Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

V3d 21.3 #3

Open
wants to merge 7 commits into
base: v3d-21.3
Choose a base branch
from
Open

Conversation

EinarArnason
Copy link

No description provided.

peyo-hd and others added 6 commits January 20, 2022 15:12
Change-Id: Ib054804437aa4606abb3eba99b940b8e52961d59
Future integration with minigbm require this library in a Soong
Blueprint format.

Starting from Android S 'libgbm' module name is occupied by minigbm
and used by other ChromeOS components. Using 'libgbm_mesa' name was
suggested by Google instead.

Signed-off-by: Roman Stratiienko <r.stratiienko@gmail.com>
KonstaT pushed a commit to lineage-rpi/android_external_mesa3d that referenced this pull request Feb 11, 2022
Commit 17e62a3 made _mesa_make_current
begin calling ctx->Driver.Flush() in more cases, including when called
during context destruction, after _mesa_free_context_data has set
ctx->DrawBuffer to NULL.  i965's flush hook wasn't prepared for this,
and assumed that ctx->DrawBuffer was non-NULL.  This led to a crash
with the following backtrace:

 #0 0x00007ffff5bf97b5 in _mesa_is_winsys_fbo (fb=0x0)
    at ../../src/mesa/main/fbobject.h:52
 android-rpi#1 0x00007ffff5bfa359 in brw_flush_front (ctx=0x5555555a4110)
    at ../../src/mesa/drivers/dri/i965/brw_context.c:242
 android-rpi#2 0x00007ffff5bfa587 in brw_glFlush (ctx=0x5555555a4110,
    gallium_flush_flags=0) at ../../src/mesa/drivers/dri/i965/brw_context.c:301
 android-rpi#3 0x00007ffff5d46b2b in _mesa_make_current (newCtx=0x0, drawBuffer=0x0,
    readBuffer=0x0) at ../../src/mesa/main/context.c:1616
 #4 0x00007ffff5d46484 in _mesa_free_context_data (ctx=0x5555555a4110,
    destroy_debug_output=true) at ../../src/mesa/main/context.c:1309
 #5 0x00007ffff5bfcb59 in brw_destroy_context (driContextPriv=0x555555590260)
    at ../../src/mesa/drivers/dri/i965/brw_context.c:1301

There is really no point in worrying about front buffer flushing during
the context's destruction when we've already discarded the drawbuffer,
so just add a NULL check in brw_flush_front and skip that work.

Fixes: 17e62a3 ("mesa: (correctly) flush more in _mesa_make_current")
Closes: https://gitlab.freedesktop.org/mesa/mesa/-/issues/5957
Reviewed-by: Adam Jackson <ajax@redhat.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/14828>
peyo-hd pushed a commit to peyo-hd/external_mesa3d that referenced this pull request Sep 15, 2022
This avoids u_blitter recursion:

 #0  util_blitter_set_running_flag
 android-rpi#1  util_blitter_custom_color
 android-rpi#2  si_blit_decompress_color
 android-rpi#3  si_decompress_dcc
 #4  si_texture_disable_dcc
 #5  si_update_ps_colorbuf0_slot
 #6  si_bind_ps_shader
 #7  util_blitter_restore_fragment_states
 #8  util_blitter_custom_color
 #9  si_blit_decompress_color
 #10 si_decompress_dcc
 #11 si_sdma_copy_image
 #12 si_blit

cc: mesa-stable

Reviewed-by: Marek Olšák <marek.olsak@amd.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/16962>
(cherry picked from commit 3d37291)

Conflicts:
	src/gallium/drivers/radeonsi/si_blit.c
peyo-hd pushed a commit to peyo-hd/external_mesa3d that referenced this pull request Feb 14, 2023
Direct leak of 16 byte(s) in 1 object(s) allocated from:
    #0 0x7fb6224340 in calloc (/usr/lib64/libasan.so.6.0.0+0xa4340)
    android-rpi#1 0x7facfdd5a0 in u_transfer_helper_create ../src/gallium/auxiliary/util/u_transfer_helper.c:580
    android-rpi#2 0x7facf2e09c in lima_resource_screen_init ../src/gallium/drivers/lima/lima_resource.c:935
    android-rpi#3 0x7facf23af4 in lima_screen_create ../src/gallium/drivers/lima/lima_screen.c:746
    #4 0x7fac83ed30 in kmsro_drm_screen_create ../src/gallium/winsys/kmsro/drm/kmsro_drm_winsys.c:124

Signed-off-by: Patrick Lerda <patrick9876@free.fr>
Reviewed-by: Erico Nunes <nunes.erico@gmail.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/20764>
peyo-hd pushed a commit to peyo-hd/external_mesa3d that referenced this pull request Feb 14, 2023
This change requires the %destructor directive which is supported
by bison or yacc, yacc needs to be compiled with the back-tracking
functionality.

