Bug 52996

Summary: Read out of bounds in swizzle_for_size() (MesaLib/src/mesa/program/ir_to_mesa.cpp)
Product: Mesa Reporter: Alexander Potapenko <glider>
Component: Mesa coreAssignee: mesa-dev
Status: RESOLVED DUPLICATE QA Contact:
Severity: normal    
Priority: medium    
Version: 7.9   
Hardware: Other   
OS: Linux (All)   
Whiteboard:
i915 platform: i915 features:

Description Alexander Potapenko 2012-07-31 09:55:13 UTC 
(See also https://code.google.com/p/chromium/issues/detail?id=139772)

We're running Webkit tests under AddressSanitizer (http://clang.llvm.org/docs/AddressSanitizer.html) and some tests crash with the following buffer underflow report:

01:55:19.656 6769 worker/1 fast/canvas/webgl/uniform-location-length-limits.html crashed, (stderr lines):
01:55:19.657 6769   [7927:7927:3005006286302:ERROR:gles2_cmd_decoder.cc(5109)] PERFORMANCE WARNING: Attribute 0 is disabled. This has signficant performance penalty
01:55:19.657 6769   =================================================================
01:55:19.657 6769   ==7927== ERROR: AddressSanitizer global-buffer-overflow on address 0x7f0450ad2c5c at pc 0x7f045076a9a3 bp 0x7fff39bc8aa0 sp 0x7fff39bc8a98
01:55:19.657 6769   READ of size 4 at 0x7f0450ad2c5c thread T0
01:55:19.676 6769       #0 0x7f045076a9a3 in swizzle_for_size(int) third_party/mesa/MesaLib/src/mesa/program/ir_to_mesa.cpp:0
01:55:19.676 6769       #1 0x7f045076abc1 in ir_to_mesa_visitor::visit(ir_dereference_record*) /mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/third_party/mesa/MesaLib/src/mesa/program/ir_to_mesa.cpp:1547
01:55:19.676 6769       #2 0x7f045076aa3f in ir_to_mesa_visitor::visit(ir_dereference_record*) /mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/third_party/mesa/MesaLib/src/mesa/program/ir_to_mesa.cpp:1542
01:55:19.676 6769       #3 0x7f045076adbc in ir_to_mesa_visitor::visit(ir_assignment*) /mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/third_party/mesa/MesaLib/src/mesa/program/ir_to_mesa.cpp:1584
01:55:19.676 6769       #4 0x7f045075fc0c in ir_to_mesa_visitor::visit(ir_function*) /mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/third_party/mesa/MesaLib/src/mesa/program/ir_to_mesa.cpp:1010
01:55:19.676 6769       #5 0x7f045092900c in visit_exec_list(exec_list*, ir_visitor*) /mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/third_party/mesa/MesaLib/src/glsl/ir.cpp:1199
01:55:19.676 6769       #6 0x7f045077275e in get_mesa_program(__GLcontextRec*, gl_shader_program*, gl_shader*) /mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/third_party/mesa/MesaLib/src/mesa/program/ir_to_mesa.cpp:2621
01:55:19.676 6769       #7 0x7f04507751a5 in _mesa_ir_link_shader /mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/third_party/mesa/MesaLib/src/mesa/program/ir_to_mesa.cpp:2812
01:55:19.676 6769       #8 0x7f0450776140 in _mesa_glsl_link_shader /mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/third_party/mesa/MesaLib/src/mesa/program/ir_to_mesa.cpp:2946
01:55:19.676 6769       #9 0x2b93117 in gpu::gles2::ProgramManager::ProgramInfo::Link(gpu::gles2::ShaderManager*, gpu::gles2::ShaderTranslator*, gpu::gles2::ShaderTranslator*, gpu::gles2::FeatureInfo*) /mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/gpu/command_buffer/service/program_manager.cc:514
01:55:19.676 6769       #10 0x2b6bd8c in gpu::gles2::GLES2DecoderImpl::DoLinkProgram(unsigned int) /mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/gpu/command_buffer/service/gles2_cmd_decoder.cc:4735
