http://bugs.winehq.org/show_bug.cgi?id=58325
Bug ID: 58325
Summary: wined3d swapchain use-after-free
Product: Wine
Version: unspecified
Hardware: x86-64
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: d3d
Assignee: wine-bugs@winehq.org
Reporter: yshuiv7@gmail.com
Distribution: ---
Releasing the swapchain brings us to wined3d_swapchain_cleanup, which destroys the front/back buffer textures.
Texture destruction is async, happening on the device's command stream. This means these textures can be destroyed way after the swapchain itself. But we did set `texture->swapchain` to `NULL` before queuing their destruction, so that bit is fine.
The problem is in texture_resource_unload. Here we try to acquire the context, which goes adapter_gl_acquire_context -> wined3d_context_gl_acquire -> wined3d_context_gl_activate -> wined3d_context_gl_update_window. And here we try to access `context_gl->c.swapchain->win_handle`, which unfortunately points to the swapchain that was just freed.
I am unsure what the fix for this is. Do we hold a refcount of the swapchain in the context? Do we clear `context->swapchain` when a swapchain is being freed? Should we release the front/back buffer synchronously? Or something else?
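The ordering described in the report, as an added C model that is not Wine's code: the structs and functions are simplified stand-ins for the wined3d objects named above, and release of the swapchain is modelled with a liveness flag instead of free() so the stale dereference is reported rather than left as undefined behaviour. The second scenario applies one of the fixes the reporter lists (clearing the context's swapchain pointer when the swapchain goes away).

```c
#include <stddef.h>

/* Hypothetical, simplified stand-ins for the wined3d objects in the report. */
struct swapchain { unsigned long win_handle; int live; };
struct context   { struct swapchain *swapchain; };
struct texture   { struct swapchain *swapchain; struct context *ctx; };

/* Deferred work modelled as a one-slot command stream: the texture is
 * destroyed when cs_flush() runs, not when the swapchain releases it. */
static struct texture *cs_pending;

/* Stand-in for wined3d_context_gl_update_window. Returns 0 on success and
 * -1 when the context still points at a swapchain that has been released;
 * in the real code that dereference is the use-after-free. */
static int update_window(struct context *ctx)
{
    if (!ctx->swapchain) return 0;          /* no swapchain bound: nothing to update */
    if (!ctx->swapchain->live) return -1;   /* stale pointer: would read freed memory */
    return ctx->swapchain->win_handle ? 0 : -1;
}

/* Stand-in for texture_resource_unload: acquiring the context updates the window. */
static int texture_resource_unload(struct texture *tex)
{
    return update_window(tex->ctx);
}

static void cs_flush(int *status)
{
    if (cs_pending) { *status = texture_resource_unload(cs_pending); cs_pending = NULL; }
}

/* clear_context_ref == 0 reproduces the reported ordering; 1 clears
 * context->swapchain during swapchain cleanup, one of the fixes suggested. */
int run_scenario(int clear_context_ref)
{
    struct swapchain sc = { .win_handle = 0x1234, .live = 1 };
    struct context ctx = { .swapchain = &sc };
    struct texture front = { .swapchain = &sc, .ctx = &ctx };
    int status = 0;

    /* Stand-in for wined3d_swapchain_cleanup: detach and queue the texture. */
    front.swapchain = NULL;                  /* this part is already done in Wine */
    cs_pending = &front;
    if (clear_context_ref) ctx.swapchain = NULL;
    sc.live = 0;                             /* swapchain released (modelled, not free()d) */

    cs_flush(&status);                       /* destruction runs after the swapchain is gone */
    return status;                           /* -1: stale access, 0: clean */
}
```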