From mboxrd@z Thu Jan 1 00:00:00 1970
From: bugzilla-daemon@freedesktop.org
Subject: [Bug 106928] When starting a match Rocket League crashes on "Go"
Date: Fri, 29 Jun 2018 00:09:54 +0000
Message-ID:
References:
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="===============0480886974=="
Return-path:
Received: from culpepper.freedesktop.org (culpepper.freedesktop.org
[131.252.210.165])
by gabe.freedesktop.org (Postfix) with ESMTP id CE0B36E09C
for ; Fri, 29 Jun 2018 00:09:54 +0000 (UTC)
In-Reply-To:
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Errors-To: dri-devel-bounces@lists.freedesktop.org
Sender: "dri-devel"
To: dri-devel@lists.freedesktop.org
List-Id: dri-devel@lists.freedesktop.org
--===============0480886974==
Content-Type: multipart/alternative; boundary="15302309940.0bbCc8ad9.27651"
Content-Transfer-Encoding: 7bit
--15302309940.0bbCc8ad9.27651
Date: Fri, 29 Jun 2018 00:09:54 +0000
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: http://bugs.freedesktop.org/
Auto-Submitted: auto-generated
https://bugs.freedesktop.org/show_bug.cgi?id=3D106928
--- Comment #9 from Roland Scheidegger ---
(In reply to ubizjak from comment #7)
> Please configure the build with:
>=20
> CXXFLAGS=3D"-Wp,-D_GLIBCXX_ASSERTIONS" ./autogen.sh
That didn't do anything neither. However I figured out the problem more or =
less
in the code, and some googling said that using -D_GLIBCXX_DEBUG should make=
it
trigger reliably, and indeed it does...
The issue is that (you already showed that actually)
src =3D std::vector of length 2, capacity 3 =3D {0x7f94d905d110, 0x7f94d905=
cf70}}
And trying to access element src[2].
There's an early exit in the function if src.size() is < 3. Since this didn=
't
hit, apparently fold_assoc() resized the vector. And indeed it can do that
(there's an explicit n->src.resize(2) somewhere, and it would still return
false in this case).
I think something like this should do:
diff --git a/src/gallium/drivers/r600/sb/sb_expr.cpp
b/src/gallium/drivers/r600/sb/sb_expr.cpp
index 1df78da660..c77b9f2d7d 100644
--- a/src/gallium/drivers/r600/sb/sb_expr.cpp
+++ b/src/gallium/drivers/r600/sb/sb_expr.cpp
@@ -945,6 +945,8 @@ bool expr_handler::fold_alu_op3(alu_node& n) {
if (!sh.safe_math && (n.bc.op_ptr->flags & AF_M_ASSOC)) {
if (fold_assoc(&n))
return true;
+ else if (n.src.size() < 3)
+ return fold_alu_op2(n);
}
value* v0 =3D n.src[0]->gvalue();
But I'm not entirely convinced it's really the right thing to do (maybe what
fold_assoc() did isn't quite what it's supposed to do?).
It fixes the particular fold_alu_op3 crash for me, but the shader (not sure
it's actually the same one) crashes later anyway:
/usr/include/c++/4.8/debug/safe_iterator.h:225:
Error: attempt to copy from a singular iterator.
Objects involved in the operation:
iterator "this" @ 0x0x7ffff3c71e80 {
type =3D=20
Thread 1 "glretrace" received signal SIGSEGV, Segmentation fault.
...
#3 0x00007ffff36538cb in
__gnu_debug::_Safe_iterator<__gnu_cxx::__normal_iterator > >,
std::__debug::vector > >::operator=3D (this=3D0x7fffffffb8=
40,
__x=3D) at /usr/include/c++/4.8/debug/safe_iterator.h:221
#4 0x00007ffff365376d in
std::reverse_iterator<__gnu_debug::_Safe_iterator<__gnu_cxx::__normal_itera=
tor > >,
std::__debug::vector > > >::operator=3D (this=3D0x7fffffff=
b840) at
/usr/include/c++/4.8/bits/stl_iterator.h:96
#5 r600_sb::if_conversion::run (this=3D0x7fffffffbee0) at
sb/sb_if_conversion.cpp:46
#6 0x00007ffff3632765 in r600_sb_bytecode_process (rctx=3D0x10e4660,
bc=3D0x1980bf0, pshader=3D0x1980be8, dump_bytecode=3D1, optimize=3D1) at
sb/sb_core.cpp:195
I don't know though if that's just due to the D_GLIBCXX_DEBUG thing or it w=
ill
also cause crashes without it in some other libstdc++ versions... (in any c=
ase,
it probably should be fixed, but this code isn't my area of expertise).
