https://bugs.freedesktop.org/show_bug.cgi?id=93447
Bug ID: 93447
Summary: [r600g] llvm crash because of use of uninitialized stack
Product: Mesa
Version: git
Hardware: x86-64 (AMD64)
OS: Linux (All)
Status: NEW
Severity: normal
Priority: medium
Component: Drivers/Gallium/r600
Assignee: dri-devel@lists.freedesktop.org
Reporter: notasas@gmail.com
QA Contact: dri-devel@lists.freedesktop.org
Created attachment 120595 --> https://bugs.freedesktop.org/attachment.cgi?id=120595&action=edit hack patch
When replaying traces from Bug 92229 with R600_DEBUG=llvm specified, a crash will occur (on my system) in LLVMBuildInsertElement() because an uninitialized value is passed in the Index argument. That value originates from the radeon_llvm_emit_prepare_cube_coords() function's coords[3] stack variable. At that time, opcode = TGSI_OPCODE_TEX and target = TGSI_TEXTURE_CUBE, so nothing ever sets coords[3], which is copied to the caller and eventually finds its way to llvm.
Unfortunately I don't have any knowledge about that code, I hope somebody who knows more can take a look. A hack patch is attached but it's most likely wrong.
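The pattern described in the report above, as an added example that is neither Mesa code nor the attached patch: a function writes a four-slot stack array on only some opcode paths and then copies all four slots to its caller. The enums, the handle values and the choice of OP_TXB as the only path that sets slot 3 are assumptions made for illustration, and the stack garbage is simulated with a fixed byte pattern.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-ins for the opcode/target values named in the report. */
enum opcode { OP_TEX, OP_TXB };
enum target { TARGET_2D, TARGET_CUBE };

#define NUM_VALUES 8u   /* constructed: handles 0..7 refer to real IR values */
#define UNDEF_VALUE 0u  /* constructed: handle of a well-defined "undef" value */

/* Model of the reported pattern: slot 3 is written on only some paths,
 * but all four slots are copied out to the caller. */
static void prepare_coords(enum opcode op, enum target tgt,
                           uint32_t out[4], int init_all)
{
    uint32_t coords[4];
    /* Stand-in for leftover stack bytes; real uninitialized reads are UB
     * and not reproducible, so the garbage is made explicit here. */
    memset(coords, 0xAA, sizeof(coords));
    if (init_all)                       /* hardened variant */
        for (int i = 0; i < 4; i++)
            coords[i] = UNDEF_VALUE;
    coords[0] = 1; coords[1] = 2;
    coords[2] = (tgt == TARGET_CUBE) ? 3 : UNDEF_VALUE;
    if (op == OP_TXB)                   /* assumption: only this path sets slot 3 */
        coords[3] = 4;
    memcpy(out, coords, sizeof(coords));
}

/* Caller-side check: how many returned handles do not name a real value. */
static int count_invalid(const uint32_t c[4])
{
    int bad = 0;
    for (int i = 0; i < 4; i++)
        if (c[i] >= NUM_VALUES)
            bad++;
    return bad;
}

/* Runs one case and reports the number of garbage slots the caller sees. */
static int garbage_slots(enum opcode op, enum target tgt, int init_all)
{
    uint32_t c[4];
    prepare_coords(op, tgt, c, init_all);
    return count_invalid(c);
}

int main(void) { return garbage_slots(OP_TEX, TARGET_CUBE, 1); }
```

In a real build, compiling with MemorySanitizer or running under Valgrind flags the use of the unset slot without needing the simulated pattern.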
Michel Dänzer michel@daenzer.net changed:
           What    |Removed |Added
----------------------------------------------------------------------------
             Status|NEW     |RESOLVED
         Resolution|---     |WONTFIX
--- Comment #1 from Michel Dänzer michel@daenzer.net ---
R600_DEBUG=llvm is currently known broken in many ways and should only be enabled by developers who want to fix it.
--- Comment #2 from Grazvydas Ignotas notasas@gmail.com ---
I believe this bug can also be triggered by radeonsi though, as it also calls radeon_llvm_emit_prepare_cube_coords(). When target == TGSI_TEXTURE_CUBE and opcode == TGSI_OPCODE_TXF, si_shader.c will take and use a garbage value from that function.
Unfortunately I don't have any radeonsi hardware to make a testcase to prove my point. It might also be difficult anyway due to the nature of uninitialized variable bugs (it's likely to end up with a value that doesn't cause a crash).
--- Comment #3 from Ilia Mirkin imirkin@alum.mit.edu ---
(In reply to Grazvydas Ignotas from comment #2)
> I believe this bug can also be triggered by radeonsi though, as it also calls radeon_llvm_emit_prepare_cube_coords(). When target == TGSI_TEXTURE_CUBE and opcode == TGSI_OPCODE_TXF, si_shader.c will take and use a garbage value from that function.
You can't texelFetch() on a samplerCube.