anv: Fix anv_descriptor_set reference error on deletion

anv_descriptor_set_destroy uses the descriptor sets's set_layout member
to iterate the set's buffer views.  However, the set_layout reference
may have previously been freed.

On 64 bit builds, this bug generated valgrind errors but did not affect
CTS test results.  On 32 bit builds, it reliably produces assertions and
memory corruption.

diff --git a/src/vulkan/anv_descriptor_set.c b/src/vulkan/anv_descriptor_set.c
index 8997f50297afa3ce138bfb124bcd9f0a1bf1e37c..f93ea819b0c8bbbf907b22ca613b4e66397704d7 100644 (file)
--- a/src/vulkan/anv_descriptor_set.c
+++ b/src/vulkan/anv_descriptor_set.c
@@ -391,7 +391,7 @@ anv_descriptor_set_create(struct anv_device *device,
       set->buffer_views[b].surface_state =
          anv_state_pool_alloc(&device->surface_state_pool, 64, 64);
    }
-
+   set->buffer_count = layout->buffer_count;
    *out_set = set;
 
    return VK_SUCCESS;
@@ -402,7 +402,7 @@ anv_descriptor_set_destroy(struct anv_device *device,
                            struct anv_descriptor_set *set)
 {
    /* XXX: Use the pool */
-   for (uint32_t b = 0; b < set->layout->buffer_count; b++)
+   for (uint32_t b = 0; b < set->buffer_count; b++)
       anv_state_pool_free(&device->surface_state_pool,
                           set->buffer_views[b].surface_state);
 
@@ -589,5 +589,6 @@ void anv_UpdateDescriptorSets(
          dest->descriptors[copy->dstBinding + j] =
             src->descriptors[copy->srcBinding + j];
       }
+      dest->buffer_count = src->buffer_count;
    }
 }

diff --git a/src/vulkan/anv_private.h b/src/vulkan/anv_private.h
index b9490ae31e2464de8263a1547c37a83cd59d46ac..ad51b1fa4729e0b19be8e78a5414d42c85974f44 100644 (file)
--- a/src/vulkan/anv_private.h
+++ b/src/vulkan/anv_private.h
@@ -928,6 +928,7 @@ struct anv_descriptor {
 
 struct anv_descriptor_set {
    const struct anv_descriptor_set_layout *layout;
+   uint32_t buffer_count;
    struct anv_buffer_view *buffer_views;
    struct anv_descriptor descriptors[0];
 };