I was able to get this out of valgrind:

==31602== Invalid read of size 8
==31602==    at 0xC29C0F4: intelDestroyContext (intel_context.c:877)
==31602==    by 0xC28CB7A: driDestroyContext (dri_util.c:545)
==31602==    by 0x80FE505: __glXDRIcontextDestroy (glxdri2.c:192)
==31602==    by 0x80ED0A1: __glXFreeContext (glxext.c:211)
==31602==    by 0x80ECD9F: ContextGone (glxext.c:110)
==31602==    by 0x437D55: FreeResourceByType (resource.c:598)
==31602==    by 0x80E333F: __glXDisp_DestroyContext (glxcmds.c:370)
==31602==    by 0x80ED95E: __glXDispatch (glxext.c:578)
==31602==    by 0x439AEC: Dispatch (dispatch.c:445)
==31602==    by 0x42678A: main (main.c:285)
==31602==  Address 0x1bbdc508 is 8 bytes inside a block of size 144 free'd
==31602==    at 0x4C255FD: free (vg_replace_malloc.c:323)
==31602==    by 0xC3796CC: _mesa_free (imports.c:85)
==31602==    by 0xC28CB33: dri_put_drawable (dri_util.c:516)
==31602==    by 0xC28CB50: driDestroyDrawable (dri_util.c:523)
==31602==    by 0x80FE2B7: __glXDRIdrawableDestroy (glxdri2.c:105)
==31602==    by 0x80ECF57: DrawableGone (glxext.c:163)
==31602==    by 0x437C09: FreeResource (resource.c:562)
==31602==    by 0x45AED1: CrushTree (window.c:877)
==31602==    by 0x45AFF2: DeleteWindow (window.c:914)
==31602==    by 0x437C09: FreeResource (resource.c:562)
==31602==    by 0x43A78F: ProcDestroyWindow (dispatch.c:751)
==31602==    by 0x439AEC: Dispatch (dispatch.c:445)

There's a race. intelDestroyContext() and __glXDRIdrawableDestroy() can be called in either order when the program closes, but the Intel mesa code doesn't do refcounting on the drawable. So if intelDestroyContext() is called second, the drawable is already destroyed and free'd, and may already be overwritten. Crash.
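
The ordering problem described above goes away once the context holds its own counted reference to the drawable instead of a borrowed pointer. The following is an added example, not code from Mesa or from the report; struct drawable, struct context, drawable_get(), drawable_put() and teardown() are hypothetical names used only for illustration.

```c
#include <stdlib.h>

/* Hypothetical types for illustration; not Mesa's structures. */
struct drawable { int refcount; int width; };
struct context  { struct drawable *draw; /* counted reference */ };

static int live_drawables; /* demo instrumentation only */

static struct drawable *drawable_create(int width) {
    struct drawable *d = calloc(1, sizeof *d);
    if (!d) return NULL;
    d->refcount = 1; /* reference held by the window's resource entry */
    d->width = width;
    live_drawables++;
    return d;
}

static struct drawable *drawable_get(struct drawable *d) {
    d->refcount++;
    return d;
}

/* Drop one reference; the memory is released only by the last holder. */
static void drawable_put(struct drawable *d) {
    if (d && --d->refcount == 0) {
        live_drawables--;
        free(d);
    }
}

/* Reads the drawable during teardown, like the context-destroy path in the trace. */
static int context_destroy(struct context *c) {
    int width = c->draw ? c->draw->width : -1;
    drawable_put(c->draw);
    c->draw = NULL;
    return width;
}

/* Returns 1 if teardown in the given order read live memory and leaked nothing. */
int teardown(int drawable_first) {
    struct drawable *d = drawable_create(640);
    if (!d) return 0;
    struct context ctx = { drawable_get(d) };
    int width;
    if (drawable_first) { drawable_put(d); width = context_destroy(&ctx); }
    else                { width = context_destroy(&ctx); drawable_put(d); }
    return width == 640 && live_drawables == 0;
}

int main(void) { return !(teardown(0) && teardown(1)); }
```

Running the built binary under valgrind should report no invalid reads for either teardown order, because the block is freed only when the second holder drops its reference.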