| OLD | NEW |
|---|
| 1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "base/command_line.h" | 5 #include "base/command_line.h" |
| 6 #include "base/run_loop.h" | 6 #include "base/run_loop.h" |
| 7 #include "content/browser/gpu/browser_gpu_channel_host_factory.h" | 7 #include "content/browser/gpu/browser_gpu_channel_host_factory.h" |
| 8 #include "content/browser/gpu/gpu_process_host_ui_shim.h" | 8 #include "content/browser/gpu/gpu_process_host_ui_shim.h" |
| 9 #include "content/common/gpu/client/context_provider_command_buffer.h" | 9 #include "content/common/gpu/client/context_provider_command_buffer.h" |
| 10 #include "content/common/gpu/client/webgraphicscontext3d_command_buffer_impl.h" | 10 #include "content/common/gpu/client/webgraphicscontext3d_command_buffer_impl.h" |
| 11 #include "content/common/gpu/gpu_process_launch_causes.h" | 11 #include "content/common/gpu/gpu_process_launch_causes.h" |
| 12 #include "content/public/browser/gpu_data_manager.h" | 12 #include "content/public/browser/gpu_data_manager.h" |
| 13 #include "content/public/common/content_switches.h" | 13 #include "content/public/common/content_switches.h" |
| 14 #include "content/public/test/content_browser_test.h" | 14 #include "content/public/test/content_browser_test.h" |
| 15 #include "gpu/blink/webgraphicscontext3d_in_process_command_buffer_impl.h" | 15 #include "gpu/blink/webgraphicscontext3d_in_process_command_buffer_impl.h" |
| 16 #include "third_party/skia/include/core/SkSurface.h" |
| 17 #include "third_party/skia/include/gpu/GrContext.h" |
| 16 #include "ui/gl/gl_switches.h" | 18 #include "ui/gl/gl_switches.h" |
| 17 | 19 |
| 18 namespace { | 20 namespace { |
| 19 | 21 |
| 20 using content::WebGraphicsContext3DCommandBufferImpl; | 22 using content::WebGraphicsContext3DCommandBufferImpl; |
| 21 | 23 |
| 22 const content::CauseForGpuLaunch kInitCause = | 24 const content::CauseForGpuLaunch kInitCause = |
| 23 content:: | 25 content:: |
| 24 CAUSE_FOR_GPU_LAUNCH_WEBGRAPHICSCONTEXT3DCOMMANDBUFFERIMPL_INITIALIZE; | 26 CAUSE_FOR_GPU_LAUNCH_WEBGRAPHICSCONTEXT3DCOMMANDBUFFERIMPL_INITIALIZE; |
| 25 | 27 |
| (...skipping 164 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 190 kInitCause, | 192 kInitCause, |
| 191 base::Bind(&BrowserGpuChannelHostFactoryTest::Signal, &event)); | 193 base::Bind(&BrowserGpuChannelHostFactoryTest::Signal, &event)); |
| 192 EXPECT_TRUE(event); | 194 EXPECT_TRUE(event); |
| 193 EXPECT_EQ(gpu_channel.get(), GetGpuChannel()); | 195 EXPECT_EQ(gpu_channel.get(), GetGpuChannel()); |
| 194 } | 196 } |
| 195 #endif | 197 #endif |
| 196 | 198 |
| 197 // Test fails on Chromeos + Mac, flaky on Windows because UI Compositor | 199 // Test fails on Chromeos + Mac, flaky on Windows because UI Compositor |
| 198 // establishes a GPU channel. | 200 // establishes a GPU channel. |
| 199 #if defined(OS_LINUX) && !defined(OS_CHROMEOS) | 201 #if defined(OS_LINUX) && !defined(OS_CHROMEOS) |
| 202 #define MAYBE_GrContextKeepsGpuChannelAlive GrContextKeepsGpuChannelAlive |
| 203 #else |
| 204 #define MAYBE_GrContextKeepsGpuChannelAlive \ |
| 205 DISABLED_GrContextKeepsGpuChannelAlive |
| 206 #endif |
| 207 IN_PROC_BROWSER_TEST_F(BrowserGpuChannelHostFactoryTest, |
| 208 MAYBE_GrContextKeepsGpuChannelAlive) { |
| 209 // Test for crbug.com/551143 |
| 210 // This test verifies that holding a reference to the GrContext created by |
| 211 // a ContextProviderCommandBuffer will keep the gpu channel alive after the |
