[Mesa-dev] [Bug 108713] Gallium: use after free with transform feedback

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Mon Nov 12 10:01:38 UTC 2018


https://bugs.freedesktop.org/show_bug.cgi?id=108713

            Bug ID: 108713
           Summary: Gallium: use after free with transform feedback
           Product: Mesa
           Version: git
          Hardware: Other
                OS: All
            Status: NEW
          Severity: normal
          Priority: medium
         Component: Other
          Assignee: mesa-dev at lists.freedesktop.org
          Reporter: gw.fossdev at gmail.com
        QA Contact: mesa-dev at lists.freedesktop.org

With the call sequence 

eglMakeCurrent(Y)
glUseProgram(X)
glBindTransformFeedback(..., 1)
/*do something*/

glBindTransformFeedback(..., 0)
eglMakeCurrent(Y)
glDeleteProgram(X)
glBindTransformFeedback(..., 1)
glEndTransformFeedback() 

there is a use after free in glEndTransformFeedback():

#0 0x7f93bfecfda1 in st_end_transform_feedback mesa/state_tracker/st_cb_xformfb.c:206
#1 0x7f93bf84fecc in end_transform_feedback mesa/main/transformfeedback.c:505
#2 0x7f93bf8500d7 in _mesa_EndTransformFeedback mesa/main/transformfeedback.c:535

because the transform feedback holds a stale link to the shader program.

I've seen this error on r600 and it was also confirmed on radeonsi; the same
code runs fine with i965.

The spec says

"If a program object is in use as part of current rendering state, it will be
flagged for deletion, but it will not be deleted until it is no longer part of
current state for any rendering context."

So since the shader program is part of the current rendering state it should
still be available. 

I am however not completely sure about this, because the transform feedback
object was not bound when the program was deleted, so maybe the deleted program
should not be part of its state. 

So either the shader gets deleted too early, or the transform feedback object
is not properly notified about the shader being deleted.

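To make the lifetime rule in the quoted spec text concrete, here is an added example in C (not code from this report or from Mesa): a simplified model in which the transform feedback object holds a counted reference to the program, so glDeleteProgram only flags the object and the actual free is deferred until the last user lets go. The names program_reference, program_create, program_delete, xfb_object and replay_sequence are this model's own, not Mesa's.

```c
#include <stdlib.h>

/* Simplified model (not Mesa code): a program object is reference counted, so
 * glDeleteProgram drops the name-table reference and only flags the object. */
struct program {
    unsigned id;
    int refcount;
    int delete_pending; /* glDeleteProgram was called while still in use */
};
struct xfb_object {
    struct program *prog; /* counted reference, never a bare stale pointer */
};
static int programs_freed; /* number of real deallocations, for checking */

/* Point *ptr at prog, releasing the previous target; free it on last release. */
static void program_reference(struct program **ptr, struct program *prog) {
    if (*ptr == prog) return;
    if (*ptr && --(*ptr)->refcount == 0) {
        free(*ptr);
        programs_freed++;
    }
    if (prog) prog->refcount++;
    *ptr = prog;
}
static struct program *program_create(unsigned id) {
    struct program *p = calloc(1, sizeof *p);
    p->id = id;
    p->refcount = 1; /* the reference held by the name table */
    return p;
}
/* glDeleteProgram: flag the object and drop only the name-table reference. */
static void program_delete(struct program **table_slot) {
    if (!*table_slot) return;
    (*table_slot)->delete_pending = 1;
    program_reference(table_slot, NULL);
}

/* Replays the reported sequence; returns 1 if the xfb object still holds a
 * live, flagged program after glDeleteProgram and the free only happens once
 * the xfb object releases it (glEndTransformFeedback / unbind). */
static int replay_sequence(void) {
    struct program *table[1] = { program_create(1) }; /* glCreateProgram -> X */
    struct xfb_object xfb = { NULL };
    programs_freed = 0;
    program_reference(&xfb.prog, table[0]); /* xfb starts using program X */
    program_delete(&table[0]);              /* glDeleteProgram(X) */
    int live = xfb.prog && xfb.prog->delete_pending && programs_freed == 0;
    program_reference(&xfb.prog, NULL);     /* glEndTransformFeedback */
    return live && programs_freed == 1;
}
```

With a bare pointer in xfb_object instead of the counted reference, the same sequence would leave xfb.prog pointing at freed memory, which is the stale link the backtrace above shows.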