discomfitor pushed a commit to branch master.

http://git.enlightenment.org/core/efl.git/commit/?id=437ba4c46d0c161bd11c6f6d42adbff872a8540a

commit 437ba4c46d0c161bd11c6f6d42adbff872a8540a
Author: Mike Blumenkrantz <zm...@osg.samsung.com>
Date:   Fri Mar 11 16:04:56 2016 -0500

    gl_common: call evas_gl_common_texture_free() before dropping image cache
    
    texture_free() accesses struct members which can be freed if image cache 
entry
    reaches zero references
    
    @fix
    
    ==30989== Invalid read of size 1
    ==30989==    at 0x23BA2934: evas_gl_common_texture_free 
(evas_gl_texture.c:1506)
    ==30989==    by 0x23BA9117: evas_gl_common_image_free (evas_gl_image.c:724)
    ==30989==    by 0x23B80DA1: eng_image_data_put (evas_engine.c:988)
    ==30989==    by 0x872681A: _evas_image_data_set (evas_object_image.c:1264)
    ==30989==    by 0x87360B5: evas_obj_image_data_set (evas_image.eo.c:236)
    ==30989==    by 0x8736B43: evas_object_image_data_set (evas_image.eo.c:741)
    ==30989==    by 0x4820A4: e_comp_object_render (e_comp_object.c:3746)
    ==30989==    by 0x477B92: _e_comp_object_pixels_get (e_comp_object.c:909)
    ==30989==    by 0x872CF52: evas_process_dirty_pixels 
(evas_object_image.c:3154)
    ==30989==    by 0x872DD16: _evas_image_render (evas_object_image.c:3389)
    ==30989==    by 0x872DB01: evas_object_image_render 
(evas_object_image.c:3351)
    ==30989==    by 0x879C524: evas_render_mapped (evas_render.c:1802)
    ==30989==    by 0x879E82A: evas_render_updates_internal_loop 
(evas_render.c:2380)
    ==30989==    by 0x87A005D: evas_render_updates_internal (evas_render.c:2770)
    ==30989==    by 0x87A140D: evas_render_updates_internal_wait 
(evas_render.c:3122)
    ==30989==    by 0x87A1502: _evas_canvas_render_updates (evas_render.c:3144)
    ==30989==    by 0x871ED0D: evas_canvas_render_updates (evas_canvas.eo.c:354)
    ==30989==    by 0x8720C5F: evas_render_updates (evas_canvas.eo.c:1089)
    ==30989==    by 0x22F65C35: _ecore_evas_drm_render (ecore_evas_drm.c:1072)
    ==30989==    by 0x7416F7B: _ecore_evas_idle_enter (ecore_evas.c:172)
    ==30989==    by 0xDDE3577: _ecore_call_task_cb (ecore_private.h:282)
    ==30989==    by 0xDDE3A5E: _ecore_idle_enterer_call 
(ecore_idle_enterer.c:174)
    ==30989==    by 0xDDE836B: _ecore_main_loop_iterate_internal 
(ecore_main.c:2261)
    ==30989==    by 0xDDE67B8: ecore_main_loop_begin (ecore_main.c:1284)
    ==30989==    by 0x4407B6: main (e_main.c:1087)
    ==30989==  Address 0x23a9e1d2 is 338 bytes inside a block of size 552 free'd
    ==30989==    at 0x4C29E00: free (vg_replace_malloc.c:530)
    ==30989==    by 0x882B2E2: _evas_common_rgba_image_delete 
(evas_image_main.c:343)
    ==30989==    by 0x87B1E17: _evas_cache_image_entry_delete 
(evas_cache_image.c:205)
    ==30989==    by 0x87B3C52: evas_cache_image_drop (evas_cache_image.c:950)
    ==30989==    by 0x23BA90F5: evas_gl_common_image_free (evas_gl_image.c:722)
    ==30989==    by 0x23B80DA1: eng_image_data_put (evas_engine.c:988)
    ==30989==    by 0x872681A: _evas_image_data_set (evas_object_image.c:1264)
    ==30989==    by 0x87360B5: evas_obj_image_data_set (evas_image.eo.c:236)
    ==30989==    by 0x8736B43: evas_object_image_data_set (evas_image.eo.c:741)
    ==30989==    by 0x4820A4: e_comp_object_render (e_comp_object.c:3746)
    ==30989==    by 0x477B92: _e_comp_object_pixels_get (e_comp_object.c:909)
    ==30989==    by 0x872CF52: evas_process_dirty_pixels 
(evas_object_image.c:3154)
    ==30989==    by 0x872DD16: _evas_image_render (evas_object_image.c:3389)
    ==30989==    by 0x872DB01: evas_object_image_render 
