From: bugzilla-daemon-CC+yJ3UmIYqDUpFQwHEjaQ@public.gmane.org
Subject: [Bug 75279] XCloseDisplay() takes one minute around nouveau_dri.so, freezing Firefox startup
Date: Wed, 05 Mar 2014 20:46:25 +0000
To: nouveau-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW@public.gmane.org
List-Id: nouveau.vger.kernel.org

https://bugs.freedesktop.org/show_bug.cgi?id=75279

--- Comment #35 from Ilia Mirkin ---

(In reply to comment #33)
> The stack to the free() points to line 203 here, while the stack to where
> the free'd data is subsequently used points to line 205 here:
>
> http://cgit.freedesktop.org/mesa/mesa/tree/src/gallium/drivers/nouveau/nouveau_fence.c?id=ce6dd69697ae62d9336bbd4f5808bc4d75cdcc04#n203
>
>    if (fence == screen->fence.current)
>       nouveau_fence_next(screen);
>
>    do {
>       nouveau_fence_update(screen, FALSE);  // <--- free here!
>
>       if (fence->state == NOUVEAU_FENCE_STATE_SIGNALLED) // <-- use-after-free
>          return TRUE;
>
> So it seems like nouveau_fence_update (which was apparently inlined)
> destroys the fence object... do you need to call nouveau_fence_ref() to keep
> it alive?

This code is rather confusing. You have to keep in mind how it's used, which
among other things is from the kick handler. I tried to fix it up with

http://cgit.freedesktop.org/mesa/mesa/commit/?id=ce6dd69697ae62d9336bbd4f5808bc4d75cdcc04

But I guess it was insufficient? I have an odd recollection that I felt like
the stuff in the context destroy was suspect, but I don't remember how. Since
it wasn't directly related to my problem, I left it alone (esp since I was
going under the assumption that it would only be triggered on exit, in which
case it's harder to care). Unfortunately it was a long enough time ago that
I've lost my context on this. I'm guessing that the key here is that there are
multiple contexts and one screen. (Someone should confirm that to be the case.)

-- 
You are receiving this mail because:
You are the assignee for the bug.
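The lifetime problem in the quoted loop is easier to see on a small model than in the driver itself. The block below is an added example, not code from Mesa or from this bug's participants: it models a screen-wide list of refcounted fences (`struct screen`, `struct fence`, `fence_update`, `wait_without_ref`, `wait_with_ref` and `run_demo` are all hypothetical names constructed here) in which the update step drops the list's reference to every fence that has completed. `wait_without_ref` has the shape of the quoted `do { nouveau_fence_update(...); if (fence->state == ...) }` loop and reads the fence after the update may have released it; `wait_with_ref` takes the extra reference the comment asks about and releases it only after the last read. To keep the stale read observable and deterministic, fences come from a fixed pool and "free" poisons the slot with a sentinel state instead of returning memory to the allocator, which is the same idea as AddressSanitizer's quarantine; with a real allocator the read is undefined behaviour and what you see depends on what happened to the chunk.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the pattern in the quoted loop (not Mesa's code): a
 * screen-wide list of refcounted fences, where updating the list may drop the
 * last reference to the very fence the caller is still about to read. */
enum fence_state { FENCE_EMITTED, FENCE_SIGNALLED, FENCE_FREED };

struct fence {
    int refcount;
    uint32_t sequence;          /* hypothetical GPU sequence number */
    enum fence_state state;
    struct fence *next;
    bool in_use;                /* pool slot allocated? */
};

struct screen {
    uint32_t hw_completed;      /* highest sequence the simulated GPU finished */
    struct fence *pending;      /* the list owns one reference per fence */
};

#define POOL_SIZE 8
static struct fence pool[POOL_SIZE];
static int frees;

/* Poisoning free: the slot stays readable and carries FENCE_FREED, so a stale
 * read is observable here instead of being undefined behaviour. */
static void fence_free(struct fence *f) { f->state = FENCE_FREED; f->in_use = false; frees++; }
static void fence_ref(struct fence *f) { f->refcount++; }
static void fence_unref(struct fence *f) { if (--f->refcount == 0) fence_free(f); }

static struct fence *fence_new(struct screen *s, uint32_t seq) {
    for (int i = 0; i < POOL_SIZE; i++) {
        if (pool[i].in_use) continue;
        struct fence *f = &pool[i];
        memset(f, 0, sizeof *f);
        f->in_use = true;
        f->sequence = seq;
        f->state = FENCE_EMITTED;
        f->refcount = 1;        /* the pending list's reference */
        f->next = s->pending;
        s->pending = f;
        return f;
    }
    return NULL;
}

/* Signal every completed fence and drop the list's reference to it. If nobody
 * else holds one, the fence is freed right here, inside the update. */
static void fence_update(struct screen *s) {
    struct fence **pp = &s->pending;
    while (*pp) {
        struct fence *f = *pp;
        if (f->sequence <= s->hw_completed) {
            f->state = FENCE_SIGNALLED;
            *pp = f->next;
            fence_unref(f);
        } else {
            pp = &f->next;
        }
    }
}

/* Shape of the quoted loop: no reference of its own across fence_update(), so
 * the state check can land on a fence that the update just freed. */
static enum fence_state wait_without_ref(struct screen *s, struct fence *f) {
    for (;;) {
        s->hw_completed++;      /* simulate GPU progress */
        fence_update(s);
        if (f->state != FENCE_EMITTED)
            return f->state;    /* FENCE_FREED here is the use-after-free */
    }
}

/* Mitigation: pin the fence for the duration of the loop, release afterwards. */
static enum fence_state wait_with_ref(struct screen *s, struct fence *f) {
    enum fence_state seen;
    fence_ref(f);
    for (;;) {
        s->hw_completed++;
        fence_update(s);
        if (f->state == FENCE_SIGNALLED) break;
    }
    seen = f->state;
    fence_unref(f);             /* may free now; f is not touched afterwards */
    return seen;
}

/* Fresh screen with one outstanding fence; returns what the waiter observed. */
static enum fence_state run_demo(bool hold_ref) {
    struct screen s = { 0 };
    memset(pool, 0, sizeof pool);
    frees = 0;
    struct fence *f = fence_new(&s, 3);
    return hold_ref ? wait_with_ref(&s, f) : wait_without_ref(&s, f);
}

/* Number of fences released since the last run_demo(), for inspection. */
static int frees_so_far(void) { return frees; }
```

`run_demo(false)` returns `FENCE_FREED`: the list's reference was the only one, so the update freed the fence before the waiter read its state. `run_demo(true)` returns `FENCE_SIGNALLED` and the fence is released exactly once, after the waiter is done with it. The same check is what a sanitizer build of the real driver gives you: the free-site stack from inside the update and the use-site stack at the state read, as described in the quoted comment.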
_______________________________________________
Nouveau mailing list
Nouveau-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW@public.gmane.org
http://lists.freedesktop.org/mailman/listinfo/nouveau