llvmpipe use-after-free
I tried throwing ASan at an llvmpipe CI crash to try to debug my MR, and got a pre-existing use-after-free instead:
--deqp-case=dEQP-GLES31.functional.primitive_bounding_box.wide_points.global_state.vertex_tessellation_geometry_fragment.default_framebuffer_bbox_larger,dEQP-GLES31.functional.copy_image.non_compressed.viewclass_128_bits.rgba32ui_rgba32ui.texture2d_to_renderbuffer
Writing test log into /home/anholt/TestResults.qpa
dEQP Core git-39e5966401d69eba352d71404827230b90d3063b (0x39e59664) starting..
target implementation = 'Surfaceless'
Test case 'dEQP-GLES31.functional.primitive_bounding_box.wide_points.global_state.vertex_tessellation_geometry_fragment.default_framebuffer_bbox_larger'..
Pass (Pass)
Test case 'dEQP-GLES31.functional.copy_image.non_compressed.viewclass_128_bits.rgba32ui_rgba32ui.texture2d_to_renderbuffer'..
=================================================================
==2156026==ERROR: AddressSanitizer: heap-use-after-free on address 0x6130000853c0 at pc 0x7f199d31e983 bp 0x7ffee9be72e0 sp 0x7ffee9be6a90
READ of size 32 at 0x6130000853c0 thread T0
#0 0x7f199d31e982 in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:806
#1 0x7f1998470f08 in try_update_scene_state ../src/gallium/drivers/llvmpipe/lp_setup.c:1296
#2 0x7f19984725ca in begin_binning ../src/gallium/drivers/llvmpipe/lp_setup.c:228
#3 0x7f19984739b7 in execute_clears ../src/gallium/drivers/llvmpipe/lp_setup.c:300
#4 0x7f19984739b7 in set_scene_state ../src/gallium/drivers/llvmpipe/lp_setup.c:348
#5 0x7f1998474d83 in lp_setup_bind_framebuffer ../src/gallium/drivers/llvmpipe/lp_setup.c:398
#6 0x7f19984e8064 in llvmpipe_set_framebuffer_state ../src/gallium/drivers/llvmpipe/lp_state_surface.c:100
#7 0x7f1996f5a60f in st_update_framebuffer_state ../src/mesa/state_tracker/st_atom_framebuffer.c:207
#8 0x7f1996f503ca in st_validate_state ../src/mesa/state_tracker/st_atom.c:262
#9 0x7f1996faa21c in prepare_draw ../src/mesa/state_tracker/st_draw.c:104
#10 0x7f1996fab6f2 in st_draw_gallium ../src/mesa/state_tracker/st_draw.c:182
#11 0x7f19972fa844 in _mesa_validated_drawrangeelements ../src/mesa/main/draw.c:1790
#12 0x7f1997300b32 in _mesa_DrawElements ../src/mesa/main/draw.c:1923
#13 0x564aa5d76335 in drawIndexed /home/anholt/src/VK-GL-CTS/framework/opengl/gluDrawUtil.cpp:490
#14 0x564aa5d76335 in glu::drawFromBuffers(glu::RenderContext const&, unsigned int, int, glu::VertexArrayBinding const*, glu::PrimitiveList const&, glu::DrawUtilCallback*) /home/anholt/src/VK-GL-CTS/framework/opengl/gluDrawUtil.cpp:556
#15 0x564aa5d767c8 in glu::drawFromVAOBuffers(glu::RenderContext const&, unsigned int, int, glu::VertexArrayBinding const*, glu::PrimitiveList const&, glu::DrawUtilCallback*) /home/anholt/src/VK-GL-CTS/framework/opengl/gluDrawUtil.cpp:586
#16 0x564aa5d1646a in deqp::gls::TextureTestUtil::TextureRenderer::renderQuad(int, float const*, glu::TextureTestUtil::RenderParams const&) /home/anholt/src/VK-GL-CTS/modules/glshared/glsTextureTestUtil.cpp:479
#17 0x564aa5b10c0a in renderTexture<tcu::Texture2DView> /home/anholt/src/VK-GL-CTS/modules/gles31/functional/es31fCopyImageTests.cpp:1176
#18 0x564aa5b10c0a in renderTexture2DView /home/anholt/src/VK-GL-CTS/modules/gles31/functional/es31fCopyImageTests.cpp:1255
#19 0x564aa5b1a50a in renderTexture2D /home/anholt/src/VK-GL-CTS/modules/gles31/functional/es31fCopyImageTests.cpp:1340
#20 0x564aa5b1a50a in render /home/anholt/src/VK-GL-CTS/modules/gles31/functional/es31fCopyImageTests.cpp:1744
#21 0x564aa5b1b79f in renderSourceIter /home/anholt/src/VK-GL-CTS/modules/gles31/functional/es31fCopyImageTests.cpp:2044