(evas_object_image.c:3351)
    ==30989==    by 0x879C524: evas_render_mapped (evas_render.c:1802)
    ==30989==    by 0x879E82A: evas_render_updates_internal_loop 
(evas_render.c:2380)
    ==30989==    by 0x87A005D: evas_render_updates_internal (evas_render.c:2770)
    ==30989==    by 0x87A140D: evas_render_updates_internal_wait 
(evas_render.c:3122)
    ==30989==    by 0x87A1502: _evas_canvas_render_updates (evas_render.c:3144)
    ==30989==    by 0x871ED0D: evas_canvas_render_updates (evas_canvas.eo.c:354)
    ==30989==    by 0x8720C5F: evas_render_updates (evas_canvas.eo.c:1089)
    ==30989==    by 0x22F65C35: _ecore_evas_drm_render (ecore_evas_drm.c:1072)
    ==30989==    by 0x7416F7B: _ecore_evas_idle_enter (ecore_evas.c:172)
    ==30989==    by 0xDDE3577: _ecore_call_task_cb (ecore_private.h:282)
    ==30989==    by 0xDDE3A5E: _ecore_idle_enterer_call 
(ecore_idle_enterer.c:174)
    ==30989==    by 0xDDE836B: _ecore_main_loop_iterate_internal 
(ecore_main.c:2261)
    ==30989==    by 0xDDE67B8: ecore_main_loop_begin (ecore_main.c:1284)
    ==30989==    by 0x4407B6: main (e_main.c:1087)
    ==30989==  Block was alloc'd at
    ==30989==    at 0x4C2AA98: calloc (vg_replace_malloc.c:711)
    ==30989==    by 0x882B0A0: _evas_common_rgba_image_new 
(evas_image_main.c:295)
    ==30989==    by 0x87B1F1B: _evas_cache_image_entry_new 
(evas_cache_image.c:253)
    ==30989==    by 0x87B4170: evas_cache_image_data (evas_cache_image.c:1079)
    ==30989==    by 0x23BA7EDE: evas_gl_common_image_new_from_data 
(evas_gl_image.c:333)
    ==30989==    by 0x23B7F972: eng_image_new_from_data (evas_engine.c:531)
    ==30989==    by 0x23B80D81: eng_image_data_put (evas_engine.c:984)
    ==30989==    by 0x872681A: _evas_image_data_set (evas_object_image.c:1264)
    ==30989==    by 0x87360B5: evas_obj_image_data_set (evas_image.eo.c:236)
    ==30989==    by 0x8736B43: evas_object_image_data_set (evas_image.eo.c:741)
    ==30989==    by 0x4820A4: e_comp_object_render (e_comp_object.c:3746)
    ==30989==    by 0x477B92: _e_comp_object_pixels_get (e_comp_object.c:909)
    ==30989==    by 0x872CF52: evas_process_dirty_pixels 
(evas_object_image.c:3154)
    ==30989==    by 0x872DD16: _evas_image_render (evas_object_image.c:3389)
    ==30989==    by 0x872DB01: evas_object_image_render 
(evas_object_image.c:3351)
    ==30989==    by 0x879C524: evas_render_mapped (evas_render.c:1802)
    ==30989==    by 0x879E82A: evas_render_updates_internal_loop 
(evas_render.c:2380)
    ==30989==    by 0x87A005D: evas_render_updates_internal (evas_render.c:2770)
    ==30989==    by 0x87A140D: evas_render_updates_internal_wait 
(evas_render.c:3122)
    ==30989==    by 0x87A1502: _evas_canvas_render_updates (evas_render.c:3144)
    ==30989==    by 0x871ED0D: evas_canvas_render_updates (evas_canvas.eo.c:354)
    ==30989==    by 0x8720C5F: evas_render_updates (evas_canvas.eo.c:1089)
    ==30989==    by 0x22F65C35: _ecore_evas_drm_render (ecore_evas_drm.c:1072)
    ==30989==    by 0x7416F7B: _ecore_evas_idle_enter (ecore_evas.c:172)
    ==30989==    by 0xDDE3577: _ecore_call_task_cb (ecore_private.h:282)
    ==30989==    by 0xDDE3A5E: _ecore_idle_enterer_call 
(ecore_idle_enterer.c:174)
    ==30989==    by 0xDDE836B: _ecore_main_loop_iterate_internal 
(ecore_main.c:2261)
    ==30989==    by 0xDDE67B8: ecore_main_loop_begin (ecore_main.c:1284)
    ==30989==    by 0x4407B6: main (e_main.c:1087)
    ==30989==
    ==30989== Invalid write of size 1
    ==30989==    at 0x23BA293E: evas_gl_common_texture_free 
(evas_gl_texture.c:1506)
    ==30989==    by 0x23BA9117: evas_gl_common_image_free (evas_gl_image.c:724)
