[Mesa-dev] [Bug 52996] New: Read out of bounds in swizzle_for_size() (MesaLib/src/mesa/program/ir_to_mesa.cpp)

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Tue Jul 31 02:55:13 PDT 2012


https://bugs.freedesktop.org/show_bug.cgi?id=52996

             Bug #: 52996
           Summary: Read out of bounds in swizzle_for_size()
                    (MesaLib/src/mesa/program/ir_to_mesa.cpp)
    Classification: Unclassified
           Product: Mesa
           Version: 7.9
          Platform: Other
        OS/Version: Linux (All)
            Status: NEW
          Severity: normal
          Priority: medium
         Component: Mesa core
        AssignedTo: mesa-dev at lists.freedesktop.org
        ReportedBy: glider at google.com


(See also https://code.google.com/p/chromium/issues/detail?id=139772)

We're running Webkit tests under AddressSanitizer
(http://clang.llvm.org/docs/AddressSanitizer.html) and some tests crash with
the following buffer underflow report:

01:55:19.656 6769 worker/1
fast/canvas/webgl/uniform-location-length-limits.html crashed, (stderr lines):
01:55:19.657 6769   [7927:7927:3005006286302:ERROR:gles2_cmd_decoder.cc(5109)]
PERFORMANCE WARNING: Attribute 0 is disabled. This has signficant performance
penalty
01:55:19.657 6769  
=================================================================
01:55:19.657 6769   ==7927== ERROR: AddressSanitizer global-buffer-overflow on
address 0x7f0450ad2c5c at pc 0x7f045076a9a3 bp 0x7fff39bc8aa0 sp 0x7fff39bc8a98
01:55:19.657 6769   READ of size 4 at 0x7f0450ad2c5c thread T0
01:55:19.676 6769       #0 0x7f045076a9a3 in swizzle_for_size(int)
third_party/mesa/MesaLib/src/mesa/program/ir_to_mesa.cpp:0
01:55:19.676 6769       #1 0x7f045076abc1 in
ir_to_mesa_visitor::visit(ir_dereference_record*)
/mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/third_party/mesa/MesaLib/src/mesa/program/ir_to_mesa.cpp:1547
01:55:19.676 6769       #2 0x7f045076aa3f in
ir_to_mesa_visitor::visit(ir_dereference_record*)
/mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/third_party/mesa/MesaLib/src/mesa/program/ir_to_mesa.cpp:1542
01:55:19.676 6769       #3 0x7f045076adbc in
ir_to_mesa_visitor::visit(ir_assignment*)
/mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/third_party/mesa/MesaLib/src/mesa/program/ir_to_mesa.cpp:1584
01:55:19.676 6769       #4 0x7f045075fc0c in
ir_to_mesa_visitor::visit(ir_function*)
/mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/third_party/mesa/MesaLib/src/mesa/program/ir_to_mesa.cpp:1010
01:55:19.676 6769       #5 0x7f045092900c in visit_exec_list(exec_list*,
ir_visitor*)
/mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/third_party/mesa/MesaLib/src/glsl/ir.cpp:1199
01:55:19.676 6769       #6 0x7f045077275e in get_mesa_program(__GLcontextRec*,
gl_shader_program*, gl_shader*)
/mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/third_party/mesa/MesaLib/src/mesa/program/ir_to_mesa.cpp:2621
01:55:19.676 6769       #7 0x7f04507751a5 in _mesa_ir_link_shader
/mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/third_party/mesa/MesaLib/src/mesa/program/ir_to_mesa.cpp:2812
01:55:19.676 6769       #8 0x7f0450776140 in _mesa_glsl_link_shader
/mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/third_party/mesa/MesaLib/src/mesa/program/ir_to_mesa.cpp:2946
01:55:19.676 6769       #9 0x2b93117 in
gpu::gles2::ProgramManager::ProgramInfo::Link(gpu::gles2::ShaderManager*,
gpu::gles2::ShaderTranslator*, gpu::gles2::ShaderTranslator*,
gpu::gles2::FeatureInfo*)
/mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/gpu/command_buffer/service/program_manager.cc:514
01:55:19.676 6769       #10 0x2b6bd8c in
gpu::gles2::GLES2DecoderImpl::DoLinkProgram(unsigned int)
/mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/gpu/command_buffer/service/gles2_cmd_decoder.cc:4735
01:55:19.676 6769       #11 0x2b54375 in
gpu::gles2::GLES2DecoderImpl::HandleLinkProgram(unsigned int,
gpu::gles2::LinkProgram const&)
/mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/./gpu/command_buffer/service/gles2_cmd_decoder_autogen.h:1437
01:55:19.676 6769       #12 0x2b469de in
gpu::gles2::GLES2DecoderImpl::DoCommand(unsigned int, unsigned int, void
const*)
/mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/gpu/command_buffer/service/gles2_cmd_decoder.cc:3217
01:55:19.693 6769       #13 0x2be2780 in gpu::CommandParser::ProcessCommand()
/mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/gpu/command_buffer/service/cmd_parser.cc:71
01:55:19.693 6769       #14 0x2b86e44 in gpu::GpuScheduler::PutChanged()
/mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/gpu/command_buffer/service/gpu_scheduler.cc:81
01:55:19.693 6769       #15 0x2aface9 in
webkit::gpu::GLInProcessContext::PumpCommands()
/mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/webkit/gpu/webgraphicscontext3d_in_process_command_buffer_impl.cc:251
01:55:19.693 6769       #16 0x2b0a3ed in base::internal::InvokeHelper<false,
void, base::internal::RunnableAdapter<void
(webkit::gpu::GLInProcessContext::*)()>, void
()(webkit::gpu::GLInProcessContext*)>::MakeItSo(base::internal::RunnableAdapter<void
(webkit::gpu::GLInProcessContext::*)()>, webkit::gpu::GLInProcessContext*)
/mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/./base/bind_internal.h:871
01:55:19.706 6769       #17 0x2b0a2bd in base::internal::Invoker<1,
base::internal::BindState<base::internal::RunnableAdapter<void
(webkit::gpu::GLInProcessContext::*)()>, void
()(webkit::gpu::GLInProcessContext*), void
()(base::internal::UnretainedWrapper<webkit::gpu::GLInProcessContext>)>, void
()(webkit::gpu::GLInProcessContext*)>::Run(base::internal::BindStateBase*)
/mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/./base/bind_internal.h:1172
01:55:19.706 6769       #18 0x2b2b5b1 in
gpu::CommandBufferService::FlushSync(int, int)
/mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/gpu/command_buffer/service/command_buffer_service.cc:76
01:55:19.706 6769       #19 0x311dc8d in gpu::CommandBufferHelper::FlushSync()
/mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/gpu/command_buffer/client/cmd_buffer_helper.cc:95
01:55:19.708 6769       #20 0x311dfb8 in gpu::CommandBufferHelper::Finish()
/mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/gpu/command_buffer/client/cmd_buffer_helper.cc:121
01:55:19.708 6769       #21 0x31261a2 in
gpu::gles2::GLES2Implementation::WaitForCmd()
/mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/gpu/command_buffer/client/gles2_implementation.cc:556
01:55:19.708 6769       #22 0x3127339 in
gpu::gles2::GLES2Implementation::GetBucketContents(unsigned int,
std::vector<signed char, std::allocator<signed char> >*)
/mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/gpu/command_buffer/client/gles2_implementation.cc:671
01:55:19.708 6769       #23 0x314bd91 in
gpu::gles2::CachedProgramInfoManager::ProgramInfo::Update(gpu::gles2::GLES2Implementation*,
unsigned int)
/mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/gpu/command_buffer/client/program_info_manager.cc:307
01:55:19.708 6769       #24 0x314cc3a in
gpu::gles2::CachedProgramInfoManager::GetProgramInfo(gpu::gles2::GLES2Implementation*,
unsigned int)
/mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/gpu/command_buffer/client/program_info_manager.cc:375
01:55:19.708 6769       #25 0x314d181 in
gpu::gles2::CachedProgramInfoManager::GetProgramiv(gpu::gles2::GLES2Implementation*,
unsigned int, unsigned int, int*)
/mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/gpu/command_buffer/client/program_info_manager.cc:393
01:55:19.708 6769       #26 0x312adb8 in
gpu::gles2::GLES2Implementation::GetProgramivHelper(unsigned int, unsigned int,
int*)
/mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/gpu/command_buffer/client/gles2_implementation.cc:1338
01:55:19.709 6769       #27 0x2afff63 in
gpu::gles2::GLES2Implementation::GetProgramiv(unsigned int, unsigned int, int*)
/mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/./gpu/command_buffer/client/../client/gles2_implementation_autogen.h:597
01:55:19.709 6769       #28 0x14afddb in
WebCore::WebGLProgram::cacheInfoIfNeeded()
/mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/third_party/WebKit/Source/WebCore/html/canvas/WebGLProgram.cpp:190
01:55:19.709 6769       #29 0x14aff8e in WebCore::WebGLProgram::getLinkStatus()
/mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/third_party/WebKit/Source/WebCore/html/canvas/WebGLProgram.cpp:96
01:55:19.709 6769       #30 0x13f765a in
WebCore::WebGLRenderingContext::getProgramParameter(WebCore::WebGLProgram*,
unsigned int, int&)
/mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/third_party/WebKit/Source/WebCore/html/canvas/WebGLRenderingContext.cpp:2647
01:55:19.709 6769       #31 0x3720535 in
WebCore::V8WebGLRenderingContext::getProgramParameterCallback(v8::Arguments
const&)
/mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/third_party/WebKit/Source/WebCore/bindings/v8/custom/V8WebGLRenderingContextCustom.cpp:360
01:55:19.709 6769       #32 0xdb4851 in v8::internal::MaybeObject*
v8::internal::HandleApiCallHelper<false>(v8::internal::(anonymous
namespace)::BuiltinArguments<(v8::internal::BuiltinExtraArguments)1>,
v8::internal::Isolate*)
/mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/v8/src/builtins.cc:1145
01:55:19.709 6769       #33 0x31338a00618e in  
01:55:19.709 6769       #34 0x31338a096f79 in  
01:55:19.709 6769       #35 0x31338a09cda0 in  
01:55:19.718 6769       #36 0x31338a0098ce in  
01:55:19.718 6769       #37 0x31338a09e2af in  
01:55:19.718 6769       #38 0x31338a023ca7 in  
01:55:19.718 6769       #39 0x31338a011217 in  
01:55:19.718 6769       #40 0xdfaf3f in v8::internal::Invoke(bool,
v8::internal::Handle<v8::internal::JSFunction>,
v8::internal::Handle<v8::internal::Object>, int,
v8::internal::Handle<v8::internal::Object>*, bool*)
/mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/v8/src/execution.cc:118
01:55:19.718 6769       #41 0xd6e7cd in v8::Script::Run()
/mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/v8/src/api.cc:1613
01:55:19.724 6769       #42 0x18604b5 in
WebCore::V8Proxy::runScript(v8::Handle<v8::Script>)
/mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/third_party/WebKit/Source/WebCore/bindings/v8/V8Proxy.cpp:365
01:55:19.724 6769       #43 0x185f6ce in
WebCore::V8Proxy::evaluate(WebCore::ScriptSourceCode const&, WebCore::Node*)
/mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/third_party/WebKit/Source/WebCore/bindings/v8/V8Proxy.cpp:336
01:55:19.724 6769       #44 0x1804e20 in
WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&)
/mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/third_party/WebKit/Source/WebCore/bindings/v8/ScriptController.cpp:204
01:55:19.724 6769       #45 0xa25903 in
WebCore::ScriptElement::executeScript(WebCore::ScriptSourceCode const&)
/mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/third_party/WebKit/Source/WebCore/dom/ScriptElement.cpp:300
01:55:19.724 6769       #46 0xa23501 in
WebCore::ScriptElement::prepareScript(WTF::TextPosition const&,
WebCore::ScriptElement::LegacyTypeSupport)
/mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/third_party/WebKit/Source/WebCore/dom/ScriptElement.cpp:240
01:55:19.724 6769       #47 0x141e18d in
WebCore::HTMLScriptRunner::runScript(WebCore::Element*, WTF::TextPosition
const&)
/mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/third_party/WebKit/Source/WebCore/html/parser/HTMLScriptRunner.cpp:292
01:55:19.724 6769       #48 0x141def2 in
WebCore::HTMLScriptRunner::execute(WTF::PassRefPtr<WebCore::Element>,
WTF::TextPosition const&)
/mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/third_party/WebKit/Source/WebCore/html/parser/HTMLScriptRunner.cpp:172
01:55:19.724 6769       #49 0x1416d4b in ~PassRefPtr
/mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/third_party/WebKit/Source/WTF/wtf/PassRefPtr.h:67
01:55:19.724 6769       #50 0x1416ef8 in
WebCore::HTMLDocumentParser::canTakeNextToken(WebCore::HTMLDocumentParser::SynchronousMode,
WebCore::PumpSession&)
/mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/third_party/WebKit/Source/WebCore/html/parser/HTMLDocumentParser.cpp:217
01:55:19.724 6769       #51 0x1416726 in
WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode)
/mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/third_party/WebKit/Source/WebCore/html/parser/HTMLDocumentParser.cpp:254
01:55:19.724 6769       #52 0x1416ad5 in
WebCore::HTMLDocumentParser::resumeParsingAfterYield()
/mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/third_party/WebKit/Source/WebCore/html/parser/HTMLDocumentParser.cpp:191
01:55:19.724 6769       #53 0x150a978 in
WebCore::ThreadTimers::sharedTimerFiredInternal()
/mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/third_party/WebKit/Source/WebCore/platform/ThreadTimers.cpp:118
01:55:19.724 6769       #54 0x2a9767d in base::internal::InvokeHelper<false,
void, base::internal::RunnableAdapter<void
(webkit_glue::WebKitPlatformSupportImpl::*)()>, void
()(webkit_glue::WebKitPlatformSupportImpl*)>::MakeItSo(base::internal::RunnableAdapter<void
(webkit_glue::WebKitPlatformSupportImpl::*)()>,
webkit_glue::WebKitPlatformSupportImpl*)
/mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/./base/bind_internal.h:871
01:55:19.724 6769       #55 0x2a974ad in base::internal::Invoker<1,
base::internal::BindState<base::internal::RunnableAdapter<void
(webkit_glue::WebKitPlatformSupportImpl::*)()>, void
()(webkit_glue::WebKitPlatformSupportImpl*), void
()(base::internal::UnretainedWrapper<webkit_glue::WebKitPlatformSupportImpl>)>,
void
()(webkit_glue::WebKitPlatformSupportImpl*)>::Run(base::internal::BindStateBase*)
/mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/./base/bind_internal.h:1172
01:55:19.724 6769       #56 0x2e44cad in base::Timer::RunScheduledTask()
/mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/base/timer.cc:184
01:55:19.724 6769       #57 0x2e4529d in base::internal::InvokeHelper<false,
void, base::internal::RunnableAdapter<void (base::BaseTimerTaskInternal::*)()>,
void
()(base::BaseTimerTaskInternal*)>::MakeItSo(base::internal::RunnableAdapter<void
(base::BaseTimerTaskInternal::*)()>, base::BaseTimerTaskInternal*)
/mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/./base/bind_internal.h:871
01:55:19.724 6769       #58 0x2e45158 in base::internal::Invoker<1,
base::internal::BindState<base::internal::RunnableAdapter<void
(base::BaseTimerTaskInternal::*)()>, void ()(base::BaseTimerTaskInternal*),
void ()(base::internal::OwnedWrapper<base::BaseTimerTaskInternal>)>, void
()(base::BaseTimerTaskInternal*)>::Run(base::internal::BindStateBase*)
/mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/./base/bind_internal.h:1172
01:55:19.724 6769       #59 0xa4b523 in MessageLoop::RunTask(base::PendingTask
const&)
/mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/base/message_loop.cc:461
01:55:19.725 6769       #60 0xa4bd3d in
MessageLoop::DeferOrRunPendingTask(base::PendingTask const&)
/mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/base/message_loop.cc:472
01:55:19.725 6769       #61 0xa4c212 in MessageLoop::DoWork()
/mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/base/message_loop.cc:648
01:55:19.725 6769       #62 0xaa7cc5 in base::MessagePumpGlib::HandleDispatch()
/mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/base/message_pump_glib.cc:268
01:55:19.725 6769       #63 0xaa6dc9 in (anonymous
namespace)::WorkSourceDispatch(_GSource*, int (*)(void*), void*)
/mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/base/message_pump_glib.cc:105
01:55:19.725 6769   0x7f0450ad2c5c is located 4 bytes to the left of global
variable 'swizzle_for_size(int)::size_swizzles
(third_party/mesa/MesaLib/src/mesa/program/ir_to_mesa.cpp)' (0x7f0450ad2c60) of
size 16
01:55:19.725 6769   0x7f0450ad2c5c is located 53 bytes to the right of global
variable '.str74 (third_party/mesa/MesaLib/src/mesa/program/ir_to_mesa.cpp)'
(0x7f0450ad2c20) of size 7
01:55:19.725 6769     '.str74
(third_party/mesa/MesaLib/src/mesa/program/ir_to_mesa.cpp)' is ascii string
'%s[%d]'
01:55:19.725 6769   ==7927== ABORTING
01:55:19.728 6769   Shadow byte and word:
01:55:19.733 6769     0x1fe08a15a58b: f9
01:55:19.733 6769     0x1fe08a15a588: f9 f9 f9 f9 00 00 f9 f9
01:55:19.733 6769   More shadow bytes:
01:55:19.733 6769     0x1fe08a15a568: f9 f9 f9 f9 00 00 00 00
01:55:19.733 6769     0x1fe08a15a570: 00 00 00 00 00 00 00 00
01:55:19.733 6769     0x1fe08a15a578: 00 00 00 00 00 00 00 04
01:55:19.733 6769     0x1fe08a15a580: f9 f9 f9 f9 07 f9 f9 f9
01:55:19.733 6769   =>0x1fe08a15a588: f9 f9 f9 f9 00 00 f9 f9
01:55:19.733 6769     0x1fe08a15a590: f9 f9 f9 f9 00 00 00 00
01:55:19.733 6769     0x1fe08a15a598: 00 04 f9 f9 f9 f9 f9 f9
01:55:19.733 6769     0x1fe08a15a5a0: 00 00 00 00 00 04 f9 f9
01:55:19.733 6769     0x1fe08a15a5a8: f9 f9 f9 f9 00 06 f9 f9
01:55:20.101 6748   fast/canvas/webgl/uniform-location-length-limits.html ->
unexpected crash

This is most likely to occur because 0 is passed as an argument to
swizzle_for_size().

Unfortunately it may be hard to check whether the latest Mesa has this bug, so
if there's no obvious way to fix this (I'm not familiar with the code, so I see
none), I can only suggest running Mesa tests under AddressSanitizer.
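The report's numbers point at an index of -1: a 4-byte read 4 bytes to the left of a 16-byte global table is element [-1] of a four-int array, which is what `size - 1` indexing yields for size 0. The following is an added example, not Mesa's code: it models that lookup beside a bounds-checked version. The four-entry table, the `MAKE_SWIZZLE4` encoding and the function names are assumptions standing in for Mesa's `size_swizzles`.

```c
/* Added example, not Mesa's code: a model of the swizzle_for_size() lookup
 * the report describes, beside a bounds-checked version. The 4-entry table
 * and the 3-bits-per-component encoding are assumptions standing in for
 * Mesa's size_swizzles / MAKE_SWIZZLE4; only the indexing matters here. */
#include <stdio.h>

enum { SWIZZLE_X = 0, SWIZZLE_Y = 1, SWIZZLE_Z = 2, SWIZZLE_W = 3 };
#define MAKE_SWIZZLE4(a, b, c, d) ((a) | ((b) << 3) | ((c) << 6) | ((d) << 9))

/* One swizzle per vector size 1..4: four ints, the 16-byte global in the report. */
static const int size_swizzles[4] = {
    MAKE_SWIZZLE4(SWIZZLE_X, SWIZZLE_X, SWIZZLE_X, SWIZZLE_X),
    MAKE_SWIZZLE4(SWIZZLE_X, SWIZZLE_Y, SWIZZLE_Y, SWIZZLE_Y),
    MAKE_SWIZZLE4(SWIZZLE_X, SWIZZLE_Y, SWIZZLE_Z, SWIZZLE_Z),
    MAKE_SWIZZLE4(SWIZZLE_X, SWIZZLE_Y, SWIZZLE_Z, SWIZZLE_W),
};

/* The pattern in the report: size-1 indexing with no runtime check.
 * size == 0 reads size_swizzles[-1], 4 bytes left of the table, which is
 * exactly the global-buffer-overflow ASan flagged. Only ever called with
 * a valid size in this example. */
static int swizzle_for_size_unchecked(int size)
{
    return size_swizzles[size - 1];
}

/* Hardened form: validate before indexing and report failure to the caller
 * instead of relying on an assert() that release builds compile out. */
#define SWIZZLE_INVALID (-1)

static int swizzle_for_size_checked(int size)
{
    if (size < 1 || size > 4)
        return SWIZZLE_INVALID;
    return size_swizzles[size - 1];
}

/* Check a caller can apply to a component count before asking for a swizzle
 * (a 0-component value is what the reporter suspects reached the function). */
static int vector_size_is_valid(int size)
{
    return size >= 1 && size <= 4;
}

int main(void)
{
    for (int size = 0; size <= 5; size++) {
        int s = swizzle_for_size_checked(size);
        if (s == SWIZZLE_INVALID)
            printf("size %d: rejected (would read size_swizzles[%d])\n", size, size - 1);
        else
            printf("size %d: swizzle 0x%03x (unchecked agrees: %d)\n", size, s,
                   s == swizzle_for_size_unchecked(size));
    }
    return 0;
}
```

Run under AddressSanitizer, only the unchecked variant with size 0 would reproduce the report's left-of-global read; the checked variant turns the same input into a recoverable error.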
