Fix NameExprType returning deleted canonical type when it's in a generic parent.

fixes shader-slang#339

`NamedExpressionType::CreateCanonicalType()` may return a deleted pointer. The original implementation is as follows:
```
    Type* NamedExpressionType::CreateCanonicalType()
    {
        return GetType(declRef)->GetCanonicalType();
    }
```
If `GetType()` returns a newly constructed Type (this happens when the `typedef` is defined inside a generic parent, which triggers a non-trivial substitution), the temporary type will be deleted when the function returns. The fix is to store the temporary type as a field of NamedExpressionType (`innerType`).

A relevant fix (though not the true cause of issue shader-slang#339) is to have `Type::GetCanonicalType()` also hold a `RefPtr` to the constructed canonical type, when the canonical type is not `this`. This prevents a returned canonical type being assigned to a RefPtr, which makes it possible for that RefPtr to be the sole owner of the canonical type and deleteing the canonical type when that RefPtr is destroyed.

Author: csyonghe

source/slang/syntax-base-defs.h

@@ -121,6 +121,7 @@ RAW(
 
     virtual Type* CreateCanonicalType() = 0;
     Type* canonicalType = nullptr;
+    RefPtr<Type> canonicalTypeRefPtr;
 
     Session* session = nullptr;
     )

source/slang/syntax.cpp

@@ -189,6 +189,8 @@ void Type::accept(IValVisitor* visitor, void* extra)
         {
             // TODO(tfoley): worry about thread safety here?
             et->canonicalType = et->CreateCanonicalType();
+            if (dynamic_cast<Type*>(et->canonicalType) != this)
+                et->canonicalTypeRefPtr = et->canonicalType;
             SLANG_ASSERT(et->canonicalType);
         }
         return et->canonicalType;
@@ -861,7 +863,9 @@ void Type::accept(IValVisitor* visitor, void* extra)
 
     Type* NamedExpressionType::CreateCanonicalType()
     {
-        return GetType(declRef)->GetCanonicalType();
+        if (!innerType)
+            innerType = GetType(declRef);
+        return innerType->GetCanonicalType();
     }
 
     int NamedExpressionType::GetHashCode()

source/slang/type-defs.h

@@ -420,9 +420,10 @@ END_SYNTAX_CLASS()
 
 // A type alias of some kind (e.g., via `typedef`)
 SYNTAX_CLASS(NamedExpressionType, Type)
-    DECL_FIELD(DeclRef<TypeDefDecl>, declRef)
+DECL_FIELD(DeclRef<TypeDefDecl>, declRef)
 
 RAW(
+    RefPtr<Type> innerType;
     NamedExpressionType()
     {}
     NamedExpressionType(

tests/compute/typedef-member.slang

@@ -0,0 +1,38 @@
+//TEST(compute):COMPARE_COMPUTE:-xslang -use-ir
+//TEST_INPUT:ubuffer(data=[0 0 0 0], stride=4):dxbinding(0),glbinding(0),out
+
+// Confirm that a struct type defined in a generic parent works
+
+RWStructuredBuffer<float> outputBuffer;
+
+struct SubType<T>
+{
+    T x;
+};
+
+struct GenStruct<T>
+{
+    typedef SubType<T> SubTypeT;
+    T getVal(SubTypeT v)
+    {
+        return v.x;
+    }
+};
+
+float test(float val)
+{
+    GenStruct<float>.SubTypeT sb;
+    sb.x = val;
+    GenStruct<float> obj;
+    return obj.getVal(sb);
+}
+
+
+[numthreads(4, 1, 1)]
+void computeMain(uint3 dispatchThreadID : SV_DispatchThreadID)
+{
+    uint tid = dispatchThreadID.x;
+    float inVal = float(tid);
+    float outVal = test(inVal);
+    outputBuffer[tid] = outVal.x;
+}

tests/compute/typedef-member.slang.expected.txt

@@ -0,0 +1,4 @@
+0
+3F800000
+40000000
+40400000