[Bug 93790] [HSW] Use after free with compute programs

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Wed Jan 20 05:43:57 PST 2016 

https://bugs.freedesktop.org/show_bug.cgi?id=93790

            Bug ID: 93790
           Summary: [HSW] Use after free with compute programs
           Product: Mesa
           Version: git
          Hardware: Other
                OS: All
            Status: NEW
          Severity: normal
          Priority: medium
         Component: Drivers/DRI/i965
          Assignee: idr at freedesktop.org
          Reporter: imirkin at alum.mit.edu
        QA Contact: intel-3d-bugs at lists.freedesktop.org

When running the upstream dEQP GLES31 testsuite, I see the following with
valgrind. Note that this is with a tree that includes f8ac314cc23 (i965:
Implement compute sampler state atom).

==9129== Invalid read of size 4
==9129==    at 0xA9BCA19: update_stage_texture_surfaces
(brw_wm_surface_state.c:840)
==9129==    by 0xA9BCB1A: brw_update_texture_surfaces
(brw_wm_surface_state.c:879)
==9129==    by 0xA9B502E: check_and_emit_atom (brw_state_upload.c:771)
==9129==    by 0xA9B502E: brw_upload_pipeline_state (brw_state_upload.c:882)
==9129==    by 0xA9B502E: brw_upload_compute_state (brw_state_upload.c:942)
==9129==    by 0xA9929B7: brw_dispatch_compute_common.part.2
(brw_compute.c:140)
==9129==    by 0xA68E34B: _mesa_DispatchCompute (compute.c:44)
==9129==    by 0xCA3545:
deqp::gls::ShaderExecUtil::ComputeShaderExecutor::execute(int, void const*
const*, void* const*) (in /home/ilia/src/deqp/modules/gles31/deqp-gles31)
==9129==    by 0x6F7638:
deqp::gles31::Functional::CommonFunctionCase::iterate() (in
/home/ilia/src/deqp/modules/gles31/deqp-gles31)
==9129==    by 0x5A180A: deqp::gles31::TestCaseWrapper::iterate(tcu::TestCase*)
(in /home/ilia/src/deqp/modules/gles31/deqp-gles31)
==9129==    by 0x9C9BEE: tcu::TestSessionExecutor::iterate() (in
/home/ilia/src/deqp/modules/gles31/deqp-gles31)
==9129==    by 0x998998: tcu::App::iterate() (in
/home/ilia/src/deqp/modules/gles31/deqp-gles31)
==9129==    by 0x59D847: main (in
/home/ilia/src/deqp/modules/gles31/deqp-gles31)
==9129==  Address 0xd3e8ca4 is 884 bytes inside a block of size 1,040 free'd
==9129==    at 0x4C2B1DC: free (vg_replace_malloc.c:473)
==9129==    by 0xA86E563: _mesa_reference_program_ (program.c:336)
==9129==    by 0xA765282: _mesa_reference_program (program.h:89)
==9129==    by 0xA765282: _mesa_reference_vertprog (program.h:97)
==9129==    by 0xA765282: update_program (state.c:225)
==9129==    by 0xA765282: _mesa_update_state_locked (state.c:473)
==9129==    by 0xA765308: _mesa_update_state (state.c:504)
==9129==    by 0xA992E47: brw_dispatch_compute_common.part.2
(brw_compute.c:118)
==9129==    by 0xA68E34B: _mesa_DispatchCompute (compute.c:44)
==9129==    by 0xCA3545:
deqp::gls::ShaderExecUtil::ComputeShaderExecutor::execute(int, void const*
const*, void* const*) (in /home/ilia/src/deqp/modules/gles31/deqp-gles31)
==9129==    by 0x6F7638:
deqp::gles31::Functional::CommonFunctionCase::iterate() (in
/home/ilia/src/deqp/modules/gles31/deqp-gles31)
==9129==    by 0x5A180A: deqp::gles31::TestCaseWrapper::iterate(tcu::TestCase*)
(in /home/ilia/src/deqp/modules/gles31/deqp-gles31)
==9129==    by 0x9C9BEE: tcu::TestSessionExecutor::iterate() (in
/home/ilia/src/deqp/modules/gles31/deqp-gles31)
==9129==    by 0x998998: tcu::App::iterate() (in
/home/ilia/src/deqp/modules/gles31/deqp-gles31)
==9129==    by 0x59D847: main (in
/home/ilia/src/deqp/modules/gles31/deqp-gles31)

It doesn't happen when running just one test individually, you have to run a
bunch. What I do is

1. Clone https://android.googlesource.com/platform/external/deqp
2. Apply this patch:

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 9760d72..0e7455c 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -66,8 +66,8 @@ endif ()
 include_directories(${ZLIB_INCLUDE_PATH})

 # libpng
-find_path(PNG_INCLUDE_PATH     libpng.h)
-find_library(PNG_LIBRARY       png)
+find_path(PNG_INCLUDE_PATH     png.h)
+find_package(PNG)

 if (NOT PNG_INCLUDE_PATH OR NOT PNG_LIBRARY)
        message(STATUS "System version of libpng not found, using
external/libpng")
diff --git a/framework/platform/X11/tcuX11GlxPlatform.cpp
b/framework/platform/X11/tcuX11GlxPlatform.cpp
index 1f9e9bc..87e263b 100644
--- a/framework/platform/X11/tcuX11GlxPlatform.cpp
+++ b/framework/platform/X11/tcuX11GlxPlatform.cpp
@@ -322,11 +322,11 @@ GLXContext GlxVisual::createContext (const
GlxContextFactory&     factory,

        const int attribs[] =
        {
-               GLX_CONTEXT_MAJOR_VERSION_ARB,  apiType.getMajorVersion(),
-               GLX_CONTEXT_MINOR_VERSION_ARB,  apiType.getMinorVersion(),
+               GLX_CONTEXT_MAJOR_VERSION_ARB,  2,
+               GLX_CONTEXT_MINOR_VERSION_ARB,  0,
                GLX_CONTEXT_FLAGS_ARB,                  0,
                GLX_CONTEXT_PROFILE_MASK_ARB,   profileMask,
-               None
+               0
        };
        return TCU_CHECK_GLX(factory.m_glXCreateContextAttribsARB(
                                                         getXDisplay(),
m_fbConfig, DE_NULL, True, attribs));

3. cmake -DDEQP_TARGET=x11_egl_glx; make -j8
4. cd modules/gles31; MESA_GLES_VERSION_OVERRIDE=3.1 valgrind ./deqp-gles31
--deqp-visibility=hidden |& tee i965-valgrind.log

You should see the above backtraces within a minute or so.

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freedesktop.org/archives/intel-3d-bugs/attachments/20160120/ca93a7b3/attachment.html>

More information about the intel-3d-bugs mailing list