Mac: Require child AllocateGpuMemoryBuffer to not fail

content/common/gpu/gpu_memory_buffer_factory_io_surface.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/common/gpu/gpu_memory_buffer_factory_io_surface.h"
 
 #include <vector>
 
 #include "base/logging.h"
 #include "content/common/gpu/client/gpu_memory_buffer_impl.h"
@@ skipping 32 matching lines @@
 gfx::GpuMemoryBufferHandle
 GpuMemoryBufferFactoryIOSurface::CreateGpuMemoryBuffer(
     gfx::GpuMemoryBufferId id,
     const gfx::Size& size,
     gfx::BufferFormat format,
     gfx::BufferUsage usage,
     int client_id,
     gfx::PluginWindowHandle surface_handle) {
   base::ScopedCFTypeRef<IOSurfaceRef> io_surface(
       gfx::IOSurfaceManager::CreateIOSurface(size, format));
-  if (!io_surface)
-    return gfx::GpuMemoryBufferHandle();
+  CHECK(io_surface);

[reveman, 2015/12/01 20:49:04]

This makes it possible for a malicious renderer to crash the GPU process by
requesting an IOSurface to be allocated that is too large.

 
-  if (!gfx::IOSurfaceManager::GetInstance()->RegisterIOSurface(id, client_id,
-                                                               io_surface)) {
-    return gfx::GpuMemoryBufferHandle();
-  }
+  bool register_result =
+      gfx::IOSurfaceManager::GetInstance()->RegisterIOSurface(id, client_id,
+                                                              io_surface);
+  CHECK(register_result);

[reveman, 2015/12/01 20:49:04]

Is it possible that the browser decides to start a new gpu process before this
process has been shutdown? This can fail in that case without being a real
problem.

 
   {
     base::AutoLock lock(io_surfaces_lock_);
 
     IOSurfaceMapKey key(id, client_id);
     DCHECK(io_surfaces_.find(key) == io_surfaces_.end());
     io_surfaces_[key] = io_surface;

[reveman, 2015/12/01 20:49:04]

FYI, storing the IOSurface here is actually a bug as it it allows an IOSurface
to become invalid (if the gpu process crashes) after successfully allocating a
GMB. I don't think this affects the user experience today but it means that we
need to be handle failure to create a GLImage.

   }
 
   gfx::GpuMemoryBufferHandle handle;
   handle.type = gfx::IO_SURFACE_BUFFER;
   handle.id = id;
   return handle;
 }
 
 gfx::GpuMemoryBufferHandle
 GpuMemoryBufferFactoryIOSurface::CreateGpuMemoryBufferFromHandle(
@@ skipping 41 matching lines @@
 
   scoped_refptr<gl::GLImageIOSurface> image(
       new gl::GLImageIOSurface(size, internalformat));
   if (!image->Initialize(it->second.get(), handle.id, format))
     return scoped_refptr<gl::GLImage>();
 
   return image;
 }
 
 }  // namespace content