Bug 82279 - [bisected] double free or corruption on context destruction with postprocessing enabled
Status: RESOLVED FIXED
Alias: None
Product: Mesa
Classification: Unclassified
Component: Drivers/Gallium/radeonsi
Version: git
Hardware: x86-64 (AMD64) Linux (All)
Importance: medium normal
Assignee: Default DRI bug account
Keywords: bisected
Reported: 2014-08-07 05:12 UTC by Itzamna
Modified: 2016-06-15 11:56 UTC
Attachments
GDB backtrace of Dosbox crash. (3.20 KB, text/plain)
2014-08-07 05:12 UTC, Itzamna
GDB full backtrace of Dosbox crash. (9.71 KB, text/plain)
2014-08-07 05:15 UTC, Itzamna

Description Itzamna 2014-08-07 05:12:15 UTC
Created attachment 104195
GDB backtrace of Dosbox crash.

Overview:
    SDL applications crash when changing video mode; "corrupted double-linked list" and "double free or corruption" are printed to stderr. The applications tested are Dosbox and Enemy Territory: Quake Wars.

Steps to reproduce:
    1) Install an abandonware game such as Commander Keen 4 
    2) Run it in Dosbox
    3) Depending on the game, press a key to start the game proper

Actual results:
    The application crashes upon changing video mode.

Expected results:
    The application changes video mode without causing a crash.

Build date and platform:
    Build date of all components: 2014-08-07
    Platform: Gentoo GNU/Linux x86_64
    Linux kernel version: 3.16

Additional information:
    Bisecting revealed the culprit commit to be "58d2afa2232060b88f9c444ce7a0d6e63c841bb2: radeonsi: fix leaking the bound state on destruction v2". See attachments for backtraces.
Comment 1 Itzamna 2014-08-07 05:15:30 UTC
Created attachment 104196
GDB full backtrace of Dosbox crash.
Comment 2 Itzamna 2014-08-07 05:28:23 UTC
Some additional information: the crash (obviously) only occurs when Dosbox uses OpenGL rendering. For this, 'output=opengl' or 'output=openglnb' needs to be set in ~/${USER}/.dosbox/dosbox-${VERSION}.conf.
Comment 3 Michel Dänzer 2014-08-07 06:01:19 UTC
AFAICT this only happens if postprocessing is enabled via one of the pp_* driconf options or environment variables.

(In reply to comment #0)
>     Bisecting revealed the culprit commit to be
> "58d2afa2232060b88f9c444ce7a0d6e63c841bb2: radeonsi: fix leaking the bound
> state on destruction v2".

Christian, any ideas?
Comment 4 Christian König 2014-08-07 06:44:58 UTC
(In reply to comment #3)
> AFAICT this only happens if postprocessing is enabled via one of the pp_*
> driconf options or environment variables.
> 
> (In reply to comment #0)
> >     Bisecting revealed the culprit commit to be
> > "58d2afa2232060b88f9c444ce7a0d6e63c841bb2: radeonsi: fix leaking the bound
> > state on destruction v2".
> 
> Christian, any ideas?

That looks like a bug in the post processing cleanup to me. The context the shaders belong to is destroyed before pp_free is called to destroy the shaders created from that context.

Since the bisected patch explicitly destroys all bound shaders of a context if the context is destroyed we get a double free of the shader.
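
The teardown ordering described in comment 4, modelled in C as an added example (not part of the original thread and not Mesa code). Every `toy_*` name is hypothetical, and a counter stands in for `free()` so the second release can be observed instead of crashing the process.

```c
/* Toy model of the lifetime bug from comment 4. All toy_* names are
 * hypothetical illustrations; none of this is Mesa or radeonsi code. */
#include <stdio.h>
#include <stddef.h>

struct toy_shader { int destroy_calls; };      /* counts releases instead of free() */
struct toy_ctx    { struct toy_shader *bound; int alive; };
struct toy_pp     { struct toy_ctx *ctx; struct toy_shader *shader; };

static int stale_ctx_uses;   /* releases issued through an already destroyed context */

static void toy_shader_destroy(struct toy_ctx *ctx, struct toy_shader *s)
{
    if (!ctx->alive)
        stale_ctx_uses++;    /* in a real driver: use of a freed context */
    if (ctx->bound == s)
        ctx->bound = NULL;   /* unbind before release */
    s->destroy_calls++;      /* in a real driver: free(s) */
}

/* Context destruction releases whatever is still bound, which is the
 * behaviour comment 4 attributes to the bisected commit. */
static void toy_ctx_destroy(struct toy_ctx *ctx)
{
    if (ctx->bound)
        toy_shader_destroy(ctx, ctx->bound);
    ctx->alive = 0;
}

/* Post-processing cleanup releases the shader it created from ctx. */
static void toy_pp_free(struct toy_pp *pp)
{
    toy_shader_destroy(pp->ctx, pp->shader);
    pp->shader = NULL;
}

/* Runs one teardown and returns how many times the shader was released. */
static int run_teardown(int pp_first)
{
    struct toy_shader sh = { 0 };
    struct toy_ctx ctx = { &sh, 1 };
    struct toy_pp pp = { &ctx, &sh };

    stale_ctx_uses = 0;
    if (pp_first) { toy_pp_free(&pp); toy_ctx_destroy(&ctx); }
    else          { toy_ctx_destroy(&ctx); toy_pp_free(&pp); }
    return sh.destroy_calls;
}
```

In this model, destroying the context first releases the still-bound shader and `toy_pp_free` then releases it a second time through a dead context; running the post-processing cleanup first leaves nothing bound, so each shader is released once.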
Comment 5 Itzamna 2014-08-07 13:49:10 UTC
I can now confirm that the crash only occurs with postprocessing enabled through driconf. Apparently, there was still a .drirc present on my /home partition from an earlier installation that had the 'pp_jimenezmlaa' and 'force_s3tc_enable' options enabled. Resetting .drirc to defaults allows me to run all SDL applications normally.
Comment 6 Christian König 2016-06-15 11:56:24 UTC
I think that issue is fixed by now. Any objections to closing this bug?

