Fixed SkSL use-after-free fuzzer bug and added defensive code to catch such problems in the future.

Bug: skia:7558 Change-Id: I5098c0ed08f2328828969e819db7785270b26656 Reviewed-on: https://skia-review.googlesource.com/111460 Reviewed-by: Greg Daniel <egdaniel@google.com> Commit-Queue: Ethan Nicholas <ethannicholas@google.com>
author: Ethan Nicholas <ethannicholas@google.com> 2018-03-01 15:05:17 -0500
committer: Skia Commit-Bot <skia-commit-bot@chromium.org> 2018-03-01 20:42:04 +0000
commit: 68dd2c1fa051019354d0c441c78b3885d8e72a7a (patch)
tree: 9b518d216d71742c1948c574db089bdc627b060e /src/sksl/ir/SkSLVariableReference.h
parent: a7f320507dcf765313e27001774042cf1882dfea (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/src/sksl/ir/SkSLVariableReference.h b/src/sksl/ir/SkSLVariableReference.h
index ad54d43515..e1f19ac742 100644
--- a/src/sksl/ir/SkSLVariableReference.h
+++ b/src/sksl/ir/SkSLVariableReference.h
@@ -45,6 +45,9 @@ struct VariableReference : public Expression {
     }
 
     ~VariableReference() override {
+        if (fRefKind != kRead_RefKind) {
+            fVariable.fWriteCount--;
+        }
         if (fRefKind != kWrite_RefKind) {
             fVariable.fReadCount--;
         }
author	Ethan Nicholas <ethannicholas@google.com>	2018-03-01 15:05:17 -0500
committer	Skia Commit-Bot <skia-commit-bot@chromium.org>	2018-03-01 20:42:04 +0000
commit	68dd2c1fa051019354d0c441c78b3885d8e72a7a (patch)
tree	9b518d216d71742c1948c574db089bdc627b060e /src/sksl/ir/SkSLVariableReference.h
parent	a7f320507dcf765313e27001774042cf1882dfea (diff)