This issue could be checked with the following piglit programs:
glsl-invalid-asm-01, glsl-invalid-asm-02 or vp-bad-program

Direct leak of 5 byte(s) in 1 object(s) allocated from:
    #0 0x7f8dc89050 in __interceptor_strdup (/usr/lib64/libasan.so.6+0x59050)
    android-rpi#1 0x7f83791cbc in handle_ident ../src/mesa/program/program_lexer.l:129
    android-rpi#2 0x7f83791cbc in _mesa_program_lexer_lex ../src/mesa/program/program_lexer.l:312
    android-rpi#3 0x7f8377e8d8 in yylex ../src/mesa/program/program_parse.y:289
    #4 0x7f8377e8d8 in yyparse src/mesa/program/program_parse.tab.c:2124
    #5 0x7f83788c14 in _mesa_parse_arb_program ../src/mesa/program/program_parse.y:2584
    #6 0x7f8377371c in _mesa_parse_arb_fragment_program ../src/mesa/program/arbprogparse.c:82
    #7 0x7f8372d42c in set_program_string ../src/mesa/main/arbprogram.c:402

Signed-off-by: Patrick Lerda <patrick9876@free.fr>
Acked-by: Marek Olšák <marek.olsak@amd.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/21150>
peyo-hd pushed a commit to peyo-hd/external_mesa3d that referenced this pull request Mar 24, 2023
This invalid memory access is a consequence of wrong assumptions,
for instance:
"prog->sh.data is NULL if it's ARB_fragment_program"

This issue is triggered with piglit/fp-formats -auto -fbo:
==9747==ERROR: AddressSanitizer: heap-use-after-free on address 0x007f7c812d90 at pc 0x007f833c09f8 bp 0x007fd7eca750 sp 0x007fd7eca768
READ of size 4 at 0x007f7c812d90 thread T0
    #0 0x7f833c09f4 in st_get_sampler_views ../src/mesa/state_tracker/st_atom_texture.c:109
    android-rpi#1 0x7f833c0b48 in update_textures ../src/mesa/state_tracker/st_atom_texture.c:266
    android-rpi#2 0x7f82b2d120 in st_validate_state ../src/mesa/state_tracker/st_util.h:128
    android-rpi#3 0x7f82b2d120 in prepare_draw ../src/mesa/state_tracker/st_draw.c:88
    #4 0x7f82b2de64 in st_draw_gallium ../src/mesa/state_tracker/st_draw.c:141
    #5 0x7f83105940 in _mesa_draw_arrays ../src/mesa/main/draw.c:1202
    #6 0x7f8d5fa5cc in piglit_draw_rect_from_arrays piglit/tests/util/piglit-util-gl.c:711
    #7 0x7f8d5fac34 in piglit_draw_rect_custom piglit/tests/util/piglit-util-gl.c:833
    #8 0x4019e0 in piglit_display piglit/tests/shaders/fp-formats.c:67
    #9 0x7f8d643fc4 in run_test piglit/tests/util/piglit-framework-gl/piglit_fbo_framework.c:52
    #10 0x401624 in main piglit/tests/shaders/fp-formats.c:39

Signed-off-by: Patrick Lerda <patrick9876@free.fr>
Reviewed-by: Marek Olšák <marek.olsak@amd.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/21175>
KonstaT pushed a commit to lineage-rpi/android_external_mesa3d that referenced this pull request May 26, 2023
This change is inspired from iris_destroy_context().

For instance, this issue is triggered with
"piglit/bin/glsl-1.50-gs-max-output -scan 1 20 -auto -fbo":
Direct leak of 320 byte(s) in 2 object(s) allocated from:
    #0 0x7f34fc769987 in calloc (/usr/lib64/libasan.so.6+0xb1987)
    android-rpi#1 0x7f34f4fa168a in bo_calloc ../src/gallium/drivers/crocus/crocus_bufmgr.c:288
    android-rpi#2 0x7f34f4fa168a in alloc_fresh_bo ../src/gallium/drivers/crocus/crocus_bufmgr.c:350
    android-rpi#3 0x7f34f4fa168a in bo_alloc_internal ../src/gallium/drivers/crocus/crocus_bufmgr.c:419
    #4 0x7f34f4fe50a9 in crocus_get_scratch_space ../src/gallium/drivers/crocus/crocus_program.c:2678
    #5 0x7f34f55e8954 in crocus_upload_dirty_render_state ../src/gallium/drivers/crocus/crocus_state.c:6871
    #6 0x7f34f55e8954 in crocus_upload_render_state ../src/gallium/drivers/crocus/crocus_state.c:7812
    #7 0x7f34f5d9f680 in crocus_simple_draw_vbo ../src/gallium/drivers/crocus/crocus_draw.c:332
    #8 0x7f34f5d9f680 in crocus_draw_vbo ../src/gallium/drivers/crocus/crocus_draw.c:438
    #9 0x7f34f1d2eeba in tc_call_draw_single ../src/gallium/auxiliary/util/u_threaded_context.c:3735
    #10 0x7f34f1d12e03 in batch_execute ../src/gallium/auxiliary/util/u_threaded_context.c:394
    #11 0x7f34f1d12e03 in tc_batch_execute ../src/gallium/auxiliary/util/u_threaded_context.c:445
    #12 0x7f34f1d22c9a in _tc_sync ../src/gallium/auxiliary/util/u_threaded_context.c:680
    #13 0x7f34f1d238f8 in tc_texture_map ../src/gallium/auxiliary/util/u_threaded_context.c:2754
    #14 0x7f34f120b9d9 in pipe_texture_map_3d ../src/gallium/auxiliary/util/u_inlines.h:579
    #15 0x7f34f120b9d9 in st_ReadPixels ../src/mesa/state_tracker/st_cb_readpixels.c:530
    #16 0x7f34f10d7355 in read_pixels ../src/mesa/main/readpix.c:1178
    #17 0x7f34f10d7355 in _mesa_ReadnPixelsARB ../src/mesa/main/readpix.c:1195
    #18 0x7f34f10d7e10 in _mesa_ReadPixels ../src/mesa/main/readpix.c:1210

