commit 438dbcf15299a2abcc432d1670aa8e475ea55707
author Jamie Madill <jmadill@chromium.org> Fri Jun 17 14:20:05 2016 -0400
committer Commit Bot <commit-bot@chromium.org> Fri Jun 17 20:00:40 2016 +0000
tree eb5b2ea71f5a3ce9da3a3c414267bbc7fae795c6
parent 8bcba14727e99bf5e0fd25c323b93a73fcf28978

translator: Fix builtin function emulator use-after-free.

We were calling the global pool allocator in the builtin function
emulator, which would lead to us freeing TTypes that were still
referenced. Fix this by using the TCache which was designed for
such a purpose, and locking the allocator around the builtin
function emulator to try and prevent similar bugs from creeping
in.

Eventually we would like to get rid of the global allocator and
replace it with different pools in different contexts, which are
managed more safely.

BUG=620937

Change-Id: If501ff6ea4d9bf8a2b8f89f2c94a01386f79ee3a
Reviewed-on: https://chromium-review.googlesource.com/353671
Reviewed-by: Geoff Lang <geofflang@chromium.org>
Reviewed-by: Corentin Wallez <cwallez@chromium.org>
Commit-Queue: Jamie Madill <jmadill@chromium.org>

src/compiler/translator/Compiler.cpp

diff --git a/src/compiler/translator/Compiler.cpp b/src/compiler/translator/Compiler.cpp
index 93062ca..3c7742a 100644
--- a/src/compiler/translator/Compiler.cpp
+++ b/src/compiler/translator/Compiler.cpp
@@ -318,7 +318,10 @@
         // Built-in function emulation needs to happen after validateLimitations pass.
         if (success)
         {
+            // TODO(jmadill): Remove global pool allocator.
+            GetGlobalPoolAllocator()->lock();
             initBuiltInFunctionEmulator(&builtInFunctionEmulator, compileOptions);
+            GetGlobalPoolAllocator()->unlock();
             builtInFunctionEmulator.MarkBuiltInFunctionsForEmulation(root);
         }