01:55:19.676 6769       #11 0x2b54375 in gpu::gles2::GLES2DecoderImpl::HandleLinkProgram(unsigned int, gpu::gles2::LinkProgram const&) /mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/./gpu/command_buffer/service/gles2_cmd_decoder_autogen.h:1437
01:55:19.676 6769       #12 0x2b469de in gpu::gles2::GLES2DecoderImpl::DoCommand(unsigned int, unsigned int, void const*) /mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/gpu/command_buffer/service/gles2_cmd_decoder.cc:3217
01:55:19.693 6769       #13 0x2be2780 in gpu::CommandParser::ProcessCommand() /mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/gpu/command_buffer/service/cmd_parser.cc:71
01:55:19.693 6769       #14 0x2b86e44 in gpu::GpuScheduler::PutChanged() /mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/gpu/command_buffer/service/gpu_scheduler.cc:81
01:55:19.693 6769       #15 0x2aface9 in webkit::gpu::GLInProcessContext::PumpCommands() /mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/webkit/gpu/webgraphicscontext3d_in_process_command_buffer_impl.cc:251
01:55:19.693 6769       #16 0x2b0a3ed in base::internal::InvokeHelper<false, void, base::internal::RunnableAdapter<void (webkit::gpu::GLInProcessContext::*)()>, void ()(webkit::gpu::GLInProcessContext*)>::MakeItSo(base::internal::RunnableAdapter<void (webkit::gpu::GLInProcessContext::*)()>, webkit::gpu::GLInProcessContext*) /mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/./base/bind_internal.h:871
01:55:19.706 6769       #17 0x2b0a2bd in base::internal::Invoker<1, base::internal::BindState<base::internal::RunnableAdapter<void (webkit::gpu::GLInProcessContext::*)()>, void ()(webkit::gpu::GLInProcessContext*), void ()(base::internal::UnretainedWrapper<webkit::gpu::GLInProcessContext>)>, void ()(webkit::gpu::GLInProcessContext*)>::Run(base::internal::BindStateBase*) /mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/./base/bind_internal.h:1172
01:55:19.706 6769       #18 0x2b2b5b1 in gpu::CommandBufferService::FlushSync(int, int) /mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/gpu/command_buffer/service/command_buffer_service.cc:76
01:55:19.706 6769       #19 0x311dc8d in gpu::CommandBufferHelper::FlushSync() /mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/gpu/command_buffer/client/cmd_buffer_helper.cc:9addr2line: '': No such file
01:55:19.707 6769   5
01:55:19.708 6769       #20 0x311dfb8 in gpu::CommandBufferHelper::Finish() /mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/gpu/command_buffer/client/cmd_buffer_helper.cc:121
01:55:19.708 6769       #21 0x31261a2 in gpu::gles2::GLES2Implementation::WaitForCmd() /mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/gpu/command_buffer/client/gles2_implementation.cc:556
01:55:19.708 6769       #22 0x3127339 in gpu::gles2::GLES2Implementation::GetBucketContents(unsigned int, std::vector<signed char, std::allocator<signed char> >*) /mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/gpu/command_buffer/client/gles2_implementation.cc:671
01:55:19.708 6769       #23 0x314bd91 in gpu::gles2::CachedProgramInfoManager::ProgramInfo::Update(gpu::gles2::GLES2Implementation*, unsigned int) /mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/gpu/command_buffer/client/program_info_manager.cc:307
01:55:19.708 6769       #24 0x314cc3a in gpu::gles2::CachedProgramInfoManager::GetProgramInfo(gpu::gles2::GLES2Implementation*, unsigned int) /mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/gpu/command_buffer/client/program_info_manager.cc:375
