Bug 57735 - use-after-free (both read and write) with Gallium drivers when replacing an image in a texture attached to a FBO
Summary: use-after-free (both read and write) with Gallium drivers when replacing an i...
Alias: None
Product: Mesa
Classification: Unclassified
Component: Mesa core (show other bugs)
Version: unspecified
Hardware: x86-64 (AMD64) Linux (All)
: medium normal
Assignee: Jose Fonseca
QA Contact:
Depends on:
Reported: 2012-11-30 13:51 UTC by Benoit Jacob
Modified: 2019-11-19 08:57 UTC (History)
4 users (show)

See Also:
i915 platform:
i915 features:

apitrace trace (53.88 KB, text/plain)
2012-11-30 13:51 UTC, Benoit Jacob
glretrace+valgrind output showing errors (61.30 KB, text/plain)
2012-11-30 13:53 UTC, Benoit Jacob

Description Benoit Jacob 2012-11-30 13:51:27 UTC
Created attachment 70831 [details]
apitrace trace

This is https://bugzilla.mozilla.org/show_bug.cgi?id=814407

I have seen this on various Gallium drivers (llvmpipe, nouveau, radeon) on Mesa 8.0 (at least 8.0.3 and 8.0.4). This does not reproduce on llvmpipe on current Mesa Git. Still would be worth checking if the bug is really fixed, and I haven't checked Mesa Git with other drivers than llvmpipe.

Attaching an apitrace allowing to reproduce this with this command:

LD_PRELOAD=/hack/Mesa-8.0.3/build/linux-x86_64-debug/gallium/targets/libgl-xlib/libGL.so.1 LD_LIBRARY_PATH=/hack/Mesa-8.0.3/build/linux-x86_64-debug/gallium/targets/libgl-xlib valgrind --smc-check=all-non-file ../apitrace/build/glretrace -v firefox.5.trace

There are a ton of Valgrind error, both invalid writes and reads, attaching valgrind output.

In Firefox we found that we could work around this by re-attaching textures to any FBOs they are attached to (glFramebufferTexture2D), everytime we replace a texture image in them (e.g. glTexImage2D).
Comment 1 Benoit Jacob 2012-11-30 13:53:11 UTC
Created attachment 70832 [details]
glretrace+valgrind output showing errors
Comment 2 Brian Paul 2012-12-11 22:09:20 UTC
This bug doesn't seem to happen with Mesa 9.0 or later so I'm going to mark it as fixed.

I don't think there are going to be any more 8.0.x releases so I'm not going to track down the specific change and backport it.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.