[Mesa-dev] [PATCH] st/dri: Fix dangling pointer to a destroyed dri_drawable
Emil Velikov
emil.l.velikov at gmail.com
Tue Apr 24 11:06:55 UTC 2018
On 24 April 2018 at 08:13, Johan Helsing <johan.helsing at qt.io> wrote:
> Emil: Your alternative patch won't work because dri_make_current is not
> necessarily called with NULL after a buffer has been destroyed.
>
Interesting, the trace attached in the bug report does a proper
makecurrent/surface dance.
Namely, MakeCurrent(..., NULL, NULL, ...) is called before DestroySurface().
Hope you can see how that may be confusing wrt the patch in question.
>
> The problematic sequence is a pattern we use in QtWayland:
>
>
> //create temporary context
>
> surface1 = eglCreateWindowSurface() <-- dri_drawable pointer is malloced
>
> eglMakeCurrent(surface1) <-- ctx->dPriv is set
>
>
> // ... (Get some information about available GL extensions etc)
>
>
> eglDestroySurface(surface1) <-- pointer is freed, ctx->dPriv is now dangling
>
As others have pointed out, the pointer must not be freed at this point.
We have plenty of refcounting and locking to ensure that, so I'm a bit
suspicious if this happens.
Can you observe that, or is it more of an educated guess?
> surface2 = eglCreateWindowSurface() <-- Creating a new surface. Sometimes
> its address will be the same as the freed pointer.
>
Repeating my earlier question - what do you mean with "it will be the same"?
A malloc call returns the same pointer as previously freed memory, other?
Thanks
Emil
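The create/make-current/destroy/create sequence quoted above, as an added example that is not Mesa, st/dri or QtWayland code: a constructed model of a context that remembers its current drawable (standing in for ctx->dPriv), once with a borrowed pointer and once with the context holding its own reference. The struct and function names are invented, and a two-slot pool replaces malloc/free so that the "next allocation comes back at the freed address" case is deterministic and no stale pointer is ever dereferenced.

```c
#include <stdio.h>

/* Constructed model, not Mesa or QtWayland code: a refcounted drawable and a
 * context that remembers which drawable is current (like ctx->dPriv). */
struct drawable { int refcount; int id; };
struct context  { struct drawable *current; };

/* Two-slot pool in place of malloc/free: a released slot is handed out again
 * by the next allocation, which is the address reuse the report describes. */
#define POOL_SLOTS 2
static struct drawable pool[POOL_SLOTS];
static int pool_in_use[POOL_SLOTS];

static void pool_reset(void)
{
    for (int i = 0; i < POOL_SLOTS; i++)
        pool_in_use[i] = 0;
}

static struct drawable *drawable_alloc(int id)
{
    for (int i = 0; i < POOL_SLOTS; i++) {
        if (!pool_in_use[i]) {
            pool_in_use[i] = 1;
            pool[i].refcount = 1;
            pool[i].id = id;
            return &pool[i];
        }
    }
    return NULL;
}

static void drawable_release(struct drawable *d)
{
    pool_in_use[d - pool] = 0;
}

/* Buggy variant: the context only borrows the pointer, and destroying the
 * surface releases the drawable regardless of who still points at it. */
static void borrowed_make_current(struct context *ctx, struct drawable *d)
{
    ctx->current = d;
}

static void borrowed_destroy(struct drawable *d)
{
    drawable_release(d);
}

/* Refcounted variant: the context takes its own reference, so destroying the
 * surface only drops the creator's reference; the storage (and its address)
 * stays taken until the context lets go, e.g. make_current(ctx, NULL). */
static void drawable_unref(struct drawable *d)
{
    if (--d->refcount == 0)
        drawable_release(d);
}

static void refcounted_make_current(struct context *ctx, struct drawable *d)
{
    if (d)
        d->refcount++;
    if (ctx->current)
        drawable_unref(ctx->current);
    ctx->current = d;
}

static void refcounted_destroy(struct drawable *d)
{
    drawable_unref(d);
}

/* Runs: create surface1, make it current, destroy it, create surface2.
 * Returns 1 if surface2 comes back at the address the context still holds,
 * i.e. a comparison like "ctx->current == new_drawable" would wrongly treat
 * the new surface as the one that is current. */
static int sequence_aliases_current(int use_refcount)
{
    struct context ctx = { NULL };
    pool_reset();

    struct drawable *surface1 = drawable_alloc(1);
    if (use_refcount)
        refcounted_make_current(&ctx, surface1);
    else
        borrowed_make_current(&ctx, surface1);

    if (use_refcount)
        refcounted_destroy(surface1);
    else
        borrowed_destroy(surface1);

    struct drawable *surface2 = drawable_alloc(2);
    int aliases = (surface2 == ctx.current);

    if (use_refcount)
        refcounted_make_current(&ctx, NULL); /* context drops its reference */
    return aliases;
}

int main(void)
{
    printf("borrowed pointer: surface2 aliases ctx->current = %d\n",
           sequence_aliases_current(0));
    printf("refcounted:       surface2 aliases ctx->current = %d\n",
           sequence_aliases_current(1));
    return 0;
}
```

With the borrowed pointer the freed slot is reused and surface2 aliases the context's stale pointer; with the context holding a reference the destroyed surface's slot stays occupied, surface2 lands elsewhere, and the drawable is only released once the context makes NULL current.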