zink: fix cached descriptor set invalidation for array bindings

need to iterate over the descriptors in the binding to invalidate the whole thing here ================================================================= ==546534==ERROR: AddressSanitizer: heap-use-after-free on address 0x61a0000ae6c0 at pc 0x7fe20e26fd9d bp 0x7ffd92be6bc0 sp 0x7ffd92be6bb8 READ of size 8 at 0x61a0000ae6c0 thread T0 #0 0x7fe20e26fd9c in zink_descriptor_set_refs_clear ../src/gallium/drivers/zink/zink_descriptors.c:950 #1 0x7fe20e401304 in zink_destroy_surface ../src/gallium/drivers/zink/zink_surface.c:340 #2 0x7fe20e21311b in zink_surface_reference ../src/gallium/drivers/zink/zink_surface.h:106 #3 0x7fe20e21a5b9 in zink_sampler_view_destroy ../src/gallium/drivers/zink/zink_context.c:835 #4 0x7fe20c41d35f in tc_sampler_view_destroy ../src/gallium/auxiliary/util/u_threaded_context.c:1848 #5 0x7fe20e210ff7 in pipe_sampler_view_reference ../src/gallium/auxiliary/util/u_inlines.h:216 #6 0x7fe20e22d592 in zink_set_sampler_views ../src/gallium/drivers/zink/zink_context.c:1532 #7 0x7fe20c41a3d8 in tc_call_set_sampler_views ../src/gallium/auxiliary/util/u_threaded_context.c:1393 #8 0x7fe20c411706 in tc_batch_execute ../src/gallium/auxiliary/util/u_threaded_context.c:211 #9 0x7fe20c4124ba in _tc_sync ../src/gallium/auxiliary/util/u_threaded_context.c:362 #10 0x7fe20c42b728 in tc_destroy ../src/gallium/auxiliary/util/u_threaded_context.c:4250 #11 0x7fe20b65176a in st_destroy_context_priv ../src/mesa/state_tracker/st_context.c:387 #12 0x7fe20b65669f in st_destroy_context ../src/mesa/state_tracker/st_context.c:1009 #13 0x7fe20b7055ab in st_context_destroy ../src/mesa/state_tracker/st_manager.c:944 #14 0x7fe20a9c75bd in dri_destroy_context ../src/gallium/frontends/dri/dri_context.c:256 #15 0x7fe20a9d4bef in driDestroyContext ../src/gallium/frontends/dri/dri_util.c:534 #16 0x7fe22361f25c in drisw_destroy_context ../src/glx/drisw_glx.c:429 #17 0x7fe223625d95 in glXDestroyContext ../src/glx/glxcmds.c:523 #18 0x7fe22636aaeb in glXDestroyContext /home/zmike/src/libglvnd-v1.3.2/src/GLX/libglx.c:332 #19 0x7fe2269d9e7d in glXDestroyContext /home/zmike/src/libglvnd-v1.3.2/src/GL/g_libglglxwrapper.c:384 #20 0x41b88a in tcu::lnx::x11::glx::GlxRenderContext::~GlxRenderContext() /home/zmike/src/VK-GL-CTS/framework/platform/lnx/X11/tcuLnxX11GlxPlatform.cpp:734 #21 0x41b8e9 in tcu::lnx::x11::glx::GlxRenderContext::~GlxRenderContext() /home/zmike/src/VK-GL-CTS/framework/platform/lnx/X11/tcuLnxX11GlxPlatform.cpp:735 #22 0x2323aa7 in deqp::gles31::Context::destroyRenderContext() /home/zmike/src/VK-GL-CTS/modules/gles31/tes31Context.cpp:77 #23 0x2323969 in deqp::gles31::Context::~Context() /home/zmike/src/VK-GL-CTS/modules/gles31/tes31Context.cpp:55 #24 0x232278e in deqp::gles31::TestPackage::deinit() /home/zmike/src/VK-GL-CTS/modules/gles31/tes31TestPackage.cpp:102 #25 0x2c866c2 in tcu::DefaultHierarchyInflater::leaveTestPackage(tcu::TestPackage*) /home/zmike/src/VK-GL-CTS/framework/common/tcuTestHierarchyIterator.cpp:75 #26 0x2c87058 in tcu::TestHierarchyIterator::next() /home/zmike/src/VK-GL-CTS/framework/common/tcuTestHierarchyIterator.cpp:252 #27 0x2c365da in