#22 0x564aa5b0c8da in iterate /home/anholt/src/VK-GL-CTS/modules/gles31/functional/es31fCopyImageTests.cpp:2273
#23 0x564aa56cf346 in deqp::gles31::TestCaseWrapper<deqp::gles31::TestPackage>::iterate(tcu::TestCase*) /home/anholt/src/VK-GL-CTS/modules/gles31/tes31TestCaseWrapper.hpp:86
#24 0x564aa5e885cb in tcu::TestSessionExecutor::iterateTestCase(tcu::TestCase*) /home/anholt/src/VK-GL-CTS/framework/common/tcuTestSessionExecutor.cpp:302
#25 0x564aa5e88637 in tcu::TestSessionExecutor::iterate() /home/anholt/src/VK-GL-CTS/framework/common/tcuTestSessionExecutor.cpp:139
#26 0x564aa5e5be18 in tcu::App::iterate() /home/anholt/src/VK-GL-CTS/framework/common/tcuApp.cpp:173
#27 0x564aa56cb4a6 in main /home/anholt/src/VK-GL-CTS/framework/platform/tcuMain.cpp:58
#28 0x7f199cd6ad09 in __libc_start_main ../csu/libc-start.c:308
#29 0x564aa56cb219 in _start (/home/anholt/src/VK-GL-CTS-build/modules/gles31/deqp-gles31+0x267219)
0x6130000853c0 is located 0 bytes inside of 364-byte region [0x6130000853c0,0x61300008552c)
freed by thread T0 here:
#0 0x7f199d38eb6f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:123
#1 0x7f19970ae5a1 in _mesa_free_parameter_list ../src/mesa/program/prog_parameter.c:182
#2 0x7f19970b345d in _mesa_delete_program ../src/mesa/program/program.c:259
#3 0x7f19970b3761 in _mesa_reference_program_ ../src/mesa/program/program.c:329
#4 0x7f1996f54124 in _mesa_reference_program ../src/mesa/program/program.h:90
#5 0x7f1996f54124 in st_reference_prog ../src/mesa/state_tracker/st_program.h:303
#6 0x7f1996f54124 in st_update_fp ../src/mesa/state_tracker/st_atom_shader.c:192
#7 0x7f1996f503ca in st_validate_state ../src/mesa/state_tracker/st_atom.c:262
#8 0x7f1996faa21c in prepare_draw ../src/mesa/state_tracker/st_draw.c:104
#9 0x7f1996fab6f2 in st_draw_gallium ../src/mesa/state_tracker/st_draw.c:182
#10 0x7f19972fa844 in _mesa_validated_drawrangeelements ../src/mesa/main/draw.c:1790
#11 0x7f1997300b32 in _mesa_DrawElements ../src/mesa/main/draw.c:1923
#12 0x564aa5d76335 in drawIndexed /home/anholt/src/VK-GL-CTS/framework/opengl/gluDrawUtil.cpp:490
#13 0x564aa5d76335 in glu::drawFromBuffers(glu::RenderContext const&, unsigned int, int, glu::VertexArrayBinding const*, glu::PrimitiveList const&, glu::DrawUtilCallback*) /home/anholt/src/VK-GL-CTS/framework/opengl/gluDrawUtil.cpp:556
#14 0x564aa5d767c8 in glu::drawFromVAOBuffers(glu::RenderContext const&, unsigned int, int, glu::VertexArrayBinding const*, glu::PrimitiveList const&, glu::DrawUtilCallback*) /home/anholt/src/VK-GL-CTS/framework/opengl/gluDrawUtil.cpp:586
#15 0x564aa5d1646a in deqp::gls::TextureTestUtil::TextureRenderer::renderQuad(int, float const*, glu::TextureTestUtil::RenderParams const&) /home/anholt/src/VK-GL-CTS/modules/glshared/glsTextureTestUtil.cpp:479
#16 0x564aa5b10c0a in renderTexture<tcu::Texture2DView> /home/anholt/src/VK-GL-CTS/modules/gles31/functional/es31fCopyImageTests.cpp:1176
#17 0x564aa5b10c0a in renderTexture2DView /home/anholt/src/VK-GL-CTS/modules/gles31/functional/es31fCopyImageTests.cpp:1255
#18 0x564aa5b1a50a in renderTexture2D /home/anholt/src/VK-GL-CTS/modules/gles31/functional/es31fCopyImageTests.cpp:1340
#19 0x564aa5b1a50a in render /home/anholt/src/VK-GL-CTS/modules/gles31/functional/es31fCopyImageTests.cpp:1744
#20 0x564aa5b1b79f in renderSourceIter /home/anholt/src/VK-GL-CTS/modules/gles31/functional/es31fCopyImageTests.cpp:2044
#21 0x564aa5b0c8da in iterate /home/anholt/src/VK-GL-CTS/modules/gles31/functional/es31fCopyImageTests.cpp:2273
