If a frame callback is not destroyed when destroying a surface, its handler function will be invoked if the surface was destroyed after the callback was requested but before it was invoked, causing a write on freed memory.
This can happen if eglDestroySurface() is called shortly after eglSwapBuffers(). --- Hi, This is one part of a two-part fix. Further explanation can be found here: http://lists.freedesktop.org/archives/wayland-devel/2012-October/006021.html Jonas src/egl/drivers/dri2/platform_wayland.c | 3 +++ src/gallium/state_trackers/egl/wayland/native_wayland.c | 3 +++ 2 files changed, 6 insertions(+) diff --git a/src/egl/drivers/dri2/platform_wayland.c b/src/egl/drivers/dri2/platform_wayland.c index 9153ef9..1c0ab38 100644 --- a/src/egl/drivers/dri2/platform_wayland.c +++ b/src/egl/drivers/dri2/platform_wayland.c @@ -213,6 +213,9 @@ dri2_destroy_surface(_EGLDriver *drv, _EGLDisplay *disp, _EGLSurface *surf) dri2_surf->third_buffer); } + if (dri2_surf->frame_callback) + wl_callback_destroy(dri2_surf->frame_callback); + free(surf); return EGL_TRUE; diff --git a/src/gallium/state_trackers/egl/wayland/native_wayland.c b/src/gallium/state_trackers/egl/wayland/native_wayland.c index 62c87f3..560e40d 100644 --- a/src/gallium/state_trackers/egl/wayland/native_wayland.c +++ b/src/gallium/state_trackers/egl/wayland/native_wayland.c @@ -355,6 +355,9 @@ wayland_surface_destroy(struct native_surface *nsurf) wl_buffer_destroy(surface->buffer[buffer]); } + if (surface->frame_callback) + wl_callback_destroy(surface->frame_callback); + resource_surface_destroy(surface->rsurf); FREE(surface); } -- 1.7.10.4
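Review bot: the new frame_callback check in dri2_destroy_surface() (platform_wayland.c, just ahead of free(surf)) carries no comment saying why it has to run before the free. The reason, that a pending frame callback's handler would otherwise fire after the surface is gone and write to freed memory, is stated only in the commit message. A one-line comment above the if would keep that ordering constraint visible to whoever next touches the teardown path, and would discourage moving the destroy below free(surf).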
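Review bot: in wayland_surface_destroy() (native_wayland.c) surface->frame_callback is left pointing at the destroyed proxy while resource_surface_destroy(surface->rsurf) still runs before FREE(surface). Nothing in the visible lines reads the field again, but setting it to NULL right after wl_callback_destroy() would make that window explicitly safe. The same three-line cleanup is also repeated verbatim in the dri2 hunk, and the message calls this one part of a two-part fix, so it would help to say in the commit message what the other part covers and whether these two destroy paths are the only ones that free a surface with a callback outstanding.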