[Bug 36261] New: valgrind shows a use after free in ddraw/tests/ddraw4.c
https://bugs.winehq.org/show_bug.cgi?id=36261

            Bug ID: 36261
           Summary: valgrind shows a use after free in ddraw/tests/ddraw4.c
           Product: Wine
           Version: 1.7.18
          Hardware: x86
                OS: Linux
            Status: NEW
          Keywords: download, source, testcase
          Severity: normal
          Priority: P2
         Component: directx-d3d
          Assignee: wine-bugs(a)winehq.org
          Reporter: austinenglish(a)gmail.com

==29500== Invalid write of size 4
==29500==    at 0x498B288: d3d_device_inner_Release (device.c:319)
==29500==    by 0x498B45B: d3d_device3_Release (device.c:345)
==29500==    by 0x4C6844D: test_process_vertices (ddraw4.c:624)
==29500==    by 0x4C8C1E0: func_ddraw4 (ddraw4.c:7299)
==29500==    by 0x4CDE890: run_test (test.h:584)
==29500==    by 0x4CDEC7F: main (test.h:654)
==29500==  Address 0x47a4dc8 is 112 bytes inside a block of size 160 free'd
==29500==    at 0x7BC4C782: notify_free (heap.c:263)
==29500==    by 0x7BC510C7: RtlFreeHeap (heap.c:1762)
==29500==    by 0x497D9F9: ddraw_destroy (ddraw.c:441)
==29500==    by 0x497DC0C: ddraw4_Release (ddraw.c:472)
==29500==    by 0x49A3B99: ddraw_surface_release_iface (surface.c:552)
==29500==    by 0x49A3D41: ddraw_surface4_Release (surface.c:611)
==29500==    by 0x498B229: d3d_device_inner_Release (device.c:316)
==29500==    by 0x498B45B: d3d_device3_Release (device.c:345)
==29500==    by 0x4C6844D: test_process_vertices (ddraw4.c:624)
==29500==    by 0x4C8C1E0: func_ddraw4 (ddraw4.c:7299)
==29500==    by 0x4CDE890: run_test (test.h:584)
==29500==    by 0x4CDEC7F: main (test.h:654)
==29500==

-- 
Do not reply to this email, post in Bugzilla using the above URL to reply.
You are receiving this mail because:
You are watching all bug changes.
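The two stacks in the report describe one ordering problem: d3d_device_inner_Release drops a surface reference at device.c:316, that release takes the ddraw object down through ddraw_destroy, which frees a 160-byte block, and device.c:319 then writes 4 bytes into that freed block. The following is an added example, not Wine code, that models that teardown ordering with hypothetical gfx_parent/gfx_device objects. A small live-block registry stands in for memcheck's bookkeeping (freed blocks are quarantined rather than returned to the allocator), so the buggy ordering is counted rather than being undefined behaviour, and the corrected ordering sits beside it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Live-block registry standing in for memcheck's bookkeeping (constructed for
 * this example). Freed blocks stay allocated but are marked dead until
 * registry_reset(), so a store into one is counted instead of being UB. */
#define MAX_BLOCKS 8
static struct { void *base; size_t size; bool live; } blocks[MAX_BLOCKS];
static int uaf_count; /* stores that targeted a dead or untracked block */

static void registry_reset(void)
{
    for (int i = 0; i < MAX_BLOCKS; i++) free(blocks[i].base);
    memset(blocks, 0, sizeof blocks);
    uaf_count = 0;
}

static void *tracked_alloc(size_t size)
{
    void *p = calloc(1, size);
    for (int i = 0; p && i < MAX_BLOCKS; i++)
        if (!blocks[i].base) { blocks[i].base = p; blocks[i].size = size; blocks[i].live = true; return p; }
    abort(); /* out of memory or registry full */
}

static void tracked_free(void *p)
{
    for (int i = 0; i < MAX_BLOCKS; i++)
        if (p && blocks[i].base == p) blocks[i].live = false;
}

/* Checked 32-bit store: writes only if dst lies inside a live block. */
static bool store_u32(uint32_t *dst, uint32_t value)
{
    uintptr_t a = (uintptr_t)dst;
    for (int i = 0; i < MAX_BLOCKS; i++) {
        uintptr_t base = (uintptr_t)blocks[i].base;
        if (!blocks[i].base || a < base || a + sizeof value > base + blocks[i].size) continue;
        if (blocks[i].live) { *dst = value; return true; }
        break;
    }
    uaf_count++;
    return false;
}

/* Hypothetical objects: gfx_parent owns the device's storage, the way the trace
 * shows ddraw_destroy freeing the 160-byte block; gfx_device holds a reference
 * on its parent, the way the device holds the surface it releases. */
struct gfx_parent;
struct gfx_device { uint32_t ref; struct gfx_parent *parent; uint32_t state; };
struct gfx_parent { uint32_t ref; struct gfx_device *device; };

static uint32_t parent_release(struct gfx_parent *p)
{
    uint32_t ref = --p->ref;
    if (!ref) { tracked_free(p->device); tracked_free(p); } /* teardown frees the child too */
    return ref;
}

/* Buggy ordering, as in the trace: the reference that can tear the parent down
 * is dropped first, and the store that follows lands in the freed device block. */
static uint32_t device_release_buggy(struct gfx_device *dev)
{
    uint32_t ref = --dev->ref;
    if (!ref) {
        parent_release(dev->parent);
        store_u32(&dev->state, 0); /* dev may already be gone here */
    }
    return ref;
}

/* Fixed ordering: finish every access to dev, keep what teardown still needs in
 * a local, and make the call that may free dev the last thing that happens. */
static uint32_t device_release_fixed(struct gfx_device *dev)
{
    uint32_t ref = --dev->ref;
    if (!ref) {
        struct gfx_parent *parent = dev->parent;
        store_u32(&dev->state, 0);
        parent_release(parent); /* nothing may touch dev after this */
    }
    return ref;
}

/* One parent with two references (the caller's and the device's). The caller
 * lets go first, so the device's final release tears everything down, as in the
 * trace. Returns the number of stores that hit freed memory. */
static int run_scenario(uint32_t (*release)(struct gfx_device *))
{
    registry_reset();
    struct gfx_parent *parent = tracked_alloc(sizeof *parent);
    struct gfx_device *dev = tracked_alloc(sizeof *dev);
    parent->ref = 2;
    parent->device = dev;
    dev->ref = 1;
    dev->parent = parent;
    parent_release(parent); /* caller's reference: 2 -> 1, no teardown yet */
    release(dev);           /* device's final reference: parent 1 -> 0, teardown */
    return uaf_count;
}
```

run_scenario(device_release_buggy) reports one store into freed memory and run_scenario(device_release_fixed) reports none. The rule the fixed variant follows is the one to check in any Release-style function: once a call can drop the last reference on something that owns your own storage, that call has to be the final use of `this`, or you take a temporary reference on the owner for the duration of the teardown.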
--- Comment #1 from Austin English <austinenglish(a)gmail.com> ---
Also:

==26415== Invalid write of size 4
==26415==    at 0x4B962A8: d3d_device_inner_Release (device.c:319)
==26415==    by 0x4B9647B: d3d_device3_Release (device.c:345)
==26415==    by 0x4AAFA09: test_coop_level_d3d_state (ddraw4.c:994)
==26415==    by 0x4AD1B87: func_ddraw4 (ddraw4.c:7455)
==26415==    by 0x4B24F84: run_test (test.h:584)
==26415==    by 0x4B25373: main (test.h:654)
==26415==  Address 0x482ea30 is 112 bytes inside a block of size 160 free'd
==26415==    at 0x7BC4C7AA: notify_free (heap.c:263)
==26415==    by 0x7BC510EF: RtlFreeHeap (heap.c:1762)
==26415==    by 0x4B889F9: ddraw_destroy (ddraw.c:441)
==26415==    by 0x4B88C0C: ddraw4_Release (ddraw.c:472)
==26415==    by 0x4BAEC45: ddraw_surface_release_iface (surface.c:558)
==26415==    by 0x4BAEDED: ddraw_surface4_Release (surface.c:617)
==26415==    by 0x4B96249: d3d_device_inner_Release (device.c:316)
==26415==    by 0x4B9647B: d3d_device3_Release (device.c:345)
==26415==    by 0x4AAFA09: test_coop_level_d3d_state (ddraw4.c:994)
==26415==    by 0x4AD1B87: func_ddraw4 (ddraw4.c:7455)
==26415==    by 0x4B24F84: run_test (test.h:584)
==26415==    by 0x4B25373: main (test.h:654)
==26415==
==26415== Warning: client syscall munmap tried to modify addresses 0x81d30000-0x81d30fff
==26415== Invalid read of size 4
==26415==    at 0x400B950: memcpy (vg_replace_strmem.c:908)
==26415==    by 0x4EABBB8: wined3d_device_set_ps_consts_f (device.c:2496)
==26415==    by 0x4F37473: wined3d_stateblock_apply (stateblock.c:984)
==26415==    by 0x4B8A1ED: ddraw_set_cooperative_level (ddraw.c:951)
==26415==    by 0x4B8A5E2: ddraw7_SetCooperativeLevel (ddraw.c:1010)
==26415==    by 0x4B888F3: ddraw_destroy (ddraw.c:420)
==26415==    by 0x4B88C0C: ddraw4_Release (ddraw.c:472)
==26415==    by 0x4AB0162: test_surface_interface_mismatch (ddraw4.c:1088)
==26415==    by 0x4AD1B8C: func_ddraw4 (ddraw4.c:7456)
==26415==    by 0x4B24F84: run_test (test.h:584)
==26415==    by 0x4B25373: main (test.h:654)
==26415==  Address 0xa174000 is 880 bytes inside a block of size 65,536 alloc'd
==26415==    at 0x7BC4C75D: notify_alloc (heap.c:255)
==26415==    by 0x7BC50FA1: RtlAllocateHeap (heap.c:1716)
==26415==    by 0x4F38C30: state_init (stateblock.c:1324)
==26415==    by 0x4F38D09: stateblock_init (stateblock.c:1346)
==26415==    by 0x4F38F8E: wined3d_stateblock_create (stateblock.c:1403)
==26415==    by 0x4B8A024: ddraw_set_cooperative_level (ddraw.c:914)
==26415==    by 0x4B8A5E2: ddraw7_SetCooperativeLevel (ddraw.c:1010)
==26415==    by 0x4B888F3: ddraw_destroy (ddraw.c:420)
==26415==    by 0x4B88C0C: ddraw4_Release (ddraw.c:472)
==26415==    by 0x4AB0162: test_surface_interface_mismatch (ddraw4.c:1088)
==26415==    by 0x4AD1B8C: func_ddraw4 (ddraw4.c:7456)
==26415==    by 0x4B24F84: run_test (test.h:584)
==26415==    by 0x4B25373: main (test.h:654)
==26415==
==26415== Invalid read of size 4
==26415==    at 0x400B95A: memcpy (vg_replace_strmem.c:908)
==26415==    by 0x4EABBB8: wined3d_device_set_ps_consts_f (device.c:2496)
==26415==    by 0x4F37473: wined3d_stateblock_apply (stateblock.c:984)
==26415==    by 0x4B8A1ED: ddraw_set_cooperative_level (ddraw.c:951)
==26415==    by 0x4B8A5E2: ddraw7_SetCooperativeLevel (ddraw.c:1010)
==26415==    by 0x4B888F3: ddraw_destroy (ddraw.c:420)
==26415==    by 0x4B88C0C: ddraw4_Release (ddraw.c:472)
==26415==    by 0x4AB0162: test_surface_interface_mismatch (ddraw4.c:1088)
==26415==    by 0x4AD1B8C: func_ddraw4 (ddraw4.c:7456)
==26415==    by 0x4B24F84: run_test (test.h:584)
==26415==    by 0x4B25373: main (test.h:654)
==26415==  Address 0xa174008 is 888 bytes inside a block of size 65,536 alloc'd
==26415==    at 0x7BC4C75D: notify_alloc (heap.c:255)
==26415==    by 0x7BC50FA1: RtlAllocateHeap (heap.c:1716)
==26415==    by 0x4F38C30: state_init (stateblock.c:1324)
==26415==    by 0x4F38D09: stateblock_init (stateblock.c:1346)
==26415==    by 0x4F38F8E: wined3d_stateblock_create (stateblock.c:1403)
==26415==    by 0x4B8A024: ddraw_set_cooperative_level (ddraw.c:914)
==26415==    by 0x4B8A5E2: ddraw7_SetCooperativeLevel (ddraw.c:1010)
==26415==    by 0x4B888F3: ddraw_destroy (ddraw.c:420)
==26415==    by 0x4B88C0C: ddraw4_Release (ddraw.c:472)
==26415==    by 0x4AB0162: test_surface_interface_mismatch (ddraw4.c:1088)
==26415==    by 0x4AD1B8C: func_ddraw4 (ddraw4.c:7456)
==26415==    by 0x4B24F84: run_test (test.h:584)
==26415==    by 0x4B25373: main (test.h:654)
==26415==

There's a valgrind assertion failure after all of this, which these issues
could be causing:

memcheck: mc_main.c:1003 (get_sec_vbits8): Assertion 'n' failed.
Memcheck: get_sec_vbits8: no node for address 0xA174000 (0xA17400F)
==26415==    at 0x3804CD81: report_and_quit (m_libcassert.c:279)
==26415==    by 0x3804CEA9: vgPlain_assert_fail (m_libcassert.c:359)
==26415==    by 0x380255EE: get_sec_vbits8 (mc_main.c:1003)
==26415==    by 0x38000585: mc_LOADVn_slow (mc_main.c:813)
==26415==    by 0x38027616: vgMemCheck_helperc_LOADV32le (mc_main.c:4482)
==26415==    by 0x88DFDA8C: ???

sched status:
  running_tid=1

Thread 1: status = VgTs_Runnable
==26415==    at 0x400B95A: memcpy (vg_replace_strmem.c:908)
==26415==    by 0x4EABBB8: wined3d_device_set_ps_consts_f (device.c:2496)
==26415==    by 0x4F37473: wined3d_stateblock_apply (stateblock.c:984)
==26415==    by 0x4B8A1ED: ddraw_set_cooperative_level (ddraw.c:951)
==26415==    by 0x4B8A5E2: ddraw7_SetCooperativeLevel (ddraw.c:1010)
==26415==    by 0x4B888F3: ddraw_destroy (ddraw.c:420)
==26415==    by 0x4B88C0C: ddraw4_Release (ddraw.c:472)
==26415==    by 0x4AB0162: test_surface_interface_mismatch (ddraw4.c:1088)
==26415==    by 0x4AD1B8C: func_ddraw4 (ddraw4.c:7456)
==26415==    by 0x4B24F84: run_test (test.h:584)
==26415==    by 0x4B25373: main (test.h:654)

Note: see also the FAQ in the source distribution.
It contains workarounds to several common problems.
In particular, if Valgrind aborted or crashed after
identifying problems in your program, there's a good chance
that fixing those problems will prevent Valgrind aborting or
crashing, especially if it happened in m_mallocfree.c.

If that doesn't help, please report this bug to: www.valgrind.org

In the bug report, send all the above text, the valgrind
version, and what OS and version you are using.  Thanks.
Austin English <austinenglish(a)gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|valgrind shows a use after  |valgrind shows a use after
                   |free in                     |free in
                   |ddraw/tests/ddraw4.c        |d3d_device7_Release()
                   |                            |ddraw/tests/ddraw{4,7}.c

--- Comment #2 from Austin English <austinenglish(a)gmail.com> ---
The original problem also occurs in ddraw7's tests:

==29087== Invalid write of size 4
==29087==    at 0x4B962A8: d3d_device_inner_Release (device.c:319)
==29087==    by 0x4B963D9: d3d_device7_Release (device.c:336)
==29087==    by 0x4AD6C8B: test_coop_level_d3d_state (ddraw7.c:913)
==29087==    by 0x4AF73A2: func_ddraw7 (ddraw7.c:7184)
==29087==    by 0x4B24F84: run_test (test.h:584)
==29087==    by 0x4B25373: main (test.h:654)
==29087==  Address 0x48b7540 is 112 bytes inside a block of size 160 free'd
==29087==    at 0x7BC4C7AA: notify_free (heap.c:263)
==29087==    by 0x7BC510EF: RtlFreeHeap (heap.c:1762)
==29087==    by 0x4B889F9: ddraw_destroy (ddraw.c:441)
==29087==    by 0x4B88B01: ddraw7_Release (ddraw.c:459)
==29087==    by 0x4BAEC45: ddraw_surface_release_iface (surface.c:558)
==29087==    by 0x4BAED19: ddraw_surface7_Release (surface.c:602)
==29087==    by 0x4B96249: d3d_device_inner_Release (device.c:316)
==29087==    by 0x4B963D9: d3d_device7_Release (device.c:336)
==29087==    by 0x4AD6C8B: test_coop_level_d3d_state (ddraw7.c:913)
==29087==    by 0x4AF73A2: func_ddraw7 (ddraw7.c:7184)
==29087==    by 0x4B24F84: run_test (test.h:584)
==29087==    by 0x4B25373: main (test.h:654)
==29087==
Austin English <austinenglish(a)gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|valgrind shows a use after  |valgrind shows a use after
                   |free in                     |free in
                   |d3d_device7_Release()       |d3d_device_inner_Release()
                   |ddraw/tests/ddraw{4,7}.c    |ddraw/tests/ddraw{4,7}.c
Austin English <austinenglish(a)gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Keywords|                            |valgrind
joaopa <jeremielapuree(a)yahoo.fr> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                CC|                            |jeremielapuree(a)yahoo.fr

--- Comment #3 from joaopa <jeremielapuree(a)yahoo.fr> ---
What about this bug with current wine (3.20)?
Austin English <austinenglish(a)gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
        Resolution|---                         |FIXED
            Status|NEW                         |RESOLVED

--- Comment #4 from Austin English <austinenglish(a)gmail.com> ---
I can't reproduce on my current hardware with wine-4.0-407-gf7b3120991
Alexandre Julliard <julliard(a)winehq.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Status|RESOLVED                    |CLOSED

--- Comment #5 from Alexandre Julliard <julliard(a)winehq.org> ---
Closing bugs fixed in 4.2.