Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / skia / 351b8d8ce2cb4352fa4e6d58ed9ae444c1ce24f5^! / . / src / gpu / GrBlockAllocator.cpp
commit351b8d8ce2cb4352fa4e6d58ed9ae444c1ce24f5[log] [tgz]
authorJohn Stiles <johnstiles@google.com>Tue Nov 03 13:51:07 2020 -0500
committerSkia Commit-Bot <skia-commit-bot@chromium.org>Tue Nov 03 19:31:35 2020 +0000
tree019b6fb4f8be37c4ea02aa6da473c573602431d4
parent52991f8c81aacc5a7e38daedcfe6744c8b8e5c1e [diff] [blame]
Poison unallocated block memory in GrBlockAllocator.

This will allow ASAN to detect use-after-free errors in pooled memory,
enabling our fuzzers to catch errors sooner.

Testing with oss-fuzz:26942 : http://screen/C5TEbu3CJvHzRqA

Change-Id: Ic47d6b043998e5069525490cd25b2390cad94360
Bug: skia:10885
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/331482
Reviewed-by: Michael Ludwig <michaelludwig@google.com>
Commit-Queue: John Stiles <johnstiles@google.com>
Auto-Submit: John Stiles <johnstiles@google.com>

diff --git a/src/gpu/GrBlockAllocator.cpp b/src/gpu/GrBlockAllocator.cpp
index 181c74d..bac879d 100644
--- a/src/gpu/GrBlockAllocator.cpp
+++ b/src/gpu/GrBlockAllocator.cpp

@@ -23,7 +23,7 @@
         , fN1(1)
         // The head block always fills remaining space from GrBlockAllocator's size, because it's
         // inline, but can take over the specified number of bytes immediately after it.
-        , fHead(nullptr, additionalPreallocBytes + BaseHeadBlockSize()) {
+        , fHead(/*prev=*/nullptr, additionalPreallocBytes + BaseHeadBlockSize()) {
     SkASSERT(fBlockIncrement >= 1);
     SkASSERT(additionalPreallocBytes <= kMaxAllocationSize);
 }
@@ -37,9 +37,13 @@
          , fAllocatorMetadata(0) {
     SkASSERT(allocationSize >= (int) sizeof(Block));
     SkDEBUGCODE(fSentinel = kAssignedMarker;)
+
+    this->poisonRange(kDataStart, fSize);
 }
 
 GrBlockAllocator::Block::~Block() {
+    this->unpoisonRange(kDataStart, fSize);
+
     SkASSERT(fSentinel == kAssignedMarker);
     SkDEBUGCODE(fSentinel = kFreedMarker;) // FWIW
 }
@@ -94,6 +98,7 @@
         // Reset the cursor of the head block so that it can be reused if it becomes the new tail
         block->fCursor = kDataStart;
         block->fMetadata = 0;
+        block->poisonRange(kDataStart, block->fSize);
         // Unlike in reset(), we don't set the head's next block to null because there are
         // potentially heap-allocated blocks that are still connected to it.
     } else {
@@ -168,6 +173,7 @@
             // For reset(), but NOT releaseBlock(), the head allocatorMetadata and scratch block
             // are reset/destroyed.
             b->fAllocatorMetadata = 0;
+            b->poisonRange(kDataStart, b->fSize);
             this->resetScratchSpace();
         } else {
             delete b;