[Bug 58325] New: wined3d swapchain use-after-free
http://bugs.winehq.org/show_bug.cgi?id=58325

Bug ID: 58325
Summary: wined3d swapchain use-after-free
Product: Wine
Version: unspecified
Hardware: x86-64
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: d3d
Assignee: wine-bugs(a)winehq.org
Reporter: yshuiv7(a)gmail.com
Distribution: ---

Releasing the swapchain brings us to wined3d_swapchain_cleanup, which destroys the front/back buffer textures. Texture destruction is async, happening on the device's command stream. This means these textures can be destroyed way after the swapchain itself. But we did set `texture->swapchain` to `NULL` before queuing their destruction, so that bit is fine.

The problem is in texture_resource_unload. Here we try to acquire the context, which goes adapter_gl_acquire_context -> wined3d_context_gl_acquire -> wined3d_context_gl_activate -> wined3d_context_gl_update_window. And here we try to access `context_gl->c.swapchain->win_handle`, which unfortunately points to the swapchain that was just freed.

I am unsure what's the fix for this. Do we hold a refcount of the swapchain in the context? Do we clear `context->swapchain` when a swapchain is being freed? Should we release the front/back buffer synchronously? Or something else?

-- 
Do not reply to this email, post in Bugzilla using the above URL to reply.
You are receiving this mail because:
You are watching all bug changes.
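The ordering the report describes, as an added model in C. This is not wined3d source and not code from the reporter: the structs, the FIFO standing in for the command stream, the `destroyed` flag used instead of free(), and every function name are constructed for this example. It counts how often the deferred unload touches an already torn-down swapchain, and tries two of the candidate fixes the reporter lists (the context holding a reference on its swapchain, and clearing the context's swapchain pointer when the swapchain is destroyed).

```c
/* Constructed model of the lifetime ordering in the report above. Not wined3d
 * source: structs, names and the FIFO "command stream" are stand-ins for this
 * example. Teardown sets a destroyed flag instead of calling free(), so a stale
 * read can be counted rather than being undefined behaviour. */
#include <stdio.h>

#define CS_MAX 8

struct context;

struct swapchain {
    int refcount;
    int destroyed;              /* stands in for "memory has been freed" */
    unsigned long win_handle;   /* what context_update_window reads in the report */
    struct context *user;       /* set only for FIX_CLEAR_CONTEXT_POINTER */
};

struct texture {
    struct swapchain *swapchain; /* back pointer; cleared before the destroy is queued */
    int alive;
};

struct context {
    struct swapchain *swapchain; /* the context's current swapchain */
};

/* Command stream: texture destroys are queued here and executed later. */
struct cs {
    struct texture *pending[CS_MAX];
    int head, tail;
};

enum fix {
    FIX_NONE = 0,
    FIX_CONTEXT_HOLDS_REF = 1,     /* context keeps a reference on its swapchain */
    FIX_CLEAR_CONTEXT_POINTER = 2  /* swapchain detaches the context on destroy */
};

static int stale_swapchain_reads; /* reads of a destroyed swapchain */

static void swapchain_incref(struct swapchain *s) { ++s->refcount; }

static void swapchain_decref(struct swapchain *s)
{
    if (--s->refcount != 0)
        return;
    if (s->user)
        s->user->swapchain = NULL; /* FIX_CLEAR_CONTEXT_POINTER: detach before teardown */
    s->destroyed = 1;
    s->win_handle = 0;
}

/* Models acquire -> activate -> update_window, which dereferences
 * context->swapchain->win_handle. */
static unsigned long context_acquire(struct context *c)
{
    struct swapchain *s = c->swapchain;
    if (!s)
        return 0;
    if (s->destroyed)
        ++stale_swapchain_reads; /* in real code this is the use-after-free */
    return s->win_handle;
}

static void texture_resource_unload(struct context *c, struct texture *t)
{
    (void)context_acquire(c);
    t->alive = 0;
}

static void cs_queue_destroy(struct cs *cs, struct texture *t) { cs->pending[cs->tail++] = t; }

static void cs_execute(struct cs *cs, struct context *c)
{
    while (cs->head < cs->tail)
        texture_resource_unload(c, cs->pending[cs->head++]);
}

/* swapchain_cleanup as described: clear the textures' back pointers, queue
 * their destruction, then drop the swapchain's own reference. */
static void swapchain_cleanup(struct cs *cs, struct swapchain *s, struct texture *bufs, int n)
{
    for (int i = 0; i < n; ++i) {
        bufs[i].swapchain = NULL;
        cs_queue_destroy(cs, &bufs[i]);
    }
    swapchain_decref(s);
}

/* Runs release -> deferred destroy -> context re-acquire and returns how many
 * times the context touched an already destroyed swapchain. */
int run_scenario(enum fix fix)
{
    struct swapchain sc = { .refcount = 1, .win_handle = 0x1234 };
    struct texture bufs[2] = { { &sc, 1 }, { &sc, 1 } };
    struct context ctx = { &sc };
    struct cs cs = { { 0 }, 0, 0 };

    stale_swapchain_reads = 0;
    if (fix == FIX_CONTEXT_HOLDS_REF)
        swapchain_incref(&sc);
    if (fix == FIX_CLEAR_CONTEXT_POINTER)
        sc.user = &ctx;

    swapchain_cleanup(&cs, &sc, bufs, 2); /* swapchain released, destroys still pending */
    cs_execute(&cs, &ctx);                 /* deferred unloads run and re-acquire ctx */

    if (fix == FIX_CONTEXT_HOLDS_REF) {    /* context lets go of the swapchain last */
        ctx.swapchain = NULL;
        swapchain_decref(&sc);
    }
    return stale_swapchain_reads;
}

int main(void)
{
    printf("no fix:                %d stale reads\n", run_scenario(FIX_NONE));
    printf("context holds ref:     %d stale reads\n", run_scenario(FIX_CONTEXT_HOLDS_REF));
    printf("clear context pointer: %d stale reads\n", run_scenario(FIX_CLEAR_CONTEXT_POINTER));
    return 0;
}
```

With no fix the two deferred unloads both read the released swapchain through the context; either fix brings that to zero in this model. The model only encodes the sequence the report states; it does not capture the timing between the release and the command stream, and comment #3 below notes that this explanation was later disputed, so treat it as the reporter's hypothesis rather than the confirmed cause.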
http://bugs.winehq.org/show_bug.cgi?id=58325

Bernhard Übelacker <bernhardu(a)mailbox.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bernhardu(a)mailbox.org

--- Comment #1 from Bernhard Übelacker <bernhardu(a)mailbox.org> ---
Just in case this is of any help, this is the (regular) ASan report for it:
https://gitlab.winehq.org/bernhardu/wine/-/blob/5c01131e61811f903f9857404319...
http://bugs.winehq.org/show_bug.cgi?id=58325

--- Comment #2 from Bernhard Übelacker <bernhardu@mailbox.org> ---
After seeing you closed your merge request [1], I tried to drop it in my gitlab runs, but unfortunately it still pops out here [2].

[1] https://gitlab.winehq.org/wine/wine/-/merge_requests/8406
[2] https://gitlab.winehq.org/bernhardu/wine/-/jobs/230557#L4216
http://bugs.winehq.org/show_bug.cgi?id=58325

--- Comment #3 from Yuxuan Shui <yshuiv7@gmail.com> ---
Whoops, I guess I closed it prematurely. I haven't looked at it for a while. I still don't know the mechanism of this bug; my previous explanations were shot down by Zeb and she was right. Must be some convoluted race conditions...
http://bugs.winehq.org/show_bug.cgi?id=58325

--- Comment #4 from Yuxuan Shui <yshuiv7@gmail.com> ---
I just tried it again and didn't see this anymore. Do you see the same?
http://bugs.winehq.org/show_bug.cgi?id=58325

Stian Low <wineryyyyy@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |wineryyyyy@gmail.com

--- Comment #5 from Stian Low <wineryyyyy@gmail.com> ---
(In reply to Yuxuan Shui from comment #4)
> I just tried it again and didn't see this anymore. Do you see the same?

Race condition behavior seemed to sometimes cause the swapchain tests for d3d10/11 to lock up or crash for wine-11-11:
https://gitlab.winehq.org/wine/wine/-/merge_requests/10567/#note_143871

Adding Sleep() to some parts of wined3d exposed race conditions. I plan to add tests to reproduce this and identify the wined3d parts which may need extra safety mechanisms.