Comment 0 for bug 550218

Created an attachment (id=33011)
GDB debug log

In about 1 of 5 times that I close OpenGL programs (that I have written), the X server crashes. It doesn't seem to happen when I kill or "^C" them, though. It is likely the programs are misbehaving (for example, I currently don't clean up all X and GLX resources before exit, and maybe I mix both new and old GLX API). I don't have the problem with other OpenGL programs I have tested such as glxgears or glxinfo. In any case, I don't think the server should crash, no matter whether programs/clients are misbehaving or not. Also, I should mention that in previous versions of the server, I didn't have the problem.

I attached to the server process with gdb to get a backtrace. The debug log (with prompts) is attached. pScreen in #2 was optimized out so I got it from #3 instead.

This is my theory:

pDraw at #3 is probably a freed pointer. Thus its pScreen field is undefined/arbitrary and in this case was 0x1 which made 'privates' in #0 a pointer a bit higher (because implicitly, #2 will find 'privates' by adding the field offset to the pScreen pointer, see the source code at that part). Thus in the end it uses an invalid pointer of value 0x151 for 'privates'.

I think the problem is here (#4 in backtrace, __glXDRIdrawableDestroy in glx/glxdri2.c):

    /* If the X window was destroyed, the dri DestroyWindow hook will
     * aready have taken care of this, so only call if pDraw isn't NULL. */
    if (drawable->pDraw != NULL)
        DRI2DestroyDrawable(drawable->pDraw);

It assumes that drawable->pDraw has been set to NULL if it is already freed. However, wherever it is freed this pointer is not set to NULL afterwards (at least that's what I suspect). I don't know where I can find the code of the "dri DestroyWindow hook", though.

I use xserver version 2:1.7.4-2 in Debian. My original report at bugs.debian.org is here: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=567677
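The invariant that the quoted NULL check depends on, as an added example that is not part of the original report and is not X server code: whatever frees the window must first clear every back-pointer to it. All type and function names here are hypothetical stand-ins for the server's own.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins, not the X server's real types. */
typedef struct Window { int id; } Window;
typedef struct GlxDrawable {
    Window *pDraw;               /* back-pointer that can dangle */
    struct GlxDrawable *next;
} GlxDrawable;

static GlxDrawable *tracked;     /* every live GlxDrawable */
static int dri_destroy_calls;    /* counts DRI teardown calls */
static void dri_destroy_drawable(Window *w) { (void)w; dri_destroy_calls++; }

static GlxDrawable *glx_drawable_create(Window *w) {
    GlxDrawable *d = malloc(sizeof *d);
    if (!d) abort();
    d->pDraw = w;
    d->next = tracked;
    tracked = d;
    return d;
}

/* Window-destroy hook: tear down DRI state and null each back-pointer before free. */
static void window_destroy(Window *w) {
    for (GlxDrawable *d = tracked; d; d = d->next)
        if (d->pDraw == w) { dri_destroy_drawable(w); d->pDraw = NULL; }
    free(w);
}

/* Same shape as the quoted check; sound only because window_destroy() nulls pDraw. */
static void glx_drawable_destroy(GlxDrawable *d) {
    GlxDrawable **pp = &tracked;
    while (*pp && *pp != d) pp = &(*pp)->next;
    if (*pp) *pp = d->next;      /* unlink so the hook never sees freed memory */
    if (d->pDraw != NULL) dri_destroy_drawable(d->pDraw);
    free(d);
}

/* Returns the number of DRI teardown calls for one window/drawable pair. */
int run_scenario(int window_first) {
    Window *w = malloc(sizeof *w);
    if (!w) abort();
    GlxDrawable *d = glx_drawable_create(w);
    dri_destroy_calls = 0;
    if (window_first) { window_destroy(w); glx_drawable_destroy(d); }
    else              { glx_drawable_destroy(d); window_destroy(w); }
    return dri_destroy_calls;
}
int main(void) { printf("%d %d\n", run_scenario(1), run_scenario(0)); return 0; }
```

Removing the `d->pDraw = NULL` assignment in `window_destroy()` reproduces the situation the theory describes: the later check passes on a freed pointer, which a build with AddressSanitizer reports as a use-after-free.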