Buffer11: Fix use-after-free with system memory storage.

Certain use patterns could trigger a deallocation of the system memory storage as it was being initialized. Fix this by resetting the idle counter before we enter into the internal update which would trigger the deallocation check. BUG=chromium:682020 Change-Id: Ic3dac78ffa778cbaf103820a23eea009ce439d5c Reviewed-on: https://chromium-review.googlesource.com/430304Reviewed-by: Geoff Lang <geofflang@chromium.org> Reviewed-by: Corentin Wallez <cwallez@chromium.org> Commit-Queue: Jamie Madill <jmadill@chromium.org> (cherry picked from commit c1a5d16e) Reviewed-on: https://chromium-review.googlesource.com/434066Reviewed-by: Jamie Madill <jmadill@chromium.org>

Buffer11: Fix use-after-free with system memory storage.
a4aaa2de · Jamie Madill · 555009ce · a4aaa2de · a4aaa2de
Commit a4aaa2de authored Jan 18, 2017 by Jamie Madill
Hide whitespace changes
Inline Side-by-side

Showing with 18 additions and 6 deletions

Buffer11.cpp src/libANGLE/renderer/d3d/d3d11/Buffer11.cpp +16 -5

Buffer11.h src/libANGLE/renderer/d3d/d3d11/Buffer11.h +2 -1

No files found.
--- a/src/libANGLE/renderer/d3d/d3d11/Buffer11.cpp
+++ b/src/libANGLE/renderer/d3d/d3d11/Buffer11.cpp
@@ -571,16 +571,19 @@ bool Buffer11::canDeallocateSystemMemory() const
            mSize <= mRenderer->getNativeCaps().maxUniformBlockSize);
 }

-gl::Error Buffer11::markBufferUsage(BufferUsage usage)
+void Buffer11::markBufferUsage(BufferUsage usage)
 {
    mIdleness[usage] = 0;
+}

-    if (usage != BUFFER_USAGE_SYSTEM_MEMORY && canDeallocateSystemMemory())
+gl::Error Buffer11::garbageCollection(BufferUsage currentUsage)
+{
+    if (currentUsage != BUFFER_USAGE_SYSTEM_MEMORY && canDeallocateSystemMemory())
    {
        ANGLE_TRY(checkForDeallocation(BUFFER_USAGE_SYSTEM_MEMORY));
    }

-    if (usage != BUFFER_USAGE_STAGING)
+    if (currentUsage != BUFFER_USAGE_STAGING)
    {
        ANGLE_TRY(checkForDeallocation(BUFFER_USAGE_STAGING));
    }
@@ -686,14 +689,18 @@ gl::ErrorOrResult<Buffer11::BufferStorage *> Buffer11::getBufferStorage(BufferUs
        newStorage = allocateStorage(usage);
    }

+    markBufferUsage(usage);
+
    // resize buffer
    if (newStorage->getSize() < mSize)
    {
        ANGLE_TRY(newStorage->resize(mSize, true));
    }

+    ASSERT(newStorage);
+
    ANGLE_TRY(updateBufferStorage(newStorage, 0, mSize));
-    ANGLE_TRY(markBufferUsage(usage));
+    ANGLE_TRY(garbageCollection(usage));

    return newStorage;
 }
@@ -737,6 +744,8 @@ gl::ErrorOrResult<Buffer11::BufferStorage *> Buffer11::getConstantBufferRangeSto
        newStorage           = cacheEntry->storage;
    }

+    markBufferUsage(BUFFER_USAGE_UNIFORM);
+
    if (newStorage->getSize() < static_cast<size_t>(size))
    {
        size_t maximumAllowedAdditionalSize = 2 * getSize();
@@ -771,7 +780,7 @@ gl::ErrorOrResult<Buffer11::BufferStorage *> Buffer11::getConstantBufferRangeSto
    }

    ANGLE_TRY(updateBufferStorage(newStorage, offset, size));
-    ANGLE_TRY(markBufferUsage(BUFFER_USAGE_UNIFORM));
+    ANGLE_TRY(garbageCollection(BUFFER_USAGE_UNIFORM));
    return newStorage;
 }

@@ -782,6 +791,8 @@ gl::Error Buffer11::updateBufferStorage(BufferStorage *storage,
    BufferStorage *latestBuffer = nullptr;
    ANGLE_TRY_RESULT(getLatestBufferStorage(), latestBuffer);

+    ASSERT(storage);
+
    if (latestBuffer && latestBuffer->getDataRevision() > storage->getDataRevision())
    {
        // Copy through a staging buffer if we're copying from or to a non-staging, mappable

--- a/src/libANGLE/renderer/d3d/d3d11/Buffer11.h
+++ b/src/libANGLE/renderer/d3d/d3d11/Buffer11.h
@@ -106,7 +106,8 @@ class Buffer11 : public BufferD3D
        unsigned int lruCount;
    };

-    gl::Error markBufferUsage(BufferUsage usage);
+    void markBufferUsage(BufferUsage usage);
+    gl::Error garbageCollection(BufferUsage currentUsage);
    gl::ErrorOrResult<NativeStorage *> getStagingStorage();
    gl::ErrorOrResult<PackStorage *> getPackStorage();
    gl::ErrorOrResult<SystemMemoryStorage *> getSystemMemoryStorage();