dawn/wire: Fix dangling pointers in WireDeserializeAllocator
Bug: dawn:2345
Change-Id: I95f78e7a5f3cbb2c97b6d5bfbb297886f3c200c7
Reviewed-on: https://dawn-review.googlesource.com/c/dawn/+/181943
Commit-Queue: Jiawei Shao <jiawei.shao@intel.com>
Reviewed-by: Corentin Wallez <cwallez@chromium.org>
Reviewed-by: Austin Eng <enga@chromium.org>
diff --git a/src/dawn/wire/WireDeserializeAllocator.cpp b/src/dawn/wire/WireDeserializeAllocator.cpp
index b3e43a9..ca66341 100644
--- a/src/dawn/wire/WireDeserializeAllocator.cpp
+++ b/src/dawn/wire/WireDeserializeAllocator.cpp
@@ -61,13 +61,13 @@
}
void WireDeserializeAllocator::Reset() {
- for (auto* allocation : mAllocations) {
- free(allocation);
- }
- mAllocations.clear();
-
// The initial buffer is the inline buffer so that some allocations can be skipped
mCurrentBuffer = mStaticBuffer;
mRemainingSize = sizeof(mStaticBuffer);
+
+ for (auto& allocation : mAllocations) {
+ free(allocation.ExtractAsDangling());
+ }
+ mAllocations.clear();
}
} // namespace dawn::wire
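Review bot: The new statement order in Reset() is load-bearing, but no comment says so. mCurrentBuffer is now repointed at mStaticBuffer before the loop frees mAllocations, presumably because it can still point into one of those heap blocks. With `DanglingUntriaged` dropped in the header, it would otherwise be flagged as dangling when the block is freed. A later cleanup that moves the loop back to the top would reintroduce the dangling pointer, and builds without dangling-pointer checks would not notice. I would add a comment above the loop such as `// Must run after mCurrentBuffer is reset: it may point into one of these allocations.`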
diff --git a/src/dawn/wire/WireDeserializeAllocator.h b/src/dawn/wire/WireDeserializeAllocator.h
index 08e992f..6410bcb 100644
--- a/src/dawn/wire/WireDeserializeAllocator.h
+++ b/src/dawn/wire/WireDeserializeAllocator.h
@@ -48,10 +48,9 @@
private:
size_t mRemainingSize = 0;
- // TODO(https://crbug.com/dawn/2345): Investigate `DanglingUntriaged` in dawn/wire.
- raw_ptr<char, AllowPtrArithmetic | DanglingUntriaged> mCurrentBuffer = nullptr;
+ raw_ptr<char, AllowPtrArithmetic> mCurrentBuffer = nullptr;
char mStaticBuffer[2048];
- std::vector<char*> mAllocations;
+ std::vector<raw_ptr<char>> mAllocations;
};
} // namespace dawn::wire
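Review bot: mAllocations now holds `raw_ptr<char>`, which is normally a non-owning type, yet these elements own the blocks that Reset() releases with `free(allocation.ExtractAsDangling())`, and the declaration does not say so. A one-line comment such as `// Owned heap blocks; released in Reset() via ExtractAsDangling() + free().` would stop a future edit from erasing entries without freeing them, or freeing them without extracting first. The rest of the class, including the destructor, is outside this hunk; any other path that frees or drops these entries, or frees memory mCurrentBuffer may point into, should follow the same pattern.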