From ea8c2d118a8c9645bedc86259ba42968ac27c239 Mon Sep 17 00:00:00 2001 From: Mark Janes Date: Mon, 1 Feb 2016 17:13:02 -0800 Subject: [PATCH] anv: Fix anv_descriptor_set reference error on deletion anv_descriptor_set_destroy uses the descriptor sets's set_layout member to iterate the set's buffer views. However, the set_layout reference may have previously been freed. On 64 bit builds, this bug generated valgrind errors but did not affect CTS test results. On 32 bit builds, it reliably produces assertions and memory corruption. --- src/vulkan/anv_descriptor_set.c | 5 +++-- src/vulkan/anv_private.h | 1 + 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/src/vulkan/anv_descriptor_set.c b/src/vulkan/anv_descriptor_set.c index 8997f50297a..f93ea819b0c 100644 --- a/src/vulkan/anv_descriptor_set.c +++ b/src/vulkan/anv_descriptor_set.c @@ -391,7 +391,7 @@ anv_descriptor_set_create(struct anv_device *device, set->buffer_views[b].surface_state = anv_state_pool_alloc(&device->surface_state_pool, 64, 64); } - + set->buffer_count = layout->buffer_count; *out_set = set; return VK_SUCCESS; @@ -402,7 +402,7 @@ anv_descriptor_set_destroy(struct anv_device *device, struct anv_descriptor_set *set) { /* XXX: Use the pool */ - for (uint32_t b = 0; b < set->layout->buffer_count; b++) + for (uint32_t b = 0; b < set->buffer_count; b++) anv_state_pool_free(&device->surface_state_pool, set->buffer_views[b].surface_state); @@ -589,5 +589,6 @@ void anv_UpdateDescriptorSets( dest->descriptors[copy->dstBinding + j] = src->descriptors[copy->srcBinding + j]; } + dest->buffer_count = src->buffer_count; } } diff --git a/src/vulkan/anv_private.h b/src/vulkan/anv_private.h index b9490ae31e2..ad51b1fa472 100644 --- a/src/vulkan/anv_private.h +++ b/src/vulkan/anv_private.h @@ -928,6 +928,7 @@ struct anv_descriptor { struct anv_descriptor_set { const struct anv_descriptor_set_layout *layout; + uint32_t buffer_count; struct anv_buffer_view *buffer_views; struct anv_descriptor descriptors[0]; }; -- 2.30.2