tcu::TestSessionExecutor::iterate() /home/zmike/src/VK-GL-CTS/framework/common/tcuTestSessionExecutor.cpp:122 #28 0x2c00b0c in tcu::App::iterate() /home/zmike/src/VK-GL-CTS/framework/common/tcuApp.cpp:221 #29 0x4141b7 in main /home/zmike/src/VK-GL-CTS/framework/platform/tcuMain.cpp:58 #30 0x7fe2263e155f in __libc_start_call_main (/lib64/libc.so.6+0x2d55f) #31 0x7fe2263e160b in __libc_start_main_impl (/lib64/libc.so.6+0x2d60b) #32 0x413fa4 in _start (/home/zmike/src/VK-GL-CTS/build/external/openglcts/modules/glcts+0x413fa4) 0x61a0000ae6c0 is located 64 bytes inside of 1328-byte region [0x61a0000ae680,0x61a0000aebb0) freed by thread T0 here: #0 0x7fe226cb6627 in free (/usr/lib64/libasan.so.6+0xae627) #1 0x7fe20aab1751 in unsafe_free ../src/util/ralloc.c:302 #2 0x7fe20aab16c8 in unsafe_free ../src/util/ralloc.c:295 #3 0x7fe20aab13c3 in ralloc_free ../src/util/ralloc.c:265 #4 0x7fe20e269234 in descriptor_pool_free ../src/gallium/drivers/zink/zink_descriptors.c:286 #5 0x7fe20e26937d in descriptor_pool_delete ../src/gallium/drivers/zink/zink_descriptors.c:296 #6 0x7fe20e26ff53 in zink_descriptor_pool_reference ../src/gallium/drivers/zink/zink_descriptors.c:967 #7 0x7fe20e270db2 in zink_descriptor_program_deinit ../src/gallium/drivers/zink/zink_descriptors.c:1071 #8 0x7fe20e3b6536 in zink_destroy_gfx_program ../src/gallium/drivers/zink/zink_program.c:695 #9 0x7fe20e1eaaf9 in zink_gfx_program_reference ../src/gallium/drivers/zink/zink_program.h:242 #10 0x7fe20e20d386 in zink_shader_free ../src/gallium/drivers/zink/zink_compiler.c:2099 #11 0x7fe20e3b9f0b in zink_delete_shader_state ../src/gallium/drivers/zink/zink_program.c:1074 #12 0x7fe20c3e29ad in util_shader_reference ../src/gallium/auxiliary/util/u_live_shader_cache.c:188 #13 0x7fe20e3ba11e in zink_delete_cached_shader_state ../src/gallium/drivers/zink/zink_program.c:1093 #14 0x7fe20c41709e in tc_call_delete_fs_state ../src/gallium/auxiliary/util/u_threaded_context.c:998 #15 0x7fe20c411706 in tc_batch_execute ../src/gallium/auxiliary/util/u_threaded_context.c:211 #16 0x7fe20c4124ba in _tc_sync ../src/gallium/auxiliary/util/u_threaded_context.c:362 #17 0x7fe20c423683 in tc_flush ../src/gallium/auxiliary/util/u_threaded_context.c:3003 #18 0x7fe20b62d996 in st_flush ../src/mesa/state_tracker/st_cb_flush.c:60 #19 0x7fe20b62dbe3 in st_glFlush ../src/mesa/state_tracker/st_cb_flush.c:94 #20 0x7fe20ae4bded in _mesa_make_current ../src/mesa/main/context.c:1493 #21 0x7fe20ae49702 in _mesa_free_context_data ../src/mesa/main/context.c:1187 #22 0x7fe20b65668b in st_destroy_context ../src/mesa/state_tracker/st_context.c:1005 #23 0x7fe20b7055ab in st_context_destroy ../src/mesa/state_tracker/st_manager.c:944 #24 0x7fe20a9c75bd in dri_destroy_context ../src/gallium/frontends/dri/dri_context.c:256 #25 0x7fe20a9d4bef in driDestroyContext ../src/gallium/frontends/dri/dri_util.c:534 #26 0x7fe22361f25c in drisw_destroy_context ../src/glx/drisw_glx.c:429 #27 0x7fe223625d95 in glXDestroyContext ../src/glx/glxcmds.c:523 #28 0x7fe22636aaeb in glXDestroyContext /home/zmike/src/libglvnd-v1.3.2/src/GLX/libglx.c:332 #29 0x7fe2269d9e7d in glXDestroyContext /home/zmike/src/libglvnd-v1.3.2/src/GL/g_libglglxwrapper.c:384 