    ==30989==    by 0x23B80DA1: eng_image_data_put (evas_engine.c:988)
    ==30989==    by 0x872681A: _evas_image_data_set (evas_object_image.c:1264)
    ==30989==    by 0x87360B5: evas_obj_image_data_set (evas_image.eo.c:236)
    ==30989==    by 0x8736B43: evas_object_image_data_set (evas_image.eo.c:741)
    ==30989==    by 0x4820A4: e_comp_object_render (e_comp_object.c:3746)
    ==30989==    by 0x477B92: _e_comp_object_pixels_get (e_comp_object.c:909)
    ==30989==    by 0x872CF52: evas_process_dirty_pixels 
(evas_object_image.c:3154)
    ==30989==    by 0x872DD16: _evas_image_render (evas_object_image.c:3389)
    ==30989==    by 0x872DB01: evas_object_image_render 
(evas_object_image.c:3351)
    ==30989==    by 0x879C524: evas_render_mapped (evas_render.c:1802)
    ==30989==    by 0x879E82A: evas_render_updates_internal_loop 
(evas_render.c:2380)
    ==30989==    by 0x87A005D: evas_render_updates_internal (evas_render.c:2770)
    ==30989==    by 0x87A140D: evas_render_updates_internal_wait 
(evas_render.c:3122)
    ==30989==    by 0x87A1502: _evas_canvas_render_updates (evas_render.c:3144)
    ==30989==    by 0x871ED0D: evas_canvas_render_updates (evas_canvas.eo.c:354)
    ==30989==    by 0x8720C5F: evas_render_updates (evas_canvas.eo.c:1089)
    ==30989==    by 0x22F65C35: _ecore_evas_drm_render (ecore_evas_drm.c:1072)
    ==30989==    by 0x7416F7B: _ecore_evas_idle_enter (ecore_evas.c:172)
    ==30989==    by 0xDDE3577: _ecore_call_task_cb (ecore_private.h:282)
    ==30989==    by 0xDDE3A5E: _ecore_idle_enterer_call 
(ecore_idle_enterer.c:174)
    ==30989==    by 0xDDE836B: _ecore_main_loop_iterate_internal 
(ecore_main.c:2261)
    ==30989==    by 0xDDE67B8: ecore_main_loop_begin (ecore_main.c:1284)
    ==30989==    by 0x4407B6: main (e_main.c:1087)
    ==30989==  Address 0x23a9e1d2 is 338 bytes inside a block of size 552 free'd
    ==30989==    at 0x4C29E00: free (vg_replace_malloc.c:530)
    ==30989==    by 0x882B2E2: _evas_common_rgba_image_delete 
(evas_image_main.c:343)
    ==30989==    by 0x87B1E17: _evas_cache_image_entry_delete 
(evas_cache_image.c:205)
    ==30989==    by 0x87B3C52: evas_cache_image_drop (evas_cache_image.c:950)
    ==30989==    by 0x23BA90F5: evas_gl_common_image_free (evas_gl_image.c:722)
    ==30989==    by 0x23B80DA1: eng_image_data_put (evas_engine.c:988)
    ==30989==    by 0x872681A: _evas_image_data_set (evas_object_image.c:1264)
    ==30989==    by 0x87360B5: evas_obj_image_data_set (evas_image.eo.c:236)
    ==30989==    by 0x8736B43: evas_object_image_data_set (evas_image.eo.c:741)
    ==30989==    by 0x4820A4: e_comp_object_render (e_comp_object.c:3746)
    ==30989==    by 0x477B92: _e_comp_object_pixels_get (e_comp_object.c:909)
    ==30989==    by 0x872CF52: evas_process_dirty_pixels 
(evas_object_image.c:3154)
    ==30989==    by 0x872DD16: _evas_image_render (evas_object_image.c:3389)
    ==30989==    by 0x872DB01: evas_object_image_render 
(evas_object_image.c:3351)
    ==30989==    by 0x879C524: evas_render_mapped (evas_render.c:1802)
    ==30989==    by 0x879E82A: evas_render_updates_internal_loop 
(evas_render.c:2380)
    ==30989==    by 0x87A005D: evas_render_updates_internal (evas_render.c:2770)
    ==30989==    by 0x87A140D: evas_render_updates_internal_wait 
(evas_render.c:3122)
    ==30989==    by 0x87A1502: _evas_canvas_render_updates (evas_render.c:3144)
    ==30989==    by 0x871ED0D: evas_canvas_render_updates (evas_canvas.eo.c:354)
    ==30989==    by 0x8720C5F: evas_render_updates (evas_canvas.eo.c:1089)
    ==30989==    by 0x22F65C35: _ecore_evas_drm_render (ecore_evas_drm.c:1072)
