Fence emission can flush the push buffer, which through flush_notify unreferences recently emitted fence. If ref count is increased after fence emission, unreference deletes the fence, which causes SIGSEGV. Backtrace: nouveau_fence_del nouveau_fence_ref nouveau_fence_next nouveau_pushbuf_flush MARK_RING nv50_screen_fence_emit nouveau_fence_emit nv50_flush This bug manifested as an assertion failure in nouveau_fence.c, because SIGSEGV handler tried to shutdown the application and used messed up fence. This issue was reported by Maxim Levitsky. Note: This is a candidate for the 7.11 branch.

14 years ago · 65b8eea064
--- a/src/gallium/drivers/nouveau/nouveau_fence.c
+++ b/src/gallium/drivers/nouveau/nouveau_fence.c
@@ -93,8 +93,6 @@ nouveau_fence_emit(struct nouveau_fence *fence)
   /* set this now, so that if fence.emit triggers a flush we don't recurse */
   fence->state = NOUVEAU_FENCE_STATE_EMITTED;

   screen->fence.emit(&screen->base, fence->sequence);

   ++fence->ref;

   if (screen->fence.tail)
@@ -103,6 +101,8 @@ nouveau_fence_emit(struct nouveau_fence *fence)
      screen->fence.head = fence;

   screen->fence.tail = fence;

   screen->fence.emit(&screen->base, fence->sequence);
 }

 void