[Bug 98694] "(5=2)?1:1" as array size declaration crashes glsl_compiler

bugzilla-daemon at freedesktop.org
Sun Nov 13 06:12:11 UTC 2016


https://bugs.freedesktop.org/show_bug.cgi?id=98694

Kenneth Graunke <kenneth at whitecape.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #3 from Kenneth Graunke <kenneth at whitecape.org> ---
Fixed by:

commit 9c676a64273f32c7fb3f2b6973399af1d7f24d46
Author: Kenneth Graunke <kenneth at whitecape.org>
Date:   Sat Nov 12 11:27:17 2016 -0800

    glsl: Fix assert fails when assignment expressions are in array sizes.

    Karol Herbst's fuzzing efforts discovered that we would hit the
    following assert:

       assert(dummy_instructions.is_empty());

    when processing an illegal array size expression of

       float[(1=1)?1:1] t;

    In do_assignment, we realized we needed an rvalue for (1 = 1), and
    generated a temporary variable and assignment from the RHS.  We've
    already flagged an error (non-lvalue in assignment), and return a bogus
    value as the rvalue.  But process_array_size sees the bogus value, which
    happened to be a constant expression, and rightly assumes that
    processing a constant expression shouldn't have generated any code.

    To handle this, make do_assignment not generate any temps or assignments
    when it's already raised an error - just return an error value directly.

    Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=98694
    Signed-off-by: Kenneth Graunke <kenneth at whitecape.org>
    Reviewed-by: Timothy Arceri <timothy.arceri at collabora.com>
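
A toy C++ model of the invariant the commit message describes, added here as an illustration and not taken from Mesa; `ParseState`, `assign_before`, `assign_after` and `process_array_size` as written below are hypothetical stand-ins. It shows how a constant-looking result returned after emitting a temporary trips the "constant expressions emit no code" check, and how returning an error value early keeps it intact.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>
#include <vector>

struct Value { bool is_error; bool is_constant; int constant; };
struct ParseState {
    bool error = false;                     // set once a diagnostic has been raised
    std::vector<std::string> instructions;  // code emitted while processing the expression
};
using AssignFn = Value (*)(ParseState &, bool lhs_is_lvalue, Value rhs);

// Before the fix: the error is flagged, but a temporary and an assignment
// are still emitted and the (constant) RHS is handed back as the rvalue.
Value assign_before(ParseState &st, bool lhs_is_lvalue, Value rhs) {
    if (!lhs_is_lvalue) st.error = true;    // "non-lvalue in assignment"
    st.instructions.push_back("declare assignment_tmp");
    st.instructions.push_back("assignment_tmp = rhs");
    return rhs;
}

// After the fix: once an error is raised, emit nothing and return an error value.
Value assign_after(ParseState &st, bool lhs_is_lvalue, Value rhs) {
    if (!lhs_is_lvalue) { st.error = true; return Value{true, false, 0}; }
    st.instructions.push_back("declare assignment_tmp");
    st.instructions.push_back("assignment_tmp = rhs");
    return rhs;
}

struct SizeResult { bool error_flagged; std::size_t emitted; bool invariant_ok; };

// Models the array size of `float[(1=1)?1:1] t;`. Instead of asserting, it
// reports whether "a constant size expression generated no code" still holds.
SizeResult process_array_size(AssignFn assign) {
    ParseState st;
    Value one{false, true, 1};
    Value cond = assign(st, /*lhs_is_lvalue=*/false, one);    // (1 = 1)
    Value size = cond.is_error ? cond : Value{false, true, 1}; // cond ? 1 : 1
    bool ok = !size.is_constant || st.instructions.empty();
    return SizeResult{st.error, st.instructions.size(), ok};
}

int main() {
    SizeResult b = process_array_size(assign_before);
    SizeResult a = process_array_size(assign_after);
    std::printf("before: emitted=%zu invariant_ok=%d\n", b.emitted, (int)b.invariant_ok);
    std::printf("after:  emitted=%zu invariant_ok=%d\n", a.emitted, (int)a.invariant_ok);
    return 0;
}
```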
