Created attachment 53059 [details] Test case for Firefox using llvmpipe as WebGL renderer Using the llvmpipe software renderer for WebGL in Firefox, the attached html testcase crashes: ir_swizzle @ 0x2e8f0a0 specifies a channel not present in the value. (swiz z (var_ref uni) ) Program received signal SIGABRT, Aborted. 0x00007ffff6eb8d05 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64 64 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory. in ../nptl/sysdeps/unix/sysv/linux/raise.c (gdb) bt #0 0x00007ffff6eb8d05 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64 #1 0x00007ffff6ebcab6 in abort () at abort.c:92 #2 0x00007fffd481cb27 in ir_validate::visit_leave (this=0x7fffffff8db0, ir=0x2e8f0a0) at src/glsl/ir_validate.cpp:457 #3 0x00007fffd4819f4c in ir_swizzle::accept (this=0x2e8f0a0, v=0x7fffffff8db0) at src/glsl/ir_hv_accept.cpp:233 #4 0x00007fffd4819b23 in ir_expression::accept (this=0x2e82e90, v=0x7fffffff8db0) at src/glsl/ir_hv_accept.cpp:146 #5 0x00007fffd481a1f0 in ir_assignment::accept (this=0x2e831f0, v=0x7fffffff8db0) at src/glsl/ir_hv_accept.cpp:292 #6 0x00007fffd4819730 in visit_list_elements (v=0x7fffffff8db0, l=0x31822c0) at src/glsl/ir_hv_accept.cpp:48 #7 0x00007fffd48199dd in ir_function_signature::accept (this=0x3182270, v=0x7fffffff8db0) at src/glsl/ir_hv_accept.cpp:120 #8 0x00007fffd4819730 in visit_list_elements (v=0x7fffffff8db0, l=0x300a310) at src/glsl/ir_hv_accept.cpp:48 #9 0x00007fffd4819a6c in ir_function::accept (this=0x300a2e0, v=0x7fffffff8db0) at src/glsl/ir_hv_accept.cpp:132 #10 0x00007fffd4819730 in visit_list_elements (v=0x7fffffff8db0, l=0x2dccac0) at src/glsl/ir_hv_accept.cpp:48 #11 0x00007fffd4819663 in ir_hierarchical_visitor::run (this=0x7fffffff8db0, instructions=0x2dccac0) at src/glsl/ir_hierarchical_visitor.cpp:282 #12 0x00007fffd481ce97 in validate_ir_tree (instructions=0x2dccac0) at src/glsl/ir_validate.cpp:570 #13 0x00007fffd46ef455 in _mesa_glsl_compile_shader (ctx=0x2ca9c70, shader=0x2dc55a0) at src/mesa/program/ir_to_mesa.cpp:3208 #14 0x00007fffd46b87ae in compile_shader (ctx=0x2ca9c70, shaderObj=1) at src/mesa/main/shaderapi.c:848 #15 0x00007fffd46b9188 in _mesa_CompileShaderARB (shaderObj=1) at src/mesa/main/shaderapi.c:1188 #16 0x00007ffff2c26c42 in mozilla::gl::GLContext::fCompileShader (this=0x2ce3c90, shader=1) at ../../../dist/include/GLContext.h:2261 #17 0x00007ffff2c3c06a in mozilla::WebGLContext::CompileShader (this=0x29c5390, sobj=0x2dc56a0) The test is similar to my previously reported bug (bug 42516) but the crash is different, so I can't really tell if the underlying issue is the same. Version information from glxinfo: OpenGL vendor string: VMware, Inc. OpenGL renderer string: Gallium 0.4 on llvmpipe OpenGL version string: 2.1 Mesa 7.11 OpenGL shading language version string: 1.20 If you need the full output, let me know.