previously allocated by thread T0 here: #0 0x7fe226cb691f in __interceptor_malloc (/usr/lib64/libasan.so.6+0xae91f) #1 0x7fe20aab0c81 in ralloc_size ../src/util/ralloc.c:120 #2 0x7fe20aab0e33 in rzalloc_size ../src/util/ralloc.c:153 #3 0x7fe20aab12c8 in rzalloc_array_size ../src/util/ralloc.c:233 #4 0x7fe20e26c76d in allocate_desc_set ../src/gallium/drivers/zink/zink_descriptors.c:657 #5 0x7fe20e26e9cb in zink_descriptor_set_get ../src/gallium/drivers/zink/zink_descriptors.c:840 #6 0x7fe20e2747aa in zink_descriptors_update ../src/gallium/drivers/zink/zink_descriptors.c:1424 #7 0x7fe20e36fc48 in void zink_draw<(zink_multidraw)1, (zink_dynamic_state)2, true, false>(pipe_context*, pipe_draw_info const*, unsigned int, pipe_draw_indirect_info const*, pipe_draw_start_count_bias const*, unsigned int, pipe_vertex_state*, unsigned int) ../src/gallium/drivers/zink/zink_draw.cpp:788 #8 0x7fe20e29166d in zink_draw_vbo<(zink_multidraw)1, (zink_dynamic_state)2, true> ../src/gallium/drivers/zink/zink_draw.cpp:907 #9 0x7fe20c424982 in tc_call_draw_single ../src/gallium/auxiliary/util/u_threaded_context.c:3155 #10 0x7fe20c411706 in tc_batch_execute ../src/gallium/auxiliary/util/u_threaded_context.c:211 #11 0x7fe20c4124ba in _tc_sync ../src/gallium/auxiliary/util/u_threaded_context.c:362 #12 0x7fe20c41f7a9 in tc_texture_map ../src/gallium/auxiliary/util/u_threaded_context.c:2279 #13 0x7fe20b630757 in pipe_texture_map_3d ../src/gallium/auxiliary/util/u_inlines.h:572 #14 0x7fe20b6341f6 in st_ReadPixels ../src/mesa/state_tracker/st_cb_readpixels.c:546 #15 0x7fe20b42fea7 in read_pixels ../src/mesa/main/readpix.c:1178 #16 0x7fe20b42fea7 in _mesa_ReadnPixelsARB ../src/mesa/main/readpix.c:1195 #17 0x7fe20b42ffc0 in _mesa_ReadPixels ../src/mesa/main/readpix.c:1210 #18 0x2a6d094 in glu::readPixels(glu::RenderContext const&, int, int, tcu::PixelBufferAccess const&) /home/zmike/src/VK-GL-CTS/framework/opengl/gluPixelTransfer.cpp:61 #19 0x29eaa06 in deqp::gls::ShaderExecUtil::FragmentOutExecutor::execute(int, void const* const*, void* const*) /home/zmike/src/VK-GL-CTS/modules/glshared/glsShaderExecUtil.cpp:677 #20 0x25a600b in iterate /home/zmike/src/VK-GL-CTS/modules/gles31/functional/es31fOpaqueTypeIndexingTests.cpp:585 #21 0x2322b53 in deqp::gles31::TestCaseWrapper<deqp::gles31::TestPackage>::iterate(tcu::TestCase*) /home/zmike/src/VK-GL-CTS/modules/gles31/tes31TestCaseWrapper.hpp:86 #22 0x2c376fd in tcu::TestSessionExecutor::iterateTestCase(tcu::TestCase*) /home/zmike/src/VK-GL-CTS/framework/common/tcuTestSessionExecutor.cpp:302 #23 0x2c366e3 in tcu::TestSessionExecutor::iterate() /home/zmike/src/VK-GL-CTS/framework/common/tcuTestSessionExecutor.cpp:139 #24 0x2c00b0c in tcu::App::iterate() /home/zmike/src/VK-GL-CTS/framework/common/tcuApp.cpp:221 #25 0x4141b7 in main /home/zmike/src/VK-GL-CTS/framework/platform/tcuMain.cpp:58 #26 0x7fe2263e155f in __libc_start_call_main (/lib64/libc.so.6+0x2d55f) cc: mesa-stable Reviewed-by: Emma Anholt <emma@anholt.net> Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/15173>
grate-driver · Feb 26, 2022 · 698ae34 · 698ae34
1 parent 62b8daa
commit 698ae34
Showing 1 changed file with 37 additions and 33 deletions.
