translator: Fix builtin function emulator use-after-free.
We were calling the global pool allocator in the builtin function
emulator, which would lead to us freeing TTypes that were still
referenced. Fix this by using the TCache which was designed for
such a purpose, and locking the allocator around the builtin
function emulator to try and prevent similar bugs from creeping
in.
Eventually we would like to get rid of the global allocator and
replace it with different pools in different contexts, which are
managed more safely.
BUG=620937
Change-Id: If501ff6ea4d9bf8a2b8f89f2c94a01386f79ee3a
Reviewed-on: https://chromium-review.googlesource.com/353671
Reviewed-by: Geoff Lang <geofflang@chromium.org>
Reviewed-by: Corentin Wallez <cwallez@chromium.org>
Commit-Queue: Jamie Madill <jmadill@chromium.org>
diff --git a/src/compiler/translator/PoolAlloc.cpp b/src/compiler/translator/PoolAlloc.cpp
index 887cb66..27e1c06 100644
--- a/src/compiler/translator/PoolAlloc.cpp
+++ b/src/compiler/translator/PoolAlloc.cpp
@@ -6,16 +6,16 @@
#include "compiler/translator/PoolAlloc.h"
-#include "compiler/translator/InitializeGlobals.h"
-
-#include "common/platform.h"
-#include "common/angleutils.h"
-#include "common/tls.h"
-
#include <stdint.h>
#include <stdio.h>
#include <assert.h>
+#include "common/angleutils.h"
+#include "common/debug.h"
+#include "common/platform.h"
+#include "common/tls.h"
+#include "compiler/translator/InitializeGlobals.h"
+
TLSIndex PoolIndex = TLS_INVALID_INDEX;
bool InitializePoolIndex()
@@ -56,7 +56,8 @@
freeList(0),
inUseList(0),
numCalls(0),
- totalBytes(0)
+ totalBytes(0),
+ mLocked(false)
{
//
// Don't allow page sizes we know are smaller than all common
@@ -206,6 +207,8 @@
void* TPoolAllocator::allocate(size_t numBytes)
{
+ ASSERT(!mLocked);
+
//
// Just keep some interesting statistics.
//
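Review bot: The `ASSERT(!mLocked);` added at the top of allocate() is a debug-build guard only — if ANGLE's ASSERT from common/debug.h (newly included by this change) follows the usual pattern and compiles to nothing in release builds, a locked pool will still hand out memory there and the use-after-free class this commit targets is caught only in debug runs. That is a reasonable trade-off for an allocator hot path, but it should be stated next to the check so nobody relies on it as an enforcement boundary: `// Debug-only: lock() forbids allocation from this pool (see lock()/unlock()); release builds do not check.` If hard enforcement is wanted instead, the check should be unconditional rather than an ASSERT. The rest of allocate() continues outside the hunk.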
@@ -284,6 +287,17 @@
return initializeAllocation(inUseList, ret, numBytes);
}
+void TPoolAllocator::lock()
+{
+ ASSERT(!mLocked);
+ mLocked = true;
+}
+
+void TPoolAllocator::unlock()
+{
+ ASSERT(mLocked);
+ mLocked = false;
+}
//
// Check all allocations in a list for damage by calling check on each.
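Review bot: lock() and unlock() are a manual pair with no scope tie-in, so any early return or thrown error in the caller between the two leaves mLocked set for the rest of the pool's life, after which every later allocate() trips the assert in debug builds and, presumably, goes unnoticed in release. Since this lock exists to fence the builtin-function emulator, a scoped RAII guard in PoolAlloc.h would make the pairing impossible to miss and is the form I would call from the emulator. Each method should also carry a one-line comment, e.g. `// Forbid allocate() until unlock(); only checked via ASSERT, so debug builds only.` on lock() and `// Re-enable allocation; must follow a matching lock().` on unlock(). The `ASSERT(mLocked)` in unlock() has the same debug-only caveat as the one in allocate().
```cpp
// Scoped guard: forbids allocation from `allocator` for the guard's lifetime
// by calling lock() on construction and unlock() on destruction.
class TPoolAllocatorLock
{
  public:
    explicit TPoolAllocatorLock(TPoolAllocator &allocator) : mAllocator(allocator)
    {
        mAllocator.lock();
    }
    ~TPoolAllocatorLock() { mAllocator.unlock(); }

  private:
    TPoolAllocator &mAllocator;
    // Copying would double-unlock; keep the guard non-copyable.
    TPoolAllocatorLock(const TPoolAllocatorLock &);
    TPoolAllocatorLock &operator=(const TPoolAllocatorLock &);
};
```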