[impeller] vulkan has a CommandBuffer memory corruption bug #125147

@gaaclarke

steps to reproduce

  • run the impeller_unittests with MallocScribble on macOS arm64

example failure

console output

[ RUN      ] Play/AiksTest.CanRenderTiledTextureClamp/Vulkan
2023-04-19 10:49:02.199395-0700 impeller_unittests[26237:833497] Execution of the command buffer was aborted due to an error during execution. Invalid Resource (00000009:kIOGPUCommandBufferCallbackErrorInvalidResource)
2023-04-19 10:49:02.199629-0700 impeller_unittests[26237:833497] Execution of the command buffer was aborted due to an error during execution. Invalid Resource (00000009:kIOGPUCommandBufferCallbackErrorInvalidResource)
[mvk-error] VK_ERROR_DEVICE_LOST: MTLCommandBuffer "vkQueueSubmit CommandBuffer on Queue 0-0" execution failed (code 9): Invalid Resource (00000009:kIOGPUCommandBufferCallbackErrorInvalidResource)

stacktrace

Notice that the address is 0x5555555555555555, which is a scribbled region of memory that is getting read.

* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x5555555555555555)
  * frame #0: 0x00000001232ba3cc libvulkan.1.3.243.dylib`vkFreeCommandBuffers + 20
    frame #1: 0x0000000102aac390 impeller_unittests`void impeller::vk::PoolFree<impeller::vk::Device, impeller::vk::CommandPool, impeller::vk::DispatchLoaderDynamic>::destroy<impeller::vk::CommandBuffer>(impeller::vk::CommandBuffer) [inlined] void impeller::vk::Device::free<impeller::vk::DispatchLoaderDynamic>(this=0x000000010fbeb780, commandPool=(m_commandPool = 0x0000000110021400), commandBuffers=0x000000016fdfc8a8, d=0x00000001044787b0) const at vulkan_funcs.hpp:3456:5
    frame #2: 0x0000000102aac2b0 impeller_unittests`void impeller::vk::PoolFree<impeller::vk::Device, impeller::vk::CommandPool, impeller::vk::DispatchLoaderDynamic>::destroy<impeller::vk::CommandBuffer>(this=0x000000010fbeb780, t=(m_commandBuffer = 0x000000010f82bb78)) at vulkan.hpp:5634:9
    frame #3: 0x0000000102aac674 impeller_unittests`impeller::vk::UniqueHandle<impeller::vk::CommandBuffer, impeller::vk::DispatchLoaderDynamic>::~UniqueHandle(this=0x000000010fbeb780) at vulkan.hpp:1224:15
    frame #4: 0x0000000102aaad18 impeller_unittests`impeller::vk::UniqueHandle<impeller::vk::CommandBuffer, impeller::vk::DispatchLoaderDynamic>::~UniqueHandle(this=0x000000010fbeb780) at vulkan.hpp:1221:5
    frame #5: 0x0000000102abac84 impeller_unittests`impeller::SharedObjectVKT<impeller::vk::CommandBuffer>::~SharedObjectVKT(this=0x000000010fbeb778) at shared_object_vk.h:20:7
    frame #6: 0x0000000102abaa8c impeller_unittests`impeller::SharedObjectVKT<impeller::vk::CommandBuffer>::~SharedObjectVKT(this=0x000000010fbeb778) at shared_object_vk.h:20:7
    frame #7: 0x0000000102aba770 impeller_unittests`std::_LIBCPP_ABI_NAMESPACE::__shared_ptr_emplace<impeller::SharedObjectVKT<impeller::vk::CommandBuffer>, std::_LIBCPP_ABI_NAMESPACE::allocator<impeller::SharedObjectVKT<impeller::vk::CommandBuffer> > >::__on_zero_shared(this=0x000000010fbeb760) at shared_ptr.h:311:24
    frame #8: 0x00000001000292c0 impeller_unittests`std::_LIBCPP_ABI_NAMESPACE::__shared_count::__release_shared[abi:v15000](this=0x000000010fbeb760) at shared_ptr.h:174:9
    frame #9: 0x000000010002922c impeller_unittests`std::_LIBCPP_ABI_NAMESPACE::__shared_weak_count::__release_shared[abi:v15000](this=0x000000010fbeb760) at shared_ptr.h:215:27
    frame #10: 0x0000000102aca920 impeller_unittests`std::_LIBCPP_ABI_NAMESPACE::shared_ptr<impeller::SharedObjectVKT<impeller::vk::CommandBuffer> >::~shared_ptr[abi:v15000](this=0x000000010fbd6100) at shared_ptr.h:702:23
    frame #11: 0x0000000102ab8dd4 impeller_unittests`std::_LIBCPP_ABI_NAMESPACE::shared_ptr<impeller::SharedObjectVKT<impeller::vk::CommandBuffer> >::~shared_ptr[abi:v15000](this=0x000000010fbd6100) at shared_ptr.h:700:5
    frame #12: 0x0000000102ac7a80 impeller_unittests`void std::_LIBCPP_ABI_NAMESPACE::allocator_traits<std::_LIBCPP_ABI_NAMESPACE::allocator<std::_LIBCPP_ABI_NAMESPACE::__tree_node<std::_LIBCPP_ABI_NAMESPACE::shared_ptr<impeller::SharedObjectVKT<impeller::vk::CommandBuffer> >, void*> > >::destroy[abi:v15000]<std::_LIBCPP_ABI_NAMESPACE::shared_ptr<impeller::SharedObjectVKT<impeller::vk::CommandBuffer> >, void, void>((null)=0x000000010f82b7c8, __p=0x000000010fbd6100) at allocator_traits.h:319:15
    frame #13: 0x0000000102ac7948 impeller_unittests`std::_LIBCPP_ABI_NAMESPACE::__tree<std::_LIBCPP_ABI_NAMESPACE::shared_ptr<impeller::SharedObjectVKT<impeller::vk::CommandBuffer> >, std::_LIBCPP_ABI_NAMESPACE::less<std::_LIBCPP_ABI_NAMESPACE::shared_ptr<impeller::SharedObjectVKT<impeller::vk::CommandBuffer> > >, std::_LIBCPP_ABI_NAMESPACE::allocator<std::_LIBCPP_ABI_NAMESPACE::shared_ptr<impeller::SharedObjectVKT<impeller::vk::CommandBuffer> > > >::destroy(this=0x000000010f82b7c0, __nd=0x000000010fbd60e0) at __tree:1799:9
    frame #14: 0x0000000102ac7888 impeller_unittests`std::_LIBCPP_ABI_NAMESPACE::__tree<std::_LIBCPP_ABI_NAMESPACE::shared_ptr<impeller::SharedObjectVKT<impeller::vk::CommandBuffer> >, std::_LIBCPP_ABI_NAMESPACE::less<std::_LIBCPP_ABI_NAMESPACE::shared_ptr<impeller::SharedObjectVKT<impeller::vk::CommandBuffer> > >, std::_LIBCPP_ABI_NAMESPACE::allocator<std::_LIBCPP_ABI_NAMESPACE::shared_ptr<impeller::SharedObjectVKT<impeller::vk::CommandBuffer> > > >::~__tree(this=0x000000010f82b7c0) at __tree:1787:3
    frame #15: 0x0000000102ac781c impeller_unittests`std::_LIBCPP_ABI_NAMESPACE::__tree<std::_LIBCPP_ABI_NAMESPACE::shared_ptr<impeller::SharedObjectVKT<impeller::vk::CommandBuffer> >, std::_LIBCPP_ABI_NAMESPACE::less<std::_LIBCPP_ABI_NAMESPACE::shared_ptr<impeller::SharedObjectVKT<impeller::vk::CommandBuffer> > >, std::_LIBCPP_ABI_NAMESPACE::allocator<std::_LIBCPP_ABI_NAMESPACE::shared_ptr<impeller::SharedObjectVKT<impeller::vk::CommandBuffer> > > >::~__tree(this=0x000000010f82b7c0) at __tree:1784:1
    frame #16: 0x0000000102ac77bc impeller_unittests`std::_LIBCPP_ABI_NAMESPACE::set<std::_LIBCPP_ABI_NAMESPACE::shared_ptr<impeller::SharedObjectVKT<impeller::vk::CommandBuffer> >, std::_LIBCPP_ABI_NAMESPACE::less<std::_LIBCPP_ABI_NAMESPACE::shared_ptr<impeller::SharedObjectVKT<impeller::vk::CommandBuffer> > >, std::_LIBCPP_ABI_NAMESPACE::allocator<std::_LIBCPP_ABI_NAMESPACE::shared_ptr<impeller::SharedObjectVKT<impeller::vk::CommandBuffer> > > >::~set[abi:v15000](this=0x000000010f82b7c0) at set:676:5
    frame #17: 0x0000000102ab82a8 impeller_unittests`std::_LIBCPP_ABI_NAMESPACE::set<std::_LIBCPP_ABI_NAMESPACE::shared_ptr<impeller::SharedObjectVKT<impeller::vk::CommandBuffer> >, std::_LIBCPP_ABI_NAMESPACE::less<std::_LIBCPP_ABI_NAMESPACE::shared_ptr<impeller::SharedObjectVKT<impeller::vk::CommandBuffer> > >, std::_LIBCPP_ABI_NAMESPACE::allocator<std::_LIBCPP_ABI_NAMESPACE::shared_ptr<impeller::SharedObjectVKT<impeller::vk::CommandBuffer> > > >::~set[abi:v15000](this=0x000000010f82b7c0) at set:674:12
    frame #18: 0x0000000102ab8230 impeller_unittests`impeller::CommandPoolVK::~CommandPoolVK(this=0x000000010f82b750) at command_pool_vk.cc:85:31
    frame #19: 0x0000000102ab8368 impeller_unittests`impeller::CommandPoolVK::~CommandPoolVK(this=0x000000010f82b750) at command_pool_vk.cc:85:31
    frame #20: 0x0000000102abffe4 impeller_unittests`std::_LIBCPP_ABI_NAMESPACE::default_delete<impeller::CommandPoolVK>::operator(this=0x000000010f828238, __ptr=0x000000010f82b750)[abi:v15000](impeller::CommandPoolVK*) const at unique_ptr.h:48:5
    frame #21: 0x0000000102abfb90 impeller_unittests`std::_LIBCPP_ABI_NAMESPACE::__shared_ptr_pointer<impeller::CommandPoolVK*, std::_LIBCPP_ABI_NAMESPACE::shared_ptr<impeller::CommandPoolVK>::__shared_ptr_default_delete<impeller::CommandPoolVK, impeller::CommandPoolVK>, std::_LIBCPP_ABI_NAMESPACE::allocator<impeller::CommandPoolVK> >::__on_zero_shared(this=0x000000010f828220) at shared_ptr.h:263:5
    frame #22: 0x00000001000292c0 impeller_unittests`std::_LIBCPP_ABI_NAMESPACE::__shared_count::__release_shared[abi:v15000](this=0x000000010f828220) at shared_ptr.h:174:9
    frame #23: 0x000000010002922c impeller_unittests`std::_LIBCPP_ABI_NAMESPACE::__shared_weak_count::__release_shared[abi:v15000](this=0x000000010f828220) at shared_ptr.h:215:27
    frame #24: 0x0000000102aace70 impeller_unittests`std::_LIBCPP_ABI_NAMESPACE::shared_ptr<impeller::CommandPoolVK>::~shared_ptr[abi:v15000](this=0x000000016fdfcee8) at shared_ptr.h:702:23
    frame #25: 0x0000000102aacb84 impeller_unittests`std::_LIBCPP_ABI_NAMESPACE::shared_ptr<impeller::CommandPoolVK>::~shared_ptr[abi:v15000](this=0x000000016fdfcee8) at shared_ptr.h:700:5
    frame #26: 0x0000000102ab72e8 impeller_unittests`std::_LIBCPP_ABI_NAMESPACE::shared_ptr<impeller::CommandPoolVK>::operator=[abi:v15000](this=0x000000010f826468, __r=0x000000016fdfcfa0) at shared_ptr.h:708:9
    frame #27: 0x0000000102ab6c44 impeller_unittests`impeller::CommandPoolVK::GetThreadLocal(context=0x000000010fa57120) at command_pool_vk.cc:44:21
    frame #28: 0x0000000102ad70f0 impeller_unittests`impeller::ContextVK::CreateGraphicsCommandEncoder(this=0x000000010fa57120) const at context_vk.cc:478:19
    frame #29: 0x0000000102ad6fb8 impeller_unittests`impeller::ContextVK::CreateCommandBuffer(this=0x000000010fa57120) const at context_vk.cc:401:18
    frame #30: 0x0000000102ba6b60 impeller_unittests`impeller::TextureVK::OnSetContents(this=0x000000010fa5cf88, contents="...", length=1110208, slice=0) at texture_vk.cc:60:30
    frame #31: 0x0000000102ba72a0 impeller_unittests`impeller::TextureVK::OnSetContents(this=0x000000010fa5cf88, mapping=shared_ptr<const fml::Mapping> @ 0x000000016fdfd8f0, slice=0) at texture_vk.cc:116:10
    frame #32: 0x0000000100db141c impeller_unittests`impeller::Texture::SetContents(this=0x000000010fa5cf88, mapping=shared_ptr<const fml::Mapping> @ 0x000000016fdfdbb8, slice=0) at texture.cc:38:8
    frame #33: 0x0000000100371cdc impeller_unittests`impeller::CreateTextureForDecompressedImage(context=0x000000016fdfe5d8, decompressed_image=0x000000016fdfe4e0, enable_mipmapping=false) at playground.cc:465:30
    frame #34: 0x000000010037139c impeller_unittests`impeller::Playground::CreateTextureForMapping(context=0x000000016fdfe5d8, mapping=<unavailable>, enable_mipmapping=false) at playground.cc:484:10
    frame #35: 0x0000000100371f24 impeller_unittests`impeller::Playground::CreateTextureForFixture(this=0x000000010fbdb880, fixture_name="kalimba.jpg", enable_mipmapping=false) const at playground.cc:491:18
    frame #36: 0x000000010014c3a8 impeller_unittests`impeller::testing::AiksTest_CanRenderInvertedImage_Test::TestBody(this=0x000000010fbdb880) at aiks_unittests.cc:126:40
    frame #37: 0x00000001032d744c impeller_unittests`void testing::internal::HandleSehExceptionsInMethodIfSupported<testing::Test, void>(object=0x000000010fbdb880, method=20 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00, location="the test body")(), char const*) at gtest.cc:2631:10
    frame #38: 0x00000001032aa608 impeller_unittests`void testing::internal::HandleExceptionsInMethodIfSupported<testing::Test, void>(object=0x000000010fbdb880, method=20 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00, location="the test body")(), char const*) at gtest.cc:2686:12
    frame #39: 0x00000001032aa524 impeller_unittests`testing::Test::Run(this=0x000000010fbdb880) at gtest.cc:2706:5
    frame #40: 0x00000001032ab338 impeller_unittests`testing::TestInfo::Run(this=0x000000010e631b50) at gtest.cc:2885:11
    frame #41: 0x00000001032ac980 impeller_unittests`testing::TestSuite::Run(this=0x000000010e62fcf0) at gtest.cc:3044:30
    frame #42: 0x00000001032b9398 impeller_unittests`testing::internal::UnitTestImpl::RunAllTests(this=0x000000010e60d2e0) at gtest.cc:5913:44
    frame #43: 0x00000001032dead4 impeller_unittests`bool testing::internal::HandleSehExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(object=0x000000010e60d2e0, method=80 8f 2b 03 01 00 00 00 00 00 00 00 00 00 00 00, location="auxiliary test code (environments or event listeners)")(), char const*) at gtest.cc:2631:10
    frame #44: 0x00000001032b8ec8 impeller_unittests`bool testing::internal::HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(object=0x000000010e60d2e0, method=80 8f 2b 03 01 00 00 00 00 00 00 00 00 00 00 00, location="auxiliary test code (environments or event listeners)")(), char const*) at gtest.cc:2686:12
    frame #45: 0x00000001032b8d34 impeller_unittests`testing::UnitTest::Run(this=0x0000000104aa9fe8) at gtest.cc:5482:10
    frame #46: 0x0000000100baff70 impeller_unittests`RUN_ALL_TESTS() at gtest.h:2497:46
    frame #47: 0x0000000100bafe0c impeller_unittests`main(argc=1, argv=0x000000016fdff2d0) at run_all_unittests.cc:64:12
    frame #48: 0x00000001a9c57f28 dyld`start + 2236
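
The observation above about the 0x55 fault address can be automated when triaging many lldb crash logs. The following is an added example, not code from the issue or from the Flutter project: it assumes the fill bytes documented for MallocScribble in the macOS malloc(3) man page (0x55 for freed memory, 0xAA for fresh allocations), and the function names and the shortened sample trace are constructed for illustration.

```python
import re

# Fill bytes documented for MallocScribble in the macOS malloc(3) man page.
SCRIBBLE = {
    0x55: "value read from freed memory",
    0xAA: "value read from allocated but uninitialized memory",
}

STOP_RE = re.compile(r"stop reason = (\w+) \(code=\d+, address=(0x[0-9a-fA-F]+)\)")
# lldb frame line: "frame #N: 0xADDR module`symbol ..."
FRAME_RE = re.compile(r"frame #(\d+): 0x[0-9a-fA-F]+ ([^`\s]+)`(.*)")


def classify_address(addr, width=8):
    """Return the scribble meaning if every byte of addr is the same fill byte."""
    raw = addr.to_bytes(width, "little")
    if len(set(raw)) == 1:
        return SCRIBBLE.get(raw[0])
    return None


def triage(trace, app_module):
    """Extract the fault address, classify it, and find the first frame
    that belongs to app_module (hypothetical helper, not an lldb API)."""
    stop = STOP_RE.search(trace)
    if stop is None:
        return None
    addr = int(stop.group(2), 16)
    first_app = None
    for m in FRAME_RE.finditer(trace):
        if m.group(2) == app_module:
            first_app = (int(m.group(1)), m.group(3).strip())
            break
    return {
        "signal": stop.group(1),
        "address": addr,
        "meaning": classify_address(addr),
        "first_app_frame": first_app,
    }


# Constructed sample: three lines shortened from the trace in this issue.
SAMPLE = """\
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x5555555555555555)
  * frame #0: 0x00000001232ba3cc libvulkan.1.3.243.dylib`vkFreeCommandBuffers + 20
    frame #18: 0x0000000102ab8230 impeller_unittests`impeller::CommandPoolVK::~CommandPoolVK(this=0x000000010f82b750) at command_pool_vk.cc:85:31
"""

if __name__ == "__main__":
    print(triage(SAMPLE, "impeller_unittests"))
```
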

Labels: P1, e: impeller, engine