[dawn][wire] Make the server object tracking thread-safe.

- Since server-side callbacks can now be spontaneous, i.e. may
  be called on different threads such as in Metal threads, we need
  to make sure that the object table on the server is protected.
  We use a Mutex instead of the MutexProtected helpers because it's
  easier to use given the requirements. (See comment in ServerBase.h).
- Removes direct access to the KnownObjects vectors in
  ServerBase so that they can be controlled via helpers that
  acquire locks when necessary.

Bug: 412761856
Change-Id: I9a2f36851ff9f0809312e69dd9853ff7d2a89a4c
Reviewed-on: https://dawn-review.googlesource.com/c/dawn/+/261280
Reviewed-by: Corentin Wallez <[email protected]>
Reviewed-by: Kai Ninomiya <[email protected]>
Commit-Queue: Loko Kung <[email protected]>

Author: lokokung

generator/templates/dawn/wire/server/ServerBase.h

@@ -30,6 +30,7 @@
 
 #include <tuple>
 
+#include "dawn/common/Mutex.h"
 #include "dawn/dawn_proc_table.h"
 #include "dawn/wire/ChunkedCommandHandler.h"
 #include "dawn/wire/Wire.h"
@@ -45,17 +46,59 @@ namespace dawn::wire::server {
         ServerBase(const DawnProcTable& procs) : mProcs(procs) {}
         ~ServerBase() override = default;
 
+        Mutex::AutoLock GetGuard() { return Mutex::AutoLock(&mMutex); }
+
       protected:
         // Proc table may be used by children as well.
         DawnProcTable mProcs;
 
+        // Template functions that implement helpers on KnownObjects.
+        template <typename T>
+        WireResult Get(ObjectId id, Reserved<T>* result) {
+            return std::get<KnownObjects<T>>(mKnown).Get(id, result);
+        }
+        template <typename T>
+        WireResult Get(ObjectId id, Known<T>* result) {
+            return std::get<KnownObjects<T>>(mKnown).Get(id, result);
+        }
+        template <typename T>
+        WireResult FillReservation(ObjectId id, T handle, Known<T>* known = nullptr) {
+            auto result = std::get<KnownObjects<T>>(mKnown).FillReservation(id, handle, known);
+            if (result == WireResult::FatalError) {
+                Release(handle);
+            }
+            return result;
+        }
         template <typename T>
-        const KnownObjects<T>& Objects() const {
-            return std::get<KnownObjects<T>>(mKnown);
+        WireResult Allocate(Reserved<T>* result,
+                            ObjectHandle handler,
+                            AllocationState state = AllocationState::Allocated) {
+            // Allocations always take the lock because |vector::push_back| may be called which
+            // can invalidate pointers.
+            auto serverGuard = GetGuard();
+            return std::get<KnownObjects<T>>(mKnown).Allocate(result, handler, state);
         }
         template <typename T>
-        KnownObjects<T>& Objects() {
-            return std::get<KnownObjects<T>>(mKnown);
+        WireResult Free(ObjectId id, ObjectData<T>* data) {
+            // Free always take the lock to ensure that any callback handlers (which always take
+            // the lock), i.e. On*Callback functions, cannot race with object deletion.
+            auto serverGuard = GetGuard();
+            Reserved<T> obj;
+            WIRE_TRY(Get(id, &obj));
+            *data = std::move(*obj.data);
+            std::get<KnownObjects<T>>(mKnown).Free(id);
+            return WireResult::Success;
+        }
+
+        // Special functions that are currently needed.
+        bool IsDeviceKnown(WGPUDevice device) const {
+            return std::get<KnownObjects<WGPUDevice>>(mKnown).IsKnown(device);
+        }
+        std::vector<WGPUDevice> GetAllDeviceHandles() const {
+            return std::get<KnownObjects<WGPUDevice>>(mKnown).GetAllHandles();
+        }
+        std::vector<WGPUInstance> GetAllInstanceHandles() const {
+            return std::get<KnownObjects<WGPUInstance>>(mKnown).GetAllHandles();
         }
 
