<html>
    <head>
      <base href="https://bugs.freedesktop.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - heap-use-after-free in glsl"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=99677">99677</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>heap-use-after-free in glsl
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>Mesa
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>git
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>x86-64 (AMD64)
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux (All)
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>medium
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>glsl-compiler
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>mesa-dev@lists.freedesktop.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>bartosz.tomczyk86@gmail.com
          </td>
        </tr>

        <tr>
          <th>QA Contact</th>
          <td>intel-3d-bugs@lists.freedesktop.org
          </td>
        </tr></table>
      <p>
        <div>
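        <pre>AddressSanitizer reports a heap use-after-free in the GLSL compiler.
Per the trace below, the ir_variable allocated in ast_declarator_list::hir
(ast_to_hir.cpp:4789) is freed inside get_variable_being_redeclared
(ast_to_hir.cpp:4001) and then read again in ast_declarator_list::hir
(ast_to_hir.cpp:5266).

Steps to reproduce: build Mesa with AddressSanitizer enabled and run the piglit
test glsl-es-3.00/compiler/no-unsized-arrays-01.vert fail 3.0: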


==27336==ERROR: AddressSanitizer: heap-use-after-free on address 0x61000024ddb0
at pc 0x7f62c7771443 bp 0x7ffec46303b0 sp 0x7ffec46303a8
READ of size 4 at 0x61000024ddb0 thread T0
    #0 0x7f62c7771442 in ast_declarator_list::hir(exec_list*,
_mesa_glsl_parse_state*)
/home/bartek/Devel/mesa/src/compiler/glsl/ast_to_hir.cpp:5266:24
    #1 0x7f62c774d6ba in ast_compound_statement::hir(exec_list*,
_mesa_glsl_parse_state*)
/home/bartek/Devel/mesa/src/compiler/glsl/ast_to_hir.cpp:2217:12
    #2 0x7f62c779f624 in ast_function_definition::hir(exec_list*,
_mesa_glsl_parse_state*)
/home/bartek/Devel/mesa/src/compiler/glsl/ast_to_hir.cpp:5834:16
    #3 0x7f62c7712506 in _mesa_ast_to_hir(exec_list*, _mesa_glsl_parse_state*)
/home/bartek/Devel/mesa/src/compiler/glsl/ast_to_hir.cpp:155:12
    #4 0x7f62c7dd5e38 in _mesa_glsl_compile_shader
/home/bartek/Devel/mesa/src/compiler/glsl/glsl_parser_extras.cpp:1944:7
    #5 0x7f62c68b8801 in _mesa_compile_shader
/home/bartek/Devel/mesa/src/mesa/main/shaderapi.c:1039:7
    #6 0x7f62c68bf323 in _mesa_CompileShader
/home/bartek/Devel/mesa/src/mesa/main/shaderapi.c:1392:4
    #7 0x7f62d4e5f37f in stub_glCompileShader
/home/bartek/Devel/piglit/build/tests/util/piglit-dispatch-gen.c:6974
    #8 0x401dd6 in test
/home/bartek/Devel/piglit/tests/glslparsertest/glslparsertest.c:303
    #9 0x40250f in piglit_init
/home/bartek/Devel/piglit/tests/glslparsertest/glslparsertest.c:543
    #10 0x7f62d4ef75bf in run_test
/home/bartek/Devel/piglit/tests/util/piglit-framework-gl/piglit_winsys_framework.c:73
    #11 0x7f62d4edc1fb in piglit_gl_test_run
/home/bartek/Devel/piglit/tests/util/piglit-framework-gl.c:203
    #12 0x40183d in main
/home/bartek/Devel/piglit/tests/glslparsertest/glslparsertest.c:90
    #13 0x7f62d173c290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)
    #14 0x401629 in _start
(/home/bartek/Devel/piglit/bin/glslparsertest_gles2+0x401629)

0x61000024ddb0 is located 112 bytes inside of 192-byte region
[0x61000024dd40,0x61000024de00)
freed by thread T0 here:
    #0 0x7f62d5295310 in __interceptor_cfree.localalias.1
/build/llvm-svn/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:55
    #1 0x7f62c80dc88d in unsafe_free
/home/bartek/Devel/mesa/src/util/ralloc.c:268:4
    #2 0x7f62c80db4da in ralloc_free
/home/bartek/Devel/mesa/src/util/ralloc.c:231:4
    #3 0x7f62c780b200 in exec_node::operator delete(void*)
/home/bartek/Devel/mesa/src/compiler/../../src/compiler/glsl/list.h:59:4
    #4 0x7f62c7f2c515 in ir_variable::~ir_variable()
/home/bartek/Devel/mesa/src/compiler/../../src/compiler/glsl/ir.h:420:7
    #5 0x7f62c7789d36 in get_variable_being_redeclared(ir_variable*, YYLTYPE,
_mesa_glsl_parse_state*, bool)
/home/bartek/Devel/mesa/src/compiler/glsl/ast_to_hir.cpp:4001:7
    #6 0x7f62c776fec1 in ast_declarator_list::hir(exec_list*,
_mesa_glsl_parse_state*)
/home/bartek/Devel/mesa/src/compiler/glsl/ast_to_hir.cpp:5210:10
    #7 0x7f62c774d6ba in ast_compound_statement::hir(exec_list*,
_mesa_glsl_parse_state*)
/home/bartek/Devel/mesa/src/compiler/glsl/ast_to_hir.cpp:2217:12
    #8 0x7f62c779f624 in ast_function_definition::hir(exec_list*,
_mesa_glsl_parse_state*)
/home/bartek/Devel/mesa/src/compiler/glsl/ast_to_hir.cpp:5834:16
    #9 0x7f62c7712506 in _mesa_ast_to_hir(exec_list*, _mesa_glsl_parse_state*)
/home/bartek/Devel/mesa/src/compiler/glsl/ast_to_hir.cpp:155:12
    #10 0x7f62c7dd5e38 in _mesa_glsl_compile_shader
/home/bartek/Devel/mesa/src/compiler/glsl/glsl_parser_extras.cpp:1944:7
    #11 0x7f62c68b8801 in _mesa_compile_shader
/home/bartek/Devel/mesa/src/mesa/main/shaderapi.c:1039:7
    #12 0x7f62c68bf323 in _mesa_CompileShader
/home/bartek/Devel/mesa/src/mesa/main/shaderapi.c:1392:4
    #13 0x7f62d4e5f37f in stub_glCompileShader
/home/bartek/Devel/piglit/build/tests/util/piglit-dispatch-gen.c:6974
    #14 0x401dd6 in test
/home/bartek/Devel/piglit/tests/glslparsertest/glslparsertest.c:303
    #15 0x40250f in piglit_init
/home/bartek/Devel/piglit/tests/glslparsertest/glslparsertest.c:543
    #16 0x7f62d4ef75bf in run_test
/home/bartek/Devel/piglit/tests/util/piglit-framework-gl/piglit_winsys_framework.c:73
    #17 0x7f62d4edc1fb in piglit_gl_test_run
/home/bartek/Devel/piglit/tests/util/piglit-framework-gl.c:203
    #18 0x40183d in main
/home/bartek/Devel/piglit/tests/glslparsertest/glslparsertest.c:90
    #19 0x7f62d173c290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)

previously allocated by thread T0 here:
    #0 0x7f62d52954c8 in __interceptor_malloc
/build/llvm-svn/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66
    #1 0x7f62c80d95d2 in ralloc_size
/home/bartek/Devel/mesa/src/util/ralloc.c:113:18
    #2 0x7f62c80da2cc in rzalloc_size
/home/bartek/Devel/mesa/src/util/ralloc.c:145:16
    #3 0x7f62c61b9808 in exec_node::operator new(unsigned long, void*)
/home/bartek/Devel/mesa/src/mesa/../../src/compiler/glsl/list.h:59:4
    #4 0x7f62c7762e1c in ast_declarator_list::hir(exec_list*,
_mesa_glsl_parse_state*)
/home/bartek/Devel/mesa/src/compiler/glsl/ast_to_hir.cpp:4789:13
    #5 0x7f62c774d6ba in ast_compound_statement::hir(exec_list*,
_mesa_glsl_parse_state*)
/home/bartek/Devel/mesa/src/compiler/glsl/ast_to_hir.cpp:2217:12
    #6 0x7f62c779f624 in ast_function_definition::hir(exec_list*,
_mesa_glsl_parse_state*)
/home/bartek/Devel/mesa/src/compiler/glsl/ast_to_hir.cpp:5834:16
    #7 0x7f62c7712506 in _mesa_ast_to_hir(exec_list*, _mesa_glsl_parse_state*)
/home/bartek/Devel/mesa/src/compiler/glsl/ast_to_hir.cpp:155:12
    #8 0x7f62c7dd5e38 in _mesa_glsl_compile_shader
/home/bartek/Devel/mesa/src/compiler/glsl/glsl_parser_extras.cpp:1944:7
    #9 0x7f62c68b8801 in _mesa_compile_shader
/home/bartek/Devel/mesa/src/mesa/main/shaderapi.c:1039:7
    #10 0x7f62c68bf323 in _mesa_CompileShader
/home/bartek/Devel/mesa/src/mesa/main/shaderapi.c:1392:4
    #11 0x7f62d4e5f37f in stub_glCompileShader
/home/bartek/Devel/piglit/build/tests/util/piglit-dispatch-gen.c:6974
    #12 0x401dd6 in test
/home/bartek/Devel/piglit/tests/glslparsertest/glslparsertest.c:303
    #13 0x40250f in piglit_init
/home/bartek/Devel/piglit/tests/glslparsertest/glslparsertest.c:543
    #14 0x7f62d4ef75bf in run_test
/home/bartek/Devel/piglit/tests/util/piglit-framework-gl/piglit_winsys_framework.c:73
    #15 0x7f62d4edc1fb in piglit_gl_test_run
/home/bartek/Devel/piglit/tests/util/piglit-framework-gl.c:203
    #16 0x40183d in main
/home/bartek/Devel/piglit/tests/glslparsertest/glslparsertest.c:90
    #17 0x7f62d173c290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)</pre>
        </div>
      </p>


    </body>
</html>