<html>
<head>
<base href="https://bugs.freedesktop.org/">
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - heap-use-after-free in glsl"
href="https://bugs.freedesktop.org/show_bug.cgi?id=99677">99677</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>heap-use-after-free in glsl
</td>
</tr>
<tr>
<th>Product</th>
<td>Mesa
</td>
</tr>
<tr>
<th>Version</th>
<td>git
</td>
</tr>
<tr>
<th>Hardware</th>
<td>x86-64 (AMD64)
</td>
</tr>
<tr>
<th>OS</th>
<td>Linux (All)
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>medium
</td>
</tr>
<tr>
<th>Component</th>
<td>glsl-compiler
</td>
</tr>
<tr>
<th>Assignee</th>
<td>mesa-dev@lists.freedesktop.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>bartosz.tomczyk86@gmail.com
</td>
</tr>
<tr>
<th>QA Contact</th>
<td>intel-3d-bugs@lists.freedesktop.org
</td>
</tr></table>
<p>
<div>
<pre>Address Sanitizer reports a use-after-free in the GLSL compiler.
Steps to reproduce: build Mesa with Address Sanitizer enabled and run the piglit
test glsl-es-3.00/compiler/no-unsized-arrays-01.vert fail 3.0:
==27336==ERROR: AddressSanitizer: heap-use-after-free on address 0x61000024ddb0
at pc 0x7f62c7771443 bp 0x7ffec46303b0 sp 0x7ffec46303a8
READ of size 4 at 0x61000024ddb0 thread T0
#0 0x7f62c7771442 in ast_declarator_list::hir(exec_list*,
_mesa_glsl_parse_state*)
/home/bartek/Devel/mesa/src/compiler/glsl/ast_to_hir.cpp:5266:24
#1 0x7f62c774d6ba in ast_compound_statement::hir(exec_list*,
_mesa_glsl_parse_state*)
/home/bartek/Devel/mesa/src/compiler/glsl/ast_to_hir.cpp:2217:12
#2 0x7f62c779f624 in ast_function_definition::hir(exec_list*,
_mesa_glsl_parse_state*)
/home/bartek/Devel/mesa/src/compiler/glsl/ast_to_hir.cpp:5834:16
#3 0x7f62c7712506 in _mesa_ast_to_hir(exec_list*, _mesa_glsl_parse_state*)
/home/bartek/Devel/mesa/src/compiler/glsl/ast_to_hir.cpp:155:12
#4 0x7f62c7dd5e38 in _mesa_glsl_compile_shader
/home/bartek/Devel/mesa/src/compiler/glsl/glsl_parser_extras.cpp:1944:7
#5 0x7f62c68b8801 in _mesa_compile_shader
/home/bartek/Devel/mesa/src/mesa/main/shaderapi.c:1039:7
#6 0x7f62c68bf323 in _mesa_CompileShader
/home/bartek/Devel/mesa/src/mesa/main/shaderapi.c:1392:4
#7 0x7f62d4e5f37f in stub_glCompileShader
/home/bartek/Devel/piglit/build/tests/util/piglit-dispatch-gen.c:6974
#8 0x401dd6 in test
/home/bartek/Devel/piglit/tests/glslparsertest/glslparsertest.c:303
#9 0x40250f in piglit_init
/home/bartek/Devel/piglit/tests/glslparsertest/glslparsertest.c:543
#10 0x7f62d4ef75bf in run_test
/home/bartek/Devel/piglit/tests/util/piglit-framework-gl/piglit_winsys_framework.c:73
#11 0x7f62d4edc1fb in piglit_gl_test_run
/home/bartek/Devel/piglit/tests/util/piglit-framework-gl.c:203
#12 0x40183d in main
/home/bartek/Devel/piglit/tests/glslparsertest/glslparsertest.c:90
#13 0x7f62d173c290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)
#14 0x401629 in _start
(/home/bartek/Devel/piglit/bin/glslparsertest_gles2+0x401629)
0x61000024ddb0 is located 112 bytes inside of 192-byte region
[0x61000024dd40,0x61000024de00)
freed by thread T0 here:
#0 0x7f62d5295310 in __interceptor_cfree.localalias.1
/build/llvm-svn/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:55
#1 0x7f62c80dc88d in unsafe_free
/home/bartek/Devel/mesa/src/util/ralloc.c:268:4
#2 0x7f62c80db4da in ralloc_free
/home/bartek/Devel/mesa/src/util/ralloc.c:231:4
#3 0x7f62c780b200 in exec_node::operator delete(void*)
/home/bartek/Devel/mesa/src/compiler/../../src/compiler/glsl/list.h:59:4
#4 0x7f62c7f2c515 in ir_variable::~ir_variable()
/home/bartek/Devel/mesa/src/compiler/../../src/compiler/glsl/ir.h:420:7
#5 0x7f62c7789d36 in get_variable_being_redeclared(ir_variable*, YYLTYPE,
_mesa_glsl_parse_state*, bool)
