Add missing Reference count in null Device.

The pending CopyFromStagingBuffer operation didn't keep a reference to
its Buffer causing a use-after free in some cases.

BUG=chromium:976573

Change-Id: Ib53c294874d175d2a21b65676fb71e62f42619b0
Reviewed-on: https://dawn-review.googlesource.com/c/dawn/+/8365
Commit-Queue: Kai Ninomiya <kainino@chromium.org>
Reviewed-by: Austin Eng <enga@chromium.org>
Reviewed-by: Kai Ninomiya <kainino@chromium.org>
This commit is contained in:
Corentin Wallez 2019-06-26 19:53:34 +00:00 committed by Commit Bot service account
parent 751252e372
commit ebcf0d31c0
2 changed files with 7 additions and 7 deletions

View File

@ -62,7 +62,7 @@ namespace dawn_native { namespace null {
} }
StagingBufferBase* staging; StagingBufferBase* staging;
Buffer* destination; Ref<Buffer> destination;
uint64_t sourceOffset; uint64_t sourceOffset;
uint64_t destinationOffset; uint64_t destinationOffset;
uint64_t size; uint64_t size;
@ -153,7 +153,7 @@ namespace dawn_native { namespace null {
uint64_t size) { uint64_t size) {
auto operation = std::make_unique<CopyFromStagingToBufferOperation>(); auto operation = std::make_unique<CopyFromStagingToBufferOperation>();
operation->staging = source; operation->staging = source;
operation->destination = reinterpret_cast<Buffer*>(destination); operation->destination = ToBackend(destination);
operation->sourceOffset = sourceOffset; operation->sourceOffset = sourceOffset;
operation->destinationOffset = destinationOffset; operation->destinationOffset = destinationOffset;
operation->size = size; operation->size = size;
@ -208,9 +208,9 @@ namespace dawn_native { namespace null {
// Buffer // Buffer
struct BufferMapReadOperation : PendingOperation { struct BufferMapOperation : PendingOperation {
virtual void Execute() { virtual void Execute() {
buffer->MapReadOperationCompleted(serial, ptr, isWrite); buffer->MapOperationCompleted(serial, ptr, isWrite);
} }
Ref<Buffer> buffer; Ref<Buffer> buffer;
@ -240,7 +240,7 @@ namespace dawn_native { namespace null {
return {}; return {};
} }
void Buffer::MapReadOperationCompleted(uint32_t serial, void* ptr, bool isWrite) { void Buffer::MapOperationCompleted(uint32_t serial, void* ptr, bool isWrite) {
if (isWrite) { if (isWrite) {
CallMapWriteCallback(serial, DAWN_BUFFER_MAP_ASYNC_STATUS_SUCCESS, ptr, GetSize()); CallMapWriteCallback(serial, DAWN_BUFFER_MAP_ASYNC_STATUS_SUCCESS, ptr, GetSize());
} else { } else {
@ -274,7 +274,7 @@ namespace dawn_native { namespace null {
void Buffer::MapAsyncImplCommon(uint32_t serial, bool isWrite) { void Buffer::MapAsyncImplCommon(uint32_t serial, bool isWrite) {
ASSERT(mBackingData); ASSERT(mBackingData);
auto operation = std::make_unique<BufferMapReadOperation>(); auto operation = std::make_unique<BufferMapOperation>();
operation->buffer = this; operation->buffer = this;
operation->ptr = mBackingData.get(); operation->ptr = mBackingData.get();
operation->serial = serial; operation->serial = serial;

View File

@ -141,7 +141,7 @@ namespace dawn_native { namespace null {
Buffer(Device* device, const BufferDescriptor* descriptor); Buffer(Device* device, const BufferDescriptor* descriptor);
~Buffer(); ~Buffer();
void MapReadOperationCompleted(uint32_t serial, void* ptr, bool isWrite); void MapOperationCompleted(uint32_t serial, void* ptr, bool isWrite);
void CopyFromStaging(StagingBufferBase* staging, void CopyFromStaging(StagingBufferBase* staging,
uint64_t sourceOffset, uint64_t sourceOffset,
uint64_t destinationOffset, uint64_t destinationOffset,