[Mesa-dev] [PATCH] st/dri: Fix dangling pointer to a destroyed dri_drawable

Marek Olšák maraeo at gmail.com
Tue Apr 24 17:47:42 UTC 2018


On Tue, Apr 24, 2018 at 3:13 AM, Johan Helsing <johan.helsing at qt.io> wrote:

> Emil: Your alternative patch won't work because dri_make_current is not
> necessarily called with NULL after a buffer has been destroyed.
>
>
> The problematic sequence is a pattern we use in QtWayland:
>
>
> //create temporary context
>
> surface1 = eglCreateWindowSurface() <-- dri_drawable pointer is malloced
>
> eglMakeCurrent(surface1) <-- ctx->dPriv is set
>
>
> // ... (Get some information about available GL extensions etc)
>
>
> eglDestroySurface(surface1) <-- pointer is freed, ctx->dPriv is now
> dangling
>
> surface2 = eglCreateWindowSurface() <-- Creating a new surface. Sometimes
> its address will be the same as the free'd pointer.
>
> eglMakeCurrent(surface2) <-- In dri_make_current, ctx->dPriv ==
> driReadPriv may return true because the pointers may be equal
>
>       => The drawable info is not updated. Width and height for the
> drawable are not set from the wl_egl_window on the first frame.
>
>
> Marek: How exactly does it crash? Are you sure firefox didn't previously
> access free'd memory through the dangling pointer and that it was just
> exposed now that the pointer is NULL?
>

ctx was a dangling pointer, which means ctx had been destroyed, and reading
ctx->dPriv crashed.

Marek
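The sequence Johan describes, reduced to a constructed C model (added here, not Mesa code): a fixed two-slot pool makes the address reuse after free deterministic, `make_current_buggy` is the pointer-equality shortcut that skips the drawable update, and `drawable_destroy_fixed` shows one mitigation, clearing the cached pointer when the drawable goes away. The pool, the struct layout and the function names are assumptions for illustration only.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of the bug: a drawable with a size, and a context that
   caches a pointer to its current drawable plus the size it last pulled. */
struct drawable { int w, h; bool alive; };
struct context  { struct drawable *dPriv; int w, h; };

/* Two-slot pool instead of malloc so that a create after a destroy
   deterministically hands back the same address (assumption). */
static struct drawable pool[2];

static struct drawable *drawable_create(int w, int h) {
    for (size_t i = 0; i < 2; i++) {
        if (!pool[i].alive) {
            pool[i].alive = true; pool[i].w = w; pool[i].h = h;
            return &pool[i];
        }
    }
    return NULL;
}

/* Buggy destroy: frees the object but leaves ctx->dPriv dangling. */
static void drawable_destroy(struct drawable *d) { d->alive = false; }

/* Fixed destroy: drop the cached pointer so a later address reuse can never
   look like "the same drawable" (one possible mitigation, assumption). */
static void drawable_destroy_fixed(struct context *ctx, struct drawable *d) {
    if (ctx->dPriv == d) ctx->dPriv = NULL;
    d->alive = false;
}

/* The pointer compare cannot distinguish the same object from a reused address. */
static void make_current(struct context *ctx, struct drawable *d) {
    if (ctx->dPriv == d) return;          /* "nothing changed", update skipped */
    ctx->dPriv = d; ctx->w = d->w; ctx->h = d->h;
}

/* Replays create/make_current/destroy/create/make_current; returns true when
   the second surface's size reached the context. */
static bool replay(bool fixed) {
    struct context ctx = {0};
    memset(pool, 0, sizeof pool);
    struct drawable *s1 = drawable_create(100, 100);
    make_current(&ctx, s1);
    if (fixed) drawable_destroy_fixed(&ctx, s1); else drawable_destroy(s1);
    struct drawable *s2 = drawable_create(640, 480);   /* lands in s1's slot */
    make_current(&ctx, s2);
    return ctx.w == 640 && ctx.h == 480;
}
```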