MiraclePtr: Avoid storing ExtractAsDangling() into a variable.
ExtractAsDangling() converts the raw_ptr into a raw_ptr allowed to
dangle. This is expected to be used immediately as a temporary object,
and not stored as a naked pointer.
This relies on C++ calling the destructors of temporaries at the end of the
full expression. It means MiraclePtr will continue to consider the
object "referenced" during the expression and continue to protect
against UAF during the callback call.
Bug: None
Change-Id: If9436fb9626253b24c51d2c1db1701d22513fcd3
Reviewed-on: https://dawn-review.googlesource.com/c/dawn/+/206274
Auto-Submit: Arthur Sonzogni <arthursonzogni@chromium.org>
Commit-Queue: Arthur Sonzogni <arthursonzogni@chromium.org>
Reviewed-by: Corentin Wallez <cwallez@chromium.org>
Commit-Queue: Corentin Wallez <cwallez@chromium.org>
diff --git a/src/dawn/wire/client/Device.cpp b/src/dawn/wire/client/Device.cpp
index 5e6227f..45ef133 100644
--- a/src/dawn/wire/client/Device.cpp
+++ b/src/dawn/wire/client/Device.cpp
@@ -67,10 +67,9 @@
mStatus = WGPUPopErrorScopeStatus_InstanceDropped;
mMessage = std::nullopt;
}
- void* userdata1 = mUserdata1.ExtractAsDangling();
- void* userdata2 = mUserdata2.ExtractAsDangling();
if (mCallback) {
- mCallback(mStatus, mType, mMessage ? mMessage->c_str() : nullptr, userdata1, userdata2);
+ mCallback(mStatus, mType, mMessage ? mMessage->c_str() : nullptr,
+ mUserdata1.ExtractAsDangling(), mUserdata2.ExtractAsDangling());
}
}
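Review bot: The extraction of mUserdata1/mUserdata2 moves from unconditional (the two removed `void*` lines before `if (mCallback)`) to inside the `if (mCallback)` branch, so when mCallback is null the two raw_ptr members are no longer cleared and keep pointing at the user's data until this object is destroyed; if that object can be freed first, a dangling raw_ptr would now be detected on destruction where previously it was released. If that path matters, either add an `else` branch that still calls `mUserdata1.ExtractAsDangling(); mUserdata2.ExtractAsDangling();` or say in the commit message why the null-callback case never outlives the userdata. The call itself is fine: the two `ExtractAsDangling()` temporaries are independent, so unspecified argument evaluation order does not matter, and both live until the end of the full expression, so the callback runs while the pointers are still tracked, as the commit message describes.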