[Mesa-dev] [Bug 99677] heap-use-after-free in glsl
bugzilla-daemon at freedesktop.org
Sat Feb 4 15:50:18 UTC 2017
https://bugs.freedesktop.org/show_bug.cgi?id=99677
Bug ID: 99677
Summary: heap-use-after-free in glsl
Product: Mesa
Version: git
Hardware: x86-64 (AMD64)
OS: Linux (All)
Status: NEW
Severity: normal
Priority: medium
Component: glsl-compiler
Assignee: mesa-dev at lists.freedesktop.org
Reporter: bartosz.tomczyk86 at gmail.com
QA Contact: intel-3d-bugs at lists.freedesktop.org
Address Sanitizer reports a use-after-free in the glsl compiler.
Steps to reproduce: build mesa with address sanitizer enabled and run the piglit
test glsl-es-3.00/compiler/no-unsized-arrays-01.vert fail 3.0:
==27336==ERROR: AddressSanitizer: heap-use-after-free on address 0x61000024ddb0
at pc 0x7f62c7771443 bp 0x7ffec46303b0 sp 0x7ffec46303a8
READ of size 4 at 0x61000024ddb0 thread T0
#0 0x7f62c7771442 in ast_declarator_list::hir(exec_list*,
_mesa_glsl_parse_state*)
/home/bartek/Devel/mesa/src/compiler/glsl/ast_to_hir.cpp:5266:24
#1 0x7f62c774d6ba in ast_compound_statement::hir(exec_list*,
_mesa_glsl_parse_state*)
/home/bartek/Devel/mesa/src/compiler/glsl/ast_to_hir.cpp:2217:12
#2 0x7f62c779f624 in ast_function_definition::hir(exec_list*,
_mesa_glsl_parse_state*)
/home/bartek/Devel/mesa/src/compiler/glsl/ast_to_hir.cpp:5834:16
#3 0x7f62c7712506 in _mesa_ast_to_hir(exec_list*, _mesa_glsl_parse_state*)
/home/bartek/Devel/mesa/src/compiler/glsl/ast_to_hir.cpp:155:12
#4 0x7f62c7dd5e38 in _mesa_glsl_compile_shader
/home/bartek/Devel/mesa/src/compiler/glsl/glsl_parser_extras.cpp:1944:7
#5 0x7f62c68b8801 in _mesa_compile_shader
/home/bartek/Devel/mesa/src/mesa/main/shaderapi.c:1039:7
#6 0x7f62c68bf323 in _mesa_CompileShader
/home/bartek/Devel/mesa/src/mesa/main/shaderapi.c:1392:4
#7 0x7f62d4e5f37f in stub_glCompileShader
/home/bartek/Devel/piglit/build/tests/util/piglit-dispatch-gen.c:6974
#8 0x401dd6 in test
/home/bartek/Devel/piglit/tests/glslparsertest/glslparsertest.c:303
#9 0x40250f in piglit_init
/home/bartek/Devel/piglit/tests/glslparsertest/glslparsertest.c:543
#10 0x7f62d4ef75bf in run_test
/home/bartek/Devel/piglit/tests/util/piglit-framework-gl/piglit_winsys_framework.c:73
#11 0x7f62d4edc1fb in piglit_gl_test_run
/home/bartek/Devel/piglit/tests/util/piglit-framework-gl.c:203
#12 0x40183d in main
/home/bartek/Devel/piglit/tests/glslparsertest/glslparsertest.c:90
#13 0x7f62d173c290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)
#14 0x401629 in _start
(/home/bartek/Devel/piglit/bin/glslparsertest_gles2+0x401629)
0x61000024ddb0 is located 112 bytes inside of 192-byte region
[0x61000024dd40,0x61000024de00)
freed by thread T0 here:
#0 0x7f62d5295310 in __interceptor_cfree.localalias.1
/build/llvm-svn/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:55
#1 0x7f62c80dc88d in unsafe_free
/home/bartek/Devel/mesa/src/util/ralloc.c:268:4
#2 0x7f62c80db4da in ralloc_free
/home/bartek/Devel/mesa/src/util/ralloc.c:231:4
#3 0x7f62c780b200 in exec_node::operator delete(void*)
/home/bartek/Devel/mesa/src/compiler/../../src/compiler/glsl/list.h:59:4
#4 0x7f62c7f2c515 in ir_variable::~ir_variable()
/home/bartek/Devel/mesa/src/compiler/../../src/compiler/glsl/ir.h:420:7
#5 0x7f62c7789d36 in get_variable_being_redeclared(ir_variable*, YYLTYPE,
_mesa_glsl_parse_state*, bool)
/home/bartek/Devel/mesa/src/compiler/glsl/ast_to_hir.cpp:4001:7
#6 0x7f62c776fec1 in ast_declarator_list::hir(exec_list*,
_mesa_glsl_parse_state*)
/home/bartek/Devel/mesa/src/compiler/glsl/ast_to_hir.cpp:5210:10
#7 0x7f62c774d6ba in ast_compound_statement::hir(exec_list*,
_mesa_glsl_parse_state*)
/home/bartek/Devel/mesa/src/compiler/glsl/ast_to_hir.cpp:2217:12
#8 0x7f62c779f624 in ast_function_definition::hir(exec_list*,
_mesa_glsl_parse_state*)
/home/bartek/Devel/mesa/src/compiler/glsl/ast_to_hir.cpp:5834:16
#9 0x7f62c7712506 in _mesa_ast_to_hir(exec_list*, _mesa_glsl_parse_state*)
/home/bartek/Devel/mesa/src/compiler/glsl/ast_to_hir.cpp:155:12
#10 0x7f62c7dd5e38 in _mesa_glsl_compile_shader
/home/bartek/Devel/mesa/src/compiler/glsl/glsl_parser_extras.cpp:1944:7
#11 0x7f62c68b8801 in _mesa_compile_shader
/home/bartek/Devel/mesa/src/mesa/main/shaderapi.c:1039:7
#12 0x7f62c68bf323 in _mesa_CompileShader
/home/bartek/Devel/mesa/src/mesa/main/shaderapi.c:1392:4
#13 0x7f62d4e5f37f in stub_glCompileShader
/home/bartek/Devel/piglit/build/tests/util/piglit-dispatch-gen.c:6974
#14 0x401dd6 in test
/home/bartek/Devel/piglit/tests/glslparsertest/glslparsertest.c:303
#15 0x40250f in piglit_init
/home/bartek/Devel/piglit/tests/glslparsertest/glslparsertest.c:543
#16 0x7f62d4ef75bf in run_test
/home/bartek/Devel/piglit/tests/util/piglit-framework-gl/piglit_winsys_framework.c:73
#17 0x7f62d4edc1fb in piglit_gl_test_run
/home/bartek/Devel/piglit/tests/util/piglit-framework-gl.c:203
#18 0x40183d in main
/home/bartek/Devel/piglit/tests/glslparsertest/glslparsertest.c:90
#19 0x7f62d173c290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)
previously allocated by thread T0 here:
#0 0x7f62d52954c8 in __interceptor_malloc
/build/llvm-svn/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66
#1 0x7f62c80d95d2 in ralloc_size
/home/bartek/Devel/mesa/src/util/ralloc.c:113:18
#2 0x7f62c80da2cc in rzalloc_size
/home/bartek/Devel/mesa/src/util/ralloc.c:145:16
#3 0x7f62c61b9808 in exec_node::operator new(unsigned long, void*)
/home/bartek/Devel/mesa/src/mesa/../../src/compiler/glsl/list.h:59:4
#4 0x7f62c7762e1c in ast_declarator_list::hir(exec_list*,
_mesa_glsl_parse_state*)
/home/bartek/Devel/mesa/src/compiler/glsl/ast_to_hir.cpp:4789:13
#5 0x7f62c774d6ba in ast_compound_statement::hir(exec_list*,
_mesa_glsl_parse_state*)
/home/bartek/Devel/mesa/src/compiler/glsl/ast_to_hir.cpp:2217:12
#6 0x7f62c779f624 in ast_function_definition::hir(exec_list*,
_mesa_glsl_parse_state*)
/home/bartek/Devel/mesa/src/compiler/glsl/ast_to_hir.cpp:5834:16
#7 0x7f62c7712506 in _mesa_ast_to_hir(exec_list*, _mesa_glsl_parse_state*)
/home/bartek/Devel/mesa/src/compiler/glsl/ast_to_hir.cpp:155:12
#8 0x7f62c7dd5e38 in _mesa_glsl_compile_shader
/home/bartek/Devel/mesa/src/compiler/glsl/glsl_parser_extras.cpp:1944:7
#9 0x7f62c68b8801 in _mesa_compile_shader
/home/bartek/Devel/mesa/src/mesa/main/shaderapi.c:1039:7
#10 0x7f62c68bf323 in _mesa_CompileShader
/home/bartek/Devel/mesa/src/mesa/main/shaderapi.c:1392:4
#11 0x7f62d4e5f37f in stub_glCompileShader
/home/bartek/Devel/piglit/build/tests/util/piglit-dispatch-gen.c:6974
#12 0x401dd6 in test
/home/bartek/Devel/piglit/tests/glslparsertest/glslparsertest.c:303
#13 0x40250f in piglit_init
/home/bartek/Devel/piglit/tests/glslparsertest/glslparsertest.c:543
#14 0x7f62d4ef75bf in run_test
/home/bartek/Devel/piglit/tests/util/piglit-framework-gl/piglit_winsys_framework.c:73
#15 0x7f62d4edc1fb in piglit_gl_test_run
/home/bartek/Devel/piglit/tests/util/piglit-framework-gl.c:203
#16 0x40183d in main
/home/bartek/Devel/piglit/tests/glslparsertest/glslparsertest.c:90
#17 0x7f62d173c290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)
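A triage aid for reports of this shape, added here as an example; it is not part of the bug report or of Mesa. It splits an AddressSanitizer heap-use-after-free report into its use, free and allocation stacks and finds the innermost function present on all three. The names parse_stacks and shared_frame are this example's own, and the embedded report is abridged from the trace above.

```python
import re

# Abridged from the report above: wrapped frames joined, paths shortened to the
# file name, allocator/test-harness frames dropped.
REPORT = """\
==27336==ERROR: AddressSanitizer: heap-use-after-free on address 0x61000024ddb0
READ of size 4 at 0x61000024ddb0 thread T0
    #0 0x7f62c7771442 in ast_declarator_list::hir(exec_list*, _mesa_glsl_parse_state*) ast_to_hir.cpp:5266:24
    #1 0x7f62c774d6ba in ast_compound_statement::hir(exec_list*, _mesa_glsl_parse_state*) ast_to_hir.cpp:2217:12
freed by thread T0 here:
    #2 0x7f62c80db4da in ralloc_free ralloc.c:231:4
    #4 0x7f62c7f2c515 in ir_variable::~ir_variable() ir.h:420:7
    #5 0x7f62c7789d36 in get_variable_being_redeclared(ir_variable*, YYLTYPE, _mesa_glsl_parse_state*, bool) ast_to_hir.cpp:4001:7
    #6 0x7f62c776fec1 in ast_declarator_list::hir(exec_list*, _mesa_glsl_parse_state*) ast_to_hir.cpp:5210:10
previously allocated by thread T0 here:
    #2 0x7f62c80da2cc in rzalloc_size ralloc.c:145:16
    #3 0x7f62c61b9808 in exec_node::operator new(unsigned long, void*) list.h:59:4
    #4 0x7f62c7762e1c in ast_declarator_list::hir(exec_list*, _mesa_glsl_parse_state*) ast_to_hir.cpp:4789:13
"""

FRAME = re.compile(r"#\d+ 0x[0-9a-f]+ in (.+) (\S+?):(\d+)(?::\d+)?$")
SECTIONS = (("READ of size", "use"), ("WRITE of size", "use"),
            ("freed by thread", "free"), ("previously allocated by", "alloc"))

def parse_stacks(report):
    """Split an ASan use-after-free report into use/free/alloc frame lists."""
    stacks, current = {}, None
    for line in report.splitlines():
        line = line.strip()
        for prefix, name in SECTIONS:
            if line.startswith(prefix):
                current = stacks.setdefault(name, [])
        m = FRAME.search(line)
        if m and current is not None:
            func = m.group(1).split("(")[0]  # drop the argument list
            current.append((func, m.group(2), int(m.group(3))))
    return stacks

def shared_frame(stacks):
    """Innermost function on the use stack that is also on the alloc and free stacks."""
    for func, path, use_line in stacks.get("use", []):
        hit = {"function": func, "file": path, "use": use_line}
        for kind in ("alloc", "free"):
            lines = [l for f, p, l in stacks.get(kind, []) if (f, p) == (func, path)]
            if lines:
                hit[kind] = lines[0]
        if len(hit) == 5:  # function, file, use, alloc, free all present
            return hit
    return None
```

For this report the shared frame is ast_declarator_list::hir: the object is allocated at line 4789, destroyed through the call made at line 5210, and read at line 5266 of the same function, so the stale pointer is a local of that function.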