I think the problem is _DrawArrays points to a deleted VAO, because we don't reset _DrawArrays to NULL. The attached patch should fix it. Please review.
Marek

On Mon, Apr 15, 2013 at 7:56 PM, Fredrik Höglund <[email protected]> wrote:
> Otherwise gl_array_attrib::_DrawArrays can end up pointing at free'd
> memory when the array object is deleted.
>
> Note: This is a candidate for the stable branches.
> ---
>
> The slightly longer explanation is that the mesa state tracker accesses
> _DrawArrays during state validation, and state validation can be
> triggered between draw calls. So the following sequence of calls will
> result in a segfault if the VAO being deleted is the VAO that was used
> in the last draw call:
>
> glDeleteVertexArrays(...);
> glClear();
>
> src/mesa/main/context.c | 1 +
> src/mesa/main/mtypes.h | 5 +++++
> src/mesa/vbo/vbo_exec_array.c | 3 +++
> 3 files changed, 9 insertions(+)
>
> diff --git a/src/mesa/main/context.c b/src/mesa/main/context.c > index d77740e..a03a22d 100644 > --- a/src/mesa/main/context.c > +++ b/src/mesa/main/context.c > @@ -1160,6 +1160,7 @@ _mesa_free_context_data( struct gl_context *ctx ) > > _mesa_reference_array_object(ctx, &ctx->Array.ArrayObj, NULL); > _mesa_reference_array_object(ctx, &ctx->Array.DefaultArrayObj, NULL); > + _mesa_reference_array_object(ctx, &ctx->Array.DrawArrayObj, NULL); > > _mesa_free_attrib_data(ctx); > _mesa_free_buffer_objects(ctx); > diff --git a/src/mesa/main/mtypes.h b/src/mesa/main/mtypes.h > index e46fa39..6fb5c79 100644 > --- a/src/mesa/main/mtypes.h > +++ b/src/mesa/main/mtypes.h > @@ -1555,6 +1555,11 @@ struct gl_array_attrib > * Vertex arrays as consumed by a driver. > * The array pointer is set up only by the VBO module. */ > const struct gl_client_array **_DrawArrays; /**< 0..VERT_ATTRIB_MAX-1 > */ > + > + /** > + * The vertex array object that contains the arrays pointed to by > _DrawArrays. > + */ > + struct gl_array_object *DrawArrayObj; > }; > > > diff --git a/src/mesa/vbo/vbo_exec_array.c b/src/mesa/vbo/vbo_exec_array.c > index 7e61f7b..2bcf1b4 100644 > --- a/src/mesa/vbo/vbo_exec_array.c > +++ b/src/mesa/vbo/vbo_exec_array.c 
> @@ -35,6 +35,7 @@ > #include "main/enums.h" > #include "main/macros.h" > #include "main/transformfeedback.h" > +#include "main/arrayobj.h" > > #include "vbo_context.h" > > @@ -499,6 +500,8 @@ vbo_bind_arrays(struct gl_context *ctx) > > vbo_draw_method(vbo, DRAW_ARRAYS); > > + _mesa_reference_array_object(ctx, &ctx->Array.DrawArrayObj, > ctx->Array.ArrayObj); > + > if (exec->array.recalculate_inputs) { > recalculate_input_bindings(ctx); > > -- > 1.7.10.4 > > _______________________________________________ > mesa-dev mailing list > [email protected] > http://lists.freedesktop.org/mailman/listinfo/mesa-dev >
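Review bot: The context.c hunk makes context destruction the only place `ctx->Array.DrawArrayObj` is released, so after `glDeleteVertexArrays()` the deleted VAO is not actually freed until the next `vbo_bind_arrays()` call rebinds the field (or the context goes away). That is what closes the use-after-free in the `glDeleteVertexArrays(); glClear();` sequence, but it is also a behaviour change worth stating in the commit message: deletion of the most recently drawn VAO is deferred to the next draw. The reply above proposes the alternative of resetting `_DrawArrays` to NULL when the VAO is deleted instead of holding a reference; whichever is chosen, please say which one and why, since the two have different lifetime implications for the VAO and whatever its arrays point at.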
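Review bot: In the mtypes.h hunk the new field should document that it holds a counted reference, because that is the reason it exists: "The vertex array object that contains the arrays pointed to by _DrawArrays" reads as a plain back-pointer, so a later reader could drop the `_mesa_reference_array_object()` call in favour of a bare assignment and silently reintroduce the bug. Something like "Holds a reference to the VAO whose arrays _DrawArrays points at, so the VAO cannot be freed while _DrawArrays is still consulted by state validation." would do. Also, the comment directly above `_DrawArrays` says that pointer "is set up only by the VBO module", and the leading underscore marks it as derived state; `DrawArrayObj` is set from the same place, so `_DrawArrayObj` would be the consistent name. The line breaks inside `/**< 0..VERT_ATTRIB_MAX-1 > */` and the new doc comment look like mail wrapping; please confirm the attached patch file itself is intact.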
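Review bot: In the second vbo_exec_array.c hunk, `_mesa_reference_array_object(ctx, &ctx->Array.DrawArrayObj, ctx->Array.ArrayObj)` now runs on every draw call. Unless the helper already returns early when the stored pointer equals the new one, this puts a refcount decrement and increment on the hot path for the common case of drawing the same VAO repeatedly; guarding the call with `if (ctx->Array.DrawArrayObj != ctx->Array.ArrayObj)` keeps the cost at a single pointer compare, or note in the commit message that the helper handles that case itself. Separately, please confirm that `vbo_bind_arrays()` is the only path that points `_DrawArrays` into a VAO's arrays; if any other VBO path does so, that path needs the same reference or the original crash remains reachable through it.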
0001-mesa-fix-use-after-free-with-a-stale-pointer-in-_Dra.patch