summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAustin Eng <enga@chromium.org>2022-06-23 03:12:49 +0000
committerMichael BrĂ¼ning <michael.bruning@qt.io>2022-08-08 09:20:58 +0000
commit3c43c4aaca3548ae5b72be71adb13e3a50416b4b (patch)
treec33333d55bb294b5a53e4865221af5c2f2cb3b97
parent9353f70aaebce920bd5644e658bae594f2736ea1 (diff)
downloadqtwebengine-chromium-3c43c4aaca3548ae5b72be71adb13e3a50416b4b.tar.gz
[Backport] Security bug 1336014
Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/3708646: WebGPU: Mark the context lost on GPU context lost M102 merge issues: - dawn_control_client_holder.h/cc: GetWGPUInstance() not present in M102 Fixes a bug where completely destructing the context instead of marking it lost when receiving a context lost notification freed memory still accessible by the page. Fixed: 1336014 Change-Id: I662e531102af91362b4f62700bfbee507fc44d1f Commit-Queue: Austin Eng <enga@chromium.org> Cr-Commit-Position: refs/heads/main@{#1017003} (cherry picked from commit 6c7f327b7a15aabd3fc5d57e9c05b95d02f1cd36) Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Diffstat
-rw-r--r--chromium/third_party/blink/renderer/modules/webgpu/DEPS1
-rw-r--r--chromium/third_party/blink/renderer/modules/webgpu/gpu.cc5
-rw-r--r--chromium/third_party/blink/renderer/modules/webgpu/gpu.h10
-rw-r--r--chromium/third_party/blink/renderer/platform/graphics/gpu/dawn_control_client_holder.cc22
-rw-r--r--chromium/third_party/blink/renderer/platform/graphics/gpu/dawn_control_client_holder.h4
5 files changed, 36 insertions, 6 deletions
diff --git a/chromium/third_party/blink/renderer/modules/webgpu/DEPS b/chromium/third_party/blink/renderer/modules/webgpu/DEPS
index 55b27bec5c3..cab332cf584 100644
--- a/chromium/third_party/blink/renderer/modules/webgpu/DEPS
+++ b/chromium/third_party/blink/renderer/modules/webgpu/DEPS
@@ -9,6 +9,7 @@ include_rules = [
"+gpu/command_buffer/client/raster_interface.h",
"+gpu/command_buffer/client/shared_image_interface.h",
"+gpu/command_buffer/client/webgpu_interface.h",
+ "+gpu/command_buffer/client/webgpu_interface_stub.h",
"+media/base/video_frame.h",
"+services/metrics/public/cpp/ukm_builders.h",
]
diff --git a/chromium/third_party/blink/renderer/modules/webgpu/gpu.cc b/chromium/third_party/blink/renderer/modules/webgpu/gpu.cc
index 47cdbeda554..21eabbfdfb7 100644
--- a/chromium/third_party/blink/renderer/modules/webgpu/gpu.cc
+++ b/chromium/third_party/blink/renderer/modules/webgpu/gpu.cc
@@ -257,4 +257,9 @@ void GPU::TrackMappableBuffer(GPUBuffer* buffer) {
mappable_buffers_.insert(buffer);
}
+void GPU::SetDawnControlClientHolderForTesting(
+ scoped_refptr<DawnControlClientHolder> dawn_control_client) {
+ dawn_control_client_ = std::move(dawn_control_client);
+}
+
} // namespace blink
diff --git a/chromium/third_party/blink/renderer/modules/webgpu/gpu.h b/chromium/third_party/blink/renderer/modules/webgpu/gpu.h
index f0d39e2b3ba..ab864371c97 100644
--- a/chromium/third_party/blink/renderer/modules/webgpu/gpu.h
+++ b/chromium/third_party/blink/renderer/modules/webgpu/gpu.h
@@ -9,6 +9,7 @@
#include "third_party/blink/renderer/bindings/core/v8/script_promise.h"
#include "third_party/blink/renderer/core/execution_context/execution_context.h"
#include "third_party/blink/renderer/core/execution_context/execution_context_lifecycle_observer.h"
+#include "third_party/blink/renderer/modules/modules_export.h"
#include "third_party/blink/renderer/core/execution_context/navigator_base.h"
#include "third_party/blink/renderer/platform/bindings/script_wrappable.h"
#include "third_party/blink/renderer/platform/supplementable.h"
@@ -25,9 +26,9 @@ class ScriptPromiseResolver;
class ScriptState;
class DawnControlClientHolder;
-class GPU final : public ScriptWrappable,
- public Supplement<NavigatorBase>,
- public ExecutionContextLifecycleObserver {
+class MODULES_EXPORT GPU final : public ScriptWrappable,
+ public Supplement<NavigatorBase>,
+ public ExecutionContextLifecycleObserver {
DEFINE_WRAPPERTYPEINFO();
