| Bug ID | 111167 |
|---|---|
| Summary | Dividing zero by a uniform in loop header causes segfault in nv50_ir::NVC0LegalizeSSA::handleDIV |
| Product | Mesa |
| Version | git |
| Hardware | x86-64 (AMD64) |
| OS | Linux (All) |
| Status | NEW |
| Severity | minor |
| Priority | medium |
| Component | Drivers/DRI/nouveau |
| Assignee | nouveau@lists.freedesktop.org |
| Reporter | abelbriggs1@hotmail.com |
| QA Contact | nouveau@lists.freedesktop.org |
Created attachment 144815 [details] Reproduction shader_test file, core dump of crash The attached archive contains a shader that, on the build and PC specified below, causes a segmentation fault in nouveau when run. A core dump of the crash is supplied as well. void main() { for(int i = 1; 1 >= (0 / int((injectionSwitch.y))); 1) { } } The value of injectionSwitch is set to (0.0, 1.0) - so (0 / int(injectionSwitch.y)) is equivalent to (0 / 1), which should evaluate to zero and make the two conditions equal. Notably, if you remove injectionSwitch and replace it with ‘1’, no segfault occurs. Steps to reproduce: ------------------------------------------------------------------------------- 1. Obtain and build piglit, the Mesa OpenGL test suite runner: https://gitlab.freedesktop.org/mesa/piglit 2. Download the attached archive. 3. From a terminal, execute the supplied test with the piglit GLES3 shader runner: $ bin/shader_runner_gles3 minimum_testcase.shader_test Expected results: ------------------------------------------------------------------------------- The shader should run without crashing (it’s an infinite loop that does nothing, but it still shouldn’t crash). Actual results: ------------------------------------------------------------------------------- The shader causes nouveau to segfault. Here is a backtrace obtained from using GDB on the core dump (exact command: $ gdb shader_runner_gles3 core): #0 std::_Deque_iterator<nv50_ir::ValueRef, nv50_ir::ValueRef&, nv50_ir::ValueRef*>::_Deque_iterator ( __x=<error reading variable: Cannot access memory at address 0xb0>, this=<synthetic pointer>) at /usr/include/c++/8/bits/stl_deque.h:1401 #1 std::_Deque_iterator<nv50_ir::ValueRef, nv50_ir::ValueRef&, nv50_ir::ValueRef*>::operator+ (__n=0, this=0xb0) at /usr/include/c++/8/bits/stl_deque.h:230 #2 std::_Deque_iterator<nv50_ir::ValueRef, nv50_ir::ValueRef&, nv50_ir::ValueRef*>::operator[] (__n=0, this=0xb0) at /usr/include/c++/8/bits/stl_deque.h:247 #3 std::deque<nv50_ir::ValueRef, std::allocator<nv50_ir::ValueRef> >::operator[] (__n=0, this=0xa0) at /usr/include/c++/8/bits/stl_deque.h:1404 #4 nv50_ir::Instruction::getSrc (s=0, this=0x0) at ../src/gallium/drivers/nouveau/codegen/nv50_ir.h:827 #5 nv50_ir::NVC0LegalizeSSA::handleDIV (this=0x7ffd7753af60, i=0x55d2e1b132a0) at ../src/gallium/drivers/nouveau/codegen/nv50_ir_lowering_nvc0.cpp:54 #6 0x00007fc7191cb4b3 in nv50_ir::NVC0LegalizeSSA::visit ( this=0x7ffd7753af60, bb=<optimized out>) at ../src/gallium/drivers/nouveau/codegen/nv50_ir_lowering_nvc0.cpp:334 #7 0x00007fc719111928 in nv50_ir::Pass::doRun (this=0x7ffd7753af60, func=<optimized out>, ordered=<optimized out>, skipPhi=true) at ../src/gallium/drivers/nouveau/codegen/nv50_ir_bb.cpp:500 #8 0x00007fc7191119f4 in nv50_ir::Pass::doRun (this=0x7ffd7753af60, prog=<optimized out>, ordered=false, skipPhi=true) at ../src/gallium/drivers/nouveau/codegen/nv50_ir_inlines.h:413 Build & PC specs: ------------------------------------------------------------------------------- CPU: Intel Core i7-5820k GPU: nVIDIA GTX 970 OS: Ubuntu 19.04 libdrm: git-5db0f7692d1fdf05f9f6c0c02ffa5a5f4379c1f3 Mesa: git-a110a8090d Xf86-video-nouveau: 1.0.16 Linux kernel version: 5.0.0-16-generic This bug was found with GraphicsFuzz: https://github.com/google/graphicsfuzz
You are receiving this mail because:
- You are the assignee for the bug.
- You are the QA Contact for the bug.
_______________________________________________ Nouveau mailing list Nouveau@xxxxxxxxxxxxxxxxxxxxx https://lists.freedesktop.org/mailman/listinfo/nouveau
