Evan Tang (@etang-cw) commented about libs/vkd3d/command.c:
+ vkd3d_private_store_destroy(&signature->private_store); + + vkd3d_free((void *)signature->desc.pArgumentDescs); + vkd3d_free(signature); + + d3d12_device_release(device); +} + +static void d3d12_command_signature_add_pending(struct d3d12_command_signature *signature) +{ + vkd3d_atomic_increment(&signature->pending_count); +} + +static void d3d12_command_signature_release_pending(struct d3d12_command_signature *signature) +{ + if (!vkd3d_atomic_decrement(&signature->pending_count) && !signature->refcount) Having two separate refcounts seems race-prone
I think you can double-free if one thread decrements the pending count while another decrements the refcount, then both see the other as zero -- https://gitlab.winehq.org/wine/vkd3d/-/merge_requests/260#note_39331