<html>
    <head>
      <base href="https://bugs.freedesktop.org/" />
    </head>
    <body><span class="vcard"><a class="email" href="mailto:petri.latvala@intel.com" title="Petri Latvala <petri.latvala@intel.com>"> <span class="fn">Petri Latvala</span></a>
</span> changed
              <a class="bz_bug_link 
          bz_status_NEW "
   title="NEW --- - Mesa crash on shaders that have large number of active uniforms."
   href="https://bugs.freedesktop.org/show_bug.cgi?id=71254">bug 71254</a>
        <br>
             <table border="1" cellspacing="0" cellpadding="8">
          <tr>
            <th>What</th>
            <th>Removed</th>
            <th>Added</th>
          </tr>

         <tr>
           <td style="text-align:right;">CC</td>
           <td>
                
           </td>
           <td>petri.latvala@intel.com
           </td>
         </tr></table>
      <p>
        <div>
            <b><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW --- - Mesa crash on shaders that have large number of active uniforms."
   href="https://bugs.freedesktop.org/show_bug.cgi?id=71254#c2">Comment # 2</a>
              on <a class="bz_bug_link 
          bz_status_NEW "
   title="NEW --- - Mesa crash on shaders that have large number of active uniforms."
   href="https://bugs.freedesktop.org/show_bug.cgi?id=71254">bug 71254</a>
              from <span class="vcard"><a class="email" href="mailto:petri.latvala@intel.com" title="Petri Latvala <petri.latvala@intel.com>"> <span class="fn">Petri Latvala</span></a>
</span></b>
        <pre>Reproduced with current git version.

brw_vec4.hpp has

class vec4_visitor {
...
int uniform_size[MAX_UNIFORMS];
int uniform_vector_size[MAX_UNIFORMS];
...
};

Accesses to those arrays are not checked for valid index.

For a test, I added checks when vec4_visitor::uniforms gets increased (that
seems to be used as the index for those arrays directly) and called fail(...)
to get the compilation to abort (after adding enough if (failed) checks
elsewhere). That reveals another issue when compiling that shader, which is
that visit(ir_expression*) calls visit(ir_expression*) recursively enough times
to overflow the stack. The default 8MB stack was overflowed; 16MB was enough.

In a nutshell: This is an i965-specific bug, and will crash the process in one
of two ways.</pre>
        </div>
      </p>
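      <p>Added example, not part of the bug comment and not Mesa code: a minimal C++ sketch of the two failure modes described above, with the slot counter checked before it indexes the fixed-size arrays and the recursive visit given a depth budget. The names CheckedVisitor, Expr, kMaxUniforms and kMaxExprDepth and their values are assumptions made for illustration.</p>

```cpp
#include <string>

// Added illustration, not Mesa code. kMaxUniforms stands in for MAX_UNIFORMS;
// the value 8 is constructed so the limit is easy to reach.
constexpr int kMaxUniforms = 8;
constexpr int kMaxExprDepth = 64;  // hypothetical nesting limit

// Hypothetical expression node: a chain of nested operands.
struct Expr {
    const Expr *operand = nullptr;
};

class CheckedVisitor {
public:
    int uniform_size[kMaxUniforms] = {};
    int uniform_vector_size[kMaxUniforms] = {};
    int uniforms = 0;   // next free slot, used directly as the array index
    bool failed = false;
    std::string fail_msg;

    // Record the first failure; later checks only test the flag.
    void fail(const char *msg) {
        if (!failed) { failed = true; fail_msg = msg; }
    }

    // Reserve one slot; refuse instead of writing past the arrays.
    bool add_uniform(int size, int vector_size) {
        if (failed) return false;
        if (uniforms < 0 || uniforms >= kMaxUniforms) {
            fail("too many uniforms");
            return false;
        }
        uniform_size[uniforms] = size;
        uniform_vector_size[uniforms] = vector_size;
        ++uniforms;
        return true;
    }

    // Recursive visit with an explicit depth budget, so a deeply nested
    // expression fails compilation instead of exhausting the stack.
    bool visit(const Expr *e, int depth = 0) {
        if (failed) return false;
        if (depth >= kMaxExprDepth) { fail("expression nesting too deep"); return false; }
        if (e->operand && !visit(e->operand, depth + 1)) return false;
        return true;
    }
};
```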
    </body>
</html>