/home/bartek/Devel/mesa/src/compiler/glsl/ast_to_hir.cpp:4001:7
#6 0x7f62c776fec1 in ast_declarator_list::hir(exec_list*,
_mesa_glsl_parse_state*)
/home/bartek/Devel/mesa/src/compiler/glsl/ast_to_hir.cpp:5210:10
#7 0x7f62c774d6ba in ast_compound_statement::hir(exec_list*,
_mesa_glsl_parse_state*)
/home/bartek/Devel/mesa/src/compiler/glsl/ast_to_hir.cpp:2217:12
#8 0x7f62c779f624 in ast_function_definition::hir(exec_list*,
_mesa_glsl_parse_state*)
/home/bartek/Devel/mesa/src/compiler/glsl/ast_to_hir.cpp:5834:16
#9 0x7f62c7712506 in _mesa_ast_to_hir(exec_list*, _mesa_glsl_parse_state*)
/home/bartek/Devel/mesa/src/compiler/glsl/ast_to_hir.cpp:155:12
#10 0x7f62c7dd5e38 in _mesa_glsl_compile_shader
/home/bartek/Devel/mesa/src/compiler/glsl/glsl_parser_extras.cpp:1944:7
#11 0x7f62c68b8801 in _mesa_compile_shader
/home/bartek/Devel/mesa/src/mesa/main/shaderapi.c:1039:7
#12 0x7f62c68bf323 in _mesa_CompileShader
/home/bartek/Devel/mesa/src/mesa/main/shaderapi.c:1392:4
#13 0x7f62d4e5f37f in stub_glCompileShader
/home/bartek/Devel/piglit/build/tests/util/piglit-dispatch-gen.c:6974
#14 0x401dd6 in test
/home/bartek/Devel/piglit/tests/glslparsertest/glslparsertest.c:303
#15 0x40250f in piglit_init
/home/bartek/Devel/piglit/tests/glslparsertest/glslparsertest.c:543
#16 0x7f62d4ef75bf in run_test
/home/bartek/Devel/piglit/tests/util/piglit-framework-gl/piglit_winsys_framework.c:73
#17 0x7f62d4edc1fb in piglit_gl_test_run
/home/bartek/Devel/piglit/tests/util/piglit-framework-gl.c:203
#18 0x40183d in main
/home/bartek/Devel/piglit/tests/glslparsertest/glslparsertest.c:90
#19 0x7f62d173c290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)
previously allocated by thread T0 here:
#0 0x7f62d52954c8 in __interceptor_malloc
/build/llvm-svn/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66
#1 0x7f62c80d95d2 in ralloc_size
/home/bartek/Devel/mesa/src/util/ralloc.c:113:18
#2 0x7f62c80da2cc in rzalloc_size
/home/bartek/Devel/mesa/src/util/ralloc.c:145:16
#3 0x7f62c61b9808 in exec_node::operator new(unsigned long, void*)
/home/bartek/Devel/mesa/src/mesa/../../src/compiler/glsl/list.h:59:4
#4 0x7f62c7762e1c in ast_declarator_list::hir(exec_list*,
_mesa_glsl_parse_state*)
/home/bartek/Devel/mesa/src/compiler/glsl/ast_to_hir.cpp:4789:13
#5 0x7f62c774d6ba in ast_compound_statement::hir(exec_list*,
_mesa_glsl_parse_state*)
/home/bartek/Devel/mesa/src/compiler/glsl/ast_to_hir.cpp:2217:12
#6 0x7f62c779f624 in ast_function_definition::hir(exec_list*,
_mesa_glsl_parse_state*)
/home/bartek/Devel/mesa/src/compiler/glsl/ast_to_hir.cpp:5834:16
#7 0x7f62c7712506 in _mesa_ast_to_hir(exec_list*, _mesa_glsl_parse_state*)
/home/bartek/Devel/mesa/src/compiler/glsl/ast_to_hir.cpp:155:12
#8 0x7f62c7dd5e38 in _mesa_glsl_compile_shader
/home/bartek/Devel/mesa/src/compiler/glsl/glsl_parser_extras.cpp:1944:7
#9 0x7f62c68b8801 in _mesa_compile_shader
/home/bartek/Devel/mesa/src/mesa/main/shaderapi.c:1039:7
#10 0x7f62c68bf323 in _mesa_CompileShader
/home/bartek/Devel/mesa/src/mesa/main/shaderapi.c:1392:4
#11 0x7f62d4e5f37f in stub_glCompileShader
/home/bartek/Devel/piglit/build/tests/util/piglit-dispatch-gen.c:6974
#12 0x401dd6 in test
/home/bartek/Devel/piglit/tests/glslparsertest/glslparsertest.c:303
#13 0x40250f in piglit_init
/home/bartek/Devel/piglit/tests/glslparsertest/glslparsertest.c:543
#14 0x7f62d4ef75bf in run_test
/home/bartek/Devel/piglit/tests/util/piglit-framework-gl/piglit_winsys_framework.c:73
#15 0x7f62d4edc1fb in piglit_gl_test_run
/home/bartek/Devel/piglit/tests/util/piglit-framework-gl.c:203
#16 0x40183d in main
/home/bartek/Devel/piglit/tests/glslparsertest/glslparsertest.c:90
#17 0x7f62d173c290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)</pre>
</div>
</p>
</body>
</html>