01:55:19.708 6769       #25 0x314d181 in gpu::gles2::CachedProgramInfoManager::GetProgramiv(gpu::gles2::GLES2Implementation*, unsigned int, unsigned int, int*) /mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/gpu/command_buffer/client/program_info_manager.cc:393
01:55:19.708 6769       #26 0x312adb8 in gpu::gles2::GLES2Implementation::GetProgramivHelper(unsigned int, unsigned int, int*) /mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/gpu/command_buffer/client/gles2_implementation.cc:1338
01:55:19.709 6769       #27 0x2afff63 in gpu::gles2::GLES2Implementation::GetProgramiv(unsigned int, unsigned int, int*) /mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/./gpu/command_buffer/client/../client/gles2_implementation_autogen.h:597
01:55:19.709 6769       #28 0x14afddb in WebCore::WebGLProgram::cacheInfoIfNeeded() /mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/third_party/WebKit/Source/WebCore/html/canvas/WebGLProgram.cpp:190
01:55:19.709 6769       #29 0x14aff8e in WebCore::WebGLProgram::getLinkStatus() /mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/third_party/WebKit/Source/WebCore/html/canvas/WebGLProgram.cpp:96
01:55:19.709 6769       #30 0x13f765a in WebCore::WebGLRenderingContext::getProgramParameter(WebCore::WebGLProgram*, unsigned int, int&) /mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/third_party/WebKit/Source/WebCore/html/canvas/WebGLRenderingContext.cpp:2647
01:55:19.709 6769       #31 0x3720535 in WebCore::V8WebGLRenderingContext::getProgramParameterCallback(v8::Arguments const&) /mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/third_party/WebKit/Source/WebCore/bindings/v8/custom/V8WebGLRenderingContextCustom.cpp:360
01:55:19.709 6769       #32 0xdb4851 in v8::internal::MaybeObject* v8::internal::HandleApiCallHelper<false>(v8::internal::(anonymous namespace)::BuiltinArguments<(v8::internal::BuiltinExtraArguments)1>, v8::internal::Isolate*) /mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/v8/src/builtins.cc:1145
01:55:19.709 6769       #33 0x31338a00618e in  
01:55:19.709 6769       #34 0x31338a096f79 in  
01:55:19.709 6769       #35 0x31338a09cda0 in  
01:55:19.718 6769       #36 0x31338a0098ce in  
01:55:19.718 6769       #37 0x31338a09e2af in  
01:55:19.718 6769       #38 0x31338a023ca7 in  
01:55:19.718 6769       #39 0x31338a011217 in  
01:55:19.718 6769       #40 0xdfaf3f in v8::internal::Invoke(bool, v8::internal::Handle<v8::internal::JSFunction>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*, bool*) /mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/v8/src/execution.cc:118
01:55:19.718 6769       #41 0xd6e7cd in v8::Script::Run() /mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/v8/src/api.cc:1613
01:55:19.724 6769       #42 0x18604b5 in WebCore::V8Proxy::runScript(v8::Handle<v8::Script>) /mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/third_party/WebKit/Source/WebCore/bindings/v8/V8Proxy.cpp:365
01:55:19.724 6769       #43 0x185f6ce in WebCore::V8Proxy::evaluate(WebCore::ScriptSourceCode const&, WebCore::Node*) /mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/third_party/WebKit/Source/WebCore/bindings/v8/V8Proxy.cpp:336
01:55:19.724 6769       #44 0x1804e20 in WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&) /mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/third_party/WebKit/Source/WebCore/bindings/v8/ScriptController.cpp:204
01:55:19.724 6769       #45 0xa25903 in WebCore::ScriptElement::executeScript(WebCore::ScriptSourceCode const&) /mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/third_party/WebKit/Source/WebCore/dom/ScriptElement.cpp:300
