108498 – ir_dereference_record nullptr segfault in radeonsi_dri.so

Bug 108498 - ir_dereference_record nullptr segfault in radeonsi_dri.so

Summary: ir_dereference_record nullptr segfault in radeonsi_dri.so

Status:	RESOLVED MOVED

Alias:	None

Product:	Mesa
Classification:	Unclassified
Component:	glsl-compiler (show other bugs)
Version:	18.1
Hardware:	x86-64 (AMD64) Linux (All)

Importance:	medium normal
Assignee:	mesa-dev
QA Contact:	Intel 3D Bugs Mailing List

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2018-10-19 12:55 UTC by claude
Modified:	2019-09-18 19:46 UTC (History)
CC List:	1 user (show)

See Also:
i915 platform:
i915 features:

Attachments
tarball of GLSL source code for use in Fragmentarium (16.24 KB, application/gzip) 2018-10-19 12:55 UTC, claude	Details
processed fragment shader than glslangValidator doesn't complain about (52.52 KB, text/plain) 2018-10-19 14:11 UTC, claude	Details
View All

Description claude 2018-10-19 12:55:27 UTC

Created attachment 142095 [details]
tarball of GLSL source code for use in Fragmentarium

I'm using $ apt-cache policy libgl1-mesa-dri
libgl1-mesa-dri:
  Installed: 18.1.7-1
  Candidate: 18.1.7-1
  Version table:
     18.2.0-1 1
          1 http://ftp.uk.debian.org/debian experimental/main amd64 Packages
     18.1.9-1 500
        500 http://ftp.uk.debian.org/debian unstable/main amd64 Packages
 *** 18.1.7-1 990
        990 http://ftp.uk.debian.org/debian buster/main amd64 Packages
        100 /var/lib/dpkg/status

I will try to compile upstream Mesa soon to see if it is a Debian-specific issue, or whether it has already been fixed in a later version.


Fragmentarium (from https://github.com/3Dickulus/FragM ) crashes inside radeonsi_dri.so when I try to compile part of a large shader project (~50kB of GLSL transcluded from the main 'raymond/example.frag').  The problematic part is the last half of 'raymond/Raymond-Trace.frag' in the attached tarball, setting #if 0 stops it from crashing and emits an error message in the shader compile log about missing function definitions (this is expected, the hard crash with #if 1 is not).


It seems to be caused by something that passes a nullptr as a field name in compiler/glsl/ir.cpp:1401, gdb backtrace is large:

