https://bugs.freedesktop.org/show_bug.cgi?id=75279

--- Comment #33 from Benoit Jacob ---
The stack to the free() points to line 203 here, while the stack to where the
free'd data is subsequently used points to line 205 here:

http://cgit.freedesktop.org/mesa/mesa/tree/src/gallium/drivers/nouveau/nouveau_fence.c?id=ce6dd69697ae62d9336bbd4f5808bc4d75cdcc04#n203

   if (fence == screen->fence.current)
      nouveau_fence_next(screen);

   do {
      nouveau_fence_update(screen, FALSE);  // <--- free here!

      if (fence->state == NOUVEAU_FENCE_STATE_SIGNALLED) // <-- use-after-free
         return TRUE;

So it seems like nouveau_fence_update (which was apparently inlined) destroys
the fence object... do you need to call nouveau_fence_ref() to keep it alive?
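
Added example (not part of the original comment and not Mesa code): a toy refcounted fence showing the pattern the comment asks about, where an update step drops the pending list's reference and the waiter pins the object first so the later state read is on live memory. All type and function names are hypothetical, and it assumes the pending list holds exactly one reference per fence.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Toy model (constructed); all names are hypothetical, not Mesa's API. */
enum fence_state { FENCE_EMITTED, FENCE_SIGNALLED };

struct fence { int ref; enum fence_state state; struct fence *next; };
/* The pending list (head) owns one reference per fence. */
struct screen { struct fence *head; int destroyed; };

static void fence_unref(struct screen *s, struct fence *f)
{
    if (--f->ref == 0) { free(f); s->destroyed++; }
}

static struct fence *fence_emit(struct screen *s)
{
    struct fence *f = calloc(1, sizeof *f);
    if (!f) abort();
    f->ref = 1;              /* the pending list's reference */
    f->next = s->head;
    s->head = f;
    return f;
}

/* Update step: signal every pending fence, unlink it and drop the list's
 * reference. If that was the only reference, the fence is freed here. */
static void fence_update(struct screen *s)
{
    while (s->head) {
        struct fence *f = s->head;
        s->head = f->next;
        f->state = FENCE_SIGNALLED;
        fence_unref(s, f);
    }
}

/* Wait that pins the fence across the update, so the state read happens on
 * live memory. Without the ref++ that read would be a use-after-free. */
static bool fence_wait_pinned(struct screen *s, struct fence *f)
{
    f->ref++;                /* pin: caller's temporary reference */
    fence_update(s);         /* drops only the list's reference */
    bool done = (f->state == FENCE_SIGNALLED);
    fence_unref(s, f);       /* last reference: the fence is freed here */
    return done;
}
```

Building the unpinned variant under AddressSanitizer (`-fsanitize=address`) reports the same free/use stack pair described in the comment.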