diff --git a/src/gallium/drivers/zink/zink_descriptors.c b/src/gallium/drivers/zink/zink_descriptors.c
@@ -213,41 +213,45 @@ static void
 descriptor_set_invalidate(struct zink_descriptor_set *zds)
 {
    zds->invalid = true;
+   unsigned idx = 0;
    for (unsigned i = 0; i < zds->pool->key->layout->num_bindings; i++) {
-      switch (zds->pool->type) {
-      case ZINK_DESCRIPTOR_TYPE_UBO:
-      case ZINK_DESCRIPTOR_TYPE_SSBO:
-         if (zds->res_objs[i])
-            pop_desc_set_ref(zds, &zds->res_objs[i]->desc_set_refs.refs);
-         zds->res_objs[i] = NULL;
-         break;
-      case ZINK_DESCRIPTOR_TYPE_IMAGE:
-         if (zds->surfaces[i].is_buffer) {
-            if (zds->surfaces[i].bufferview)
-               pop_desc_set_ref(zds, &zds->surfaces[i].bufferview->desc_set_refs.refs);
-            zds->surfaces[i].bufferview = NULL;
-         } else {
-            if (zds->surfaces[i].surface)
-               pop_desc_set_ref(zds, &zds->surfaces[i].surface->desc_set_refs.refs);
-            zds->surfaces[i].surface = NULL;
-         }
-         break;
-      case ZINK_DESCRIPTOR_TYPE_SAMPLER_VIEW:
-         if (zds->surfaces[i].is_buffer) {
-            if (zds->surfaces[i].bufferview)
-               pop_desc_set_ref(zds, &zds->surfaces[i].bufferview->desc_set_refs.refs);
-            zds->surfaces[i].bufferview = NULL;
-         } else {
-            if (zds->surfaces[i].surface)
-               pop_desc_set_ref(zds, &zds->surfaces[i].surface->desc_set_refs.refs);
-            zds->surfaces[i].surface = NULL;
+      for (unsigned j = 0; j < zds->pool->key->layout->bindings[i].descriptorCount; j++) {
+         switch (zds->pool->type) {
+         case ZINK_DESCRIPTOR_TYPE_UBO:
+         case ZINK_DESCRIPTOR_TYPE_SSBO:
+            if (zds->res_objs[idx])
+               pop_desc_set_ref(zds, &zds->res_objs[idx]->desc_set_refs.refs);
+            zds->res_objs[idx] = NULL;
+            break;
+         case ZINK_DESCRIPTOR_TYPE_IMAGE:
+            if (zds->surfaces[idx].is_buffer) {
+               if (zds->surfaces[idx].bufferview)
+                  pop_desc_set_ref(zds, &zds->surfaces[idx].bufferview->desc_set_refs.refs);
+               zds->surfaces[idx].bufferview = NULL;
+            } else {
+               if (zds->surfaces[idx].surface)
+                  pop_desc_set_ref(zds, &zds->surfaces[idx].surface->desc_set_refs.refs);
+               zds->surfaces[idx].surface = NULL;
+            }
+            break;
+         case ZINK_DESCRIPTOR_TYPE_SAMPLER_VIEW:
+            if (zds->surfaces[idx].is_buffer) {
+               if (zds->surfaces[idx].bufferview)
+                  pop_desc_set_ref(zds, &zds->surfaces[idx].bufferview->desc_set_refs.refs);
+               zds->surfaces[idx].bufferview = NULL;
+            } else {
+               if (zds->surfaces[idx].surface)
+                  pop_desc_set_ref(zds, &zds->surfaces[idx].surface->desc_set_refs.refs);
+               zds->surfaces[idx].surface = NULL;
+            }
+            if (zds->sampler_states[idx])
+               pop_desc_set_ref(zds, &zds->sampler_states[idx]->desc_set_refs.refs);
+            zds->sampler_states[idx] = NULL;
+            break;
+         default:
+            break;
          }
-         if (zds->sampler_states[i])
-            pop_desc_set_ref(zds, &zds->sampler_states[i]->desc_set_refs.refs);
-         zds->sampler_states[i] = NULL;
-         break;
-      default:
-         break;
+         idx++;
       }
    }
 }