<html>
<head>
<base href="https://bugs.freedesktop.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - [HSW] Use after free with compute programs"
href="https://bugs.freedesktop.org/show_bug.cgi?id=93790">93790</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>[HSW] Use after free with compute programs
</td>
</tr>
<tr>
<th>Product</th>
<td>Mesa
</td>
</tr>
<tr>
<th>Version</th>
<td>git
</td>
</tr>
<tr>
<th>Hardware</th>
<td>Other
</td>
</tr>
<tr>
<th>OS</th>
<td>All
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>medium
</td>
</tr>
<tr>
<th>Component</th>
<td>Drivers/DRI/i965
</td>
</tr>
<tr>
<th>Assignee</th>
<td>idr@freedesktop.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>imirkin@alum.mit.edu
</td>
</tr>
<tr>
<th>QA Contact</th>
<td>intel-3d-bugs@lists.freedesktop.org
</td>
</tr></table>
<p>
<div>
<pre>When running the upstream dEQP GLES31 testsuite, I see the following with
valgrind. Note that this is with a tree that includes f8ac314cc23 (i965:
Implement compute sampler state atom).
==9129== Invalid read of size 4
==9129== at 0xA9BCA19: update_stage_texture_surfaces
(brw_wm_surface_state.c:840)
==9129== by 0xA9BCB1A: brw_update_texture_surfaces
(brw_wm_surface_state.c:879)
==9129== by 0xA9B502E: check_and_emit_atom (brw_state_upload.c:771)
==9129== by 0xA9B502E: brw_upload_pipeline_state (brw_state_upload.c:882)
==9129== by 0xA9B502E: brw_upload_compute_state (brw_state_upload.c:942)
==9129== by 0xA9929B7: brw_dispatch_compute_common.part.2
(brw_compute.c:140)
==9129== by 0xA68E34B: _mesa_DispatchCompute (compute.c:44)
==9129== by 0xCA3545:
deqp::gls::ShaderExecUtil::ComputeShaderExecutor::execute(int, void const*
const*, void* const*) (in /home/ilia/src/deqp/modules/gles31/deqp-gles31)
==9129== by 0x6F7638:
deqp::gles31::Functional::CommonFunctionCase::iterate() (in
/home/ilia/src/deqp/modules/gles31/deqp-gles31)
==9129== by 0x5A180A: deqp::gles31::TestCaseWrapper::iterate(tcu::TestCase*)
(in /home/ilia/src/deqp/modules/gles31/deqp-gles31)
==9129== by 0x9C9BEE: tcu::TestSessionExecutor::iterate() (in
/home/ilia/src/deqp/modules/gles31/deqp-gles31)
==9129== by 0x998998: tcu::App::iterate() (in
/home/ilia/src/deqp/modules/gles31/deqp-gles31)
==9129== by 0x59D847: main (in
/home/ilia/src/deqp/modules/gles31/deqp-gles31)
==9129== Address 0xd3e8ca4 is 884 bytes inside a block of size 1,040 free'd
==9129== at 0x4C2B1DC: free (vg_replace_malloc.c:473)
==9129== by 0xA86E563: _mesa_reference_program_ (program.c:336)
==9129== by 0xA765282: _mesa_reference_program (program.h:89)
==9129== by 0xA765282: _mesa_reference_vertprog (program.h:97)
==9129== by 0xA765282: update_program (state.c:225)
==9129== by 0xA765282: _mesa_update_state_locked (state.c:473)
==9129== by 0xA765308: _mesa_update_state (state.c:504)
==9129== by 0xA992E47: brw_dispatch_compute_common.part.2
(brw_compute.c:118)
==9129== by 0xA68E34B: _mesa_DispatchCompute (compute.c:44)
==9129== by 0xCA3545:
deqp::gls::ShaderExecUtil::ComputeShaderExecutor::execute(int, void const*
const*, void* const*) (in /home/ilia/src/deqp/modules/gles31/deqp-gles31)
==9129== by 0x6F7638:
deqp::gles31::Functional::CommonFunctionCase::iterate() (in
/home/ilia/src/deqp/modules/gles31/deqp-gles31)
==9129== by 0x5A180A: deqp::gles31::TestCaseWrapper::iterate(tcu::TestCase*)
(in /home/ilia/src/deqp/modules/gles31/deqp-gles31)
==9129== by 0x9C9BEE: tcu::TestSessionExecutor::iterate() (in
/home/ilia/src/deqp/modules/gles31/deqp-gles31)
==9129== by 0x998998: tcu::App::iterate() (in
/home/ilia/src/deqp/modules/gles31/deqp-gles31)
==9129== by 0x59D847: main (in
/home/ilia/src/deqp/modules/gles31/deqp-gles31)
It doesn't happen when running just one test individually; you have to run a
bunch. What I do is:
1. Clone <a href="https://android.googlesource.com/platform/external/deqp">https://android.googlesource.com/platform/external/deqp</a>
2. Apply this patch:
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 9760d72..0e7455c 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -66,8 +66,8 @@ endif ()
include_directories(${ZLIB_INCLUDE_PATH})
# libpng
-find_path(PNG_INCLUDE_PATH libpng.h)
-find_library(PNG_LIBRARY png)
+find_path(PNG_INCLUDE_PATH png.h)
+find_package(PNG)
if (NOT PNG_INCLUDE_PATH OR NOT PNG_LIBRARY)
message(STATUS "System version of libpng not found, using
external/libpng")
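Review bot: the "if (NOT PNG_INCLUDE_PATH OR NOT PNG_LIBRARY)" check that
follows the new find_package(PNG) line still tests PNG_LIBRARY, which the
removed find_library() call used to set, so the system-libpng branch now
depends on find_package(PNG) defining that same name. Test PNG_FOUND here
and take the include directory from the package result instead of keeping
a separate find_path(PNG_INCLUDE_PATH png.h) beside it.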
diff --git a/framework/platform/X11/tcuX11GlxPlatform.cpp
b/framework/platform/X11/tcuX11GlxPlatform.cpp
index 1f9e9bc..87e263b 100644
--- a/framework/platform/X11/tcuX11GlxPlatform.cpp
+++ b/framework/platform/X11/tcuX11GlxPlatform.cpp
@@ -322,11 +322,11 @@ GLXContext GlxVisual::createContext (const
GlxContextFactory& factory,
const int attribs[] =
{
- GLX_CONTEXT_MAJOR_VERSION_ARB, apiType.getMajorVersion(),
- GLX_CONTEXT_MINOR_VERSION_ARB, apiType.getMinorVersion(),
+ GLX_CONTEXT_MAJOR_VERSION_ARB, 2,
+ GLX_CONTEXT_MINOR_VERSION_ARB, 0,
GLX_CONTEXT_FLAGS_ARB, 0,
GLX_CONTEXT_PROFILE_MASK_ARB, profileMask,
- None
+ 0
};
return TCU_CHECK_GLX(factory.m_glXCreateContextAttribsARB(
getXDisplay(),
m_fbConfig, DE_NULL, True, attribs));
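Review bot: the hard-coded 2 and 0 for GLX_CONTEXT_MAJOR_VERSION_ARB and
GLX_CONTEXT_MINOR_VERSION_ARB discard apiType for every caller of
GlxVisual::createContext, so any version requested through this path
silently becomes a 2.0 request. The run command depends on
MESA_GLES_VERSION_OVERRIDE=3.1 to make up for that, so mark this in a
comment as a local reproduction workaround, or gate it on a build option
rather than replacing the apiType calls. The None to 0 change of the
attribute-list terminator is separate from the version change and should
be explained or dropped.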
3. cmake -DDEQP_TARGET=x11_egl_glx; make -j8
4. cd modules/gles31; MESA_GLES_VERSION_OVERRIDE=3.1 valgrind ./deqp-gles31
--deqp-visibility=hidden |& tee i965-valgrind.log
You should see the above backtraces within a minute or so.</pre>
</div>
</p>
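<p>For triaging the i965-valgrind.log produced in step 4, the following added example (not part of the original report and not Mesa or dEQP code) splits one Memcheck use-after-free record into its access and free stacks and finds the innermost caller they share. The sample text is constructed from the frames quoted in the report, unwrapped to one line each; the function names parse_uaf and common_caller are hypothetical.</p>
<pre>
```python
import re

# Constructed sample: frames copied from the report above, unwrapped to one
# line each and trimmed to the driver-side callers.
SAMPLE = """\
==9129== Invalid read of size 4
==9129==    at 0xA9BCA19: update_stage_texture_surfaces (brw_wm_surface_state.c:840)
==9129==    by 0xA9BCB1A: brw_update_texture_surfaces (brw_wm_surface_state.c:879)
==9129==    by 0xA9B502E: brw_upload_compute_state (brw_state_upload.c:942)
==9129==    by 0xA9929B7: brw_dispatch_compute_common.part.2 (brw_compute.c:140)
==9129==    by 0xA68E34B: _mesa_DispatchCompute (compute.c:44)
==9129==  Address 0xd3e8ca4 is 884 bytes inside a block of size 1,040 free'd
==9129==    at 0x4C2B1DC: free (vg_replace_malloc.c:473)
==9129==    by 0xA86E563: _mesa_reference_program_ (program.c:336)
==9129==    by 0xA765282: update_program (state.c:225)
==9129==    by 0xA765308: _mesa_update_state (state.c:504)
==9129==    by 0xA992E47: brw_dispatch_compute_common.part.2 (brw_compute.c:118)
==9129==    by 0xA68E34B: _mesa_DispatchCompute (compute.c:44)
"""

# Frames without file:line debug info (the "(in /path/binary)" form) are skipped.
FRAME = re.compile(r"==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \(([^():]+):(\d+)\)")
FREED = re.compile(
    r"==\d+==\s+Address 0x[0-9A-Fa-f]+ is ([\d,]+) bytes inside a block of size ([\d,]+) free'd")

def parse_uaf(log):
    """Split one Memcheck use-after-free record into access and free stacks."""
    report = {"access": [], "free": [], "offset": None, "size": None}
    side = None
    for line in log.splitlines():
        if "Invalid read of size" in line or "Invalid write of size" in line:
            side = "access"
        freed = FREED.match(line)
        if freed:
            side = "free"
            report["offset"], report["size"] = (
                int(g.replace(",", "")) for g in freed.groups())
        frame = FRAME.match(line)
        if frame and side:
            report[side].append((frame.group(1), frame.group(2), int(frame.group(3))))
    return report

def common_caller(report):
    """Innermost function present in both stacks, with each side's call line."""
    free_lines = {fn: ln for fn, _src, ln in reversed(report["free"])}
    for fn, src, ln in report["access"]:
        if fn in free_lines:
            return {"function": fn, "file": src,
                    "free_line": free_lines[fn], "access_line": ln}
    return None
```
</pre>
<p>On the sample, common_caller reports brw_dispatch_compute_common.part.2 with the free reached from brw_compute.c:118 and the read from brw_compute.c:140, which places both events in the same dispatch call.</p>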
</body>
</html>