         template <typename T>
@@ -65,7 +108,8 @@ namespace dawn::wire::server {
         void DestroyAllObjects() {
             //* Release devices first to force completion of any async work.
             {
-                std::vector<WGPUDevice> handles = Objects<WGPUDevice>().AcquireAllHandles();
+                std::vector<WGPUDevice> handles =
+                    std::get<KnownObjects<WGPUDevice>>(mKnown).AcquireAllHandles();
                 for (WGPUDevice handle : handles) {
                     Release(handle);
                 }
@@ -74,7 +118,8 @@ namespace dawn::wire::server {
             {% for type in by_category["object"] if type.name.get() != "device" %}
                 {% set cType = as_cType(type.name) %}
                 {
-                    std::vector<{{cType}}> handles = Objects<{{cType}}>().AcquireAllHandles();
+                    std::vector<{{cType}}> handles =
+                        std::get<KnownObjects<{{cType}}>>(mKnown).AcquireAllHandles();
                     for ({{cType}} handle : handles) {
                         Release(handle);
                     }
@@ -87,7 +132,7 @@ namespace dawn::wire::server {
         {% for type in by_category["object"] %}
             {% set cType = as_cType(type.name) %}
             WireResult GetFromId(ObjectId id, {{cType}}* out) const final {
-                return Objects<{{cType}}>().GetNativeHandle(id, out);
+                return std::get<KnownObjects<{{cType}}>>(mKnown).GetNativeHandle(id, out);
             }
 
             WireResult GetOptionalFromId(ObjectId id, {{cType}}* out) const final {
@@ -99,7 +144,34 @@ namespace dawn::wire::server {
             }
         {% endfor %}
 
-        //* The list of known IDs for each object type.
+        // The list of known IDs for each object type.
+        // We use an explicit Mutex to protect these lists instead of MutexProtected because:
+        //   1) It allows us to return AutoLock objects to hold the lock across function scopes.
+        //   2) It allows us to use |mKnown| when we know we can access it without the lock.
+        // To clarify the threading model of the KnownObjects, there is always a "main" thread on
+        // the server which is responsible for flushing commands from the client. This thread is
+        // the only thread that ever calls |HandleCommandsImpl| which ultimately calls into the
+        // command handlers in the generated ServerHandlers.cpp. All other threads that can
+        // interact with |mKnown| are async or spontaneous callback threads which always hold the
+        // lock for the full duration of their call, see |ForwardToServerHelper| where we force all
+        // callbacks to take the lock. On the "main" thread, we only acquire the lock whenever we
+        // |Allocate| or |Free|. We need to lock w.r.t other threads for |Allocate| because
+        // internally, that can cause a |std::vector::push_back| call which may invalidate all
+        // pointers. As a result, we cannot have another thread doing anything during that window.
+        // Similarly, for |Free|, we may release the WGPU* backing handle which is also not allowed
+        // to race. Reads on the "main" thread are not explicitly synchronized because callbacks
+        // are not allowed to allocate or free objects which guarantees that the reads on the
+        // "main" thread will be pointer stable. Furthermore, it is actually necessary that we
+        // don't hold the lock for reads on the "main" thread because APIs like |Device::Destroy|
+        // can cause us to wait on callbacks which as stated above, require the lock to complete.
+        // So if we were to hold the lock on the "main" thread during the read and execution of
+        // |Device::Destroy|, we could deadlock when we try waiting for callbacks which can't
+        // acquire this lock.
+        // TODO(https://crbug.com/412761856): Revisit this logic and consider using a rw-lock
+        // in conjunction with taking additional refs to "special" objects/function pairs that can
+        // cause callbacks to run when called. This would make this logic less specific to the way
+        // that the Dawn tests and Chromium uses the wire.
+        Mutex mMutex;
         std::tuple<
             {% for type in by_category["object"] %}
                 KnownObjects<{{as_cType(type.name)}}>{{ ", " if not loop.last else "" }}

generator/templates/dawn/wire/server/ServerDoers.cpp

@@ -82,19 +82,19 @@ namespace dawn::wire::server {
             {% for type in by_category["object"] %}
                 {% set cType = as_cType(type.name) %}
                 case ObjectType::{{type.name.CamelCase()}}: {
-                    Reserved<{{cType}}> obj;
-                    WIRE_TRY(Objects<{{cType}}>().Get(objectId, &obj));
+                    ObjectData<{{cType}}> data;
+                    WIRE_TRY(Free<{{cType}}>(objectId, &data));
 
