[XFree86] CVS tree: Xserver deref null pointer in Mesa cleanup of dropped client connectio

Mon, 27 Jan 2003 15:14:43 -0800 

                    XFree86 Bug/Test Report Form

Please fill in as many of the fields a possible, and return this form to
[EMAIL PROTECTED]  Replace the comments in [] with your own text.

VERSION:

CVS tree on 1/21/2003

XF86_VERSION
4.2.99.4
VIDEO DRIVER:

radeon mobile 9600

OPERATING SYSTEM:

Linux

VIDEO CARD:

    MODEL:

    Radeon Mobility 9000

    GRAPHICS CHIPSET:

    ATI Radeon R250

    RAMDAC:

    CLOCKCHIP:


    VIDEO MEMORY:

    BUS TYPE:

    PCI

REPORT:

        I have an OpenGL program that crashes after opening the GL
context (I believe) - but then dies. The Xserver tries to cleanup
after this mishap and free memory. In the Mesa server code,
xc/extras/Mesa/src/tnl, a context structure element "freed_immesiate"
is used to cache the last freed memory - for possible reuse. Clearly a
performance gain.

The problem: If no memory has been freed - because none has been
allocated yet, _tnl_DestroyContext (t_context.c:146) invokes
_tnl_free_immediate with a second argument the pointer to the
freed_immediate memory. This will be "0" if no memory has been freed -
or if t_imm_alloc.c has given the memory to someone else already.

_tnl_free_immediate (t_imm_alloc.c:129) places the second argument into a
variable IM.

Almost immediately at line 130 - IM is derefenced with 

   ASSERT(IM->ref_count == 0);

Oops....

Two possible fixes: a) _tnl_free_immediate should test for IM being 0,
or _tnl_DestroyContext should not call _tnl_free_immediate if freed_immediate
is 0.

I chose the later.... Seems that the DRI development CVS tree suffers
from the same.

     Ezra

--- xc/extras/Mesa/src/tnl/t_context.c.ezra     2003-01-27 17:22:23.000000000 -0500
+++ xc/extras/Mesa/src/tnl/t_context.c  2003-01-27 17:11:58.000000000 -0500
@@ -144,7 +144,8 @@
    _tnl_array_destroy( ctx );
    _tnl_imm_destroy( ctx );
    _tnl_destroy_pipeline( ctx );
-   _tnl_free_immediate( ctx, tnl->freed_immediate );
+   if (tnl->freed_immediate) 
+     _tnl_free_immediate( ctx, tnl->freed_immediate );
 
    FREE(tnl);
    ctx->swtnl_context = 0;


$XFree86: xc/programs/Xserver/hw/xfree86/doc/BugReport.cpp,v 1.1 2001/01/15 23:00:01 
dawes Exp $
_______________________________________________
XFree86 mailing list
[EMAIL PROTECTED]
http://XFree86.Org/mailman/listinfo/xfree86

Reply via email to