Very high memory usage in spirv-val with given test file

[zoddicus]

This originated as fuzzing case discovered by Chromium, https://bugs.chromium.org/p/chromium/issues/detail?id=997499. It reproduces when using the Vulkan Execution Env, but not when using the WebGPU one.

Even though the fuzzer is for the optimizer my investigations suggest that the memory usage issue is actually in spirv-val, since the stack trace I get on the OOM is in BuiltIn validation. If given enough memory to work with the fuzzer case will complete, so I don't think it is an infinite loop, but likely a pathological case. Given it doesn't reproduce for WebGPU @dneto0 was suggesting it might be related to decoration groups.

test-case.spv.zip

[dneto0]

Not looking at the code right now, I recall that the validator (?) expands decorations into a flat set of records. If the module has multiple nestings of decoration groups I suspect you could provoke exponential blowup of number of records. Note that SPIR-V spec prohibits nested decoration groups, but someone can craft a module like that. The proposed WebGPU env spec for SPIR-V bans decoration groups entirely, which may be why the validator handles this case more gracefully.

Then again ^^ is speculation. ;-)

[s-perron]

The test case has lots of repeated decorations, but no decoration groups.

      1                OpDecorate %1 Location 0
      6                OpDecorate %1 Location 4
      2                OpDecorate %gl_CullDistance_0 BuiltIn CullDistance
    203                OpDecorate %gl_CullDistance_1 BuiltIn CullDistance
     39                OpDecorate %gl_CullDistance_2 BuiltIn CullDistance
      2                OpDecorate %gl_CullDistance_2 BuiltIn Position
      7                OpDecorate %gl_CullDistance BuiltIn CullDistance
    311                OpDecorate %i_jvar_0OLOR BuiltIn CullDistance
      6                OpDecorate %i_jvar_0OLOR BuiltIn PointSize

[s-perron]

I am able to reproduce the problem. When I run the validator using:

$ /usr/bin/time -f "%M" spirv-val test-case.spv --target-env vulkan1.1

I see that we use 1,485,024 KB of memory. We get the error message is

error: line 602: According to the Vulkan spec BuiltIn CullDistance variable needs to be a 32-bit float array. ID <12> (OpVariable) is not an array.

With

/usr/bin/time -f "%M" spirv-val test-case.spv --target-env spv1.3

only 5,320 KB of memory is used, and there is no error message. My guess is that the validator is validating something that is vulkan specific with the builtin variables. There is probably a data structure that keeps track of the builtin, and, given that there are 570 Builtin decorations, it is becoming very large.