Fixes: f363054 ("f3630548f1da crocus: initial gallium driver for Intel gfx 4-7")
Signed-off-by: Patrick Lerda <patrick9876@free.fr>
Reviewed-by: Filip Gawin <filip.gawin@collabora.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/23019>
(cherry picked from commit 6ee0bba)
KonstaT pushed a commit to lineage-rpi/android_external_mesa3d that referenced this pull request Jun 12, 2023
For instance, this is triggered with "piglit/bin/ext_direct_state_access-named-program -auto -fbo":
==5695==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x606000050031 at pc 0x7f78dfca8d46 bp 0x7ffd9043b4a0 sp 0x7ffd9043ac50
READ of size 50 at 0x606000050031 thread T0
    #0 0x7f78dfca8d45  (/usr/lib64/libasan.so.6+0x3fd45)
    android-rpi#1 0x7f78d450b18f in set_program_string ../src/mesa/main/arbprogram.c:385
    android-rpi#2 0x7f78d3fdbd3e in execute_list ../src/mesa/main/dlist.c:13025
    android-rpi#3 0x7f78d40c2564 in _mesa_CallList ../src/mesa/main/dlist.c:13451
    #4 0x7f78d42f380a in _mesa_unmarshal_CallList ../src/mesa/main/glthread_list.c:43
    #5 0x7f78d38e85c5 in glthread_unmarshal_batch ../src/mesa/main/glthread.c:122
    #6 0x7f78d38ea20d in _mesa_glthread_finish ../src/mesa/main/glthread.c:382
    #7 0x7f78d38ea20d in _mesa_glthread_finish ../src/mesa/main/glthread.c:347
    #8 0x7f78d3d73f69 in _mesa_marshal_IsProgramARB src/mapi/glapi/gen/marshal_generated2.c:4256

Fixes: 0b196b4 ("mesa: don't compute the same SHA1 twice in glShaderSource")
Signed-off-by: Patrick Lerda <patrick9876@free.fr>
Reviewed-by: Marek Olšák <marek.olsak@amd.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/23295>
(cherry picked from commit 44b960a)
KonstaT pushed a commit to lineage-rpi/android_external_mesa3d that referenced this pull request Jun 12, 2023
The previous implementation was copying the data using the
aligned length (size_dw). The aligned length could overflow
the original buffer size.

For instance, this issue is triggered with "piglit/bin/draw-batch -auto -fbo":
==5736==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff139c77e8 at pc 0x7f25b350a9a0 bp 0x7fff139c6cb0 sp 0x7fff139c6460
READ of size 8 at 0x7fff139c77e8 thread T0
    #0 0x7f25b350a99f in __interceptor_memcpy (/usr/lib64/libasan.so.6+0x3c99f)
    android-rpi#1 0x7f25a8fcdf24 in radeon_emit_array ../src/gallium/include/winsys/radeon_winsys.h:760
    android-rpi#2 0x7f25a8fcdf24 in r600_draw_vbo ../src/gallium/drivers/r600/r600_state_common.c:2448
    android-rpi#3 0x7f25a8ae7ba1 in u_vbuf_draw_vbo ../src/gallium/auxiliary/util/u_vbuf.c:1791
    #4 0x7f25a7bc18ca in _mesa_validated_drawrangeelements ../src/mesa/main/draw.c:1696
    #5 0x7f25a7bc7e53 in _mesa_DrawElements ../src/mesa/main/draw.c:1824

Fixes: 0cf5d1f ("gallium: remove PIPE_CAP_INFO_START_WITH_USER_INDICES and fix all drivers")
Signed-off-by: Patrick Lerda <patrick9876@free.fr>
Reviewed-by: Marek Olšák <marek.olsak@amd.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/23436>
(cherry picked from commit 340311d)
KonstaT pushed a commit to lineage-rpi/android_external_mesa3d that referenced this pull request Jun 28, 2023
Indeed, this function was not processing the linked
allocated list.

