Use-after-free crash in nv50_ir::GCRA::RIG_Node::init()
At Mozilla we've detected a series of use-after-free crashes happening in the nouveau driver when using cards from the Tesla family. This is happening on a wide range of hardware on Debian, Ubuntu and Linux Mint. The crash seems to affect Mesa versions ranging from 184.108.40.206 to 220.127.116.11.
Describe the issue
A complete stack trace of the crash including register contents and line numbers can be found here:
The first ten frames of the stack look like this:
0  nv50_ir::GCRA::RIG_Node::init(nv50_ir::RegisterSet const&, nv50_ir::LValue*)
1  nv50_ir::GCRA::allocateRegisters(nv50_ir::ArrayList&)
2  nv50_ir::RegAlloc::execFunc()
3  nv50_ir::RegAlloc::exec()
4  nv50_ir::Program::registerAllocation()
5  nv50_ir_generate_code()
6  nv50_program_translate()
7  nv50_sp_state_create()
8  st_create_fp_variant()
9  st_get_fp_variant()
10 st_finalize_program()
The crash seems to have been triggered by an access from the rdi register which contains the poison pattern we use in Firefox to detect free()'d objects. I might be able to track down the variable corresponding to that register and I'll add a comment later if I do.
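For readers unfamiliar with the poison-pattern technique mentioned above, the following is an added illustration (not Firefox's or Mesa's code; the poison byte 0xE5 and all function names are hypothetical). It shows the two halves of the mechanism: a free wrapper that overwrites an object with a fixed byte pattern before releasing it, and a classifier that turns a raw register value from a crash report into "this was a freed object" versus "this was a null/other pointer".

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical poison byte; Firefox's real pattern is not assumed here. */
#define POISON_BYTE 0xE5u

enum crash_value_kind {
    CRASH_VALUE_NULL,    /* null-pointer dereference */
    CRASH_VALUE_POISON,  /* read through a stale pointer into poisoned memory */
    CRASH_VALUE_OTHER    /* some other corruption or uninitialised value */
};

/* The poison pattern widened to a 64-bit word, i.e. what a register holds
   after loading a field of an object that was poisoned on free(). */
uint64_t poison_word(void) {
    uint64_t v = 0;
    for (int i = 0; i < 8; i++) v |= (uint64_t)POISON_BYTE << (8 * i);
    return v;
}

/* Fill an object with the poison pattern and only then release it. Any later
   dereference through a dangling pointer that still reads the old contents
   yields the pattern instead of whatever the allocator placed there next. */
void poison_free(void *p, size_t n) {
    if (p) memset(p, POISON_BYTE, n);
    free(p);
}

/* Fill without freeing: used below to demonstrate detection without
   touching memory after free(), which would be undefined behaviour. */
void poison_fill(void *p, size_t n) {
    memset(p, POISON_BYTE, n);
}

/* Classify a register value taken from a crash report. */
enum crash_value_kind classify_register(uint64_t v) {
    if (v == 0) return CRASH_VALUE_NULL;
    if (v == poison_word()) return CRASH_VALUE_POISON;
    return CRASH_VALUE_OTHER;
}

/* Simulated scenario: an object is poisoned (as poison_free would do), and a
   "stale" load of one of its fields is then classified. */
struct node { uint64_t edge; uint64_t weight; };

enum crash_value_kind simulate_stale_read(void) {
    struct node n = { 0x1234, 0x5678 };
    poison_fill(&n, sizeof n);   /* what poison_free does before free() */
    uint64_t loaded = n.edge;    /* what a stale load would put in rdi */
    return classify_register(loaded);
}

int main(void) {
    return simulate_stale_read() == CRASH_VALUE_POISON ? 0 : 1;
}
```

The practical payoff is the one described in the report: a fault address or register value made entirely of the poison byte points squarely at a use-after-free rather than at a null dereference or generic memory corruption, which is what lets a crash aggregator bucket such reports without a reproducer.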
We have reports for this crash starting with Mesa 18.104.22.168 but a very similar issue goes all the way back to 22.214.171.124, here's the corresponding crash report:
Any extra information would be greatly appreciated
Most users that experienced this crash hit it by visiting https://store.google.com with a recent version of Firefox (both release and ESR).