From ebcf0d31c012ef603503aa9e5a7a6c600c26feda Mon Sep 17 00:00:00 2001
From: Corentin Wallez <cwallez@chromium.org>
Date: Wed, 26 Jun 2019 19:53:34 +0000
Subject: [PATCH] Add missing Reference count in null Device.

The pending CopyFromStagingBuffer operation didn't keep a reference to
its Buffer causing a use-after free in some cases.

BUG=chromium:976573

Change-Id: Ib53c294874d175d2a21b65676fb71e62f42619b0
Reviewed-on: https://dawn-review.googlesource.com/c/dawn/+/8365
Commit-Queue: Kai Ninomiya <kainino@chromium.org>
Reviewed-by: Austin Eng <enga@chromium.org>
Reviewed-by: Kai Ninomiya <kainino@chromium.org>
---
 src/dawn_native/null/DeviceNull.cpp | 12 ++++++------
 src/dawn_native/null/DeviceNull.h   |  2 +-
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/src/dawn_native/null/DeviceNull.cpp b/src/dawn_native/null/DeviceNull.cpp
index 954a26da66..428c772a56 100644
--- a/src/dawn_native/null/DeviceNull.cpp
+++ b/src/dawn_native/null/DeviceNull.cpp
@@ -62,7 +62,7 @@ namespace dawn_native { namespace null {
         }
 
         StagingBufferBase* staging;
-        Buffer* destination;
+        Ref<Buffer> destination;
         uint64_t sourceOffset;
         uint64_t destinationOffset;
         uint64_t size;
@@ -153,7 +153,7 @@ namespace dawn_native { namespace null {
                                                uint64_t size) {
         auto operation = std::make_unique<CopyFromStagingToBufferOperation>();
         operation->staging = source;
-        operation->destination = reinterpret_cast<Buffer*>(destination);
+        operation->destination = ToBackend(destination);
         operation->sourceOffset = sourceOffset;
         operation->destinationOffset = destinationOffset;
         operation->size = size;
@@ -208,9 +208,9 @@ namespace dawn_native { namespace null {
 
     // Buffer
 
-    struct BufferMapReadOperation : PendingOperation {
+    struct BufferMapOperation : PendingOperation {
         virtual void Execute() {
-            buffer->MapReadOperationCompleted(serial, ptr, isWrite);
+            buffer->MapOperationCompleted(serial, ptr, isWrite);
         }
 
         Ref<Buffer> buffer;
@@ -240,7 +240,7 @@ namespace dawn_native { namespace null {
         return {};
     }
 
-    void Buffer::MapReadOperationCompleted(uint32_t serial, void* ptr, bool isWrite) {
+    void Buffer::MapOperationCompleted(uint32_t serial, void* ptr, bool isWrite) {
         if (isWrite) {
             CallMapWriteCallback(serial, DAWN_BUFFER_MAP_ASYNC_STATUS_SUCCESS, ptr, GetSize());
         } else {
@@ -274,7 +274,7 @@ namespace dawn_native { namespace null {
     void Buffer::MapAsyncImplCommon(uint32_t serial, bool isWrite) {
         ASSERT(mBackingData);
 
-        auto operation = std::make_unique<BufferMapReadOperation>();
+        auto operation = std::make_unique<BufferMapOperation>();
         operation->buffer = this;
         operation->ptr = mBackingData.get();
         operation->serial = serial;
diff --git a/src/dawn_native/null/DeviceNull.h b/src/dawn_native/null/DeviceNull.h
index 5ebc64cc43..88b6962cb1 100644
--- a/src/dawn_native/null/DeviceNull.h
+++ b/src/dawn_native/null/DeviceNull.h
@@ -141,7 +141,7 @@ namespace dawn_native { namespace null {
         Buffer(Device* device, const BufferDescriptor* descriptor);
         ~Buffer();
 
-        void MapReadOperationCompleted(uint32_t serial, void* ptr, bool isWrite);
+        void MapOperationCompleted(uint32_t serial, void* ptr, bool isWrite);
         void CopyFromStaging(StagingBufferBase* staging,
                              uint64_t sourceOffset,
                              uint64_t destinationOffset,