Use-after-free crash in nv50_ir::GCRA::RIG_Node::init()
System information
At Mozilla we've detected a series of use-after-free crashes happening in the nouveau driver when using cards from the Tesla family. This is happening on a wide range of hardware on Debian, Ubuntu and Linux Mint. The crash seems to affect Mesa versions ranging from 18.3.6.0 to 20.0.6.0.
Describe the issue
A complete stack trace of the crash including register contents and line numbers can be found here:
https://crash-stats.mozilla.org/report/index/8f1b9cf2-8fdd-41b8-a949-bd7ed0200529
The first ten frames of the stack look like this:
0 nv50_ir::GCRA::RIG_Node::init(nv50_ir::RegisterSet const&, nv50_ir::LValue*)
1 nv50_ir::GCRA::allocateRegisters(nv50_ir::ArrayList&)
2 nv50_ir::RegAlloc::execFunc()
3 nv50_ir::RegAlloc::exec()
4 nv50_ir::Program::registerAllocation()
5 nv50_ir_generate_code()
6 nv50_program_translate()
7 nv50_sp_state_create()
8 st_create_fp_variant()
9 st_get_fp_variant()
10 st_finalize_program()
The crash seems to have been triggered by an access from the rdi register, which contains the poison pattern we use in Firefox to detect free()'d objects. I might be able to track down the variable corresponding to that register and I'll add a comment later if I do.
Regression
We have reports for this crash starting with Mesa 18.3.6.0, but a very similar issue goes all the way back to 13.0.6.0; here's the corresponding crash report:
https://crash-stats.mozilla.org/report/index/429e8137-8931-419e-9824-67e300200508
Any extra information would be greatly appreciated
Most users that experienced this crash hit it by visiting https://store.google.com with a recent version of Firefox (both release and ESR).