WireAndFrontendFuzzer "wait" for all commands before freeing

Otherwise the Device might fire callbacks when it is destroyed, causing use-after-frees on the wire server. BUG=chromium:914620 BUG=chromium:914615 Change-Id: Ic47b219b4ebe2eb5abd525741c0ff1180282c87d Reviewed-on: https://dawn-review.googlesource.com/c/3322 Reviewed-by: Stephen White <senorblanco@chromium.org> Reviewed-by: Kai Ninomiya <kainino@chromium.org> Commit-Queue: Corentin Wallez <cwallez@chromium.org>
2018-12-15 10:34:02 +00:00 · 2018-12-15 10:34:02 +00:00 · e018292bed
parent 48485e36a8
commit e018292bed
1 changed files with 7 additions and 0 deletions
--- a/src/fuzzers/DawnWireServerAndFrontendFuzzer.cpp
+++ b/src/fuzzers/DawnWireServerAndFrontendFuzzer.cpp
@ -53,5 +53,12 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {

    wireServer->HandleCommands(reinterpret_cast<const char*>(data), size);

+    // Fake waiting for all previous commands before destroying the server.
+    nullDevice.Tick();
+
+    // Destroy the server before the device because it needs to free all objects.
+    wireServer = nullptr;
+    nullDevice = nullptr;
+
    return 0;
 }