--=20
You are receiving this mail because:
You are the assignee for the bug.=
--15302309940.0bbCc8ad9.27651
Date: Fri, 29 Jun 2018 00:09:54 +0000
MIME-Version: 1.0
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: http://bugs.freedesktop.org/
Auto-Submitted: auto-generated
Commen=
t # 9
on bug 10692=
8
from Roland Scheidegger
(In reply to ubizjak from comment #7)
> Please configure the build with:
>=20
> CXXFLAGS=3D"-Wp,-D_GLIBCXX_ASSERTIONS" ./autogen.sh
That didn't do anything neither. However I figured out the problem more or =
less
in the code, and some googling said that using -D_GLIBCXX_DEBUG should make=
it
trigger reliably, and indeed it does...
The issue is that (you already showed that actually)
src =3D std::vector of length 2, capacity 3 =3D {0x7f94d905d110, 0x7f94d905=
cf70}}
And trying to access element src[2].
There's an early exit in the function if src.size() is < 3. Since this d=
idn't
hit, apparently fold_assoc() resized the vector. And indeed it can do that
(there's an explicit n->src.resize(2) somewhere, and it would still retu=
rn
false in this case).
I think something like this should do:
diff --git a/src/gallium/drivers/r600/sb/sb_expr.cpp
b/src/gallium/drivers/r600/sb/sb_expr.cpp
index 1df78da660..c77b9f2d7d 100644
--- a/src/gallium/drivers/r600/sb/sb_expr.cpp
+++ b/src/gallium/drivers/r600/sb/sb_expr.cpp
@@ -945,6 +945,8 @@ bool expr_handler::fold_alu_op3(alu_nod=
e& n) {
if (!sh.safe_math && (n.bc.op_ptr->flags & AF_M_ASSO=
C)) {
if (fold_assoc(&n))
return true;
+ else if (n.src.size() < 3)
+ return fold_alu_op2(n);
}
value* v0 =3D n.src[0]->gvalue();
But I'm not entirely convinced it's really the right thing to do (maybe what
fold_assoc() did isn't quite what it's supposed to do?).
It fixes the particular fold_alu_op3 crash for me, but the shader (not sure
it's actually the same one) crashes later anyway:
/usr/include/c++/4.8/debug/safe_iterator.h:225:
Error: attempt to copy from a singular iterator.
Objects involved in the operation:
iterator "this" @ 0x0x7ffff3c71e80 {
type =3D=20
Thread 1 "glretrace" received signal SIGSEGV, Segmentation fault.
...
#3 0x00007ffff36538cb in
__gnu_debug::_Safe_iterator<__gnu_cxx::__normal_iterator<r600_sb::reg=
ion_node**,
std::__cxx1998::vector<r600_sb::region_node*,
std::allocator<r600_sb::region_node*> > >,
std::__debug::vector<r600_sb::region_node*,
std::allocator<r600_sb::region_node*> > >::operator=3D (this=3D=
0x7fffffffb840,
__x=3D) at /usr/include/c++/4.8/debug/safe_iterator.h:221
#4 0x00007ffff365376d in
std::reverse_iterator<__gnu_debug::_Safe_iterator<__gnu_cxx::__normal=
_iterator<r600_sb::region_node**,
std::__cxx1998::vector<r600_sb::region_node*,
std::allocator<r600_sb::region_node*> > >,
std::__debug::vector<r600_sb::region_node*,
std::allocator<r600_sb::region_node*> > > >::operator=3D (th=
is=3D0x7fffffffb840) at
/usr/include/c++/4.8/bits/stl_iterator.h:96
#5 r600_sb::if_conversion::run (this=3D0x7fffffffbee0) at
sb/sb_if_conversion.cpp:46
#6 0x00007ffff3632765 in r600_sb_bytecode_process (rctx=3D0x10e4660,
bc=3D0x1980bf0, pshader=3D0x1980be8, dump_bytecode=3D1, optimize=3D1) at
sb/sb_core.cpp:195
I don't know though if that's just due to the D_GLIBCXX_DEBUG thing or it w=
ill
also cause crashes without it in some other libstdc++ versions... (in any c=
ase,
it probably should be fixed, but this code isn't my area of expertise).
You are receiving this mail because:
- You are the assignee for the bug.
=
--15302309940.0bbCc8ad9.27651--
--===============0480886974==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: inline
X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18KZHJpLWRldmVs
IG1haWxpbmcgbGlzdApkcmktZGV2ZWxAbGlzdHMuZnJlZWRlc2t0b3Aub3JnCmh0dHBzOi8vbGlz
dHMuZnJlZWRlc2t0b3Aub3JnL21haWxtYW4vbGlzdGluZm8vZHJpLWRldmVsCg==
--===============0480886974==--