Fix resource allocation bugs in CompositorFrame fuzzer.

Bitmaps allocated for TileDrawQuads cannot be located by the SoftwareRenderer when the time came to DrawAndSwap. This is caused by two issues: 1. The message queue is not flushed before drawing, leading to an attempt at drawing bitmaps before they are allocated. 2. The bitmaps are allocated by a different SharedBitmapManager than is accessed by the renderer. This CL fixes both of these issues. The contents of TileDrawQuad resources are now actually drawn to the output surface. R=kylechar@chromium.org, riajiang@chromium.org Bug: 923088 Change-Id: Ia835dcc139f1e9b8e7803203d5c8296ae695a3a2 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1542153Reviewed-by: kylechar <kylechar@chromium.org> Commit-Queue: kylechar <kylechar@chromium.org> Auto-Submit: Céline O'Neil <celineo@google.com> Cr-Commit-Position: refs/heads/master@{#645340}

Fix resource allocation bugs in CompositorFrame fuzzer.
Bitmaps allocated for TileDrawQuads cannot be located by the SoftwareRenderer when the time came to DrawAndSwap. This is caused by two issues: 1. The message queue is not flushed before drawing, leading to an attempt at drawing bitmaps before they are allocated. 2. The bitmaps are allocated by a different SharedBitmapManager than is accessed by the renderer. This CL fixes both of these issues. The contents of TileDrawQuad resources are now actually drawn to the output surface. R=kylechar@chromium.org, riajiang@chromium.org Bug: 923088 Change-Id: Ia835dcc139f1e9b8e7803203d5c8296ae695a3a2 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1542153Reviewed-by: kylechar <kylechar@chromium.org> Commit-Queue: kylechar <kylechar@chromium.org> Auto-Submit: Céline O'Neil <celineo@google.com> Cr-Commit-Position: refs/heads/master@{#645340}
2f7a4918 · Céline O'Neil · Commit Bot · 31f7ebd2 · 2f7a4918 · 2f7a4918
Commit 2f7a4918 authored Mar 28, 2019 by Céline O'Neil Committed by Commit Bot Mar 28, 2019
3 changed files
--- a/components/viz/service/compositor_frame_fuzzer/fuzzer_browser_process.cc
+++ b/components/viz/service/compositor_frame_fuzzer/fuzzer_browser_process.cc
@@ -30,7 +30,7 @@ constexpr FrameSinkId kRootFrameSinkId(1, 1);
 FuzzerBrowserProcess::FuzzerBrowserProcess(
    base::Optional<base::FilePath> png_dir_path)
    : root_local_surface_id_(1, 1, base::UnguessableToken::Create()),
-      display_provider_(std::move(png_dir_path)),
+      display_provider_(&shared_bitmap_manager_, std::move(png_dir_path)),
      frame_sink_manager_(&shared_bitmap_manager_,
                          base::nullopt,
                          &display_provider_) {
@@ -77,13 +77,18 @@ void FuzzerBrowserProcess::EmbedFuzzedCompositorFrame(
      BuildBrowserUICompositorFrame(embedded_surface_id);
  root_compositor_frame_sink_ptr_->SubmitCompositorFrame(
      root_local_surface_id_, std::move(browser_frame), base::nullopt, 0);
+  // run queued messages (memory allocation and frame submission)
+  base::RunLoop().RunUntilIdle();
  display_private_->ForceImmediateDrawAndSwapIfPossible();
  for (auto& fuzzed_bitmap : allocated_bitmaps) {
    sink_ptr->DidDeleteSharedBitmap(fuzzed_bitmap.id);
  }
-  base::RunLoop().RunUntilIdle();  // needed to actually run queued messages
+  // run queued messages (memory deallocation)
+  base::RunLoop().RunUntilIdle();
  frame_sink_manager_.DestroyCompositorFrameSink(kEmbeddedFrameSinkId,
                                                 base::DoNothing());

--- a/components/viz/service/compositor_frame_fuzzer/fuzzer_software_display_provider.cc
+++ b/components/viz/service/compositor_frame_fuzzer/fuzzer_software_display_provider.cc
@@ -77,8 +77,10 @@ class PNGSoftwareOutputDevice : public SoftwareOutputDevice {
 }  // namespace
 FuzzerSoftwareDisplayProvider::FuzzerSoftwareDisplayProvider(
+    ServerSharedBitmapManager* server_shared_bitmap_manager,
    base::Optional<base::FilePath> png_dir_path)
-    : png_dir_path_(png_dir_path),
+    : shared_bitmap_manager_(server_shared_bitmap_manager),
+      png_dir_path_(png_dir_path),
      begin_frame_source_(std::make_unique<StubBeginFrameSource>()) {}
 FuzzerSoftwareDisplayProvider::~FuzzerSoftwareDisplayProvider() = default;
@@ -106,7 +108,7 @@ std::unique_ptr<Display> FuzzerSoftwareDisplayProvider::CreateDisplay(
      begin_frame_source_.get(), task_runner.get(),
      output_surface->capabilities().max_frames_pending);
-  return std::make_unique<Display>(&shared_bitmap_manager_, renderer_settings,
+  return std::make_unique<Display>(shared_bitmap_manager_, renderer_settings,
                                   frame_sink_id, std::move(output_surface),
                                   std::move(scheduler), task_runner);
 }

--- a/components/viz/service/compositor_frame_fuzzer/fuzzer_software_display_provider.h
+++ b/components/viz/service/compositor_frame_fuzzer/fuzzer_software_display_provider.h
@@ -22,7 +22,8 @@ namespace viz {
 // ignoring the BeginFrameSource parameters passed to CreateDisplay.
 class FuzzerSoftwareDisplayProvider : public DisplayProvider {
 public:
-  explicit FuzzerSoftwareDisplayProvider(
+  FuzzerSoftwareDisplayProvider(
+      ServerSharedBitmapManager* server_shared_bitmap_manager,
      base::Optional<base::FilePath> png_dir_path);
  ~FuzzerSoftwareDisplayProvider() override;
@@ -39,8 +40,8 @@ class FuzzerSoftwareDisplayProvider : public DisplayProvider {
  uint32_t GetRestartId() const override;
 private:
+  ServerSharedBitmapManager* const shared_bitmap_manager_;
  base::Optional<base::FilePath> png_dir_path_;
-  ServerSharedBitmapManager shared_bitmap_manager_;
  std::unique_ptr<StubBeginFrameSource> begin_frame_source_;
  DISALLOW_COPY_AND_ASSIGN(FuzzerSoftwareDisplayProvider);