<html>
<head>
<base href="https://bugs.freedesktop.org/">
</head>
<body>
<p>
<div>
<b><a class="bz_bug_link
bz_status_NEEDINFO "
title="NEEDINFO - [ILK] Browser crashes while switching between fullscreen and windowed video on youtube."
href="https://bugs.freedesktop.org/show_bug.cgi?id=104376#c11">Comment # 11</a>
on <a class="bz_bug_link
bz_status_NEEDINFO "
title="NEEDINFO - [ILK] Browser crashes while switching between fullscreen and windowed video on youtube."
href="https://bugs.freedesktop.org/show_bug.cgi?id=104376">bug 104376</a>
from <span class="vcard"><a class="email" href="mailto:evangelos@foutrelis.com" title="Evangelos Foutras <evangelos@foutrelis.com>"> <span class="fn">Evangelos Foutras</span></a>
</span></b>
<pre>Apparently this issue isn't specific to the i965 driver; I can also repro with
r600g. To my untrained eye it seems there is a race caused by
dri3_handle_present_event() freeing buffers without taking "buf->pixmap ==
ie->pixmap" into account after commit 15e208c4cc. [1]
What's interesting, besides the double free shown below, is that I don't see
the "dri3_handle_present_event() ..." lines from [2a] if I enable Xfce's
compositor. This might be why you Mesa devs are unable to repro these crashes;
please try with display compositing disabled.
[1] <a href="https://cgit.freedesktop.org/mesa/mesa/commit/?id=15e208c4cc">https://cgit.freedesktop.org/mesa/mesa/commit/?id=15e208c4cc</a>
[2a] test run with printf()s run indicating dri3_free_render_buffer() is called
on the same buffer twice
============================================
$ mpv --really-quiet bunny.mp4
dri3_get_buffer() freeing buffer = 0x7f8ef43fcc20; draw->buffers[buf_id] =
0x7f8ef43fcc20
dri3_get_buffer() freeing buffer = 0x7f8ef44d88e0; draw->buffers[buf_id] =
0x7f8ef44d88e0
dri3_get_buffer() freeing buffer = 0x7f8ef4483b40; draw->buffers[buf_id] =
0x7f8ef4483b40
dri3_get_buffer() freeing buffer = 0x7f8ef42e1ac0; draw->buffers[buf_id] =
0x7f8ef42e1ac0
dri3_handle_present_event() freed 0x7f8ef44d4b60
dri3_get_buffer() freeing buffer = 0x7f8ef44ceb20; draw->buffers[buf_id] =
0x7f8ef44ceb20
dri3_get_buffer() freeing buffer = 0x7f8ef42e1ac0; draw->buffers[buf_id] =
0x7f8ef42e1ac0
dri3_get_buffer() freeing buffer = 0x7f8ef44d9800; draw->buffers[buf_id] =
0x7f8ef44d9800
dri3_get_buffer() freeing buffer = 0x7f8ef44d16e0; draw->buffers[buf_id] =
0x7f8ef44d16e0
dri3_handle_present_event() freed 0x7f8ef44d9560
dri3_get_buffer() freeing buffer = 0x7f8ef44d9560; draw->buffers[buf_id] =
(nil)
Segmentation fault (core dumped)
============================================
[2b] debugging printf()s
============================================
diff --git a/src/loader/loader_dri3_helper.c b/src/loader/loader_dri3_helper.c
index 7e6b8b2e05..edfcea8ef7 100644
--- a/src/loader/loader_dri3_helper.c
+++ b/src/loader/loader_dri3_helper.c
@@ -24,6 +24,7 @@
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>
+#include <stdio.h>
#include <X11/xshmfence.h>
#include <xcb/xcb.h>
@@ -405,6 +406,7 @@ dri3_handle_present_event(struct loader_dri3_drawable
*draw,
draw->cur_blit_source != b) {
dri3_free_render_buffer(draw, buf);
draw->buffers[b] = NULL;
+ fprintf(stderr, "dri3_handle_present_event() freed %p\n", buf);
}
}
break;
@@ -1435,6 +1437,8 @@ dri3_get_buffer(__DRIdrawable *driDrawable,
draw->width, draw->height);
dri3_fence_trigger(draw->conn, new_buffer);
}
+ fprintf(stderr, "dri3_get_buffer() freeing buffer = %p;
draw->buffers[buf_id] = %p\n",
+ buffer, draw->buffers[buf_id]);
dri3_free_render_buffer(draw, buffer);
} else if (buffer_type == loader_dri3_buffer_front) {
/* Fill the new fake front with data from a real front */
============================================</pre>
</div>
</p>
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are the QA Contact for the bug.</li>
<li>You are the assignee for the bug.</li>
</ul>
</body>
</html>