<div dir="ltr">Looks good to me. Thanks for fixing it up. Do the prospects look good for getting this committed?<div><br></div><div style>It would be cool if my name was attached to the patch, but since you really ended up writing it, its fine with me if you're marked as the author.</div>
<div style><br></div><div style>Thanks,</div><div style>Myles</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Jul 1, 2013 at 2:08 PM, Brian Paul <span dir="ltr"><<a href="mailto:brianp@vmware.com" target="_blank">brianp@vmware.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I took a closer look at your patch and I think it's incorrect.<br>
<br>
Note that the 'values' pointer is incremented by 4 in each loop iteration and size is decremented by 4. So accessing values[i*4+j] will eventually go out of bounds.<br>
<br>
I think something like this would work.<br>
<br>
diff --git a/src/mesa/program/prog_<u></u>parameter.c b/src/mesa/program/prog_<u></u>parameter.c<br>
index 95b153e..1b16feb 100644<br>
--- a/src/mesa/program/prog_<u></u>parameter.c<br>
+++ b/src/mesa/program/prog_<u></u>parameter.c<br>
@@ -155,7 +155,17 @@ _mesa_add_parameter(struct gl_program_parameter_list *paramList,<div class="im"><br>
p->Size = size;<br>
p->DataType = datatype;<br>
if (values) {<br>
- COPY_4V(paramList-><u></u>ParameterValues[oldNum + i], values);<br></div>
+ if (size >= 4) {<div class="im"><br>
+ COPY_4V(paramList-><u></u>ParameterValues[oldNum + i], values);<br>
+ }<br></div>
+ else {<div class="im"><br>
+ for (j = 0; j < size; j++) {<br>
+ paramList->ParameterValues[<u></u>oldNum + i][j] = values[j];<br>
+ }<br></div>
+ for (; j < 4; j++) {<br>
+ paramList->ParameterValues[<u></u>oldNum + i][j] = 0.0f;<div class="im"><br>
+ }<br>
+ }<br>
values += 4;<br>
p->Initialized = GL_TRUE;<br>
}<br>
<br></div>
-Brian<div class="im"><br>
<br>
<br>
On 06/19/2013 01:47 AM, Myles C. Maxfield wrote:<br>
</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">
Any word on this?<br>
<br>
Thanks,<br>
Myles<br>
<br>
<br>
On Mon, Jun 17, 2013 at 12:09 PM, Myles C. Maxfield<br></div><div class="im">
<<a href="mailto:myles.maxfield@gmail.com" target="_blank">myles.maxfield@gmail.com</a> <mailto:<a href="mailto:myles.maxfield@gmail.com" target="_blank">myles.maxfield@gmail.<u></u>com</a>>> wrote:<br>
<br>
Sure. I was under the impression that |size| couldn't be both<br>
greater than 4 and a non-multiple of 4, but I've reworked the patch<br>
to incorporate this and to be a little more straightforward.<br>
<br>
Is the only way to replace "ASAN" with "Address Sanitizer" to change<br>
the subject of this email thread?<br>
<br>
Anyway, here's a similar but modified patch:<br>
<br></div>
From: Myles C. Maxfield <<a href="mailto:mymax@amazon.com" target="_blank">mymax@amazon.com</a> <mailto:<a href="mailto:mymax@amazon.com" target="_blank">mymax@amazon.com</a>>><div><div class="h5"><br>
Date: Mon, 17 Jun 2013 11:50:05 -0700<br>
Subject: [PATCH] Appeasing Address Sanitizer<br>
<br>
---<br>
src/mesa/program/prog_<u></u>parameter.c | 13 ++++++++++++-<br>
1 file changed, 12 insertions(+), 1 deletion(-)<br>
<br>
diff --git a/src/mesa/program/prog_<u></u>parameter.c<br>
b/src/mesa/program/prog_<u></u>parameter.c<br>
index 95b153e..1d46476 100644<br>
--- a/src/mesa/program/prog_<u></u>parameter.c<br>
+++ b/src/mesa/program/prog_<u></u>parameter.c<br>
@@ -155,7 +155,18 @@ _mesa_add_parameter(struct<br>
gl_program_parameter_list *paramList,<br>
p->Size = size;<br>
p->DataType = datatype;<br>
if (values) {<br>
