Fix corruption of D3D12 CPU descriptor heap free blocks#113000
Merged
Repiteo merged 1 commit intogodotengine:masterfrom Nov 21, 2025
Merged
Conversation
blueskythlikesclouds
approved these changes
Nov 21, 2025
Contributor
blueskythlikesclouds
left a comment
blueskythlikesclouds
left a comment
There was a problem hiding this comment.
Makes sense to me, that's a very obvious "use after free" situation. It should fix the heap corruption.
Contributor
|
Thanks! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
While running my own build of Godot 4.5.1 I was seeing heap corruption in D3D12 code. To investigate I made a dev build and found I was hitting a dev assert in the D3D12 CPU descriptor heap management logic:
I believe the problem due to the order of deletion and update, specifically:
next->value.global_offsetalways matches the key of the pair in this RBMap, so this is erasing "next" itself. So thenextiterator now points to deleted memory, but thennextis updated and put back into free_blocks_by_offset. Sincenextpoints to deleted memory, this is undefined behavior. In my debug builds, you can see in the screenshot that some kind of sentinel values get set to make this "use-after-free" issue more obvious.To fix this I create a block separate from the one that
nextpoints to so I can mutate it before deleting the old block and inserting in the new merged block. I don't know if this fixes the original heap corruption but it does fix the DEV_ASSERT (on line 497 in my screenshot) and corrupted block data.