Use-after-free crash innv50_ir::GCRA::RIG_Node::init()

System information

At Mozilla we've detected a series of use-after-free crashes happening in the the nouveau driver when using cards from the Tesla family. This is happening on a wide range of hardware on Debian, Ubuntu and Linux Mint. The crash seem to affect Mesa versions ranging from 18.3.6.0 to 20.0.6.0.

Describe the issue

A complete stack trace of the crash including register contents and line numbers can be found here:

https://crash-stats.mozilla.org/report/index/8f1b9cf2-8fdd-41b8-a949-bd7ed0200529

The first ten frames of the stack look like this:

0 nv50_ir::GCRA::RIG_Node::init(nv50_ir::RegisterSet const&, nv50_ir::LValue*)
1 nv50_ir::GCRA::allocateRegisters(nv50_ir::ArrayList&)
2 nv50_ir::RegAlloc::execFunc()
3 nv50_ir::RegAlloc::exec()
4 nv50_ir::Program::registerAllocation()
5 nv50_ir_generate_code()
6 nv50_program_translate()
7 nv50_sp_state_create()
8 st_create_fp_variant()
9 st_get_fp_variant()
10 1st_finalize_program()

The crash seems to have been triggered by an access from the rdi register which contains the poison pattern we use in Firefox to detect free()'d objects. I might be able to track down the variable corresponding to that register and I'll add a comment later if I do.

Regression

We have reports for this crash starting with Mesa 18.3.6.0 but a very similar issue goes all the way back to 13.0.6.0, here's the corresponding crash report:

https://crash-stats.mozilla.org/report/index/429e8137-8931-419e-9824-67e300200508

Any extra information would be greatly appreciated

Most users that experienced this crash hit it by visiting https://store.google.com with a recent version of Firefox (both release and ESR).

Edited May 29, 2020 by Gabriele Svelto

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information