Mesa (staging/18.3): mesa: Reference count shaders that are used by transform feedback objects

[GitLab Mirror]

Module: Mesa
Branch: staging/18.3
Commit: 05bd26b8ae39b7498b330a6194ded63590ae487c
URL:    http://cgit.freedesktop.org/mesa/mesa/commit/?id=05bd26b8ae39b7498b330a6194ded63590ae487c

Author: Gert Wollny <gert.wollny at collabora.com>
Date:   Mon Nov 12 12:34:26 2018 +0100

mesa: Reference count shaders that are used by transform feedback objects

Transform feedback objects may hold a pointer to a shader program, and
at least in Gallium, this must be a valid pointer until
ctx->Driver.EndTransformFeedback in glEndTransformFeedback has been called
- which is conform with the spec that any program that is part of a
current rendering state should only be flagged for deletion by glDeleteProgram.
This was not handled properly for the transform feedback objects so that
a call sequence

  glUseProgram(x)
  glBeginTransformFreedback(...)
  glPauseTransformFeedback(...)
  glDeleteProgram(x)
  glEndTransformFeedback(...)

would result in a use after free bug. With this patch the transform
feedback object also updates the reference count to the used program
thereby keeping the program valid as long as the transform feedback
objects links to it.

Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=108713
Fixes: 654587696b4234d09a6b471b70e9629cf2887c27
       mesa: add end_transform_feedback() helper

Signed-off-by: Gert Wollny <gert.wollny at collabora.com>
Reviewed-by: Emil Velikov <emil.velikov at collabora.com>
(cherry picked from commit caa964b422152788a95a1b248c884df8918a2bbd)

---

 src/mesa/main/transformfeedback.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/mesa/main/transformfeedback.c b/src/mesa/main/transformfeedback.c
index a46c9f94bc..8eccdc20b7 100644
--- a/src/mesa/main/transformfeedback.c
+++ b/src/mesa/main/transformfeedback.c
@@ -40,6 +40,7 @@
 #include "shaderapi.h"
 #include "shaderobj.h"
 
+#include "program/program.h"
 #include "program/prog_parameter.h"
 
 struct using_program_tuple
@@ -470,6 +471,7 @@ begin_transform_feedback(struct gl_context *ctx, GLenum mode, bool no_error)
 
    if (obj->program != source) {
       ctx->NewDriverState |= ctx->DriverFlags.NewTransformFeedbackProg;
+      _mesa_reference_program_(ctx, &obj->program, source);
       obj->program = source;
    }
 
@@ -504,6 +506,7 @@ end_transform_feedback(struct gl_context *ctx,
    assert(ctx->Driver.EndTransformFeedback);
    ctx->Driver.EndTransformFeedback(ctx, obj);
 
+   _mesa_reference_program_(ctx, &obj->program, NULL);
    ctx->TransformFeedback.CurrentObject->Active = GL_FALSE;
    ctx->TransformFeedback.CurrentObject->Paused = GL_FALSE;
    ctx->TransformFeedback.CurrentObject->EndedAnytime = GL_TRUE;