[Nouveau] [Bug 75279] XCloseDisplay() takes one minute around nouveau_dri.so, freezing Firefox startup

Wed Mar 5 12:46:25 PST 2014

https://bugs.freedesktop.org/show_bug.cgi?id=75279

--- Comment #35 from Ilia Mirkin <imirkin at alum.mit.edu> ---
(In reply to comment #33)
> The stack to the free() points to line 203 here, while the stack to where
> the free'd data is subsequently used points to line 205 here:
> 
> http://cgit.freedesktop.org/mesa/mesa/tree/src/gallium/drivers/nouveau/
> nouveau_fence.c?id=ce6dd69697ae62d9336bbd4f5808bc4d75cdcc04#n203
> 
> 
>    if (fence == screen->fence.current)
>       nouveau_fence_next(screen);
> 
>    do {
>       nouveau_fence_update(screen, FALSE);  // <--- free here!
> 
>       if (fence->state == NOUVEAU_FENCE_STATE_SIGNALLED) // <--
> use-after-free
>          return TRUE;
> 
> 
> So it seems like nouveau_fence_update (which was apparently inlined)
> destroys the fence object... do you need to call nouveau_fence_ref() to keep
> it alive?

This code is rather confusing. You have to keep in mind how it's used, which
among other things is from the kick handler. I tried to fix it up with

http://cgit.freedesktop.org/mesa/mesa/commit/?id=ce6dd69697ae62d9336bbd4f5808bc4d75cdcc04

But I guess it was insufficient? I have an odd recollection that I felt like
the stuff in the context destroy was suspect, but I don't remember how. Since
it wasn't directly related to my problem, I left it alone (esp since I was
going under the assumption that it would only be triggered on exit, in which
case it's harder to care). Unfortunately it was a long enough time ago that
I've lost my context on this. I'm guessing that the key here is that there are
multiple contexts and one screen. (Someone should confirm that to be the case.)

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freedesktop.org/archives/nouveau/attachments/20140305/78cefd00/attachment.html>