Thread 1 "Fragmentarium-2" received signal SIGSEGV, Segmentation fault.
__strcmp_ssse3 () at ../sysdeps/x86_64/multiarch/../strcmp.S:173
173	../sysdeps/x86_64/multiarch/../strcmp.S: No such file or directory.
(gdb) bt
#0  0x00007ffff64c40b6 in __strcmp_ssse3 () at ../sysdeps/x86_64/multiarch/../strcmp.S:173
#1  0x00007fffe24c7d6d in glsl_type::field_type(char const*) const (this=<optimized out>, name=name@entry=0x0) at ../../../src/compiler/glsl_types.cpp:1228
#2  0x00007fffe24cba3f in ir_dereference_record::ir_dereference_record(ir_rvalue*, char const*) (this=0x555556f46e00, value=<optimized out>, field=0x0) at ../../../src/compiler/glsl/ir.cpp:1401
#3  0x00007fffe24ce720 in ir_dereference_record::clone(void*, hash_table*) const (this=<optimized out>, mem_ctx=<optimized out>, ht=<optimized out>) at ../../../src/compiler/glsl/list.h:58
#4  0x00007fffe2456ab4 in ast_expression::do_hir(exec_list*, _mesa_glsl_parse_state*, bool) (this=0x555556d12bf8, instructions=0x555556f459d0, state=0x555556341530, needs_rvalue=<optimized out>)
    at ../../../src/compiler/glsl/ast.h:86
#5  0x00007fffe2458b43 in ast_expression_statement::hir(exec_list*, _mesa_glsl_parse_state*) (this=<optimized out>, instructions=<optimized out>, state=<optimized out>)
    at ../../../src/compiler/glsl/ast_to_hir.cpp:2228
#6  0x00007fffe2458b9f in ast_compound_statement::hir(exec_list*, _mesa_glsl_parse_state*) (this=0x555556d12cc8, instructions=0x555556f459d0, state=0x555556341530)
    at ../../../src/compiler/glsl/ast_to_hir.cpp:2244
#7  0x00007fffe2460f0e in ast_iteration_statement::hir(exec_list*, _mesa_glsl_parse_state*) (this=0x555556d12d28, instructions=<optimized out>, state=0x555556341530)
    at ../../../src/compiler/glsl/ast_to_hir.cpp:6902
#8  0x00007fffe2458b9f in ast_compound_statement::hir(exec_list*, _mesa_glsl_parse_state*) (this=0x555556d12e70, instructions=0x555556ff6690, state=0x555556341530)
    at ../../../src/compiler/glsl/ast_to_hir.cpp:2244
#9  0x00007fffe245f462 in ast_function_definition::hir(exec_list*, _mesa_glsl_parse_state*) (this=0x555556d12ed0, instructions=<optimized out>, state=0x555556341530)
    at ../../../src/compiler/glsl/ast_to_hir.cpp:6182
#10 0x00007fffe2455b70 in _mesa_ast_to_hir(exec_list*, _mesa_glsl_parse_state*) (instructions=0x5555564c7570, state=0x555556341530) at ../../../src/compiler/glsl/ast_to_hir.cpp:156
#11 0x00007fffe24b9551 in _mesa_glsl_compile_shader(gl_context*, gl_shader*, bool, bool, bool) (ctx=ctx@entry=0x55555604a230, shader=shader@entry=0x555556496b40, dump_ast=dump_ast@entry=false, dump_hir=dump_hir@entry=false, force_recompile=force_recompile@entry=false) at ../../../src/compiler/glsl/glsl_parser_extras.cpp:2106
#12 0x00007fffe235b4d0 in _mesa_compile_shader (ctx=0x55555604a230, sh=0x555556496b40) at ../../../src/mesa/main/shaderapi.c:1131
#13 0x00007ffff748697f in QOpenGLFunctions::glCompileShader(unsigned int) (this=<optimized out>, shader=6) at opengl/qopenglfunctions.h:1280
#14 0x00007ffff748697f in QOpenGLShaderPrivate::compile(QOpenGLShader*) (this=this@entry=0x555556485120, q=q@entry=0x5555563adf10) at opengl/qopenglshaderprogram.cpp:352
#15 0x00007ffff7487275 in QOpenGLShader::compileSourceCode(char const*) (this=this@entry=0x5555563adf10, source=source@entry=0x555556b80488 "#version 330 compatibility\n// #donotrun\n\nconst float pi = 3.141592653589793;\nconst vec3 X = vec3(1.0, 0.0, 0.0);\nconst vec3 Y = vec3(0.0, 1.0, 0.0);\nconst vec3 Z = vec3(0.0, 0.0, 1.0);\n\n// #donotrun\n\n"...) at opengl/qopenglshaderprogram.cpp:678
#16 0x00007ffff748ce2e in QOpenGLShaderProgram::addShaderFromSourceCode(QFlags<QOpenGLShader::ShaderTypeBit>, char const*) (this=this@entry=0x7fffec005bf0, type=..., source=0x555556b80488 "#version 330 compatibility\n// #donotrun\n\nconst float pi = 3.141592653589793;\nconst vec3 X = vec3(1.0, 0.0, 0.0);\nconst vec3 Y = vec3(0.0, 1.0, 0.0);\nconst vec3 Z = vec3(0.0, 0.0, 1.0);\n\n// #donotrun\n\n"...)
    at opengl/qopenglshaderprogram.cpp:980
#17 0x00007ffff748cf8b in QOpenGLShaderProgram::addShaderFromSourceCode(QFlags<QOpenGLShader::ShaderTypeBit>, QString const&) (this=0x7fffec005bf0, type=..., source=...)
    at ../../include/QtCore/../../src/corelib/tools/qarraydata.h:206
#18 0x00005555555e0acd in Fragmentarium::GUI::DisplayWidget::initFragmentShader() (this=0x5555558e0c00)
    at /home/claude/code/github.com/3Dickulus/FragM/Fragmentarium-Source/Fragmentarium/GUI/DisplayWidget.cpp:439
#19 0x00005555555deeaf in Fragmentarium::GUI::DisplayWidget::setFragmentShader(Fragmentarium::Parser::FragmentSource) (this=0x5555558e0c00, fs=...)
    at /home/claude/code/github.com/3Dickulus/FragM/Fragmentarium-Source/Fragmentarium/GUI/DisplayWidget.cpp:183
#20 0x000055555561b6f2 in Fragmentarium::GUI::MainWindow::initializeFragment() (this=0x555555852650) at /home/claude/code/github.com/3Dickulus/FragM/Fragmentarium-Source/Fragmentarium/GUI/MainWindow.cpp:2239
