207: brw_dispatch_compute_common.part.2 (brw_compute.c:140)
==12712==    by 0xC83501B: _mesa_DispatchCompute (compute.c:44)
==12712==    by 0x406135: draw_grid (grid.c:349)
==12712==    by 0x403A65: run_test (semantics.c:337)
==12712==    by 0x403BBD: piglit_init (semantics.c:368)
==12712==    by 0x4F6F75D: run_test (piglit_fbo_framework.c:50)
==12712==    by 0x4F55AC4: piglit_gl_test_run (piglit-framework-gl.c:199)
==12712==    by 0x402E20: main (semantics.c:55)
==12712==  Address 0xe4a1cf4 is 212 bytes inside a block of size 512 free'd
==12712==    at 0x4C2B1DC: free (vg_replace_malloc.c:473)
==12712==    by 0xCB57C10: brw_clear_cache (brw_state_cache.c:374)
==12712==    by 0xC83501B: _mesa_DispatchCompute (compute.c:44)
==12712==    by 0x406135: draw_grid (grid.c:349)
==12712==    by 0x403A65: run_test (semantics.c:337)
==12712==    by 0x403BBD: piglit_init (semantics.c:368)
==12712==    by 0x4F6F75D: run_test (piglit_fbo_framework.c:50)
==12712==    by 0x4F55AC4: piglit_gl_test_run (piglit-framework-gl.c:199)
==12712==    by 0x402E20: main (semantics.c:55)
==12712== 
==12712== Invalid read of size 4
==12712==    at 0xCB75551: get_pipeline_state_l3_weights (gen7_l3_state.c:311)
==12712==    by 0xCB75551: emit_l3_state (gen7_l3_state.c:480)
==12712==    by 0xCB5B87E: check_and_emit_atom (brw_state_upload.c:771)
==12712==    by 0xCB5B87E: brw_upload_pipeline_state (brw_state_upload.c:882)
==12712==    by 0xCB5B87E: brw_upload_compute_state (brw_state_upload.c:942)
==12712==    by 0xCB39207: brw_dispatch_compute_common.part.2 (brw_compute.c:140)
==12712==    by 0xC83501B: _mesa_DispatchCompute (compute.c:44)
==12712==    by 0x406135: draw_grid (grid.c:349)
==12712==    by 0x403A65: run_test (semantics.c:337)
==12712==    by 0x403BBD: piglit_init (semantics.c:368)
==12712==    by 0x4F6F75D: run_test (piglit_fbo_framework.c:50)
==12712==    by 0x4F55AC4: piglit_gl_test_run (piglit-framework-gl.c:199)
==12712==    by 0x402E20: main (semantics.c:55)
==12712==  Address 0xe4a1cec is 204 bytes inside a block of size 512 free'd
==12712==    at 0x4C2B1DC: free (vg_replace_malloc.c:473)
==12712==    by 0xCB57C10: brw_clear_cache (brw_state_cache.c:374)
==12712==    by 0xC83501B: _mesa_DispatchCompute (compute.c:44)
==12712==    by 0x406135: draw_grid (grid.c:349)
==12712==    by 0x403A65: run_test (semantics.c:337)
==12712==    by 0x403BBD: piglit_init (semantics.c:368)
==12712==    by 0x4F6F75D: run_test (piglit_fbo_framework.c:50)
==12712==    by 0x4F55AC4: piglit_gl_test_run (piglit-framework-gl.c:199)
==12712==    by 0x402E20: main (semantics.c:55)
==12712== 
==12712== Invalid read of size 4
==12712==    at 0xCB7550A: get_pipeline_state_l3_weights (gen7_l3_state.c:312)
==12712==    by 0xCB7550A: emit_l3_state (gen7_l3_state.c:480)
==12712==    by 0xCB5B87E: check_and_emit_atom (brw_state_upload.c:771)
==12712==    by 0xCB5B87E: brw_upload_pipeline_state (brw_state_upload.c:882)
==12712==    by 0xCB5B87E: brw_upload_compute_state (brw_state_upload.c:942)
==12712==    by 0xCB39207: brw_dispatch_compute_common.part.2 (brw_compute.c:140)
==12712==    by 0xC83501B: _mesa_DispatchCompute (compute.c:44)
==12712==    by 0x406135: draw_grid (grid.c:349)
==12712==    by 0x403A65: run_test (semantics.c:337)
==12712==    by 0x403BBD: piglit_init (semantics.c:368)
==12712==    by 0x4F6F75D: run_test (piglit_fbo_framework.c:50)
==12712==    by 0x4F55AC4: piglit_gl_test_run (piglit-framework-gl.c:199)
==12712==    by 0x402E20: main (semantics.c:55)
==12712==  Address 0xe4a1cf8 is 216 bytes inside a block of size 512 free'd
==12712==    at 0x4C2B1DC: free (vg_replace_malloc.c:473)
==12712==    by 0xCB57C10: brw_clear_cache (brw_state_cache.c:374)
==12712==    by 0xC83501B: _mesa_DispatchCompute (compute.c:44)
==12712==    by 0x406135: draw_grid (grid.c:349)
==12712==    by 0x403A65: run_test (semantics.c:337)
==12712==    by 0x403BBD: piglit_init (semantics.c:368)
==12712==    by 0x4F6F75D: run_test (piglit_fbo_framework.c:50)
==12712==    by 0x4F55AC4: piglit_gl_test_run (piglit-framework-gl.c:199)
==12712==    by 0x402E20: main (semantics.c:55)
==12712== 
==12712== Invalid read of size 4
==12712==    at 0xCB63262: update_stage_texture_surfaces (brw_wm_surface_state.c:838)
==12712==    by 0xCB6336A: brw_update_texture_surfaces (brw_wm_surface_state.c:879)
==12712==    by 0xCB5B87E: check_and_emit_atom (brw_state_upload.c:771)
==12712==    by 0xCB5B87E: brw_upload_pipeline_state (brw_state_upload.c:882)
==12712==    by 0xCB5B87E: brw_upload_compute_state (brw_state_upload.c:942)
==12712==    by 0xCB39207: brw_dispatch_compute_common.part.2 (brw_compute.c:140)
==12712==    by 0xC83501B: _mesa_DispatchCompute (compute.c:44)
==12712==    by 0x406135: draw_grid (grid.c:349)
==12712==    by 0x403A65: run_test (semantics.c:337)
==12712==    by 0x403BBD: piglit_init (semantics.c:368)
==12712==    by 0x4F6F75D: run_test (piglit_fbo_framework.c:50)
==12712==    by 0x4F55AC4: piglit_gl_test_run (piglit-framework-gl.c:199)
==12712==    by 0x402E20: main (semantics.c:55)
==12712==  Address 0xe4a1cc8 is 168 bytes inside a block of size 512 free'd
==12712==    at 0x4C2B1DC: free (vg_replace_malloc.c:473)
==12712==    by 0xCB57C10: brw_clear_cache (brw_state_cache.c:374)
==12712==    by 0xC83501B: _mesa_DispatchCompute (compute.c:44)
==12712==    by 0x406135: draw_grid (grid.c:349)
==12712==    by 0x403A65: run_test (semantics.c:337)
==12712==    by 0x403BBD: piglit_init (semantics.c:368)
==12712==    by 0x4F6F75D: run_test (piglit_fbo_framework.c:50)
==12712==    by 0x4F55AC4: piglit_gl_test_run (piglit-framework-gl.c:199)
==12712==    by 0x402E20: main (semantics.c:55)
==12712== 
==12712== Invalid read of size 4
==12712==    at 0xCB63262: update_stage_texture_surfaces (brw_wm_surface_state.c:838)
==12712==    by 0xCB633DB: brw_update_texture_surfaces (brw_wm_surface_state.c:883)
==12712==    by 0xCB5B87E: check_and_emit_atom (brw_state_upload.c:771)
==12712==    by 0xCB5B87E: brw_upload_pipeline_state (brw_state_upload.c:882)
==12712==    by 0xCB5B87E: brw_upload_compute_state (brw_state_upload.c:942)
==12712==    by 0xCB39207: brw_dispatch_compute_common.part.2 (brw_compute.c:140)
==12712==    by 0xC83501B: _mesa_DispatchCompute (compute.c:44)
==12712==    by 0x406135: draw_grid (grid.c:349)
==12712==    by 0x403A65: run_test (semantics.c:337)
==12712==    by 0x403BBD: piglit_init (semantics.c:368)
==12712==    by 0x4F6F75D: run_test (piglit_fbo_framework.c:50)
==12712==    by 0x4F55AC4: piglit_gl_test_run (piglit-framework-gl.c:199)
==12712==    by 0x402E20: main (semantics.c:55)
==12712==  Address 0xe47b240 is 160 bytes inside a block of size 520 free'd
==12712==    at 0x4C2B1DC: free (vg_replace_malloc.c:473)
==12712==    by 0xCB57C10: brw_clear_cache (brw_state_cache.c:374)
==12712==    by 0xC83501B: _mesa_DispatchCompute (compute.c:44)
==12712==    by 0x406135: draw_grid (grid.c:349)
==12712==    by 0x403A65: run_test (semantics.c:337)
==12712==    by 0x403BBD: piglit_init (semantics.c:368)
==12712==    by 0x4F6F75D: run_test (piglit_fbo_framework.c:50)
==12712==    by 0x4F55AC4: piglit_gl_test_run (piglit-framework-gl.c:199)
==12712==    by 0x402E20: main (semantics.c:55)
==12712== 
PIGLIT: {"subtest": {"imageStore/Compute shader/rgba16/image3D test" : "pass"}}
PIGLIT: {"subtest": {"imageStore/Compute shader/rgba16/image2DRect test" : "pass"}}
PIGLIT: {"subtest": {"imageStore/Compute shader/rgba16/imageCube test" : "pass"}}
PIGLIT: {"subtest": {"imageStore/Compute shader/rgba16/imageBuffer test" : "pass"}}
PIGLIT: {"subtest": {"imageStore/Compute shader/rgba16/image1DArray test" : "pass"}}
PIGLIT: {"subtest": {"imageStore/Compute shader/rgba16/image2DArray test" : "pass"}}
PIGLIT: {"subtest": {"imageStore/Compute shader/rgba16/imageCubeArray test" : "pass"}}
PIGLIT: {"subtest": {"imageStore/Compute shader/rgb10_a2/image1D test" : "pass"}}
PIGLIT: {"subtest": {"imageStore/Compute shader/rgb10_a2/image2D test" : "pass"}}
PIGLIT: {"subtest": {"imageStore/Compute shader/rgb10_a2/image3D test" : "pass"}}
```

So it hardly happens every draw. I don't know what triggers it... (Also this is not the first time I see the l3 thing, but it doesn't happen each time either.)

Nice, something's apparently freeing the brw_stage_prog_data struct for some stage (brw_state_cache_check_size() maybe?) and leaving dangling pointers pointing at it.

(In reply to Ilia Mirkin from comment #4)
> (In reply to Ian Romanick from comment #3)
> > I don't have a HSW
> > system, and the piglit test mentioned in comment #2 is fine on my BDW.
>
> I suspect that's because you don't have ARB_compute_shader enabled on there,
> due to the invocation situation/lack-of-SIMD32.

I don't get the segfault even if I run with MESA_EXTENSION_OVERRIDE=+GL_ARB_compute_shader. I haven't tried it with valgrind yet. My tree is at 739ac3d3.
(In reply to Ian Romanick from comment #8)
> (In reply to Ilia Mirkin from comment #4)
> > (In reply to Ian Romanick from comment #3)
> > > I don't have a HSW
> > > system, and the piglit test mentioned in comment #2 is fine on my BDW.
> >
> > I suspect that's because you don't have ARB_compute_shader enabled on there,
> > due to the invocation situation/lack-of-SIMD32.
>
> I don't get the segfault even if I run with
> MESA_EXTENSION_OVERRIDE=+GL_ARB_compute_shader. I haven't tried it with
> valgrind yet. My tree is at 739ac3d3.

On the off chance it matters, I'm using "gcc version 4.9.3 (Gentoo 4.9.3 p1.2, pie-0.6.3)" to build everything. x86_64 (not that there are a ton of haswell GPUs on arm devices...)

Patches on the mailing list:

https://lists.freedesktop.org/archives/mesa-dev/2016-February/107141.html
https://lists.freedesktop.org/archives/mesa-dev/2016-February/107142.html
https://lists.freedesktop.org/archives/mesa-dev/2016-February/107143.html
https://lists.freedesktop.org/archives/mesa-dev/2016-February/107144.html

I think this should fix the problem. I tested on Broadwell with:

```
MESA_EXTENSION_OVERRIDE=GL_ARB_compute_shader valgrind bin/arb_shader_image_load_store-semantics -fbo -auto --quick
```

and saw valgrind errors before these patches, and none after. I haven't tried running dEQP through valgrind, though.

(In reply to Kenneth Graunke from comment #10)
> Patches on the mailing list:
>
> https://lists.freedesktop.org/archives/mesa-dev/2016-February/107141.html
> https://lists.freedesktop.org/archives/mesa-dev/2016-February/107142.html
> https://lists.freedesktop.org/archives/mesa-dev/2016-February/107143.html
> https://lists.freedesktop.org/archives/mesa-dev/2016-February/107144.html

As those are already on master, and just in case people didn't have time to test this bug again...

> I think this should fix the problem. I tested on Broadwell with:
>
> MESA_EXTENSION_OVERRIDE=GL_ARB_compute_shader valgrind
> bin/arb_shader_image_load_store-semantics -fbo -auto --quick
>
> and saw valgrind errors before these patches, and none after. I haven't
> tried running dEQP through valgrind, though.

... I tried the scenarios pointed out in comment #0 and in comment #1 on haswell. Although there are still some valgrind warnings, the one pointed out by the bug (use after free, example "Address 0xd3e8ca4 is 884 bytes inside a block of size 1,040 free'd") is gone.

So probably it is safe to close the bug now. Will let Ilia give the final word.

(In reply to Alejandro Piñeiro (freenode IRC: apinheiro) from comment #11)
> (In reply to Kenneth Graunke from comment #10)
> > I think this should fix the problem. I tested on Broadwell with:
> >
> > MESA_EXTENSION_OVERRIDE=GL_ARB_compute_shader valgrind
> > bin/arb_shader_image_load_store-semantics -fbo -auto --quick
> >
> > and saw valgrind errors before these patches, and none after. I haven't
> > tried running dEQP through valgrind, though.
>
> ... I tried the scenarios pointed out in comment #0 and in comment #1 on
> haswell. Although there are still some valgrind warnings, the one pointed out by
> the bug (use after free, example "Address 0xd3e8ca4 is 884 bytes inside a
> block of size 1,040 free'd") is gone.
>
> So probably it is safe to close the bug now. Will let Ilia give the final
> word.

Hm, I don't think I saw any valgrind warnings... this is fixed as far as I'm concerned, thanks guys!
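The dangling-pointer pattern the thread narrows down to (the valgrind reports show brw_clear_cache freeing a block that a stage's prog_data pointer is later read through) is shown below as an added, constructed C model; it is not Mesa's code and not the fix in the mailing-list patches. The struct and function names are assumptions, and the safe variant illustrates one general mitigation (drop the stage's reference and mark it dirty whenever the cache is cleared) rather than what the patches do:

```c
#include <stdlib.h>

/* Constructed model of the failure mode, not Mesa's code: a program cache owns
 * prog_data blocks and each stage keeps a raw pointer into that cache. */
struct prog_data  { unsigned texture_start, gather_texture_start; };
struct prog_cache { struct prog_data *entries[8]; int n; };
struct stage_state { struct prog_data *prog_data; int dirty; }; /* dirty: re-acquire */
static struct prog_data *cache_upload(struct prog_cache *c, unsigned gather) {
   struct prog_data *pd = calloc(1, sizeof *pd);
   pd->texture_start = 1; pd->gather_texture_start = gather;
   return c->entries[c->n++] = pd;
}

/* Unsafe pattern: blocks are freed but stages keep their pointers and are not
 * marked dirty, so the next upload reads freed memory (valgrind's "free'd"). */
static void cache_clear_unsafe(struct prog_cache *c) {
   for (int i = 0; i < c->n; i++) free(c->entries[i]);
   c->n = 0;
}

/* Safe pattern: clearing also drops every stage reference and marks the stage
 * dirty, so the next upload re-acquires prog_data instead of dereferencing it. */
static void cache_clear_safe(struct prog_cache *c, struct stage_state *st, int n) {
   cache_clear_unsafe(c);
   for (int i = 0; i < n; i++) { st[i].prog_data = NULL; st[i].dirty = 1; }
}

/* State upload: re-acquire when dirty, then read the binding-table offset. */
static unsigned upload_gather_start(struct prog_cache *c, struct stage_state *s) {
   if (s->dirty || !s->prog_data) { s->prog_data = cache_upload(c, 3); s->dirty = 0; }
   return s->prog_data->gather_texture_start;
}

/* 1 if the stage still trusts its pointer after the unsafe clear (the bug). */
int stage_trusts_stale_pointer(void) {
   struct prog_cache c = {{0}, 0}; struct stage_state s = {NULL, 1};
   upload_gather_start(&c, &s); cache_clear_unsafe(&c);
   return !s.dirty;   /* 1: the next upload would read freed memory */
}

/* After the safe clear the stage re-acquires a live block; returns 3. */
unsigned gather_start_after_safe_clear(void) {
   struct prog_cache c = {{0}, 0}; struct stage_state s = {NULL, 1};
   upload_gather_start(&c, &s);
   cache_clear_safe(&c, &s, 1);               /* frees, drops reference, dirties */
   unsigned g = upload_gather_start(&c, &s);  /* re-acquires a live block */
   cache_clear_safe(&c, &s, 1);               /* release everything */
   return g;
}
```

Running the unsafe variant under valgrind and then uploading would reproduce the "inside a block ... free'd" report the thread shows; the safe variant never dereferences the freed block.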