For instance, this issue is triggered with "piglit/bin/hiz-depth-read-fbo-d24-s0 -auto":
Indirect leak of 40 byte(s) in 1 object(s) allocated from:
    #0 0x7f6795638987 in calloc (/usr/lib64/libasan.so.6+0xb1987)
    android-rpi#1 0x7f678bac13b9 in nouveau_heap_alloc ../src/gallium/drivers/nouveau/nouveau_heap.c:64
    android-rpi#2 0x7f678bb6c7e4 in nv50_program_upload_code ../src/gallium/drivers/nouveau/nv50/nv50_program.c:490
    android-rpi#3 0x7f678bb83b92 in nv50_vertprog_validate ../src/gallium/drivers/nouveau/nv50/nv50_shader_state.c:161
    #4 0x7f678bba3000 in nv50_state_validate ../src/gallium/drivers/nouveau/nv50/nv50_state_validate.c:552
    #5 0x7f678bba3c4d in nv50_state_validate_3d ../src/gallium/drivers/nouveau/nv50/nv50_state_validate.c:575
    #6 0x7f678b9e3e92 in nv50_blit_3d ../src/gallium/drivers/nouveau/nv50/nv50_surface.c:1444
    #7 0x7f678b9e3e92 in nv50_blit ../src/gallium/drivers/nouveau/nv50/nv50_surface.c:1832
    #8 0x7f678a0b378a in blit_to_staging ../src/mesa/state_tracker/st_cb_readpixels.c:337
    #9 0x7f678a0b7358 in st_ReadPixels ../src/mesa/state_tracker/st_cb_readpixels.c:516
    #10 0x7f6789f82005 in read_pixels ../src/mesa/main/readpix.c:1178
    #11 0x7f6789f82005 in _mesa_ReadnPixelsARB ../src/mesa/main/readpix.c:1195
    #12 0x7f6789f82ac0 in _mesa_ReadPixels ../src/mesa/main/readpix.c:1210
...
SUMMARY: AddressSanitizer: 80 byte(s) leaked in 2 allocation(s).

Fixes: 67635a0 ("nouveau: get rid of tabs")
Signed-off-by: Patrick Lerda <patrick9876@free.fr>
Reviewed-by: Karol Herbst <kherbst@redhat.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/23592>
(cherry picked from commit 1980934)
KonstaT pushed a commit to lineage-rpi/android_external_mesa3d that referenced this pull request Jun 28, 2023
This change fixes a buffer overflow by implementing the
special swizzles. This behavior is already available with
evergreen_convert_border_color().

For instance, this issue is triggered on a cayman gpu with
"piglit/bin/texwrap bordercolor -auto -fbo" or "piglit/bin/max-samplers -auto -fbo":
==5610==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000012d20 at pc 0x7fb798cb876f bp 0x7ffd78670460 sp 0x7ffd78670458
READ of size 4 at 0x603000012d20 thread T0
    #0 0x7fb798cb876e in cayman_convert_border_color ../src/gallium/drivers/r600/evergreen_state.c:2444
    android-rpi#1 0x7fb798cb876e in evergreen_emit_sampler_states ../src/gallium/drivers/r600/evergreen_state.c:2539
    android-rpi#2 0x7fb7989e6cb2 in r600_emit_atom ../src/gallium/drivers/r600/r600_pipe.h:655
    android-rpi#3 0x7fb7989e6cb2 in r600_draw_vbo ../src/gallium/drivers/r600/r600_state_common.c:2333
    #4 0x7fb7985082c7 in u_vbuf_draw_vbo ../src/gallium/auxiliary/util/u_vbuf.c:1497
    #5 0x7fb796ef2eda in cso_draw_vbo ../src/gallium/auxiliary/cso_cache/cso_context.h:262
    #6 0x7fb796ef2eda in st_draw_gallium_multimode ../src/mesa/state_tracker/st_draw.c:170
    #7 0x7fb7970d9cfd in vbo_exec_vtx_flush ../src/mesa/vbo/vbo_exec_draw.c:341
    #8 0x7fb7970d32d7 in vbo_exec_FlushVertices_internal ../src/mesa/vbo/vbo_exec_api.c:693
    #9 0x7fb7970d32d7 in vbo_exec_FlushVertices ../src/mesa/vbo/vbo_exec_api.c:1193
    #10 0x7fb7975f237c in enable_texture ../src/mesa/main/enable.c:337

Fixes: 923d635 ("r600: fix some border color swizzles on CAYMAN")
Signed-off-by: Patrick Lerda <patrick9876@free.fr>
Reviewed-by: Gert Wollny <gert.wollny@collabora.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/23435>
(cherry picked from commit 4284705)
peyo-hd pushed a commit to peyo-hd/external_mesa3d that referenced this pull request Jul 20, 2023
Fixes: 5b205ef
   r600: Store nir shaders serialized to save memory

Direct leak of 4096 byte(s) in 1 object(s) allocated from:
    #0 0x7faf89c3bb48 in __interceptor_realloc (/usr/lib64/libasan.so.6+0xb1b48)
    android-rpi#1 0x7faf7be5981d in grow_to_fit ../src/util/blob.c:67
    android-rpi#2 0x7faf7be5a538 in grow_to_fit ../src/util/blob.c:49
    android-rpi#3 0x7faf7be5a538 in blob_reserve_bytes ../src/util/blob.c:177
    #4 0x7faf7be5a538 in blob_reserve_uint32 ../src/util/blob.c:190
    #5 0x7faf7d248a8c in nir_serialize ../src/compiler/nir/nir_serialize.c:2109
    #6 0x7faf7df4fdbb in r600_pipe_shader_create ../src/gallium/drivers/r600/r600_shader.c:401

