From 3a819aac70dd26f675644f6a35b13be5fb3de2f1 Mon Sep 17 00:00:00 2001
From: Chris Craik
Date: Mon, 17 Oct 2011 12:18:09 -0700
Subject: Prevent race condition in tile texture discard bug:5461107 Tiles were being destroyed, and subsequently dereferenced in TransferQueue
Change-Id: I4fea289e5fda03a69f07554f57120c4c5bf7b016
---
 Source/WebCore/platform/graphics/android/TransferQueue.cpp | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
(limited to 'Source/WebCore/platform/graphics/android/TransferQueue.cpp')
diff --git a/Source/WebCore/platform/graphics/android/TransferQueue.cpp b/Source/WebCore/platform/graphics/android/TransferQueue.cpp
index 3fc1b93..4e29870 100644
--- a/Source/WebCore/platform/graphics/android/TransferQueue.cpp
+++ b/Source/WebCore/platform/graphics/android/TransferQueue.cpp
@@ -440,6 +440,7 @@ void TransferQueue::addItemInTransferQueue(const TileRenderInfo* renderInfo,
 XLOG("ERROR update a tile which is dirty already @ index %d", index);
 }
+ m_transferQueue[index].savedBaseTileTexturePtr = renderInfo->baseTile->backTexture();
 m_transferQueue[index].savedBaseTilePtr = renderInfo->baseTile;
 m_transferQueue[index].status = pendingBlit;
 m_transferQueue[index].uploadType = type;
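Review bot: The added line is the first place in this hunk where `renderInfo->baseTile` is dereferenced (the line after it only copies the pointer), and nothing visible here shows a null check or a lock around the `backTexture()` read. The value stored in `savedBaseTileTexturePtr` is a raw, non-owning pointer, so the later owner check is only sound if the texture object itself outlives the queue entry and if this read cannot interleave with the UI thread swapping or discarding the tile's textures. The function starts and ends outside the hunk, so both may already be guaranteed; if they are, I would record it at the assignment, e.g. `// queue lock held; baseTile is non-null and its back texture outlives this queue entry`. Any other reader of `savedBaseTilePtr` outside the shown hunks presumably needs the same `owner()` guard before touching the tile.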
@@ -493,14 +494,16 @@ void TransferQueue::cleanupTransportQueue()
 // since tiles in the queue may be from another webview, remove
 // their textures so that they will be repainted / retransferred
 BaseTile* tile = m_transferQueue[index].savedBaseTilePtr;
- if (tile) {
- BaseTileTexture* texture = tile->backTexture();
- if (texture)
- texture->releaseAndRemoveFromTile();
+ BaseTileTexture* texture = m_transferQueue[index].savedBaseTileTexturePtr;
+ if (tile && texture && texture->owner() == tile) {
+ // since tile destruction removes textures on the UI thread, the
+ // texture->owner ptr guarantees the tile is valid
+ tile->discardBackTexture();
+ XLOG("transfer queue discarded tile %p, removed texture", tile);
 }
- XLOG("transfer queue discarded tile %p, removed texture", tile);
 m_transferQueue[index].savedBaseTilePtr = 0;
+ m_transferQueue[index].savedBaseTileTexturePtr = 0;
 m_transferQueue[index].status = emptyItem;
 }
 index = (index + 1) % ST_BUFFER_NUMBER;
-- cgit v1.1
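Review bot: The `texture->owner() == tile` test and the `tile->discardBackTexture()` call are separate steps, so the guard only prevents a use-after-free if tile destruction cannot run between them. The added comment says destruction removes textures on the UI thread but does not say which thread or lock cleanupTransportQueue runs under. The function starts and ends outside the hunk, so this may already be covered. I would state the invariant at the check, e.g. `// called on the UI thread (or with the tile-destruction lock held), so owner() cannot change before discardBackTexture()`. The comparison is also by address only, so it assumes a freed tile's address is never reused by a new tile that owns the same texture while the entry is still queued; that assumption deserves a line in the comment too.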