[Mesa-dev] [PATCH] mesa: Reference the array object in vbo_bind_arrays()

Fredrik Höglund fredrik at kde.org
Mon Apr 15 10:56:59 PDT 2013 

Otherwise gl_array_attrib::_DrawArrays can end up pointing at free'd
memory when the array object is deleted.

Note: This is a candidate for the stable branches.
---

The slightly longer explanation is that the mesa state tracker accesses
_DrawArrays during state validation, and state validation can be
triggered between draw calls. So the following sequence of calls will
result in a segfault if the VAO being deleted is the VAO that was used
in the last draw call:

   glDeleteVertexArrays(...);
   glClear();

 src/mesa/main/context.c       |    1 +
 src/mesa/main/mtypes.h        |    5 +++++
 src/mesa/vbo/vbo_exec_array.c |    3 +++
 3 files changed, 9 insertions(+)

diff --git a/src/mesa/main/context.c b/src/mesa/main/context.c
index d77740e..a03a22d 100644
--- a/src/mesa/main/context.c
+++ b/src/mesa/main/context.c
@@ -1160,6 +1160,7 @@ _mesa_free_context_data( struct gl_context *ctx )
 
    _mesa_reference_array_object(ctx, &ctx->Array.ArrayObj, NULL);
    _mesa_reference_array_object(ctx, &ctx->Array.DefaultArrayObj, NULL);
+   _mesa_reference_array_object(ctx, &ctx->Array.DrawArrayObj, NULL);
 
    _mesa_free_attrib_data(ctx);
    _mesa_free_buffer_objects(ctx);
diff --git a/src/mesa/main/mtypes.h b/src/mesa/main/mtypes.h
index e46fa39..6fb5c79 100644
--- a/src/mesa/main/mtypes.h
+++ b/src/mesa/main/mtypes.h
@@ -1555,6 +1555,11 @@ struct gl_array_attrib
     * Vertex arrays as consumed by a driver.
     * The array pointer is set up only by the VBO module. */
    const struct gl_client_array **_DrawArrays; /**< 0..VERT_ATTRIB_MAX-1 */
+
+   /**
+    * The vertex array object that contains the arrays pointed to by _DrawArrays.
+    */
+   struct gl_array_object *DrawArrayObj;
 };
 
 
diff --git a/src/mesa/vbo/vbo_exec_array.c b/src/mesa/vbo/vbo_exec_array.c
index 7e61f7b..2bcf1b4 100644
--- a/src/mesa/vbo/vbo_exec_array.c
+++ b/src/mesa/vbo/vbo_exec_array.c
@@ -35,6 +35,7 @@
 #include "main/enums.h"
 #include "main/macros.h"
 #include "main/transformfeedback.h"
+#include "main/arrayobj.h"
 
 #include "vbo_context.h"
 
@@ -499,6 +500,8 @@ vbo_bind_arrays(struct gl_context *ctx)
 
    vbo_draw_method(vbo, DRAW_ARRAYS);
 
+   _mesa_reference_array_object(ctx, &ctx->Array.DrawArrayObj, ctx->Array.ArrayObj);
+
    if (exec->array.recalculate_inputs) {
       recalculate_input_bindings(ctx);
 
-- 
1.7.10.4

More information about the mesa-dev mailing list