[Mesa-dev] [PATCH] mesa: Reference the array object in vbo_bind_arrays()
Marek Olšák
maraeo at gmail.com
Mon Apr 15 11:24:15 PDT 2013
I think the problem is _DrawArrays points to a deleted VAO, because we
don't reset _DrawArrays to NULL. The attached patch should fix it. Please
review.
Marek
On Mon, Apr 15, 2013 at 7:56 PM, Fredrik Höglund <fredrik at kde.org> wrote:
> Otherwise gl_array_attrib::_DrawArrays can end up pointing at free'd
> memory when the array object is deleted.
>
> Note: This is a candidate for the stable branches.
> ---
>
> The slightly longer explanation is that the mesa state tracker accesses
> _DrawArrays during state validation, and state validation can be
> triggered between draw calls. So the following sequence of calls will
> result in a segfault if the VAO being deleted is the VAO that was used
> in the last draw call:
>
> glDeleteVertexArrays(...);
> glClear();
>
> src/mesa/main/context.c | 1 +
> src/mesa/main/mtypes.h | 5 +++++
> src/mesa/vbo/vbo_exec_array.c | 3 +++
> 3 files changed, 9 insertions(+)
>
> diff --git a/src/mesa/main/context.c b/src/mesa/main/context.c
> index d77740e..a03a22d 100644
> --- a/src/mesa/main/context.c
> +++ b/src/mesa/main/context.c
> @@ -1160,6 +1160,7 @@ _mesa_free_context_data( struct gl_context *ctx )
>
> _mesa_reference_array_object(ctx, &ctx->Array.ArrayObj, NULL);
> _mesa_reference_array_object(ctx, &ctx->Array.DefaultArrayObj, NULL);
> + _mesa_reference_array_object(ctx, &ctx->Array.DrawArrayObj, NULL);
>
> _mesa_free_attrib_data(ctx);
> _mesa_free_buffer_objects(ctx);
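Review bot: after this release `ctx->Array._DrawArrays` still holds its pointer into the array object that may just have been freed; nothing in `_mesa_free_context_data()` should read it again, but clearing it next to the new line (`ctx->Array._DrawArrays = NULL;`) or a one-line comment would make that explicit for anyone reordering this function later. Placing the release ahead of `_mesa_free_buffer_objects(ctx)` looks right, since the object is dropped while anything its arrays point at is still valid.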
> diff --git a/src/mesa/main/mtypes.h b/src/mesa/main/mtypes.h
> index e46fa39..6fb5c79 100644
> --- a/src/mesa/main/mtypes.h
> +++ b/src/mesa/main/mtypes.h
> @@ -1555,6 +1555,11 @@ struct gl_array_attrib
> * Vertex arrays as consumed by a driver.
> * The array pointer is set up only by the VBO module. */
> const struct gl_client_array **_DrawArrays; /**< 0..VERT_ATTRIB_MAX-1
> */
> +
> + /**
> + * The vertex array object that contains the arrays pointed to by
> _DrawArrays.
> + */
> + struct gl_array_object *DrawArrayObj;
> };
>
>
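Review bot: the doc comment on `DrawArrayObj` should say that it is a reference-counted pointer maintained only through `_mesa_reference_array_object()` and that its job is to keep the array object alive for as long as `_DrawArrays` points into it; as written, a reader cannot tell it apart from a plain alias of `ArrayObj`. Naming is also worth a look: the sibling derived field is `_DrawArrays`, with the leading underscore this struct uses for driver-facing derived state, so `_DrawArrayObj` would match that convention.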
> diff --git a/src/mesa/vbo/vbo_exec_array.c b/src/mesa/vbo/vbo_exec_array.c
> index 7e61f7b..2bcf1b4 100644
> --- a/src/mesa/vbo/vbo_exec_array.c
> +++ b/src/mesa/vbo/vbo_exec_array.c
> @@ -35,6 +35,7 @@
> #include "main/enums.h"
> #include "main/macros.h"
> #include "main/transformfeedback.h"
> +#include "main/arrayobj.h"
>
> #include "vbo_context.h"
>
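Review bot: style point only: the existing `main/*.h` includes in this group are in alphabetical order (`enums.h`, `macros.h`, `transformfeedback.h`), so `main/arrayobj.h` belongs at the top of the group rather than appended after `transformfeedback.h`.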
> @@ -499,6 +500,8 @@ vbo_bind_arrays(struct gl_context *ctx)
>
> vbo_draw_method(vbo, DRAW_ARRAYS);
>
> + _mesa_reference_array_object(ctx, &ctx->Array.DrawArrayObj,
> ctx->Array.ArrayObj);
> +
> if (exec->array.recalculate_inputs) {
> recalculate_input_bindings(ctx);
>
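Review bot: taking the reference before `recalculate_input_bindings(ctx)` is the right order (the object is pinned before pointers into it are recomputed), but the call now runs on every `vbo_bind_arrays()` regardless of whether `ctx->Array.ArrayObj` changed; that is only cheap if `_mesa_reference_array_object()` early-outs when old and new pointers are equal, so either confirm that or guard the call with `if (ctx->Array.DrawArrayObj != ctx->Array.ArrayObj)`. Is this also the only place `_DrawArrays` is assigned? If other draw paths set it, they need the same pinning, or a comment here saying why their arrays are not owned by a VAO.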
> --
> 1.7.10.4
>
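The pinning mechanism the patch relies on, as an added example that is not Mesa's code: a constructed reference-counted stand-in for `gl_array_object`, a helper with the contract of `_mesa_reference_array_object()`, and the draw-then-delete sequence from the mail, checking that `_DrawArrays` still points into a live object afterwards. The struct layouts, `live_objects`, `bind_arrays` and `stale_draw_arrays_fixed` are assumptions made for this example.

```c
#include <stdlib.h>
/* Constructed stand-ins for gl_array_object / gl_array_attrib (not Mesa's
 * code), with the patch's new DrawArrayObj field. */
struct array_object { int refcount; const void *arrays[4]; };
struct array_attrib {
   struct array_object *ArrayObj;     /* VAO bound by glBindVertexArray */
   struct array_object *DrawArrayObj; /* VAO pinned by the last draw */
   const void **_DrawArrays;          /* points into DrawArrayObj->arrays */
};
static int live_objects; /* VAOs not yet freed, so the caller can see frees */
/* Mirrors _mesa_reference_array_object(): release the old referent of *ptr,
 * take a reference on obj, and free an object on its last release. */
static void reference_array_object(struct array_object **ptr, struct array_object *obj)
{
   if (*ptr == obj)
      return;
   if (*ptr && --(*ptr)->refcount == 0) {
      free(*ptr);
      live_objects--;
   }
   *ptr = obj;
   if (obj)
      obj->refcount++;
}

/* vbo_bind_arrays() after the patch: pin the bound VAO before publishing
 * pointers into it, so _DrawArrays cannot outlive its backing object. */
static void bind_arrays(struct array_attrib *a)
{
   reference_array_object(&a->DrawArrayObj, a->ArrayObj);
   a->_DrawArrays = a->DrawArrayObj->arrays;
}

/* The crashing sequence from the mail: draw with a VAO, delete it, then read
 * _DrawArrays as state validation would. Returns 1 if it is still live and
 * nothing leaks once the context is torn down. */
int stale_draw_arrays_fixed(void)
{
   struct array_attrib a = { 0 };
   struct array_object *vao = calloc(1, sizeof(*vao));
   vao->refcount = 1;                             /* reference held by the GL name */
   live_objects = 1;
   reference_array_object(&a.ArrayObj, vao);      /* glBindVertexArray(vao) */
   bind_arrays(&a);                               /* glDrawArrays(...) */
   reference_array_object(&a.ArrayObj, NULL);     /* glDeleteVertexArrays: unbind, */
   reference_array_object(&vao, NULL);            /* then drop the name's reference */
   int ok = live_objects == 1 && a._DrawArrays == a.DrawArrayObj->arrays;
   reference_array_object(&a.DrawArrayObj, NULL); /* _mesa_free_context_data() */
   return ok && live_objects == 0;
}
```

Without the `DrawArrayObj` reference in `bind_arrays()`, the second release would free the object while `_DrawArrays` still pointed into it, which is the use-after-free the patch closes.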
Attachment: 0001-mesa-fix-use-after-free-with-a-stale-pointer-in-_Dra.patch (application/octet-stream, 2566 bytes) <http://lists.freedesktop.org/archives/mesa-dev/attachments/20130415/6f5cd81a/attachment.obj>