[Bug 32297] [r300g] Memory corruption crash when exiting application using DRI2_InvalidateBuffers

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Wed Jan 5 16:40:23 PST 2011


https://bugs.freedesktop.org/show_bug.cgi?id=32297

--- Comment #4 from Chris Rankin <rankincj at googlemail.com> 2011-01-05 16:40:23 PST ---
I think I've debugged this as far as I can; to get any further I'll need to
find where the __DRIcontext.driverPrivate field is set to the "garbage"(?)
value.

According to the fprintf() statements that I've littered throughout the
Mesa/gallium code, where:

&__DRIcontext = 0x7d6f8d70
&struct dri_context = 0x7d13c4f0

Starting just before the crash:

** ENTER dri2_destroy_context: pcp->driContext=0x7d6f8d70,
pcp->driContext->driverPrivate=0x7d13c4f0
** destroying dri_context 0x7d13c4f0
*** setting cPriv(0x7d6f8d70)->driverPrivate from 0x7d13c4f0 to NULL
** DONE dri2_destroy_context: pcp->driContext=0x7d6f8d70,
pcp->driContext->driverPrivate=(nil)

So at this point, we have destroyed the dri_context at 0x7d13c4f0, and for good
measure I have also explicitly NULLed out the __DRIcontext.driverPrivate field
which referred to it. However, we then get this call to DRI2WireToEvent(),
which triggers the fatal call to dri2InvalidateBuffers():

** ENTER DRI2WireToEvent
*** wire->u.u.type=0x4b
dri2 invalidate buffers: awire=0x7a56b4c8, awire->drawable=0x4800011
** ENTER dri2GetGlxDrawableFromXDrawableId
** found pdraw=0x7d775bd8 for drawable 0x4800011: cPriv=0x7d6f8d70,
driverPrivate=0x7a5047a8
** ENTER dri2InvalidateBuffers: pdp->driDrawable->driContextPriv=0x7d6f8d70
** drawable IDs: 0x4800011 0x7d775c78
dri2_invalidate_drawable: dPriv=0x7d775c78, dPriv->driContextPriv=0x7d6f8d70,
drawable=0x7d775cf8, ctx=0x7a5047a8, drawable->dPriv=0x7d775c78
wine: Unhandled page fault on read access to 0x0000003c at address 0x7d9710df
(thread 000d), starting debugger...

This event fetches a struct dri2_drawable from the dri2Hash structure, which is
linked to the __DRIcontext at 0x7d6f8d70 via driDrawable->driContextPriv.
However, the driverPrivate field on this __DRIcontext structure is now set to
0x7a5047a8, which is a garbage value as far as I can tell. Chaos ensues when
this value is mistaken for the address of a struct dri_context.

Interestingly, this problem actually DOES happen when WoW runs full-screen.
However, the Wine debugger isn't started to tell me about it.

If anyone has any ideas on how to debug this further then I'm all ears. I've
already tried using valgrind, but wine/WoW completely failed to run.



More information about the dri-devel mailing list
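
The cross-check done by eye in the comment above, automated as an added example (not part of the original comment or of Mesa): it replays the fprintf() trace and flags any point where a context's driverPrivate is observed holding a value that no logged write produced. The regexes assume the ad-hoc trace format shown in the comment, and the function name `find_unlogged_writes` is hypothetical.

```python
import re

# Trace lines copied from the comment above, with the mail's line wrapping undone.
TRACE = """\
** ENTER dri2_destroy_context: pcp->driContext=0x7d6f8d70, pcp->driContext->driverPrivate=0x7d13c4f0
** destroying dri_context 0x7d13c4f0
*** setting cPriv(0x7d6f8d70)->driverPrivate from 0x7d13c4f0 to NULL
** DONE dri2_destroy_context: pcp->driContext=0x7d6f8d70, pcp->driContext->driverPrivate=(nil)
** ENTER DRI2WireToEvent
** found pdraw=0x7d775bd8 for drawable 0x4800011: cPriv=0x7d6f8d70, driverPrivate=0x7a5047a8
"""

PTR = r"(0x[0-9a-f]+|\(nil\)|NULL)"
# A logged store to the field: "setting cPriv(A)->driverPrivate from X to Y"
WRITE = re.compile(r"setting cPriv\((0x[0-9a-f]+)\)->driverPrivate from " + PTR + " to " + PTR)
# A logged read of the field: "<driContext|cPriv>=A, [...]driverPrivate=V"
READ = re.compile(r"(?:driContext|cPriv)=(0x[0-9a-f]+), (?:pcp->driContext->)?driverPrivate=" + PTR)


def norm(ptr):
    """Map the printed pointer forms to an integer; NULL and (nil) become 0."""
    return 0 if ptr in ("(nil)", "NULL") else int(ptr, 16)


def find_unlogged_writes(trace):
    """Return (line, context, expected, observed) wherever the trace shows a
    driverPrivate value that differs from the last logged read or write."""
    known = {}      # context address -> last driverPrivate value we know of
    findings = []
    for lineno, line in enumerate(trace.splitlines(), 1):
        w = WRITE.search(line)
        r = None if w else READ.search(line)
        if w:
            ctx, seen, new = int(w.group(1), 16), norm(w.group(2)), norm(w.group(3))
        elif r:
            ctx = int(r.group(1), 16)
            seen = new = norm(r.group(2))
        else:
            continue
        if ctx in known and known[ctx] != seen:
            findings.append((lineno, ctx, known[ctx], seen))
        known[ctx] = new
    return findings


if __name__ == "__main__":
    for lineno, ctx, expected, observed in find_unlogged_writes(TRACE):
        print(f"line {lineno}: context {ctx:#x} driverPrivate expected "
              f"{expected:#x}, observed {observed:#x} (no logged write)")
```

Each finding bounds the window, between two trace lines, in which the field changed without a logged write.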