Crash during Vulkan replay in push descriptor replay #1182
Description
RenderDoc nightly (11/19) crashes during replay of the capture below, taken from https://github.com/zeux/niagara master on RTX 2080 with drawCount = 1000:
The crash can be reproduced as follows:
- Open the capture
- Click on the "Colour pass 2" without expanding any commands
The crash happens with the following callstack:
> renderdoc.dll!VulkanRenderState::BindDescriptorSet(const DescSetLayout & descLayout, VkCommandBuffer_T * cmd, VkPipelineLayout_T * layout, VkPipelineBindPoint bindPoint, unsigned int setIndex, unsigned int * dynamicOffsets) Line 447 C++
renderdoc.dll!VulkanRenderState::BindPipeline(VkCommandBuffer_T * cmd, VulkanRenderState::PipelineBinding binding, bool subpass0) Line 367 C++
renderdoc.dll!WrappedVulkan::ReplayLog(unsigned int startEventID, unsigned int endEventID, ReplayLogType replayType) Line 2931 C++
renderdoc.dll!VulkanReplay::ReplayLog(unsigned int endEventID, ReplayLogType replayType) Line 99 C++
renderdoc.dll!ReplayController::SetFrameEvent(unsigned int eventId, bool force) Line 223 C++
qrenderdoc.exe!CaptureContext::SetEventID::__l2::<lambda>(IReplayController * r) Line 1370 C++
descLayout.bindings.size() has 6 elements, but setInfo.currentBindings only has 3; therefore the following line:
DescriptorSetSlot *slots = setInfo.currentBindings[b];
Performs an out-of-bounds read, slots ends up as nullptr and the following access to slots crashes:
dst[a] = slots[a].bufferInfo;
It looks like setInfo.currentBindings corresponds to the push descriptor setup for the indirect draw call (3 input buffers), and descLayout.bindings corresponds to the push descriptor setup for the preceding compute dispatch (5 input buffers and 1 input sampler).