Viz: Fix UAF on context loss

Fixed: 1250655 Change-Id: I2898316635d370fa36b94e0ae2564ed357745b2c Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3413372 Auto-Submit: Ken Rockot <rockot@google.com> Reviewed-by: Kyle Charbonneau <kylechar@chromium.org> Commit-Queue: Kyle Charbonneau <kylechar@chromium.org> Cr-Commit-Position: refs/heads/main@{#963012}
chromium · Jan 25, 2022 · 98d246c · 98d246c
1 parent e1432e2
commit 98d246c
Showing 1 changed file with 7 additions and 3 deletions.
diff --git a/services/viz/public/cpp/gpu/context_provider_command_buffer.cc b/services/viz/public/cpp/gpu/context_provider_command_buffer.cc
@@ -478,9 +478,13 @@ const gpu::GpuFeatureInfo& ContextProviderCommandBuffer::GetGpuFeatureInfo()
 void ContextProviderCommandBuffer::OnLostContext() {
   CheckValidThreadOrLockAcquired();
 
-  // Ensure |this| isn't destroyed in the middle of OnLostContext() if observers
-  // drop all references to it.
-  scoped_refptr<ContextProviderCommandBuffer> ref(this);
+  // Observers may drop the last persistent references to `this`, but there may
+  // be weak references in use further up the stack. This task is posted to
+  // ensure that destruction is deferred until it's safe.
+  base::SequencedTaskRunnerHandle::Get()->PostTask(
+      FROM_HERE,
+      base::BindOnce([](scoped_refptr<ContextProviderCommandBuffer>) {},
+                     base::WrapRefCounted(this)));
 
   for (auto& observer : observers_)
     observer.OnContextLost();