01:55:19.724 6769       #46 0xa23501 in WebCore::ScriptElement::prepareScript(WTF::TextPosition const&, WebCore::ScriptElement::LegacyTypeSupport) /mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/third_party/WebKit/Source/WebCore/dom/ScriptElement.cpp:240
01:55:19.724 6769       #47 0x141e18d in WebCore::HTMLScriptRunner::runScript(WebCore::Element*, WTF::TextPosition const&) /mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/third_party/WebKit/Source/WebCore/html/parser/HTMLScriptRunner.cpp:292
01:55:19.724 6769       #48 0x141def2 in WebCore::HTMLScriptRunner::execute(WTF::PassRefPtr<WebCore::Element>, WTF::TextPosition const&) /mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/third_party/WebKit/Source/WebCore/html/parser/HTMLScriptRunner.cpp:172
01:55:19.724 6769       #49 0x1416d4b in ~PassRefPtr /mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/third_party/WebKit/Source/WTF/wtf/PassRefPtr.h:67
01:55:19.724 6769       #50 0x1416ef8 in WebCore::HTMLDocumentParser::canTakeNextToken(WebCore::HTMLDocumentParser::SynchronousMode, WebCore::PumpSession&) /mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/third_party/WebKit/Source/WebCore/html/parser/HTMLDocumentParser.cpp:217
01:55:19.724 6769       #51 0x1416726 in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) /mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/third_party/WebKit/Source/WebCore/html/parser/HTMLDocumentParser.cpp:254
01:55:19.724 6769       #52 0x1416ad5 in WebCore::HTMLDocumentParser::resumeParsingAfterYield() /mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/third_party/WebKit/Source/WebCore/html/parser/HTMLDocumentParser.cpp:191
01:55:19.724 6769       #53 0x150a978 in WebCore::ThreadTimers::sharedTimerFiredInternal() /mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/third_party/WebKit/Source/WebCore/platform/ThreadTimers.cpp:118
01:55:19.724 6769       #54 0x2a9767d in base::internal::InvokeHelper<false, void, base::internal::RunnableAdapter<void (webkit_glue::WebKitPlatformSupportImpl::*)()>, void ()(webkit_glue::WebKitPlatformSupportImpl*)>::MakeItSo(base::internal::RunnableAdapter<void (webkit_glue::WebKitPlatformSupportImpl::*)()>, webkit_glue::WebKitPlatformSupportImpl*) /mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/./base/bind_internal.h:871
01:55:19.724 6769       #55 0x2a974ad in base::internal::Invoker<1, base::internal::BindState<base::internal::RunnableAdapter<void (webkit_glue::WebKitPlatformSupportImpl::*)()>, void ()(webkit_glue::WebKitPlatformSupportImpl*), void ()(base::internal::UnretainedWrapper<webkit_glue::WebKitPlatformSupportImpl>)>, void ()(webkit_glue::WebKitPlatformSupportImpl*)>::Run(base::internal::BindStateBase*) /mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/./base/bind_internal.h:1172
01:55:19.724 6769       #56 0x2e44cad in base::Timer::RunScheduledTask() /mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/base/timer.cc:184
01:55:19.724 6769       #57 0x2e4529d in base::internal::InvokeHelper<false, void, base::internal::RunnableAdapter<void (base::BaseTimerTaskInternal::*)()>, void ()(base::BaseTimerTaskInternal*)>::MakeItSo(base::internal::RunnableAdapter<void (base::BaseTimerTaskInternal::*)()>, base::BaseTimerTaskInternal*) /mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/./base/bind_internal.h:871
