[Mesa-dev] use after free in exec arrays vbo code

Dave Airlie airlied at gmail.com
Tue Mar 26 00:32:49 PDT 2013 

so I've been playing with MSAA in softpipe and saw this, I don't think
any of my code is causing it, but it does take an MSAA test to trigger
it

with texelFetch fs sampler2DMS 4 I get the below valgrind trace

so it looks like we are keeping a reference in ctx->Array._DrawArrays
that is stale, without a reference, it seems to come from the vbo
exec.arrays.input setup.

Dave.

==12086== Invalid read of size 8
==12086==    at 0x62B9632: is_interleaved_arrays (st_atom_array.c:323)
==12086==    by 0x62B9E97: update_array (st_atom_array.c:556)
==12086==    by 0x62B8E7A: st_validate_state (st_atom.c:205)
==12086==    by 0x62C5245: st_Clear (st_cb_clear.c:394)
==12086==    by 0x6150EA9: _mesa_Clear (clear.c:227)
==12086==    by 0x58541CC: shared_dispatch_stub_203 (glapi_mapi_tmp.h:14273)
==12086==    by 0x4C7CA17: stub_glClear (generated_dispatch.c:1713)
==12086==    by 0x40284C: piglit_display (texelFetch.c:141)
==12086==    by 0x4C7718F: run_test (piglit_fbo_framework.c:57)
==12086==    by 0x4C75328: piglit_gl_test_run (piglit-framework-gl.c:127)
==12086==    by 0x4026C0: main (texelFetch.c:90)
==12086==  Address 0xed16c28 is 1,192 bytes inside a block of size 2,200 free'd
==12086==    at 0x4A074C4: free (in
/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==12086==    by 0x6147F97: _mesa_delete_array_object (arrayobj.c:120)
==12086==    by 0x61480B2: _mesa_reference_array_object_ (arrayobj.c:153)
==12086==    by 0x6147D59: _mesa_reference_array_object (arrayobj.h:66)
==12086==    by 0x61488FA: _mesa_DeleteVertexArrays (arrayobj.c:463)
==12086==    by 0x585BCAE: shared_dispatch_stub_683 (glapi_mapi_tmp.h:17633)
==12086==    by 0x403047: draw_rect_core (texelFetch.c:307)
==12086==    by 0x40336F: upload_multisample_data (texelFetch.c:403)
==12086==    by 0x403A05: generate_texture (texelFetch.c:524)
==12086==    by 0x404197: piglit_init (texelFetch.c:800)
==12086==    by 0x4C77172: run_test (piglit_fbo_framework.c:55)
==12086==    by 0x4C75328: piglit_gl_test_run (piglit-framework-gl.c:127)
==12086==

More information about the mesa-dev mailing list