[Bug 98694] "(5=2)?1:1" as array size decleration crashes glsl_compiler
bugzilla-daemon at freedesktop.org
bugzilla-daemon at freedesktop.org
Sun Nov 13 06:12:11 UTC 2016
https://bugs.freedesktop.org/show_bug.cgi?id=98694
Kenneth Graunke <kenneth at whitecape.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|ASSIGNED |RESOLVED
Resolution|--- |FIXED
--- Comment #3 from Kenneth Graunke <kenneth at whitecape.org> ---
Fixed by:
commit 9c676a64273f32c7fb3f2b6973399af1d7f24d46
Author: Kenneth Graunke <kenneth at whitecape.org>
Date: Sat Nov 12 11:27:17 2016 -0800
glsl: Fix assert fails when assignment expressions are in array sizes.
Karol Herbst's fuzzing efforts discovered that we would hit the
following assert:
assert(dummy_instructions.is_empty());
when processing an illegal array size expression of
float[(1=1)?1:1] t;
In do_assignment, we realized we needed an rvalue for (1 = 1), and
generated a temporary variable and assignment from the RHS. We've
already flagged an error (non-lvalue in assignment), and return a bogus
value as the rvalue. But process_array_size sees the bogus value, which
happened to be a constant expression, and rightly assumes that
processing a constant expression shouldn't have generated any code.
instructions.
To handle this, make do_assignment not generate any temps or assignments
when it's already raised an error - just return an error value directly.
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=98694
Signed-off-by: Kenneth Graunke <kenneth at whitecape.org>
Reviewed-by: Timothy Arceri <timothy.arceri at collabora.com>
--
You are receiving this mail because:
You are the QA Contact for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/intel-3d-bugs/attachments/20161113/1bd53d5f/attachment.html>
More information about the intel-3d-bugs
mailing list