<html>
<head>
<base href="https://bugs.freedesktop.org/">
</head>
<body>
<p>
<div>
<b><a class="bz_bug_link bz_status_NEW"
title="NEW - Assertion &quot;(_cairo_atomic_int_get (&amp;(&amp;surface-&gt;ref_count)-&gt;ref_count) &gt; 0)&quot;"
href="https://bugs.freedesktop.org/show_bug.cgi?id=91967#c23">Comment # 23</a>
on <a class="bz_bug_link bz_status_NEW"
title="NEW - Assertion &quot;(_cairo_atomic_int_get (&amp;(&amp;surface-&gt;ref_count)-&gt;ref_count) &gt; 0)&quot;"
href="https://bugs.freedesktop.org/show_bug.cgi?id=91967">bug 91967</a>
from <span class="vcard"><a class="email" href="mailto:jskarvad@redhat.com" title="Jaroslav Škarvada &lt;jskarvad@redhat.com&gt;"> <span class="fn">Jaroslav Škarvada</span></a>
</span></b>
<pre>(In reply to Alberts Muktupāvels from <a href="show_bug.cgi?id=91967#c22">comment #22</a>)
<span class="quote">> (In reply to Jaroslav Škarvada from <a href="show_bug.cgi?id=91967#c21">comment #21</a>)
> > (In reply to Alberts Muktupāvels from <a href="show_bug.cgi?id=91967#c20">comment #20</a>)
> > > (In reply to Jaroslav Škarvada from <a href="show_bug.cgi?id=91967#c19">comment #19</a>)
> > > > AFAICS the &image->base is a pointer to the same memory as image, it's just
> > > > a different pointer type. Maybe there is a better fix, e.g. to just BAIL or
> > > > return some error, but this problem definitely needs to be fixed. Just
> > > > ignoring it will not help anyone.
> > >
> > > I think that BAIL-ing out is not a solution...
> > >
> > > Looking at the code, it looks like the intention was to try with shm first and if
> > > that fails try with other methods. By BAIL-ing out we will lose the chance to get
> > > an image surface with other methods.
> > >
> > > Basically this is a very simple bug - a double free with a very simple fix.
> > > The surface was destroyed, the pointer is now invalid. Setting it to NULL makes
> > > sense.
> >
> > In this case no other method will succeed, because the pixmap doesn't exist.
>
> Is this the only case when XShmGetImage can fail?</span >
I guess it can also fail if there is no MIT-SHM extension and maybe in other
cases. These are cases not causing the double free, because some other method
probably steps in and the pixmap is valid in such cases.
But I think the proposed fix is dirty. It relies on the safety check inside
cairo_surface_destroy. Cleanly written code shouldn't do this. The control flow
should never get into cairo_surface_destroy for the second time, that's why
I wrote "maybe there is a better fix". But this is definitely a question for the
upstream maintainers.</pre>
</div>
</p>
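<p>The trade-off argued in this comment, as an added example that is not part of the original comment and is not cairo source: a constructed C model (all names hypothetical) in which the shm attempt fails and releases its surface, comparing the unfixed shared cleanup, the NULL-after-destroy fix, and a flow that never reaches destroy a second time. Counters stand in for the assertion so the faulty path can be observed without crashing.</p>
<pre>
```c
/* Constructed model of the flow discussed above. Every name is hypothetical;
 * none of this is cairo source. */
struct surface { int ref_count; };

static int destroy_calls;   /* every call, null pointer included */
static int dead_destroys;   /* calls on an already destroyed surface */

static void surface_destroy(struct surface *s)
{
    destroy_calls++;
    if (!s)
        return;               /* safety check the null-pointer fix relies on */
    if (s->ref_count == 0) {  /* a real library would assert or corrupt here */
        dead_destroys++;
        return;
    }
    s->ref_count--;
}

enum variant { UNFIXED, NULL_AFTER_DESTROY, SINGLE_RELEASE };

/* The shm attempt always fails here and drops its surface. fallback_ok says
 * whether another method then succeeds. Returns 0 on success, -1 on error. */
static int get_image(enum variant v, int fallback_ok)
{
    struct surface slot = { 1 };
    struct surface *image = &slot;

    destroy_calls = dead_destroys = 0;
    surface_destroy(image);           /* shm failed: surface released */
    if (v == NULL_AFTER_DESTROY)
        image = 0;                    /* stale pointer replaced by null */

    if (fallback_ok)
        return 0;                     /* another method supplied the image */
    if (v == SINGLE_RELEASE)
        return -1;                    /* nothing owned: skip shared cleanup */

    surface_destroy(image);           /* shared error cleanup */
    return -1;
}

int main(void)
{
    get_image(UNFIXED, 0);
    return dead_destroys == 1 ? 0 : 1;
}
```
</pre>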
</body>
</html>