Signed-off-by: Patrick Lerda <patrick9876@free.fr>
Reviewed-by: Gert Wollny <gert.wollny@collabora.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/21443>
(cherry picked from commit 9b4eb73)
peyo-hd pushed a commit to peyo-hd/external_mesa3d that referenced this pull request Jul 20, 2023
For instance, with "piglit/bin/arb_shader_image_load_store-host-mem-barrier --quick -auto -fbo":
==18549==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61200000a059 at pc 0x7f65d8937b80 bp 0x7fff6ed19a00 sp 0x7fff6ed199f8
READ of size 1 at 0x61200000a059 thread T0
    #0 0x7f65d8937b7f in evergreen_set_shader_images ../src/gallium/drivers/r600/evergreen_state.c:4277
    android-rpi#1 0x7f65d6b471b8 in st_bind_images ../src/mesa/state_tracker/st_atom_image.c:172
    android-rpi#2 0x7f65d6b76b26 in st_validate_state ../src/mesa/state_tracker/st_util.h:129
    android-rpi#3 0x7f65d6b76b26 in prepare_draw ../src/mesa/state_tracker/st_draw.c:88
    #4 0x7f65d6b77c8a in st_draw_gallium ../src/mesa/state_tracker/st_draw.c:141
    #5 0x7f65d72698a2 in _mesa_draw_arrays ../src/mesa/main/draw.c:1202

Fixes: a6b3792 ("r600: add core pieces of image support.")
Signed-off-by: Patrick Lerda <patrick9876@free.fr>
Reviewed-by: Gert Wollny <gert.wollny@collabora.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/22273>
(cherry picked from commit e0ed2b2)
peyo-hd pushed a commit to peyo-hd/external_mesa3d that referenced this pull request Jul 20, 2023
For instance, with "piglit/bin/shader_runner tests/spec/glsl-1.10/execution/glsl-vs-arrays-2.shader_test -auto -fbo":
Direct leak of 12 byte(s) in 1 object(s) allocated from:
    #0 0x7f33c3f3d097 in operator new[](unsigned long) (/usr/lib64/libasan.so.6+0xb3097)
    android-rpi#1 0x7f33b9af1e5b in r600::ValueFactory::get_shader_info(r600_shader*) ../src/gallium/drivers/r600/sfn/sfn_valuefactory.cpp:1056
    android-rpi#2 0x7f33b9a96860 in r600::Shader::get_shader_info(r600_shader*) ../src/gallium/drivers/r600/sfn/sfn_shader.cpp:1445
    android-rpi#3 0x7f33b99ddd07 in r600_shader_from_nir ../src/gallium/drivers/r600/sfn/sfn_nir.cpp:1032
    #4 0x7f33b9c3e701 in r600_pipe_shader_create ../src/gallium/drivers/r600/r600_shader.c:231

Fixes: 79ca456 ("r600/sfn: rewrite NIR backend")
Signed-off-by: Patrick Lerda <patrick9876@free.fr>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/22262>
(cherry picked from commit e45fa93)
peyo-hd pushed a commit to peyo-hd/external_mesa3d that referenced this pull request Jul 20, 2023
Indeed, the function nir_to_tgsi() returns an ureg_get_tokens() allocated
object which is assigned locally. The ureg_get_tokens() allocated object
should be freed.

For instance, this issue is triggered with a llvm enabled lima,
"piglit/bin/gl-1.0-rendermode-feedback -auto -fbo":
Direct leak of 512 byte(s) in 1 object(s) allocated from:
    #0 0x7faeaa4500 in __interceptor_realloc (/usr/lib64/libasan.so.6+0xa4500)
    android-rpi#1 0x7fa4a88f1c in tokens_expand ../src/gallium/auxiliary/tgsi/tgsi_ureg.c:239
    android-rpi#2 0x7fa4a88f1c in get_tokens ../src/gallium/auxiliary/tgsi/tgsi_ureg.c:262
    android-rpi#3 0x7fa4a900f4 in copy_instructions ../src/gallium/auxiliary/tgsi/tgsi_ureg.c:2079
    #4 0x7fa4a900f4 in ureg_finalize ../src/gallium/auxiliary/tgsi/tgsi_ureg.c:2129
    #5 0x7fa4a91dfc in ureg_get_tokens ../src/gallium/auxiliary/tgsi/tgsi_ureg.c:2206
    #6 0x7fa4b20a2c in nir_to_tgsi_options ../src/gallium/auxiliary/nir/nir_to_tgsi.c:4011
    #7 0x7fa4a0c914 in draw_create_vertex_shader ../src/gallium/auxiliary/draw/draw_vs.c:77

Fixes: b5e782f ("aux/draw: use nir_to_tgsi for draw shader in llvm path")
Signed-off-by: Patrick Lerda <patrick9876@free.fr>
Reviewed-by: Emma Anholt <emma@anholt.net>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/21924>
(cherry picked from commit 6a8e671)
peyo-hd pushed a commit to peyo-hd/external_mesa3d that referenced this pull request Jul 20, 2023
This change is inspired from iris_destroy_context().

