Fix GPU UAF in D3D12VideoProcessorWrapper teardown. [chromium/src : main]
0 views
Skip to first unread message
Qiu, Jianlin (Gerrit)
Jun 22, 2026, 12:41:53 AM (6 days ago) Jun 22
to Eugene Zemtsov, android-bu...@system.gserviceaccount.com, chromium...@chromium.org, chromeos-gfx-...@google.com, feature-me...@chromium.org, media-cro...@chromium.org, media-wi...@chromium.org
Attention needed from Eugene Zemtsov
Qiu, Jianlin voted Commit-Queue+1![]( "Open in Gerrit")
| Commit-Queue | +1 |
Related details
Attention is currently required from:
- Eugene Zemtsov
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Eugene Zemtsov (Gerrit)
Jun 22, 2026, 10:31:12 PM (5 days ago) Jun 22
to Qiu, Jianlin, Chromium LUCI CQ, Eugene Zemtsov, android-bu...@system.gserviceaccount.com, chromium...@chromium.org, chromeos-gfx-...@google.com, feature-me...@chromium.org, media-cro...@chromium.org, media-wi...@chromium.org
Attention needed from Qiu, Jianlin
Eugene Zemtsov added 2 comments![]( "Open in Gerrit")
File media/base/win/d3d12_mocks.h
Line 420, Patchset 1 (Latest):
class D3D12CommandQueueMockEugene Zemtsov . unresolved
Modernize the mock declarations using the unified `MOCK_METHOD` macro
For example:
```
MOCK_METHOD(HRESULT, Signal, (ID3D12Fence* fence, UINT64 value), (Calltype(STDMETHODCALLTYPE)));
```
File media/gpu/windows/d3d12_video_processor_wrapper.cc
Line 24, Patchset 1 (Latest):
if (auto status = WaitForInFlightWork(); !status.is_ok()) {Eugene Zemtsov . unresolved
I don't think we can call virtual methods in destructors.
Related details
Attention is currently required from:
- Qiu, Jianlin
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
No-Unresolved-Comments
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Qiu, Jianlin (Gerrit)
Jun 23, 2026, 1:31:39 AM (5 days ago) Jun 23
to Chromium LUCI CQ, Eugene Zemtsov, android-bu...@system.gserviceaccount.com, chromium...@chromium.org, chromeos-gfx-...@google.com, feature-me...@chromium.org, media-cro...@chromium.org, media-wi...@chromium.org
Attention needed from Eugene Zemtsov
Qiu, Jianlin voted and added 2 comments![]( "Open in Gerrit")
Votes added by Qiu, Jianlin
| Commit-Queue | +1 |
2 comments
File media/base/win/d3d12_mocks.h
Modernize the mock declarations using the unified `MOCK_METHOD` macro
For example:
```
MOCK_METHOD(HRESULT, Signal, (ID3D12Fence* fence, UINT64 value), (Calltype(STDMETHODCALLTYPE)));
```
Qiu, Jianlin
Done
File media/gpu/windows/d3d12_video_processor_wrapper.cc
Line 24, Patchset 1:
if (auto status = WaitForInFlightWork(); !status.is_ok()) {Eugene Zemtsov . resolved
I don't think we can call virtual methods in destructors.
Qiu, Jianlin
Thanks for pointing this out! Updated to use a private Impl API in the dtor.
Related details
Attention is currently required from:
- Eugene Zemtsov
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Qiu, Jianlin (Gerrit)
Jun 25, 2026, 8:13:03 PM (2 days ago) Jun 25
to Chromium LUCI CQ, Eugene Zemtsov, android-bu...@system.gserviceaccount.com, chromium...@chromium.org, chromeos-gfx-...@google.com, feature-me...@chromium.org, media-cro...@chromium.org, media-wi...@chromium.org
Attention needed from Eugene Zemtsov
Qiu, Jianlin added 1 comment![]( "Open in Gerrit")
Patchset-level comments
Related details
Attention is currently required from:
- Eugene Zemtsov
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Eugene Zemtsov (Gerrit)
Jun 26, 2026, 5:37:23 PM (yesterday) Jun 26
to Qiu, Jianlin, Eugene Zemtsov, Chromium LUCI CQ, android-bu...@system.gserviceaccount.com, chromium...@chromium.org, chromeos-gfx-...@google.com, feature-me...@chromium.org, media-cro...@chromium.org, media-wi...@chromium.org
Attention needed from Qiu, Jianlin
Eugene Zemtsov voted and added 1 comment![]( "Open in Gerrit")
Votes added by Eugene Zemtsov
| Code-Review | +1 |
1 comment
File media/gpu/windows/d3d12_video_processor_wrapper.cc
Line 21, Patchset 2 (Latest):
D3D12VideoProcessorWrapper::~D3D12VideoProcessorWrapper() {Eugene Zemtsov . unresolved
Reorder the member declarations in `D3D12VideoEncodeDelegate` so that `video_processor_wrapper_` is declared *after* `processed_input_frame_`.
Because C++ destroys class members in the reverse order of their declaration, `processed_input_frame_` is destroyed and its underlying D3D12 resource reference is released before `video_processor_wrapper_`'s destructor is invoked.