01:55:19.724 6769       #58 0x2e45158 in base::internal::Invoker<1, base::internal::BindState<base::internal::RunnableAdapter<void (base::BaseTimerTaskInternal::*)()>, void ()(base::BaseTimerTaskInternal*), void ()(base::internal::OwnedWrapper<base::BaseTimerTaskInternal>)>, void ()(base::BaseTimerTaskInternal*)>::Run(base::internal::BindStateBase*) /mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/./base/bind_internal.h:1172
01:55:19.724 6769       #59 0xa4b523 in MessageLoop::RunTask(base::PendingTask const&) /mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/base/message_loop.cc:461
01:55:19.725 6769       #60 0xa4bd3d in MessageLoop::DeferOrRunPendingTask(base::PendingTask const&) /mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/base/message_loop.cc:472
01:55:19.725 6769       #61 0xa4c212 in MessageLoop::DoWork() /mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/base/message_loop.cc:648
01:55:19.725 6769       #62 0xaa7cc5 in base::MessagePumpGlib::HandleDispatch() /mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/base/message_pump_glib.cc:268
01:55:19.725 6769       #63 0xaa6dc9 in (anonymous namespace)::WorkSourceDispatch(_GSource*, int (*)(void*), void*) /mnt/data/b/build/slave/Webkit_Linux_ASAN/build/src/base/message_pump_glib.cc:105
01:55:19.725 6769   0x7f0450ad2c5c is located 4 bytes to the left of global variable 'swizzle_for_size(int)::size_swizzles (third_party/mesa/MesaLib/src/mesa/program/ir_to_mesa.cpp)' (0x7f0450ad2c60) of size 16
01:55:19.725 6769   0x7f0450ad2c5c is located 53 bytes to the right of global variable '.str74 (third_party/mesa/MesaLib/src/mesa/program/ir_to_mesa.cpp)' (0x7f0450ad2c20) of size 7
01:55:19.725 6769     '.str74 (third_party/mesa/MesaLib/src/mesa/program/ir_to_mesa.cpp)' is ascii string '%s[%d]'
01:55:19.725 6769   ==7927== ABORTING
01:55:19.725 6769   Stats: 668M malloced (680M for red zones) by 1503178 calls
01:55:19.725 6769   Stats: 5M realloced by 6982 calls
01:55:19.725 6769   Stats: 281M freed by 1114295 calls
01:55:19.725 6769   Stats: 173M really freed by 626504 calls
01:55:19.725 6769   Stats: 1032M (264381 full pages) mmaped in 258 calls
01:55:19.725 6769     mmaps   by size class: 8:720852; 9:155629; 10:16380; 11:4094; 12:2048; 13:2560; 14:2048; 15:768; 16:3584; 17:224; 18:128; 19:40; 20:16; 21:88; 22:44;
01:55:19.725 6769     mallocs by size class: 8:1281100; 9:171552; 10:26987; 11:6638; 12:2369; 13:4225; 14:3860; 15:1423; 16:4217; 17:390; 18:192; 19:78; 20:15; 21:88; 22:44;
01:55:19.728 6769     frees   by size class: 8:1028304; 9:43047; 10:24931; 11:5126; 12:2134; 13:4055; 14:3333; 15:1298; 16:1517; 17:340; 18:124; 19:76; 20:10;
01:55:19.728 6769     rfrees  by size class: 8:579526; 9:21342; 10:14535; 11:3236; 12:1485; 13:2190; 14:1959; 15:731; 16:1181; 17:187; 18:72; 19:51; 20:9;
01:55:19.728 6769   Stats: malloc large: 807 small slow: 6915
01:55:19.728 6769   Shadow byte and word:
01:55:19.733 6769     0x1fe08a15a58b: f9
01:55:19.733 6769     0x1fe08a15a588: f9 f9 f9 f9 00 00 f9 f9
01:55:19.733 6769   More shadow bytes:
01:55:19.733 6769     0x1fe08a15a568: f9 f9 f9 f9 00 00 00 00
01:55:19.733 6769     0x1fe08a15a570: 00 00 00 00 00 00 00 00
01:55:19.733 6769     0x1fe08a15a578: 00 00 00 00 00 00 00 04
01:55:19.733 6769     0x1fe08a15a580: f9 f9 f9 f9 07 f9 f9 f9
01:55:19.733 6769   =>0x1fe08a15a588: f9 f9 f9 f9 00 00 f9 f9
01:55:19.733 6769     0x1fe08a15a590: f9 f9 f9 f9 00 00 00 00
01:55:19.733 6769     0x1fe08a15a598: 00 04 f9 f9 f9 f9 f9 f9
01:55:19.733 6769     0x1fe08a15a5a0: 00 00 00 00 00 04 f9 f9
01:55:19.733 6769     0x1fe08a15a5a8: f9 f9 f9 f9 00 06 f9 f9
01:55:20.101 6748   fast/canvas/webgl/uniform-location-length-limits.html -> unexpected crash

