encounter/dawn-cmake
1
0
Fork 0
mirror of https://github.com/encounter/dawn-cmake.git synced 2025-06-30 02:13:30 +00:00
Code Issues Packages Projects Releases Wiki Activity

SlabAllocator: Fix writing to freed memory on slab destruction

Browse Source 
unique_ptr's destructor sets itself to null and frees its owned
memory. This is a problem because for the slab allocator, the
member variable holding the unique_ptr is inside the freed memory.

Bug: skia:10501
Change-Id: I41179261041fe415bb2af3667114b079f61b3c7b
Reviewed-on: https://dawn-review.googlesource.com/c/dawn/+/48100
Auto-Submit: Austin Eng <enga@chromium.org>
Reviewed-by: Stephen White <senorblanco@chromium.org>
Reviewed-by: Corentin Wallez <cwallez@chromium.org>
Commit-Queue: Austin Eng <enga@chromium.org>
This commit is contained in:
Austin Eng 2021-04-20 17:53:50 +00:00 committed by Commit Bot service account
parent cd39ade86f
commit 9aadf94c15
2 changed files with 9 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
src/common/SlabAllocator.cpp
View File

@ -30,12 +30,8 @@ SlabAllocatorImpl::IndexLinkNode::IndexLinkNode(Index index, Index nextIndex)
// Slab // Slab
SlabAllocatorImpl::Slab::Slab(std::unique_ptr<char[]> allocation, IndexLinkNode* head) SlabAllocatorImpl::Slab::Slab(char allocation[], IndexLinkNode* head)
: allocation(std::move(allocation)), : allocation(allocation), freeList(head), prev(nullptr), next(nullptr), blocksInUse(0) {
freeList(head),
prev(nullptr),
next(nullptr),
blocksInUse(0) {
} }
SlabAllocatorImpl::Slab::Slab(Slab&& rhs) = default; SlabAllocatorImpl::Slab::Slab(Slab&& rhs) = default;
@ -50,7 +46,8 @@ SlabAllocatorImpl::SentinelSlab::~SentinelSlab() {
while (slab != nullptr) { while (slab != nullptr) {
Slab* next = slab->next; Slab* next = slab->next;
ASSERT(slab->blocksInUse == 0); ASSERT(slab->blocksInUse == 0);
slab->~Slab(); // Delete the slab's allocation. The slab is allocated inside slab->allocation.
delete[] slab->allocation;
slab = next; slab = next;
} }
} }
@ -232,8 +229,8 @@ void SlabAllocatorImpl::GetNewSlab() {
} }
// TODO(enga): Use aligned_alloc with C++17. // TODO(enga): Use aligned_alloc with C++17.
auto allocation = std::unique_ptr<char[]>(new char[mTotalAllocationSize]); char* allocation = new char[mTotalAllocationSize];
char* alignedPtr = AlignPtr(allocation.get(), mAllocationAlignment); char* alignedPtr = AlignPtr(allocation, mAllocationAlignment);
char* dataStart = alignedPtr + mSlabBlocksOffset; char* dataStart = alignedPtr + mSlabBlocksOffset;
@ -245,5 +242,5 @@ void SlabAllocatorImpl::GetNewSlab() {
IndexLinkNode* lastNode = OffsetFrom(node, mBlocksPerSlab - 1); IndexLinkNode* lastNode = OffsetFrom(node, mBlocksPerSlab - 1);
lastNode->nextIndex = kInvalidIndex; lastNode->nextIndex = kInvalidIndex;
mAvailableSlabs.Prepend(new (alignedPtr) Slab(std::move(allocation), node)); mAvailableSlabs.Prepend(new (alignedPtr) Slab(allocation, node));
} }

5
src/common/SlabAllocator.h
View File

@ -18,7 +18,6 @@
#include "common/PlacementAllocated.h" #include "common/PlacementAllocated.h"
#include <cstdint> #include <cstdint>
#include <memory>
#include <type_traits> #include <type_traits>
// The SlabAllocator allocates objects out of one or more fixed-size contiguous "slabs" of memory. // The SlabAllocator allocates objects out of one or more fixed-size contiguous "slabs" of memory.
@ -77,12 +76,12 @@ class SlabAllocatorImpl {
// Ownership of the allocation is transferred to the slab on creation. // Ownership of the allocation is transferred to the slab on creation.
// | ---------- allocation --------- | // | ---------- allocation --------- |
// | pad | Slab | data ------------> | // | pad | Slab | data ------------> |
Slab(std::unique_ptr<char[]> allocation, IndexLinkNode* head); Slab(char allocation[], IndexLinkNode* head);
Slab(Slab&& rhs); Slab(Slab&& rhs);
void Splice(); void Splice();
std::unique_ptr<char[]> allocation; char* allocation;
IndexLinkNode* freeList; IndexLinkNode* freeList;
Slab* prev; Slab* prev;
Slab* next; Slab* next;