Minimal testcase: Have window-mocker, recordmydesktop and compiz installed. Create a file mock with this content: {"Menu": [{"Menu": ["Open", "Save", "Save As", "Quit"], "Title": "File"}, {"Menu": ["Help 1", "Help 2", "Help 3", "Help 4"], "Title": "Help"}], "Contents": "TextEdit"} start recordmydesktop with compiz enabled: /usr/bin/recordmydesktop --no-sound --no-frame -o /dev/null start window-mocker: /usr/bin/python /usr/bin/window-mocker -testability mock Kill window mocker, the xserver will crash.
glamor-egl 0.5.1 crashes, git no longer crashes, but valgrind shows it still reads freed memory. git also breaks glxinfo with LIBGL_ALWAYS_INDIRECT=1
Some more poking, it seems someone is changing drawable around.. create picture 0x1cd457e0, with drawable 0x1327d1f0 (some log spam removed, involving correct picture and drawable) destroy picture 0x1cd457e0, with drawable 0x1cd65820 and private 0x1cd658e0 0 (nil) Then finally, at the end when valgrind blows up, I get this: Obtaining format for pixmap 0x1327d1f0 and picture 0x1cd457e0 ==7989== Invalid read of size 4 ==7989== at 0x8CAA0CA: glamor_get_tex_format_type_from_pixmap (glamor_utils.h:1252) ==7989== by 0x8CAD1B7: glamor_download_sub_pixmap_to_cpu (glamor_pixmap.c:1074) ==7989== by 0x8CA8BB7: _glamor_get_image (glamor_getimage.c:66) ==7989== by 0x8CA8D2F: glamor_get_image (glamor_getimage.c:92) ==7989== by 0x29AEF2: miSpriteGetImage (misprite.c:413) ==7989== by 0x1E7674: compGetImage (compinit.c:148) ==7989== by 0x1F5E5B: ProcShmGetImage (shm.c:684) ==7989== by 0x1F686F: ProcShmDispatch (shm.c:1121) ==7989== by 0x15D00D: Dispatch (dispatch.c:432) ==7989== by 0x14C569: main (main.c:298) ==7989== Address 0x1cd457f0 is 16 bytes inside a block of size 120 free'd ==7989== at 0x4C2B60C: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==7989== by 0x228897: FreePicture (picture.c:1477) ==7989== by 0x228B23: PictureDestroyWindow (picture.c:73) ==7989== by 0x234C19: damageDestroyWindow (damage.c:1646) ==7989== by 0x1E92C0: compDestroyWindow (compwindow.c:590) ==7989== by 0x20FF85: DbeDestroyWindow (dbe.c:1389) ==7989== by 0x185D46: FreeWindowResources (window.c:907) ==7989== by 0x1889A7: DeleteWindow (window.c:975) ==7989== by 0x17EBF1: doFreeResource (resource.c:873) ==7989== by 0x17FC1B: FreeClientResources (resource.c:1139) ==7989== by 0x15C4DE: CloseDownClient (dispatch.c:3402) ==7989== by 0x2AB843: CheckConnections (connection.c:1008) ==7989== (II) fail to get matched format for dfdfdfdf I guess the method of obtaining pixmap from a window drawable may result in not always returning the same pixmap, causing this bug...
Created attachment 88619 [details] [review] fixup picture in SetWindowPixmap I found a fix, if I update the pixmap in SetWindowPixmap the testcase doesn't crash.
(In reply to comment #3) > Created attachment 88619 [details] [review] [review] > fixup picture in SetWindowPixmap > > I found a fix, if I update the pixmap in SetWindowPixmap the testcase > doesn't crash. Good catch! Could you rebase your patch with git master and send it to the glamor mail list: glamor@lists.freedesktop.org. Please use git format-patch to generate the patch. Thanks.
(In reply to comment #3) > Created attachment 88619 [details] [review] [review] > fixup picture in SetWindowPixmap > > I found a fix, if I update the pixmap in SetWindowPixmap the testcase > doesn't crash. I just pushed your patch. Could you have a try with the git master version? And if everything is ok, please close this bug. Thanks.
Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.