BlamKiwi / angleproject

Automatically exported from code.google.com/p/angleproject

BuiltInFunctionEmulator can cause TType destructors to be called on freed memory #1010

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
BuiltInFunctionEmulator stores a vector of FunctionId objects, which contain 
TType objects. These in turn contain TString objects, for which memory is 
reserved by the PoolAllocator. PoolAllocator will free the memory reserved for 
the TStrings before the BuiltInFunctionEmulator instance is destroyed. 
BuiltInFunctionEmulator destruction can then cause use-after-free issues.

Original issue reported on code.google.com by oetu...@nvidia.com on 26 May 2015 at 1:00
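The lifetime problem described in the report, as an added example that is not part of the original issue or of ANGLE's code base: a small pool allocator that releases everything at once, a pool-backed string whose destructor touches pooled memory, an emulator that stores such strings by value (the shape described above), and an emulator that stores only pointers (the shape the fix moves to). PoolAllocator, PoolString, FunctionIdByValue, the two Emulator classes, the built-in function names and the generation counter are all simplifications assumed for this example; the generation check is instrumentation that counts the stale destructor accesses instead of actually dereferencing freed memory.

```cpp
// Added example, not ANGLE code: a scaled-down model of the lifetime bug in
// issue 1010 and of the pointer-only fix. Names are stand-ins for ANGLE's
// PoolAllocator, TString, FunctionId and BuiltInFunctionEmulator.
#include <cstddef>
#include <cstring>
#include <memory>
#include <new>
#include <utility>
#include <vector>

// Pool that hands out blocks and releases all of them in one pop(). The static
// generation counter is instrumentation for this example: a handle can compare
// it with the value seen at allocation time to tell whether its pool was popped.
class PoolAllocator {
public:
    ~PoolAllocator() { pop(); }
    char* allocate(std::size_t n) {
        blocks_.push_back(std::unique_ptr<char[]>(new char[n]));
        return blocks_.back().get();
    }
    void pop() {
        blocks_.clear();   // every pooled block is returned to the system here
        ++s_generation;
    }
    static unsigned generation() { return s_generation; }
private:
    std::vector<std::unique_ptr<char[]>> blocks_;
    static unsigned s_generation;
};
unsigned PoolAllocator::s_generation = 0;

// Counts destructor runs that would have touched released pool memory.
int gStaleDestructorAccesses = 0;

// String whose character data lives in the pool (like a std::string with a pool
// allocator). Its destructor writes to the pooled buffer, standing in for any
// destructor that reads or frees pooled data. Move-only, so a vector can grow
// without leaving two live handles to the same buffer.
class PoolString {
public:
    PoolString(PoolAllocator& pool, const char* s)
        : gen_(PoolAllocator::generation()), len_(std::strlen(s)), data_(pool.allocate(len_ + 1)) {
        std::memcpy(data_, s, len_ + 1);
    }
    PoolString(PoolString&& o) noexcept : gen_(o.gen_), len_(o.len_), data_(o.data_) { o.data_ = nullptr; }
    PoolString(const PoolString&) = delete;
    PoolString& operator=(const PoolString&) = delete;
    ~PoolString() {
        if (!data_) return;                           // moved-from: nothing to release
        if (PoolAllocator::generation() != gen_) {    // pool popped since allocation
            ++gStaleDestructorAccesses;               // real code would dereference freed memory here
            return;
        }
        data_[0] = '\0';                              // pool still live: touching the buffer is fine
    }
private:
    unsigned gen_;
    std::size_t len_;
    char* data_;
};

// Pre-fix shape: the emulator owns FunctionId objects by value, so destroying
// the emulator runs ~PoolString for every entry, whatever state the pool is in.
struct FunctionIdByValue {
    PoolString name;
    explicit FunctionIdByValue(PoolString n) : name(std::move(n)) {}
};

class EmulatorByValue {
public:
    void addFunction(PoolAllocator& pool, const char* name) { functions_.emplace_back(PoolString(pool, name)); }
private:
    std::vector<FunctionIdByValue> functions_;
};

// Post-fix shape: the emulator keeps only pointers to objects that live in the
// pool. The objects are placed in the pool and never destructed individually;
// the pool drops them wholesale, and a vector of raw pointers touches no pooled
// memory when it is destroyed.
class EmulatorByPointer {
public:
    void addFunction(PoolAllocator& pool, const char* name) {
        functions_.push_back(new (pool.allocate(sizeof(PoolString))) PoolString(pool, name));
    }
private:
    std::vector<const PoolString*> functions_;
};

// Reproduces the order of events from the report: the pool is released while
// the emulator is still alive. The function names are made up for the example.
template <class Emulator>
int staleAccessesWhenPoolDiesFirst() {
    gStaleDestructorAccesses = 0;
    {
        Emulator emulator;    // constructed first, so destroyed last
        PoolAllocator pool;   // destroyed first: releases every pooled block
        emulator.addFunction(pool, "abs(int)");
        emulator.addFunction(pool, "sign(int)");
        emulator.addFunction(pool, "fma(float,float,float)");
    }                         // ~PoolAllocator runs, then ~Emulator
    return gStaleDestructorAccesses;
}

int staleAccessesByValue()   { return staleAccessesWhenPoolDiesFirst<EmulatorByValue>(); }   // 3
int staleAccessesByPointer() { return staleAccessesWhenPoolDiesFirst<EmulatorByPointer>(); } // 0
```

The by-value emulator reports one stale access per stored function; the pointer-only emulator reports none, because nothing in its destructor follows a pointer into the pool. The same check applies to any object that outlives a pool it borrowed from: either it must hold nothing whose destructor touches pooled memory, or it must be torn down before the pool is popped.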

GoogleCodeExporter commented 9 years ago
The following revision refers to this bug:
  https://chromium.googlesource.com/angle/angle/+/950457b30274414efed0ffd4d6d15ffc8da44e64

commit 950457b30274414efed0ffd4d6d15ffc8da44e64
Author: Olli Etuaho <oetuaho@nvidia.com>
Date: Tue May 26 11:36:59 2015

Fix destructing TStrings through BuiltInFunctionEmulator after free

BuiltInFunctionEmulator gets destructed after the PoolAllocator has already
freed memory. That's why BuiltInFunctionEmulator can't hold any objects that
contain parts stored in the memory pool that would be accessed in its
destructor. Use only pointers to TType objects inside
BuiltInFunctionEmulator, so that the BuiltInFunctionEmulator destructor doesn't
access TStrings which have data in the memory pool.

Also fix style issues in BuiltInFunctionEmulator.

BUG=angleproject:1010
TEST=dEQP-GLES3.functional.shaders.builtin_functions.*

Change-Id: Ic35caf80bf125d0427c2ed2024e98657756103b6
Reviewed-on: https://chromium-review.googlesource.com/272738
Tested-by: Olli Etuaho <oetuaho@nvidia.com>
Reviewed-by: Zhenyao Mo <zmo@chromium.org>

[modify] http://crrev.com/950457b30274414efed0ffd4d6d15ffc8da44e64/src/compiler/translator/BuiltInFunctionEmulator.cpp
[modify] http://crrev.com/950457b30274414efed0ffd4d6d15ffc8da44e64/src/compiler/translator/BuiltInFunctionEmulator.h
[modify] http://crrev.com/950457b30274414efed0ffd4d6d15ffc8da44e64/src/compiler/translator/BuiltInFunctionEmulatorHLSL.cpp
[modify] http://crrev.com/950457b30274414efed0ffd4d6d15ffc8da44e64/src/compiler/translator/BuiltInFunctionEmulatorGLSL.cpp

Original comment by bugdroid1@chromium.org on 27 May 2015 at 6:09

GoogleCodeExporter commented 9 years ago

Original comment by oetu...@nvidia.com on 27 May 2015 at 6:15