[impeller] ASAN failures in interactive tests on OpenGLES

[planetmarshall]

Summary

Interactive tests using the Impeller Playground trigger ASAN failures at runtime

Expected Behaviour

The interactive impeller tests should run without errors on all supported backends

Actual Behaviour

OpenGLES tests crash at runtime. ASAN (Address Sanitizer) failures are reported on an appropriately instrumented build - for example:

./impeller_unittests --enable_playground --gtest_filter='Play/RendererTest.BabysFirstTriangle/OpenGLES'
[INFO:flutter/testing/test_timeout_listener.cc(75)] Test timeout of 300 seconds per test case will be enforced.
Note: Google Test filter = Play/RendererTest.BabysFirstTriangle/OpenGLES
[==========] Running 1 test from 1 test suite.
[----------] Global test environment set-up.
[----------] 1 test from Play/RendererTest
[ RUN      ] Play/RendererTest.BabysFirstTriangle/OpenGLES
=================================================================
==332411==ERROR: AddressSanitizer: heap-use-after-free on address 0x7c90e8ee3e70 at pc 0x5589370aa026 bp 0x7fff60cfdae0 sp 0x7fff60cfdad8

Steps to Reproduce

1. Configure a build with Address Sanitizer

   $ gn --unoptimized --asan
   $ ninja -C out/host_debug_unopt/ exe.unstripped/impeller_unittests
   

2. Run an interactive renderer test with OpenGLES

   $ exe.unstripped/impeller_unittests --enable_playground --gtest_filter='Play/RendererTest.BabysFirstTriangle/OpenGLES'
   

System Info

Linux
flutter master (9c66d267b4d8f82e0e7c9cc6e06f4c3c3f7fe7a9)

Reproduced on

• OpenGL ES 3.2 NVIDIA 590.48.01
• OpenGL ES 3.2 Mesa 25.3.3-arch1.3

Notes

Looks a reference to the DeviceBufferGLES's backing store may be getting lost, resulting in a use after free when the underlying pointer is accessed.

Attached log

[jason-simmons]

This is happening because some of the RendererTest test cases are not properly managing the lifetimes of the HostBuffers and DeviceBuffers that they create.

Starting with f81ed55 a BufferView may hold a raw pointer to a DeviceBuffer. Impeller API callers are responsible for ensuring that the DeviceBuffer is valid until consumers such as RenderPass are no longer using the buffer.

Prior to f81ed55 the BufferView always held the DeviceBuffer through a shared_ptr. This made object lifetime management safer, but at the cost of increased reference counting overhead.

Many of the RendererTest cases were written before f81ed55 and were valid at the time but are not currently handling this correctly.

I'd like to merge the parts of #181389 that fix the HostBuffer lifetime in renderer_unittests.cc. But reverting to holding a shared_ptr<DeviceBuffer> or weak_ptr<DeviceBuffer> in every BufferView may be too expensive in terms of performance.

@gaaclarke

[gaaclarke]

We've gotten bitten twice by not having ASAN turned on in CI this week. This time and another time where our google3 integration tests that do have it turned on failed. So we have ASAN but it is happening late in the testing which means it's more painful than if it had failed in presubmit tests.

FWIW I think when this was authored, OpenGLES was not a supported backend for impeller. So it makes sense there was some integration problems that required care to manage lifetimes of the buffers that got overlooked.

I think the ideal fix would be to make sure the buffer's lifetime is correct and assert that it's correct by enabling ASAN in CI. We do that in vulkan with TrackedObjectsVK. I'm not sure if there is an easy alternative for opengles. If that isn't easily accessible, shared_ptr for opengles would be good for now until it can be addressed in the future.

The worst outcome would be to disable the optimization for vulkan too which I don't believe has a problem.

[jason-simmons]

The issue that causes the ASan error in RendererTest also affects Vulkan and other backends.

Running Play/RendererTest.BabysFirstTriangle/Vulkan with Vulkan validation layers enabled produces this error:

--- Vulkan Debug Report  ----------------------------------------
|                Severity: Error
|                    Type: { Validation }
|                 ID Name: VUID-vkEndCommandBuffer-commandBuffer-00059
|               ID Number: -543181122
|       Queue Breadcrumbs: [NONE]
|  CMD Buffer Breadcrumbs: QueueSubmit
|         Related Objects: CommandBuffer [136402001674336] [Playground Command Buffer], Buffer [191315023233198] [UNNAMED], DescriptorSet [197912092999860] [UNNAMED]
|                 Trigger: vkEndCommandBuffer(): was called in VkCommandBuffer 0x7c0e90db4060[Playground Command Buffer] which is now in an invalid state (instead of recording state) because the following objects bound to the command buffer were invalidated
 VkBuffer 0xae00000000ae was destroy
The Vulkan spec states: commandBuffer must be in the recording state (https://docs.vulkan.org/spec/latest/chapters/cmdbuffers.html#VUID-vkEndCommandBuffer-commandBuffer-00059)
-----------------------------------------------------------------

This is caused by the same object lifetime issue described in #181287 (comment). RendererTest.BabysFirstTriangle is calling FS::BindFragInfo using a HostBuffer and DeviceBuffer that are deleted before the RenderPass has finished using the buffer.

TrackedObjectsVK is not applicable in this case. In the Vulkan back end, TrackedObjectsVK will hold references to some objects (including DeviceBuffers) to ensure that they are available during the lifetime of the tracker's command buffer.

But buffers passed to a shader's FS::BindFragInfo function are usually not associated with the tracker. Entity contents instead call FS::BindFragInfo using the buffer provided by ContentContext::GetTransientsDataBuffer. The ContentContext and the buffers that it manages will be valid throughout the lifetime of the RenderPass.

The RendererTest tests are not using ContentContext. They are allocating their own HostBuffers/DeviceBuffers and using them with a RenderPass supplied by the playground test framework.

To meet the object lifetime requirements of f81ed55, RendererTest must keep those buffers around until the playground stops using them in its RenderPass.

I'd be fine with fixing the usage of HostBuffers in RendererTest and otherwise keeping the design introduced by f81ed55. The f81ed55 change has been working as intended in the engine's usage of Impeller.

[gaaclarke]

Jason has a fix for this issue by just fixing the lifetimes of the buffers. Ideally we'd get ASAN to verify this but it will take some effort to get that working on CI again.