nir/serialize: Alloc constants off the variable

nir_sweep assumes that constants area always allocated off the variable to which they belong. Violating this assumption causes them to get freed early and leads to use-after-free bugs. Fixes: 120da00975541 "nir: add serialization and deserialization" Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=107366 Reviewed-by: Lionel Landwerlin <[email protected]> Tested-by: Mark Janes <[email protected]>
author: Jason Ekstrand <[email protected]> 2018-07-24 11:01:20 -0700
committer: Jason Ekstrand <[email protected]> 2018-07-24 12:34:07 -0700
commit: f214baf72ff89ba03342067f89c38b4bc84e298b (patch)
tree: f7dce49d0e443d4cda23d6c47b261944b6cf2c12 /src/compiler
parent: 7f95564a22d11ee3f54915ee02f9fa1f78c6adcf (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/src/compiler/nir/nir_serialize.c b/src/compiler/nir/nir_serialize.c
index 6a30738c2d7..43016310048 100644
--- a/src/compiler/nir/nir_serialize.c
+++ b/src/compiler/nir/nir_serialize.c
@@ -124,7 +124,7 @@ read_constant(read_ctx *ctx, nir_variable *nvar)
 
    blob_copy_bytes(ctx->blob, (uint8_t *)c->values, sizeof(c->values));
    c->num_elements = blob_read_uint32(ctx->blob);
-   c->elements = ralloc_array(ctx->nir, nir_constant *, c->num_elements);
+   c->elements = ralloc_array(nvar, nir_constant *, c->num_elements);
    for (unsigned i = 0; i < c->num_elements; i++)
       c->elements[i] = read_constant(ctx, nvar);
author	Jason Ekstrand <[email protected]>	2018-07-24 11:01:20 -0700
committer	Jason Ekstrand <[email protected]>	2018-07-24 12:34:07 -0700
commit	f214baf72ff89ba03342067f89c38b4bc84e298b (patch)
tree	f7dce49d0e443d4cda23d6c47b261944b6cf2c12 /src/compiler
parent	7f95564a22d11ee3f54915ee02f9fa1f78c6adcf (diff)