[Mesa-dev] use after free in exec arrays vbo code

Marek Olšák maraeo at gmail.com
Tue Mar 26 18:21:41 PDT 2013


Does this patch help?

Marek

On Tue, Mar 26, 2013 at 8:32 AM, Dave Airlie <airlied at gmail.com> wrote:
> so I've been playing with MSAA in softpipe and saw this, I don't think
> any of my code is causing it, but it does take an MSAA test to trigger
> it
>
> with texelFetch fs sampler2DMS 4 I get the below valgrind trace
>
> so it looks like we are keeping a reference in ctx->Array._DrawArrays
> that is stale, without a reference, it seems to come from the vbo
> exec.arrays.input setup.
>
> Dave.
>
> ==12086== Invalid read of size 8
> ==12086==    at 0x62B9632: is_interleaved_arrays (st_atom_array.c:323)
> ==12086==    by 0x62B9E97: update_array (st_atom_array.c:556)
> ==12086==    by 0x62B8E7A: st_validate_state (st_atom.c:205)
> ==12086==    by 0x62C5245: st_Clear (st_cb_clear.c:394)
> ==12086==    by 0x6150EA9: _mesa_Clear (clear.c:227)
> ==12086==    by 0x58541CC: shared_dispatch_stub_203 (glapi_mapi_tmp.h:14273)
> ==12086==    by 0x4C7CA17: stub_glClear (generated_dispatch.c:1713)
> ==12086==    by 0x40284C: piglit_display (texelFetch.c:141)
> ==12086==    by 0x4C7718F: run_test (piglit_fbo_framework.c:57)
> ==12086==    by 0x4C75328: piglit_gl_test_run (piglit-framework-gl.c:127)
> ==12086==    by 0x4026C0: main (texelFetch.c:90)
> ==12086==  Address 0xed16c28 is 1,192 bytes inside a block of size 2,200 free'd
> ==12086==    at 0x4A074C4: free (in
> /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
> ==12086==    by 0x6147F97: _mesa_delete_array_object (arrayobj.c:120)
> ==12086==    by 0x61480B2: _mesa_reference_array_object_ (arrayobj.c:153)
> ==12086==    by 0x6147D59: _mesa_reference_array_object (arrayobj.h:66)
> ==12086==    by 0x61488FA: _mesa_DeleteVertexArrays (arrayobj.c:463)
> ==12086==    by 0x585BCAE: shared_dispatch_stub_683 (glapi_mapi_tmp.h:17633)
> ==12086==    by 0x403047: draw_rect_core (texelFetch.c:307)
> ==12086==    by 0x40336F: upload_multisample_data (texelFetch.c:403)
> ==12086==    by 0x403A05: generate_texture (texelFetch.c:524)
> ==12086==    by 0x404197: piglit_init (texelFetch.c:800)
> ==12086==    by 0x4C77172: run_test (piglit_fbo_framework.c:55)
> ==12086==    by 0x4C75328: piglit_gl_test_run (piglit-framework-gl.c:127)
> ==12086==
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-mesa-fix-use-after-free-with-a-stale-pointer-in-_Dra.patch
Type: application/octet-stream
Size: 1155 bytes
Desc: not available
URL: <http://lists.freedesktop.org/archives/mesa-dev/attachments/20130327/929663d5/attachment.obj>
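To make the lifetime problem Dave describes concrete, here is an added example that is not Mesa code and not the attached patch: a reduced model in which a cached pointer (standing in for ctx->Array._DrawArrays) either holds a bare pointer into a reference-counted array object, which dangles once the bound object is deleted, or holds its own reference, which keeps the object alive. The names reference_array_object and run_scenario are constructed here and only loosely modelled on _mesa_reference_array_object.

```c
#include <stdlib.h>
/* Constructed stand-ins, not Mesa code: a reference-counted vertex array
 * object and a context whose 'draw_arrays' plays the role of
 * ctx->Array._DrawArrays, the cached pointer from the valgrind trace. */
struct array_object { int refcount; };
struct context { struct array_object *bound; struct array_object *draw_arrays; };
static int freed_objects; /* counts frees so the outcome can be checked */

/* Modelled on _mesa_reference_array_object: release the old target, take a
 * reference on the new one, free the object when its count drops to zero. */
static void reference_array_object(struct array_object **ptr, struct array_object *obj)
{
    if (*ptr == obj)
        return;
    if (*ptr && --(*ptr)->refcount == 0) {
        free(*ptr);
        freed_objects++;
    }
    *ptr = NULL;
    if (obj) {
        obj->refcount++;
        *ptr = obj;
    }
}

/* Returns 1 if the cached pointer is left dangling after the bound VAO is
 * deleted, 0 if it stays valid. take_ref=0 reproduces the bug (bare pointer
 * in the cache); take_ref=1 is the fix (the cache holds its own reference). */
static int run_scenario(int take_ref)
{
    struct context ctx = { NULL, NULL };
    struct array_object *vao = calloc(1, sizeof *vao);
    int dangling;
    if (!vao)
        return -1;
    reference_array_object(&ctx.bound, vao);           /* bind: refcount 1 */
    if (take_ref)
        reference_array_object(&ctx.draw_arrays, vao); /* refcount 2 */
    else
        ctx.draw_arrays = vao;                         /* no reference taken */
    reference_array_object(&ctx.bound, NULL); /* glDeleteVertexArrays on it */
    dangling = (freed_objects == 1 && ctx.draw_arrays != NULL);
    if (take_ref)
        reference_array_object(&ctx.draw_arrays, NULL); /* last ref: freed now */
    else
        ctx.draw_arrays = NULL; /* already freed; never dereference it */
    freed_objects = 0;
    return dangling;
}
```

The buggy path never reads through the freed pointer, so it runs cleanly even without valgrind; in the real driver the equivalent read is what is_interleaved_arrays performed in the trace above.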

