Add missing Reference count in null Device.
The pending CopyFromStagingBuffer operation didn't keep a reference to its Buffer, causing a use-after-free in some cases. BUG=chromium:976573 Change-Id: Ib53c294874d175d2a21b65676fb71e62f42619b0 Reviewed-on: https://dawn-review.googlesource.com/c/dawn/+/8365 Commit-Queue: Kai Ninomiya <kainino@chromium.org> Reviewed-by: Austin Eng <enga@chromium.org> Reviewed-by: Kai Ninomiya <kainino@chromium.org>
parent
751252e372
commit
ebcf0d31c0
|
@ -62,7 +62,7 @@ namespace dawn_native { namespace null {
|
||||||
}
|
}
|
||||||
|
|
||||||
StagingBufferBase* staging;
|
StagingBufferBase* staging;
|
||||||
Buffer* destination;
|
Ref<Buffer> destination;
|
||||||
uint64_t sourceOffset;
|
uint64_t sourceOffset;
|
||||||
uint64_t destinationOffset;
|
uint64_t destinationOffset;
|
||||||
uint64_t size;
|
uint64_t size;
|
||||||
|
@ -153,7 +153,7 @@ namespace dawn_native { namespace null {
|
||||||
uint64_t size) {
|
uint64_t size) {
|
||||||
auto operation = std::make_unique<CopyFromStagingToBufferOperation>();
|
auto operation = std::make_unique<CopyFromStagingToBufferOperation>();
|
||||||
operation->staging = source;
|
operation->staging = source;
|
||||||
operation->destination = reinterpret_cast<Buffer*>(destination);
|
operation->destination = ToBackend(destination);
|
||||||
operation->sourceOffset = sourceOffset;
|
operation->sourceOffset = sourceOffset;
|
||||||
operation->destinationOffset = destinationOffset;
|
operation->destinationOffset = destinationOffset;
|
||||||
operation->size = size;
|
operation->size = size;
|
||||||
|
@ -208,9 +208,9 @@ namespace dawn_native { namespace null {
|
||||||
|
|
||||||
// Buffer
|
// Buffer
|
||||||
|
|
||||||
struct BufferMapReadOperation : PendingOperation {
|
struct BufferMapOperation : PendingOperation {
|
||||||
virtual void Execute() {
|
virtual void Execute() {
|
||||||
buffer->MapReadOperationCompleted(serial, ptr, isWrite);
|
buffer->MapOperationCompleted(serial, ptr, isWrite);
|
||||||
}
|
}
|
||||||
|
|
||||||
Ref<Buffer> buffer;
|
Ref<Buffer> buffer;
|
||||||
|
@ -240,7 +240,7 @@ namespace dawn_native { namespace null {
|
||||||
return {};
|
return {};
|
||||||
}
|
}
|
||||||
|
|
||||||
void Buffer::MapReadOperationCompleted(uint32_t serial, void* ptr, bool isWrite) {
|
void Buffer::MapOperationCompleted(uint32_t serial, void* ptr, bool isWrite) {
|
||||||
if (isWrite) {
|
if (isWrite) {
|
||||||
CallMapWriteCallback(serial, DAWN_BUFFER_MAP_ASYNC_STATUS_SUCCESS, ptr, GetSize());
|
CallMapWriteCallback(serial, DAWN_BUFFER_MAP_ASYNC_STATUS_SUCCESS, ptr, GetSize());
|
||||||
} else {
|
} else {
|
||||||
|
@ -274,7 +274,7 @@ namespace dawn_native { namespace null {
|
||||||
void Buffer::MapAsyncImplCommon(uint32_t serial, bool isWrite) {
|
void Buffer::MapAsyncImplCommon(uint32_t serial, bool isWrite) {
|
||||||
ASSERT(mBackingData);
|
ASSERT(mBackingData);
|
||||||
|
|
||||||
auto operation = std::make_unique<BufferMapReadOperation>();
|
auto operation = std::make_unique<BufferMapOperation>();
|
||||||
operation->buffer = this;
|
operation->buffer = this;
|
||||||
operation->ptr = mBackingData.get();
|
operation->ptr = mBackingData.get();
|
||||||
operation->serial = serial;
|
operation->serial = serial;
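Review bot: In the struct touched by the first hunk (`@ -62`), `staging` is still a raw `StagingBufferBase*` while `destination` becomes `Ref<Buffer>`, so the queued copy now keeps its destination alive but only borrows its source. Nothing visible here shows what guarantees the staging buffer outlives the pending operation; if another component owns it for that long, state so on the member, e.g. `// Not owned; must stay alive until this operation has executed.` The same question applies to `ptr` in `BufferMapOperation`, which is taken from `mBackingData.get()` and is presumably valid only while the buffer keeps that allocation. A regression test that releases the last external reference to the destination buffer before the pending operations run would pin the use-after-free fix. Both structs and `MapAsyncImplCommon` start or end outside the visible hunks.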
|
||||||
|
|
|
@ -141,7 +141,7 @@ namespace dawn_native { namespace null {
|
||||||
Buffer(Device* device, const BufferDescriptor* descriptor);
|
Buffer(Device* device, const BufferDescriptor* descriptor);
|
||||||
~Buffer();
|
~Buffer();
|
||||||
|
|
||||||
void MapReadOperationCompleted(uint32_t serial, void* ptr, bool isWrite);
|
void MapOperationCompleted(uint32_t serial, void* ptr, bool isWrite);
|
||||||
void CopyFromStaging(StagingBufferBase* staging,
|
void CopyFromStaging(StagingBufferBase* staging,
|
||||||
uint64_t sourceOffset,
|
uint64_t sourceOffset,
|
||||||
uint64_t destinationOffset,
|
uint64_t destinationOffset,
|
||||||
|
|