[cairo-bugs] [Bug 91967] Assertion "(_cairo_atomic_int_get (&(&surface->ref_count)->ref_count) > 0)"
bugzilla-daemon at freedesktop.org
bugzilla-daemon at freedesktop.org
Tue May 24 12:34:02 UTC 2016
https://bugs.freedesktop.org/show_bug.cgi?id=91967
--- Comment #23 from Jaroslav Škarvada <jskarvad at redhat.com> ---
(In reply to Alberts Muktupāvels from comment #22)
> (In reply to Jaroslav Škarvada from comment #21)
> > (In reply to Alberts Muktupāvels from comment #20)
> > > (In reply to Jaroslav Škarvada from comment #19)
> > > > AFAICS the &image->base is pointer to the same memory as image, it's just
> > > > different pointer type. Maybe there is a better fix, e.g. to just BAIL or
> > > > return some error, but this problem needs definitely to be fixed. Just
> > > > ignoring it will not help anyone.
> > >
> > > I think that BAIL-ing out is not solution...
> > >
> > > Looking at code it looks like it was intention to try with shm first and if
> > > that fails try with other methods. BAIL-ing out we will lose chance to get
> > > image surface with other methods.
> > >
> > > Basically this is very simple bug - double free with very simple fix.
> > > Surface was destroyed, pointer now is invalid. Setting it to NULL makes
> > > sense.
> >
> > In this case no other method will succeed, because the pixmap doesn't exist.
>
> Is this only case when XShmGetImage can fail?
I guess it can also fail if there is no MIT-SHM extension and maybe in other
cases. These are cases not causing the double free, because some other method
probably steps in and the pixmap is valid in such cases.
But I think the proposed fix is dirty. It relies on the safety check inside the
cairo_surface_destroy. Cleanly written code shouldn't do this. The control flow
should never get into the cairo_surface_destroy for the second time, that's why
I wrote "maybe there is a better fix". But this is definitely question for the
upstream maintainers.
--
You are receiving this mail because:
You are the QA Contact for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.cairographics.org/archives/cairo-bugs/attachments/20160524/01f4608e/attachment.html>
More information about the cairo-bugs
mailing list