Re: [PATCH v2 4/6] wined3d: Set an array of rendertarget views as a single CS operation.

On Fri, 9 Jul 2021 at 00:19, Zebediah Figura zfigura@codeweavers.com wrote:

• if (prev)
• {

•    wined3d_rtv_bind_count_dec(prev);
  

•    wined3d_rendertarget_view_decref(prev);
  

•    struct wined3d_rendertarget_view *prev = state->fb.render_targets[start_idx + i];
  

•    struct wined3d_rendertarget_view *view = views[i];
  

•    if (view && !(view->resource->bind_flags & WINED3D_BIND_RENDER_TARGET))
  

•    {
  

•        WARN("View resource %p doesn't have render target bind flags.\n", views[i]->resource);
  

•        hr = WINED3DERR_INVALIDCALL;
  

•        continue;
  

•    }
  

That mostly works, but you'd also need to skip the view in wined3d_cs_exec_set_rendertarget_views(). Specifically, if you don't, the command stream may store a pointer to the view, without us having a reference to it, and a subsequent wined3d_cs_exec_set_rendertarget_views() call may dereference an already freed "prev" pointer.