#22 0x564aa56cf346 in deqp::gles31::TestCaseWrapper<deqp::gles31::TestPackage>::iterate(tcu::TestCase*) /home/anholt/src/VK-GL-CTS/modules/gles31/tes31TestCaseWrapper.hpp:86
#23 0x564aa5e885cb in tcu::TestSessionExecutor::iterateTestCase(tcu::TestCase*) /home/anholt/src/VK-GL-CTS/framework/common/tcuTestSessionExecutor.cpp:302
#24 0x564aa5e88637 in tcu::TestSessionExecutor::iterate() /home/anholt/src/VK-GL-CTS/framework/common/tcuTestSessionExecutor.cpp:139
#25 0x564aa5e5be18 in tcu::App::iterate() /home/anholt/src/VK-GL-CTS/framework/common/tcuApp.cpp:173
#26 0x564aa56cb4a6 in main /home/anholt/src/VK-GL-CTS/framework/platform/tcuMain.cpp:58
#27 0x7f199cd6ad09 in __libc_start_main ../csu/libc-start.c:308
previously allocated by thread T0 here:
#0 0x7f199d38fa3c in __interceptor_posix_memalign ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:226
#1 0x7f19970ae8a8 in os_malloc_aligned ../src/util/os_memory_aligned.h:58
#2 0x7f19970ae8a8 in os_realloc_aligned ../src/util/os_memory_aligned.h:121
#3 0x7f19970ae8a8 in _mesa_reserve_parameter_storage ../src/mesa/program/prog_parameter.c:227
#4 0x7f19970a4cbd in _mesa_ensure_and_associate_uniform_storage ../src/mesa/program/ir_to_mesa.cpp:2628
#5 0x7f1996fced6f in st_glsl_to_nir_post_opts ../src/mesa/state_tracker/st_glsl_to_nir.cpp:510
#6 0x7f1996fd3d57 in st_link_nir ../src/mesa/state_tracker/st_glsl_to_nir.cpp:890
#7 0x7f19970a5060 in _mesa_glsl_link_shader ../src/mesa/program/ir_to_mesa.cpp:3143
#8 0x7f19976c716f in link_program ../src/mesa/main/shaderapi.c:1353
#9 0x7f19976c716f in link_program_error ../src/mesa/main/shaderapi.c:1464
#10 0x564aa5d7c55c in glu::Program::link() /home/anholt/src/VK-GL-CTS/framework/opengl/gluShaderProgram.cpp:295
#11 0x564aa5d7d748 in glu::ShaderProgram::init(glw::Functions const&, glu::ProgramSources const&) /home/anholt/src/VK-GL-CTS/framework/opengl/gluShaderProgram.cpp:437
#12 0x564aa5d7d8b7 in glu::ShaderProgram::ShaderProgram(glu::RenderContext const&, glu::ProgramSources const&) /home/anholt/src/VK-GL-CTS/framework/opengl/gluShaderProgram.cpp:371
#13 0x564aa5b00328 in init /home/anholt/src/VK-GL-CTS/modules/gles31/functional/es31fPrimitiveBoundingBoxTests.cpp:691
#14 0x564aa5e88582 in tcu::TestSessionExecutor::enterTestCase(tcu::TestCase*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/anholt/src/VK-GL-CTS/framework/common/tcuTestSessionExecutor.cpp:209
#15 0x564aa5e886db in tcu::TestSessionExecutor::iterate() /home/anholt/src/VK-GL-CTS/framework/common/tcuTestSessionExecutor.cpp:107
#16 0x564aa5e5be18 in tcu::App::iterate() /home/anholt/src/VK-GL-CTS/framework/common/tcuApp.cpp:173
#17 0x564aa56cb4a6 in main /home/anholt/src/VK-GL-CTS/framework/platform/tcuMain.cpp:58
#18 0x7f199cd6ad09 in __libc_start_main ../csu/libc-start.c:308
SUMMARY: AddressSanitizer: heap-use-after-free ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:806 in __interceptor_memcpy
Shadow bytes around the buggy address:
0x0c2680008a20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2680008a30: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa
0x0c2680008a40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2680008a50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2680008a60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
=>0x0c2680008a70: fa fa fa fa fa fa fa fa[fd]fd fd fd fd fd fd fd
0x0c2680008a80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2680008a90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2680008aa0: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa
0x0c2680008ab0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2680008ac0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==2156026==ABORTING