    ==30989==    by 0x7416F7B: _ecore_evas_idle_enter (ecore_evas.c:172)
    ==30989==    by 0xDDE3577: _ecore_call_task_cb (ecore_private.h:282)
    ==30989==    by 0xDDE3A5E: _ecore_idle_enterer_call 
(ecore_idle_enterer.c:174)
    ==30989==    by 0xDDE836B: _ecore_main_loop_iterate_internal 
(ecore_main.c:2261)
    ==30989==    by 0xDDE67B8: ecore_main_loop_begin (ecore_main.c:1284)
    ==30989==    by 0x4407B6: main (e_main.c:1087)
    ==30989==  Block was alloc'd at
    ==30989==    at 0x4C2AA98: calloc (vg_replace_malloc.c:711)
    ==30989==    by 0x882B0A0: _evas_common_rgba_image_new 
(evas_image_main.c:295)
    ==30989==    by 0x87B1F1B: _evas_cache_image_entry_new 
(evas_cache_image.c:253)
    ==30989==    by 0x87B4170: evas_cache_image_data (evas_cache_image.c:1079)
    ==30989==    by 0x23BA7EDE: evas_gl_common_image_new_from_data 
(evas_gl_image.c:333)
    ==30989==    by 0x23B7F972: eng_image_new_from_data (evas_engine.c:531)
    ==30989==    by 0x23B80D81: eng_image_data_put (evas_engine.c:984)
    ==30989==    by 0x872681A: _evas_image_data_set (evas_object_image.c:1264)
    ==30989==    by 0x87360B5: evas_obj_image_data_set (evas_image.eo.c:236)
    ==30989==    by 0x8736B43: evas_object_image_data_set (evas_image.eo.c:741)
    ==30989==    by 0x4820A4: e_comp_object_render (e_comp_object.c:3746)
    ==30989==    by 0x477B92: _e_comp_object_pixels_get (e_comp_object.c:909)
    ==30989==    by 0x872CF52: evas_process_dirty_pixels 
(evas_object_image.c:3154)
    ==30989==    by 0x872DD16: _evas_image_render (evas_object_image.c:3389)
    ==30989==    by 0x872DB01: evas_object_image_render 
(evas_object_image.c:3351)
    ==30989==    by 0x879C524: evas_render_mapped (evas_render.c:1802)
    ==30989==    by 0x879E82A: evas_render_updates_internal_loop 
(evas_render.c:2380)
    ==30989==    by 0x87A005D: evas_render_updates_internal (evas_render.c:2770)
    ==30989==    by 0x87A140D: evas_render_updates_internal_wait 
(evas_render.c:3122)
    ==30989==    by 0x87A1502: _evas_canvas_render_updates (evas_render.c:3144)
    ==30989==    by 0x871ED0D: evas_canvas_render_updates (evas_canvas.eo.c:354)
    ==30989==    by 0x8720C5F: evas_render_updates (evas_canvas.eo.c:1089)
    ==30989==    by 0x22F65C35: _ecore_evas_drm_render (ecore_evas_drm.c:1072)
    ==30989==    by 0x7416F7B: _ecore_evas_idle_enter (ecore_evas.c:172)
    ==30989==    by 0xDDE3577: _ecore_call_task_cb (ecore_private.h:282)
    ==30989==    by 0xDDE3A5E: _ecore_idle_enterer_call 
(ecore_idle_enterer.c:174)
    ==30989==    by 0xDDE836B: _ecore_main_loop_iterate_internal 
(ecore_main.c:2261)
    ==30989==    by 0xDDE67B8: ecore_main_loop_begin (ecore_main.c:1284)
    ==30989==    by 0x4407B6: main (e_main.c:1087)
---
 src/modules/evas/engines/gl_common/evas_gl_image.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/modules/evas/engines/gl_common/evas_gl_image.c 
b/src/modules/evas/engines/gl_common/evas_gl_image.c
index e62cfdc..502ef91 100644
--- a/src/modules/evas/engines/gl_common/evas_gl_image.c
+++ b/src/modules/evas/engines/gl_common/evas_gl_image.c
@@ -712,6 +712,7 @@ evas_gl_common_image_free(Evas_GL_Image *im)
      {
         if (_evas_gl_image_cache_add(im)) return;
      }
+   if (im->tex) evas_gl_common_texture_free(im->tex, EINA_TRUE);
    if (im->im)
      {
 #ifdef EVAS_CSERVE2
@@ -721,7 +722,6 @@ evas_gl_common_image_free(Evas_GL_Image *im)
 #endif
           evas_cache_image_drop(&im->im->cache_entry);
      }
-   if (im->tex) evas_gl_common_texture_free(im->tex, EINA_TRUE);
 
    free(im);
 }

-- 


Reply via email to