[Mesa-dev] [PATCH 3/3] mesa: validate that sync objects were created by mesa
Jordan Justen
jordan.l.justen at intel.com
Tue Dec 4 15:55:04 PST 2012
Previously, the user could send in a pointer that was not created
by mesa. When we dereferenced that pointer, there would be an
exception.
Now we keep a set of pointers and verify that the pointer
exists in that set before dereferencing it.
Note: This fixes several crashing gles3conform tests.
Signed-off-by: Jordan Justen <jordan.l.justen at intel.com>
---
src/mesa/main/mtypes.h | 6 ++++--
src/mesa/main/shared.c | 12 +++++++-----
src/mesa/main/syncobj.c | 23 +++++++++++++++--------
3 files changed, 26 insertions(+), 15 deletions(-)
diff --git a/src/mesa/main/mtypes.h b/src/mesa/main/mtypes.h
index db67160..2da8073 100644
--- a/src/mesa/main/mtypes.h
+++ b/src/mesa/main/mtypes.h
@@ -79,6 +79,8 @@ struct st_context;
struct gl_uniform_storage;
struct prog_instruction;
struct gl_program_parameter_list;
+struct set;
+struct set_entry;
/*@}*/
@@ -2522,7 +2524,7 @@ struct gl_query_state
/** Sync object state */
struct gl_sync_object
{
- struct simple_node link;
+ struct set_entry *SetEntry;
GLenum Type; /**< GL_SYNC_FENCE */
GLuint Name; /**< Fence name */
GLint RefCount; /**< Reference count */
@@ -2589,7 +2591,7 @@ struct gl_shared_state
struct _mesa_HashTable *FrameBuffers;
/* GL_ARB_sync */
- struct simple_node SyncObjects;
+ struct set *SyncObjects;
/** GL_ARB_sampler_objects */
struct _mesa_HashTable *SamplerObjects;
diff --git a/src/mesa/main/shared.c b/src/mesa/main/shared.c
index eaf9f8d..a98a45c 100644
--- a/src/mesa/main/shared.c
+++ b/src/mesa/main/shared.c
@@ -31,12 +31,14 @@
#include "mfeatures.h"
#include "mtypes.h"
#include "hash.h"
+#include "hash_table.h"
#include "atifragshader.h"
#include "bufferobj.h"
#include "shared.h"
#include "program/program.h"
#include "dlist.h"
#include "samplerobj.h"
+#include "set.h"
#include "shaderobj.h"
#include "syncobj.h"
@@ -115,7 +117,7 @@ _mesa_alloc_shared_state(struct gl_context *ctx)
shared->FrameBuffers = _mesa_NewHashTable();
shared->RenderBuffers = _mesa_NewHashTable();
- make_empty_list(& shared->SyncObjects);
+ shared->SyncObjects = _mesa_set_create(NULL, _mesa_key_pointer_equal);
return shared;
}
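Review bot: The result of `_mesa_set_create` is stored in `shared->SyncObjects` without a NULL check, so an allocation failure here would leave every later `_mesa_set_search` in `_mesa_validate_sync` operating on a null set. The neighbouring `_mesa_NewHashTable()` calls are also unchecked, so this follows the existing style, but after this patch every sync entry point depends on the set being present. Consider failing shared-state creation when the set cannot be allocated, e.g. `if (!shared->SyncObjects) goto fail;`, where `fail` stands for whatever error path the function has. The start of `_mesa_alloc_shared_state` is outside the hunk, so the right cleanup needs to be confirmed there.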
@@ -327,13 +329,13 @@ free_shared_state(struct gl_context *ctx, struct gl_shared_state *shared)
_mesa_reference_buffer_object(ctx, &shared->NullBufferObj, NULL);
{
- struct simple_node *node;
- struct simple_node *temp;
+ struct set_entry *entry;
- foreach_s(node, temp, & shared->SyncObjects) {
- _mesa_unref_sync_object(ctx, (struct gl_sync_object *) node);
+ set_foreach(shared->SyncObjects, entry) {
+ _mesa_unref_sync_object(ctx, (struct gl_sync_object *) entry->key);
}
}
+ _mesa_set_destroy(shared->SyncObjects, NULL);
_mesa_HashDeleteAll(shared->SamplerObjects, delete_sampler_object_cb, ctx);
_mesa_DeleteHashTable(shared->SamplerObjects);
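Review bot: The `set_foreach` loop removes entries from the set it is walking, because `_mesa_unref_sync_object` calls `_mesa_set_remove` once the reference count reaches zero; the old list code used the removal-safe `foreach_s` for exactly this case. That is only safe if `_mesa_set_remove` never resizes or rehashes the table, which this page does not show. Once confirmed against set.c, record the assumption above the loop, e.g. `/* _mesa_set_remove() only marks the entry deleted, so removing while iterating is safe */`. Separately, any object whose RefCount is still non-zero after the loop appears to keep a `SetEntry` pointer into the set that `_mesa_set_destroy` then frees, so a later unref of such an object would touch freed memory.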
diff --git a/src/mesa/main/syncobj.c b/src/mesa/main/syncobj.c
index a2d3137..3127a39 100644
--- a/src/mesa/main/syncobj.c
+++ b/src/mesa/main/syncobj.c
@@ -63,6 +63,8 @@
#include "get.h"
#include "dispatch.h"
#include "mtypes.h"
+#include "set.h"
+#include "hash_table.h"
#include "syncobj.h"
@@ -173,9 +175,12 @@ _mesa_free_sync_data(struct gl_context *ctx)
static int
-_mesa_validate_sync(struct gl_sync_object *syncObj)
+_mesa_validate_sync(struct gl_context *ctx, struct gl_sync_object *syncObj)
{
return (syncObj != NULL)
+ && _mesa_set_search(ctx->Shared->SyncObjects,
+ _mesa_hash_pointer(syncObj),
+ syncObj) != NULL
&& (syncObj->Type == GL_SYNC_FENCE)
&& !syncObj->DeletePending;
}
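Review bot: The `_mesa_set_search` added to `_mesa_validate_sync` reads `ctx->Shared->SyncObjects` without taking `ctx->Shared->Mutex`, while the `_mesa_set_add` in `_mesa_FenceSync` and the `_mesa_set_remove` in `_mesa_unref_sync_object` both modify the set under that mutex. With contexts sharing state across threads, a lookup can race with an insert or removal, so the check meant to reject bad pointers can itself read inconsistent table state. Taking the mutex around the lookup and the `Type`/`DeletePending` reads closes that race, provided no caller already holds the mutex (none of the visible call sites do). It does not close the window between validation and the caller's later dereference: another thread can still drop the last reference in between, so callers would ideally take a reference while the lock is held.

```c
static int
_mesa_validate_sync(struct gl_context *ctx, struct gl_sync_object *syncObj)
{
   int valid;

   if (syncObj == NULL)
      return 0;

   /* Look up and read the object under the lock that guards add/remove. */
   _glthread_LOCK_MUTEX(ctx->Shared->Mutex);
   valid = /* … unchanged: set search, Type and DeletePending checks … */;
   _glthread_UNLOCK_MUTEX(ctx->Shared->Mutex);

   return valid;
}
```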
@@ -196,7 +201,7 @@ _mesa_unref_sync_object(struct gl_context *ctx, struct gl_sync_object *syncObj)
_glthread_LOCK_MUTEX(ctx->Shared->Mutex);
syncObj->RefCount--;
if (syncObj->RefCount == 0) {
- remove_from_list(& syncObj->link);
+ _mesa_set_remove(ctx->Shared->SyncObjects, syncObj->SetEntry);
_glthread_UNLOCK_MUTEX(ctx->Shared->Mutex);
ctx->Driver.DeleteSyncObject(ctx, syncObj);
@@ -213,7 +218,7 @@ _mesa_IsSync(GLsync sync)
struct gl_sync_object *const syncObj = (struct gl_sync_object *) sync;
ASSERT_OUTSIDE_BEGIN_END_WITH_RETVAL(ctx, GL_FALSE);
- return _mesa_validate_sync(syncObj) ? GL_TRUE : GL_FALSE;
+ return _mesa_validate_sync(ctx, syncObj) ? GL_TRUE : GL_FALSE;
}
@@ -234,7 +239,7 @@ _mesa_DeleteSync(GLsync sync)
return;
}
- if (!_mesa_validate_sync(syncObj)) {
+ if (!_mesa_validate_sync(ctx, syncObj)) {
_mesa_error(ctx, GL_INVALID_VALUE, "glDeleteSync (not a valid sync object)");
return;
}
@@ -284,7 +289,9 @@ _mesa_FenceSync(GLenum condition, GLbitfield flags)
ctx->Driver.FenceSync(ctx, syncObj, condition, flags);
_glthread_LOCK_MUTEX(ctx->Shared->Mutex);
- insert_at_tail(& ctx->Shared->SyncObjects, & syncObj->link);
+ syncObj->SetEntry = _mesa_set_add(ctx->Shared->SyncObjects,
+ _mesa_hash_pointer(syncObj),
+ syncObj);
_glthread_UNLOCK_MUTEX(ctx->Shared->Mutex);
return (GLsync) syncObj;
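Review bot: The return value of `_mesa_set_add` is stored in `syncObj->SetEntry` and never checked, yet the object is still returned to the application. If the insert fails and returns NULL (presumably on a failed table resize), the caller gets a handle that `_mesa_validate_sync` will always reject, so `glDeleteSync` can never release it. `_mesa_unref_sync_object` would then also pass a NULL entry to `_mesa_set_remove`. Handle the failure before returning, as sketched below; whether `Driver.DeleteSyncObject` is the correct teardown after `Driver.FenceSync` has already run should be confirmed. The body of `_mesa_FenceSync` starts and ends outside this hunk.

```c
   _glthread_UNLOCK_MUTEX(ctx->Shared->Mutex);

   if (syncObj->SetEntry == NULL) {
      /* Never registered: no later call could validate or delete it. */
      ctx->Driver.DeleteSyncObject(ctx, syncObj);
      _mesa_error(ctx, GL_OUT_OF_MEMORY, "glFenceSync");
      return 0;
   }

   return (GLsync) syncObj;
```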
@@ -302,7 +309,7 @@ _mesa_ClientWaitSync(GLsync sync, GLbitfield flags, GLuint64 timeout)
GLenum ret;
ASSERT_OUTSIDE_BEGIN_END_WITH_RETVAL(ctx, GL_WAIT_FAILED);
- if (!_mesa_validate_sync(syncObj)) {
+ if (!_mesa_validate_sync(ctx, syncObj)) {
_mesa_error(ctx, GL_INVALID_VALUE, "glClientWaitSync (not a valid sync object)");
return GL_WAIT_FAILED;
}
@@ -346,7 +353,7 @@ _mesa_WaitSync(GLsync sync, GLbitfield flags, GLuint64 timeout)
struct gl_sync_object *const syncObj = (struct gl_sync_object *) sync;
ASSERT_OUTSIDE_BEGIN_END(ctx);
- if (!_mesa_validate_sync(syncObj)) {
+ if (!_mesa_validate_sync(ctx, syncObj)) {
_mesa_error(ctx, GL_INVALID_VALUE, "glWaitSync (not a valid sync object)");
return;
}
@@ -375,7 +382,7 @@ _mesa_GetSynciv(GLsync sync, GLenum pname, GLsizei bufSize, GLsizei *length,
GLint v[1];
ASSERT_OUTSIDE_BEGIN_END(ctx);
- if (!_mesa_validate_sync(syncObj)) {
+ if (!_mesa_validate_sync(ctx, syncObj)) {
_mesa_error(ctx, GL_INVALID_VALUE, "glGetSynciv (not a valid sync object)");
return;
}
--
1.7.10.4