Related details
Attention is currently required from:
- Qiu, Jianlin
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
No-Unresolved-Comments
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Qiu, Jianlin (Gerrit)
Jun 26, 2026, 6:02:17 PM (yesterday) Jun 26
to Eugene Zemtsov, Chromium LUCI CQ, android-bu...@system.gserviceaccount.com, chromium...@chromium.org, chromeos-gfx-...@google.com, feature-me...@chromium.org, media-cro...@chromium.org, media-wi...@chromium.org
Attention needed from Eugene Zemtsov
Qiu, Jianlin voted and added 2 comments![]( "Open in Gerrit")
Votes added by Qiu, Jianlin
| Auto-Submit | +1 |
| Commit-Queue | +1 |
2 comments
Patchset-level comments
File-level comment, Patchset 3 (Latest):
Qiu, Jianlin . resolved
The +1 got removed. Please help to re-stamp. Thanks!
File media/gpu/windows/d3d12_video_processor_wrapper.cc
Line 21, Patchset 2:
D3D12VideoProcessorWrapper::~D3D12VideoProcessorWrapper() {Eugene Zemtsov . resolved
Reorder the member declarations in `D3D12VideoEncodeDelegate` so that `video_processor_wrapper_` is declared *after* `processed_input_frame_`.
Because C++ destroys class members in the reverse order of their declaration, `processed_input_frame_` is destroyed and its underlying D3D12 resource reference is released before `video_processor_wrapper_`'s destructor is invoked.
Attention is currently required from:
- Eugene Zemtsov
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Eugene Zemtsov (Gerrit)
Jun 26, 2026, 6:04:44 PM (yesterday) Jun 26
to Qiu, Jianlin, Eugene Zemtsov, Chromium LUCI CQ, android-bu...@system.gserviceaccount.com, chromium...@chromium.org, chromeos-gfx-...@google.com, feature-me...@chromium.org, media-cro...@chromium.org, media-wi...@chromium.org
Attention needed from Qiu, Jianlin
Eugene Zemtsov voted![]( "Open in Gerrit")
Attention is currently required from:
- Qiu, Jianlin
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Qiu, Jianlin (Gerrit)
Jun 26, 2026, 6:36:30 PM (yesterday) Jun 26
to Eugene Zemtsov, Chromium LUCI CQ, android-bu...@system.gserviceaccount.com, chromium...@chromium.org, chromeos-gfx-...@google.com, feature-me...@chromium.org, media-cro...@chromium.org, media-wi...@chromium.org
Attention needed from Eugene Zemtsov
Qiu, Jianlin voted Commit-Queue+2![]( "Open in Gerrit")
| Commit-Queue | +2 |
Related details
Attention is currently required from:
- Eugene Zemtsov
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Chromium LUCI CQ (Gerrit)
Jun 26, 2026, 7:17:40 PM (yesterday) Jun 26
to Qiu, Jianlin, Eugene Zemtsov, android-bu...@system.gserviceaccount.com, chromium...@chromium.org, chromeos-gfx-...@google.com, feature-me...@chromium.org, media-cro...@chromium.org, media-wi...@chromium.org
Chromium LUCI CQ submitted the change![]( "Open in Gerrit")
Change information
Commit message:
Fix GPU UAF in D3D12VideoProcessorWrapper teardown.
D3D12VideoEncodeDelegate::Encode() submits asynchronous video
processing work to D3D12VideoProcessorWrapper::ProcessFrames() and
relies on the CPU sync inside D3D12VideoEncoderWrapper::Encode() to
wait on it later. If a codec-specific EncodeImpl() bails between those
two steps (e.g. with kBadReferenceBuffer for a manual reference buffer
that was never populated), that sync is skipped and the subsequent
teardown releases the wrapper's command allocator, command list and
processed input frame while the video processor queue is still using
them.
Wait for in-flight video-processor work whenever EncodeImpl() errors
after ProcessFrames() may have submitted work, so the delegate's
resources are safe by the time NotifyError() begins teardown.
Bug: 523718303
Change-Id: Ifded931b5381a76ed3b3d4c3baae2f8cb703a983
Reviewed-by: Eugene Zemtsov <eug...@chromium.org>
Commit-Queue: Qiu, Jianlin <jianl...@intel.com>
Auto-Submit: Qiu, Jianlin <jianl...@intel.com>
Cr-Commit-Position: refs/heads/main@{#1653518}
Files:
- M media/base/win/d3d12_mocks.cc
- M media/base/win/d3d12_mocks.h
- M media/base/win/d3d12_video_mocks.cc
- M media/base/win/d3d12_video_mocks.h
- M media/gpu/BUILD.gn
- M media/gpu/windows/d3d12_video_encode_delegate.cc
- M media/gpu/windows/d3d12_video_encode_delegate.h
- M media/gpu/windows/d3d12_video_processor_wrapper.cc
- M media/gpu/windows/d3d12_video_processor_wrapper.h
- A media/gpu/windows/d3d12_video_processor_wrapper_unittest.cc
Change size: L
Delta: 10 files changed, 414 insertions(+), 9 deletions(-)
Branch: refs/heads/main
Submit Requirements:
Code-Review: +1 by Eugene Zemtsov
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Reply all
Reply to author
Forward
0 new messages