AddressSanitizer unknown-crash with glslangValidator.exe

Open JohannesKauffmann opened this issue 3 years ago • 0 comments

Originally reported as QTBUG-106100.

glslangValidator.exe crashes under AddressSanitizer on Windows with Visual Studio 17.2.6. Tested with current master (9e78bc8108a13d4d4ed860b2c5547092059ed83e).

Fragment shader used:

#version 440

layout(location = 0) in vec2 v_texcoord;
layout(location = 0) out vec4 fragColor;
layout(binding = 1) uniform sampler2D tex;

void main()
{
    fragColor = texture(tex, v_texcoord);
}

Steps to reproduce:

mkdir build && cd build
cmake -GNinja -DCMAKE_CXX_FLAGS="-fsanitize=address" ..
cmake --build .
.\StandAlone\glslangValidator.exe texture.frag

AddressSanitizer output:

=================================================================
==6516==ERROR: AddressSanitizer: unknown-crash on address 0x12ace669c20c at pc 0x7ff7e0535242 bp 0x006cb15edec0 sp 0x006cb15edec8
READ of size 1 at 0x12ace669c20c thread T0
    #0 0x7ff7e0535241 in glslang::TAllocation::checkGuardBlock(unsigned char *, unsigned char, char const *) const C:\Users\Johannes\source\repos\glslang\glslang\MachineIndependent\PoolAlloc.cpp:161
    #1 0x7ff7e0539cc4 in glslang::TAllocation::check(void) const C:\Users\Johannes\source\repos\glslang\glslang\Include\PoolAlloc.h:93
    #2 0x7ff7e05350ad in glslang::TAllocation::checkAllocList(void) const C:\Users\Johannes\source\repos\glslang\glslang\MachineIndependent\PoolAlloc.cpp:312
    #3 0x7ff7e0538910 in glslang::TPoolAllocator::tHeader::~tHeader(void) C:\Users\Johannes\source\repos\glslang\glslang\Include\PoolAlloc.h:199
    #4 0x7ff7e0538936 in glslang::TPoolAllocator::tHeader::`scalar deleting dtor'(unsigned int) C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.32.31326\include\vector:552
    #5 0x7ff7e05362c3 in glslang::TPoolAllocator::pop(void) C:\Users\Johannes\source\repos\glslang\glslang\MachineIndependent\PoolAlloc.cpp:209
    #6 0x7ff7e04de0af in ShCompile C:\Users\Johannes\source\repos\glslang\glslang\MachineIndependent\ShaderLang.cpp:1520
    #7 0x7ff7e02a41f5 in CompileFile(char const *, void *) C:\Users\Johannes\source\repos\glslang\StandAlone\StandAlone.cpp:1820
    #8 0x7ff7e02abf27 in CompileShaders(class glslang::TWorklist &) C:\Users\Johannes\source\repos\glslang\StandAlone\StandAlone.cpp:1156
    #9 0x7ff7e02b07ea in singleMain(void) C:\Users\Johannes\source\repos\glslang\StandAlone\StandAlone.cpp:1668
    #10 0x7ff7e02b0bcc in main C:\Users\Johannes\source\repos\glslang\StandAlone\StandAlone.cpp:1701
    #11 0x7ff7e09beb68 in invoke_main D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:78
    #12 0x7ff7e09beabd in __scrt_common_main_seh D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
    #13 0x7ff7e09be97d in __scrt_common_main D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:330
    #14 0x7ff7e09bebdd in mainCRTStartup D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_main.cpp:16
    #15 0x7ffd64a17033  (C:\Windows\System32\KERNEL32.DLL+0x180017033)
    #16 0x7ffd656c2650  (C:\Windows\SYSTEM32\ntdll.dll+0x180052650)

0x12ace669c20c is located 268 bytes inside of 8192-byte region [0x12ace669c100,0x12ace669e100)
allocated by thread T0 here:
    #0 0x7ff7e09bd843 in operator new[](unsigned __int64) D:\a\_work\1\s\src\vctools\crt\asan\llvm\compiler-rt\lib\asan\asan_win_new_array_thunk.cpp:42
    #1 0x7ff7e0536c9e in glslang::TPoolAllocator::allocate(unsigned __int64) C:\Users\Johannes\source\repos\glslang\glslang\MachineIndependent\PoolAlloc.cpp:291
    #2 0x7ff7e0412814 in glslang::pool_allocator<char>::allocate(unsigned __int64) C:\Users\Johannes\source\repos\glslang\glslang\Include\PoolAlloc.h:288
    #3 0x7ff7e03796e7 in std::basic_string<char, struct std::char_traits<char>, class glslang::pool_allocator<char>>::_Reallocate_for<class <lambda_d2a8c8c63c9b0078c7d1ac183d48c7d6>, char const *>(unsigned __int64, class <lambda_d2a8c8c63c9b0078c7d1ac183d48c7d6>, char const *) C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.32.31326\include\xstring:4530
    #4 0x7ff7e0412fbb in std::basic_string<char, struct std::char_traits<char>, class glslang::pool_allocator<char>>::assign(char const *const, unsigned __int64) C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.32.31326\include\xstring:3248
    #5 0x7ff7e0412c71 in std::basic_string<char, struct std::char_traits<char>, class glslang::pool_allocator<char>>::assign(char const *const) C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.32.31326\include\xstring:3258
    #6 0x7ff7e03a0ed9 in std::basic_string<char, struct std::char_traits<char>, class glslang::pool_allocator<char>>::basic_string<char, struct std::char_traits<char>, class glslang::pool_allocator<char>>(char const *const) C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.32.31326\include\xstring:2536
    #7 0x7ff7e05a10f3 in glslang::TParseVersions::getExtensionBehavior(char const *) C:\Users\Johannes\source\repos\glslang\glslang\MachineIndependent\Versions.cpp:871
    #8 0x7ff7e05a1332 in glslang::TParseVersions::extensionTurnedOn(char const *const) C:\Users\Johannes\source\repos\glslang\glslang\MachineIndependent\Versions.cpp:881
    #9 0x7ff7e069a0ec in glslang::TParseContext::findFunction(struct glslang::TSourceLoc const &, class glslang::TFunction const &, bool &) C:\Users\Johannes\source\repos\glslang\glslang\MachineIndependent\ParseHelper.cpp:6710
    #10 0x7ff7e0663975 in glslang::TParseContext::handleFunctionCall(struct glslang::TSourceLoc const &, class glslang::TFunction *, class TIntermNode *) C:\Users\Johannes\source\repos\glslang\glslang\MachineIndependent\ParseHelper.cpp:1335
    #11 0x7ff7e0924a84 in yyparse(class glslang::TParseContext *) C:\Users\Johannes\source\repos\glslang\build\MachineIndependent\glslang.y:494
    #12 0x7ff7e0655628 in glslang::TParseContext::parseShaderStrings(class glslang::TPpContext &, class glslang::TInputScanner &, bool) C:\Users\Johannes\source\repos\glslang\glslang\MachineIndependent\ParseHelper.cpp:209
    #13 0x7ff7e04ec64f in `anonymous namespace'::DoFullParse::operator() C:\Users\Johannes\source\repos\glslang\glslang\MachineIndependent\ShaderLang.cpp:1240
    #14 0x7ff7e04f33b6 in `anonymous namespace'::ProcessDeferred<`anonymous namespace'::DoFullParse> C:\Users\Johannes\source\repos\glslang\glslang\MachineIndependent\ShaderLang.cpp:1023
    #15 0x7ff7e04ecc24 in `anonymous namespace'::CompileDeferred C:\Users\Johannes\source\repos\glslang\glslang\MachineIndependent\ShaderLang.cpp:1331
    #16 0x7ff7e04ddfb5 in ShCompile C:\Users\Johannes\source\repos\glslang\glslang\MachineIndependent\ShaderLang.cpp:1506
    #17 0x7ff7e02a41f5 in CompileFile(char const *, void *) C:\Users\Johannes\source\repos\glslang\StandAlone\StandAlone.cpp:1820
    #18 0x7ff7e02abf27 in CompileShaders(class glslang::TWorklist &) C:\Users\Johannes\source\repos\glslang\StandAlone\StandAlone.cpp:1156
    #19 0x7ff7e02b07ea in singleMain(void) C:\Users\Johannes\source\repos\glslang\StandAlone\StandAlone.cpp:1668
    #20 0x7ff7e02b0bcc in main C:\Users\Johannes\source\repos\glslang\StandAlone\StandAlone.cpp:1701
    #21 0x7ff7e09beb68 in invoke_main D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:78
    #22 0x7ff7e09beabd in __scrt_common_main_seh D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
    #23 0x7ff7e09be97d in __scrt_common_main D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:330
    #24 0x7ff7e09bebdd in mainCRTStartup D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_main.cpp:16
    #25 0x7ffd64a17033  (C:\Windows\System32\KERNEL32.DLL+0x180017033)
    #26 0x7ffd656c2650  (C:\Windows\SYSTEM32\ntdll.dll+0x180052650)

SUMMARY: AddressSanitizer: unknown-crash C:\Users\Johannes\source\repos\glslang\glslang\MachineIndependent\PoolAlloc.cpp:161 in glslang::TAllocation::checkGuardBlock(unsigned char *, unsigned char, char const *) const
Shadow bytes around the buggy address:
  0x04b8807537f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x04b880753800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x04b880753810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x04b880753820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x04b880753830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x04b880753840: 00[04]00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x04b880753850: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x04b880753860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x04b880753870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x04b880753880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x04b880753890: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==6516==ABORTING

JohannesKauffmann, Aug 31 '22 20:08
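Added triage example, not part of the issue or of glslang: a small decoder for the report above. It reads the faulting address, the "is located ... inside of" line and the "=>" shadow row, and shows that the 1-byte read lands on byte 4 of an 8-byte granule of which only the first 4 bytes are addressable (shadow 04). Because the following granule is plain addressable memory (00), ASan has no redzone type to attribute the poisoning to, which is why it reports unknown-crash rather than a heap-buffer-overflow. The excerpt is a constructed subset of the report's own lines.

```python
"""Decode the faulting granule of an AddressSanitizer report (example, not glslang code)."""
import re

# Constructed excerpt: the lines of the report above that the decoder needs.
ASAN_EXCERPT = """\
==6516==ERROR: AddressSanitizer: unknown-crash on address 0x12ace669c20c at pc 0x7ff7e0535242
READ of size 1 at 0x12ace669c20c thread T0
0x12ace669c20c is located 268 bytes inside of 8192-byte region [0x12ace669c100,0x12ace669e100)
=>0x04b880753840: 00[04]00 00 00 00 00 00 00 00 00 00 00 00 00 00
"""

GRANULE = 8  # one shadow byte describes 8 application bytes

# Redzone magic -> bug kind, as in ASan's classification (values match the
# legend ASan prints at the end of every report).
REDZONE_KIND = {
    0xfa: "heap-buffer-overflow", 0xac: "heap-buffer-overflow",
    0xfd: "heap-use-after-free", 0xf1: "stack-buffer-underflow",
    0xf2: "stack-buffer-overflow", 0xf3: "stack-buffer-overflow",
    0xf5: "stack-use-after-return", 0xf8: "stack-use-after-scope",
    0xf9: "global-buffer-overflow", 0xfc: "container-overflow",
    0xf7: "use-after-poison", 0xbb: "intra-object-overflow",
    0xca: "dynamic-stack-buffer-overflow", 0xcb: "dynamic-stack-buffer-overflow",
}


def classify(shadow, next_shadow):
    """Bug kind ASan derives from the hit granule's shadow byte.

    A partially addressable granule (0x01..0x07) says nothing about *why* the
    rest is poisoned, so ASan looks at the following granule; if that one is
    plain addressable memory (0x00) nothing matches and it reports unknown-crash.
    """
    if 0 < shadow < GRANULE:
        return REDZONE_KIND.get(next_shadow, "unknown-crash")
    return REDZONE_KIND.get(shadow, "unknown-crash")


def decode(report):
    m = re.search(r"(READ|WRITE) of size (\d+) at 0x([0-9a-f]+)", report)
    access, size, addr = m.group(1), int(m.group(2)), int(m.group(3), 16)
    r = re.search(r"located (\d+) bytes inside of (\d+)-byte region", report)
    offset, region_size = int(r.group(1)), int(r.group(2))
    row = re.search(r"=>0x[0-9a-f]+:(.*)", report).group(1)
    toks = re.findall(r"\[?[0-9a-f]{2}\]?", row)  # "[04]" marks the hit granule
    hit = next(i for i, t in enumerate(toks) if t.startswith("["))
    shadow = int(toks[hit].strip("[]"), 16)
    next_shadow = int(toks[hit + 1].strip("[]"), 16) if hit + 1 < len(toks) else None
    index = addr % GRANULE  # byte position of the access inside its granule
    addressable = GRANULE if shadow == 0 else (shadow if shadow < GRANULE else 0)
    return {
        "access": access, "size": size, "offset": offset, "region_size": region_size,
        "granule_index": index, "addressable_bytes": addressable,
        "poisoned": index + size > addressable,  # access touches a poisoned byte
        "kind": classify(shadow, next_shadow),
    }
```

The decoder covers the common single-granule case; ASan's extra rule for accesses wider than one granule is left out.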