| OLD | NEW |
|---|
| 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "content/child/child_shared_bitmap_manager.h" | 5 #include "content/child/child_shared_bitmap_manager.h" |
| 6 | 6 |
| 7 #include "content/child/child_thread.h" | 7 #include "content/child/child_thread.h" |
| 8 #include "content/common/child_process_messages.h" | 8 #include "content/common/child_process_messages.h" |
| 9 #include "ui/gfx/size.h" | 9 #include "ui/gfx/size.h" |
| 10 | 10 |
| 11 namespace content { | 11 namespace content { |
| 12 | 12 |
| 13 namespace { |
| 14 |
| 15 void FreeSharedMemory(scoped_refptr<ThreadSafeSender> sender, |
| 16 cc::SharedBitmap* bitmap) { |
| 17 TRACE_EVENT0("renderer", "ChildSharedBitmapManager::FreeSharedMemory"); |
| 18 sender->Send(new ChildProcessHostMsg_DeletedSharedBitmap(bitmap->id())); |
| 19 delete bitmap->memory(); |
| 20 } |
| 21 |
| 22 void ReleaseSharedBitmap(scoped_refptr<ThreadSafeSender> sender, |
| 23 cc::SharedBitmap* handle) { |
| 24 TRACE_EVENT0("renderer", "ChildSharedBitmapManager::ReleaseSharedBitmap"); |
| 25 sender->Send(new ChildProcessHostMsg_DeletedSharedBitmap(handle->id())); |
| 26 } |
| 27 |
| 28 } // namespace |
| 29 |
| 13 ChildSharedBitmapManager::ChildSharedBitmapManager( | 30 ChildSharedBitmapManager::ChildSharedBitmapManager( |
| 14 scoped_refptr<ThreadSafeSender> sender) | 31 scoped_refptr<ThreadSafeSender> sender) |
| 15 : sender_(sender) {} | 32 : sender_(sender) { |
| 33 } |
| 16 | 34 |
| 17 ChildSharedBitmapManager::~ChildSharedBitmapManager() {} | 35 ChildSharedBitmapManager::~ChildSharedBitmapManager() {} |
| 18 | 36 |
| 19 scoped_ptr<cc::SharedBitmap> ChildSharedBitmapManager::AllocateSharedBitmap( | 37 scoped_ptr<cc::SharedBitmap> ChildSharedBitmapManager::AllocateSharedBitmap( |
| 20 const gfx::Size& size) { | 38 const gfx::Size& size) { |
| 21 TRACE_EVENT2("renderer", | 39 TRACE_EVENT2("renderer", |
| 22 "ChildSharedBitmapManager::AllocateSharedMemory", | 40 "ChildSharedBitmapManager::AllocateSharedMemory", |
| 23 "width", | 41 "width", |
| 24 size.width(), | 42 size.width(), |
| 25 "height", | 43 "height", |
| 26 size.height()); | 44 size.height()); |
| 27 size_t memory_size; | 45 size_t memory_size; |
| 28 if (!cc::SharedBitmap::SizeInBytes(size, &memory_size)) | 46 if (!cc::SharedBitmap::SizeInBytes(size, &memory_size)) |
| 29 return scoped_ptr<cc::SharedBitmap>(); | 47 return scoped_ptr<cc::SharedBitmap>(); |
| 30 cc::SharedBitmapId id = cc::SharedBitmap::GenerateId(); | 48 cc::SharedBitmapId id = cc::SharedBitmap::GenerateId(); |
| 31 scoped_ptr<base::SharedMemory> memory; | 49 scoped_ptr<base::SharedMemory> memory; |
| 32 #if defined(OS_POSIX) | 50 #if defined(OS_POSIX) |
| 33 base::SharedMemoryHandle handle; | 51 base::SharedMemoryHandle handle; |
| 34 sender_->Send(new ChildProcessHostMsg_SyncAllocateSharedBitmap( | 52 sender_->Send(new ChildProcessHostMsg_SyncAllocateSharedBitmap( |
| 35 memory_size, id, &handle)); | 53 memory_size, id, &handle)); |
| 36 memory = make_scoped_ptr(new base::SharedMemory(handle, false)); | 54 memory = make_scoped_ptr(new base::SharedMemory(handle, false)); |
| 37 CHECK(memory->Map(memory_size)); | 55 CHECK(memory->Map(memory_size)); |
| 38 #else | 56 #else |
| 39 memory.reset(ChildThread::AllocateSharedMemory(memory_size, sender_)); | 57 memory.reset(ChildThread::AllocateSharedMemory(memory_size, sender_)); |
| 40 CHECK(memory); | 58 CHECK(memory); |
| 41 base::SharedMemoryHandle handle_to_send = memory->handle(); | 59 base::SharedMemoryHandle handle_to_send = memory->handle(); |
| 42 sender_->Send(new ChildProcessHostMsg_AllocatedSharedBitmap( | 60 sender_->Send(new ChildProcessHostMsg_AllocatedSharedBitmap( |
