Crash after quitting Haiku3D

[humdinger]

This is hrev48830.

Quitting Haiku3D there's a crash. Report attached. It starts with

state: Exception (Segment violation)

Frame		IP			Function Name
-----------------------------------------------
0x70aa2978	0xdbc2c4	/boot/system/lib/libGL.so + 0x2b2c4 
Unable to retrieve disassembly for IP 0xdbc2c4: No such file or directory
	Frame memory:
		[0x70aa294c]  |6M.....D....).p   7c 36 4d 02 01 00 00 00 44 00 00 00 a8 29 aa 70
		[0x70aa295c]  ]6M...M.0....).p   5d 36 4d 02 08 81 4d 02 30 a4 0e 18 a8 29 aa 70
		[0x70aa296c]  .k...2......       f8 6b 82 01 a0 32 0f 18 03 00 00 00
0x70aa29b0	0x24d42c7	_._13BitmapTexture + 0x27 
0x70aa29e0	0x1b0fb34	BReferenceable::LastReferenceReleased() + 0x2c 
0x70aa2a10	0x1b0faf1	BReferenceable::ReleaseReference() + 0x3d 
0x70aa2a40	0x24d1574	_._12MeshInstance + 0x24 
0x70aa2a70	0x24d30c4	RenderView::_DeleteScene() + 0x38 
0x70aa2ab0	0x24d243d	_._10RenderView + 0x2d 
0x70aa2ae0	0x1a776a9	_._5BView + 0x95 
0x70aa2b20	0x1a84cc5	_._7BWindow + 0xfd 
0x70aa2b50	0x2317a69	_._13BDirectWindow + 0x35 
0x70aa2b80	0x24d0f87	_._10MainWindow + 0x27 
0x70aa2bb0	0x19a89bc	BLooper::Quit() + 0xdc 
0x70aa2be0	0x1a85441	BWindow::Quit() + 0xc1 

[humdinger]

crash on quit

[vrkosk]

gdb gives a more detailed backtrace:

Program received signal SIGSEGV, Segmentation fault.
[Switching to team /boot/system/demos/Haiku3d (1863) thread w>Haiku3d (1870)]
0x0100f2c4 in glIsTexture () from /boot/system/lib/libGL.so
(gdb) bt
#0  0x0100f2c4 in glIsTexture () from /boot/system/lib/libGL.so
#1  0x01467694 in Texture::~Texture ()
#2  0x014682a8 in BitmapTexture::~BitmapTexture ()
#3  0x00e5009a in BReferenceable::LastReferenceReleased ()
   from /boot/system/lib/libbe.so
#4  0x00e50057 in BReferenceable::ReleaseReference ()
   from /boot/system/lib/libbe.so
#5  0x01465573 in MeshInstance::~MeshInstance ()
#6  0x014670d9 in RenderView::_DeleteScene ()
#7  0x01466472 in RenderView::~RenderView ()
#8  0x00db7823 in BView::~BView () from /boot/system/lib/libbe.so
#9  0x00dc4c56 in BWindow::~BWindow () from /boot/system/lib/libbe.so
#10 0x02217a6e in BDirectWindow::~BDirectWindow ()
   from /boot/system/lib/libgame.so
#11 0x01464f88 in MainWindow::~MainWindow ()
#12 0x00ce95ea in BLooper::Quit () from /boot/system/lib/libbe.so
#13 0x00dc53b2 in BWindow::Quit () from /boot/system/lib/libbe.so
#14 0x02217ad7 in BDirectWindow::Quit () from /boot/system/lib/libgame.so
#15 0x00ceaa69 in BLooper::_QuitRequested () from /boot/system/lib/libbe.so
#16 0x00ce9112 in BLooper::DispatchMessage () from /boot/system/lib/libbe.so
#17 0x00dc80e1 in BWindow::DispatchMessage () from /boot/system/lib/libbe.so
#18 0x02217b07 in BDirectWindow::DispatchMessage ()
   from /boot/system/lib/libgame.so
#19 0x00dcbeee in BWindow::task_looper () from /boot/system/lib/libbe.so
#20 0x02217e5b in BDirectWindow::task_looper ()
   from /boot/system/lib/libgame.so
#21 0x00cea58b in BLooper::_task0_ () from /boot/system/lib/libbe.so
#22 0x01dcc527 in thread_entry () from /boot/system/lib/libroot.so
#23 0x603ce250 in ?? ()

The glIsTexture() call is made in the Texture class destructor of haiku3d, so my guess is its parameter (fId) is somehow invalid, maybe null or it's being freed twice.

[zzzzz]

If the main window is resized, nothing happens. If it's not, the crash occurs at close attempt.

Tested on hrev 50589,

[pulkomandy]

The fId is allocated in ​http://cgit.haiku-os.org/haiku/tree/src/apps/haiku3d/texture/BitmapTexture.cpp and released in ​http://cgit.haiku-os.org/haiku/tree/src/apps/haiku3d/Texture.cpp

The texture itself is shared using reference counting between different objects, as seen in RenderView::_CreateScene(). The meshes are released in _DeleteScene and this ends up freeing the texture.

All of this looks right to me.

does the crash happen with all 3 Mesa implementations? (gcc2, gcc5+swrast, gcc5+softpipe) It could be a bug in Mesa side as well, losing track of the texture.

[kainjow]

I was able to reproduce with 50953, x86_gcc2.

[diver]

Still here.

[X512]

glIsTexture crash should be fixed in hrev53904.