For instance, this issue is triggered with
"piglit/bin/glsl-1.50-gs-max-output -scan 1 20 -auto -fbo":
Direct leak of 320 byte(s) in 2 object(s) allocated from:
    #0 0x7f34fc769987 in calloc (/usr/lib64/libasan.so.6+0xb1987)
    android-rpi#1 0x7f34f4fa168a in bo_calloc ../src/gallium/drivers/crocus/crocus_bufmgr.c:288
    android-rpi#2 0x7f34f4fa168a in alloc_fresh_bo ../src/gallium/drivers/crocus/crocus_bufmgr.c:350
    android-rpi#3 0x7f34f4fa168a in bo_alloc_internal ../src/gallium/drivers/crocus/crocus_bufmgr.c:419
    #4 0x7f34f4fe50a9 in crocus_get_scratch_space ../src/gallium/drivers/crocus/crocus_program.c:2678
    #5 0x7f34f55e8954 in crocus_upload_dirty_render_state ../src/gallium/drivers/crocus/crocus_state.c:6871
    #6 0x7f34f55e8954 in crocus_upload_render_state ../src/gallium/drivers/crocus/crocus_state.c:7812
    #7 0x7f34f5d9f680 in crocus_simple_draw_vbo ../src/gallium/drivers/crocus/crocus_draw.c:332
    #8 0x7f34f5d9f680 in crocus_draw_vbo ../src/gallium/drivers/crocus/crocus_draw.c:438
    #9 0x7f34f1d2eeba in tc_call_draw_single ../src/gallium/auxiliary/util/u_threaded_context.c:3735
    #10 0x7f34f1d12e03 in batch_execute ../src/gallium/auxiliary/util/u_threaded_context.c:394
    #11 0x7f34f1d12e03 in tc_batch_execute ../src/gallium/auxiliary/util/u_threaded_context.c:445
    #12 0x7f34f1d22c9a in _tc_sync ../src/gallium/auxiliary/util/u_threaded_context.c:680
    #13 0x7f34f1d238f8 in tc_texture_map ../src/gallium/auxiliary/util/u_threaded_context.c:2754
    #14 0x7f34f120b9d9 in pipe_texture_map_3d ../src/gallium/auxiliary/util/u_inlines.h:579
    #15 0x7f34f120b9d9 in st_ReadPixels ../src/mesa/state_tracker/st_cb_readpixels.c:530
    #16 0x7f34f10d7355 in read_pixels ../src/mesa/main/readpix.c:1178
    #17 0x7f34f10d7355 in _mesa_ReadnPixelsARB ../src/mesa/main/readpix.c:1195
    #18 0x7f34f10d7e10 in _mesa_ReadPixels ../src/mesa/main/readpix.c:1210

Fixes: f363054 ("f3630548f1da crocus: initial gallium driver for Intel gfx 4-7")
Signed-off-by: Patrick Lerda <patrick9876@free.fr>
Reviewed-by: Filip Gawin <filip.gawin@collabora.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/23019>
(cherry picked from commit 6ee0bba)
KonstaT pushed a commit to lineage-rpi/android_external_mesa3d that referenced this pull request Aug 17, 2023
    ../src/panfrost/compiler/compiler.h:89:14: runtime error: left shift of 51966 by 16 places cannot be represented in type 'int'
        #0 0x55c72fd7dda4 in bi_apply_swizzle ../src/panfrost/compiler/compiler.h:89
        android-rpi#1 0x55c72fd808d6 in bi_source_value ../src/panfrost/compiler/bi_opt_constant_fold.c:35
        android-rpi#2 0x55c72fd80a83 in bi_fold_constant ../src/panfrost/compiler/bi_opt_constant_fold.c:52
        android-rpi#3 0x55c72fb2080c in constant_fold_pred ../src/panfrost/compiler/test/test-constant-fold.cpp:48
        #4 0x55c72fb21a65 in ConstantFold_Swizzles_Test::TestBody() ../src/panfrost/compiler/test/test-constant-fold.cpp:103
        #5 0x55c73070cc97 in void testing::internal::HandleSehExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) ../src/gtest/src/gtest.cc:2621
        #6 0x55c7306f0df7 in void testing::internal::HandleExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) ../src/gtest/src/gtest.cc:2657
        #7 0x55c730694add in testing::Test::Run() ../src/gtest/src/gtest.cc:2696
        #8 0x55c73069798d in testing::TestInfo::Run() ../src/gtest/src/gtest.cc:2845
        #9 0x55c73069b684 in testing::TestSuite::Run() ../src/gtest/src/gtest.cc:3004
        #10 0x55c7306ccfcb in testing::internal::UnitTestImpl::RunAllTests() ../src/gtest/src/gtest.cc:5890
        #11 0x55c73071053c in bool testing::internal::HandleSehExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) ../src/gtest/src/gtest.cc:2621
        #12 0x55c7306f4ed3 in bool testing::internal::HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) ../src/gtest/src/gtest.cc:2657
        #13 0x55c7306c23fa in testing::UnitTest::Run() ../src/gtest/src/gtest.cc:5455
        #14 0x55c730748faf in RUN_ALL_TESTS() ../src/gtest/include/gtest/gtest.h:2314
        #15 0x55c730748ffa in main ../src/gtest/src/gtest_main.cc:63
        #16 0x7f8554bcc1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #17 0x7f8554bcc284 in __libc_start_main_impl ../csu/libc-start.c:360
        #18 0x55c72fb18be0 in _start (/builds/mesa/mesa/_build/src/panfrost/compiler/bifrost_tests+0xbd0be0)

