[PATCH] pixman: Check whether the buffer still exists when the surface is redrawn

[Lubomir Rintel]

While the pixman image might be attached, the underlying buffer might be
already gone under certain circumstances. This is easily reproduced by
attempting to resize gnome-terminal on a fbdev backend.

A more proper fix (without skipping rendering of the surface) would need a
change to Wayland API, so that the buffers are reference-counted in the same
way as pools are, so that they would not release their pulls if they are still
needed.

$ WAYLAND_DEBUG=1 strace -emunmap weston --backend=fbdev-backend.so
...
[1524846.706] wl_shm at 7.create_pool(new id wl_shm_pool at 26, fd 40, 1545000)
[1524847.215] wl_shm_pool at 26.create_buffer(new id wl_buffer at 27, 0, 750, 515, 3000, 0)
[1524847.735] wl_buffer at 24.destroy()
[1524847.953]  -> wl_display at 1.delete_id(24)
[1524848.144] wl_shm_pool at 23.destroy()
munmap(0xb5b2e000, 1563540)             = 0
[1524849.021]  -> wl_display at 1.delete_id(23)
[1524849.425] wl_surface at 14.attach(wl_buffer at 27, 0, 0)
[1524849.730] wl_surface at 14.set_buffer_scale(1)
[1524849.821] wl_surface at 14.damage(0, 0, 750, 515)
<No commit yet, so drawing is attempted from older buffer that used to be
 attached to the surface, which happens to come from a destroyed pool,
 resulting it an invalid read from address 0xb5b2e000>

Signed-off-by: Lubomir Rintel <lkundrak at v3.sk>
---
A Perl-based reproducer available here, in case it is more convenient to run 
than gnome-terminal: http://v3.sk/~lkundrak/pixman-crash.pl

 src/pixman-renderer.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/pixman-renderer.c b/src/pixman-renderer.c
index b719829..6759a00 100644
--- a/src/pixman-renderer.c
+++ b/src/pixman-renderer.c
@@ -348,7 +348,7 @@ draw_view(struct weston_view *ev, struct weston_output *output,
 	pixman_region32_t surface_blend;
 
 	/* No buffer attached */
-	if (!ps->image)
+	if (!ps->buffer_ref.buffer)
 		return;
 
 	pixman_region32_init(&repaint);
-- 
1.8.4.2