<html>
<head>
<base href="https://bugs.freedesktop.org/">
</head>
<body>
<p>
<div>
<b><a class="bz_bug_link
bz_status_NEW "
title="NEW - read-after-free in st_framebuffer_validate"
href="https://bugs.freedesktop.org/show_bug.cgi?id=101829#c3">Comment # 3</a>
on <a class="bz_bug_link
bz_status_NEW "
title="NEW - read-after-free in st_framebuffer_validate"
href="https://bugs.freedesktop.org/show_bug.cgi?id=101829">bug 101829</a>
from <span class="vcard"><a class="email" href="mailto:gw.fossdev@gmail.com" title="Gert Wollny <gw.fossdev@gmail.com>"> <span class="fn">Gert Wollny</span></a>
</span></b>
<pre>I can confirm that the trace results in a sigsegv, but with gltrace on r600g I
get a different backtrace (9ee67467c9ea + a patchset related to register
merging that shouldn't have anything to do with the bug)

valgrind glretrace Downloads/example.trace
==8227== Memcheck, a memory error detector
==8227== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==8227== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==8227== Command: glretrace Downloads/example.trace
==8227==
==8227== Invalid read of size 4
==8227== at 0x9A9AC88: st_framebuffers_purge (st_manager.c:509)
==8227== by 0x9A9AC88: st_api_make_current (st_manager.c:872)
==8227== by 0x9C457CD: dri_make_current (dri_context.c:278)
==8227== by 0x9C44283: driBindContext (dri_util.c:559)
==8227== by 0x77425EA: dri2_bind_context (dri2_glx.c:154)
==8227== by 0x771930B: MakeContextCurrent (glxcurrent.c:228)
==8227== by 0x40A406: glws::makeCurrentInternal(glws::Drawable*,
glws::Context*) (glws_glx.cpp:370)
==8227== by 0x412C3E: makeCurrent (glws.hpp:213)
==8227== by 0x412C3E: glretrace::makeCurrent(trace::Call&, glws::Drawable*,
glretrace::Context*) (glretrace_ws.cpp:170)
==8227== by 0x40C8BC: retrace::retraceCall(trace::Call*)
(retrace_main.cpp:233)
==8227== by 0x40CE2F: runLeg (retrace_main.cpp:386)
==8227== by 0x40CE2F: runRace (retrace_main.cpp:364)
==8227== by 0x40CE2F: retrace::RelayRace::run() (retrace_main.cpp:505)
==8227== by 0x407D97: mainLoop (retrace_main.cpp:565)
==8227== by 0x407D97: main (retrace_main.cpp:880)
==8227== Address 0x1604d964 is 4 bytes inside a block of size 480 free'd
==8227== at 0x4C2BD2B: free (vg_replace_malloc.c:530)
==8227== by 0x9C44F3D: dri_put_drawable.part.3 (dri_util.c:642)
==8227== by 0x7741337: dri2DestroyDrawable (dri2_glx.c:343)
==8227== by 0x773EEC9: driReleaseDrawables (dri_common.c:452)
==8227== by 0x77425C1: dri2_bind_context (dri2_glx.c:142)
==8227== by 0x771930B: MakeContextCurrent (glxcurrent.c:228)
==8227== by 0x40A406: glws::makeCurrentInternal(glws::Drawable*,
glws::Context*) (glws_glx.cpp:370)
==8227== by 0x412C3E: makeCurrent (glws.hpp:213)
==8227== by 0x412C3E: glretrace::makeCurrent(trace::Call&, glws::Drawable*,
glretrace::Context*) (glretrace_ws.cpp:170)
==8227== by 0x40C8BC: retrace::retraceCall(trace::Call*)
(retrace_main.cpp:233)
==8227== by 0x40CE2F: runLeg (retrace_main.cpp:386)
==8227== by 0x40CE2F: runRace (retrace_main.cpp:364)
==8227== by 0x40CE2F: retrace::RelayRace::run() (retrace_main.cpp:505)
==8227== by 0x407D97: mainLoop (retrace_main.cpp:565)
==8227== by 0x407D97: main (retrace_main.cpp:880)
==8227== Block was alloc'd at
==8227== at 0x4C2CB0D: calloc (vg_replace_malloc.c:711)
==8227== by 0x9C46199: dri_create_buffer (dri_drawable.c:139)
==8227== by 0x9C49D83: dri2_create_buffer (dri2.c:2196)
==8227== by 0x9C450A3: driCreateNewDrawable (dri_util.c:671)
==8227== by 0x774127C: dri2CreateDrawable (dri2_glx.c:405)
==8227== by 0x773ED9F: driFetchDrawable (dri_common.c:410)
==8227== by 0x77425A8: dri2_bind_context (dri2_glx.c:139)
==8227== by 0x771930B: MakeContextCurrent (glxcurrent.c:228)
==8227== by 0x40A406: glws::makeCurrentInternal(glws::Drawable*,
glws::Context*) (glws_glx.cpp:370)
==8227== by 0x412C3E: makeCurrent (glws.hpp:213)
==8227== by 0x412C3E: glretrace::makeCurrent(trace::Call&, glws::Drawable*,
glretrace::Context*) (glretrace_ws.cpp:170)
==8227== by 0x40C8BC: retrace::retraceCall(trace::Call*)
(retrace_main.cpp:233)
==8227== by 0x40CE2F: runLeg (retrace_main.cpp:386)
==8227== by 0x40CE2F: runRace (retrace_main.cpp:364)
==8227== by 0x40CE2F: retrace::RelayRace::run() (retrace_main.cpp:505)
739: message: api issue 1: FBO incomplete: no attachments and default width or
height is 0 [-1]
==8227== Conditional jump or move depends on uninitialised value(s)
==8227== at 0x4C327D2: __memcmp_sse4_1 (vg_replace_strmem.c:1099)
==8227== by 0x9F12F2F: r600_set_vertex_buffers (r600_state_common.c:550)
==8227== by 0x9D4EDE0: u_vbuf_set_driver_vertex_buffers (u_vbuf.c:1116)
==8227== by 0x9D52394: u_vbuf_draw_vbo (u_vbuf.c:1140)
==8227== by 0x9A6018B: st_draw_vbo (st_draw.c:222)
==8227== by 0x9A0A379: vbo_validated_drawrangeelements
(vbo_exec_array.c:918)
==8227== by 0x9A0AB05: vbo_exec_DrawRangeElementsBaseVertex
(vbo_exec_array.c:1019)
==8227== by 0x9A0AD6A: vbo_exec_DrawRangeElements (vbo_exec_array.c:1039)
==8227== by 0x9938B6F: _mesa_unmarshal_DrawRangeElements
(marshal_generated.c:21699)
==8227== by 0x9938B6F: _mesa_unmarshal_dispatch_cmd
(marshal_generated.c:41346)
==8227== by 0x98ED96C: glthread_unmarshal_batch (glthread.c:53)
==8227== by 0x98EDC54: _mesa_glthread_finish (glthread.c:209)
==8227== by 0x98FF573: _mesa_marshal_GetError (marshal_generated.c:12286)
==8227==
==8227== Conditional jump or move depends on uninitialised value(s)
==8227== at 0x9F15A4D: r600_draw_vbo (r600_state_common.c:1806)
==8227== by 0x9D521DB: u_vbuf_draw_vbo (u_vbuf.c:1143)
==8227== by 0x9A6018B: st_draw_vbo (st_draw.c:222)
==8227== by 0x9A0A379: vbo_validated_drawrangeelements
(vbo_exec_array.c:918)
==8227== by 0x9A0AB05: vbo_exec_DrawRangeElementsBaseVertex
(vbo_exec_array.c:1019)
==8227== by 0x9A0AD6A: vbo_exec_DrawRangeElements (vbo_exec_array.c:1039)
==8227== by 0x9938B6F: _mesa_unmarshal_DrawRangeElements
(marshal_generated.c:21699)
==8227== by 0x9938B6F: _mesa_unmarshal_dispatch_cmd
(marshal_generated.c:41346)
==8227== by 0x98ED96C: glthread_unmarshal_batch (glthread.c:53)
==8227== by 0x98EDC54: _mesa_glthread_finish (glthread.c:209)
==8227== by 0x98FF573: _mesa_marshal_GetError (marshal_generated.c:12286)
==8227== by 0x412530: glretrace::checkGlError(trace::Call&)
(glretrace_main.cpp:94)
==8227== by 0x4C2256: retrace_glDrawRangeElements(trace::Call&)
(glretrace_gl.cpp:10574)
==8227==
==8227== Conditional jump or move depends on uninitialised value(s)
==8227== at 0x9F15A4D: r600_draw_vbo (r600_state_common.c:1806)
==8227== by 0x9D521DB: u_vbuf_draw_vbo (u_vbuf.c:1143)
==8227== by 0x9A6018B: st_draw_vbo (st_draw.c:222)
==8227== by 0x9A0986F: vbo_draw_arrays (vbo_exec_array.c:486)
==8227== by 0x9A09DE9: vbo_exec_DrawArrays (vbo_exec_array.c:641)
==8227== by 0x993476D: _mesa_unmarshal_DrawArrays
(marshal_generated.c:26211)
==8227== by 0x993476D: _mesa_unmarshal_dispatch_cmd
(marshal_generated.c:41754)
==8227== by 0x98ED96C: glthread_unmarshal_batch (glthread.c:53)
==8227== by 0x98EDC54: _mesa_glthread_finish (glthread.c:209)
==8227== by 0x98FF573: _mesa_marshal_GetError (marshal_generated.c:12286)
==8227== by 0x412530: glretrace::checkGlError(trace::Call&)
(glretrace_main.cpp:94)
==8227== by 0x4C51FE: retrace_glDrawArrays(trace::Call&)
(glretrace_gl.cpp:9435)
==8227== by 0x40C8BC: retrace::retraceCall(trace::Call*)
(retrace_main.cpp:233)
==8227==
==8227== Invalid read of size 8
==8227== at 0x5C134E: retrace_glXMakeContextCurrent(trace::Call&)
(glretrace_glx.cpp:194)
==8227== by 0x40C8BC: retrace::retraceCall(trace::Call*)
(retrace_main.cpp:233)
==8227== by 0x40CE2F: runLeg (retrace_main.cpp:386)
==8227== by 0x40CE2F: runRace (retrace_main.cpp:364)
==8227== by 0x40CE2F: retrace::RelayRace::run() (retrace_main.cpp:505)
==8227== by 0x407D97: mainLoop (retrace_main.cpp:565)
==8227== by 0x407D97: main (retrace_main.cpp:880)
==8227== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==8227==
apitrace: warning: caught signal 11
4128: error: caught an unhandled exception
glretrace+0x239054
/lib64/libpthread.so.0+0x10bbf
glretrace+0x1c134e
glretrace+0xc8bc
glretrace+0xce2f
glretrace+0x7d97
/lib64/libc.so.6: __libc_start_main+0xef
glretrace: _start+0x28
?
apitrace: info: taking default action for signal 11
==8227==
==8227== Process terminating with default action of signal 11 (SIGSEGV)
==8227== at 0x518AA79: raise (pt-raise.c:35)
==8227== by 0x63912B: os::signalHandler(int, siginfo_t*, void*)
(os_posix.cpp:357)
==8227== by 0x518ABBF: ??? (in /lib64/libpthread-2.23.so)
==8227== by 0x5C134D: retrace_glXMakeContextCurrent(trace::Call&)
(glretrace_glx.cpp:194)
==8227== by 0x40C8BC: retrace::retraceCall(trace::Call*)
(retrace_main.cpp:233)
==8227== by 0x40CE2F: runLeg (retrace_main.cpp:386)
==8227== by 0x40CE2F: runRace (retrace_main.cpp:364)
==8227== by 0x40CE2F: retrace::RelayRace::run() (retrace_main.cpp:505)
==8227== by 0x407D97: mainLoop (retrace_main.cpp:565)
==8227== by 0x407D97: main (retrace_main.cpp:880)
==8227==
==8227== HEAP SUMMARY:
==8227== in use at exit: 4,826,139 bytes in 12,695 blocks
==8227== total heap usage: 55,166 allocs, 42,471 frees, 17,699,948 bytes
allocated
==8227==
==8227== LEAK SUMMARY:
==8227== definitely lost: 20,160 bytes in 3 blocks
==8227== indirectly lost: 0 bytes in 0 blocks
==8227== possibly lost: 112,184 bytes in 745 blocks
==8227== still reachable: 4,693,795 bytes in 11,947 blocks
==8227== suppressed: 0 bytes in 0 blocks
==8227== Rerun with --leak-check=full to see details of leaked memory
==8227==
==8227== For counts of detected and suppressed errors, rerun with: -v
==8227== Use --track-origins=yes to see where uninitialised values come from
==8227== ERROR SUMMARY: 35 errors from 5 contexts (suppressed: 0 from 0)</pre>
</div>
</p>
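<p>As an added triage aid, not part of this bug report or of the Mesa/apitrace code: a small Python parser for memcheck use-after-free records of the shape shown above. It strips the <code>==PID==</code> prefix, re-joins frames that Valgrind wrapped onto a second line, splits the record into the use, free and alloc stacks, and reports the innermost function common to all three with its source line in each stack. The sample record is constructed from a subset of the frames above; <code>parse_uaf</code> and <code>shared_caller</code> are names chosen here.</p>

```python
import re

# Constructed sample in the shape of a Valgrind memcheck use-after-free record:
# PID-prefixed "at"/"by" frames, one wrapped C++ frame, and the three stacks.
SAMPLE = """\
==8227== Invalid read of size 4
==8227==    at 0x9A9AC88: st_framebuffers_purge (st_manager.c:509)
==8227==    by 0x77425EA: dri2_bind_context (dri2_glx.c:154)
==8227==    by 0x40A406: glws::makeCurrentInternal(glws::Drawable*,
glws::Context*) (glws_glx.cpp:370)
==8227==  Address 0x1604d964 is 4 bytes inside a block of size 480 free'd
==8227==    at 0x4C2BD2B: free (vg_replace_malloc.c:530)
==8227==    by 0x77425C1: dri2_bind_context (dri2_glx.c:142)
==8227==  Block was alloc'd at
==8227==    at 0x4C2CB0D: calloc (vg_replace_malloc.c:711)
==8227==    by 0x77425A8: dri2_bind_context (dri2_glx.c:139)
"""

PREFIX = re.compile(r"^==\d+== ?")
FRAME = re.compile(r"^\s*(?:at|by)\s+0x[0-9A-Fa-f]+:\s+(.*?)\s+\(([^()]+)\)$")

def parse_uaf(text):
    """Split one memcheck use-after-free record into use/free/alloc stacks of
    (function, location) tuples, innermost first, re-joining wrapped frames."""
    stacks, current, lines = {"use": [], "free": [], "alloc": []}, None, []
    for raw in text.splitlines():
        if PREFIX.match(raw):
            lines.append(PREFIX.sub("", raw).strip())
        elif lines and not lines[-1].endswith(")"):
            lines[-1] += " " + raw.strip()   # continuation of a wrapped frame
    for line in lines:
        if line.startswith("Invalid "):
            current = "use"
        elif line.endswith("free'd"):
            current = "free"
        elif line.startswith("Block was alloc'd"):
            current = "alloc"
        elif current and (m := FRAME.match(line)):
            stacks[current].append((m.group(1), m.group(2)))
    return stacks

def shared_caller(stacks):
    """Innermost use-stack function that also frees and allocates the block,
    with its location in each stack: the place to inspect the lifetime order."""
    freed, alloc = dict(stacks["free"]), dict(stacks["alloc"])
    for func, loc in stacks["use"]:
        if func in freed and func in alloc:
            return func, {"use": loc, "free": freed[func], "alloc": alloc[func]}
    return None
```

On the sample this points at dri2_bind_context, which allocates the drawable at line 139, releases it at line 142 and then reaches the freed block through line 154, so the ordering of fetch, release and bind inside that one function is what to inspect.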
</body>
</html>