cc: Avoid ResourceProvider nullptr deref

cc/trees/layer_tree_host_impl.cc

 // Copyright 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "cc/trees/layer_tree_host_impl.h"
 
 #include <stddef.h>
 #include <stdint.h>
 
 #include <algorithm>
@@ skipping 222 matching lines @@
       resourceless_software_draw_(false),
       animation_host_(std::move(animation_host)),
       rendering_stats_instrumentation_(rendering_stats_instrumentation),
       micro_benchmark_controller_(this),
       shared_bitmap_manager_(shared_bitmap_manager),
       gpu_memory_buffer_manager_(gpu_memory_buffer_manager),
       task_graph_runner_(task_graph_runner),
       id_(id),
       requires_high_res_to_draw_(false),
       is_likely_to_require_a_draw_(false),
+      has_valid_compositor_frame_sink_(false),
       mutator_(nullptr) {
   DCHECK(animation_host_);
   animation_host_->SetMutatorHostClient(this);
 
   DCHECK(task_runner_provider_->IsImplThread());
   DidVisibilityChange(this, visible_);
 
   SetDebugState(settings.initial_debug_state);
 
   // LTHI always has an active tree.
@@ skipping 1665 matching lines @@
 
 void LayerTreeHostImpl::SynchronouslyInitializeAllTiles() {
   // Only valid for the single-threaded non-scheduled/synchronous case
   // using the zero copy raster worker pool.
   single_thread_synchronous_task_graph_runner_->RunUntilIdle();
 }
 
 void LayerTreeHostImpl::DidLoseCompositorFrameSink() {
   if (resource_provider_)
     resource_provider_->DidLoseContextProvider();
+  has_valid_compositor_frame_sink_ = false;
   client_->DidLoseCompositorFrameSinkOnImplThread();
 }
 
 bool LayerTreeHostImpl::HaveRootScrollLayer() const {
   return !!InnerViewportScrollLayer();
 }
 
 LayerImpl* LayerTreeHostImpl::InnerViewportScrollLayer() const {
   return active_tree_->InnerViewportScrollLayer();
 }
@@ skipping 312 matching lines @@
   tile_manager_.FinishTasksAndCleanUp();
   resource_pool_ = nullptr;
   tile_task_manager_ = nullptr;
   single_thread_synchronous_task_graph_runner_ = nullptr;
   image_decode_controller_ = nullptr;
 }
 
 void LayerTreeHostImpl::ReleaseCompositorFrameSink() {
   TRACE_EVENT0("cc", "LayerTreeHostImpl::ReleaseCompositorFrameSink");
 
-  if (!compositor_frame_sink_)
+  if (!compositor_frame_sink_) {
+    DCHECK(!has_valid_compositor_frame_sink_);
     return;
+  }
+
+  has_valid_compositor_frame_sink_ = false;
 
   // Since we will create a new resource provider, we cannot continue to use
   // the old resources (i.e. render_surfaces and texture IDs). Clear them
   // before we destroy the old resource provider.
   ReleaseTreeResources();
 
   // Note: ui resource cleanup uses the |resource_provider_|.
   CleanUpTileManagerAndUIResources();
   resource_provider_ = nullptr;
 
@@ skipping 23 matching lines @@
   TRACE_EVENT0("cc", "LayerTreeHostImpl::InitializeRenderer");
 
   ReleaseCompositorFrameSink();
   if (!compositor_frame_sink->BindToClient(this)) {
     // Avoid recreating tree resources because we might not have enough
     // information to do this yet (eg. we don't have a TileManager at this
     // point).
     return false;
   }
 
+  has_valid_compositor_frame_sink_ = true;

[danakj, 2016/09/23 21:24:10]

nit: put this right beside the assignment to compositor_frame_sink_

[no sievers, 2016/09/23 21:27:31]

Done.

   // When using software compositing, change to the limits specified for it.
   // Since this is a one way trip, we don't need to worry about going back to
   // GPU compositing.
   if (!compositor_frame_sink->context_provider())
     SetMemoryPolicy(settings_.software_memory_policy);
 
   compositor_frame_sink_ = compositor_frame_sink;
   resource_provider_ = base::MakeUnique<ResourceProvider>(
       compositor_frame_sink_->context_provider(), shared_bitmap_manager_,
       gpu_memory_buffer_manager_,
@@ skipping 1379 matching lines @@
 void LayerTreeHostImpl::CreateUIResource(UIResourceId uid,
                                          const UIResourceBitmap& bitmap) {
   DCHECK_GT(uid, 0);
 
   // Allow for multiple creation requests with the same UIResourceId.  The
   // previous resource is simply deleted.
   ResourceId id = ResourceIdForUIResource(uid);
   if (id)
     DeleteUIResource(uid);
 
+  if (!has_valid_compositor_frame_sink_) {
+    evicted_ui_resources_.insert(uid);
+    return;
+  }
+
   ResourceFormat format = resource_provider_->best_texture_format();
   switch (bitmap.GetFormat()) {
     case UIResourceBitmap::RGBA8:
       break;
     case UIResourceBitmap::ALPHA_8:
       format = ALPHA_8;
       break;
     case UIResourceBitmap::ETC1:
       format = ETC1;
       break;
@@ skipping 65 matching lines @@
   data.opaque = bitmap.GetOpaque();
   ui_resource_map_[uid] = data;
 
   resource_provider_->GenerateSyncTokenForResource(id);
   MarkUIResourceNotEvicted(uid);
 }
 
 void LayerTreeHostImpl::DeleteUIResource(UIResourceId uid) {
   ResourceId id = ResourceIdForUIResource(uid);
   if (id) {
-    resource_provider_->DeleteResource(id);
+    if (has_valid_compositor_frame_sink_)
+      resource_provider_->DeleteResource(id);
     ui_resource_map_.erase(uid);
   }
   MarkUIResourceNotEvicted(uid);
 }
 
 void LayerTreeHostImpl::ClearUIResources() {
   for (UIResourceMap::const_iterator iter = ui_resource_map_.begin();
        iter != ui_resource_map_.end(); ++iter) {
     evicted_ui_resources_.insert(iter->first);
     resource_provider_->DeleteResource(iter->second.resource_id);
@@ skipping 390 matching lines @@
   if (is_visible) {
     worker_context_visibility_ =
         worker_context->CacheController()->ClientBecameVisible();
   } else {
     worker_context->CacheController()->ClientBecameNotVisible(
         std::move(worker_context_visibility_));
   }
 }
 
 }  // namespace cc