[Mesa-dev] [PATCH] r600g: Drop references to destroyed blend state

[Dieter Nützel]

Hello Michel,

this patch fixes this, too:
https://bugs.freedesktop.org/show_bug.cgi?id=84140
Tested-by: Dieter Nützel <Dieter at nuetzel-hh.de>

GREAT stuff!

Dieter

Am 21.10.2014 11:52, schrieb Michel Dänzer:
> From: Michel Dänzer <michel.daenzer at amd.com>
> 
> Fixes use-after-free when the currently bound blend state is destroyed.
> 
> Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=85267
> Signed-off-by: Michel Dänzer <michel.daenzer at amd.com>
> ---
>  src/gallium/drivers/r600/r600_state_common.c | 9 ++++++++-
>  1 file changed, 8 insertions(+), 1 deletion(-)
> 
> diff --git a/src/gallium/drivers/r600/r600_state_common.c
> b/src/gallium/drivers/r600/r600_state_common.c
> index 68365f9..879ec35 100644
> --- a/src/gallium/drivers/r600/r600_state_common.c
> +++ b/src/gallium/drivers/r600/r600_state_common.c
> @@ -158,8 +158,10 @@ static void r600_bind_blend_state(struct
> pipe_context *ctx, void *state)
>  	struct r600_context *rctx = (struct r600_context *)ctx;
>  	struct r600_blend_state *blend = (struct r600_blend_state *)state;
> 
> -	if (blend == NULL)
> +	if (blend == NULL) {
> +		r600_set_cso_state_with_cb(&rctx->blend_state, NULL, NULL);
>  		return;
> +	}
> 
>  	r600_bind_blend_state_internal(rctx, blend, 
> rctx->force_blend_disable);
>  }
> @@ -447,8 +449,13 @@ static void r600_delete_sampler_state(struct
> pipe_context *ctx, void *state)
> 
>  static void r600_delete_blend_state(struct pipe_context *ctx, void 
> *state)
>  {
> +	struct r600_context *rctx = (struct r600_context *)ctx;
>  	struct r600_blend_state *blend = (struct r600_blend_state*)state;
> 
> +	if (rctx->blend_state.cso == state) {
> +		ctx->bind_blend_state(ctx, NULL);
> +	}
> +
>  	r600_release_command_buffer(&blend->buffer);
>  	r600_release_command_buffer(&blend->buffer_no_blend);
>  	FREE(blend);