[Bug 93790] [HSW] Use after free with compute programs

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Thu Jan 21 11:28:02 PST 2016


https://bugs.freedesktop.org/show_bug.cgi?id=93790

--- Comment #2 from Ilia Mirkin <imirkin at alum.mit.edu> ---
IMHO this is a pretty serious bug... just repro'd with

bin/arb_shader_image_load_store-semantics -fbo -auto

Program received signal SIGSEGV, Segmentation fault.
update_stage_texture_surfaces (brw=brw@entry=0x7ffff7fcf040, prog=prog@entry=0xd62340,
    stage_state=stage_state@entry=0x7ffff7ff3cf0, for_gather=for_gather@entry=true)
    at brw_wm_surface_state.c:842
842           surf_offset[s] = 0;
(gdb) bt
#0  update_stage_texture_surfaces (brw=brw@entry=0x7ffff7fcf040, prog=prog@entry=0xd62340,
    stage_state=stage_state@entry=0x7ffff7ff3cf0, for_gather=for_gather@entry=true)
    at brw_wm_surface_state.c:842
#1  0x00007ffff03d5bb4 in brw_update_texture_surfaces (brw=0x7ffff7fcf040)
    at brw_wm_surface_state.c:891
#2  0x00007ffff03cdf4f in check_and_emit_atom (atom=0x7ffff7ff5610, state=<synthetic pointer>,
    brw=0x7ffff7fcf040) at brw_state_upload.c:771
#3  brw_upload_pipeline_state (pipeline=BRW_COMPUTE_PIPELINE, brw=0x7ffff7fcf040)
    at brw_state_upload.c:882
#4  brw_upload_compute_state (brw=0x7ffff7fcf040) at brw_state_upload.c:942

(gdb) p *stage_state->prog_data
$2 = {binding_table = {size_bytes = 12, pull_constants_start = 3, texture_start = 1,
    gather_texture_start = 3503345872, ubo_start = 1, ssbo_start = 1,
    abo_start = 3503345872, image_start = 1, shader_time_start = 3503345872},
  nr_params = 2, nr_pull_params = 0, nr_image_params = 2, curb_read_length = 1,
  total_scratch = 0, total_shared = 0, dispatch_grf_start_reg = 4,
  use_alt_mode = false, param = 0xc9f3a0, pull_param = 0x10ef6a0, image_param = 0x10d9070}

which is the same thing as the valgrind complaint. The texgather value gets
overwritten with 0xd0d0d0d0 (consistently so, it seems) and so the surf_offset
is out in la-la land. But the underlying issue appears to be the
use-after-free.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freedesktop.org/archives/intel-3d-bugs/attachments/20160121/a1b16ab9/attachment-0001.html>
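An added illustration of the failure mode in the comment above (not code from Mesa, the bug reporter, or the i965 driver): a prog_data whose binding table is read after the allocation backing it has been released, so that gather_texture_start comes back as 3503345872 (0xd0d0d0d0) and the index derived from it points outside the surface-offset table. The struct field names follow the gdb dump; the arena allocator, the assumption that the repeated 0xd0 byte is a freed-memory fill written by the allocator, the table size of 16 bytes, the helper names and the bounds check are all constructed for this example. The arena keeps ownership of the buffer, so the stale read is defined behaviour here, unlike the real free() in the driver, which is what turns the bug into a crash instead of a clean error.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed free-fill pattern; the comment observes 0xd0d0d0d0 in the
 * stale fields but does not say which allocator writes it. */
#define POISON_BYTE 0xd0u
#define POISON_WORD 0xd0d0d0d0u
#define ARENA_BYTES 256u

/* Subset of the binding table printed by gdb (field names from the dump). */
struct binding_table {
    uint32_t size_bytes;
    uint32_t texture_start;
    uint32_t gather_texture_start;
};

struct prog_data {
    struct binding_table binding_table;
    uint32_t nr_params;
};

/* Constructed stand-in for the driver's allocator: one bump-allocated
 * block whose "free" only poisons the bytes. The buffer stays owned by
 * the arena, so reading it after arena_free() is defined behaviour here. */
struct arena {
    uint8_t buf[ARENA_BYTES];
    size_t used;
};

static void *arena_alloc(struct arena *a, size_t n) {
    if (n > ARENA_BYTES - a->used)
        return NULL;
    void *p = a->buf + a->used;
    a->used += n;
    memset(p, 0, n);
    return p;
}

static void arena_free(struct arena *a, void *p, size_t n) {
    (void)a;
    memset(p, POISON_BYTE, n);
}

/* Number of 32-bit surface slots the table covers. */
static uint32_t bt_slots(const struct binding_table *bt) {
    return bt->size_bytes / 4;
}

/* True if a field carries the fill pattern: a cheap tell that the
 * prog_data it lives in has already been released. */
static bool looks_freed(uint32_t field) {
    return field == POISON_WORD;
}

/* Models the crashing statement, surf_offset[s] = 0, with s counted
 * from gather_texture_start. Returns the slot written, or -1 when the
 * start (stale or otherwise) or the slot falls outside the table. */
static int clear_gather_slot(uint32_t *surf_offset,
                             const struct binding_table *bt,
                             uint32_t tex_unit) {
    uint32_t slots = bt_slots(bt);
    if (looks_freed(bt->gather_texture_start) ||
        bt->gather_texture_start >= slots ||
        tex_unit >= slots - bt->gather_texture_start)
        return -1;
    uint32_t s = bt->gather_texture_start + tex_unit;
    surf_offset[s] = 0;
    return (int)s;
}

/* Allocate a prog_data, release it, then read it through the stale
 * pointer, as the compute pipeline does in the backtrace. Returns the
 * gather_texture_start value seen after the free. */
static uint32_t gather_start_after_free(void) {
    struct arena a = { .used = 0 };
    struct prog_data *pd = arena_alloc(&a, sizeof *pd);
    pd->binding_table.size_bytes = 16;   /* constructed values */
    pd->binding_table.texture_start = 1;
    pd->binding_table.gather_texture_start = 2;
    arena_free(&a, pd, sizeof *pd);      /* prog_data released... */
    return pd->binding_table.gather_texture_start; /* ...but still read */
}

int main(void) {
    uint32_t stale = gather_start_after_free();
    struct binding_table bt = { 16, 1, stale };
    uint32_t surf_offset[4] = { 1, 1, 1, 1 };
    printf("gather_texture_start after free: %u (0x%08x), looks_freed=%d\n",
           (unsigned)stale, (unsigned)stale, looks_freed(stale));
    printf("clear_gather_slot -> %d\n", clear_gather_slot(surf_offset, &bt, 0));
    return 0;
}
```

The bounds check is a diagnostic aid, not a fix: it converts the wild write into a reported error so the stale pointer is caught at the point of use, but the lifetime bug that frees the compute stage's prog_data while the pipeline still references it is what has to be repaired.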

