Bug 107366

Summary: NIR verification crashes on piglit tests
Product: Mesa
Reporter: Mark Janes <mark.a.janes>
Component: Drivers/DRI/i965
Assignee: Danylo <danylo.piliaiev>
Status: RESOLVED FIXED
QA Contact: Intel 3D Bugs Mailing List <intel-3d-bugs>
Severity: normal
Priority: medium
CC: baker.dylan.c, jason
Version: git
Keywords: bisected, regression
Hardware: Other
OS: All

Description Mark Janes 2018-07-24 17:24:44 UTC
Running piglit tests with NIR_TEST_CLONE=true NIR_TEST_SERIALIZE=true, thousands of piglit tests crash:

NIR_TEST_CLONE=true NIR_TEST_SERIALIZE=true /tmp/build_root/m64/lib/piglit/bin/shader_runner /tmp/build_root/m64/lib/piglit/generated_tests/spec/arb_tessellation_shader/execution/built-in-functions/tcs-op-mult-float-mat4.shader_test -auto -fbo
piglit: debug: Requested an OpenGL 3.2 Core Context, and received a matching 4.5 context

Segmentation fault


Bisected to:
d219521379626ebf2bff63e4a9c2f92725b3926a is the first bad commit
commit d219521379626ebf2bff63e4a9c2f92725b3926a
Author: Danylo Piliaiev <danylo.piliaiev@gmail.com>
Date:   Wed Jul 11 15:29:00 2018 +0300
    i965: Sweep NIR after linking phase to free held memory
    
    After optimization passes and many transformations most of memory
    NIR holds is a garbage which was being freed only after shader deletion.
    Freeing it at the end of linking will save memory which would be useful
    in case there are a lot of complex shaders being compiled.
    The common case for this issue is 32bit game running under Wine.
    
    The cost of the optimization is around ~3-5% of compilation speed
    with complex shaders.
    
    V2: by Jason Ekstrand
        - Move nir_sweep up, right after the last change of NIR
    
    Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=103274
    Signed-off-by: Danylo Piliaiev <danylo.piliaiev@globallogic.com>
    Reviewed-by: Jason Ekstrand <jason@jlekstrand.net>
    Cc: mesa-stable@lists.freedesktop.org

Comment 1 Jason Ekstrand 2018-07-24 19:35:48 UTC
Fixed by the following commit in master:

commit f214baf72ff89ba03342067f89c38b4bc84e298b (public/master)
Author: Jason Ekstrand <jason.ekstrand@intel.com>
Date:   Tue Jul 24 11:01:20 2018 -0700

    nir/serialize: Alloc constants off the variable
    
    nir_sweep assumes that constants are always allocated off the variable
    to which they belong.  Violating this assumption causes them to get
    freed early and leads to use-after-free bugs.
    
    Fixes: 120da00975541 "nir: add serialization and deserialization"
    Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=107366
    Reviewed-by: Lionel Landwerlin <lionel.g.landwerlin@intel.com>
    Tested-by: Mark Janes <mark.a.janes@intel.com>
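
The ownership rule named in the fix commit, as an added example that is not part of the bug report or of Mesa: a toy parent-tracking allocator whose sweep keeps only the subtrees of reachable variables. All names (toy_alloc, toy_sweep, constant_survives_sweep) are hypothetical, the sweep behaviour is an assumed simplification, and "freeing" is modelled with a live flag so nothing is actually dereferenced after free.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Toy hierarchical allocator: every node records the node that owns it. */
enum { MAX_NODES = 8 };
struct node { int parent; bool live; };      /* parent == -1 for a root */
static struct node pool[MAX_NODES];
static int used;

static int toy_alloc(int parent) {
    pool[used] = (struct node){ .parent = parent, .live = true };
    return used++;
}

/* True if n is root itself or is owned (transitively) by root. */
static bool toy_in_subtree(int n, int root) {
    for (; n != -1; n = pool[n].parent)
        if (n == root) return true;
    return false;
}

/* Assumed sweep model: everything owned by the shader is released unless it
 * sits in the ownership subtree of a variable the shader still references. */
static void toy_sweep(int shader, const int *reachable, size_t count) {
    for (int i = 0; i < used; i++) {
        if (i == shader || !toy_in_subtree(i, shader)) continue;
        bool keep = false;
        for (size_t j = 0; j < count; j++)
            if (toy_in_subtree(i, reachable[j])) keep = true;
        pool[i].live = keep;                  /* false models "freed" */
    }
}

/* The variable points at its constant in both cases; only the owner differs. */
static bool constant_survives_sweep(bool alloc_off_variable) {
    used = 0;
    int shader = toy_alloc(-1);
    int var = toy_alloc(shader);
    int constant = toy_alloc(alloc_off_variable ? var : shader);
    toy_sweep(shader, &var, 1);
    return pool[constant].live;               /* false: var now dangles */
}

int main(void) {
    printf("owned by variable: live=%d\n", constant_survives_sweep(true));
    printf("owned by shader:   live=%d\n", constant_survives_sweep(false));
    return 0;
}
```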
