va_end(ap);
}
+/* To check for memory safety issues, validates that the given pointer in GPU
+ * memory is valid, containing at least sz bytes. The goal is to eliminate
+ * GPU-side memory bugs (NULL pointer dereferences, buffer overflows, or buffer
+ * overruns) by statically validating pointers.
+ */
+
+static void
+pandecode_validate_buffer(mali_ptr addr, size_t sz)
+{
+ if (!addr) {
+ pandecode_msg("XXX: null pointer deref");
+ return;
+ }
+
+ /* Find a BO */
+
+ struct pandecode_mapped_memory *bo =
+ pandecode_find_mapped_gpu_mem_containing(addr);
+
+ if (!bo) {
+ pandecode_msg("XXX: invalid memory dereference\n");
+ return;
+ }
+
+ /* Bounds check */
+
+ unsigned offset = addr - bo->gpu_va;
+ unsigned total = offset + sz;
+
+ if (total > bo->length) {
+ pandecode_msg("XXX: buffer overrun."
+ "Chunk of size %d at offset %d in buffer of size %d. "
+ "Overrun by %d bytes.",
+ sz, offset, bo->length, total - bo->length);
+ return;
+ }
+}
+
struct pandecode_flag_info {
u64 flag;
const char *name;
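Review bot: The bounds check in `pandecode_validate_buffer` does its arithmetic in `unsigned`, while `addr` is a `mali_ptr` (printed with `PRIx64` elsewhere in this file, so presumably 64-bit) and `sz` is a `size_t`. A large size or offset from a malformed descriptor can therefore be narrowed, or `offset + sz` can wrap, and still pass `total > bo->length`. Keeping the values wide and comparing without the addition avoids this: `uint64_t offset = addr - bo->gpu_va;` followed by `if (sz > bo->length - offset)`, assuming the lookup guarantees `offset <= bo->length`. The overrun message also passes `sz` to `%d` where `%zu` is needed, and the null-pointer message lacks the trailing `\n` the other messages carry. The header comment says pointers are validated "statically", but the check runs at decode time against the mapped BOs, so "at decode time" would be more accurate.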
DEFINE_CASE(QUAD_STRIP);
default:
- return "MALI_TRIANGLES /* XXX: Unknown GL mode, check dump */";
+ pandecode_msg("XXX: invalid draw mode %X\n", mode);
+ return "";
}
#undef DEFINE_CASE
DEFINE_CASE(ALWAYS);
default:
- return "MALI_FUNC_NEVER /* XXX: Unknown function, check dump */";
+ pandecode_msg("XXX: invalid func %X\n", mode);
+ return "";
}
}
#undef DEFINE_CASE
DEFINE_CASE(ALWAYS);
default:
- return "MALI_FUNC_NEVER /* XXX: Unknown function, check dump */";
+ pandecode_msg("XXX: invalid alt func %X\n", mode);
+ return "";
}
}
#undef DEFINE_CASE
DEFINE_CASE(DECR);
default:
- return "MALI_STENCIL_KEEP /* XXX: Unknown stencil op, check dump */";
+ pandecode_msg("XXX: invalid stencil op %X\n", op);
+ return "";
}
}
DEFINE_CASE(IMAGE);
DEFINE_CASE(INTERNAL);
default:
- return "MALI_ATTR_UNUSED /* XXX: Unknown stencil op, check dump */";
+ pandecode_msg("XXX: invalid attribute mode %X\n", mode);
+ return "";
}
}
DEFINE_CASE(RESERVED_1);
default:
- return "MALI_CHANNEL_ZERO /* XXX: Unknown channel, check dump */";
+ pandecode_msg("XXX: invalid channel %X\n", channel);
+ return "";
}
}
#undef DEFINE_CASE
DEFINE_CASE(MIRRORED_REPEAT);
default:
- return "MALI_WRAP_REPEAT /* XXX: Unknown wrap mode, check dump */";
+ pandecode_msg("XXX: invalid wrap mode %X\n", op);
+ return "";
}
}
#undef DEFINE_CASE
#define DEFINE_CASE(name) case MALI_EXCEPTION_ACCESS_## name: return ""#name
static char *
-pandecode_exception_access(enum mali_exception_access fmt)
+pandecode_exception_access(enum mali_exception_access access)
{
- switch (fmt) {
+ switch (access) {
DEFINE_CASE(NONE);
DEFINE_CASE(EXECUTE);
DEFINE_CASE(READ);
pandecode_prop("hierarchy_mask = 0x%" PRIx16, t->hierarchy_mask);
/* We know this name from the kernel, but we never see it nonzero */
+
if (t->flags)
- pandecode_prop("flags = 0x%" PRIx16 " /* XXX: unexpected */", t->flags);
+ pandecode_msg("XXX: unexpected tiler flags 0x%" PRIx16, t->flags);
MEMORY_PROP(t, polygon_list);
pandecode_swizzle(format.swizzle);
- pandecode_prop("no_preload = 0x%" PRIx32, format.no_preload);
+ /* In theory, the no_preload bit can be cleared to enable MFBD preload,
+ * which is a faster hardware-based alternative to the wallpaper method
+ * to preserve framebuffer contents across frames. In practice, MFBD
+ * preload is buggy on Midgard, and so this is a chicken bit. If this
+ * bit isn't set, most likely something broke unrelated to preload */
+
+ if (!format.no_preload) {
+ pandecode_msg("XXX: buggy MFBD preload enabled - chicken bit should be clear\n");
+ pandecode_prop("no_preload = 0x%" PRIx32, format.no_preload);
+ }
if (format.zero)
pandecode_prop("zero = 0x%" PRIx32, format.zero);
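Review bot: The new message contradicts the condition it sits under. The branch runs when `format.no_preload` is zero, and the comment above says an unset bit is the anomaly, yet the text reads "chicken bit should be clear". Suggest `pandecode_msg("XXX: buggy MFBD preload enabled - chicken bit should be set\n");` so someone reading a trace is not pointed the wrong way. The `pandecode_prop` inside the branch can only ever print `0x0`, so it adds nothing to the message.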
pandecode_indent--;
pandecode_log("},\n");
- } else {
- pandecode_log(".chunknown = {\n");
- pandecode_indent++;
-
- pandecode_prop("unk = 0x%" PRIx64, rt->chunknown.unk);
-
- char *a = pointer_as_memory_reference(rt->chunknown.pointer);
- pandecode_prop("pointer = %s", a);
- free(a);
-
- pandecode_indent--;
- pandecode_log("},\n");
+ } else if (rt->afbc.metadata || rt->afbc.stride || rt->afbc.unk) {
+ pandecode_msg("XXX: AFBC disabled but AFBC field set (0x%lX, 0x%x, 0x%x)\n",
+ rt->afbc.metadata,
+ rt->afbc.stride,
+ rt->afbc.unk);
}
MEMORY_PROP(rt, framebuffer);
}
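Review bot: `rt->afbc.metadata` is printed with `0x%lX`, but its type is not visible in this hunk. If it is a 64-bit GPU address, `long` is only 32 bits on ILP32 targets and the mismatched variadic argument is undefined behaviour. The surrounding code uses the `<inttypes.h>` macros for 64-bit fields, so `"XXX: AFBC disabled but AFBC field set (0x%" PRIx64 ", 0x%x, 0x%x)\n"` would be consistent and portable.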
if (rt->zero1 || rt->zero2 || rt->zero3) {
- pandecode_msg("render target zeros tripped\n");
+ pandecode_msg("XXX: render target zeros tripped\n");
pandecode_prop("zero1 = 0x%" PRIx64, rt->zero1);
pandecode_prop("zero2 = 0x%" PRIx32, rt->zero2);
pandecode_prop("zero3 = 0x%" PRIx32, rt->zero3);
pandecode_log_decoded_flags(mfbd_flag_info, fb->mfbd_flags);
pandecode_log_cont(",\n");
- pandecode_prop("clear_stencil = 0x%x", fb->clear_stencil);
- pandecode_prop("clear_depth = %f", fb->clear_depth);
+ if (fb->clear_stencil)
+ pandecode_prop("clear_stencil = 0x%x", fb->clear_stencil);
+
+ if (fb->clear_depth)
+ pandecode_prop("clear_depth = %f", fb->clear_depth);
+
+ /* TODO: What is this? Let's not blow up.. */
+ if (fb->unknown2 != 0x1F)
+ pandecode_prop("unknown2 = 0x%x", fb->unknown2);
pandecode_prop("unknown2 = 0x%x", fb->unknown2);
MEMORY_PROP(fb, scratchpad);
pandecode_midgard_tiler_descriptor(&t, fb->width1 + 1, fb->height1 + 1, is_fragment);
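Review bot: The new `if (fb->unknown2 != 0x1F)` guard has no effect as shown, because the unchanged line right after it still calls `pandecode_prop("unknown2 = 0x%x", fb->unknown2);` unconditionally. An unexpected value is emitted twice and the expected one is still emitted once. If the intent is to print only on deviation, the unconditional call should be dropped. If the field must always appear in the dump, the guarded line should be a `pandecode_msg("XXX: unexpected unknown2\n");` instead. A short comment on what `0x1F` is believed to mean would help the next reader.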
if (fb->zero3 || fb->zero4) {
- pandecode_msg("framebuffer zeros tripped\n");
+ pandecode_msg("XXX: framebuffer zeros tripped\n");
pandecode_prop("zero3 = 0x%" PRIx32, fb->zero3);
pandecode_prop("zero4 = 0x%" PRIx32, fb->zero4);
}
MEMORY_PROP_DIR(fbx->ds_afbc, depth_stencil);
if (fbx->ds_afbc.zero1 || fbx->ds_afbc.padding) {
- pandecode_msg("Depth/stencil AFBC zeros tripped\n");
+ pandecode_msg("XXX: Depth/stencil AFBC zeros tripped\n");
pandecode_prop("zero1 = 0x%" PRIx32,
fbx->ds_afbc.zero1);
pandecode_prop("padding = 0x%" PRIx64,
if (fbx->ds_linear.depth_stride_zero ||
fbx->ds_linear.stencil_stride_zero ||
fbx->ds_linear.zero1 || fbx->ds_linear.zero2) {
- pandecode_msg("Depth/stencil zeros tripped\n");
+ pandecode_msg("XXX: Depth/stencil zeros tripped\n");
pandecode_prop("depth_stride_zero = 0x%x",
fbx->ds_linear.depth_stride_zero);
pandecode_prop("stencil_stride_zero = 0x%x",
}
if (fbx->zero3 || fbx->zero4) {
- pandecode_msg("fb_extra zeros tripped\n");
+ pandecode_msg("XXX: fb_extra zeros tripped\n");
pandecode_prop("zero3 = 0x%" PRIx64, fbx->zero3);
pandecode_prop("zero4 = 0x%" PRIx64, fbx->zero4);
}
pandecode_prop("unk = 0x%x", attr[i].unk);
pandecode_prop("magic_divisor = 0x%08x", attr[i].magic_divisor);
if (attr[i].zero != 0)
- pandecode_prop("zero = 0x%x /* XXX zero tripped */", attr[i].zero);
+ pandecode_prop("XXX: zero tripped (0x%x)\n", attr[i].zero);
pandecode_prop("divisor = %d", attr[i].divisor);
pandecode_magic_divisor(attr[i].magic_divisor, attr[i - 1].shift, attr[i].divisor, attr[i - 1].extra_flags);
pandecode_indent--;
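Review bot: This warning goes through `pandecode_prop` while every other "XXX:" diagnostic in the commit uses `pandecode_msg`. If `pandecode_prop` emits a struct field line, as its other uses suggest, the warning lands inside the decoded initializer and the actual `zero` field is no longer printed. Suggest `pandecode_msg("XXX: zero tripped (0x%x)\n", attr[i].zero);`, optionally followed by the original `pandecode_prop("zero = 0x%x", attr[i].zero);`.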
const char *dppass = pandecode_stencil_op(stencil->dppass);
if (stencil->zero)
- pandecode_msg("Stencil zero tripped: %X\n", stencil->zero);
+ pandecode_msg("XXX: stencil zero tripped: %X\n", stencil->zero);
pandecode_log(".stencil_%s = {\n", name);
pandecode_indent++;
pandecode_blend_equation(const struct mali_blend_equation *blend)
{
if (blend->zero1)
- pandecode_msg("Blend zero tripped: %X\n", blend->zero1);
+ pandecode_msg("XXX: blend zero tripped: %X\n", blend->zero1);
pandecode_log(".equation = {\n");
pandecode_indent++;
attr_meta = pandecode_fetch_gpu_mem(attr_mem, p,
sizeof(*attr_mem));
+ /* If the record is discard, it should be zero for everything else */
+
+ if (attr_meta->format == MALI_VARYING_DISCARD) {
+ uint64_t zero =
+ attr_meta->index |
+ attr_meta->unknown1 |
+ attr_meta->unknown3 |
+ attr_meta->src_offset;
+
+ if (zero)
+ pandecode_msg("XXX: expected empty record for varying discard\n");
+
+ /* We want to look for a literal 0000 swizzle -- this
+ * is not encoded with all zeroes, however */
+
+ enum mali_channel z = MALI_CHANNEL_ZERO;
+ unsigned zero_swizzle = z | (z << 3) | (z << 6) | (z << 9);
+ bool good_swizzle = attr_meta->swizzle == zero_swizzle;
+
+ if (!good_swizzle)
+ pandecode_msg("XXX: expected zero swizzle for discard\n");
+
+ if (!varying)
+ pandecode_msg("XXX: cannot discard attribute\n");
+
+ /* If we're all good, omit the record */
+ if (!zero && varying && good_swizzle) {
+ pandecode_log("/* discarded varying */\n");
+ continue;
+ }
+ }
+
pandecode_log("{\n");
pandecode_indent++;
pandecode_prop("index = %d", attr_meta->index);
pandecode_swizzle(attr_meta->swizzle);
pandecode_prop("format = %s", pandecode_format(attr_meta->format));
- pandecode_prop("unknown1 = 0x%" PRIx64, (u64) attr_meta->unknown1);
- pandecode_prop("unknown3 = 0x%" PRIx64, (u64) attr_meta->unknown3);
+ if (attr_meta->unknown1 != 0x2) {
+ pandecode_msg("XXX: expected unknown1 = 0x2\n");
+ pandecode_prop("unknown1 = 0x%" PRIx64, (u64) attr_meta->unknown1);
+ }
+
+ if (attr_meta->unknown3) {
+ pandecode_msg("XXX: unexpected unknown3 set\n");
+ pandecode_prop("unknown3 = 0x%" PRIx64, (u64) attr_meta->unknown3);
+ }
+
pandecode_prop("src_offset = %d", attr_meta->src_offset);
pandecode_indent--;
pandecode_log("},\n");
if (p->offset_bias_correction)
pandecode_prop("offset_bias_correction = %d", p->offset_bias_correction);
- if (p->zero1) {
- pandecode_msg("Zero tripped\n");
- pandecode_prop("zero1 = 0x%" PRIx32, p->zero1);
- }
+ /* TODO: Figure out what this is. It's not zero */
+ pandecode_prop("zero1 = 0x%" PRIx32, p->zero1);
pandecode_indent--;
pandecode_log("},\n");
pandecode_uniform_buffers(mali_ptr pubufs, int ubufs_count, int job_no)
{
struct pandecode_mapped_memory *umem = pandecode_find_mapped_gpu_mem_containing(pubufs);
-
struct mali_uniform_buffer_meta *PANDECODE_PTR_VAR(ubufs, umem, pubufs);
- for (int i = 0; i < ubufs_count; i++) {
- mali_ptr ptr = ubufs[i].ptr << 2;
- struct pandecode_mapped_memory *umem2 = pandecode_find_mapped_gpu_mem_containing(ptr);
- uint32_t *PANDECODE_PTR_VAR(ubuf, umem2, ptr);
- char name[50];
- snprintf(name, sizeof(name), "ubuf_%d", i);
- /* The blob uses ubuf 0 to upload internal stuff and
- * uniforms that won't fit/are accessed indirectly, so
- * it puts it in the batchbuffer.
- */
- pandecode_log("uint32_t %s_%d[] = {\n", name, job_no);
- pandecode_indent++;
-
- for (int j = 0; j <= ubufs[i].size; j++) {
- for (int k = 0; k < 4; k++) {
- if (k == 0)
- pandecode_log("0x%"PRIx32", ", ubuf[4 * j + k]);
- else
- pandecode_log_cont("0x%"PRIx32", ", ubuf[4 * j + k]);
-
- }
-
- pandecode_log_cont("\n");
- }
-
- pandecode_indent--;
- pandecode_log("};\n");
- }
-
pandecode_log("struct mali_uniform_buffer_meta uniform_buffers_%"PRIx64"_%d[] = {\n",
pubufs, job_no);
pandecode_indent++;
for (int i = 0; i < ubufs_count; i++) {
pandecode_log("{\n");
pandecode_indent++;
- pandecode_prop("size = MALI_POSITIVE(%d)", ubufs[i].size + 1);
- pandecode_prop("ptr = ubuf_%d_%d_p >> 2", i, job_no);
+
+ unsigned size = (ubufs[i].size + 1) * 16;
+ mali_ptr addr = ubufs[i].ptr << 2;
+
+ pandecode_validate_buffer(addr, size);
+
+ char *ptr = pointer_as_memory_reference(ubufs[i].ptr << 2);
+ pandecode_prop("size = %u", size);
+ pandecode_prop("ptr = (%s) >> 2", ptr);
pandecode_indent--;
pandecode_log("},\n");
+ free(ptr);
}
pandecode_indent--;
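Review bot: The descriptor table itself is never validated, even though each UBO it points to now goes through `pandecode_validate_buffer`. The loop indexes `ubufs[i]` for `ubufs_count` entries taken from the job, and `umem` from `pandecode_find_mapped_gpu_mem_containing(pubufs)` is not checked before use. A call such as `pandecode_validate_buffer(pubufs, sizeof(*ubufs) * ubufs_count);` ahead of the loop would close that gap, together with a guard against a negative `ubufs_count` since it is an `int`. `(ubufs[i].size + 1) * 16` is stored in an `unsigned`, which is fine only if the `size` bitfield is narrow; its width is not visible here. `pointer_as_memory_reference` can take `addr` rather than recomputing `ubufs[i].ptr << 2`. The function body continues outside this hunk.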
struct bifrost_scratchpad *PANDECODE_PTR_VAR(scratchpad, mem, pscratchpad);
- if (scratchpad->zero)
- pandecode_msg("XXX scratchpad zero tripped");
+ if (scratchpad->zero) {
+ pandecode_msg("XXX: scratchpad zero tripped");
+ pandecode_prop("zero = 0x%x\n", scratchpad->zero);
+ }
pandecode_log("struct bifrost_scratchpad scratchpad_%"PRIx64"_%d%s = {\n", pscratchpad, job_no, suffix);
pandecode_indent++;
uniform_count = s->bifrost2.uniform_count;
uniform_buffer_count = s->bifrost1.uniform_buffer_count;
} else {
- uniform_count = s->midgard1.uniform_count;
+ uniform_count = s->midgard1.uniform_buffer_count;
uniform_buffer_count = s->midgard1.uniform_buffer_count;
}
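Review bot: On the Midgard path `uniform_count` is now assigned from `s->midgard1.uniform_buffer_count`, the same field the next line assigns to `uniform_buffer_count`. Unless `midgard1.uniform_count` was removed from the struct elsewhere in this commit, this looks like a copy-paste slip. It matters because `uniform_count` later sizes the new `pandecode_validate_buffer(p->uniforms, uniform_count * 16)` check, so the validation would run against the wrong length. If the change is intentional, a comment explaining why the two counts coincide on Midgard is needed.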
unsigned max_attr_index = pandecode_attribute_meta(job_no, attribute_count, p, false, suffix);
attr_mem = pandecode_find_mapped_gpu_mem_containing(p->attributes);
- pandecode_attributes(attr_mem, p->attributes, job_no, suffix, max_attr_index + 1, false);
+ pandecode_attributes(attr_mem, p->attributes, job_no, suffix, max_attr_index, false);
}
/* Varyings are encoded like attributes but not actually sent; we just
pandecode_attributes(attr_mem, p->varyings, job_no, suffix, varying_count, true);
}
- bool is_compute = job_type == JOB_TYPE_COMPUTE;
-
- if (p->uniforms && !is_compute) {
- int rows = uniform_count, width = 4;
- size_t sz = rows * width * sizeof(float);
-
- struct pandecode_mapped_memory *uniform_mem = pandecode_find_mapped_gpu_mem_containing(p->uniforms);
- pandecode_fetch_gpu_mem(uniform_mem, p->uniforms, sz);
- u32 *PANDECODE_PTR_VAR(uniforms, uniform_mem, p->uniforms);
-
- pandecode_log("u32 uniforms_%d%s[] = {\n", job_no, suffix);
-
- pandecode_indent++;
-
- for (int row = 0; row < rows; row++) {
- for (int i = 0; i < width; i++) {
- u32 v = uniforms[i];
- float f;
- memcpy(&f, &v, sizeof(v));
- pandecode_log_cont("%X /* %f */, ", v, f);
- }
-
- pandecode_log_cont("\n");
-
- uniforms += width;
- }
-
- pandecode_indent--;
- pandecode_log("};\n");
- } else if (p->uniforms) {
- int rows = uniform_count * 2;
- size_t sz = rows * sizeof(mali_ptr);
-
- struct pandecode_mapped_memory *uniform_mem = pandecode_find_mapped_gpu_mem_containing(p->uniforms);
- pandecode_fetch_gpu_mem(uniform_mem, p->uniforms, sz);
- mali_ptr *PANDECODE_PTR_VAR(uniforms, uniform_mem, p->uniforms);
-
- pandecode_log("mali_ptr uniforms_%d%s[] = {\n", job_no, suffix);
-
- pandecode_indent++;
-
- for (int row = 0; row < rows; row++) {
- char *a = pointer_as_memory_reference(uniforms[row]);
- pandecode_log("%s,\n", a);
- free(a);
- }
-
- pandecode_indent--;
- pandecode_log("};\n");
-
- }
-
if (p->uniform_buffers) {
- pandecode_uniform_buffers(p->uniform_buffers, uniform_buffer_count, job_no);
- }
+ if (uniform_buffer_count)
+ pandecode_uniform_buffers(p->uniform_buffers, uniform_buffer_count, job_no);
+ else
+ pandecode_msg("XXX: UBOs specified but not referenced\n");
+ } else if (uniform_buffer_count)
+ pandecode_msg("XXX: UBOs referenced but not specified\n");
+
+ /* We don't want to actually dump uniforms, but we do need to validate
+ * that the counts we were given are sane */
+
+ if (p->uniforms) {
+ if (uniform_count)
+ pandecode_validate_buffer(p->uniforms, uniform_count * 16);
+ else
+ pandecode_msg("XXX: Uniforms specified but not referenced");
+ } else if (uniform_count)
+ pandecode_msg("XXX: UBOs referenced but not specified\n");
if (p->texture_trampoline) {
struct pandecode_mapped_memory *mmem = pandecode_find_mapped_gpu_mem_containing(p->texture_trampoline);
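Review bot: The final `else if (uniform_count)` branch reports "XXX: UBOs referenced but not specified", the same text as the UBO branch above, so a trace cannot tell the two failures apart. It should read `pandecode_msg("XXX: Uniforms referenced but not specified\n");`. The "Uniforms specified but not referenced" message is also missing its trailing `\n`. `uniform_count * 16` is evaluated in `int` before conversion to `size_t`; casting first, `(size_t) uniform_count * 16`, keeps a large or negative count from producing a misleading size. The magic `16` is presumably one vec4 of 32-bit words and deserves a short comment or a named constant shared with the UBO size computation.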
if (t->swizzle_zero) {
/* Shouldn't happen */
- pandecode_msg("Swizzle zero tripped but replay will be fine anyway");
+ pandecode_msg("XXX: swizzle zero tripped\n");
pandecode_prop("swizzle_zero = %d", t->swizzle_zero);
}
pandecode_prop("compare_func = %s", pandecode_alt_func(s->compare_func));
if (s->zero || s->zero2) {
- pandecode_msg("Zero tripped\n");
+ pandecode_msg("XXX: sampler zero tripped\n");
pandecode_prop("zero = 0x%X, 0x%X\n", s->zero, s->zero2);
}
pandecode_prop("unk2 = 0x%x", v->unk2);
if (v->zero0 || v->zero1) {
- pandecode_msg("vertex only zero tripped");
+ pandecode_msg("XXX: vertex only zero tripped");
pandecode_prop("zero0 = 0x%" PRIx32, v->zero0);
pandecode_prop("zero1 = 0x%" PRIx64, v->zero1);
}
pandecode_indent++;
if (h->zero) {
- pandecode_msg("tiler heap zero tripped\n");
+ pandecode_msg("XXX: tiler heap zero tripped\n");
pandecode_prop("zero = 0x%x", h->zero);
}
for (int i = 0; i < 12; i++) {
if (h->zeros[i] != 0) {
- pandecode_msg("tiler heap zero %d tripped, value %x\n",
+ pandecode_msg("XXX: tiler heap zero %d tripped, value %x\n",
i, h->zeros[i]);
}
}
pandecode_indent++;
if (t->zero0 || t->zero1) {
- pandecode_msg("tiler meta zero tripped");
+ pandecode_msg("XXX: tiler meta zero tripped\n");
pandecode_prop("zero0 = 0x%" PRIx64, t->zero0);
pandecode_prop("zero1 = 0x%" PRIx64, t->zero1);
}
for (int i = 0; i < 12; i++) {
if (t->zeros[i] != 0) {
- pandecode_msg("tiler heap zero %d tripped, value %" PRIx64 "\n",
+ pandecode_msg("XXX: tiler heap zero %d tripped, value %" PRIx64 "\n",
i, t->zeros[i]);
}
}
if (t->zero1 || t->zero2 || t->zero3 || t->zero4 || t->zero5
|| t->zero6 || t->zero7 || t->zero8) {
- pandecode_msg("tiler only zero tripped");
+ pandecode_msg("XXX: tiler only zero tripped\n");
pandecode_prop("zero1 = 0x%" PRIx64, t->zero1);
pandecode_prop("zero2 = 0x%" PRIx64, t->zero2);
pandecode_prop("zero3 = 0x%" PRIx64, t->zero3);
pandecode_prop("offset_start = %d", v->offset_start);
if (v->zero5) {
- pandecode_msg("Zero tripped\n");
+ pandecode_msg("XXX: midgard payload zero tripped\n");
pandecode_prop("zero5 = 0x%" PRIx64, v->zero5);
}