Context: directly delete the resource instead of also detaching
Otherwise when detaching vertex array 0 and N the following would happen:
- call Context::deleteVertexArray(0)
- call Context::detachVertexArray(0)
- call State::removeVertexArrayBinding(0)
set mVertexArray to nullptr, returns true
- call State::bindVertexArray(0)
reset mVertexArray to its previous value
- call Context::deleteVertexArray(n)
- call Context::detachVertexArray(n)
- call State::removeVertexArrayBinding(n)
Incorrectly calls mVertexArray->id(), which is a use-after-free.
BUG=angleproject:1137
Change-Id: I594044fee6c90b1775a61943b15df92bf323ff2a
Reviewed-on: https://chromium-review.googlesource.com/295123
Reviewed-by: Jamie Madill <jmadill@chromium.org>
Reviewed-by: Geoff Lang <geofflang@chromium.org>
Tested-by: Corentin Wallez <cwallez@chromium.org>
diff --git a/src/libANGLE/Context.cpp b/src/libANGLE/Context.cpp
index 3325a5c..40f4373 100644
--- a/src/libANGLE/Context.cpp
+++ b/src/libANGLE/Context.cpp
@@ -140,25 +140,25 @@
}
}
- while (!mFenceNVMap.empty())
+ for (auto fence : mFenceNVMap)
{
- deleteFenceNV(mFenceNVMap.begin()->first);
+ SafeDelete(fence.second);
}
- while (!mQueryMap.empty())
+ for (auto query : mQueryMap)
{
- deleteQuery(mQueryMap.begin()->first);
+ query.second->release();
}
- while (!mVertexArrayMap.empty())
+ for (auto vertexArray : mVertexArrayMap)
{
- deleteVertexArray(mVertexArrayMap.begin()->first);
+ SafeDelete(vertexArray.second);
}
mTransformFeedbackZero.set(NULL);
- while (!mTransformFeedbackMap.empty())
+ for (auto transformFeedback : mTransformFeedbackMap)
{
- deleteTransformFeedback(mTransformFeedbackMap.begin()->first);
+ SafeDelete(transformFeedback.second);
}
for (auto &zeroTexture : mZeroTextures)