[Mesa-dev] [Bug 101829] read-after-free in st_framebuffer_validate

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Tue Jul 18 19:25:12 UTC 2017


https://bugs.freedesktop.org/show_bug.cgi?id=101829

--- Comment #3 from Gert Wollny <gw.fossdev at gmail.com> ---
I can confirm that the trace results in a SIGSEGV, but with gltrace on r600g I
get a different backtrace (9ee67467c9ea + a patchset related to register
merging that shouldn't have anything to do with the bug)

valgrind glretrace Downloads/example.trace
==8227== Memcheck, a memory error detector
==8227== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==8227== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==8227== Command: glretrace Downloads/example.trace
==8227== 
==8227== Invalid read of size 4
==8227==    at 0x9A9AC88: st_framebuffers_purge (st_manager.c:509)
==8227==    by 0x9A9AC88: st_api_make_current (st_manager.c:872)
==8227==    by 0x9C457CD: dri_make_current (dri_context.c:278)
==8227==    by 0x9C44283: driBindContext (dri_util.c:559)
==8227==    by 0x77425EA: dri2_bind_context (dri2_glx.c:154)
==8227==    by 0x771930B: MakeContextCurrent (glxcurrent.c:228)
==8227==    by 0x40A406: glws::makeCurrentInternal(glws::Drawable*,
glws::Context*) (glws_glx.cpp:370)
==8227==    by 0x412C3E: makeCurrent (glws.hpp:213)
==8227==    by 0x412C3E: glretrace::makeCurrent(trace::Call&, glws::Drawable*,
glretrace::Context*) (glretrace_ws.cpp:170)
==8227==    by 0x40C8BC: retrace::retraceCall(trace::Call*)
(retrace_main.cpp:233)
==8227==    by 0x40CE2F: runLeg (retrace_main.cpp:386)
==8227==    by 0x40CE2F: runRace (retrace_main.cpp:364)
==8227==    by 0x40CE2F: retrace::RelayRace::run() (retrace_main.cpp:505)
==8227==    by 0x407D97: mainLoop (retrace_main.cpp:565)
==8227==    by 0x407D97: main (retrace_main.cpp:880)
==8227==  Address 0x1604d964 is 4 bytes inside a block of size 480 free'd
==8227==    at 0x4C2BD2B: free (vg_replace_malloc.c:530)
==8227==    by 0x9C44F3D: dri_put_drawable.part.3 (dri_util.c:642)
==8227==    by 0x7741337: dri2DestroyDrawable (dri2_glx.c:343)
==8227==    by 0x773EEC9: driReleaseDrawables (dri_common.c:452)
==8227==    by 0x77425C1: dri2_bind_context (dri2_glx.c:142)
==8227==    by 0x771930B: MakeContextCurrent (glxcurrent.c:228)
==8227==    by 0x40A406: glws::makeCurrentInternal(glws::Drawable*,
glws::Context*) (glws_glx.cpp:370)
==8227==    by 0x412C3E: makeCurrent (glws.hpp:213)
==8227==    by 0x412C3E: glretrace::makeCurrent(trace::Call&, glws::Drawable*,
glretrace::Context*) (glretrace_ws.cpp:170)
==8227==    by 0x40C8BC: retrace::retraceCall(trace::Call*)
(retrace_main.cpp:233)
==8227==    by 0x40CE2F: runLeg (retrace_main.cpp:386)
==8227==    by 0x40CE2F: runRace (retrace_main.cpp:364)
==8227==    by 0x40CE2F: retrace::RelayRace::run() (retrace_main.cpp:505)
==8227==    by 0x407D97: mainLoop (retrace_main.cpp:565)
==8227==    by 0x407D97: main (retrace_main.cpp:880)
==8227==  Block was alloc'd at
==8227==    at 0x4C2CB0D: calloc (vg_replace_malloc.c:711)
==8227==    by 0x9C46199: dri_create_buffer (dri_drawable.c:139)
==8227==    by 0x9C49D83: dri2_create_buffer (dri2.c:2196)
==8227==    by 0x9C450A3: driCreateNewDrawable (dri_util.c:671)
==8227==    by 0x774127C: dri2CreateDrawable (dri2_glx.c:405)
==8227==    by 0x773ED9F: driFetchDrawable (dri_common.c:410)
==8227==    by 0x77425A8: dri2_bind_context (dri2_glx.c:139)
==8227==    by 0x771930B: MakeContextCurrent (glxcurrent.c:228)
==8227==    by 0x40A406: glws::makeCurrentInternal(glws::Drawable*,
glws::Context*) (glws_glx.cpp:370)
==8227==    by 0x412C3E: makeCurrent (glws.hpp:213)
==8227==    by 0x412C3E: glretrace::makeCurrent(trace::Call&, glws::Drawable*,
glretrace::Context*) (glretrace_ws.cpp:170)
==8227==    by 0x40C8BC: retrace::retraceCall(trace::Call*)
(retrace_main.cpp:233)
==8227==    by 0x40CE2F: runLeg (retrace_main.cpp:386)
==8227==    by 0x40CE2F: runRace (retrace_main.cpp:364)
==8227==    by 0x40CE2F: retrace::RelayRace::run() (retrace_main.cpp:505)
739: message: api issue 1: FBO incomplete: no attachments and default width or
height is 0 [-1]
==8227== Conditional jump or move depends on uninitialised value(s)
==8227==    at 0x4C327D2: __memcmp_sse4_1 (vg_replace_strmem.c:1099)
==8227==    by 0x9F12F2F: r600_set_vertex_buffers (r600_state_common.c:550)
==8227==    by 0x9D4EDE0: u_vbuf_set_driver_vertex_buffers (u_vbuf.c:1116)
==8227==    by 0x9D52394: u_vbuf_draw_vbo (u_vbuf.c:1140)
==8227==    by 0x9A6018B: st_draw_vbo (st_draw.c:222)
==8227==    by 0x9A0A379: vbo_validated_drawrangeelements
(vbo_exec_array.c:918)
==8227==    by 0x9A0AB05: vbo_exec_DrawRangeElementsBaseVertex
(vbo_exec_array.c:1019)
==8227==    by 0x9A0AD6A: vbo_exec_DrawRangeElements (vbo_exec_array.c:1039)
==8227==    by 0x9938B6F: _mesa_unmarshal_DrawRangeElements
(marshal_generated.c:21699)
==8227==    by 0x9938B6F: _mesa_unmarshal_dispatch_cmd
(marshal_generated.c:41346)
==8227==    by 0x98ED96C: glthread_unmarshal_batch (glthread.c:53)
==8227==    by 0x98EDC54: _mesa_glthread_finish (glthread.c:209)
==8227==    by 0x98FF573: _mesa_marshal_GetError (marshal_generated.c:12286)
==8227== 
==8227== Conditional jump or move depends on uninitialised value(s)
==8227==    at 0x9F15A4D: r600_draw_vbo (r600_state_common.c:1806)
==8227==    by 0x9D521DB: u_vbuf_draw_vbo (u_vbuf.c:1143)
==8227==    by 0x9A6018B: st_draw_vbo (st_draw.c:222)
==8227==    by 0x9A0A379: vbo_validated_drawrangeelements
(vbo_exec_array.c:918)
==8227==    by 0x9A0AB05: vbo_exec_DrawRangeElementsBaseVertex
(vbo_exec_array.c:1019)
==8227==    by 0x9A0AD6A: vbo_exec_DrawRangeElements (vbo_exec_array.c:1039)
==8227==    by 0x9938B6F: _mesa_unmarshal_DrawRangeElements
(marshal_generated.c:21699)
==8227==    by 0x9938B6F: _mesa_unmarshal_dispatch_cmd
(marshal_generated.c:41346)
==8227==    by 0x98ED96C: glthread_unmarshal_batch (glthread.c:53)
==8227==    by 0x98EDC54: _mesa_glthread_finish (glthread.c:209)
==8227==    by 0x98FF573: _mesa_marshal_GetError (marshal_generated.c:12286)
==8227==    by 0x412530: glretrace::checkGlError(trace::Call&)
(glretrace_main.cpp:94)
==8227==    by 0x4C2256: retrace_glDrawRangeElements(trace::Call&)
(glretrace_gl.cpp:10574)
==8227== 
==8227== Conditional jump or move depends on uninitialised value(s)
==8227==    at 0x9F15A4D: r600_draw_vbo (r600_state_common.c:1806)
==8227==    by 0x9D521DB: u_vbuf_draw_vbo (u_vbuf.c:1143)
==8227==    by 0x9A6018B: st_draw_vbo (st_draw.c:222)
==8227==    by 0x9A0986F: vbo_draw_arrays (vbo_exec_array.c:486)
==8227==    by 0x9A09DE9: vbo_exec_DrawArrays (vbo_exec_array.c:641)
==8227==    by 0x993476D: _mesa_unmarshal_DrawArrays
(marshal_generated.c:26211)
==8227==    by 0x993476D: _mesa_unmarshal_dispatch_cmd
(marshal_generated.c:41754)
==8227==    by 0x98ED96C: glthread_unmarshal_batch (glthread.c:53)
==8227==    by 0x98EDC54: _mesa_glthread_finish (glthread.c:209)
==8227==    by 0x98FF573: _mesa_marshal_GetError (marshal_generated.c:12286)
==8227==    by 0x412530: glretrace::checkGlError(trace::Call&)
(glretrace_main.cpp:94)
==8227==    by 0x4C51FE: retrace_glDrawArrays(trace::Call&)
(glretrace_gl.cpp:9435)
==8227==    by 0x40C8BC: retrace::retraceCall(trace::Call*)
(retrace_main.cpp:233)
==8227== 
==8227== Invalid read of size 8
==8227==    at 0x5C134E: retrace_glXMakeContextCurrent(trace::Call&)
(glretrace_glx.cpp:194)
==8227==    by 0x40C8BC: retrace::retraceCall(trace::Call*)
(retrace_main.cpp:233)
==8227==    by 0x40CE2F: runLeg (retrace_main.cpp:386)
==8227==    by 0x40CE2F: runRace (retrace_main.cpp:364)
==8227==    by 0x40CE2F: retrace::RelayRace::run() (retrace_main.cpp:505)
==8227==    by 0x407D97: mainLoop (retrace_main.cpp:565)
==8227==    by 0x407D97: main (retrace_main.cpp:880)
==8227==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==8227== 
apitrace: warning: caught signal 11
4128: error: caught an unhandled exception
glretrace+0x239054
/lib64/libpthread.so.0+0x10bbf
glretrace+0x1c134e
glretrace+0xc8bc
glretrace+0xce2f
glretrace+0x7d97
/lib64/libc.so.6: __libc_start_main+0xef
glretrace: _start+0x28
?
apitrace: info: taking default action for signal 11
==8227== 
==8227== Process terminating with default action of signal 11 (SIGSEGV)
==8227==    at 0x518AA79: raise (pt-raise.c:35)
==8227==    by 0x63912B: os::signalHandler(int, siginfo_t*, void*)
(os_posix.cpp:357)
==8227==    by 0x518ABBF: ??? (in /lib64/libpthread-2.23.so)
==8227==    by 0x5C134D: retrace_glXMakeContextCurrent(trace::Call&)
(glretrace_glx.cpp:194)
==8227==    by 0x40C8BC: retrace::retraceCall(trace::Call*)
(retrace_main.cpp:233)
==8227==    by 0x40CE2F: runLeg (retrace_main.cpp:386)
==8227==    by 0x40CE2F: runRace (retrace_main.cpp:364)
==8227==    by 0x40CE2F: retrace::RelayRace::run() (retrace_main.cpp:505)
==8227==    by 0x407D97: mainLoop (retrace_main.cpp:565)
==8227==    by 0x407D97: main (retrace_main.cpp:880)
==8227== 
==8227== HEAP SUMMARY:
==8227==     in use at exit: 4,826,139 bytes in 12,695 blocks
==8227==   total heap usage: 55,166 allocs, 42,471 frees, 17,699,948 bytes
allocated
==8227== 
==8227== LEAK SUMMARY:
==8227==    definitely lost: 20,160 bytes in 3 blocks
==8227==    indirectly lost: 0 bytes in 0 blocks
==8227==      possibly lost: 112,184 bytes in 745 blocks
==8227==    still reachable: 4,693,795 bytes in 11,947 blocks
==8227==         suppressed: 0 bytes in 0 blocks
==8227== Rerun with --leak-check=full to see details of leaked memory
==8227== 
==8227== For counts of detected and suppressed errors, rerun with: -v
==8227== Use --track-origins=yes to see where uninitialised values come from
==8227== ERROR SUMMARY: 35 errors from 5 contexts (suppressed: 0 from 0)
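The ordering the first two valgrind stacks show (the drawable is freed under dri2_bind_context via driReleaseDrawables, then read by st_framebuffers_purge during st_api_make_current) reduced to a small reference-counting model. This is an added illustration, not Mesa's code: drawable_t, context_t, purge_stale and make_current are hypothetical names, and the ref-before-purge ordering is one general fix strategy, not the patch that closed this bug.

```c
#include <stdlib.h>

/* Hypothetical, simplified model of a DRI drawable and a GL context. */
typedef struct {
    int refcount;
    int width;        /* stands in for the framebuffer state purge inspects */
} drawable_t;
typedef struct {
    drawable_t *draw; /* drawable last made current with this context */
} context_t;
static int freed_drawables; /* test hook: drawables actually freed so far */

static drawable_t *drawable_create(int width)
{
    drawable_t *d = calloc(1, sizeof *d);
    if (!d)
        abort();
    d->refcount = 1;
    d->width = width;
    return d;
}
static void drawable_ref(drawable_t *d) { d->refcount++; }
static void drawable_unref(drawable_t *d)
{
    if (--d->refcount == 0) {
        freed_drawables++;
        free(d);
    }
}

/* Counterpart of st_framebuffers_purge: inspect the old drawable, then drop the
 * context's reference. Reading ctx->draw->width is only sound while it is held. */
static int purge_stale(context_t *ctx)
{
    int stale_width = 0;
    if (ctx->draw) {
        stale_width = ctx->draw->width;
        drawable_unref(ctx->draw);
        ctx->draw = NULL;
    }
    return stale_width;
}

/* Safe rebind order: reference the incoming drawable, purge while the old one is
 * still alive, then hand over. Releasing before purging leaves ctx->draw dangling. */
static int make_current(context_t *ctx, drawable_t *new_draw)
{
    if (new_draw)
        drawable_ref(new_draw);
    int stale = purge_stale(ctx);
    ctx->draw = new_draw;
    return stale;
}
```

Running the same sequence with the old reference dropped before purge_stale is the pattern Memcheck reports above as a read inside a freed block.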
