diff options
| author | Chris Craik <ccraik@google.com> | 2012-08-31 14:52:50 -0700 |
|---|---|---|
| committer | Chris Craik <ccraik@google.com> | 2012-08-31 14:52:50 -0700 |
| commit | cf1488f378638819eeb5fc276213437f6cbd0783 (patch) | |
| tree | 6b566cfb2e422be76129ac7bf83a01364f1b1a07 | |
| parent | 3f9aace3c8671247a9b06117658d44282871ba89 (diff) | |
| download | external_webkit-cf1488f378638819eeb5fc276213437f6cbd0783.zip external_webkit-cf1488f378638819eeb5fc276213437f6cbd0783.tar.gz external_webkit-cf1488f378638819eeb5fc276213437f6cbd0783.tar.bz2 | |
Avoid unsafe use of SkRefCnt::getRefCnt() in ImagesManager
The function isn't threadsafe, so races would occur and certain textures
wouldn't be removed from ImagesManager's master list. The list would then be
iterated over, all items dereferenced, and bad times would ensue.
The SkRefCnt class uses atomic inc/dec to decide when to destroy an object, but
reading such an integer non-atomically isn't safe. Instead use the real signal
we're looking for - when the ImageTexture is deleted - to know when to remove
the ImageTexture from ImagesManager's list.
Mutual exclusion from editing the list is now maintained by only unref-ing the
ImageTexture within releaseImage, which holds the ImagesManager's m_imagesLock
(which we already do anyway).
bug:6859278
Change-Id: I75ebf79f2617484e7df355d6539226ce64882369
3 files changed, 14 insertions, 2 deletions
diff --git a/Source/WebCore/platform/graphics/android/rendering/ImageTexture.cpp b/Source/WebCore/platform/graphics/android/rendering/ImageTexture.cpp index aa84427..db03753 100644 --- a/Source/WebCore/platform/graphics/android/rendering/ImageTexture.cpp +++ b/Source/WebCore/platform/graphics/android/rendering/ImageTexture.cpp @@ -101,6 +101,7 @@ ImageTexture::~ImageTexture() delete m_image; delete m_tileGrid; SkSafeUnref(m_picture); + ImagesManager::instance()->onImageTextureDestroy(m_crc); } SkBitmap* ImageTexture::convertBitmap(SkBitmap* bitmap) diff --git a/Source/WebCore/platform/graphics/android/rendering/ImagesManager.cpp b/Source/WebCore/platform/graphics/android/rendering/ImagesManager.cpp index 82ea3fa..d2bd8a0 100644 --- a/Source/WebCore/platform/graphics/android/rendering/ImagesManager.cpp +++ b/Source/WebCore/platform/graphics/android/rendering/ImagesManager.cpp @@ -102,12 +102,20 @@ void ImagesManager::releaseImage(unsigned imgCRC) android::Mutex::Autolock lock(m_imagesLock); if (m_images.contains(imgCRC)) { ImageTexture* image = m_images.get(imgCRC); - if (image->getRefCnt() == 1) - m_images.remove(imgCRC); + // don't need to remove image from the HashMap, it will unregister + // itself by calling onImageTextureDestroy(). + SkSafeUnref(image); } } +void ImagesManager::onImageTextureDestroy(unsigned imgCRC) +{ + // NOTE: all unrefs must go through releaseImage, to ensure that + // onImageTextureDestroy is called under the m_imagesLock + m_images.remove(imgCRC); +} + int ImagesManager::nbTextures() { android::Mutex::Autolock lock(m_imagesLock); diff --git a/Source/WebCore/platform/graphics/android/rendering/ImagesManager.h b/Source/WebCore/platform/graphics/android/rendering/ImagesManager.h index b915a46..718cfdd 100644 --- a/Source/WebCore/platform/graphics/android/rendering/ImagesManager.h +++ b/Source/WebCore/platform/graphics/android/rendering/ImagesManager.h @@ -47,6 +47,9 @@ public: ImageTexture* retainImage(unsigned imgCRC); void releaseImage(unsigned imgCRC); + // should be called only by ~ImageTexture() + void onImageTextureDestroy(unsigned imgCRC); + bool prepareTextures(GLWebViewState*); int nbTextures(); |