[Bug 36261] valgrind shows a use after free in ddraw/tests/ddraw4.c

wine-bugs at winehq.org
Sat May 31 15:23:22 CDT 2014


https://bugs.winehq.org/show_bug.cgi?id=36261

--- Comment #1 from Austin English <austinenglish at gmail.com> ---
Also:
==26415== Invalid write of size 4
==26415==    at 0x4B962A8: d3d_device_inner_Release (device.c:319)
==26415==    by 0x4B9647B: d3d_device3_Release (device.c:345)
==26415==    by 0x4AAFA09: test_coop_level_d3d_state (ddraw4.c:994)
==26415==    by 0x4AD1B87: func_ddraw4 (ddraw4.c:7455)
==26415==    by 0x4B24F84: run_test (test.h:584)
==26415==    by 0x4B25373: main (test.h:654)
==26415==  Address 0x482ea30 is 112 bytes inside a block of size 160 free'd
==26415==    at 0x7BC4C7AA: notify_free (heap.c:263)
==26415==    by 0x7BC510EF: RtlFreeHeap (heap.c:1762)
==26415==    by 0x4B889F9: ddraw_destroy (ddraw.c:441)
==26415==    by 0x4B88C0C: ddraw4_Release (ddraw.c:472)
==26415==    by 0x4BAEC45: ddraw_surface_release_iface (surface.c:558)
==26415==    by 0x4BAEDED: ddraw_surface4_Release (surface.c:617)
==26415==    by 0x4B96249: d3d_device_inner_Release (device.c:316)
==26415==    by 0x4B9647B: d3d_device3_Release (device.c:345)
==26415==    by 0x4AAFA09: test_coop_level_d3d_state (ddraw4.c:994)
==26415==    by 0x4AD1B87: func_ddraw4 (ddraw4.c:7455)
==26415==    by 0x4B24F84: run_test (test.h:584)
==26415==    by 0x4B25373: main (test.h:654)
==26415== 

==26415== Warning: client syscall munmap tried to modify addresses 0x81d30000-0x81d30fff
==26415== Invalid read of size 4
==26415==    at 0x400B950: memcpy (vg_replace_strmem.c:908)
==26415==    by 0x4EABBB8: wined3d_device_set_ps_consts_f (device.c:2496)
==26415==    by 0x4F37473: wined3d_stateblock_apply (stateblock.c:984)
==26415==    by 0x4B8A1ED: ddraw_set_cooperative_level (ddraw.c:951)
==26415==    by 0x4B8A5E2: ddraw7_SetCooperativeLevel (ddraw.c:1010)
==26415==    by 0x4B888F3: ddraw_destroy (ddraw.c:420)
==26415==    by 0x4B88C0C: ddraw4_Release (ddraw.c:472)
==26415==    by 0x4AB0162: test_surface_interface_mismatch (ddraw4.c:1088)
==26415==    by 0x4AD1B8C: func_ddraw4 (ddraw4.c:7456)
==26415==    by 0x4B24F84: run_test (test.h:584)
==26415==    by 0x4B25373: main (test.h:654)
==26415==  Address 0xa174000 is 880 bytes inside a block of size 65,536 alloc'd
==26415==    at 0x7BC4C75D: notify_alloc (heap.c:255)
==26415==    by 0x7BC50FA1: RtlAllocateHeap (heap.c:1716)
==26415==    by 0x4F38C30: state_init (stateblock.c:1324)
==26415==    by 0x4F38D09: stateblock_init (stateblock.c:1346)
==26415==    by 0x4F38F8E: wined3d_stateblock_create (stateblock.c:1403)
==26415==    by 0x4B8A024: ddraw_set_cooperative_level (ddraw.c:914)
==26415==    by 0x4B8A5E2: ddraw7_SetCooperativeLevel (ddraw.c:1010)
==26415==    by 0x4B888F3: ddraw_destroy (ddraw.c:420)
==26415==    by 0x4B88C0C: ddraw4_Release (ddraw.c:472)
==26415==    by 0x4AB0162: test_surface_interface_mismatch (ddraw4.c:1088)
==26415==    by 0x4AD1B8C: func_ddraw4 (ddraw4.c:7456)
==26415==    by 0x4B24F84: run_test (test.h:584)
==26415==    by 0x4B25373: main (test.h:654)
==26415== 
==26415== Invalid read of size 4
==26415==    at 0x400B95A: memcpy (vg_replace_strmem.c:908)
==26415==    by 0x4EABBB8: wined3d_device_set_ps_consts_f (device.c:2496)
==26415==    by 0x4F37473: wined3d_stateblock_apply (stateblock.c:984)
==26415==    by 0x4B8A1ED: ddraw_set_cooperative_level (ddraw.c:951)
==26415==    by 0x4B8A5E2: ddraw7_SetCooperativeLevel (ddraw.c:1010)
==26415==    by 0x4B888F3: ddraw_destroy (ddraw.c:420)
==26415==    by 0x4B88C0C: ddraw4_Release (ddraw.c:472)
==26415==    by 0x4AB0162: test_surface_interface_mismatch (ddraw4.c:1088)
==26415==    by 0x4AD1B8C: func_ddraw4 (ddraw4.c:7456)
==26415==    by 0x4B24F84: run_test (test.h:584)
==26415==    by 0x4B25373: main (test.h:654)
==26415==  Address 0xa174008 is 888 bytes inside a block of size 65,536 alloc'd
==26415==    at 0x7BC4C75D: notify_alloc (heap.c:255)
==26415==    by 0x7BC50FA1: RtlAllocateHeap (heap.c:1716)
==26415==    by 0x4F38C30: state_init (stateblock.c:1324)
==26415==    by 0x4F38D09: stateblock_init (stateblock.c:1346)
==26415==    by 0x4F38F8E: wined3d_stateblock_create (stateblock.c:1403)
==26415==    by 0x4B8A024: ddraw_set_cooperative_level (ddraw.c:914)
==26415==    by 0x4B8A5E2: ddraw7_SetCooperativeLevel (ddraw.c:1010)
==26415==    by 0x4B888F3: ddraw_destroy (ddraw.c:420)
==26415==    by 0x4B88C0C: ddraw4_Release (ddraw.c:472)
==26415==    by 0x4AB0162: test_surface_interface_mismatch (ddraw4.c:1088)
==26415==    by 0x4AD1B8C: func_ddraw4 (ddraw4.c:7456)
==26415==    by 0x4B24F84: run_test (test.h:584)
==26415==    by 0x4B25373: main (test.h:654)
==26415== 

