diff options
| author | Greg Daniel <egdaniel@google.com> | 2018-09-05 13:27:27 -0400 |
|---|---|---|
| committer | Skia Commit-Bot <skia-commit-bot@chromium.org> | 2018-09-05 18:40:58 +0000 |
| commit | 469dd659a517eac9b5691140b1dfa400e6dd269b (patch) | |
| tree | 69f114f4b1ff6bc32ed157109df12604aabd0819 | |
| parent | 29a4a684af2525d78a1090fba2d3dea2b6a59fc7 (diff) | |
| download | platform_external_skqp-469dd659a517eac9b5691140b1dfa400e6dd269b.tar.gz platform_external_skqp-469dd659a517eac9b5691140b1dfa400e6dd269b.tar.bz2 platform_external_skqp-469dd659a517eac9b5691140b1dfa400e6dd269b.zip | |
On GrAHardwareBufferImageGenerator store the owned texture as a GrGpuResource instead of GrTexture.
Disassembly before change (crash on deref at 861310)
_ZN31GrAHardwareBufferImageGenerator17releaseTextureRefEv():
861297 external/skia/src/gpu/GrAHardwareBufferImageGenerator.cpp:112
861298 1eb738: 91010280 add x0, x20, #0x40
861299 1eb73c: aa1f03e1 mov x1, xzr
861300 1eb740: 97fc287c bl f5930 <_ZN5sk_spI14GrTextureProxyE5resetEPS0_>
861301 external/skia/src/gpu/GrAHardwareBufferImageGenerator.cpp:113
861302 1eb744: f9401a88 ldr x8, [x20,#48]
861303 1eb748: b4000168 cbz x8, 1eb774 <_ZN31GrAHardwareBufferImageGenerator17onGenerateTextureEP9GrContextRK11SkImageInfoRK8SkIPointb+0xac>
861304 external/skia/src/gpu/GrAHardwareBufferImageGenerator.cpp:117
861305 1eb74c: f9400109 ldr x9, [x8]
861306 external/skia/src/gpu/GrAHardwareBufferImageGenerator.cpp:118
861307 1eb750: 9101c3e0 add x0, sp, #0x70
861308 external/skia/src/gpu/GrAHardwareBufferImageGenerator.cpp:117
861309 1eb754: b9403a8a ldr w10, [x20,#56]
861310 1eb758: f85e8129 ldur x9, [x9,#-24]
861311 1eb75c: b9007bea str w10, [sp,#120]
861312 1eb760: 8b090108 add x8, x8, x9
861313 1eb764: f9003be8 str x8, [sp,#112]
861314 external/skia/src/gpu/GrAHardwareBufferImageGenerator.cpp:118
861315 1eb768: 97fffef6 bl 1eb340 <_ZN12SkMessageBusI25GrGpuResourceFreedMessageE4PostERKS0_>
861316 external/skia/src/gpu/GrAHardwareBufferImageGenerator.cpp:119
861317 1eb76c: f9001a9f str xzr, [x20,#48]
861318 external/skia/src/gpu/GrAHardwareBufferImageGenerator.cpp:120
861319 1eb770: b9003a9f str wzr, [x20,#56]
Disassembly with change (no more derefs):
768904 _ZN31GrAHardwareBufferImageGenerator17releaseTextureRefEv():
768905 external/skia/src/gpu/GrAHardwareBufferImageGenerator.cpp:105
768906 1b0c94: 91010260 add x0, x19, #0x40
768907 1b0c98: aa1f03e1 mov x1, xzr
768908 1b0c9c: 97fcb2a9 bl dd740 <_ZN5sk_spI14GrTextureProxyE5resetEPS0_>
768909 external/skia/src/gpu/GrAHardwareBufferImageGenerator.cpp:106
768910 1b0ca0: f9401a68 ldr x8, [x19,#48]
768911 1b0ca4: b4000108 cbz x8, 1b0cc4 <_ZN31GrAHardwareBufferImageGenerator9makeProxyEP9GrContext+0x84>
768912 external/skia/src/gpu/GrAHardwareBufferImageGenerator.cpp:110
768913 1b0ca8: b9403a69 ldr w9, [x19,#56]
768914 external/skia/src/gpu/GrAHardwareBufferImageGenerator.cpp:111
768915 1b0cac: 9100c3e0 add x0, sp, #0x30
768916 external/skia/src/gpu/GrAHardwareBufferImageGenerator.cpp:110
768917 1b0cb0: f9001be8 str x8, [sp,#48]
768918 1b0cb4: b9003be9 str w9, [sp,#56]
Bug: b/112859199
Change-Id: I5afab9b2bc6a3c13d2606ac9e09fb55929a14426
Reviewed-on: https://skia-review.googlesource.com/151822
Commit-Queue: Greg Daniel <egdaniel@google.com>
Reviewed-by: Mike Klein <mtklein@google.com>
| -rw-r--r-- | src/gpu/GrAHardwareBufferImageGenerator.cpp | 2 | ||||
| -rw-r--r-- | src/gpu/GrAHardwareBufferImageGenerator.h | 13 |
2 files changed, 13 insertions, 2 deletions
diff --git a/src/gpu/GrAHardwareBufferImageGenerator.cpp b/src/gpu/GrAHardwareBufferImageGenerator.cpp index 981337bb49..4920f1c809 100644 --- a/src/gpu/GrAHardwareBufferImageGenerator.cpp +++ b/src/gpu/GrAHardwareBufferImageGenerator.cpp @@ -348,7 +348,7 @@ void GrAHardwareBufferImageGenerator::makeProxy(GrContext* context) { AHardwareBuffer* hardwareBuffer = fHardwareBuffer; AHardwareBuffer_acquire(hardwareBuffer); - GrTexture** ownedTexturePtr = &fOwnedTexture; + GrGpuResource** ownedTexturePtr = &fOwnedTexture; const bool isProtectedContent = fIsProtectedContent; fCachedProxy = proxyProvider->createLazyProxy( diff --git a/src/gpu/GrAHardwareBufferImageGenerator.h b/src/gpu/GrAHardwareBufferImageGenerator.h index 1eefe1137c..ecf5d646a0 100644 --- a/src/gpu/GrAHardwareBufferImageGenerator.h +++ b/src/gpu/GrAHardwareBufferImageGenerator.h @@ -11,6 +11,8 @@ #include "GrTypesPriv.h" +class GrGpuResource; + extern "C" { typedef struct AHardwareBuffer AHardwareBuffer; } @@ -60,7 +62,16 @@ private: // There is never a ref associated with this pointer. We rely on our atomic bookkeeping // with the context ID to know when this pointer is valid and safe to use. This lets us // avoid releasing a ref from another thread, or get into races during context shutdown. - GrTexture* fOwnedTexture = nullptr; + // + // We store this object as a GrGpuResource* and not a GrTexture* even though we are always + // using a GrTexutre. The reason for this is that it is possible for the underlying GrTexture + // object to get freed before this class sends its unref message (i.e. if the owning GrContext + // is destroyed). In this case, when we try to create the unfef message to be posted, we end up + // casting the GrTexture* to a GrGpuResource*. Since GrTexture has virtual inheritance, this + // cast causes us to dereference the vptr to get the offset to the base pointer. In other words + // casting with virtual inheritance counts as a use and we hit a use after free issue. Thus if + // we store a GrGpuResource* here instead then we don't run into the issue of needing a cast. + GrGpuResource* fOwnedTexture = nullptr; uint32_t fOwningContextID = SK_InvalidGenID; uint32_t fBufferFormat; |