Skip to content

Fix crash in ~ShadowInterfacePrivate

Vlad Zahorodnii requested to merge work/shadow-tile-buffer-crash into master

Currently, buffer objects are destroyed with some delay. This is wrong since BufferInterface::get() will return a defunct buffer object after deleteLater() has been called and before the buffer object gets actually destroyed. It's an esoteric case, and unfortunately some users hit it when hovering the scroll bar in kdevelop. We should either destroy buffer objects right away or leave them alone.

Since using a defunct buffer object is a use-after-free bug, the compositor will most likely crash. This merge request fixes the bug in two steps. First, it breaks the bidirectional connection between the BufferInterface objects and the SurfaceInterface objects. A wl_buffer object can be attached to multiple surfaces so the surface() property makes little sense and it can be removed. The second step is to adjust the BufferInterface::unref() method so it only sends the release event. It's okay-ish to keep unreferenced buffers around. If the client has received a wl_buffer.release event and it doesn't mind calling the destroy request, then the buffer will most likely be re-used.

Edited by Vlad Zahorodnii

Merge request reports

Loading