public:
@@ -56,6 +57,9 @@ class GPU final : public ScriptWrappable,
// https://chromium.googlesource.com/chromium/src/+/refs/heads/main/third_party/blink/renderer/platform/heap/BlinkGCAPIReference.md#weak-collections
void TrackMappableBuffer(GPUBuffer* buffer);
+ void SetDawnControlClientHolderForTesting(
+ scoped_refptr<DawnControlClientHolder> dawn_control_client);
+
private:
void OnRequestAdapterCallback(ScriptState* script_state,
const GPURequestAdapterOptions* options,
diff --git a/chromium/third_party/blink/renderer/platform/graphics/gpu/dawn_control_client_holder.cc b/chromium/third_party/blink/renderer/platform/graphics/gpu/dawn_control_client_holder.cc
index 65a72b047f3..3ab5796e9c2 100644
--- a/chromium/third_party/blink/renderer/platform/graphics/gpu/dawn_control_client_holder.cc
+++ b/chromium/third_party/blink/renderer/platform/graphics/gpu/dawn_control_client_holder.cc
@@ -17,9 +17,17 @@ scoped_refptr<DawnControlClientHolder> DawnControlClientHolder::Create(
auto dawn_control_client_holder =
base::MakeRefCounted<DawnControlClientHolder>(std::move(context_provider),
std::move(task_runner));
+ // The context lost callback occurs when the client receives
+ // OnGpuControlLostContext. This can happen on fatal errors when the GPU
+ // channel is disconnected: the GPU process crashes, the GPU process fails to
+ // deserialize a message, etc. We mark the context lost, but NOT destroy the
+ // entire WebGraphicsContext3DProvider as that would free services for mapping
+ // shared memory. There may still be outstanding mapped GPUBuffers pointing to
+ // this memory.
dawn_control_client_holder->context_provider_->ContextProvider()
->SetLostContextCallback(WTF::BindRepeating(
- &DawnControlClientHolder::Destroy, dawn_control_client_holder));
+ &DawnControlClientHolder::MarkContextLost,
+ dawn_control_client_holder->weak_ptr_factory_.GetWeakPtr()));
return dawn_control_client_holder;
}
@@ -38,7 +46,7 @@ DawnControlClientHolder::DawnControlClientHolder(
DawnControlClientHolder::~DawnControlClientHolder() = default;
void DawnControlClientHolder::Destroy() {
- api_channel_->Disconnect();
+ MarkContextLost();
// Destroy the WebGPU context.
// This ensures that GPU resources are eagerly reclaimed.
@@ -68,8 +76,16 @@ DawnControlClientHolder::GetContextProviderWeakPtr() const {
return context_provider_->GetWeakPtr();
}
+void DawnControlClientHolder::MarkContextLost() {
+ if (context_lost_) {
+ return;
+ }
+ api_channel_->Disconnect();
+ context_lost_ = true;
+}
+
bool DawnControlClientHolder::IsContextLost() const {
- return !context_provider_;
+ return context_lost_;
}
std::unique_ptr<RecyclableCanvasResource>
diff --git a/chromium/third_party/blink/renderer/platform/graphics/gpu/dawn_control_client_holder.h b/chromium/third_party/blink/renderer/platform/graphics/gpu/dawn_control_client_holder.h
index fd58ce91182..efa8dc7dce4 100644
--- a/chromium/third_party/blink/renderer/platform/graphics/gpu/dawn_control_client_holder.h
+++ b/chromium/third_party/blink/renderer/platform/graphics/gpu/dawn_control_client_holder.h
@@ -47,6 +47,7 @@ class PLATFORM_EXPORT DawnControlClientHolder
base::WeakPtr<WebGraphicsContext3DProviderWrapper> GetContextProviderWeakPtr()
const;
const DawnProcTable& GetProcs() const { return procs_; }
+ void MarkContextLost();
bool IsContextLost() const;
std::unique_ptr<RecyclableCanvasResource> GetOrCreateCanvasResource(
const IntSize& size,
@@ -57,11 +58,14 @@ class PLATFORM_EXPORT DawnControlClientHolder
friend class RefCounted<DawnControlClientHolder>;
~DawnControlClientHolder();
+ bool context_lost_ = false;
std::unique_ptr<WebGraphicsContext3DProviderWrapper> context_provider_;
scoped_refptr<base::SingleThreadTaskRunner> task_runner_;
scoped_refptr<gpu::webgpu::APIChannel> api_channel_;
DawnProcTable procs_;
WebGPURecyclableResourceCache recyclable_resource_cache_;
+
+ base::WeakPtrFactory<DawnControlClientHolder> weak_ptr_factory_{this};
};
} // namespace blink
View Lorry Controller Status