Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(193)

Issues Search
    My Issues | Starred     Open | Closed | All

Issue 552423002: Fix crash in Canvas2DLayerBridge after a GPU resource is lost (Closed)

Created:
6 years, 3 months ago by Justin Novosad
Modified:
6 years, 3 months ago
CC:
blink-reviews, jamesr, krit, jbroman, danakj, Rik, Stephen Chennney, pdr., rwlbuis, Sami
Project:
blink
Visibility:
Public.

Description

Fix crash in Canvas2DLayerBridge after a GPU resource is lost BUG=411864 TEST=blink unit test Canvas2DLayerBridgeTest.testPrepareMailboxAndLoseResource Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=181679

Patch Set 1 #

Total comments: 2

Patch Set 2 : response to review #

Total comments: 1
Unified diffs Side-by-side diffs Delta from patch set Stats (+73 lines, -16 lines) Patch
M Source/platform/graphics/Canvas2DLayerBridge.cpp View 1 3 chunks +33 lines, -15 lines 1 comment Download
M Source/platform/graphics/Canvas2DLayerBridgeTest.cpp View 2 chunks +40 lines, -1 line 0 comments Download

Messages

Total messages: 11 (3 generated)
Justin Novosad
PTAL
6 years, 3 months ago (2014-09-09 20:16:54 UTC) #2
danakj
6 years, 3 months ago (2014-09-09 20:17:37 UTC) #3
Stephen White
https://codereview.chromium.org/552423002/diff/1/Source/platform/graphics/Canvas2DLayerBridge.cpp File Source/platform/graphics/Canvas2DLayerBridge.cpp (right): https://codereview.chromium.org/552423002/diff/1/Source/platform/graphics/Canvas2DLayerBridge.cpp#newcode513 Source/platform/graphics/Canvas2DLayerBridge.cpp:513: if (mailboxInfo->m_image->getTexture()) { Nit: refactor out mailboxInfo->m_image->getTexture() into a ...
6 years, 3 months ago (2014-09-09 20:33:06 UTC) #4
Stephen White
LGTM (bots willing)
6 years, 3 months ago (2014-09-09 20:44:40 UTC) #5
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/junov@chromium.org/552423002/20001
6 years, 3 months ago (2014-09-09 20:45:10 UTC) #7
commit-bot: I haz the power
Committed patchset #2 (id:20001) as 181679
6 years, 3 months ago (2014-09-09 22:16:34 UTC) #8
Hongbo Min
https://codereview.chromium.org/552423002/diff/20001/Source/platform/graphics/Canvas2DLayerBridge.cpp File Source/platform/graphics/Canvas2DLayerBridge.cpp (right): https://codereview.chromium.org/552423002/diff/20001/Source/platform/graphics/Canvas2DLayerBridge.cpp#newcode525 Source/platform/graphics/Canvas2DLayerBridge.cpp:525: // mailboxes will not be recycled after this point. ...
6 years, 3 months ago (2014-09-10 04:51:08 UTC) #10
Justin Novosad
6 years, 3 months ago (2014-09-10 14:54:10 UTC) #11
Message was sent while issue was closed. 
On 2014/09/10 04:51:08, Hongbo Min wrote:
>
https://codereview.chromium.org/552423002/diff/20001/Source/platform/graphics...
> File Source/platform/graphics/Canvas2DLayerBridge.cpp (right):
> 
>
https://codereview.chromium.org/552423002/diff/20001/Source/platform/graphics...
> Source/platform/graphics/Canvas2DLayerBridge.cpp:525: // mailboxes will not be
> recycled after this point. Calling remove()
> It seems that the issue of memory-use-after-free is caused by not reset
> m_releasedMailboxInfoIndex in case of gpu context is lost, right? If so,
> alternatively we can also reset m_releasedMailboxInfoIndex to avoid
> freeReleasedMailbox called by accident. Of course, in your code, it ensures
> freeReleasedMailbox not called again.

It was caused by the call to remove(i), which triggers self-destruction of the
canvas 2D layer bridge. The problem is that this destroys the m_mailboxes member
while we are manipulating it in remove().

Powered by Google App Engine
This is Rietveld 408576698