author | Jordan Justen <jordan.l.justen@intel.com> | 2012-12-04 01:24:07 -0800 |
---|---|---|
committer | Jordan Justen <jordan.l.justen@intel.com> | 2012-12-04 15:37:04 -0800 |
commit | 0470c9ce0432fc779a93afcbb0d2f53542397d7e (patch) | |
tree | e03be3a1773af690f1e040cf1f9434cf53853d3d | |
parent | 6ad53fa25506e77ecceb4da33f0c13f73ef4ab10 (diff) |
mesa: validate that sync objects were created by mesagles3-syncobj
Previously, the user could send in a pointer that was not created
by mesa. When we dereferenced that pointer, there would be an
exception.
Now we keep a set of pointers and verify that the pointer
exists in that set before dereferencing it.
Note: This fixes several crashing gles3conform tests.
Signed-off-by: Jordan Justen <jordan.l.justen@intel.com>
-rw-r--r-- | src/mesa/main/mtypes.h | 6 | ||||
-rw-r--r-- | src/mesa/main/shared.c | 12 | ||||
-rw-r--r-- | src/mesa/main/syncobj.c | 23 |
3 files changed, 26 insertions, 15 deletions
diff --git a/src/mesa/main/mtypes.h b/src/mesa/main/mtypes.h
index db67160809..2da807329e 100644
--- a/src/mesa/main/mtypes.h
+++ b/src/mesa/main/mtypes.h
@@ -79,6 +79,8 @@ struct st_context;
 struct gl_uniform_storage;
 struct prog_instruction;
 struct gl_program_parameter_list;
+struct set;
+struct set_entry;
 /*@}*/
@@ -2522,7 +2524,7 @@ struct gl_query_state
 /** Sync object state */
 struct gl_sync_object {
- struct simple_node link;
+ struct set_entry *SetEntry;
 GLenum Type; /**< GL_SYNC_FENCE */
 GLuint Name; /**< Fence name */
 GLint RefCount; /**< Reference count */
@@ -2589,7 +2591,7 @@ struct gl_shared_state
 struct _mesa_HashTable *FrameBuffers;
 /* GL_ARB_sync */
- struct simple_node SyncObjects;
+ struct set *SyncObjects;
 /** GL_ARB_sampler_objects */
 struct _mesa_HashTable *SamplerObjects;
diff --git a/src/mesa/main/shared.c b/src/mesa/main/shared.c
index eaf9f8de1b..a98a45c75e 100644
--- a/src/mesa/main/shared.c
+++ b/src/mesa/main/shared.c
@@ -31,12 +31,14 @@
 #include "mfeatures.h"
 #include "mtypes.h"
 #include "hash.h"
+#include "hash_table.h"
 #include "atifragshader.h"
 #include "bufferobj.h"
 #include "shared.h"
 #include "program/program.h"
 #include "dlist.h"
 #include "samplerobj.h"
+#include "set.h"
 #include "shaderobj.h"
 #include "syncobj.h"
@@ -115,7 +117,7 @@ _mesa_alloc_shared_state(struct gl_context *ctx)
 shared->FrameBuffers = _mesa_NewHashTable();
 shared->RenderBuffers = _mesa_NewHashTable();
- make_empty_list(& shared->SyncObjects);
+ shared->SyncObjects = _mesa_set_create(NULL, _mesa_key_pointer_equal);
 return shared;
 }
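Review bot: The new `struct set_entry *SetEntry` field in `struct gl_sync_object` (mtypes.h, second hunk) caches a pointer into the set's own storage for the lifetime of the sync object; `_mesa_FenceSync` stores it and `_mesa_unref_sync_object` later passes it straight to `_mesa_set_remove`. set.c is not shown on this page, but if the set reallocates its entry table when it grows, every `SetEntry` saved before the resize dangles and the remove writes through freed memory. Looking the entry up at removal time avoids keeping the pointer at all: `_mesa_set_remove(ctx->Shared->SyncObjects, _mesa_set_search(ctx->Shared->SyncObjects, _mesa_hash_pointer(syncObj), syncObj));`, after which the field and the assignment in `_mesa_FenceSync` can be dropped. The struct definition continues outside the hunk.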
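Review bot: In `_mesa_alloc_shared_state` (shared.c, second hunk) the result of `_mesa_set_create(NULL, _mesa_key_pointer_equal)` is stored without a NULL check, and from this commit on every sync entry point reads `ctx->Shared->SyncObjects` through `_mesa_validate_sync`. If the create call can fail on allocation (set.c is not shown), the validator that is meant to stop a crash on a bad handle would itself dereference a NULL set. A guard such as `if (!shared->SyncObjects) goto fail;` is the shape of the fix, but the function starts outside the hunk, so its cleanup path and the handling of the neighbouring `_mesa_NewHashTable()` results cannot be seen from here.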
@@ -327,13 +329,13 @@ free_shared_state(struct gl_context *ctx, struct gl_shared_state *shared)
 _mesa_reference_buffer_object(ctx, &shared->NullBufferObj, NULL);
 {
- struct simple_node *node;
- struct simple_node *temp;
+ struct set_entry *entry;
- foreach_s(node, temp, & shared->SyncObjects) {
- _mesa_unref_sync_object(ctx, (struct gl_sync_object *) node);
+ set_foreach(shared->SyncObjects, entry) {
+ _mesa_unref_sync_object(ctx, (struct gl_sync_object *) entry->key);
 }
 }
+ _mesa_set_destroy(shared->SyncObjects, NULL);
 _mesa_HashDeleteAll(shared->SamplerObjects, delete_sampler_object_cb, ctx);
 _mesa_DeleteHashTable(shared->SamplerObjects);
diff --git a/src/mesa/main/syncobj.c b/src/mesa/main/syncobj.c
index a2d3137340..3127a396cb 100644
--- a/src/mesa/main/syncobj.c
+++ b/src/mesa/main/syncobj.c
@@ -63,6 +63,8 @@
 #include "get.h"
 #include "dispatch.h"
 #include "mtypes.h"
+#include "set.h"
+#include "hash_table.h"
 #include "syncobj.h"
@@ -173,9 +175,12 @@ _mesa_free_sync_data(struct gl_context *ctx)
 static int
-_mesa_validate_sync(struct gl_sync_object *syncObj)
+_mesa_validate_sync(struct gl_context *ctx, struct gl_sync_object *syncObj)
 {
 return (syncObj != NULL)
+ && _mesa_set_search(ctx->Shared->SyncObjects,
+ _mesa_hash_pointer(syncObj),
+ syncObj) != NULL
 && (syncObj->Type == GL_SYNC_FENCE)
 && !syncObj->DeletePending;
 }
@@ -196,7 +201,7 @@ _mesa_unref_sync_object(struct gl_context *ctx, struct gl_sync_object *syncObj)
 _glthread_LOCK_MUTEX(ctx->Shared->Mutex);
 syncObj->RefCount--;
 if (syncObj->RefCount == 0) {
- remove_from_list(& syncObj->link);
+ _mesa_set_remove(ctx->Shared->SyncObjects, syncObj->SetEntry);
 _glthread_UNLOCK_MUTEX(ctx->Shared->Mutex);
 ctx->Driver.DeleteSyncObject(ctx, syncObj);
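Review bot: The loop in `free_shared_state` now walks `shared->SyncObjects` with `set_foreach` while `_mesa_unref_sync_object` removes the entry being visited whenever the reference count reaches zero; the `foreach_s` it replaces was the list iterator written for removal during traversal. Whether `set_foreach` tolerates removal of the current entry depends on set.c, which this page does not show, so the assumption should be stated at the loop, for example `/* set_foreach tolerates removal of the entry being visited */`, or the loop should be restructured so that it does not rely on it. The function begins and ends outside the hunk.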
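Review bot: `_mesa_validate_sync` (syncobj.c, hunk at -173) searches `ctx->Shared->SyncObjects` without taking `ctx->Shared->Mutex`, although `_mesa_FenceSync` and `_mesa_unref_sync_object` modify the same set under that mutex. With contexts that share state across threads, the lookup can run while another thread inserts or removes, so the check that is supposed to prevent a bad dereference can itself read inconsistent set state. The lookup and the field reads should happen under the lock, as sketched below; this assumes no caller already holds the mutex, which is true of the call sites visible in this commit. Even then the object can be released between validation and use unless the caller takes a reference, which is worth a comment on the function.

```c
static int
_mesa_validate_sync(struct gl_context *ctx, struct gl_sync_object *syncObj)
{
   int valid;

   if (syncObj == NULL)
      return 0;

   /* The set is modified under Shared->Mutex in _mesa_FenceSync() and
    * _mesa_unref_sync_object(), so it is searched under the same lock.
    */
   _glthread_LOCK_MUTEX(ctx->Shared->Mutex);
   valid = _mesa_set_search(ctx->Shared->SyncObjects,
                            _mesa_hash_pointer(syncObj),
                            syncObj) != NULL
      && (syncObj->Type == GL_SYNC_FENCE)
      && !syncObj->DeletePending;
   _glthread_UNLOCK_MUTEX(ctx->Shared->Mutex);

   return valid;
}
```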
@@ -213,7 +218,7 @@ _mesa_IsSync(GLsync sync)
 struct gl_sync_object *const syncObj = (struct gl_sync_object *) sync;
 ASSERT_OUTSIDE_BEGIN_END_WITH_RETVAL(ctx, GL_FALSE);
- return _mesa_validate_sync(syncObj) ? GL_TRUE : GL_FALSE;
+ return _mesa_validate_sync(ctx, syncObj) ? GL_TRUE : GL_FALSE;
 }
@@ -234,7 +239,7 @@ _mesa_DeleteSync(GLsync sync)
 return;
 }
- if (!_mesa_validate_sync(syncObj)) {
+ if (!_mesa_validate_sync(ctx, syncObj)) {
 _mesa_error(ctx, GL_INVALID_VALUE, "glDeleteSync (not a valid sync object)");
 return;
 }
@@ -284,7 +289,9 @@ _mesa_FenceSync(GLenum condition, GLbitfield flags)
 ctx->Driver.FenceSync(ctx, syncObj, condition, flags);
 _glthread_LOCK_MUTEX(ctx->Shared->Mutex);
- insert_at_tail(& ctx->Shared->SyncObjects, & syncObj->link);
+ syncObj->SetEntry = _mesa_set_add(ctx->Shared->SyncObjects,
+ _mesa_hash_pointer(syncObj),
+ syncObj);
 _glthread_UNLOCK_MUTEX(ctx->Shared->Mutex);
 return (GLsync) syncObj;
@@ -302,7 +309,7 @@ _mesa_ClientWaitSync(GLsync sync, GLbitfield flags, GLuint64 timeout)
 GLenum ret;
 ASSERT_OUTSIDE_BEGIN_END_WITH_RETVAL(ctx, GL_WAIT_FAILED);
- if (!_mesa_validate_sync(syncObj)) {
+ if (!_mesa_validate_sync(ctx, syncObj)) {
 _mesa_error(ctx, GL_INVALID_VALUE, "glClientWaitSync (not a valid sync object)");
 return GL_WAIT_FAILED;
 }
@@ -346,7 +353,7 @@ _mesa_WaitSync(GLsync sync, GLbitfield flags, GLuint64 timeout)
 struct gl_sync_object *const syncObj = (struct gl_sync_object *) sync;
 ASSERT_OUTSIDE_BEGIN_END(ctx);
- if (!_mesa_validate_sync(syncObj)) {
+ if (!_mesa_validate_sync(ctx, syncObj)) {
 _mesa_error(ctx, GL_INVALID_VALUE, "glWaitSync (not a valid sync object)");
 return;
 }
@@ -375,7 +382,7 @@ _mesa_GetSynciv(GLsync sync, GLenum pname, GLsizei bufSize, GLsizei *length,
 GLint v[1];
 ASSERT_OUTSIDE_BEGIN_END(ctx);
- if (!_mesa_validate_sync(syncObj)) {
+ if (!_mesa_validate_sync(ctx, syncObj)) {
 _mesa_error(ctx, GL_INVALID_VALUE, "glGetSynciv (not a valid sync object)");
 return;
 }
|
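Review bot: In `_mesa_FenceSync` (hunk at -284) the return value of `_mesa_set_add` is stored in `syncObj->SetEntry` without a check, and the handle is returned to the application regardless. If the add can fail, for instance on allocation failure while the table grows (set.c is not shown), the caller receives a `GLsync` that `_mesa_validate_sync` rejects on every later call, so it can never be waited on or deleted, and the object is never released. The failure should be reported instead of handing out the handle, as sketched below; whether `Driver.DeleteSyncObject` is the right release after `Driver.FenceSync` has run needs confirming against the driver interface. The function starts and ends outside the hunk.

```c
   /* … unchanged: lock and _mesa_set_add() into ctx->Shared->SyncObjects … */
   _glthread_UNLOCK_MUTEX(ctx->Shared->Mutex);

   if (syncObj->SetEntry == NULL) {
      /* Never return a handle that the validator cannot find. */
      ctx->Driver.DeleteSyncObject(ctx, syncObj);
      _mesa_error(ctx, GL_OUT_OF_MEMORY, "glFenceSync");
      return 0;
   }

   return (GLsync) syncObj;
```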