| 43 memory_size, handle_to_send, id)); | 61 memory_size, handle_to_send, id)); |
| 44 #endif | 62 #endif |
| 45 // The compositor owning the SharedBitmap will be closed before the | |
| 46 // ChildThread containng this, making the use of base::Unretained safe. | |
| 47 return scoped_ptr<cc::SharedBitmap>(new cc::SharedBitmap( | 63 return scoped_ptr<cc::SharedBitmap>(new cc::SharedBitmap( |
| 48 memory.release(), | 64 memory.release(), id, base::Bind(&FreeSharedMemory, sender_))); |
| 49 id, | |
| 50 base::Bind(&ChildSharedBitmapManager::FreeSharedMemory, | |
| 51 base::Unretained(this)))); | |
| 52 } | 65 } |
| 53 | 66 |
| 54 scoped_ptr<cc::SharedBitmap> ChildSharedBitmapManager::GetSharedBitmapFromId( | 67 scoped_ptr<cc::SharedBitmap> ChildSharedBitmapManager::GetSharedBitmapFromId( |
| 55 const gfx::Size&, | 68 const gfx::Size&, |
| 56 const cc::SharedBitmapId&) { | 69 const cc::SharedBitmapId&) { |
| 57 NOTREACHED(); | 70 NOTREACHED(); |
| 58 return scoped_ptr<cc::SharedBitmap>(); | 71 return scoped_ptr<cc::SharedBitmap>(); |
| 59 } | 72 } |
| 60 | 73 |
| 61 scoped_ptr<cc::SharedBitmap> ChildSharedBitmapManager::GetBitmapForSharedMemory( | 74 scoped_ptr<cc::SharedBitmap> ChildSharedBitmapManager::GetBitmapForSharedMemory( |
| 62 base::SharedMemory* mem) { | 75 base::SharedMemory* mem) { |
| 63 cc::SharedBitmapId id = cc::SharedBitmap::GenerateId(); | 76 cc::SharedBitmapId id = cc::SharedBitmap::GenerateId(); |
| 64 base::SharedMemoryHandle handle_to_send = mem->handle(); | 77 base::SharedMemoryHandle handle_to_send = mem->handle(); |
| 65 #if defined(OS_POSIX) | 78 #if defined(OS_POSIX) |
| 66 if (!mem->ShareToProcess(base::GetCurrentProcessHandle(), &handle_to_send)) | 79 if (!mem->ShareToProcess(base::GetCurrentProcessHandle(), &handle_to_send)) |
| 67 return scoped_ptr<cc::SharedBitmap>(); | 80 return scoped_ptr<cc::SharedBitmap>(); |
| 68 #endif | 81 #endif |
| 69 sender_->Send(new ChildProcessHostMsg_AllocatedSharedBitmap( | 82 sender_->Send(new ChildProcessHostMsg_AllocatedSharedBitmap( |
| 70 mem->mapped_size(), handle_to_send, id)); | 83 mem->mapped_size(), handle_to_send, id)); |
| 71 // The compositor owning the SharedBitmap will be closed before the | 84 // The compositor owning the SharedBitmap will be closed before the |
| 72 // ChildThread containng this, making the use of base::Unretained safe. | 85 // ChildThread containng this, making the use of base::Unretained safe. |
| 73 return scoped_ptr<cc::SharedBitmap>(new cc::SharedBitmap( | 86 return scoped_ptr<cc::SharedBitmap>( |
| 74 mem, | 87 new cc::SharedBitmap(mem, id, base::Bind(&ReleaseSharedBitmap, sender_))); |
| 75 id, | |
| 76 base::Bind(&ChildSharedBitmapManager::ReleaseSharedBitmap, | |
| 77 base::Unretained(this)))); | |
| 78 } | |
| 79 | |
| 80 void ChildSharedBitmapManager::FreeSharedMemory(cc::SharedBitmap* bitmap) { | |
| 81 TRACE_EVENT0("renderer", "ChildSharedBitmapManager::FreeSharedMemory"); | |
| 82 sender_->Send(new ChildProcessHostMsg_DeletedSharedBitmap(bitmap->id())); | |
| 83 delete bitmap->memory(); | |
| 84 } | |
| 85 | |
| 86 void ChildSharedBitmapManager::ReleaseSharedBitmap(cc::SharedBitmap* handle) { | |
| 87 TRACE_EVENT0("renderer", "ChildSharedBitmapManager::ReleaseSharedBitmap"); | |
| 88 sender_->Send(new ChildProcessHostMsg_DeletedSharedBitmap(handle->id())); | |
| 89 } | 88 } |
| 90 | 89 |
| 91 } // namespace content | 90 } // namespace content |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 382133002:
Fix use-after-free of ChildSharedBitmapManager (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src