mesa: fix _mesa_free_pipeline_data() use-after-free bug

Unreference the ctx->_Shader object before we delete all the pipeline
objects in the hash table.  Before, ctx->_Shader could point to freed
memory when _mesa_reference_pipeline_object(ctx, &ctx->_Shader, NULL)
was called.

Fixes crash when exiting the piglit rendezvous_by_location test on
Windows.

Cc: mesa-stable@lists.freedesktop.org
Reviewed-by: Ian Romanick <ian.d.romanick@intel.com>

diff --git a/src/mesa/main/pipelineobj.c b/src/mesa/main/pipelineobj.c
index 017d4257eb815ea122504acfbf708770040836ae..b713d956f78ca2c2655c3f26588bb72a8b176502 100644 (file)
--- a/src/mesa/main/pipelineobj.c
+++ b/src/mesa/main/pipelineobj.c
@@ -120,12 +120,12 @@ delete_pipelineobj_cb(GLuint id, void *data, void *userData)
 void
 _mesa_free_pipeline_data(struct gl_context *ctx)
 {
+   _mesa_reference_pipeline_object(ctx, &ctx->_Shader, NULL);
+
    _mesa_HashDeleteAll(ctx->Pipeline.Objects, delete_pipelineobj_cb, ctx);
    _mesa_DeleteHashTable(ctx->Pipeline.Objects);
 
-   _mesa_reference_pipeline_object(ctx, &ctx->_Shader, NULL);
    _mesa_delete_pipeline_object(ctx, ctx->Pipeline.Default);
-
 }
 
 /**