Google Git
Sign in
dawn/dawn/refs/heads/chromium/7732
commit
6ec9bf51b0952b13848c8c7c16c54780e74e2a42
[log]
author
Antonio Maiorano <amaiorano@google.com>
Thu Mar 12 10:23:54 2026 -0700
committer
Dawn LUCI CQ <dawn-scoped@luci-project-accounts.iam.gserviceaccount.com>
Thu Mar 12 10:23:54 2026 -0700
tree
f3a975c84dc9a93ae4da440b13b9d938eeb9d1fb
parent
e271ac9c6038365abbb79ede3cba994dccf0581a [diff]
[native] Fix UAF in CopyTextureToTexture

This was happening with
use_blit_for_depth_texture_to_texture_copy_to_nonzero_subresource
enabled, and doing a 0-depth (no-op) copy, then making sure that the src
and dst texture refs go to 0 so they are deleted, and then submitting.
The bug was that the raw texture pointers were being added
CommandEncoder::mTopLevelTextures but without the texture refs being
also stored in a command

Fixed by ensuring we only take the BlitDepthToDepth path if
depthOrArrayLayers > 1.

Added a validation test that reproduced the UAF with ASAN before my fix,
and no longer with my fix.

Bug: 489585038
Change-Id: I390b09bbb69ed0ceffbec2017ec7556a05a023e3
Reviewed-on: https://dawn-review.googlesource.com/c/dawn/+/296675
Reviewed-by: Corentin Wallez <cwallez@chromium.org>
Commit-Queue: Antonio Maiorano <amaiorano@google.com>
4 files changed
tree: f3a975c84dc9a93ae4da440b13b9d938eeb9d1fb
  1. .github/
  2. .vscode/
  3. build_overrides/
  4. docs/
  5. generator/
  6. include/
  7. infra/
  8. scripts/
  9. src/
  10. test/
  11. third_party/
  12. tools/
  13. webgpu-cts/
  14. build
  15. buildtools
  16. testing
  17. .bazelrc
  18. .clang-format
  19. .clang-format-ignore
  20. .clang-tidy
  21. .git-blame-ignore-revs
  22. .gitattributes
  23. .gitignore
  24. .gitmodules
  25. .gn
  26. .style.yapf
  27. .vpython3
  28. AUTHORS
  29. BUILD.bazel
  30. BUILD.gn
  31. CMakeLists.txt
  32. CMakeSettings.json
  33. CODE_OF_CONDUCT.md
  34. codereview.settings
  35. CONTRIBUTING.md
  36. CPPLINT.cfg
  37. DEPS
  38. DIR_METADATA
  39. go.mod
  40. go.sum
  41. go_presubmit_support.py
  42. LICENSE
  43. OWNERS
  44. PRESUBMIT.py
  45. README.chromium
  46. README.md
  47. test_spec_presubmit_support.py
  48. unsafe_buffers_paths.txt
  49. WATCHLISTS
  50. WORKSPACE.bazel
README.md

Build Status Matrix Space

Dawn, a WebGPU implementation

Dawn is an open-source and cross-platform implementation of the WebGPU standard. More precisely it implements webgpu.h that is a one-to-one mapping with the WebGPU IDL. Dawn is meant to be integrated as part of a larger system and is the underlying implementation of WebGPU in Chromium.

Dawn provides several WebGPU building blocks:

  • WebGPU C/C++ headers that applications and other building blocks use.
    • The webgpu.h version that Dawn implements.
    • A C++ wrapper for the webgpu.h.
  • A “native” implementation of WebGPU using platforms' GPU APIs: D3D12, Metal, Vulkan and OpenGL. See per API support for more details.
  • A client-server implementation of WebGPU for applications that are in a sandbox without access to native drivers
  • Tint is a compiler for the WebGPU Shader Language (WGSL) that can be used in standalone to convert shaders from and to WGSL.

Helpful links:

Documentation table of content

Developer documentation:

User documentation: (TODO, figure out what overlaps with the webgpu.h docs)

License

BSD 3-Clause License, please see LICENSE.

Disclaimer

This is not an officially supported Google product.