Cc: mesa-stable
Signed-off-by: Eric Engestrom <eric@igalia.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/24610>
(cherry picked from commit 54c7099)
peyo-hd pushed a commit to peyo-hd/external_mesa3d that referenced this pull request Sep 7, 2023
    ../src/panfrost/compiler/compiler.h:89:14: runtime error: left shift of 51966 by 16 places cannot be represented in type 'int'
        #0 0x55c72fd7dda4 in bi_apply_swizzle ../src/panfrost/compiler/compiler.h:89
        android-rpi#1 0x55c72fd808d6 in bi_source_value ../src/panfrost/compiler/bi_opt_constant_fold.c:35
        android-rpi#2 0x55c72fd80a83 in bi_fold_constant ../src/panfrost/compiler/bi_opt_constant_fold.c:52
        android-rpi#3 0x55c72fb2080c in constant_fold_pred ../src/panfrost/compiler/test/test-constant-fold.cpp:48
        #4 0x55c72fb21a65 in ConstantFold_Swizzles_Test::TestBody() ../src/panfrost/compiler/test/test-constant-fold.cpp:103
        #5 0x55c73070cc97 in void testing::internal::HandleSehExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) ../src/gtest/src/gtest.cc:2621
        #6 0x55c7306f0df7 in void testing::internal::HandleExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) ../src/gtest/src/gtest.cc:2657
        #7 0x55c730694add in testing::Test::Run() ../src/gtest/src/gtest.cc:2696
        #8 0x55c73069798d in testing::TestInfo::Run() ../src/gtest/src/gtest.cc:2845
        #9 0x55c73069b684 in testing::TestSuite::Run() ../src/gtest/src/gtest.cc:3004
        #10 0x55c7306ccfcb in testing::internal::UnitTestImpl::RunAllTests() ../src/gtest/src/gtest.cc:5890
        #11 0x55c73071053c in bool testing::internal::HandleSehExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) ../src/gtest/src/gtest.cc:2621
        #12 0x55c7306f4ed3 in bool testing::internal::HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) ../src/gtest/src/gtest.cc:2657
        #13 0x55c7306c23fa in testing::UnitTest::Run() ../src/gtest/src/gtest.cc:5455
        #14 0x55c730748faf in RUN_ALL_TESTS() ../src/gtest/include/gtest/gtest.h:2314
        #15 0x55c730748ffa in main ../src/gtest/src/gtest_main.cc:63
        #16 0x7f8554bcc1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #17 0x7f8554bcc284 in __libc_start_main_impl ../csu/libc-start.c:360
        #18 0x55c72fb18be0 in _start (/builds/mesa/mesa/_build/src/panfrost/compiler/bifrost_tests+0xbd0be0)

Cc: mesa-stable
Signed-off-by: Eric Engestrom <eric@igalia.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/24610>
(cherry picked from commit 54c7099)
KonstaT pushed a commit to lineage-rpi/android_external_mesa3d that referenced this pull request Sep 13, 2023
Huge thanks to Tapani Pälli for debugging this issue, figuring out
what was going wrong, proposing fixes, and walking me through where
things were going off the rails.

BLORP always disables tessellation and geometry shaders.  Our handling
tried to look at ice->shaders.uncompiled[] to determine whether the next
draw needed those shaders.  If not, we can leave BLORP's residual state
that disabled those stages in place, and skip looking at it.

Unfortunately, predicting the future is a bit fraught, in part due to
the uncompiled[] and prog[] arrays being slightly out of sync at times.

Consider the following case:

1. Draw with tessellation shaders in place

   => uncompiled[TES] and prog[TES] will both point at valid shaders.

2. Gallium calls pipe->bind_tes_state(NULL).

   => This makes uncompiled[TES] point at NULL, and flags
      IRIS_STAGE_DIRTY_UNCOMPILED_TES.

      Because iris_update_compiled_shaders() hasn't happened yet,
      uncompiled[TES] is NULL but prog[TES] has the stale TES from
      the previous draw still.

3. BLORP operations happen

   => BLORP sees uncompiled[TES] == NULL and decides that tessellation
      is off for the upcoming draws.  So it skips flagging tess state.

4. Gallium calls pipe->bind_tes_state(shader from step android-rpi#1).

   => uncompiled[TES] points at the original shader.
      IRIS_STAGE_DIRTY_UNCOMPILED_TES gets flagged again.

5. Draw again

   => This calls iris_update_compiled_shaders(), which sees that
      a TES is bound, and calls iris_update_compiled_tes().  But
      because the same shader was bound as before, the program it
      comes up with is identical to the one already bound at
      ice->shaders.prog[TES].  So, it thinks it doesn't have to
      flag any tessellation state dirty because it was already
      set up for the last draw.

This random unbind and rebind between draws leads to a situation
where, at step android-rpi#3, BLORP thinks it can skip flagging tessellation
state (nothing is bound), and at step #5, normal state handling
thinks it can skip flagging tessellation state (nothing changed
since last time).  So nobody does, and things break.

This unbind appears to be happening when st_release_variants()
decides it wants to free some shaders.  Then a rebind happens to
put back the actual shader for the draw.  So, it's not theoretical.

To fix this, we change BLORP to look at ice->shaders.prog[] rather
than uncompiled[].  This is equivalent to thinking about the previous
draw, rather than the next.  If the last draw had tessellation off,
then BLORP's disabling was a no-op, and the GPU is still in the same
state as the previous draw.  This is more reliable than predicting
the future.