-                    if (obj->state == AllocationState::Allocated) {
-                        DAWN_ASSERT(obj->handle != nullptr);
+                    //* Handle actually releasing the object after untracking it.
+                    if (data.state == AllocationState::Allocated) {
+                        DAWN_ASSERT(data.handle != nullptr);
                         {% if type.name.get() == "device" %}
                             //* Deregisters uncaptured error and device lost callbacks since
                             //* they should not be forwarded if the device no longer exists on the wire.
-                            ClearDeviceCallbacks(obj->handle);
+                            ClearDeviceCallbacks(data.handle);
                         {% endif %}
-                        Release(obj->handle);
+                        Release(data.handle);
                     }
-                    Objects<{{cType}}>().Free(objectId);
                     return WireResult::Success;
                 }
             {% endfor %}

generator/templates/dawn/wire/server/ServerHandlers.cpp

@@ -53,7 +53,7 @@ namespace dawn::wire::server {
                 {% set cType = as_cType(member.handle_type.name) %}
                 {% set name = as_varName(member.name) %}
                 Reserved<{{cType}}> {{name}}Data;
-                WIRE_TRY(Objects<{{cType}}>().Allocate(&{{name}}Data, cmd.{{name}}));
+                WIRE_TRY(Allocate(&{{name}}Data, cmd.{{name}}));
                 {{name}}Data->generation = cmd.{{name}}.generation;
             {%- endfor %}
 
@@ -62,7 +62,7 @@ namespace dawn::wire::server {
                 {% set cType = as_cType(member.id_type.name) %}
                 {% set name = as_varName(member.name) %}
                 Known<{{cType}}> {{name}}Handle;
-                WIRE_TRY(Objects<{{cType}}>().Get(cmd.{{name}}, &{{name}}Handle));
+                WIRE_TRY(Get(cmd.{{name}}, &{{name}}Handle));
             {% endfor %}
 
             //* Do command
@@ -124,7 +124,7 @@ namespace dawn::wire::server {
         // After the server handles all the commands from the stream, we additionally run
         // ProcessEvents on all known Instances so that any work done on the server side can be
         // forwarded through to the client.
-        for (auto instance : Objects<WGPUInstance>().GetAllHandles()) {
+        for (auto instance : GetAllInstanceHandles()) {
             if (DoInstanceProcessEvents(instance) != WireResult::Success) {
                 return nullptr;
             }

src/dawn/wire/server/Server.cpp

@@ -61,7 +61,7 @@ Server::Server(const DawnProcTable& procs,
 Server::~Server() {
     // Un-set the error and lost callbacks since we cannot forward them
     // after the server has been destroyed.
-    for (WGPUDevice device : Objects<WGPUDevice>().GetAllHandles()) {
+    for (WGPUDevice device : GetAllDeviceHandles()) {
         ClearDeviceCallbacks(device);
     }
     DestroyAllObjects();
@@ -72,13 +72,13 @@ WireResult Server::InjectBuffer(WGPUBuffer buffer,
                                 const Handle& deviceHandle) {
     DAWN_ASSERT(buffer != nullptr);
     Known<WGPUDevice> device;
-    WIRE_TRY(Objects<WGPUDevice>().Get(deviceHandle.id, &device));
+    WIRE_TRY(Get(deviceHandle.id, &device));
     if (device->generation != deviceHandle.generation) {
         return WireResult::FatalError;
     }
 
     Reserved<WGPUBuffer> data;
-    WIRE_TRY(Objects<WGPUBuffer>().Allocate(&data, handle));
+    WIRE_TRY(Allocate(&data, handle));
 
     data->handle = buffer;
     data->generation = handle.generation;
@@ -96,13 +96,13 @@ WireResult Server::InjectTexture(WGPUTexture texture,
                                  const Handle& deviceHandle) {
     DAWN_ASSERT(texture != nullptr);
     Known<WGPUDevice> device;
-    WIRE_TRY(Objects<WGPUDevice>().Get(deviceHandle.id, &device));
+    WIRE_TRY(Get(deviceHandle.id, &device));
     if (device->generation != deviceHandle.generation) {
         return WireResult::FatalError;
     }
 
     Reserved<WGPUTexture> data;
-    WIRE_TRY(Objects<WGPUTexture>().Allocate(&data, handle));
+    WIRE_TRY(Allocate(&data, handle));
 
     data->handle = texture;
     data->generation = handle.generation;
@@ -120,13 +120,13 @@ WireResult Server::InjectSurface(WGPUSurface surface,
                                  const Handle& instanceHandle) {
     DAWN_ASSERT(surface != nullptr);
     Known<WGPUInstance> instance;
-    WIRE_TRY(Objects<WGPUInstance>().Get(instanceHandle.id, &instance));
+    WIRE_TRY(Get(instanceHandle.id, &instance));
     if (instance->generation != instanceHandle.generation) {
         return WireResult::FatalError;
     }
 
