feat(windows-drivers): host-gone watchdog, SET_RENDER_ADAPTER, log gate, mode bounds
Audit §4.1: implement the host-gone watchdog — it was dead code (WATCHDOG_PINGS bumped but never sampled, no thread). Every IOCTL now bumps a liveness counter; a watchdog thread reap_orphaned()s monitors (created_at grace) if no IOCTL arrives within WATCHDOG_TIMEOUT_S, so a crashed/TerminateProcess'd host no longer leaves its virtual monitor + swap-chain worker + pooled D3D device wedged until the next CLEAR_ALL. Removes the false 'watchdog thread' comments. Audit §4.2: implement SET_RENDER_ADAPTER (was STATUS_NOT_IMPLEMENTED) via IddCxAdapterSetRenderAdapter, so the host can pin the IDD render to the NVENC GPU on a hybrid iGPU+dGPU box (else the OS-picked iGPU makes the host ring textures un-openable -> DRV_STATUS_TEX_FAIL). Audit §4.4: gate the world-writable C:\Users\Public\pfvd-driver.log behind debug builds / PFVD_DEBUG_LOG (a release build never writes it). Audit §4.5: bounds-check the requested mode in IOCTL_ADD; compute display_info clock_rate in u64 + saturate (the old u32 refresh*(h+4)^2 overflowed/aborted the mode DDI for large modes). Verified: driver workspace builds clean on the RTX box (WDK 26100 + LLVM 21.1.2, MSVC). On-glass functional validation of the watchdog/render-pin is a follow-up (needs a driver reinstall + session). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -6,7 +6,7 @@
|
||||
|
||||
use std::sync::Mutex;
|
||||
use std::sync::atomic::{AtomicU32, Ordering};
|
||||
use std::time::Instant;
|
||||
use std::time::{Duration, Instant};
|
||||
|
||||
use wdk_sys::iddcx;
|
||||
|
||||
@@ -64,6 +64,50 @@ pub static MONITOR_MODES: Mutex<Vec<MonitorObject>> = Mutex::new(Vec::new());
|
||||
/// Monitor id / EDID-serial counter (unique per created monitor).
|
||||
static NEXT_ID: AtomicU32 = AtomicU32::new(1);
|
||||
|
||||
/// True if any virtual monitor currently exists — the host-gone watchdog only reaps when there's
|
||||
/// something to reap (see [`crate::control::start_watchdog`]).
|
||||
pub fn has_monitors() -> bool {
|
||||
MONITOR_MODES.lock().map(|l| !l.is_empty()).unwrap_or(false)
|
||||
}
|
||||
|
||||
/// Depart every monitor that has existed at least `grace` — the host-gone watchdog reap
|
||||
/// ([`crate::control::start_watchdog`]). The grace skips a just-created monitor (the host adds it, then
|
||||
/// starts pinging) so a momentarily-stale ping timer can't nuke a brand-new monitor. Returns the count
|
||||
/// departed. Same lock discipline as [`remove_monitor`]: drop each worker (which RAII-joins its thread)
|
||||
/// OUTSIDE the `MONITOR_MODES` lock, then depart.
|
||||
pub fn reap_orphaned(grace: Duration) -> usize {
|
||||
let mut drained: Vec<(
|
||||
Option<iddcx::IDDCX_MONITOR>,
|
||||
Option<crate::swap_chain_processor::SwapChainProcessor>,
|
||||
)> = {
|
||||
let Ok(mut lock) = MONITOR_MODES.lock() else {
|
||||
return 0;
|
||||
};
|
||||
let mut taken = Vec::new();
|
||||
let mut i = 0;
|
||||
while i < lock.len() {
|
||||
if lock[i].created_at.elapsed() >= grace {
|
||||
let mut m = lock.remove(i);
|
||||
taken.push((m.object, m.swap_chain_processor.take()));
|
||||
} else {
|
||||
i += 1;
|
||||
}
|
||||
}
|
||||
taken
|
||||
};
|
||||
let n = drained.len();
|
||||
for (_, processor) in &mut drained {
|
||||
drop(processor.take());
|
||||
}
|
||||
for (object, _) in drained {
|
||||
if let Some(m) = object {
|
||||
// SAFETY: `m` is a live IddCx monitor handle; departure tears it down.
|
||||
unsafe { wdk_iddcx::IddCxMonitorDeparture(m) };
|
||||
}
|
||||
}
|
||||
n
|
||||
}
|
||||
|
||||
/// Fallback modes appended after the requested mode, so a topology change still has options.
|
||||
fn default_modes() -> Vec<Mode> {
|
||||
vec![
|
||||
@@ -86,17 +130,21 @@ pub fn display_info(
|
||||
height: u32,
|
||||
refresh_rate: u32,
|
||||
) -> wdk_sys::DISPLAYCONFIG_VIDEO_SIGNAL_INFO {
|
||||
let clock_rate = refresh_rate * (height + 4) * (height + 4) + 1000;
|
||||
// Compute in u64 then saturate the u32 rational numerators: the old u32 `refresh*(h+4)^2` overflows
|
||||
// for a large mode (e.g. 8K@240), which panics→aborts the extern-"C" mode DDI in a debug build.
|
||||
// Identical for every real mode; only an absurd (also now bounds-rejected) mode saturates.
|
||||
let clock_rate: u64 = u64::from(refresh_rate) * u64::from(height + 4) * u64::from(height + 4) + 1000;
|
||||
let clock_rate_u32 = u32::try_from(clock_rate).unwrap_or(u32::MAX);
|
||||
// SAFETY: building a C POD — the all-zero bit pattern is a valid uninitialized
|
||||
// DISPLAYCONFIG_VIDEO_SIGNAL_INFO; every meaningful field is assigned below.
|
||||
let mut si: wdk_sys::DISPLAYCONFIG_VIDEO_SIGNAL_INFO = unsafe { core::mem::zeroed() };
|
||||
si.pixelRate = u64::from(clock_rate);
|
||||
si.pixelRate = clock_rate;
|
||||
si.hSyncFreq = wdk_sys::DISPLAYCONFIG_RATIONAL {
|
||||
Numerator: clock_rate,
|
||||
Numerator: clock_rate_u32,
|
||||
Denominator: height + 4,
|
||||
};
|
||||
si.vSyncFreq = wdk_sys::DISPLAYCONFIG_RATIONAL {
|
||||
Numerator: clock_rate,
|
||||
Numerator: clock_rate_u32,
|
||||
Denominator: (height + 4) * (height + 4),
|
||||
};
|
||||
si.activeSize = wdk_sys::DISPLAYCONFIG_2DREGION {
|
||||
|
||||
Reference in New Issue
Block a user