<html> <head> <base href="https://bugs.freedesktop.org/"> </head> <body> <div> <a class="bz_bug_link bz_status_NEEDINFO " title="NEEDINFO - [ILK] Browser crashes while switching between fullscreen and windowed video on youtube." href="https://bugs.freedesktop.org/show_bug.cgi?id=104376#c11">Comment # 11</a> on <a class="bz_bug_link bz_status_NEEDINFO " title="NEEDINFO - [ILK] Browser crashes while switching between fullscreen and windowed video on youtube." href="https://bugs.freedesktop.org/show_bug.cgi?id=104376">bug 104376</a> from <a class="email" href="mailto:evangelos@foutrelis.com" title="Evangelos Foutras <evangelos@foutrelis.com>"> Evangelos Foutras</a> <pre>Apparently this issue isn't specific to the i965 driver; I can also repro with r600g. To my untrained eye it seems there is a race caused by dri3_handle_present_event() freeing buffers without taking "buf->pixmap == ie->pixmap" into account after commit 15e208c4cc. [1] What's interesting, besides the double free shown below, is that I don't see the "dri3_handle_present_event() ..." lines from [2a] if I enable Xfce's compositor. This might be why you Mesa devs are unable to repro these crashes; please try with display compositing disabled. [1] <a href="https://cgit.freedesktop.org/mesa/mesa/commit/?id=15e208c4cc">https://cgit.freedesktop.org/mesa/mesa/commit/?id=15e208c4cc</a> [2a] test run with printf()s run indicating dri3_free_render_buffer() is called on the same buffer twice ============================================ $ mpv --really-quiet bunny.mp4 dri3_get_buffer() freeing buffer = 0x7f8ef43fcc20; draw->buffers[buf_id] = 0x7f8ef43fcc20 dri3_get_buffer() freeing buffer = 0x7f8ef44d88e0; draw->buffers[buf_id] = 0x7f8ef44d88e0 dri3_get_buffer() freeing buffer = 0x7f8ef4483b40; draw->buffers[buf_id] = 0x7f8ef4483b40 dri3_get_buffer() freeing buffer = 0x7f8ef42e1ac0; draw->buffers[buf_id] = 0x7f8ef42e1ac0 dri3_handle_present_event() freed 0x7f8ef44d4b60 dri3_get_buffer() freeing buffer = 0x7f8ef44ceb20; draw->buffers[buf_id] = 0x7f8ef44ceb20 dri3_get_buffer() freeing buffer = 0x7f8ef42e1ac0; draw->buffers[buf_id] = 0x7f8ef42e1ac0 dri3_get_buffer() freeing buffer = 0x7f8ef44d9800; draw->buffers[buf_id] = 0x7f8ef44d9800 dri3_get_buffer() freeing buffer = 0x7f8ef44d16e0; draw->buffers[buf_id] = 0x7f8ef44d16e0 dri3_handle_present_event() freed 0x7f8ef44d9560 dri3_get_buffer() freeing buffer = 0x7f8ef44d9560; draw->buffers[buf_id] = (nil) Segmentation fault (core dumped) ============================================ [2b] debugging printf()s ============================================ diff --git a/src/loader/loader_dri3_helper.c b/src/loader/loader_dri3_helper.c index 7e6b8b2e05..edfcea8ef7 100644 --- a/src/loader/loader_dri3_helper.c +++ b/src/loader/loader_dri3_helper.c @@ -24,6 +24,7 @@ #include <fcntl.h> #include <stdlib.h> #include <unistd.h> +#include <stdio.h> #include <X11/xshmfence.h> #include <xcb/xcb.h> @@ -405,6 +406,7 @@ dri3_handle_present_event(struct loader_dri3_drawable *draw, draw->cur_blit_source != b) { dri3_free_render_buffer(draw, buf); draw->buffers[b] = NULL; + fprintf(stderr, "dri3_handle_present_event() freed %p\n", buf); } } break; @@ -1435,6 +1437,8 @@ dri3_get_buffer(__DRIdrawable *driDrawable, draw->width, draw->height); dri3_fence_trigger(draw->conn, new_buffer); } + fprintf(stderr, "dri3_get_buffer() freeing buffer = %p; draw->buffers[buf_id] = %p\n", + buffer, draw->buffers[buf_id]); dri3_free_render_buffer(draw, buffer); } else if (buffer_type == loader_dri3_buffer_front) { /* Fill the new fake front with data from a real front */ ============================================</pre> </div> <hr> You are receiving this mail because: <ul> <li>You are the QA Contact for the bug.</li> <li>You are the assignee for the bug.</li> </ul> </body> </html>