<<MESA crashed>> Array Index Out of Range with GraphicsFuzz application
We are using the GraphicsFuzz application (from Google) and encountered a MESA crash with an array index out of range in MESA (backtrace is below).
We tested with MESA version 18.2.
The system panics at the point below, with array index 1707 / 4294947814:
12-19 00:47:58.511 24692 24692 F DEBUG : #00 pc 000000000045c53a /vendor/lib64/dri/i965_dri.so **(ir_constant::ir_constant(ir_constant const*, unsigned int)+106)** (BuildId: 2605846b0aace93518352675f4ba09a427565a50)
We are really surprised to see that MESA does not have logic to handle the index-out-of-range scenario.
Note: GraphicsFuzz provides tools for automatically finding and simplifying bugs in graphics drivers, specifically graphics shader compilers.
02-19 22:52:20.938 12094 12115 W : //DEBUG TEST: Enter ir_constant::ir_constant
02-19 22:52:20.938 12094 12115 W : //DEBUG TEST: i=1
02-19 22:52:20.938 12094 12115 W : //DEBUG TEST: ir_constant *c is not NULL c=-1998529424
02-19 22:52:22.963 12094 12115 W : //DEBUG TEST: Enter ir_constant::ir_constant
02-19 22:52:22.963 12094 12115 W : //DEBUG TEST: i=3
02-19 22:52:22.963 12094 12115 W : //DEBUG TEST: ir_constant *c is not NULL c=-1996120688
02-19 22:52:25.436 12094 12115 W : //DEBUG TEST: Enter ir_constant::ir_constant
02-19 22:52:25.436 12094 12115 W : //DEBUG TEST: i=0
02-19 22:52:25.436 12094 12115 W : //DEBUG TEST: ir_constant *c is not NULL c=-1968548528
02-19 22:52:26.943 12094 12115 W : //DEBUG TEST: Enter ir_constant::ir_constant
02-19 22:52:26.943 12094 12115 W : //DEBUG TEST: **i=1707**
02-19 22:52:26.943 12094 12115 W : //DEBUG TEST: ir_constant *c is not NULL c=-1968932304
02-19 22:52:26.943 12094 12115 W : //DEBUG TEST: Enter ir_constant::ir_constant
02-19 22:52:26.943 12094 12115 W : //DEBUG TEST: **i=4294947814** <<< Crash occurs with this index.
12-19 00:47:58.413 24692 24692 F DEBUG : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
12-19 00:47:58.413 24692 24692 F DEBUG : Build fingerprint: /titan_gm_my22/titan_gm_my22:10/QP1A.190711.019/40:userdebug/test-keys'
12-19 00:47:58.413 24692 24692 F DEBUG : Revision: '0'
12-19 00:47:58.413 24692 24692 F DEBUG : ABI: 'x86_64'
12-19 00:47:58.413 24692 24692 F DEBUG : Timestamp: 2019-12-19 00:47:58+0000
12-19 00:47:58.413 24692 24692 F DEBUG : pid: 24460, tid: 24484, name: GLThread 1441 >>> com.graphicsfuzz.glesworker:launcher <<
12-19 00:47:58.413 24692 24692 F DEBUG : uid: 1010103
12-19 00:47:58.413 24692 24692 F DEBUG : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x796b361c708c
12-19 00:47:58.413 24692 24692 F DEBUG : rax 00000000fffec635 rbx 0000796736215a30 rcx 00007967372403d0 rdx 00000000fffec635
12-19 00:47:58.413 24692 24692 F DEBUG : r8 00000000000000b0 r9 0000000000000000 r10 0000000000000001 r11 0000000000000001
12-19 00:47:58.413 24692 24692 F DEBUG : r12 0000796736215790 r13 00000000366a1b01 r14 0000796736215790 r15 0000000000000000
12-19 00:47:58.413 24692 24692 F DEBUG : rdi 0000796737bf75d8 rsi 0000796736215790
12-19 00:47:58.413 24692 24692 F DEBUG : rbp 00000000fffec635 rsp 0000796737056bc0 rip 00007967375b753a
12-19 00:47:58.511 24692 24692 F DEBUG :
12-19 00:47:58.511 24692 24692 F DEBUG : backtrace:
12-19 00:47:58.511 24692 24692 F DEBUG : #00 pc 000000000045c53a /vendor/lib64/dri/i965_dri.so **(ir_constant::ir_constant(ir_constant const*, unsigned int)**+106) (BuildId: 2605846b0aace93518352675f4ba09a427565a50)
12-19 00:47:58.511 24692 24692 F DEBUG : #01 pc 000000000045a919 /vendor/lib64/dri/i965_dri.so (ir_dereference_array::constant_expression_value(void*, hash_table*)+361) (BuildId: 2605846b0aace93518352675f4ba09a427565a50)
12-19 00:47:58.511 24692 24692 F DEBUG : #02 pc 000000000049d6b7 /vendor/lib64/dri/i965_dri.so (ir_constant_fold(ir_rvalue**)+167) (BuildId: 2605846b0aace93518352675f4ba09a427565a50)
12-19 00:47:58.511 24692 24692 F DEBUG : #03 pc 000000000049e357 /vendor/lib64/dri/i965_dri.so ((anonymous namespace)::ir_constant_propagation_visitor::handle_rvalue(ir_rvalue)+887) (BuildId: 2605846b0aace93518352675f4ba09a427565a50)
12-19 00:47:58.511 24692 24692 F DEBUG : #04 pc 0000000000464491 /vendor/lib64/dri/i965_dri.so (ir_rvalue_visitor::visit_leave(ir_expression*)+49) (BuildId: 2605846b0aace93518352675f4ba09a427565a50)
12-19 00:47:58.511 24692 24692 F DEBUG : #05 pc 0000000000461c60 /vendor/lib64/dri/i965_dri.so (ir_expression::accept(ir_hierarchical_visitor*)+80) (BuildId: 2605846b0aace93518352675f4ba09a427565a50)
12-19 00:47:58.512 24692 24692 F DEBUG : #06 pc 0000000000461c60 /vendor/lib64/dri/i965_dri.so (ir_expression::accept(ir_hierarchical_visitor*)+80) (BuildId: 2605846b0aace93518352675f4ba09a427565a50)
12-19 00:47:58.512 24692 24692 F DEBUG : #07 pc 0000000000461f7b /vendor/lib64/dri/i965_dri.so (ir_assignment::accept(ir_hierarchical_visitor*)+75) (BuildId: 2605846b0aace93518352675f4ba09a427565a50)
12-19 00:47:58.512 24692 24692 F DEBUG : #08 pc 0000000000461915 /vendor/lib64/dri/i965_dri.so (visit_list_elements(ir_hierarchical_visitor*, exec_list*, bool)+85) (BuildId: 2605846b0aace93518352675f4ba09a427565a50)
12-19 00:47:58.512 24692 24692 F DEBUG : #09 pc 000000000049dba2 /vendor/lib64/dri/i965_dri.so ((anonymous namespace)::ir_constant_propagation_visitor::visit_enter(ir_function_signature*)+98) (BuildId: 2605846b0aace93518352675f4ba09a427565a50)
12-19 00:47:58.512 24692 24692 F DEBUG : #10 pc 0000000000461a9c /vendor/lib64/dri/i965_dri.so (ir_function_signature::accept(ir_hierarchical_visitor*)+28) (BuildId: 2605846b0aace93518352675f4ba09a427565a50)
12-19 00:47:58.512 24692 24692 F DEBUG : #11 pc 0000000000461beb /vendor/lib64/dri/i965_dri.so (ir_function::accept(ir_hierarchical_visitor*)+107) (BuildId: 2605846b0aace93518352675f4ba09a427565a50)
12-19 00:47:58.512 24692 24692 F DEBUG : #12 pc 0000000000461915 /vendor/lib64/dri/i965_dri.so (visit_list_elements(ir_hierarchical_visitor*, exec_list*, bool)+85) (BuildId: 2605846b0aace93518352675f4ba09a427565a50)
12-19 00:47:58.512 24692 24692 F DEBUG : #13 pc 000000000049dac9 /vendor/lib64/dri/i965_dri.so (do_constant_propagation(exec_list*)+153) (BuildId: 2605846b0aace93518352675f4ba09a427565a50)
12-19 00:47:58.512 24692 24692 F DEBUG : #14 pc 000000000044b5f5 /vendor/lib64/dri/i965_dri.so (do_common_optimization(exec_list*, bool, bool, gl_shader_compiler_options const*, bool)+261) (BuildId: 2605846b0aace93518352675f4ba09a427565a50)
12-19 00:47:58.512 24692 24692 F DEBUG : #15 pc 000000000044b2ae /vendor/lib64/dri/i965_dri.so (_mesa_glsl_compile_shader+2510) (BuildId: 2605846b0aace93518352675f4ba09a427565a50)
12-19 00:47:58.512 24692 24692 F DEBUG : #16 pc 00000000006c2656 /vendor/lib64/dri/i965_dri.so (_mesa_compile_shader+150) (BuildId: 2605846b0aace93518352675f4ba09a427565a50)
12-19 00:47:58.512 24692 24692 F DEBUG : #17 pc 00000000006c3249 /vendor/lib64/dri/i965_dri.so (_mesa_CompileShader+57) (BuildId: 2605846b0aace93518352675f4ba09a427565a50)
12-19 00:47:58.512 24692 24692 F DEBUG : #18 pc 0000000000173641 /apex/com.android.runtime/lib64/libart.so (art_quick_generic_jni_trampoline+209) (BuildId: b7ed59cf25855a5153b1e70650e57f85)
12-19 00:47:58.512 24692 24692 F DEBUG : #19 pc 0000000000168354 /apex/com.android.runtime/lib64/libart.so (art_quick_invoke_stub+756) (BuildId: b7ed59cf25855a5153b1e70650e57f85)
12-19 00:47:58.512 24692 24692 F DEBUG : #20 pc 0000000000178bf0 /apex/com.android.runtime/lib64/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+288) (BuildId: b7ed59cf25855a5153b1e70650e57f85)
12-19 00:47:58.512 24692 24692 F DEBUG : #21 pc 000000000033b1c9 /apex/com.android.runtime/lib64/libart.so (art::interpreter::ArtInterpreterToCompiledCodeBridge(art::Thread*, art::ArtMethod*, art::ShadowFrame*, unsigned short, art::JValue*)+377) (BuildId: b7ed59cf25855a5153b1e70650e57f85)
12-19 00:47:58.512 24692 24692 F DEBUG : #22 pc 0000000000335a89 /apex/com.android.runtime/lib64/libart.so (bool art::interpreter::DoCall(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+1017) (BuildId: b7ed59cf25855a5153b1e70650e57f85)
12-19 00:47:58.512 24692 24692 F DEBUG : #23 pc 0000000000653cba /apex/com.android.runtime/lib64/libart.so (MterpInvokeInterface+1354) (BuildId: b7ed59cf25855a5153b1e70650e57f85)
12-19 00:47:58.512 24692 24692 F DEBUG : #24 pc 0000000000161a19 /apex/com.android.runtime/lib64/libart.so (mterp_op_invoke_interface+25) (BuildId: b7ed59cf25855a5153b1e70650e57f85)
12-19 00:47:58.513 24692 24692 F DEBUG : #25 pc 000000000020c0cc /data/app/com.graphicsfuzz.glesworker-6As6XVCvEklKqCbedAap2Q==/oat/x86_64/base.vdex (com.badlogic.gdx.graphics.glutils.ShaderProgram.loadShader+36)
12-19 00:47:58.513 24692 24692 F DEBUG : #26 pc 0000000000654cf1 /apex/com.android.runtime/lib64/libart.so (MterpInvokeDirect+1361) (BuildId: b7ed59cf25855a5153b1e70650e57f85)
12-19 00:47:58.513 24692 24692 F DEBUG : #27 pc 0000000000161919 /apex/com.android.runtime/lib64/libart.so (mterp_op_invoke_direct+25) (BuildId: b7ed59cf25855a5153b1e70650e57f85)
12-19 00:47:58.513 24692 24692 F DEBUG : #28 pc 000000000020c538 /data/app/com.graphicsfuzz.glesworker-6As6XVCvEklKqCbedAap2Q==/oat/x86_64/base.vdex (com.badlogic.gdx.graphics.glutils.ShaderProgram.compileShaders+24)
12-19 00:47:58.513 24692 24692 F DEBUG : #29 pc 0000000000654cf1 /apex/com.android.runtime/lib64/libart.so (MterpInvokeDirect+1361) (BuildId: b7ed59cf25855a5153b1e70650e57f85)
12-19 00:47:58.513 24692 24692 F DEBUG : #30 pc 0000000000161919 /apex/com.android.runtime/lib64/libart.so (mterp_op_invoke_direct+25) (BuildId: b7ed59cf25855a5153b1e70650e57f85)
12-19 00:47:58.513 24692 24692 F DEBUG : #31 pc 000000000020c40e /data/app/com.graphicsfuzz.glesworker-6As6XVCvEklKqCbedAap2Q==/oat/x86_64/base.vdex (com.badlogic.gdx.graphics.glutils.ShaderProgram.+278)
12-19 00:47:58.513 24692 24692 F DEBUG : #32 pc 0000000000654cf1 /apex/com.android.runtime/lib64/libart.so (MterpInvokeDirect+1361) (BuildId: b7ed59cf25855a5153b1e70650e57f85)
12-19 00:47:58.513 24692 24692 F DEBUG : #33 pc 0000000000161919 /apex/com.android.runtime/lib64/libart.so (mterp_op_invoke_direct+25) (BuildId: b7ed59cf25855a5153b1e70650e57f85)
12-19 00:47:58.513 24692 24692 F DEBUG : #34 pc 000000000058d20c /data/app/com.graphicsfuzz.glesworker-6As6XVCvEklKqCbedAap2Q==/oat/x86_64/base.vdex (com.graphicsfuzz.glesworker.MyShaderProgram.)
12-19 00:47:58.513 24692 24692 F DEBUG : #35 pc 0000000000654cf1 /apex/com.android.runtime/lib64/libart.so (MterpInvokeDirect+1361) (BuildId: b7ed59cf25855a5153b1e70650e57f85)
12-19 00:47:58.513 24692 24692 F DEBUG : #36 pc 0000000000161919 /apex/com.android.runtime/lib64/libart.so (mterp_op_invoke_direct+25) (BuildId: b7ed59cf25855a5153b1e70650e57f85)
12-19 00:47:58.513 24692 24692 F DEBUG : #37 pc 000000000058b892 /data/app/com.graphicsfuzz.glesworker-6As6XVCvEklKqCbedAap2Q==/oat/x86_64/base.vdex (com.graphicsfuzz.glesworker.Main.prepareProgram+62)
12-19 00:47:58.513 24692 24692 F DEBUG : #38 pc 000000000030880d /apex/com.android.runtime/lib64/libart.so (_ZN3art11interpreterL7ExecuteEPNS_6ThreadERKNS_20CodeItemDataAccessorERNS_11ShadowFrameENS_6JValueEbb.llvm.17217001537915276687+237) (BuildId: b7ed59cf25855a5153b1e70650e57f85)
12-19 00:47:58.513 24692 24692 F DEBUG : #39 pc 0000000000641663 /apex/com.android.runtime/lib64/libart.so (artQuickToInterpreterBridge+1203) (BuildId: b7ed59cf25855a5153b1e70650e57f85)
12-19 00:47:58.513 24692 24692 F DEBUG : #40 pc 00000000001737cc /apex/com.android.runtime/lib64/libart.so (art_quick_to_interpreter_bridge+140) (BuildId: b7ed59cf25855a5153b1e70650e57f85)
12-19 00:47:58.513 24692 24692 F DEBUG : #41 pc 0000000002014c78 /memfd:/jit-cache (deleted) (com.graphicsfuzz.glesworker.Main.render+13240)
12-19 00:47:58.513 24692 24692 F DEBUG : #42 pc 0000000000168354 /apex/com.android.runtime/lib64/libart.so (art_quick_invoke_stub+756) (BuildId: b7ed59cf25855a5153b1e70650e57f85)
12-19 00:47:58.513 24692 24692 F DEBUG : #43 pc 0000000000178bf0 /apex/com.android.runtime/lib64/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+288) (BuildId: b7ed59cf25855a5153b1e70650e57f85)
12-19 00:47:58.513 24692 24692 F DEBUG : #44 pc 000000000033b1c9 /apex/com.android.runtime/lib64/libart.so (art::interpreter::ArtInterpreterToCompiledCodeBridge(art::Thread*, art::ArtMethod*, art::ShadowFrame*, unsigned short, art::JValue*)+377) (BuildId: b7ed59cf25855a5153b1e70650e57f85)
12-19 00:47:58.513 24692 24692 F DEBUG : #45 pc 0000000000335a89 /apex/com.android.runtime/lib64/libart.so (bool art::interpreter::DoCall(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+1017) (BuildId: b7ed59cf25855a5153b1e70650e57f85)
12-19 00:47:58.513 24692 24692 F DEBUG : #46 pc 0000000000653cba /apex/com.android.runtime/lib64/libart.so (MterpInvokeInterface+1354) (BuildId: b7ed59cf25855a5153b1e70650e57f85)
12-19 00:47:58.513 24692 24692 F DEBUG : #47 pc 0000000000161a19 /apex/com.android.runtime/lib64/libart.so (mterp_op_invoke_interface+25) (BuildId: b7ed59cf25855a5153b1e70650e57f85)
12-19 00:47:58.514 24692 24692 F DEBUG : #48 pc 00000000001b68c8 /data/app/com.graphicsfuzz.glesworker-6As6XVCvEklKqCbedAap2Q==/oat/x86_64/base.vdex (com.badlogic.gdx.backends.android.AndroidGraphics.onDrawFrame+468)
12-19 00:47:58.514 24692 24692 F DEBUG : #49 pc 0000000000653fcd /apex/com.android.runtime/lib64/libart.so (MterpInvokeInterface+2141) (BuildId: b7ed59cf25855a5153b1e70650e57f85)
12-19 00:47:58.514 24692 24692 F DEBUG : #50 pc 0000000000161a19 /apex/com.android.runtime/lib64/libart.so (mterp_op_invoke_interface+25) (BuildId: b7ed59cf25855a5153b1e70650e57f85)
12-19 00:47:58.514 24692 24692 F DEBUG : #51 pc 00000000002d2456 /system/framework/framework.jar (android.opengl.GLSurfaceView$GLThread.guardedRun+1086)
12-19 00:47:58.514 24692 24692 F DEBUG : #52 pc 0000000000654cf1 /apex/com.android.runtime/lib64/libart.so (MterpInvokeDirect+1361) (BuildId: b7ed59cf25855a5153b1e70650e57f85)
12-19 00:47:58.514 24692 24692 F DEBUG : #53 pc 0000000000161919 /apex/com.android.runtime/lib64/libart.so (mterp_op_invoke_direct+25) (BuildId: b7ed59cf25855a5153b1e70650e57f85)
12-19 00:47:58.514 24692 24692 F DEBUG : #54 pc 00000000002d2a50 /system/framework/framework.jar (android.opengl.GLSurfaceView$GLThread.run+48)
12-19 00:47:58.514 24692 24692 F DEBUG : #55 pc 000000000030880d /apex/com.android.runtime/lib64/libart.so (_ZN3art11interpreterL7ExecuteEPNS_6ThreadERKNS_20CodeItemDataAccessorERNS_11ShadowFrameENS_6JValueEbb.llvm.17217001537915276687+237) (BuildId: b7ed59cf25855a5153b1e70650e57f85)
12-19 00:47:58.514 24692 24692 F DEBUG : #56 pc 0000000000641663 /apex/com.android.runtime/lib64/libart.so (artQuickToInterpreterBridge+1203) (BuildId: b7ed59cf25855a5153b1e70650e57f85)
12-19 00:47:58.514 24692 24692 F DEBUG : #57 pc 00000000001737cc /apex/com.android.runtime/lib64/libart.so (art_quick_to_interpreter_bridge+140) (BuildId: b7ed59cf25855a5153b1e70650e57f85)
12-19 00:47:58.514 24692 24692 F DEBUG : #58 pc 0000000000168354 /apex/com.android.runtime/lib64/libart.so (art_quick_invoke_stub+756) (BuildId: b7ed59cf25855a5153b1e70650e57f85)
12-19 00:47:58.514 24692 24692 F DEBUG : #59 pc 0000000000178bf0 /apex/com.android.runtime/lib64/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+288) (BuildId: b7ed59cf25855a5153b1e70650e57f85)
12-19 00:47:58.514 24692 24692 F DEBUG : #60 pc 000000000053fa59 /apex/com.android.runtime/lib64/libart.so (art::(anonymous namespace)::InvokeWithArgArray(art::ScopedObjectAccessAlreadyRunnable const&, art::ArtMethod*, art::(anonymous namespace)::ArgArray*, art::JValue*, char const*)+89) (BuildId: b7ed59cf25855a5153b1e70650e57f85)
12-19 00:47:58.514 24692 24692 F DEBUG : #61 pc 0000000000540c75 /apex/com.android.runtime/lib64/libart.so (art::InvokeVirtualOrInterfaceWithJValues(art::ScopedObjectAccessAlreadyRunnable const&, _jobject*, _jmethodID*, jvalue const*)+437) (BuildId: b7ed59cf25855a5153b1e70650e57f85)
12-19 00:47:58.514 24692 24692 F DEBUG : #62 pc 000000000058b364 /apex/com.android.runtime/lib64/libart.so (art::Thread::CreateCallback(void*)+1444) (BuildId: b7ed59cf25855a5153b1e70650e57f85)
12-19 00:47:58.514 24692 24692 F DEBUG : #63 pc 00000000000fa8d1 /apex/com.android.runtime/lib64/bionic/libc.so (__pthread_start(void*)+33) (BuildId: 37af595a0fd8f93364df0fa3e99ebe0e)
12-19 00:47:58.514 24692 24692 F DEBUG : #64 pc 00000000000963b7 /apex/com.android.runtime/lib64/bionic/libc.so (__start_thread+55) (BuildId: 37af595a0fd8f93364df0fa3e99ebe0e)
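Added example, not code from the report or from Mesa: a hypothetical constant-folding path that shows how a negative signed shader index arrives at an `unsigned` parameter like the one in `ir_constant(ir_constant const*, unsigned int)` as a huge value (4294947814 is what -19482 becomes modulo 2^32; that inference from the value is an assumption, the report does not state the original index), and the bounds check that makes the fold fail closed instead of reading past the constant's element array. `ArrayConstant`, `sample_array`, `as_unsigned_index` and `fold_checked` are stand-ins written for this illustration, not Mesa's ir_constant API.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <vector>

// Stand-in for a folded constant array (hypothetical; not Mesa's ir_constant).
struct ArrayConstant {
    std::vector<int32_t> elements;   // one value per array element
};

// Constructed sample: a 4-element constant array, so both indices seen in the
// report's debug log (1707 and 4294947814) fall outside it.
static ArrayConstant sample_array() { return ArrayConstant{{10, 20, 30, 40}}; }

// A GLSL array index is a signed int; passing it through an 'unsigned'
// parameter wraps a negative index modulo 2^32. -19482 becomes 4294947814,
// the value the crashing call received.
static unsigned as_unsigned_index(int32_t signed_idx) {
    return static_cast<unsigned>(signed_idx);
}

enum class FoldStatus { Folded, OutOfRange };
struct FoldResult {
    FoldStatus status;
    int32_t value;   // meaningful only when status == Folded
};

// Checked fold of arr[idx]. An out-of-range index is reported rather than
// dereferenced, so the optimizer can leave the expression un-folded (or the
// front end can reject the shader) instead of reading past the element array.
static FoldResult fold_checked(const ArrayConstant& arr, unsigned idx) {
    // Compare as size_t: a huge unsigned index cannot wrap past this check.
    if (static_cast<size_t>(idx) >= arr.elements.size())
        return {FoldStatus::OutOfRange, 0};
    return {FoldStatus::Folded, arr.elements[idx]};
}

int main() {
    ArrayConstant arr = sample_array();
    const unsigned indices[] = {1u, 1707u, as_unsigned_index(-19482)};
    for (unsigned idx : indices) {
        FoldResult r = fold_checked(arr, idx);
        if (r.status == FoldStatus::Folded)
            std::cout << "arr[" << idx << "] folds to " << r.value << "\n";
        else
            std::cout << "arr[" << idx << "] is out of range; not folded\n";
    }
    return 0;
}
```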
Edited by Alejandro Piñeiro