GPUOpen-Drivers / llpc

LLVM-Based Pipeline Compiler
MIT License

AddressSanitizer: use-after-poison /vulkandriver/drivers/llvm-project/llvm/include/llvm/CodeGen/MachineInstr.h:281:43 in getParent #947

Closed afd closed 3 years ago

afd commented 4 years ago

Found using a build with assertions ON and sanitizers ON, using these commit hashes:

/vulkandriver/drivers/AMDVLK 88d3e8e911055fe9c6a7ae1960b9fae13a70a9cf
/vulkandriver/drivers/llpc aacd74a46f62e652b63cfb2b6f145f6e489d74d4
/vulkandriver/drivers/llvm-project ccbc834ac4f92e63a9a003bd5a18cb9fcf3c6121
/vulkandriver/drivers/pal 9074bd0bdaf67fa84399dfabed3ec437951838f8
/vulkandriver/drivers/spvgen c054813a9a894e32aaaa04c6717a667c15f60cfd
/vulkandriver/drivers/third_party/cwpack 7387247eb9889ddcabbc1053b9c2052e253b088e
/vulkandriver/drivers/third_party/metrohash 712f76fee75d69b23a1ea8f6465752c3ccaaf9a2
/vulkandriver/drivers/xgl 598c6832a4983f5b75b38a589fca5be80a2f3bb0

Sanitizers are required to trigger this issue. Assertions should not be required.

Files needed to reproduce the issue

Command to reproduce the issue:

amdllpc -gfxip=9.0.0 -verify-ir -auto-layout-desc tofile/shader.frag.spv -o temp.out

I see this output:

==2278879==ERROR: AddressSanitizer: use-after-poison on address 0x6210001a3cb0 at pc 0x000006da0c70 bp 0x7ffd9ceab180 sp 0x7ffd9ceab178
READ of size 8 at 0x6210001a3cb0 thread T0
    #0 0x6da0c6f in getParent /vulkandriver/drivers/llvm-project/llvm/include/llvm/CodeGen/MachineInstr.h:281:43
    #1 0x6da0c6f in llvm::LiveVariables::VarInfo::findKill(llvm::MachineBasicBlock const*) const /vulkandriver/drivers/llvm-project/llvm/lib/CodeGen/LiveVariables.cpp:62:19
    #2 0x752ca17 in rescheduleMIBelowKill /vulkandriver/drivers/llvm-project/llvm/lib/CodeGen/TwoAddressInstructionPass.cpp:735:34
    #3 0x752ca17 in (anonymous namespace)::TwoAddressInstructionPass::tryInstructionTransform(llvm::MachineInstrBundleIterator<llvm::MachineInstr, false>&, llvm::MachineInstrBundleIterator<llvm::MachineInstr, false>&, unsigned int, unsigned int, unsigned int, bool) /vulkandriver/drivers/llvm-project/llvm/lib/CodeGen/TwoAddressInstructionPass.cpp:1153:42
    #4 0x7525763 in (anonymous namespace)::TwoAddressInstructionPass::runOnMachineFunction(llvm::MachineFunction&) /vulkandriver/drivers/llvm-project/llvm/lib/CodeGen/TwoAddressInstructionPass.cpp:1595:15
    #5 0x6eda549 in llvm::MachineFunctionPass::runOnFunction(llvm::Function&) /vulkandriver/drivers/llvm-project/llvm/lib/CodeGen/MachineFunctionPass.cpp:73:13
    #6 0xa04dfc1 in llvm::FPPassManager::runOnFunction(llvm::Function&) /vulkandriver/drivers/llvm-project/llvm/lib/IR/LegacyPassManager.cpp:1587:27
    #7 0x637715e in RunPassOnSCC /vulkandriver/drivers/llvm-project/llvm/lib/Analysis/CallGraphSCCPass.cpp:177:25
    #8 0x637715e in RunAllPassesOnSCC /vulkandriver/drivers/llvm-project/llvm/lib/Analysis/CallGraphSCCPass.cpp:470:16
    #9 0x637715e in (anonymous namespace)::CGPassManager::runOnModule(llvm::Module&) /vulkandriver/drivers/llvm-project/llvm/lib/Analysis/CallGraphSCCPass.cpp:526:18
    #10 0xa04ee2f in runOnModule /vulkandriver/drivers/llvm-project/llvm/lib/IR/LegacyPassManager.cpp:1702:27
    #11 0xa04ee2f in llvm::legacy::PassManagerImpl::run(llvm::Module&) /vulkandriver/drivers/llvm-project/llvm/lib/IR/LegacyPassManager.cpp:614:44
    #12 0x53e500b in lgc::PipelineState::generate(std::unique_ptr<llvm::Module, std::default_delete<llvm::Module> >, llvm::raw_pwrite_stream&, std::function<unsigned int (llvm::Module const*, unsigned int, llvm::ArrayRef<llvm::ArrayRef<unsigned char> >)>, llvm::ArrayRef<llvm::Timer*>, llvm::MemoryBufferRef) /vulkandriver/drivers/llpc/lgc/state/Compiler.cpp:203:12
    #13 0x4df7198 in Llpc::Compiler::buildPipelineInternal(Llpc::Context*, llvm::ArrayRef<Vkgc::PipelineShaderInfo const*>, bool, llvm::SmallString<1024u>*) /vulkandriver/drivers/llpc/llpc/context/llpcCompiler.cpp:1215:17
    #14 0x4dfdfaa in Llpc::Compiler::buildGraphicsPipelineInternal(Llpc::GraphicsContext*, llvm::ArrayRef<Vkgc::PipelineShaderInfo const*>, bool, llvm::SmallString<1024u>*) /vulkandriver/drivers/llpc/llpc/context/llpcCompiler.cpp:1433:14
    #15 0x4dfeee6 in Llpc::Compiler::BuildGraphicsPipeline(Vkgc::GraphicsPipelineBuildInfo const*, Llpc::GraphicsPipelineBuildOut*, void*) /vulkandriver/drivers/llpc/llpc/context/llpcCompiler.cpp:1517:14
    #16 0x4dc34c8 in buildPipeline /vulkandriver/drivers/llpc/llpc/tool/amdllpc.cpp:1055:24
    #17 0x4dc34c8 in processPipeline(Llpc::ICompiler*, llvm::ArrayRef<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, unsigned int, unsigned int*) /vulkandriver/drivers/llpc/llpc/tool/amdllpc.cpp:1493:16
    #18 0x4dbb997 in main /vulkandriver/drivers/llpc/llpc/tool/amdllpc.cpp:1661:16
    #19 0x7f5158774cc9 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x26cc9)
    #20 0x4dba029 in _start (/data/temp/llpc-from-docker/amdllpc+0x4dba029)

0x6210001a3cb0 is located 4016 bytes inside of 4096-byte region [0x6210001a2d00,0x6210001a3d00)
allocated by thread T0 here:
    #0 0x7f5158d6131d in operator new(unsigned long) /build/llvm-toolchain-9-uSl4bC/llvm-toolchain-9-9/projects/compiler-rt/lib/asan/asan_new_delete.cc:99:3
    #1 0x54dc395 in Allocate /vulkandriver/drivers/llvm-project/llvm/include/llvm/Support/AllocatorBase.h:85:12
    #2 0x54dc395 in llvm::BumpPtrAllocatorImpl<llvm::MallocAllocator, 4096ul, 4096ul, 128ul>::StartNewSlab() /vulkandriver/drivers/llvm-project/llvm/include/llvm/Support/Allocator.h:336:19
    #3 0x54dbdf4 in llvm::BumpPtrAllocatorImpl<llvm::MallocAllocator, 4096ul, 4096ul, 128ul>::Allocate(unsigned long, llvm::Align) /vulkandriver/drivers/llvm-project/llvm/include/llvm/Support/Allocator.h:188:5
    #4 0x6eabaf1 in Allocate /vulkandriver/drivers/llvm-project/llvm/include/llvm/Support/Allocator.h:202:12
    #5 0x6eabaf1 in operator new<llvm::MallocAllocator, 4096, 4096, 128> /vulkandriver/drivers/llvm-project/llvm/include/llvm/Support/Allocator.h:438:20
    #6 0x6eabaf1 in llvm::MachineFunction::init() /vulkandriver/drivers/llvm-project/llvm/lib/CodeGen/MachineFunction.cpp:160:15
    #7 0x6f720fa in llvm::MachineModuleInfo::getOrCreateMachineFunction(llvm::Function&) /vulkandriver/drivers/llvm-project/llvm/lib/CodeGen/MachineModuleInfo.cpp:241:14
    #8 0x6eda474 in llvm::MachineFunctionPass::runOnFunction(llvm::Function&) /vulkandriver/drivers/llvm-project/llvm/lib/CodeGen/MachineFunctionPass.cpp:45:29
    #9 0xa04dfc1 in llvm::FPPassManager::runOnFunction(llvm::Function&) /vulkandriver/drivers/llvm-project/llvm/lib/IR/LegacyPassManager.cpp:1587:27
    #10 0x637715e in RunPassOnSCC /vulkandriver/drivers/llvm-project/llvm/lib/Analysis/CallGraphSCCPass.cpp:177:25
    #11 0x637715e in RunAllPassesOnSCC /vulkandriver/drivers/llvm-project/llvm/lib/Analysis/CallGraphSCCPass.cpp:470:16
    #12 0x637715e in (anonymous namespace)::CGPassManager::runOnModule(llvm::Module&) /vulkandriver/drivers/llvm-project/llvm/lib/Analysis/CallGraphSCCPass.cpp:526:18
    #13 0xa04ee2f in runOnModule /vulkandriver/drivers/llvm-project/llvm/lib/IR/LegacyPassManager.cpp:1702:27
    #14 0xa04ee2f in llvm::legacy::PassManagerImpl::run(llvm::Module&) /vulkandriver/drivers/llvm-project/llvm/lib/IR/LegacyPassManager.cpp:614:44
    #15 0x53e500b in lgc::PipelineState::generate(std::unique_ptr<llvm::Module, std::default_delete<llvm::Module> >, llvm::raw_pwrite_stream&, std::function<unsigned int (llvm::Module const*, unsigned int, llvm::ArrayRef<llvm::ArrayRef<unsigned char> >)>, llvm::ArrayRef<llvm::Timer*>, llvm::MemoryBufferRef) /vulkandriver/drivers/llpc/lgc/state/Compiler.cpp:203:12
    #16 0x4df7198 in Llpc::Compiler::buildPipelineInternal(Llpc::Context*, llvm::ArrayRef<Vkgc::PipelineShaderInfo const*>, bool, llvm::SmallString<1024u>*) /vulkandriver/drivers/llpc/llpc/context/llpcCompiler.cpp:1215:17
    #17 0x4dfdfaa in Llpc::Compiler::buildGraphicsPipelineInternal(Llpc::GraphicsContext*, llvm::ArrayRef<Vkgc::PipelineShaderInfo const*>, bool, llvm::SmallString<1024u>*) /vulkandriver/drivers/llpc/llpc/context/llpcCompiler.cpp:1433:14
    #18 0x4dfeee6 in Llpc::Compiler::BuildGraphicsPipeline(Vkgc::GraphicsPipelineBuildInfo const*, Llpc::GraphicsPipelineBuildOut*, void*) /vulkandriver/drivers/llpc/llpc/context/llpcCompiler.cpp:1517:14
    #19 0x4dc34c8 in buildPipeline /vulkandriver/drivers/llpc/llpc/tool/amdllpc.cpp:1055:24
    #20 0x4dc34c8 in processPipeline(Llpc::ICompiler*, llvm::ArrayRef<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, unsigned int, unsigned int*) /vulkandriver/drivers/llpc/llpc/tool/amdllpc.cpp:1493:16
    #21 0x4dbb997 in main /vulkandriver/drivers/llpc/llpc/tool/amdllpc.cpp:1661:16
    #22 0x7f5158774cc9 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x26cc9)

SUMMARY: AddressSanitizer: use-after-poison /vulkandriver/drivers/llvm-project/llvm/include/llvm/CodeGen/MachineInstr.h:281:43 in getParent

Issue found by the GraphicsFuzz project.
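
The report above places the faulting address inside a 4096-byte BumpPtrAllocator slab, and ASan reports use-after-poison for memory marked dead through its manual-poisoning interface, which is why a sanitizer build is needed to see the stale read. The toy arena below is an added illustration, not code from this issue or from LLVM; `struct instr`, `arena_new`, `arena_delete`, `read_parent` and `stale_read_demo` are hypothetical names and the stale-pointer scenario is constructed.

```c
/* Added illustration: toy bump arena with manual ASan poisoning (hypothetical, not LLVM code). */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#ifndef __has_feature
#  define __has_feature(x) 0
#endif
#if defined(__SANITIZE_ADDRESS__) || __has_feature(address_sanitizer)
#  include <sanitizer/asan_interface.h>
#  define ASAN_ON 1
#  define IS_POISONED(p) __asan_address_is_poisoned(p)
#else
#  define ASAN_ON 0
#  define ASAN_POISON_MEMORY_REGION(p, n)   ((void)(p), (void)(n))
#  define ASAN_UNPOISON_MEMORY_REGION(p, n) ((void)(p), (void)(n))
#  define IS_POISONED(p) 0
#endif

struct instr { int parent_block; int opcode; };  /* hypothetical arena object */
static unsigned char *slab;                      /* one slab, sized like the region in the report */
static size_t slab_used;

static struct instr *arena_new(int parent, int opcode) {
    struct instr *i = (struct instr *)(slab + slab_used);
    slab_used += sizeof *i;
    ASAN_UNPOISON_MEMORY_REGION(i, sizeof *i);   /* live objects are addressable */
    i->parent_block = parent; i->opcode = opcode;
    return i;
}

/* Deleting does not return storage to the heap; the bytes are only marked dead. */
static void arena_delete(struct instr *i) { ASAN_POISON_MEMORY_REGION(i, sizeof *i); }

/* -1 when ASan knows the object is dead; an unchecked read here is the kind of READ reported. */
static int read_parent(const struct instr *i) { return IS_POISONED(i) ? -1 : i->parent_block; }

int stale_read_demo(void) {
    if (!slab && !(slab = malloc(4096))) return -2;
    slab_used = 0;
    ASAN_POISON_MEMORY_REGION(slab, 4096);  /* a fresh slab starts fully poisoned */
    struct instr *mi = arena_new(7, 42);
    const struct instr *cached = mi;        /* constructed scenario: a side table keeps the pointer */
    arena_delete(mi);                       /* object erased, side table not updated */
    return read_parent(cached);             /* 7 without ASan (silent stale read), -1 with ASan */
}

int main(void) { printf("stale read -> %d\n", stale_read_demo()); return 0; }
```

Built with -fsanitize=address and with the `IS_POISONED` guard removed, the same read aborts with a use-after-poison report; in a plain build it returns the old value without any fault.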

ruiling commented 3 years ago

How to build xgl with asan enabled? I tried on Ubuntu 18.04, and I failed to generate the makefile through "cmake $xgl_path -DCMAKE_BUILD_TYPE=RelWithDebInfo -DXGL_USE_SANITIZER=Address". I got the error message "Host compiler appears to require libatomic, but cannot find it.", but I have already installed libatomic-ops-dev libatomic1:amd64. Do you have any idea? @afd @kuhar

kuhar commented 3 years ago

@ruiling see https://github.com/GPUOpen-Drivers/llpc/blob/dev/docker/amdvlk.Dockerfile#L84 for complete instructions

Alternatively, you can also just grab the latest sanitizer docker image produced by the nightly cron job with something like:

sudo docker pull gcr.io/stadia-open-source/amdvlk_release_clang_sanitizers_on:nightly

ruiling commented 3 years ago

Issue fixed in llvm https://reviews.llvm.org/D89092. It will be available after the next llvm promotion. Sorry for the late reply.

kuhar commented 3 years ago

This has recently started passing: https://github.com/GPUOpen-Drivers/llpc/runs/1295716691?check_suite_focus=true

kuhar commented 3 years ago

Thanks for the fix, @ruiling. In the future, could you please add a comment with a related Phabricator revision before it's actually committed, so that we get a chance to participate in code review or downstream testing too?

ruiling commented 3 years ago

Sounds like a good idea, thanks for the advice @kuhar