     Reserved<WGPUSurface> data;
-    WIRE_TRY(Objects<WGPUSurface>().Allocate(&data, handle));
+    WIRE_TRY(Allocate(&data, handle));
 
     data->handle = surface;
     data->generation = handle.generation;
@@ -142,7 +142,7 @@ WireResult Server::InjectSurface(WGPUSurface surface,
 WireResult Server::InjectInstance(WGPUInstance instance, const Handle& handle) {
     DAWN_ASSERT(instance != nullptr);
     Reserved<WGPUInstance> data;
-    WIRE_TRY(Objects<WGPUInstance>().Allocate(&data, handle));
+    WIRE_TRY(Allocate(&data, handle));
 
     data->handle = instance;
     data->generation = handle.generation;
@@ -157,17 +157,12 @@ WireResult Server::InjectInstance(WGPUInstance instance, const Handle& handle) {
 
 WGPUDevice Server::GetDevice(uint32_t id, uint32_t generation) {
     Known<WGPUDevice> device;
-    if (Objects<WGPUDevice>().Get(id, &device) != WireResult::Success ||
-        device->generation != generation) {
+    if (Get(id, &device) != WireResult::Success || device->generation != generation) {
         return nullptr;
     }
     return device->handle;
 }
 
-bool Server::IsDeviceKnown(WGPUDevice device) const {
-    return Objects<WGPUDevice>().IsKnown(device);
-}
-
 void Server::Flush() {
     if (mUseSpontaneousCallbacks) {
         mSerializer->Flush();

src/dawn/wire/server/Server.h

@@ -88,7 +88,10 @@ struct ForwardToServerHelper<F, void (Server::*)(UserdataT*, Args...)> {
             return;
         }
         // Forward the arguments and the typed userdata to the Server:: member function.
-        (server.get()->*F)(data.get(), std::forward<decltype(args)>(args)...);
+        {
+            auto serverGuard = server.get()->GetGuard();
+            (server.get()->*F)(data.get(), std::forward<decltype(args)>(args)...);
+        }
         server.get()->Flush();
     }
 };
@@ -180,7 +183,7 @@ class Server : public ServerBase {
     WireResult InjectInstance(WGPUInstance instance, const Handle& handle);
 
     WGPUDevice GetDevice(uint32_t id, uint32_t generation);
-    bool IsDeviceKnown(WGPUDevice device) const;
+    using ServerBase::IsDeviceKnown;
 
     // Flushes the command serialized from server->client if spontaneous callbacks are enabled.
     void Flush();
@@ -215,15 +218,6 @@ class Server : public ServerBase {
         mSerializer->SerializeCommand(cmd, std::forward<Extensions>(es)...);
     }
 
-    template <typename T>
-    WireResult FillReservation(ObjectId id, T handle, Known<T>* known = nullptr) {
-        auto result = Objects<T>().FillReservation(id, handle, known);
-        if (result == WireResult::FatalError) {
-            Release(handle);
-        }
-        return result;
-    }
-
     // Wrapper RAII helper for structs with FreeMember calls.
     template <typename Struct>
     class FreeMembers : public Struct {

src/dawn/wire/server/ServerAdapter.cpp

@@ -43,7 +43,7 @@ WireResult Server::DoAdapterRequestDevice(Known<WGPUAdapter> adapter,
                                           WGPUFuture deviceLostFuture,
                                           const WGPUDeviceDescriptor* descriptor) {
     Reserved<WGPUDevice> device;
-    WIRE_TRY(Objects<WGPUDevice>().Allocate(&device, deviceHandle, AllocationState::Reserved));
+    WIRE_TRY(Allocate(&device, deviceHandle, AllocationState::Reserved));
 
     auto userdata = MakeUserdata<RequestDeviceUserdata>();
     userdata->eventManager = eventManager;

src/dawn/wire/server/ServerBuffer.cpp

@@ -54,7 +54,7 @@ WireResult Server::PreHandleDeviceCreateErrorBuffer(const DeviceCreateErrorBuffe
 
 WireResult Server::PreHandleBufferUnmap(const BufferUnmapCmd& cmd) {
     Known<WGPUBuffer> buffer;
-    WIRE_TRY(Objects<WGPUBuffer>().Get(cmd.selfId, &buffer));
+    WIRE_TRY(Get(cmd.selfId, &buffer));
 
     if (buffer->mappedAtCreation && !(buffer->usage & WGPUBufferUsage_MapWrite)) {
         // This indicates the writeHandle is for mappedAtCreation only. Destroy on unmap
@@ -71,7 +71,7 @@ WireResult Server::PreHandleBufferUnmap(const BufferUnmapCmd& cmd) {
 WireResult Server::PreHandleBufferDestroy(const BufferDestroyCmd& cmd) {
     // Destroying a buffer does an implicit unmapping.
     Known<WGPUBuffer> buffer;
-    WIRE_TRY(Objects<WGPUBuffer>().Get(cmd.selfId, &buffer));
+    WIRE_TRY(Get(cmd.selfId, &buffer));
 
