author Eduardo Lima Mitev <[email protected]> 2015-06-02 13:42:46 +0200
committer Eduardo Lima Mitev <[email protected]> 2015-06-02 20:21:49 +0200
commit 5b226a12420993a0f4aae2295b33aaa305242a3d
tree a5e27f298b6a4b02b9332ec0734c1c0ae62a892b
parent 762395736be3adcc810274e1e96acd4bdceb10c6
nir: prevent use-after-free condition in should_lower_phi()
lower_phis_to_scalar() pass recurses the instruction dependence graph to determine if all the sources of a given instruction are scalarizable. To prevent cycles, it temporarily marks the phi instruction before recursing in, then updates the entry with the resulting value. However, it does not consider that the entry value may have changed after a recursion pass, hence causing a use-after-free situation and a crash.

This patch fixes this by reloading the entry corresponding to the 'phi' after recursing and before updating its value.

The crash can be reproduced ~20% of times with the dEQP test:

dEQP-GLES3.functional.shaders.loops.while_constant_iterations.nested_sequence_fragment

Reviewed-by: Jason Ekstrand <[email protected]>
-rw-r--r-- src/glsl/nir/nir_lower_phis_to_scalar.c 5
1 files changed, 5 insertions, 0 deletions
diff --git a/src/glsl/nir/nir_lower_phis_to_scalar.c b/src/glsl/nir/nir_lower_phis_to_scalar.c
index 4bdb80072ab..a57d253975d 100644
--- a/src/glsl/nir/nir_lower_phis_to_scalar.c
+++ b/src/glsl/nir/nir_lower_phis_to_scalar.c
@@ -153,6 +153,11 @@ should_lower_phi(nir_phi_instr *phi, struct lower_phis_to_scalar_state *state)
break;
}
+ /* The hash table entry for 'phi' may have changed while recursing the
+ * dependence graph, so we need to reset it */
+ entry = _mesa_hash_table_search(state->phi_table, phi);
+ assert(entry);
+
entry->data = (void *)(intptr_t)scalarizable;
return scalarizable;
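Review bot: the re-lookup is guarded only by `assert(entry)`, so in a build with NDEBUG defined the check disappears and a failed `_mesa_hash_table_search()` would be dereferenced as NULL at `entry->data = ...` two lines later. If the invariant is that 'phi' is always present in `state->phi_table` at this point, state that in the comment; otherwise handle the NULL case explicitly instead of relying on the assert. The comment would also read better as "look it up again" rather than "reset it", and it should say that the `entry` pointer obtained before the recursion must not be used afterwards, since that stale access is what the added lookup replaces.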