<html>
    <head>
      <base href="https://bugs.freedesktop.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - test_optpass has use after free bug, failing with memory testing tools like address sanitizer"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=108636">108636</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>test_optpass has use after free bug, failing with memory testing tools like address sanitizer
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>Mesa
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>git
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>Other
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>minor
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>medium
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>glsl-compiler
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>mesa-dev@lists.freedesktop.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>hanno@hboeck.de
          </td>
        </tr>

        <tr>
          <th>QA Contact</th>
          <td>intel-3d-bugs@lists.freedesktop.org
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Created <span class=""><a href="attachment.cgi?id=142340" name="attach_142340" title="patch to fix use after free in test_optpass.">attachment 142340</a> <a href="attachment.cgi?id=142340&action=edit" title="patch to fix use after free in test_optpass.">[details]</a></span> <a href='page.cgi?id=splinter.html&bug=108636&attachment=142340'>[review]</a>
patch to fix use after free in test_optpass.

When compiling mesa with address sanitizer (-fsanitize=address) and running the
test suite a use after free bug is exposed in test_optpass.cpp.

This is the code:

   ralloc_free(state);
   ralloc_free(shader);

   return state->error;

This is obviously not correct. First state is free'd and then state->error is
used as the return value.

Given this is only a test this is not severe, yet it still should be fixed so
mesa can easily be tested with address sanitizer or other memory safety check
tools.

See attached patch (works on both git and 18.2.4), I'm saving state->error to a
variable and then returning that.</pre>
        </div>
      </p>


      <hr>
      <span>You are receiving this mail because:</span>

      <ul>
          <li>You are the QA Contact for the bug.</li>
      </ul>
    </body>
</html>