#21 0x0000555555684895 in Fragmentarium::GUI::MainWindow::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) (_o=0x555555852650, _c=QMetaObject::InvokeMetaMethod, _id=35, _a=0x7fffffffcfd0)
    at /home/claude/code/github.com/3Dickulus/FragM/Fragmentarium-Source/build/Fragmentarium-2.5.0_autogen/S5HU6OSMQS/moc_MainWindow.cpp:456
#22 0x00007ffff6b107cb in QMetaObject::activate(QObject*, int, int, void**) () at /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#23 0x00007ffff7731ef2 in QAction::triggered(bool) () at /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#24 0x00007ffff7734500 in QAction::activate(QAction::ActionEvent) () at /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#25 0x00007ffff781fd2d in  () at /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#26 0x00007ffff781ff65 in QAbstractButton::mouseReleaseEvent(QMouseEvent*) () at /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#27 0x00007ffff7909cba in QToolButton::mouseReleaseEvent(QMouseEvent*) () at /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#28 0x00007ffff77767d8 in QWidget::event(QEvent*) () at /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#29 0x00007ffff7909d63 in QToolButton::event(QEvent*) () at /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#30 0x00007ffff77384a1 in QApplicationPrivate::notify_helper(QObject*, QEvent*) () at /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#31 0x00007ffff773fd28 in QApplication::notify(QObject*, QEvent*) () at /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#32 0x00007ffff6ae7589 in QCoreApplication::notifyInternal2(QObject*, QEvent*) () at /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#33 0x00007ffff773f029 in QApplicationPrivate::sendMouseEvent(QWidget*, QMouseEvent*, QWidget*, QWidget*, QWidget**, QPointer<QWidget>&, bool) () at /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#34 0x00007ffff7791314 in  () at /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#35 0x00007ffff7793e9e in  () at /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#36 0x00007ffff77384a1 in QApplicationPrivate::notify_helper(QObject*, QEvent*) () at /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#37 0x00007ffff773fae0 in QApplication::notify(QObject*, QEvent*) () at /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
---Type <return> to continue, or q <return> to quit---
#38 0x00007ffff6ae7589 in QCoreApplication::notifyInternal2(QObject*, QEvent*) () at /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#39 0x00007ffff716baab in QCoreApplication::sendSpontaneousEvent(QObject*, QEvent*) (event=0x7fffffffd8a0, receiver=0x555555aec440) at ../../include/QtCore/../../src/corelib/kernel/qcoreapplication.h:237
#40 0x00007ffff716baab in QGuiApplicationPrivate::processMouseEvent(QWindowSystemInterfacePrivate::MouseEvent*) (e=0x55555602a370) at kernel/qguiapplication.cpp:2081
#41 0x00007ffff716d9a5 in QGuiApplicationPrivate::processWindowSystemEvent(QWindowSystemInterfacePrivate::WindowSystemEvent*) (e=e@entry=0x55555602a370) at kernel/qguiapplication.cpp:1816
#42 0x00007ffff71480db in QWindowSystemInterface::sendWindowSystemEvents(QFlags<QEventLoop::ProcessEventsFlag>) (flags=...) at kernel/qwindowsysteminterface.cpp:1032
#43 0x00007ffff2830eeb in QPAEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (this=0x5555557ffb90, flags=...) at qeventdispatcher_glib.cpp:70
#44 0x00007ffff6ae625b in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () at /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#45 0x00007ffff6aee3d2 in QCoreApplication::exec() () at /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#46 0x00005555555d35f3 in main(int, char**) (argc=1, argv=0x7fffffffe158) at /home/claude/code/github.com/3Dickulus/FragM/Fragmentarium-Source/Fragmentarium/Main.cpp:199

Comment 1 Danylo 2018-10-19 13:52:11 UTC

It is probably an issue described and fixed in commit https://gitlab.freedesktop.org/mesa/mesa/commit/6f3c7374b11299c21d829db794fad3b756af60fb

The shaders in the tarball require some post-processing so I cannot quickly test it to confirm.

Comment 2 claude 2018-10-19 14:10:57 UTC

I managed to use glslangValidator to debug the issue.  The cause was referencing a non-existent "position" field in struct Ray (the V variable in those functions). Replacing it with the correct field name, "origin", stopped it crashing.  A different struct Surface has a "position" field of type vec3, the same type as the "origin" field of struct Ray.

Comment 3 claude 2018-10-19 14:11:43 UTC

Created attachment 142096 [details]
processed fragment shader than glslangValidator doesn't complain about

Comment 4 GitLab Migration User 2019-09-18 19:46:20 UTC

-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/mesa/mesa/issues/821.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.