Look to be a GLSL compiler issue. Assigning it to the glsl-compiler component. mesa-7.11/src/glsl/ir_validate.cpp 447 ir_visitor_status 448 ir_validate::visit_leave(ir_swizzle *ir) 449 { 450 int chans[4] = {ir->mask.x, ir->mask.y, ir->mask.z, ir->mask.w}; 451 452 for (unsigned int i = 0; i < ir->type->vector_elements; i++) { 453 if (chans[i] >= ir->val->type->vector_elements) { 454 printf("ir_swizzle @ %p specifies a channel not present " 455 "in the value.\n", (void *) ir); 456 ir->print(); 457 abort(); 458 } 459 } 460 461 return visit_continue; 462 }
It was initially really hard to look at this bug. The attachment was set as HTML, so it tried to render when I viewed it... and crashed. :p Looking at the shader: #define NUM_UNIFORMS 16 // See spec varying vec2 uni; void main() { vec4 c = vec4(0,0,0,0); for (int ii = 0; ii < NUM_UNIFORMS; ++ii) { c += uni[ii]; } } my guess is that the loop is unrolled, and something like 'c += uni[15];' is generated. Since uni is a vec2 and not an array, this is invalid. I'll have to poke at the spec because I'm not sure what we're supposed to do. I know that if the shader text contains 'c += uni[15];' we're supposed to generate a compilation error. I'm not sure what we're supposed to do if we can determine an out-of-bounds access would occur. I suspect this is one of the "undefined behavior" scenarios.
I've posted a patch to the mesa-dev mailing list that should fix this problem. Could you test it? http://lists.freedesktop.org/archives/mesa-dev/2011-November/014217.html
(In reply to comment #3) > I've posted a patch to the mesa-dev mailing list that should fix this problem. > Could you test it? > > http://lists.freedesktop.org/archives/mesa-dev/2011-November/014217.html I can confirm that this patch fixes the crash :) Thanks!
This bug is now fixed on master by the commit below. I will close the bug once the fix is cherry picked to the 7.11 branch. commit 6f5c73797087c6e7842665f84e41caedea59bb65 Author: Ian Romanick <ian.d.romanick@intel.com> Date: Mon Nov 7 10:58:00 2011 -0800 glsl: Clamp vector indices when lowering to swizzles This prevents other code from seeing a swizzle of the 16th component of a vector, for example. NOTE: This is a candidate for the 7.11 branch. Signed-off-by: Ian Romanick <ian.d.romanick@intel.com> Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=42517 Reviewed-by: Kenneth Graunke <kenneth@whitecape.org> Reviewed-by: Paul Berry <stereotype441@gmail.com> Tested-by: Christian Holler <choller@mozilla.com>
I´am sorry to say that this bug seems not to be fixed. Got this error while running the game Ryzom with the latest mesa trunk (7.12-devel (git-b618e78)) ir_swizzle @ 0xe9abf80 specifies a channel not present in the value. (swiz w (constant float (0.000000)) ) Version from glxinfo: OpenGL renderer string: Gallium 0.4 on AMD BARTS OpenGL version string: 2.1 Mesa 7.12-devel (git-b618e78) Her is the backtrace: Core was generated by `/usr/games/ryzom_client'. Program terminated with signal 6, Aborted. #0 0x00007fe3ecf25405 in raise () from /lib/x86_64-linux-gnu/libc.so.6 (gdb) bt #0 0x00007fe3ecf25405 in raise () from /lib/x86_64-linux-gnu/libc.so.6 #1 0x00007fe3ecf28680 in abort () from /lib/x86_64-linux-gnu/libc.so.6 #2 0x00007fe3e4a33084 in ir_validate::visit_leave(ir_swizzle*) () from /opt/mesa/lib/x86_64-linux-gnu/dri/r600_dri.so #3 0x00007fe3e4a2cf78 in ir_expression::accept(ir_hierarchical_visitor*) () from /opt/mesa/lib/x86_64-linux-gnu/dri/r600_dri.so #4 0x00007fe3e4a2cf78 in ir_expression::accept(ir_hierarchical_visitor*) () from /opt/mesa/lib/x86_64-linux-gnu/dri/r600_dri.so #5 0x00007fe3e4a2cf78 in ir_expression::accept(ir_hierarchical_visitor*) () from /opt/mesa/lib/x86_64-linux-gnu/dri/r600_dri.so #6 0x00007fe3e4a2d17d in ir_swizzle::accept(ir_hierarchical_visitor*) () from /opt/mesa/lib/x86_64-linux-gnu/dri/r600_dri.so #7 0x00007fe3e4a2d17d in ir_swizzle::accept(ir_hierarchical_visitor*) () from /opt/mesa/lib/x86_64-linux-gnu/dri/r600_dri.so #8 0x00007fe3e4a2cf78 in ir_expression::accept(ir_hierarchical_visitor*) () from /opt/mesa/lib/x86_64-linux-gnu/dri/r600_dri.so #9 0x00007fe3e4a2cf78 in ir_expression::accept(ir_hierarchical_visitor*) () from /opt/mesa/lib/x86_64-linux-gnu/dri/r600_dri.so #10 0x00007fe3e4a2d37e in ir_assignment::accept(ir_hierarchical_visitor*) () from /opt/mesa/lib/x86_64-linux-gnu/dri/r600_dri.so #11 0x00007fe3e4a2ce20 in ir_function_signature::accept(ir_hierarchical_visitor*) () from /opt/mesa/lib/x86_64-linux-gnu/dri/r600_dri.so #12 0x00007fe3e4a2ced4 in ir_function::accept(ir_hierarchical_visitor*) () from /opt/mesa/lib/x86_64-linux-gnu/dri/r600_dri.so #13 0x00007fe3e4a2cc00 in visit_list_elements(ir_hierarchical_visitor*, exec_list*, bool) () from /opt/mesa/lib/x86_64-linux-gnu/dri/r600_dri.so #14 0x00007fe3e4a335fa in validate_ir_tree(exec_list*) () from /opt/mesa/lib/x86_64-linux-gnu/dri/r600_dri.so #15 0x00007fe3e49d50b8 in _mesa_get_fixed_func_fragment_program () from /opt/mesa/lib/x86_64-linux-gnu/dri/r600_dri.so #16 0x00007fe3e4951370 in update_program (ctx=0x3c037d0) at main/state.c:263 #17 _mesa_update_state_locked (ctx=0x3c037d0) at main/state.c:676 ---Type <return> to continue, or q <return> to quit--- #18 0x00007fe3e495241f in _mesa_update_state (ctx=0x3c037d0) at main/state.c:709 #19 0x00007fe3e48b3039 in _mesa_valid_to_render (ctx=0x3c037d0, where=<optimized out>) at main/context.c:1723 #20 0x00007fe3e4a50737 in check_valid_to_render (ctx=0x3c037d0, function=<optimized out>) at main/api_validate.c:105 #21 0x00007fe3e4a515d2 in _mesa_validate_DrawElements (ctx=0x3c037d0, mode=<optimized out>, count=900, type=5123, indices=0x7fe3cf01e2e0, basevertex=<optimized out>) at main/api_validate.c:253 #22 0x00007fe3e49a7a22 in vbo_exec_DrawElements (mode=4, count=900, type=5123, indices=0x7fe3cf01e2e0) at vbo/vbo_exec_array.c:1010 #23 0x00007fe3e6370381 in NL3D::CDriverGL::renderTriangles(NL3D::CMaterial&, unsigned int, unsigned int) () from /usr/lib/nel/libnel_drv_opengl.so #24 0x00007fe3ef89db27 in NL3D::CMeshMRMSkinnedGeom::renderSkinGroupSpecularRdrPass(NL3D::CMeshMRMSkinnedInstance*, unsigned int) () from /usr/lib/libnel3d.so.0 #25 0x00007fe3efa805cf in NL3D::CSkeletonModel::renderSkinList(NLMISC::CObjectVector<NL3D::CTransform*, false>&, float) () from /usr/lib/libnel3d.so.0 #26 0x00007fe3efa80a66 in NL3D::CSkeletonModel::renderSkins() () from /usr/lib/libnel3d.so.0 #27 0x00007fe3efa80c25 in NL3D::CSkeletonModel::traverseRender() () from /usr/lib/libnel3d.so.0 #28 0x00007fe3ef6f8ae1 in NL3D::CRenderTrav::traverse(NL3D::UScene::TRenderPart, bool) () from /usr/lib/libnel3d.so.0 #29 0x00007fe3ef869bc2 in NL3D::CScene::renderPart(NL3D::UScene::TRenderPart, bool) () from /usr/lib/libnel3d.so.0 #30 0x00007fe3ef86b7a9 in NL3D::CScene::render(bool) () from /usr/lib/libnel3d.so.0 #31 0x00007fe3ef9d93ce in NL3D::CSceneUser::render(bool, bool) () from /usr/lib/libnel3d.so.0 #32 0x00000000009fcbe8 in CInterface3DScene::draw() () #33 0x0000000000a6d6f6 in CInterfaceGroup::draw() () #34 0x0000000000bb7388 in CInterfaceManager::drawViews(NL3D::UCamera) () #35 0x0000000000bb78e7 in CInterfaceManager::updateFrameViews(NL3D::UCamera) () #36 0x00000000006bd407 in globalMenu() () #37 0x00000000006bf410 in connection(std::string const&, std::string const&) () #38 0x000000000064de65 in main ()
(In reply to comment #6) > I´am sorry to say that this bug seems not to be fixed. Got this error while > running the game Ryzom with the latest mesa trunk (7.12-devel (git-b618e78)) > > ir_swizzle @ 0xe9abf80 specifies a channel not present in the value. > (swiz w (constant float (0.000000)) ) > > Version from glxinfo: > > OpenGL renderer string: Gallium 0.4 on AMD BARTS > OpenGL version string: 2.1 Mesa 7.12-devel (git-b618e78) > > Her is the backtrace: > > Core was generated by `/usr/games/ryzom_client'. > Program terminated with signal 6, Aborted. > #0 0x00007fe3ecf25405 in raise () from /lib/x86_64-linux-gnu/libc.so.6 > (gdb) bt > #0 0x00007fe3ecf25405 in raise () from /lib/x86_64-linux-gnu/libc.so.6 > #1 0x00007fe3ecf28680 in abort () from /lib/x86_64-linux-gnu/libc.so.6 > #2 0x00007fe3e4a33084 in ir_validate::visit_leave(ir_swizzle*) () > from /opt/mesa/lib/x86_64-linux-gnu/dri/r600_dri.so > #3 0x00007fe3e4a2cf78 in ir_expression::accept(ir_hierarchical_visitor*) () > from /opt/mesa/lib/x86_64-linux-gnu/dri/r600_dri.so > #4 0x00007fe3e4a2cf78 in ir_expression::accept(ir_hierarchical_visitor*) () > from /opt/mesa/lib/x86_64-linux-gnu/dri/r600_dri.so > #5 0x00007fe3e4a2cf78 in ir_expression::accept(ir_hierarchical_visitor*) () > from /opt/mesa/lib/x86_64-linux-gnu/dri/r600_dri.so > #6 0x00007fe3e4a2d17d in ir_swizzle::accept(ir_hierarchical_visitor*) () > from /opt/mesa/lib/x86_64-linux-gnu/dri/r600_dri.so > #7 0x00007fe3e4a2d17d in ir_swizzle::accept(ir_hierarchical_visitor*) () > from /opt/mesa/lib/x86_64-linux-gnu/dri/r600_dri.so > #8 0x00007fe3e4a2cf78 in ir_expression::accept(ir_hierarchical_visitor*) () > from /opt/mesa/lib/x86_64-linux-gnu/dri/r600_dri.so > #9 0x00007fe3e4a2cf78 in ir_expression::accept(ir_hierarchical_visitor*) () > from /opt/mesa/lib/x86_64-linux-gnu/dri/r600_dri.so > #10 0x00007fe3e4a2d37e in ir_assignment::accept(ir_hierarchical_visitor*) () > from /opt/mesa/lib/x86_64-linux-gnu/dri/r600_dri.so > #11 0x00007fe3e4a2ce20 in > ir_function_signature::accept(ir_hierarchical_visitor*) () > from /opt/mesa/lib/x86_64-linux-gnu/dri/r600_dri.so > #12 0x00007fe3e4a2ced4 in ir_function::accept(ir_hierarchical_visitor*) () > from /opt/mesa/lib/x86_64-linux-gnu/dri/r600_dri.so If you're still able to reproduce this bug, could you 'up' to this point in the stack frame and 'call ir->print()' and attach the results? Based on the rest of the stack frame, this is coming from a shader generated from fixed-function state, so the usual shader dump technique won't work. > #13 0x00007fe3e4a2cc00 in visit_list_elements(ir_hierarchical_visitor*, > exec_list*, bool) () > from /opt/mesa/lib/x86_64-linux-gnu/dri/r600_dri.so > #14 0x00007fe3e4a335fa in validate_ir_tree(exec_list*) () > from /opt/mesa/lib/x86_64-linux-gnu/dri/r600_dri.so > #15 0x00007fe3e49d50b8 in _mesa_get_fixed_func_fragment_program () > from /opt/mesa/lib/x86_64-linux-gnu/dri/r600_dri.so
Does this patch help? http://lists.freedesktop.org/archives/mesa-dev/2011-December/016401.html
I've committed the new patch and cherry-picked the old patch to 7.11. The new patch only affects code that does not exist in 7.11. I'm also closing the bug. If the problem still occurs, please open a new bug.
Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.