asan use after free in Aura cc:TextureLayer::Update

Asan use after free in Aura cc:TextureLayer::Update

What happens is that GpuProcessTransportFactory::OffscreenContextProviderForMainThread() resets the shared context, so the existing one is freed, but OwnedTexture has a raw pointer to it

Which is accessed by TextureLayer::Update via the client.

So the solution is to have the client reset the raw pointer when the OnLostMainThreadSharedContext() is fired on the OwnedTexture, note how that function has a scoped pointer on the old_contexts_main_thread which makes it safe to call host_context_ while in the callback.

BUG=275775
TEST=none, see bug for asan notes.

[piman, 2013-08-21 00:01:04]

lgtm

[commit-bot: I haz the power, 2013-08-21 19:22:09]

CQ is trying da patch. Follow status at
https://chromium-status.appspot.com/cq/cpu@chromium.org/23364002/1

[cpu_(ooo_6.6-7.5), 2013-08-21 22:50:09]

Aborted commit of this patch at request of danakj

So this CL will be left just for reference.

One final comment:

https://chromiumcodereview.appspot.com/23364002/diff/1/content/browser/aura/g...
File content/browser/aura/gpu_process_transport_factory.cc (right):

https://chromiumcodereview.appspot.com/23364002/diff/1/content/browser/aura/g...
content/browser/aura/gpu_process_transport_factory.cc:76: DeleteTexture();
I think we should not call DeleteTexture() here and simply set the texture_id_
to zero.

[piman, 2013-08-21 23:01:32]

https://chromiumcodereview.appspot.com/23364002/diff/1/content/browser/aura/g...
File content/browser/aura/gpu_process_transport_factory.cc (right):

https://chromiumcodereview.appspot.com/23364002/diff/1/content/browser/aura/g...
content/browser/aura/gpu_process_transport_factory.cc:76: DeleteTexture();
On 2013/08/21 22:50:09, cpu wrote:
> I think we should not call DeleteTexture() here and simply set the texture_id_
> to zero.

I disagree. It can cause leaks depending on the GL behavior (and the reason for
the lost resource).