From patchwork Fri Jun 29 00:09:54 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: bugzilla-daemon@freedesktop.org X-Patchwork-Id: 10495379 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 1FC35602B3 for ; Fri, 29 Jun 2018 00:10:01 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id EF9E229D79 for ; Fri, 29 Jun 2018 00:10:00 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id E2F5129D99; Fri, 29 Jun 2018 00:10:00 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-3.5 required=2.0 tests=BAYES_00,HTML_MESSAGE, MAILING_LIST_MULTI, RCVD_IN_DNSWL_MED, URIBL_BLACK autolearn=ham version=3.3.1 Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 7E3A129D79 for ; Fri, 29 Jun 2018 00:09:58 +0000 (UTC) Received: from gabe.freedesktop.org (localhost [127.0.0.1]) by gabe.freedesktop.org (Postfix) with ESMTP id 1941E6EEE3; Fri, 29 Jun 2018 00:09:56 +0000 (UTC) X-Original-To: dri-devel@lists.freedesktop.org Delivered-To: dri-devel@lists.freedesktop.org Received: from culpepper.freedesktop.org (culpepper.freedesktop.org [131.252.210.165]) by gabe.freedesktop.org (Postfix) with ESMTP id CE0B36E09C for ; Fri, 29 Jun 2018 00:09:54 +0000 (UTC) Received: by culpepper.freedesktop.org (Postfix, from userid 33) id 98D2672139; Fri, 29 Jun 2018 00:09:54 +0000 (UTC) From: bugzilla-daemon@freedesktop.org To: dri-devel@lists.freedesktop.org Subject: [Bug 106928] When starting a match Rocket League crashes on "Go" Date: Fri, 29 Jun 2018 00:09:54 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Mesa X-Bugzilla-Component: Drivers/Gallium/r600 X-Bugzilla-Version: 18.0 X-Bugzilla-Keywords: X-Bugzilla-Severity: normal X-Bugzilla-Who: sroland@vmware.com X-Bugzilla-Status: NEW X-Bugzilla-Resolution: X-Bugzilla-Priority: medium X-Bugzilla-Assigned-To: dri-devel@lists.freedesktop.org X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: Message-ID: In-Reply-To: References: X-Bugzilla-URL: http://bugs.freedesktop.org/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-BeenThere: dri-devel@lists.freedesktop.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Direct Rendering Infrastructure - Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dri-devel-bounces@lists.freedesktop.org Sender: "dri-devel" X-Virus-Scanned: ClamAV using ClamSMTP https://bugs.freedesktop.org/show_bug.cgi?id=106928 --- Comment #9 from Roland Scheidegger --- (In reply to ubizjak from comment #7) > Please configure the build with: > > CXXFLAGS="-Wp,-D_GLIBCXX_ASSERTIONS" ./autogen.sh That didn't do anything neither. However I figured out the problem more or less in the code, and some googling said that using -D_GLIBCXX_DEBUG should make it trigger reliably, and indeed it does... The issue is that (you already showed that actually) src = std::vector of length 2, capacity 3 = {0x7f94d905d110, 0x7f94d905cf70}} And trying to access element src[2]. There's an early exit in the function if src.size() is < 3. Since this didn't hit, apparently fold_assoc() resized the vector. And indeed it can do that (there's an explicit n->src.resize(2) somewhere, and it would still return false in this case). I think something like this should do: But I'm not entirely convinced it's really the right thing to do (maybe what fold_assoc() did isn't quite what it's supposed to do?). It fixes the particular fold_alu_op3 crash for me, but the shader (not sure it's actually the same one) crashes later anyway: /usr/include/c++/4.8/debug/safe_iterator.h:225: Error: attempt to copy from a singular iterator. Objects involved in the operation: iterator "this" @ 0x0x7ffff3c71e80 { type = Thread 1 "glretrace" received signal SIGSEGV, Segmentation fault. ... #3 0x00007ffff36538cb in __gnu_debug::_Safe_iterator<__gnu_cxx::__normal_iterator > >, std::__debug::vector > >::operator= (this=0x7fffffffb840, __x=) at /usr/include/c++/4.8/debug/safe_iterator.h:221 #4 0x00007ffff365376d in std::reverse_iterator<__gnu_debug::_Safe_iterator<__gnu_cxx::__normal_iterator > >, std::__debug::vector > > >::operator= (this=0x7fffffffb840) at /usr/include/c++/4.8/bits/stl_iterator.h:96 #5 r600_sb::if_conversion::run (this=0x7fffffffbee0) at sb/sb_if_conversion.cpp:46 #6 0x00007ffff3632765 in r600_sb_bytecode_process (rctx=0x10e4660, bc=0x1980bf0, pshader=0x1980be8, dump_bytecode=1, optimize=1) at sb/sb_core.cpp:195 I don't know though if that's just due to the D_GLIBCXX_DEBUG thing or it will also cause crashes without it in some other libstdc++ versions... (in any case, it probably should be fixed, but this code isn't my area of expertise). diff --git a/src/gallium/drivers/r600/sb/sb_expr.cpp b/src/gallium/drivers/r600/sb/sb_expr.cpp index 1df78da660..c77b9f2d7d 100644 --- a/src/gallium/drivers/r600/sb/sb_expr.cpp +++ b/src/gallium/drivers/r600/sb/sb_expr.cpp @@ -945,6 +945,8 @@ bool expr_handler::fold_alu_op3(alu_node& n) { if (!sh.safe_math && (n.bc.op_ptr->flags & AF_M_ASSOC)) { if (fold_assoc(&n)) return true; + else if (n.src.size() < 3) + return fold_alu_op2(n); } value* v0 = n.src[0]->gvalue();