MiraclePtr: Avoid storing ExtractAsDangling() into a variable.

ExtractAsDangling() converts the raw_ptr into a raw_ptr allowed to dangle. This is expected to be used immediately as a temporary object, and not stored as a naked pointer. This relies on C++ calling destructor of temporaries at the end of the full expression. It means MiraclePtr will continue to consider the object "referenced" during the expression and continue to protect against UAF during the callback call. Bug: None Change-Id: If9436fb9626253b24c51d2c1db1701d22513fcd3 Reviewed-on: https://dawn-review.googlesource.com/c/dawn/+/206274 Auto-Submit: Arthur Sonzogni <[email protected]> Commit-Queue: Arthur Sonzogni <[email protected]> Reviewed-by: Corentin Wallez <[email protected]> Commit-Queue: Corentin Wallez <[email protected]>
google · Sep 11, 2024 · b0dd53c · b0dd53c
1 parent b26fd0e
commit b0dd53c
Showing 1 changed file with 2 additions and 3 deletions.
diff --git a/src/dawn/wire/client/Device.cpp b/src/dawn/wire/client/Device.cpp
@@ -67,10 +67,9 @@ class PopErrorScopeEvent final : public TrackedEvent {
             mStatus = WGPUPopErrorScopeStatus_InstanceDropped;
             mMessage = std::nullopt;
         }
-        void* userdata1 = mUserdata1.ExtractAsDangling();
-        void* userdata2 = mUserdata2.ExtractAsDangling();
         if (mCallback) {
-            mCallback(mStatus, mType, mMessage ? mMessage->c_str() : nullptr, userdata1, userdata2);
+            mCallback(mStatus, mType, mMessage ? mMessage->c_str() : nullptr,
+                      mUserdata1.ExtractAsDangling(), mUserdata2.ExtractAsDangling());
         }
     }