Cc: mesa-stable
Closes: https://gitlab.freedesktop.org/mesa/mesa/-/issues/8308
Closes: https://gitlab.freedesktop.org/mesa/mesa/-/issues/9678
Reviewed-by: Tapani Pälli <tapani.palli@intel.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/24880>
(cherry picked from commit d693027)
peyo-hd pushed a commit to peyo-hd/external_mesa3d that referenced this pull request Sep 26, 2023
Huge thanks to Tapani Pälli for debugging this issue, figuring out
what was going wrong, proposing fixes, and walking me through where
things were going off the rails.

BLORP always disables tessellation and geometry shaders.  Our handling
tried to look at ice->shaders.uncompiled[] to determine whether the next
draw needed those shaders.  If not, we can leave BLORP's residual state
that disabled those stages in place, and skip looking at it.

Unfortunately, predicting the future is a bit fraught, in part due to
the uncompiled[] and prog[] arrays being slightly out of sync at times.

Consider the following case:

1. Draw with tessellation shaders in place

   => uncompiled[TES] and prog[TES] will both point at valid shaders.

2. Gallium calls pipe->bind_tes_state(NULL).

   => This makes uncompiled[TES] point at NULL, and flags
      IRIS_STAGE_DIRTY_UNCOMPILED_TES.

      Because iris_update_compiled_shaders() hasn't happened yet,
      uncompiled[TES] is NULL but prog[TES] has the stale TES from
      the previous draw still.

3. BLORP operations happen

   => BLORP sees uncompiled[TES] == NULL and decides that tessellation
      is off for the upcoming draws.  So it skips flagging tess state.

4. Gallium calls pipe->bind_tes_state(shader from step android-rpi#1).

   => uncompiled[TES] points at the original shader.
      IRIS_STAGE_DIRTY_UNCOMPILED_TES gets flagged again.

5. Draw again

   => This calls iris_update_compiled_shaders(), which sees that
      a TES is bound, and calls iris_update_compiled_tes().  But
      because the same shader was bound as before, the program it
      comes up with is identical to the one already bound at
      ice->shaders.prog[TES].  So, it thinks it doesn't have to
      flag any tessellation state dirty because it was already
      set up for the last draw.

This random unbind and rebind between draws leads to a situation
where, at step android-rpi#3, BLORP thinks it can skip flagging tessellation
state (nothing is bound), and at step #5, normal state handling
thinks it can skip flagging tessellation state (nothing changed
since last time).  So nobody does, and things break.

This unbind appears to be happening when st_release_variants()
decides it wants to free some shaders.  Then a rebind happens to
put back the actual shader for the draw.  So, it's not theoretical.

To fix this, we change BLORP to look at ice->shaders.prog[] rather
than uncompiled[].  This is equivalent to thinking about the previous
draw, rather than the next.  If the last draw had tessellation off,
then BLORP's disabling was a no-op, and the GPU is still in the same
state as the previous draw.  This is more reliable than predicting
the future.

Cc: mesa-stable
Closes: https://gitlab.freedesktop.org/mesa/mesa/-/issues/8308
Closes: https://gitlab.freedesktop.org/mesa/mesa/-/issues/9678
Reviewed-by: Tapani Pälli <tapani.palli@intel.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/24880>
(cherry picked from commit d693027)
peyo-hd pushed a commit to peyo-hd/external_mesa3d that referenced this pull request Jan 25, 2024
For instance, this issue is triggered with
vs-to-fs-overlap.shader_test -auto -fbo:
Direct leak of 24 byte(s) in 1 object(s) allocated from:
    #0 0x7fe64f58e9a7 in calloc (/usr/lib64/libasan.so.6+0xb19a7)
    android-rpi#1 0x7fe642ca2839 in _mesa_symbol_table_ctor ../src/mesa/program/symbol_table.c:286
    android-rpi#2 0x7fe642ff003d in gl_nir_cross_validate_outputs_to_inputs ../src/compiler/glsl/gl_nir_link_varyings.c:728
    android-rpi#3 0x7fe642d7c7d8 in gl_nir_link_glsl ../src/compiler/glsl/gl_nir_linker.c:1357
    #4 0x7fe642be6931 in st_link_glsl_to_nir ../src/mesa/state_tracker/st_glsl_to_nir.cpp:562
    #5 0x7fe642be6931 in st_link_shader ../src/mesa/state_tracker/st_glsl_to_nir.cpp:944
    #6 0x7fe642acab55 in link_program ../src/mesa/main/shaderapi.c:1336
    #7 0x7fe642acab55 in link_program_error ../src/mesa/main/shaderapi.c:1447
    #8 0x7fe6424aa389 in _mesa_unmarshal_LinkProgram src/mapi/glapi/gen/marshal_generated2.c:1911
    #9 0x7fe641fd912b in glthread_unmarshal_batch ../src/mesa/main/glthread.c:139
    #10 0x7fe641f48d48 in util_queue_thread_func ../src/util/u_queue.c:309
    #11 0x7fe641fa442a in impl_thrd_routine ../src/c11/impl/threads_posix.c:67

Fixes: 7d1948e ("glsl: implement cross_validate_outputs_to_inputs() in nir linker")
Signed-off-by: Patrick Lerda <patrick9876@free.fr>
Reviewed-by: Marek Olšák <marek.olsak@amd.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/27071>
(cherry picked from commit bacace8634346f853547f51a0ea6ff8082a8dcb8)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants