[Bug 111218] New: Segmentation fault in nv50_ir::NVC0LegalizeSSA::handleDIV when dividing result of textureSize

[bugzilla-daemon-CC+yJ3UmIYqDUpFQwHEjaQ@public.gmane.org]

[-- Attachment #1.1: Type: text/plain, Size: 5581 bytes --]

https://bugs.freedesktop.org/show_bug.cgi?id=111218

            Bug ID: 111218
           Summary: Segmentation fault in
                    nv50_ir::NVC0LegalizeSSA::handleDIV when dividing
                    result of textureSize
           Product: Mesa
           Version: 19.0
          Hardware: x86-64 (AMD64)
                OS: Linux (All)
            Status: NEW
          Severity: major
          Priority: medium
         Component: Drivers/DRI/nouveau
          Assignee: nouveau-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW@public.gmane.org
          Reporter: mmgrqnv-WjRXt+NQiJIEUmgCuDUIdw@public.gmane.org
        QA Contact: nouveau-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW@public.gmane.org

Created attachment 144869
  --> https://bugs.freedesktop.org/attachment.cgi?id=144869&action=edit
Source of small program and somewhat minimized shaders

Hi!

I was looking into a crash[1] in latest version of Blender, which turned out to
be a crash in the Nouveau shader code generator.
The crash occurs when linking shaders. I traced the crash to the following
lines in the shader code:

  ivec2 cell_co = ivec2(3, 2);
  int cell_per_row = textureSize(irradianceGrid, 0).x / cell_co.x;
  cell_co.x *= cell % cell_per_row;
  cell_co.y *= cell / cell_per_row;

The crash seems to occur when the result of dividing textureSize() value is
later used in division or modulo operations. Replacing the textureSize() call
with a constant avoids the crash. Replacing the division and modulo operations
with simple assignment (but keeping the first division / cell_co.x) also avoids
the crash.
This is the relevant stack trace:

(gdb) bt
#0  nv50_ir::NVC0LegalizeSSA::handleDIV (this=this@entry=0x7fffffffba50,
i=i@entry=0x555555e592c0) at
../src/gallium/drivers/nouveau/codegen/nv50_ir_lowering_nvc0.cpp:54
#1  0x00007ffff2e6b38b in nv50_ir::NVC0LegalizeSSA::visit (this=0x7fffffffba50,
bb=<optimized out>) at
../src/gallium/drivers/nouveau/codegen/nv50_ir_lowering_nvc0.cpp:334
#2  0x00007ffff2dc40d8 in nv50_ir::Pass::doRun (this=this@entry=0x7fffffffba50,
func=<optimized out>, ordered=ordered@entry=false, skipPhi=skipPhi@entry=true)
    at ../src/gallium/drivers/nouveau/codegen/nv50_ir_bb.cpp:495
#3  0x00007ffff2dc41b4 in nv50_ir::Pass::doRun (this=this@entry=0x7fffffffba50,
prog=prog@entry=0x555555e6e9f0, ordered=ordered@entry=false,
skipPhi=skipPhi@entry=true)
    at ../src/gallium/drivers/nouveau/codegen/nv50_ir_bb.cpp:466
#4  0x00007ffff2dc4273 in nv50_ir::Pass::run (this=this@entry=0x7fffffffba50,
prog=prog@entry=0x555555e6e9f0, ordered=ordered@entry=false,
skipPhi=skipPhi@entry=true)
    at ../src/gallium/drivers/nouveau/codegen/nv50_ir_bb.cpp:457
#5  0x00007ffff2e66dd4 in nv50_ir::TargetNVC0::runLegalizePass (this=<optimized
out>, prog=0x555555e6e9f0, stage=<optimized out>) at
../src/gallium/drivers/nouveau/codegen/nv50_ir_lowering_nvc0.cpp:3145
#6  0x00007ffff2dc150f in nv50_ir_generate_code
(info=info@entry=0x555555dcd9f0) at
../src/gallium/drivers/nouveau/codegen/nv50_ir.cpp:1265
#7  0x00007ffff2e0988a in nvc0_program_translate
(prog=prog@entry=0x555555d79fc0, chipset=<optimized out>,
debug=debug@entry=0x5555557a74c8) at
../src/gallium/drivers/nouveau/nvc0/nvc0_program.c:624
#8  0x00007ffff2e1121d in nvc0_sp_state_create (pipe=0x5555557a7100,
cso=0x7fffffffc490, type=1) at
../src/gallium/drivers/nouveau/nvc0/nvc0_state.c:605
#9  0x00007ffff3042963 in st_create_fp_variant (st=<optimized out>,
stfp=stfp@entry=0x555555d74db0, key=key@entry=0x7fffffffc630) at
../src/mesa/state_tracker/st_program.c:1231
#10 0x00007ffff3045253 in st_get_fp_variant (st=<optimized out>,
stfp=0x555555d74db0, key=0x7fffffffc630) at
../src/mesa/state_tracker/st_program.c:1258
#11 0x00007ffff3045a7c in st_precompile_shader_variant
(st=st@entry=0x5555557a4c10, prog=prog@entry=0x555555d74db0) at
../src/mesa/state_tracker/st_program.c:1965
#12 0x00007ffff30ece0b in st_program_string_notify (ctx=<optimized out>,
target=<optimized out>, prog=0x555555d74db0) at
../src/mesa/state_tracker/st_cb_program.c:250
#13 0x00007ffff3112f85 in st_link_shader (ctx=0x55555578aed0,
prog=0x5555557b6fd0) at ../src/mesa/state_tracker/st_glsl_to_tgsi.cpp:7461
#14 0x00007ffff30b5729 in _mesa_glsl_link_shader (ctx=ctx@entry=0x55555578aed0,
prog=prog@entry=0x5555557b6fd0) at ../src/mesa/program/ir_to_mesa.cpp:3174
#15 0x00007ffff3000f8d in link_program (no_error=<optimized out>,
shProg=<optimized out>, ctx=<optimized out>) at
../src/mesa/main/shaderapi.c:1206
#16 link_program_error (ctx=0x55555578aed0, shProg=0x5555557b6fd0) at
../src/mesa/main/shaderapi.c:1286
#17 0x00005555555553f2 in test_compile ()
#18 0x000055555555586b in main ()

I attach a small program along with preprocessed and *somewhat* minimized
shader code that reproduces the problem on my computer. This code crashes 100%
of the time.

To reproduce the crash:
$ gcc -Wall -o shad shad.c -lX11 -lGL -lGLU -lGLEW
$ ./shad s0vert.i s1frag.i s2geom.i
Compilation successful!
Segmentation fault


System information:
Ubuntu 18.04.2 LTS
Linux-4.15.0-55-generic-x86_64
Graphics card: NVIDIA Corporation GF108 [GeForce GT 730] (rev a1)
Graphics card driver: NVC1 nouveau 4.3 (Core Profile) Mesa 19.0.2
Using GNOME under X
libgl1-mesa-dri: 19.0.2-1ubuntu1.1~18.04.2

The original Blender crash report along with full shader source dump can be
found here:
[1] https://developer.blender.org/T67534

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.

[-- Attachment #1.2: Type: text/html, Size: 7304 bytes --]

[-- Attachment #2: Type: text/plain, Size: 153 bytes --]

_______________________________________________
Nouveau mailing list
Nouveau@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/nouveau