[mutter/wip/smcv/cogl-test-premult-use-after-free] cogl test-premult: Don't free texture data until CoglBitmap is freed



commit c3bf10d19a925504a6b11999a9d24dfa1b79aa05
Author: Simon McVittie <smcv debian org>
Date:   Sun Aug 25 16:44:07 2019 +0100

    cogl test-premult: Don't free texture data until CoglBitmap is freed
    
    According to the cogl_bitmap_new_for_data documentation, the data is not
    copied, so the application must keep the buffer alive for the lifetime
    of the CoglBitmap. Freeing it too early led to a use-after-free in the
    cogl unit tests. With that fixed, the test passes, so remove the known
    failure annotation.
    
    This AddressSanitizer trace is from the original cogl, but the bug and
    fix apply equally to mutter's fork of cogl:
    
    ==6223==ERROR: AddressSanitizer: heap-use-after-free on address 0x62100001a500 at pc 0x7f3e2d4e7f4e bp 
0x7ffcd9c41f30 sp 0x7ffcd9c416e0
    READ of size 4096 at 0x62100001a500 thread T0
        #0 0x7f3e2d4e7f4d  (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x96f4d)
        #1 0x7f3e260c7f6b in util_copy_box ../src/gallium/auxiliary/util/u_surface.c:131
        #2 0x7f3e268c6c10 in u_default_texture_subdata ../src/gallium/auxiliary/util/u_transfer.c:67
        #3 0x7f3e26486459 in st_TexSubImage ../src/mesa/state_tracker/st_cb_texture.c:1480
        #4 0x7f3e26487029 in st_TexImage ../src/mesa/state_tracker/st_cb_texture.c:1709
        #5 0x7f3e26487029 in st_TexImage ../src/mesa/state_tracker/st_cb_texture.c:1691
        #6 0x7f3e2644bdba in teximage ../src/mesa/main/teximage.c:3105
        #7 0x7f3e2644bdba in teximage_err ../src/mesa/main/teximage.c:3132
        #8 0x7f3e2644d84f in _mesa_TexImage2D ../src/mesa/main/teximage.c:3170
        #9 0x7f3e2cd1f7df in _cogl_texture_driver_upload_to_gl driver/gl/gl/cogl-texture-driver-gl.c:347
        #10 0x7f3e2ccd441b in allocate_from_bitmap driver/gl/cogl-texture-2d-gl.c:255
        #11 0x7f3e2ccd441b in _cogl_texture_2d_gl_allocate driver/gl/cogl-texture-2d-gl.c:462
        #12 0x7f3e2ce3a6c0 in cogl_texture_allocate cogl/cogl-texture.c:1398
        #13 0x7f3e2ce3e116 in _cogl_texture_pre_paint cogl/cogl-texture.c:359
        #14 0x7f3e2cdee177 in _cogl_pipeline_layer_pre_paint cogl/cogl-pipeline-layer.c:864
        #15 0x7f3e2cd574af in _cogl_rectangles_validate_layer_cb cogl/cogl-primitives.c:542
        #16 0x7f3e2cdd742f in cogl_pipeline_foreach_layer cogl/cogl-pipeline.c:735
        #17 0x7f3e2cd5c8b0 in _cogl_framebuffer_draw_multitextured_rectangles cogl/cogl-primitives.c:658
        #18 0x7f3e2cd60152 in cogl_rectangle cogl/cogl-primitives.c:858
        #19 0x5570a71ed6a0 in check_texture tests/conform/test-premult.c:103
        #20 0x5570a71ed946 in test_premult tests/conform/test-premult.c:159
        #21 0x5570a71df0d6 in main tests/conform/test-conform-main.c:58
        #22 0x7f3e2bcd809a in __libc_start_main ../csu/libc-start.c:308
        #23 0x5570a71e0869 in _start (/home/smcv/src/debian/cogl/tests/conform/.libs/test-conformance+0x33869)
    
    0x62100001a500 is located 0 bytes inside of 4096-byte region [0x62100001a500,0x62100001b500)
    freed by thread T0 here:
        #0 0x7f3e2d5581d7 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x1071d7)
        #1 0x5570a71ed58b in make_texture tests/conform/test-premult.c:69
    
    previously allocated by thread T0 here:
        #0 0x7f3e2d558588 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x107588)
        #1 0x7f3e2d384500 in g_malloc ../../../glib/gmem.c:99
    
    This was originally cogl!12.
    
    https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/1274
    
    Signed-off-by: Simon McVittie <smcv debian org>

 cogl/tests/conform/test-conform-main.c | 2 +-
 cogl/tests/conform/test-premult.c      | 6 +++++-
 2 files changed, 6 insertions(+), 2 deletions(-)
---
diff --git a/cogl/tests/conform/test-conform-main.c b/cogl/tests/conform/test-conform-main.c
index 73f72c8464..5afa0ed8f3 100644
--- a/cogl/tests/conform/test-conform-main.c
+++ b/cogl/tests/conform/test-conform-main.c
@@ -55,7 +55,7 @@ main (int argc, char **argv)
   ADD_TEST (test_pipeline_user_matrix, 0, 0);
   ADD_TEST (test_blend_strings, 0, 0);
   ADD_TEST (test_blend, 0, 0);
-  ADD_TEST (test_premult, 0, TEST_KNOWN_FAILURE);
+  ADD_TEST (test_premult, 0, 0);
   UNPORTED_TEST (test_readpixels);
   ADD_TEST (test_depth_test, 0, 0);
   ADD_TEST (test_backface_culling, 0, TEST_REQUIREMENT_NPOT);
diff --git a/cogl/tests/conform/test-premult.c b/cogl/tests/conform/test-premult.c
index 70a67318ae..cd0687d94e 100644
--- a/cogl/tests/conform/test-premult.c
+++ b/cogl/tests/conform/test-premult.c
@@ -50,6 +50,7 @@ make_texture (uint32_t color,
              CoglPixelFormat src_format,
               MakeTextureFlags flags)
 {
+  static CoglUserDataKey bitmap_free_key;
   CoglTexture2D *tex_2d;
   guchar *tex_data = gen_tex_data (color);
   CoglBitmap *bmp = cogl_bitmap_new_for_data (test_ctx,
@@ -58,6 +59,10 @@ make_texture (uint32_t color,
                                               src_format,
                                               QUAD_WIDTH * 4,
                                               tex_data);
+  cogl_object_set_user_data (COGL_OBJECT (bmp),
+                             &bitmap_free_key,
+                             tex_data,
+                             g_free);
 
   tex_2d = cogl_texture_2d_new_from_bitmap (bmp);
 
@@ -67,7 +72,6 @@ make_texture (uint32_t color,
     cogl_texture_set_premultiplied (tex_2d, FALSE);
 
   cogl_object_unref (bmp);
-  g_free (tex_data);
 
   return tex_2d;
 }
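Review bot: With `g_free (tex_data)` gone, the buffer's lifetime after `cogl_object_unref (bmp)` now depends entirely on the texture keeping its own reference to the bitmap until it has uploaded, which (from the trace in the description) happens lazily at first paint, and nothing in make_texture says so. A reader seeing an unreffed bitmap and a heap buffer that is never freed locally will be tempted to reintroduce the free, so the reliance should be stated next to the unref: `/* tex_2d holds its own ref to bmp until it has uploaded; bmp's user-data destroy notify then frees tex_data, so it must not be freed here. */`. If that reference is not in fact taken by cogl_texture_2d_new_from_bitmap (I am inferring it from the test now passing), the buffer would be freed at this unref and the original use-after-free would remain, so the comment is also worth confirming against the implementation. make_texture's body begins before this hunk.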

