WebGPU: Fix use-after-free of device lost callback.

The device lost callback is stored in a unique_ptr since it may
never be called. If it's never called we need to free the allocation
on GPUDevice deletion. However, if it is called, we should release
the managed pointer since the callback is self-deleting.

Bug: 1160448
Change-Id: I780eae1dcb8fac34a0128351f47224c83d8c6727
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2612120Reviewed-by: Corentin Wallez <cwallez@chromium.org>
Commit-Queue: Austin Eng <enga@chromium.org>
Cr-Commit-Position: refs/heads/master@{#841173}

third_party/blink/renderer/modules/webgpu/gpu_device.cc

@@ -141,6 +141,12 @@ void GPUDevice::OnUncapturedError(WGPUErrorType errorType,
 }
 
 void GPUDevice::OnDeviceLostError(const char* message) {
+  // This function is called by a callback created by BindDawnCallback.
+  // Release the unique_ptr holding it since BindDawnCallback is self-deleting.
+  // This is stored as a unique_ptr because the lost callback may never be
+  // called.
+  lost_callback_.release();
+
   AddConsoleWarning(message);
 
   if (lost_property_->GetState() == LostProperty::kPending) {

third_party/blink/renderer/modules/webgpu/gpu_device.h

@@ -146,6 +146,10 @@ class GPUDevice final : public EventTargetWithInlineData,
   std::unique_ptr<
       DawnCallback<base::RepeatingCallback<void(WGPUErrorType, const char*)>>>
       error_callback_;
+  // lost_callback_ is stored as a unique_ptr since it may never be called.
+  // We need to be sure to free it on deletion of the device.
+  // Inside OnDeviceLostError we'll release the unique_ptr to avoid a double
+  // free.
   std::unique_ptr<DawnCallback<base::OnceCallback<void(const char*)>>>
       lost_callback_;