- COPY_4V(paramList-><u></u>ParameterValues[oldNum + i], values);<br>
+ if (size >= (i+1)*4) {<br>
+ COPY_4V(paramList-><u></u>ParameterValues[oldNum + i],<br>
values);<br>
+ } else {<br>
+ /* silence asan */<br>
+ for (j = 0; j < 4; j++) {<br>
+ if (i*4+j < size) {<br>
+ paramList->ParameterValues[<u></u>oldNum + i][j] =<br>
values[i*4+j];<br>
+ } else {<br>
+ paramList->ParameterValues[<u></u>oldNum + i][j].f<br>
= 0.0f;<br>
+ }<br>
+ }<br>
+ }<br>
values += 4;<br>
p->Initialized = GL_TRUE;<br>
}<br>
--<br>
1.7.12.4 (Apple Git-37)<br>
<br>
<br>
On Mon, Jun 17, 2013 at 8:13 AM, Brian Paul <<a href="mailto:brianp@vmware.com" target="_blank">brianp@vmware.com</a><br></div></div><div class="im">
<mailto:<a href="mailto:brianp@vmware.com" target="_blank">brianp@vmware.com</a>>> wrote:<br>
<br>
On 06/14/2013 05:12 PM, Myles C. Maxfield wrote:<br>
<br>
Sorry for the triple post; I received a bounce email the<br>
first time and got sent to the spam folder the second time,<br>
so I'm trying a third time.<br>
<br>
Hello, all. I was running Mesa with Address Sanitizer [1]<br>
turned on, and found one place where ASAN pointed out a<br>
read-before-initialized problem. In particular, in<br>
_mesa_add_parameter, in prog_parameter.c, |values|<br>
represents an array holding a variable number of values.<br>
These values get copied out of the array 4 at a time with<br>
the COPY_4V macro, however, the array might only contain a<br>
single element. In this case, ASAN reports a<br>
read-before-initialize because the last 3 of the 4 elements<br>
haven't been written to yet. I was hoping to contribute a<br>
patch that will silence this problem that ASAN reports. I'm<br>
happy to incorporate any feedback anyone has into this patch.<br>
<br>
Thanks,<br>
Myles C. Maxfield<br>
<br></div>
[1]<a href="https://code.google.com/p/__address-sanitizer/" target="_blank">https://code.google.com/p/_<u></u>_address-sanitizer/</a><br>
<<a href="https://code.google.com/p/address-sanitizer/" target="_blank">https://code.google.com/p/<u></u>address-sanitizer/</a>><br>
<br>
diff --git a/src/mesa/program/prog___<u></u>parameter.c<br>
b/src/mesa/program/prog___<u></u>parameter.c<br>
index 2018fa5..63915fb 100644<br>
--- a/src/mesa/program/prog___<u></u>parameter.c<br>
+++ b/src/mesa/program/prog___<u></u>parameter.c<div class="im"><br>
@@ -158,7 +158,17 @@ _mesa_add_parameter(struct<br>
gl_program_parameter_list *paramList,<br>
p->DataType = datatype;<br>
p->Flags = flags;<br>
if (values) {<br></div>
- COPY_4V(paramList->__<u></u>ParameterValues[oldNum +<div class="im"><br>
i], values);<br>
+ if (size & 3) {<br>
+ for (j = 0; j < size; j++) {<br></div>
+ paramList->ParameterValues[__<u></u>oldNum + i][j]<div class="im"><br>
= values[j];<br>
+ }<br>
+ /* silence asan */<br>
+ for (j = size; j < 4; j++) {<br></div>
+ paramList->ParameterValues[__<u></u>oldNum +<div class="im"><br>
i][j].f = 0;<br>
+ }<br>
+ } else {<br></div>
+ COPY_4V(paramList->__<u></u>ParameterValues[oldNum +<div class="im"><br>
i], values);<br>
+ }<br>
values += 4;<br>
p->Initialized = GL_TRUE;<br>
}<br>
<br>
<br>
The value of 'size' can actually be greater than 4 (IIRC, and<br>
the function comment are still correct). For example, for a<br>
matrix, size=16. So the first for-loop should be fixed, just to<br>
be safe.<br>
<br>
In the commit message, let's not use "ASAN" since it's not<br>
obvious that it means Address Sanitizer.<br>
<br>
-Brian<br>
<br>
<br>
<br>
<br>
<br>
</div></blockquote>
<br>
</blockquote></div><br></div>