| 212 // provider has been destroyed. Without this behavior, user code would have |
| 213 // to be careful to destroy objects in the right order to avoid using freed |
| 214 // memory as a function pointer in the GrContext's GrGLInterface instance. |
| 215 DCHECK(!IsChannelEstablished()); |
| 216 EstablishAndWait(); |
| 217 |
| 218 GpuChannelHost* host = GetGpuChannel(); |
| 219 |
| 220 // Expect one ref held by the factory. |
| 221 EXPECT_TRUE(host->HasOneRef()); |
| 222 |
| 223 // Step 1: sanity check: verify that construction+destruction of context |
| 224 // provider will ref/unref 'host' |
| 225 scoped_refptr<ContextProviderCommandBuffer> provider = |
| 226 ContextProviderCommandBuffer::Create(CreateContext(), |
| 227 OFFSCREEN_CONTEXT_FOR_TESTING); |
| 228 EXPECT_FALSE(host->HasOneRef()); |
| 229 provider = nullptr; |
| 230 EXPECT_TRUE(host->HasOneRef()); |
| 231 |
| 232 // Step 2: verify that holding onto the provider's GrContext will |
| 233 // retain the host after provider is destroyed. |
| 234 provider = ContextProviderCommandBuffer::Create(CreateContext(), |
| 235 OFFSCREEN_CONTEXT_FOR_TESTING); |
| 236 EXPECT_FALSE(host->HasOneRef()); |
| 237 skia::RefPtr<GrContext> gr_context = skia::AdoptRef(provider->GrContext()); |
| 238 EXPECT_FALSE(host->HasOneRef()); |
| 239 provider = nullptr; |
| 240 EXPECT_FALSE(host->HasOneRef()); |
| 241 |
| 242 SkImageInfo info = SkImageInfo::MakeN32Premul(1, 1); |
| 243 skia::RefPtr<SkSurface> surface = skia::AdoptRef(SkSurface::NewRenderTarget( |
| 244 gr_context.get(), SkSurface::kNo_Budgeted, info)); |
| 245 EXPECT_FALSE(host->HasOneRef()); |
| 246 gr_context = nullptr; |
| 247 EXPECT_FALSE(host->HasOneRef()); // GrContext kept alive by surface. |
| 248 surface = nullptr; |
| 249 EXPECT_TRUE(host->HasOneRef()); |
| 250 } |
| 251 |
| 252 // Test fails on Chromeos + Mac, flaky on Windows because UI Compositor |
| 253 // establishes a GPU channel. |
| 254 #if defined(OS_LINUX) && !defined(OS_CHROMEOS) |
| 200 #define MAYBE_CrashAndRecover | 255 #define MAYBE_CrashAndRecover |
| 201 #else | 256 #else |
| 202 #define MAYBE_CrashAndRecover DISABLED_CrashAndRecover | 257 #define MAYBE_CrashAndRecover DISABLED_CrashAndRecover |
| 203 #endif | 258 #endif |
| 204 IN_PROC_BROWSER_TEST_F(BrowserGpuChannelHostFactoryTest, | 259 IN_PROC_BROWSER_TEST_F(BrowserGpuChannelHostFactoryTest, |
| 205 MAYBE_CrashAndRecover) { | 260 MAYBE_CrashAndRecover) { |
| 206 DCHECK(!IsChannelEstablished()); | 261 DCHECK(!IsChannelEstablished()); |
| 207 EstablishAndWait(); | 262 EstablishAndWait(); |
| 208 scoped_refptr<GpuChannelHost> host = GetGpuChannel(); | 263 scoped_refptr<GpuChannelHost> host = GetGpuChannel(); |
| 209 | 264 |
| (...skipping 12 matching lines...) Expand all Loading... |
| 222 shim->SimulateCrash(); | 277 shim->SimulateCrash(); |
| 223 run_loop.Run(); | 278 run_loop.Run(); |
| 224 | 279 |
| 225 EXPECT_EQ(1, counter); | 280 EXPECT_EQ(1, counter); |
| 226 EXPECT_FALSE(IsChannelEstablished()); | 281 EXPECT_FALSE(IsChannelEstablished()); |
| 227 EstablishAndWait(); | 282 EstablishAndWait(); |
| 228 EXPECT_TRUE(IsChannelEstablished()); | 283 EXPECT_TRUE(IsChannelEstablished()); |
| 229 } | 284 } |
| 230 | 285 |
| 231 } // namespace content | 286 } // namespace content |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1414683003:
Fix gpu command buffer use after free by GrContext (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master