Re: [PATCH v6 0/4] MR10992: ddraw: Allow attaching flip chain surfaces surfaces (for v1 surfaces).
Hello @gofman, it seems this commit triggers a new ASan report ([x86](https://gitlab.winehq.org/bernhardu/wine/-/jobs/272959#L2541), [x86_64](https://gitlab.winehq.org/bernhardu/wine/-/jobs/272960#L2532)).

By releasing `surface1` in line 6508 it looks like `backbuffer1` got released, too. Therefore the explicit release of `backbuffer1` in line 6510 triggers ASan.

Could this be related to the comment about increased reference counter in [line 6476](https://gitlab.winehq.org/wine/wine/-/blob/master/dlls/ddraw/tests/ddraw1.c?...

```
/* Looks like here is a ddraw bug here, when deleting a surface the next one in chain gets an extra reference. */
```

<details>
<summary>ASan x86 details</summary>

```
==ddraw_test.exe==988==ERROR: AddressSanitizer: heap-use-after-free on address 0x02311d50 at pc 0x0043d2b6 bp 0x0022f514 sp 0x0022f510
READ of size 4 at 0x02311d50 thread T0
    #0 0x0043d2b5 in test_surface_attachment /builds/bernhardu/wine/build64/../dlls/ddraw/tests/ddraw1.c:6510:11
    #1 0x004127c5 in func_ddraw1 /builds/bernhardu/wine/build64/../dlls/ddraw/tests/ddraw1.c:17101:5
    #2 0x0069e311 in run_test /builds/bernhardu/wine/build64/../include/wine/test.h:780:5
    #3 0x0069ddca in main /builds/bernhardu/wine/build64/../include/wine/test.h:900:12
    #4 0x006a0075 in mainCRTStartup /builds/bernhardu/wine/build64/../dlls/msvcrt/crt_main.c:70:11
    #5 0x7bcc35df in BaseThreadInitThunk (C:\windows\system32\kernel32.dll+0x7b8235df)
    #6 0x7be36b9a in call_thread_func_wrapper (C:\windows\system32\ntdll.dll+0x7bc46b9a)
    #7 0x7be3750a in call_thread_func /builds/bernhardu/wine/build64/../dlls/ntdll/signal_i386.c:502:9

0x02311d50 is located 16 bytes inside of 300-byte region [0x02311d40,0x02311e6c)
freed by thread T0 here:
    #0 0x766c5aab in free /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/compiler-rt/lib/asan/asan_malloc_win.cpp:78:3
    #1 0x78df7155 in ddraw_surface_wined3d_object_destroyed /builds/bernhardu/wine/build64/../dlls/ddraw/surface.c:6235:5
    #2 0x777af5d1 in wined3d_texture_sub_resources_destroyed /builds/bernhardu/wine/build64/../dlls/wined3d/texture.c:453:13
    #3 0x77633065 in adapter_gl_destroy_texture /builds/bernhardu/wine/build64/../dlls/wined3d/adapter_gl.c:4550:5
    #4 0x777aff81 in wined3d_texture_decref /builds/bernhardu/wine/build64/../dlls/wined3d/texture.c:724:9
    #5 0x78df2cef in ddraw_surface_cleanup /builds/bernhardu/wine/build64/../dlls/ddraw/surface.c:646:5
    #6 0x78df2ac2 in ddraw_surface_cleanup /builds/bernhardu/wine/build64/../dlls/ddraw/surface.c:625:13
    #7 0x78df270e in ddraw_surface_release_iface /builds/bernhardu/wine/build64/../dlls/ddraw/surface.c:678:9
    #8 0x78df69df in ddraw_surface1_Release /builds/bernhardu/wine/build64/../dlls/ddraw/surface.c:789:9
    #9 0x0043b21e in test_surface_attachment /builds/bernhardu/wine/build64/../dlls/ddraw/tests/ddraw1.c:6508:11
    #10 0x004127c5 in func_ddraw1 /builds/bernhardu/wine/build64/../dlls/ddraw/tests/ddraw1.c:17101:5
    #11 0x0069e311 in run_test /builds/bernhardu/wine/build64/../include/wine/test.h:780:5
    #12 0x0069ddca in main /builds/bernhardu/wine/build64/../include/wine/test.h:900:12
    #13 0x006a0075 in mainCRTStartup /builds/bernhardu/wine/build64/../dlls/msvcrt/crt_main.c:70:11
    #14 0x7bcc35df in BaseThreadInitThunk (C:\windows\system32\kernel32.dll+0x7b8235df)
    #15 0x7be36b9a in call_thread_func_wrapper (C:\windows\system32\ntdll.dll+0x7bc46b9a)
    #16 0x7be3750a in call_thread_func /builds/bernhardu/wine/build64/../dlls/ntdll/signal_i386.c:502:9

previously allocated by thread T0 here:
    #0 0x766c5cae in calloc /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/compiler-rt/lib/asan/asan_malloc_win.cpp:98:3
    #1 0x78deb031 in ddraw_texture_init /builds/bernhardu/wine/build64/../dlls/ddraw/surface.c:6546:25
    #2 0x78de9dc9 in ddraw_surface_create /builds/bernhardu/wine/build64/../dlls/ddraw/surface.c:7160:29
    #3 0x78dbe3e4 in ddraw1_CreateSurface /builds/bernhardu/wine/build64/../dlls/ddraw/ddraw.c:3112:10
    #4 0x00439fad in test_surface_attachment /builds/bernhardu/wine/build64/../dlls/ddraw/tests/ddraw1.c:6372:10
    #5 0x004127c5 in func_ddraw1 /builds/bernhardu/wine/build64/../dlls/ddraw/tests/ddraw1.c:17101:5
    #6 0x0069e311 in run_test /builds/bernhardu/wine/build64/../include/wine/test.h:780:5
    #7 0x0069ddca in main /builds/bernhardu/wine/build64/../include/wine/test.h:900:12
    #8 0x006a0075 in mainCRTStartup /builds/bernhardu/wine/build64/../dlls/msvcrt/crt_main.c:70:11
    #9 0x7bcc35df in BaseThreadInitThunk (C:\windows\system32\kernel32.dll+0x7b8235df)
    #10 0x7be36b9a in call_thread_func_wrapper (C:\windows\system32\ntdll.dll+0x7bc46b9a)
    #11 0x7be3750a in call_thread_func /builds/bernhardu/wine/build64/../dlls/ntdll/signal_i386.c:502:9

SUMMARY: AddressSanitizer: heap-use-after-free /builds/bernhardu/wine/build64/../dlls/ddraw/tests/ddraw1.c:6510:11 in test_surface_attachment
```

</details>

--
https://gitlab.winehq.org/wine/wine/-/merge_requests/10992#note_142086
participants (1)
- Bernhard Übelacker (@bernhardu)
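
The release order discussed in the message above, as an added example that is not part of the original message and not Wine's code: a toy model in which the chain root tears down its attached surface, an assumption that mirrors the nested `ddraw_surface_cleanup` frames in the "freed by" stack. `struct surface`, `surface_destroy`, `surface_release` and `replay` are hypothetical names, and a `destroyed` flag stands in for `free()` so the stale release can be counted instead of crashing.

```c
#include <stdio.h>
/* Toy model, not Wine code: the chain root owns the surface attached to it. */
struct surface {
    int refcount;             /* references held by callers and by the chain */
    int destroyed;            /* flag instead of free(), so stale use is observable */
    struct surface *attached; /* next surface in the chain */
};
static int stale_releases;    /* releases issued on already destroyed surfaces */

/* Assumption: destroying a surface tears down its attached chain as well,
 * whatever references a caller still believes it holds on the children. */
static void surface_destroy(struct surface *s)
{
    if (!s || s->destroyed) return;
    s->destroyed = 1;
    surface_destroy(s->attached);
    s->attached = NULL;
}

/* Returns the remaining refcount, or -1 for a release on a destroyed surface
 * (in real code: the read that ASan flags as heap-use-after-free). */
static int surface_release(struct surface *s)
{
    if (s->destroyed) { ++stale_releases; return -1; }
    if (--s->refcount == 0) surface_destroy(s);
    return s->refcount;
}

/* Replays both releases in either order and counts the stale ones. */
static int replay(int root_first)
{
    struct surface backbuffer1 = {2, 0, NULL};      /* caller ref + chain ref */
    struct surface surface1 = {1, 0, &backbuffer1}; /* caller ref only */
    stale_releases = 0;
    if (root_first) {
        surface_release(&surface1);    /* models the release at line 6508 */
        surface_release(&backbuffer1); /* models the release at line 6510 */
    } else {
        surface_release(&backbuffer1);
        surface_release(&surface1);
    }
    return stale_releases;
}

int main(void)
{
    printf("root first: %d stale, child first: %d stale\n", replay(1), replay(0));
    return 0;
}
```

In this model only the root-first order produces a stale release; whether the real test's reference counts match the model is exactly the open question in the message.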