Fix gpu command buffer use after free by GrContext

content/common/gpu/client/context_provider_command_buffer.cc

Index: content/common/gpu/client/context_provider_command_buffer.cc
diff --git a/content/common/gpu/client/context_provider_command_buffer.cc b/content/common/gpu/client/context_provider_command_buffer.cc
index 7b16a0278cfcb824c4e4dda2eb05307b204f612b..b624d1d96f8c008ac02958252e2c8455cd880b82 100644
--- a/content/common/gpu/client/context_provider_command_buffer.cc
+++ b/content/common/gpu/client/context_provider_command_buffer.cc
@@ -21,11 +21,11 @@ class ContextProviderCommandBuffer::LostContextCallbackProxy
  public:
   explicit LostContextCallbackProxy(ContextProviderCommandBuffer* provider)
       : provider_(provider) {
-    provider_->context3d_->setContextLostCallback(this);
+    provider_->WebContext3DNoChecks()->setContextLostCallback(this);
   }
 
   ~LostContextCallbackProxy() override {
-    provider_->context3d_->setContextLostCallback(NULL);
+    provider_->WebContext3DNoChecks()->setContextLostCallback(NULL);
   }
 
   void onContextLost() override { provider_->OnLostContext(); }
@@ -47,11 +47,12 @@ ContextProviderCommandBuffer::Create(
 ContextProviderCommandBuffer::ContextProviderCommandBuffer(
     scoped_ptr<WebGraphicsContext3DCommandBufferImpl> context3d,
     CommandBufferContextType type)
-    : context3d_(context3d.Pass()),
-      context_type_(type),
+    : context_type_(type),
       debug_name_(CommandBufferContextTypeToString(type)) {
+  gr_interface_ = skia::AdoptRef(new GrGLInterfaceForWebGraphicsContext3D(
+      context3d.Pass()));
   DCHECK(main_thread_checker_.CalledOnValidThread());
-  DCHECK(context3d_);
+  DCHECK(gr_interface_->WebContext3D());
   context_thread_checker_.DetachFromThread();
 }
 
@@ -60,41 +61,50 @@ ContextProviderCommandBuffer::~ContextProviderCommandBuffer() {
          context_thread_checker_.CalledOnValidThread());
 
   // Destroy references to the context3d_ before leaking it.
-  if (context3d_->GetCommandBufferProxy())
-    context3d_->GetCommandBufferProxy()->SetLock(nullptr);
+  if (WebContext3DNoChecks()->GetCommandBufferProxy())
+    WebContext3DNoChecks()->GetCommandBufferProxy()->SetLock(nullptr);
   lost_context_callback_proxy_.reset();
 }
 
 
 CommandBufferProxyImpl* ContextProviderCommandBuffer::GetCommandBufferProxy() {
-  return context3d_->GetCommandBufferProxy();
+  return WebContext3D()->GetCommandBufferProxy();
 }
 
 WebGraphicsContext3DCommandBufferImpl*
 ContextProviderCommandBuffer::WebContext3D() {
-  DCHECK(context3d_);
+  DCHECK(gr_interface_);
+  DCHECK(gr_interface_->WebContext3D());
   DCHECK(lost_context_callback_proxy_);  // Is bound to thread.
   DCHECK(context_thread_checker_.CalledOnValidThread());
 
-  return context3d_.get();
+  return WebContext3DNoChecks();
+}
+
+WebGraphicsContext3DCommandBufferImpl*
+    ContextProviderCommandBuffer::WebContext3DNoChecks() {
+  return static_cast<WebGraphicsContext3DCommandBufferImpl*>(
+      gr_interface_->WebContext3D());
 }
 
 bool ContextProviderCommandBuffer::BindToCurrentThread() {
   // This is called on the thread the context will be used.
   DCHECK(context_thread_checker_.CalledOnValidThread());
+  DCHECK(gr_interface_ && gr_interface_->WebContext3D());
 
   if (lost_context_callback_proxy_)
     return true;
 
-  context3d_->SetContextType(context_type_);
-  if (!context3d_->InitializeOnCurrentThread())
+  WebContext3DNoChecks()->SetContextType(context_type_);
+  if (!WebContext3DNoChecks()->InitializeOnCurrentThread())
     return false;
 
   InitializeCapabilities();
 
   std::string unique_context_name =
-      base::StringPrintf("%s-%p", debug_name_.c_str(), context3d_.get());
-  context3d_->traceBeginCHROMIUM("gpu_toplevel", unique_context_name.c_str());
+      base::StringPrintf("%s-%p", debug_name_.c_str(), WebContext3DNoChecks());
+  WebContext3DNoChecks()->traceBeginCHROMIUM("gpu_toplevel",
+                                             unique_context_name.c_str());
 
   lost_context_callback_proxy_.reset(new LostContextCallbackProxy(this));
   return true;
@@ -105,15 +115,14 @@ void ContextProviderCommandBuffer::DetachFromThread() {
 }
 
 gpu::gles2::GLES2Interface* ContextProviderCommandBuffer::ContextGL() {
-  DCHECK(context3d_);
   DCHECK(lost_context_callback_proxy_);  // Is bound to thread.
   DCHECK(context_thread_checker_.CalledOnValidThread());

[piman, 2015/11/09 19:29:25]

nit: can remove those, since they're covered by WebContext3D()

 
-  return context3d_->GetImplementation();
+  return WebContext3D()->GetImplementation();
 }
 
 gpu::ContextSupport* ContextProviderCommandBuffer::ContextSupport() {
-  return context3d_->GetContextSupport();
+  return WebContext3D()->GetContextSupport();
 }
 
 class GrContext* ContextProviderCommandBuffer::GrContext() {
@@ -123,7 +132,7 @@ class GrContext* ContextProviderCommandBuffer::GrContext() {
   if (gr_context_)
     return gr_context_->get();
 
-  gr_context_.reset(new GrContextForWebGraphicsContext3D(context3d_.get()));
+  gr_context_.reset(new GrContextForWebGraphicsContext3D(gr_interface_));
 
   // If GlContext is already lost, also abandon the new GrContext.
   if (gr_context_->get() &&
@@ -142,8 +151,7 @@ void ContextProviderCommandBuffer::InvalidateGrContext(uint32_t state) {
 }
 
 void ContextProviderCommandBuffer::SetupLock() {
-  DCHECK(context3d_);
-  context3d_->GetCommandBufferProxy()->SetLock(&context_lock_);
+  WebContext3D()->GetCommandBufferProxy()->SetLock(&context_lock_);
 }
 
 base::Lock* ContextProviderCommandBuffer::GetLock() {
@@ -176,9 +184,9 @@ void ContextProviderCommandBuffer::OnLostContext() {
 
 void ContextProviderCommandBuffer::InitializeCapabilities() {
   Capabilities caps;
-  caps.gpu = context3d_->GetImplementation()->capabilities();
+  caps.gpu = WebContext3DNoChecks()->GetImplementation()->capabilities();
 
-  size_t mapped_memory_limit = context3d_->GetMappedMemoryLimit();
+  size_t mapped_memory_limit = WebContext3DNoChecks()->GetMappedMemoryLimit();
   caps.max_transfer_buffer_usage_bytes =
       mapped_memory_limit == WebGraphicsContext3DCommandBufferImpl::kNoLimit
       ? std::numeric_limits<size_t>::max() : mapped_memory_limit;