Fix use-after-free of committed resource heaps

Heaps were destroyed immediately instead of deferring destruction
until after all work using the buffer was complete. This is only
a problem on D3D12. Vulkan allocations already have deferred
deletion, and Metal allocations are managed by the driver.

Bug: chromium:1313172
Change-Id: I0ef43709949c9e86c40e766f7f2029b14c8a2e97
Reviewed-on: https://dawn-review.googlesource.com/c/dawn/+/85840
Reviewed-by: Brandon Jones <bajones@chromium.org>
Commit-Queue: Austin Eng <enga@chromium.org>
Austin Eng 2022-04-06 01:14:33 +00:00 committed by Dawn LUCI CQ
parent 8d9d132f7c
commit e8d5678b70
2 changed files with 7 additions and 2 deletions


@ -227,6 +227,7 @@ namespace dawn::native::d3d12 {
} }
} }
mAllocationsToDelete.ClearUpTo(completedSerial); mAllocationsToDelete.ClearUpTo(completedSerial);
mHeapsToDelete.ClearUpTo(completedSerial);
} }
void ResourceAllocatorManager::DeallocateMemory(ResourceHeapAllocation& allocation) { void ResourceAllocatorManager::DeallocateMemory(ResourceHeapAllocation& allocation) {
@ -238,9 +239,12 @@ namespace dawn::native::d3d12 {
// Directly allocated ResourceHeapAllocations are created with a heap object that must be // Directly allocated ResourceHeapAllocations are created with a heap object that must be
// manually deleted upon deallocation. See ResourceAllocatorManager::CreateCommittedResource // manually deleted upon deallocation. See ResourceAllocatorManager::CreateCommittedResource
// for more information. // for more information. Acquire this heap as a unique_ptr and add it to the queue of heaps
// to delete. It cannot be deleted immediately because it may be in use by in-flight or
// pending commands.
if (allocation.GetInfo().mMethod == AllocationMethod::kDirect) { if (allocation.GetInfo().mMethod == AllocationMethod::kDirect) {
delete allocation.GetResourceHeap(); mHeapsToDelete.Enqueue(std::unique_ptr<ResourceHeapBase>(allocation.GetResourceHeap()),
mDevice->GetPendingCommandSerial());
} }
// Invalidate the allocation immediately in case one accidentally // Invalidate the allocation immediately in case one accidentally
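Review bot: The new `mHeapsToDelete.Enqueue(...)` call in `DeallocateMemory` takes ownership of the raw pointer from `allocation.GetResourceHeap()` while `allocation` still holds that same pointer, so a repeat call on the same allocation would queue the heap twice and free it twice. The trailing context comment suggests the allocation is invalidated right afterwards, but that code and the rest of the function are outside the hunk, so whether the `kDirect` check then rejects a second call cannot be confirmed here. I would record the dependency at the call site, e.g. `// Ownership moves to mHeapsToDelete; the invalidation below must follow so this heap is never enqueued twice.` Both file sections shown are allocator source, so a regression test that releases a directly allocated buffer while commands using it are still pending, run under ASan or the D3D12 debug layer, would help keep this lifetime bug from returning.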


@ -100,6 +100,7 @@ namespace dawn::native::d3d12 {
mPooledHeapAllocators; mPooledHeapAllocators;
SerialQueue<ExecutionSerial, ResourceHeapAllocation> mAllocationsToDelete; SerialQueue<ExecutionSerial, ResourceHeapAllocation> mAllocationsToDelete;
SerialQueue<ExecutionSerial, std::unique_ptr<ResourceHeapBase>> mHeapsToDelete;
}; };
} // namespace dawn::native::d3d12 } // namespace dawn::native::d3d12
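Review bot: `mHeapsToDelete` is added without a comment, although its lifetime rule is the substance of this fix. A line above the member such as `// Heaps of directly allocated resources, queued by pending command serial and destroyed once that serial has completed.` would record it for the next reader. Because the queue owns the heaps through `unique_ptr`, anything still queued is presumably freed when the manager itself is destroyed. It is worth confirming that this teardown only happens after the GPU has finished with those heaps, which this hunk does not show.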