<div dir="auto">Rb for the series. Posting from phone.<div dir="auto"><br></div><div dir="auto">Marek</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Feb 2, 2017 6:20 PM, "Nicolai Hähnle" <<a href="mailto:nhaehnle@gmail.com">nhaehnle@gmail.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">From: Nicolai Hähnle <<a href="mailto:nicolai.haehnle@amd.com">nicolai.haehnle@amd.com</a>><br>
<br>
The GLX specification says about glXDestroyPixmap:<br>
<br>
    "The storage for the GLX pixmap will be freed when it is not current<br>
     to any client."<br>
<br>
We're not really following this language to the letter: some of the storage<br>
is freed immediately (in particular, the dri3_drawable, which contains both<br>
GLXDRIdrawable and loader_dri3_drawable). So we NULL out the pointers to<br>
that freed storage; the previous patches added the corresponding NULL-pointer<br>
checks.<br>
<br>
This fixes memory corruption in piglit<br>
./bin/glx-visuals-depth/<wbr>stencil -pixmap -auto<br>
<br>
Cc: 17.0 <<a href="mailto:mesa-stable@lists.freedesktop.org">mesa-stable@lists.<wbr>freedesktop.org</a>><br>
Reviewed-by: Marek Olšák <<a href="mailto:marek.olsak@amd.com">marek.olsak@amd.com</a>><br>
---<br>
 src/mesa/drivers/dri/common/<wbr>dri_util.c | 12 ++++++++++++<br>
 1 file changed, 12 insertions(+)<br>
<br>
diff --git a/src/mesa/drivers/dri/common/<wbr>dri_util.c b/src/mesa/drivers/dri/common/<wbr>dri_util.c<br>
index f92eee9..d18c458 100644<br>
--- a/src/mesa/drivers/dri/common/<wbr>dri_util.c<br>
+++ b/src/mesa/drivers/dri/common/<wbr>dri_util.c<br>
@@ -638,20 +638,22 @@ static void dri_put_drawable(__DRIdrawable *pdp)<br>
     }<br>
 }<br>
<br>
 static __DRIdrawable *<br>
 driCreateNewDrawable(__<wbr>DRIscreen *screen,<br>
                      const __DRIconfig *config,<br>
                      void *data)<br>
 {<br>
     __DRIdrawable *pdraw;<br>
<br>
+    assert(data != NULL);<br>
+<br>
     pdraw = malloc(sizeof *pdraw);<br>
     if (!pdraw)<br>
        return NULL;<br>
<br>
     pdraw->loaderPrivate = data;<br>
<br>
     pdraw->driScreenPriv = screen;<br>
     pdraw->driContextPriv = NULL;<br>
     pdraw->refcount = 0;<br>
     pdraw->lastStamp = 0;<br>
@@ -667,20 +669,30 @@ driCreateNewDrawable(__<wbr>DRIscreen *screen,<br>
     }<br>
<br>
     pdraw->dri2.stamp = pdraw->lastStamp + 1;<br>
<br>
     return pdraw;<br>
 }<br>
<br>
 static void<br>
 driDestroyDrawable(__<wbr>DRIdrawable *pdp)<br>
 {<br>
+    /*<br>
+     * The loader's data structures are going away, even if pdp itself stays<br>
+     * around for the time being because it is currently bound. This happens<br>
+     * when a currently bound GLX pixmap is destroyed.<br>
+     *<br>
+     * Clear out the pointer back into the loader's data structures to avoid<br>
+     * accessing an outdated pointer.<br>
+     */<br>
+    pdp->loaderPrivate = NULL;<br>
+<br>
     dri_put_drawable(pdp);<br>
 }<br>
<br>
 static __DRIbuffer *<br>
 dri2AllocateBuffer(__DRIscreen *screen,<br>
                   unsigned int attachment, unsigned int format,<br>
                   int width, int height)<br>
 {<br>
     return screen->driver-><wbr>AllocateBuffer(screen, attachment, format,<br>
                                           width, height);<br>
--<br>
2.9.3<br>
<br>
______________________________<wbr>_________________<br>
mesa-stable mailing list<br>
<a href="mailto:mesa-stable@lists.freedesktop.org">mesa-stable@lists.freedesktop.<wbr>org</a><br>
<a href="https://lists.freedesktop.org/mailman/listinfo/mesa-stable" rel="noreferrer" target="_blank">https://lists.freedesktop.org/<wbr>mailman/listinfo/mesa-stable</a><br>
</blockquote></div></div>