There's a valgrind assertion failure after all of this, which these issues
could be causing:
memcheck: mc_main.c:1003 (get_sec_vbits8): Assertion 'n' failed.
Memcheck: get_sec_vbits8: no node for address 0xA174000 (0xA17400F)

==26415==    at 0x3804CD81: report_and_quit (m_libcassert.c:279)
==26415==    by 0x3804CEA9: vgPlain_assert_fail (m_libcassert.c:359)
==26415==    by 0x380255EE: get_sec_vbits8 (mc_main.c:1003)
==26415==    by 0x38000585: mc_LOADVn_slow (mc_main.c:813)
==26415==    by 0x38027616: vgMemCheck_helperc_LOADV32le (mc_main.c:4482)
==26415==    by 0x88DFDA8C: ???

sched status:
  running_tid=1

Thread 1: status = VgTs_Runnable
==26415==    at 0x400B95A: memcpy (vg_replace_strmem.c:908)
==26415==    by 0x4EABBB8: wined3d_device_set_ps_consts_f (device.c:2496)
==26415==    by 0x4F37473: wined3d_stateblock_apply (stateblock.c:984)
==26415==    by 0x4B8A1ED: ddraw_set_cooperative_level (ddraw.c:951)
==26415==    by 0x4B8A5E2: ddraw7_SetCooperativeLevel (ddraw.c:1010)
==26415==    by 0x4B888F3: ddraw_destroy (ddraw.c:420)
==26415==    by 0x4B88C0C: ddraw4_Release (ddraw.c:472)
==26415==    by 0x4AB0162: test_surface_interface_mismatch (ddraw4.c:1088)
==26415==    by 0x4AD1B8C: func_ddraw4 (ddraw4.c:7456)
==26415==    by 0x4B24F84: run_test (test.h:584)
==26415==    by 0x4B25373: main (test.h:654)


Note: see also the FAQ in the source distribution.
It contains workarounds to several common problems.
In particular, if Valgrind aborted or crashed after
identifying problems in your program, there's a good chance
that fixing those problems will prevent Valgrind aborting or
crashing, especially if it happened in m_mallocfree.c.

If that doesn't help, please report this bug to: www.valgrind.org

In the bug report, send all the above text, the valgrind
version, and what OS and version you are using.  Thanks.
