SlabAllocator: Fix writing to freed memory on slab destruction

unique_ptr's destructor sets itself to null and frees its owned memory. This is a problem because for the slab allocator, the member variable holding the unique_ptr is inside the freed memory. Bug: skia:10501 Change-Id: I41179261041fe415bb2af3667114b079f61b3c7b Reviewed-on: https://dawn-review.googlesource.com/c/dawn/+/48100 Auto-Submit: Austin Eng <enga@chromium.org> Reviewed-by: Stephen White <senorblanco@chromium.org> Reviewed-by: Corentin Wallez <cwallez@chromium.org> Commit-Queue: Austin Eng <enga@chromium.org>
2021-04-20 17:53:50 +00:00 · 2021-04-20 17:53:50 +00:00 · 9aadf94c15
parent cd39ade86f
commit 9aadf94c15
2 changed files with 9 additions and 13 deletions
--- a/src/common/SlabAllocator.cpp
+++ b/src/common/SlabAllocator.cpp
@ -30,12 +30,8 @@ SlabAllocatorImpl::IndexLinkNode::IndexLinkNode(Index index, Index nextIndex)

 // Slab

-SlabAllocatorImpl::Slab::Slab(std::unique_ptr<char[]> allocation, IndexLinkNode* head)
-    : allocation(std::move(allocation)),
-      freeList(head),
-      prev(nullptr),
-      next(nullptr),
-      blocksInUse(0) {
+SlabAllocatorImpl::Slab::Slab(char allocation[], IndexLinkNode* head)
+    : allocation(allocation), freeList(head), prev(nullptr), next(nullptr), blocksInUse(0) {
 }

 SlabAllocatorImpl::Slab::Slab(Slab&& rhs) = default;
@ -50,7 +46,8 @@ SlabAllocatorImpl::SentinelSlab::~SentinelSlab() {
    while (slab != nullptr) {
        Slab* next = slab->next;
        ASSERT(slab->blocksInUse == 0);
-        slab->~Slab();
+        // Delete the slab's allocation. The slab is allocated inside slab->allocation.
+        delete[] slab->allocation;
        slab = next;
    }
 }
@ -232,8 +229,8 @@ void SlabAllocatorImpl::GetNewSlab() {
    }

    // TODO(enga): Use aligned_alloc with C++17.
-    auto allocation = std::unique_ptr<char[]>(new char[mTotalAllocationSize]);
-    char* alignedPtr = AlignPtr(allocation.get(), mAllocationAlignment);
+    char* allocation = new char[mTotalAllocationSize];
+    char* alignedPtr = AlignPtr(allocation, mAllocationAlignment);

    char* dataStart = alignedPtr + mSlabBlocksOffset;

@ -245,5 +242,5 @@ void SlabAllocatorImpl::GetNewSlab() {
    IndexLinkNode* lastNode = OffsetFrom(node, mBlocksPerSlab - 1);
    lastNode->nextIndex = kInvalidIndex;

-    mAvailableSlabs.Prepend(new (alignedPtr) Slab(std::move(allocation), node));
+    mAvailableSlabs.Prepend(new (alignedPtr) Slab(allocation, node));
 }
--- a/src/common/SlabAllocator.h
+++ b/src/common/SlabAllocator.h
@ -18,7 +18,6 @@
 #include "common/PlacementAllocated.h"

 #include <cstdint>
-#include <memory>
 #include <type_traits>

 // The SlabAllocator allocates objects out of one or more fixed-size contiguous "slabs" of memory.
@ -77,12 +76,12 @@ class SlabAllocatorImpl {
        // Ownership of the allocation is transferred to the slab on creation.
        // | ---------- allocation --------- |
        // | pad | Slab | data ------------> |
-        Slab(std::unique_ptr<char[]> allocation, IndexLinkNode* head);
+        Slab(char allocation[], IndexLinkNode* head);
        Slab(Slab&& rhs);

        void Splice();

-        std::unique_ptr<char[]> allocation;
+        char* allocation;
        IndexLinkNode* freeList;
        Slab* prev;
        Slab* next;