This is most likely to occur because 0 is passed as an argument to swizzle_for_size().

Unfortunately it may be hard to check whether the latest Mesa has this bug, so if there's no obvious way to fix this (I'm not familiar with the code, so I see none), I can only suggest to run Mesa tests under AddressSanitizer.
Comment 1 Brian Paul 2012-07-31 14:14:45 UTC 
The swizzle_for_size() function is (unchanged from Mesa 7.9 to today):

static int
swizzle_for_size(int size)
{
   int size_swizzles[4] = {
      MAKE_SWIZZLE4(SWIZZLE_X, SWIZZLE_X, SWIZZLE_X, SWIZZLE_X),
      MAKE_SWIZZLE4(SWIZZLE_X, SWIZZLE_Y, SWIZZLE_Y, SWIZZLE_Y),
      MAKE_SWIZZLE4(SWIZZLE_X, SWIZZLE_Y, SWIZZLE_Z, SWIZZLE_Z),
      MAKE_SWIZZLE4(SWIZZLE_X, SWIZZLE_Y, SWIZZLE_Z, SWIZZLE_W),
   };

   assert((size >= 1) && (size <= 4));
   return size_swizzles[size - 1];
}

My guess is that if something's going wrong, you're running a non-debug build and the assertion is a no-op.  Can you rebuild Mesa for debugging and retest?  If you can find the value of 'size' for this failure, that'd be helpful.
Comment 2 Ian Romanick 2012-07-31 19:42:15 UTC 
Is there a way to have AddressSanitizer drop into a debugger (like --db-attach=yes in Valgrind) when it hits an error?  It would be interesting to go up to the topmost ir_to_mesa_visitor::visit(ir_dereference_record*) frame and print ir->type->name.

It seems like the only way this could happen is if either is_scalar or is_vector is true and vector_elements is zero.
Comment 3 Alexander Potapenko 2012-08-31 15:03:18 UTC 
I've managed to reproduce this locally.
Inserting fprintf() calls into third_party/mesa/MesaLib/src/mesa/program/ir_to_mesa.cpp shows that swizzle_for_size(0) is really called for some ir type named Nesting2:

ir->type->name: Nesting2
swizzle_for_size(0)
=================================================================
==5641== ERROR: AddressSanitizer global-buffer-overflow on address 0x7fcd7760bc7c at pc 0x7fcd771ed9b3 bp 0x7fff035d6e10 sp 0x7fff035d6e08
READ of size 4 at 0x7fcd7760bc7c thread T0
    #0 0x7fcd771ed9b2 in swizzle_for_size(int) /usr/local/google/chrome-asan/src/out/Release/../../third_party/mesa/MesaLib/src/mesa/program/ir_to_mesa.cpp:319
    #1 0x7fcd771ed701 in ir_to_mesa_visitor::visit(ir_dereference_record*) /usr/local/google/chrome-asan/src/out/Release/../../third_party/mesa/MesaLib/src/mesa/program/ir_to_mesa.cpp:1547
    #2 0x7fcd771edadd in ir_to_mesa_visitor::visit(ir_assignment*) /usr/local/google/chrome-asan/src/out/Release/../../third_party/mesa/MesaLib/src/mesa/program/ir_to_mesa.cpp:1591
    #3 0x7fcd771dca42 in ir_to_mesa_visitor::visit(ir_function*) /usr/local/google/chrome-asan/src/out/Release/../../third_party/mesa/MesaLib/src/mesa/program/ir_to_mesa.cpp:1020
    #4 0x7fcd77412d29 in visit_exec_list(exec_list*, ir_visitor*) /usr/local/google/chrome-asan/src/out/Release/../../third_party/mesa/MesaLib/src/glsl/ir.cpp:1200
...

Please let me know how else I can help.
Comment 4 Alexander Potapenko 2012-10-17 12:51:41 UTC 
In order to attach the debugger to a program instrumented with ASan one needs to run it with ASAN_OPTIONS=sleep_before_dying=100 (which means sleep for 100 seconds) and then attach gdb to the PID obtained from the log.
Comment 5 Ian Romanick 2012-10-18 21:58:05 UTC 
This bug was already fixed on the 7.9 branch by the commit listed below.  I similar patch is also on the 7.10.  You just need to update... and I recommend updating to either 8.0.x or 9.0.  The 7.x release series is no longer actively supported.

commit 0d98ceb4bfc9f0ac5462e060fa1d66c9b8b7d031
Author: Ian Romanick <ian.d.romanick@intel.com>
Date:   Mon Dec 13 15:42:46 2010 -0800

    ir_to_mesa: Don't generate swizzles for record derefs of non-scalar/vectors
    
    This is the same as what the array dereference handler does.
    
    Fixes piglit test glsl-link-struct-array (bugzilla #31648).
    
    NOTE: This is a candidate for the 7.9 and 7.10 branches.
    (cherry picked from commit 2d577ee730c30caacf711babde6542766aa0b655)

*** This bug has been marked as a duplicate of bug 31648 ***

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.