[Bug 104376] [ILK] Browser crashes while switching between fullscreen and windowed video on youtube.

Wed Jan 10 09:41:25 UTC 2018

https://bugs.freedesktop.org/show_bug.cgi?id=104376

--- Comment #11 from Evangelos Foutras <evangelos at foutrelis.com> ---
Apparently this issue isn't specific to the i965 driver; I can also repro with
r600g. To my untrained eye it seems there is a race caused by
dri3_handle_present_event() freeing buffers without taking "buf->pixmap ==
ie->pixmap" into account after commit 15e208c4cc. [1]

What's interesting, besides the double free shown below, is that I don't see
the "dri3_handle_present_event() ..." lines from [2a] if I enable Xfce's
compositor. This might be why you Mesa devs are unable to repro these crashes;
please try with display compositing disabled.

[1] https://cgit.freedesktop.org/mesa/mesa/commit/?id=15e208c4cc

[2a] test run with printf()s run indicating dri3_free_render_buffer() is called
on the same buffer twice
============================================
$ mpv --really-quiet bunny.mp4 
dri3_get_buffer() freeing buffer = 0x7f8ef43fcc20; draw->buffers[buf_id] =
0x7f8ef43fcc20
dri3_get_buffer() freeing buffer = 0x7f8ef44d88e0; draw->buffers[buf_id] =
0x7f8ef44d88e0
dri3_get_buffer() freeing buffer = 0x7f8ef4483b40; draw->buffers[buf_id] =
0x7f8ef4483b40
dri3_get_buffer() freeing buffer = 0x7f8ef42e1ac0; draw->buffers[buf_id] =
0x7f8ef42e1ac0
dri3_handle_present_event() freed 0x7f8ef44d4b60
dri3_get_buffer() freeing buffer = 0x7f8ef44ceb20; draw->buffers[buf_id] =
0x7f8ef44ceb20
dri3_get_buffer() freeing buffer = 0x7f8ef42e1ac0; draw->buffers[buf_id] =
0x7f8ef42e1ac0
dri3_get_buffer() freeing buffer = 0x7f8ef44d9800; draw->buffers[buf_id] =
0x7f8ef44d9800
dri3_get_buffer() freeing buffer = 0x7f8ef44d16e0; draw->buffers[buf_id] =
0x7f8ef44d16e0
dri3_handle_present_event() freed 0x7f8ef44d9560
dri3_get_buffer() freeing buffer = 0x7f8ef44d9560; draw->buffers[buf_id] =
(nil)
Segmentation fault (core dumped)
============================================

[2b] debugging printf()s
============================================

diff --git a/src/loader/loader_dri3_helper.c b/src/loader/loader_dri3_helper.c
index 7e6b8b2e05..edfcea8ef7 100644
--- a/src/loader/loader_dri3_helper.c
+++ b/src/loader/loader_dri3_helper.c
@@ -24,6 +24,7 @@
 #include <fcntl.h>
 #include <stdlib.h>
 #include <unistd.h>
+#include <stdio.h>

 #include <X11/xshmfence.h>
 #include <xcb/xcb.h>
@@ -405,6 +406,7 @@ dri3_handle_present_event(struct loader_dri3_drawable
*draw,
              draw->cur_blit_source != b) {
             dri3_free_render_buffer(draw, buf);
             draw->buffers[b] = NULL;
+            fprintf(stderr, "dri3_handle_present_event() freed %p\n", buf);
          }
       }
       break;
@@ -1435,6 +1437,8 @@ dri3_get_buffer(__DRIdrawable *driDrawable,
                            draw->width, draw->height);
             dri3_fence_trigger(draw->conn, new_buffer);
          }
+         fprintf(stderr, "dri3_get_buffer() freeing buffer = %p;
draw->buffers[buf_id] = %p\n",
+            buffer, draw->buffers[buf_id]);
          dri3_free_render_buffer(draw, buffer);
       } else if (buffer_type == loader_dri3_buffer_front) {
          /* Fill the new fake front with data from a real front */
============================================

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/intel-3d-bugs/attachments/20180110/885f73b5/attachment.html>