     // The buffer was destroyed. Clear the Read/WriteHandle.
     buffer->readHandle = nullptr;
@@ -135,7 +135,7 @@ WireResult Server::DoDeviceCreateBuffer(Known<WGPUDevice> device,
                                         const uint8_t* writeHandleCreateInfo) {
     // Create and register the buffer object.
     Reserved<WGPUBuffer> buffer;
-    WIRE_TRY(Objects<WGPUBuffer>().Allocate(&buffer, bufferHandle));
+    WIRE_TRY(Allocate(&buffer, bufferHandle));
     buffer->handle = mProcs.deviceCreateBuffer(device->handle, descriptor);
     buffer->usage = descriptor->usage;
     buffer->mappedAtCreation = (descriptor->mappedAtCreation != 0u);
@@ -250,7 +250,7 @@ void Server::OnBufferMapAsyncCallback(MapUserdata* data,
                                       WGPUStringView message) {
     // Skip sending the callback if the buffer has already been destroyed.
     Known<WGPUBuffer> buffer;
-    if (Objects<WGPUBuffer>().Get(data->buffer.id, &buffer) != WireResult::Success ||
+    if (Get(data->buffer.id, &buffer) != WireResult::Success ||
         buffer->generation != data->buffer.generation) {
         return;
     }

src/dawn/wire/server/ServerDevice.cpp

@@ -101,8 +101,7 @@ WireResult Server::DoDeviceCreateComputePipelineAsync(
     ObjectHandle pipelineObjectHandle,
     const WGPUComputePipelineDescriptor* descriptor) {
     Reserved<WGPUComputePipeline> pipeline;
-    WIRE_TRY(Objects<WGPUComputePipeline>().Allocate(&pipeline, pipelineObjectHandle,
-                                                     AllocationState::Reserved));
+    WIRE_TRY(Allocate(&pipeline, pipelineObjectHandle, AllocationState::Reserved));
 
     auto userdata = MakeUserdata<CreatePipelineAsyncUserData>();
     userdata->device = device.AsHandle();
@@ -142,8 +141,7 @@ WireResult Server::DoDeviceCreateRenderPipelineAsync(
     ObjectHandle pipelineObjectHandle,
     const WGPURenderPipelineDescriptor* descriptor) {
     Reserved<WGPURenderPipeline> pipeline;
-    WIRE_TRY(Objects<WGPURenderPipeline>().Allocate(&pipeline, pipelineObjectHandle,
-                                                    AllocationState::Reserved));
+    WIRE_TRY(Allocate(&pipeline, pipelineObjectHandle, AllocationState::Reserved));
 
     auto userdata = MakeUserdata<CreatePipelineAsyncUserData>();
     userdata->device = device.AsHandle();

src/dawn/wire/server/ServerInstance.cpp

@@ -41,7 +41,7 @@ WireResult Server::DoInstanceRequestAdapter(Known<WGPUInstance> instance,
                                             ObjectHandle adapterHandle,
                                             const WGPURequestAdapterOptions* options) {
     Reserved<WGPUAdapter> adapter;
-    WIRE_TRY(Objects<WGPUAdapter>().Allocate(&adapter, adapterHandle, AllocationState::Reserved));
+    WIRE_TRY(Allocate(&adapter, adapterHandle, AllocationState::Reserved));
 
     auto userdata = MakeUserdata<RequestAdapterUserdata>();
     userdata->eventManager = eventManager;

src/dawn/wire/server/ServerSurface.cpp

@@ -34,7 +34,7 @@ WireResult Server::DoSurfaceGetCurrentTexture(Known<WGPUSurface> surface,
                                               Known<WGPUDevice> configuredDevice,
                                               ObjectHandle textureHandle) {
     Reserved<WGPUTexture> texture;
-    WIRE_TRY(Objects<WGPUTexture>().Allocate(&texture, textureHandle, AllocationState::Reserved));
+    WIRE_TRY(Allocate(&texture, textureHandle, AllocationState::Reserved));
 
     WGPUSurfaceTexture surfaceTexture;
     mProcs.surfaceGetCurrentTexture(surface->handle, &surfaceTexture);