Commit caa964b4 authored by Gert Wollny, committed by Gert Wollny

mesa: Reference count shaders that are used by transform feedback objects

Transform feedback objects may hold a pointer to a shader program, and
at least in Gallium, this must be a valid pointer until
ctx->Driver.EndTransformFeedback in glEndTransformFeedback has been called
- which conforms with the spec that any program that is part of a
current rendering state should only be flagged for deletion by glDeleteProgram.
This was not handled properly for the transform feedback objects so that
a call sequence


would result in a use after free bug. With this patch the transform
feedback object also updates the reference count to the used program
thereby keeping the program valid as long as the transform feedback
object links to it.

Fixes: 65458769
       mesa: add end_transform_feedback() helper
Signed-off-by: Gert Wollny <>
Reviewed-by: Emil Velikov <>
parent 90d68858
......@@ -40,6 +40,7 @@
#include "shaderapi.h"
#include "shaderobj.h"
#include "program/program.h"
#include "program/prog_parameter.h"
struct using_program_tuple
......@@ -470,6 +471,7 @@ begin_transform_feedback(struct gl_context *ctx, GLenum mode, bool no_error)
if (obj->program != source) {
ctx->NewDriverState |= ctx->DriverFlags.NewTransformFeedbackProg;
_mesa_reference_program_(ctx, &obj->program, source);
obj->program = source;
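Review bot: in begin_transform_feedback, the plain `obj->program = source;` directly after `_mesa_reference_program_(ctx, &obj->program, source);` looks redundant. The helper is handed the address of obj->program, so it is presumably the one that stores the new pointer once the counts are adjusted. If so, drop the raw assignment so this field is only ever written through the reference helper; a counted store next to an uncounted one invites a later edit that moves the pointer without touching the count.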
......@@ -504,6 +506,7 @@ end_transform_feedback(struct gl_context *ctx,
ctx->Driver.EndTransformFeedback(ctx, obj);
_mesa_reference_program_(ctx, &obj->program, NULL);
ctx->TransformFeedback.CurrentObject->Active = GL_FALSE;
ctx->TransformFeedback.CurrentObject->Paused = GL_FALSE;
ctx->TransformFeedback.CurrentObject->EndedAnytime = GL_TRUE;
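Review bot: in end_transform_feedback, the release `_mesa_reference_program_(ctx, &obj->program, NULL);` sits after ctx->Driver.EndTransformFeedback, which matches the commit message, but nothing in the code records that the order matters. Please add a short comment saying the driver hook still needs obj->program to be valid, so the reference must not be dropped before it returns; otherwise a later reordering can reintroduce the use after free. It is also worth confirming that any path that tears down a transform feedback object without passing through this function releases the reference as well, since those paths are not visible in this diff.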
