author | junov <junov@chromium.org> | 2015-11-12 20:47:15 -0800 |
---|---|---|
committer | Commit bot <commit-bot@chromium.org> | 2015-11-13 04:48:35 +0000 |
commit | d87aa1f1aee6ab0181eadaae827a5768981c1ccc (patch) | |
tree | 6d6cf95ad45b3045c3abfe10f024357ac48df52d /android_webview | |
parent | 1f8629f7b817c1ea90027416e9385848e8e0993b (diff) | |
download | chromium_src-d87aa1f1aee6ab0181eadaae827a5768981c1ccc.zip chromium_src-d87aa1f1aee6ab0181eadaae827a5768981c1ccc.tar.gz chromium_src-d87aa1f1aee6ab0181eadaae827a5768981c1ccc.tar.bz2 |
Fix gpu command buffer use after free by GrContext
ContextProviderCommandBuffer owns a WebGraphicsContext3DCommandBufferImpl and a
GrContextForWebGraphicsContext3D via scoped_ptr. The problem was
that the GrContext object held by GrContextForWebGraphicsContext3D
depended on interface pointers that reference an interface that is owned
by WebGraphicsContext3DCommandBufferImpl, so whenever the
GrContext outlived the ContextProviderCommandBuffer, we ended up in a
state where the interface function pointers are deallocated, but still
referenced. Then, attempts to use the GrContext would result in using
deallocated function pointers. Because the GrContext is a ref counted
object, it can easily outlive the ContextProviderCommandBuffer. This led to
a dangerous situation where we had to be careful about object destruction
order.
This CL fixes the problem for good by wrapping the ownership of the
WebGraphicsContext3DCommandBufferImpl into a subclass of
GrGLInterface, which is a ref counted object that can be owned jointly by
the GrContext and the ContextProviderCommandBuffer, thus guaranteeing
that the command buffer interface will remain valid for the lifetimes of the
GrContext and of the ContextProviderCommandBuffer.
BUG=551143
CQ_INCLUDE_TRYBOTS=tryserver.blink:linux_blink_rel
Review URL: https://codereview.chromium.org/1414683003
Cr-Commit-Position: refs/heads/master@{#359493}
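The ownership problem the commit message describes, and the joint-ownership fix, reduced to a minimal model. This is an added illustration, not Chromium or Skia code: `CommandBufferContext` stands in for WebGraphicsContext3DCommandBufferImpl, the two table types stand in for GrGLInterface before and after the change, the `*Context` structs stand in for the ref-counted GrContext, and `std::shared_ptr` stands in for Skia's intrusive ref counting. A live-object counter makes the dangling state observable without dereferencing freed memory.

```cpp
// Added illustration of the lifetime bug described in the commit message and
// of the joint-ownership fix. Not Chromium or Skia code; all type and function
// names are hypothetical stand-ins.
#include <cassert>
#include <memory>

static int g_live_command_buffers = 0;

// The object whose lifetime the GL function table depends on
// (stand-in for WebGraphicsContext3DCommandBufferImpl).
struct CommandBufferContext {
  CommandBufferContext() { ++g_live_command_buffers; }
  ~CommandBufferContext() { --g_live_command_buffers; }
  int Clear() { return 1; }  // stand-in for a real GL call
};

static int ClearThunk(CommandBufferContext* cb) { return cb->Clear(); }

// ---- Before the fix: the provider owns the command buffer, the function
// table only borrows it, and the ref-counted context only borrows the table.
struct BorrowedTable {
  CommandBufferContext* cb = nullptr;           // borrowed from the provider
  int (*clear)(CommandBufferContext*) = nullptr;
};

struct BorrowingContext {          // ref-counted, so it may outlive the provider
  BorrowedTable* table = nullptr;  // raw pointer into the provider
};

struct UnsafeProvider {
  std::unique_ptr<CommandBufferContext> cb = std::make_unique<CommandBufferContext>();
  std::unique_ptr<BorrowedTable> table = std::make_unique<BorrowedTable>();
  std::shared_ptr<BorrowingContext> MakeContext() {
    table->cb = cb.get();
    table->clear = &ClearThunk;
    auto ctx = std::make_shared<BorrowingContext>();
    ctx->table = table.get();
    return ctx;
  }
};

// Returns true when the context is still alive but everything it points at is
// gone: the state in which any GL call through it is a use-after-free.
bool BorrowedDesignDanglesAfterProviderDies() {
  std::shared_ptr<BorrowingContext> ctx;
  {
    UnsafeProvider provider;
    ctx = provider.MakeContext();
  }  // provider, its table and its command buffer are destroyed here
  // ctx->table and ctx->table->cb now dangle; deliberately not dereferenced.
  return ctx != nullptr && g_live_command_buffers == 0;
}

// ---- After the fix: the table owns the command buffer, and the table itself
// is shared by the provider and the context, so whichever owner goes last
// releases the command buffer.
struct OwningTable {
  std::unique_ptr<CommandBufferContext> cb = std::make_unique<CommandBufferContext>();
  int (*clear)(CommandBufferContext*) = &ClearThunk;
};

struct SharingContext {
  std::shared_ptr<OwningTable> table;  // joint owner, not a borrower
  int Clear() { return table->clear(table->cb.get()); }
};

struct SafeProvider {
  std::shared_ptr<OwningTable> table = std::make_shared<OwningTable>();
  std::shared_ptr<SharingContext> MakeContext() {
    auto ctx = std::make_shared<SharingContext>();
    ctx->table = table;  // bumps the refcount; no longer tied to the provider
    return ctx;
  }
};

// Returns true when the context can still make GL calls after the provider is
// gone, and the command buffer is released only once the context is.
bool SharedOwnershipOutlivesProvider() {
  std::shared_ptr<SharingContext> ctx;
  {
    SafeProvider provider;
    ctx = provider.MakeContext();
  }  // provider destroyed; table and command buffer survive through ctx
  bool alive_after_provider = (g_live_command_buffers == 1);
  bool call_ok = (ctx->Clear() == 1);
  ctx.reset();  // last owner released: command buffer is freed now
  return alive_after_provider && call_ok && g_live_command_buffers == 0;
}

int main() {
  assert(BorrowedDesignDanglesAfterProviderDies());
  assert(SharedOwnershipOutlivesProvider());
  return 0;
}
```

The point of the second half is that destruction order stops mattering: the provider and the context can die in either order because neither holds a raw pointer into the other, and the command buffer is freed exactly once, when the last shared owner releases the table.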
Diffstat (limited to 'android_webview')
-rw-r--r-- | android_webview/browser/aw_render_thread_context_provider.cc | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/android_webview/browser/aw_render_thread_context_provider.cc b/android_webview/browser/aw_render_thread_context_provider.cc index 34531a5..748de1f 100644 --- a/android_webview/browser/aw_render_thread_context_provider.cc +++ b/android_webview/browser/aw_render_thread_context_provider.cc @@ -130,8 +130,8 @@ class GrContext* AwRenderThreadContextProvider::GrContext() { g_gles2_initializer.Get(); gles2::SetGLContext(ContextGL()); - skia::RefPtr<GrGLInterface> interface = - skia::AdoptRef(skia_bindings::CreateCommandBufferSkiaGLBinding()); + skia::RefPtr<GrGLInterface> interface = skia::AdoptRef(new GrGLInterface); + skia_bindings::InitCommandBufferSkiaGLBinding(interface.get()); interface->fCallback = BindGrContextCallback; interface->fCallbackData = reinterpret_cast<GrGLInterfaceCallbackData>(this); |
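Review bot: the android_webview path now allocates a bare `new GrGLInterface` and fills it in with `skia_bindings::InitCommandBufferSkiaGLBinding(interface.get())`, rather than the ref-counted owning subclass the commit message describes, and the unchanged lines that follow still store a raw pointer to the provider in `interface->fCallbackData = reinterpret_cast<GrGLInterfaceCallbackData>(this)`. So in AwRenderThreadContextProvider the interface's function pointers and callback data continue to reference state owned by the provider, which is the same destruction-order hazard the description says this CL removes. Either this GrContext is known never to outlive the provider, in which case a short comment at the `new GrGLInterface` line should say so, or the provider should hand the GrContext the same jointly owned interface object the rest of the CL introduces.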