Mesa (master): nir: prevent use-after-free condition in should_lower_phi()

Eduardo Lima Mitev elima at kemper.freedesktop.org
Tue Jun 2 18:23:32 UTC 2015


Module: Mesa
Branch: master
Commit: 5b226a12420993a0f4aae2295b33aaa305242a3d
URL:    http://cgit.freedesktop.org/mesa/mesa/commit/?id=5b226a12420993a0f4aae2295b33aaa305242a3d

Author: Eduardo Lima Mitev <elima at igalia.com>
Date:   Tue Jun  2 13:42:46 2015 +0200

nir: prevent use-after-free condition in should_lower_phi()

The lower_phis_to_scalar() pass recurses the instruction dependence graph to
determine if all the sources of a given instruction are scalarizable.
To prevent cycles, it temporarily marks the phi instruction before recursing in,
then updates the entry with the resulting value. However, it does not consider
that the entry value may have changed after a recursion pass, hence causing
a use-after-free situation and a crash.

This patch fixes this by reloading the entry corresponding to the 'phi'
after recursing and before updating its value.

The crash can be reproduced ~20% of the time with the dEQP test:

dEQP-GLES3.functional.shaders.loops.while_constant_iterations.nested_sequence_fragment

Reviewed-by: Jason Ekstrand <jason.ekstrand at intel.com>
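To make the failure mode the commit message describes concrete, the following is an added example, not Mesa's code: the hash table below is a hypothetical stand-in for _mesa_hash_table (it does not follow that API), and the dependence graph is constructed for the demonstration. It runs the memoized recursion in the post-fix shape, re-searching the table after the loop instead of reusing the pre-recursion pointer, and counts how many stack frames would otherwise have written through a pointer into an array the table had already freed.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy dependence graph (constructed for this example). A non-phi node
 * carries its answer directly; a phi node is scalarizable only if every
 * one of its sources is. Node ids double as hash keys, standing in for the
 * nir_phi_instr pointers the real pass uses. */
enum { MAX_NODES = 8 };
struct node { bool is_phi; bool leaf_scalar; int ndeps; int deps[4]; };

/* Minimal open-addressing hash table, a hypothetical stand-in for
 * _mesa_hash_table. Like a real growable table it resizes by allocating a
 * new array and freeing the old one, so every `struct entry *` obtained
 * before a growth points into freed memory afterwards. */
struct entry { int key; int value; bool used; };
struct table { struct entry *e; size_t cap, count, rehashes; };

static void table_init(struct table *t) {
   t->cap = 4; t->count = 0; t->rehashes = 0;
   t->e = calloc(t->cap, sizeof *t->e);
}

static size_t slot(const struct table *t, int key, size_t i) {
   return ((size_t)key * 2654435761u + i) & (t->cap - 1);   /* cap is a power of two */
}

static struct entry *table_search(struct table *t, int key) {
   for (size_t i = 0; i < t->cap; i++) {
      struct entry *e = &t->e[slot(t, key, i)];
      if (!e->used) return NULL;
      if (e->key == key) return e;
   }
   return NULL;
}

static struct entry *insert_raw(struct table *t, int key, int value) {
   for (size_t i = 0; i < t->cap; i++) {
      struct entry *e = &t->e[slot(t, key, i)];
      if (!e->used) { e->used = true; e->key = key; e->value = value; t->count++; return e; }
   }
   abort();   /* unreachable: load factor is kept at or below 1/2 */
}

static void table_grow(struct table *t) {
   struct table old = *t;
   t->cap *= 2; t->count = 0;
   t->e = calloc(t->cap, sizeof *t->e);
   for (size_t i = 0; i < old.cap; i++)
      if (old.e[i].used) insert_raw(t, old.e[i].key, old.e[i].value);
   free(old.e);   /* every entry pointer handed out before this call is now dangling */
   t->rehashes++;
}

static struct entry *table_insert(struct table *t, int key, int value) {
   if ((t->count + 1) * 2 > t->cap) table_grow(t);
   return insert_raw(t, key, value);
}

struct state { struct node nodes[MAX_NODES]; struct table tab; size_t stale_avoided; };

/* Memoized recursion in the shape of should_lower_phi(): the phi is inserted
 * as "in progress" (value 1) before recursing so a cycle back to it
 * terminates, and the lookup is repeated after the loop rather than reusing
 * the pre-recursion pointer, which is what the commit's fix does. */
static int should_lower(struct state *s, int id) {
   struct node *n = &s->nodes[id];
   if (!n->is_phi) return n->leaf_scalar;
   struct entry *entry = table_search(&s->tab, id);
   if (entry) return entry->value;   /* memoized result, or the in-progress marker */
   table_insert(&s->tab, id, 1);
   size_t rehashes_before = s->tab.rehashes;
   int scalarizable = 1;
   for (int i = 0; i < n->ndeps; i++)
      if (!should_lower(s, n->deps[i])) { scalarizable = 0; break; }
   /* Inserts made while recursing may have grown the table: count the frames
    * whose old `entry` would now be dangling, then look the phi up again. */
   if (s->tab.rehashes != rehashes_before) s->stale_avoided++;
   entry = table_search(&s->tab, id);
   assert(entry);
   entry->value = scalarizable;
   return scalarizable;
}

struct demo_result { int scalarizable; size_t rehashes; size_t stale_avoided; };

/* Constructed graph: phi0 -> phi1 -> phi2 -> {phi0 (cycle), leaf3 (not
 * scalarizable)}. With a 4-slot table the third phi insert triggers a
 * rehash while phi0 and phi1 are still mid-recursion. */
struct demo_result run_demo(void) {
   struct state s;
   memset(&s, 0, sizeof s);
   table_init(&s.tab);
   s.nodes[0] = (struct node){ .is_phi = true, .ndeps = 1, .deps = {1} };
   s.nodes[1] = (struct node){ .is_phi = true, .ndeps = 1, .deps = {2} };
   s.nodes[2] = (struct node){ .is_phi = true, .ndeps = 2, .deps = {0, 3} };
   s.nodes[3] = (struct node){ .is_phi = false, .leaf_scalar = false };
   int sc = should_lower(&s, 0);   /* evaluate before reading the counters */
   struct demo_result r = { sc, s.tab.rehashes, s.stale_avoided };
   free(s.tab.e);
   return r;
}

int main(void) {
   struct demo_result r = run_demo();
   printf("scalarizable=%d rehashes=%zu frames that needed a re-search=%zu\n",
          r.scalarizable, r.rehashes, r.stale_avoided);
   return 0;
}
```

Two frames (phi0 and phi1) are still holding a pointer obtained before the grow when control returns to them; without the second table_search they would write the result through freed memory, which is exactly the intermittent crash the dEQP test exposes. The in-progress marker also shows why the cycle through phi2 -> phi0 terminates instead of recursing forever.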

---

 src/glsl/nir/nir_lower_phis_to_scalar.c |    5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/glsl/nir/nir_lower_phis_to_scalar.c b/src/glsl/nir/nir_lower_phis_to_scalar.c
index 4bdb800..a57d253 100644
--- a/src/glsl/nir/nir_lower_phis_to_scalar.c
+++ b/src/glsl/nir/nir_lower_phis_to_scalar.c
@@ -153,6 +153,11 @@ should_lower_phi(nir_phi_instr *phi, struct lower_phis_to_scalar_state *state)
          break;
    }
 
+   /* The hash table entry for 'phi' may have changed while recursing the
+    * dependence graph, so we need to reset it */
+   entry = _mesa_hash_table_search(state->phi_table, phi);
+   assert(entry);
+
    entry->data = (void *)(intptr_t)scalarizable;
 
    return scalarizable;
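Review bot: the comment above the reload says the entry "may have changed", but what actually goes stale is the `entry` pointer itself: the `_mesa_hash_table_insert` calls made while recursing into the sources can grow and rehash the table, freeing the array the old `entry` pointed into, which is the use-after-free the commit message describes. Spell that out in the comment ("the table may have been rehashed while recursing, so the old pointer is dangling") so nobody later hoists the lookup back above the loop as a micro-optimisation. Also, `assert(entry)` compiles out in release builds, so `entry->data = (void *)(intptr_t)scalarizable;` would dereference NULL if the search ever failed; that is fine only because this function inserts the phi before recursing, which is worth stating next to the assert.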
