Mesa (master): glsl: Fix assert fails when assignment expressions are in array sizes.

Sun Nov 13 06:11:23 UTC 2016

Module: Mesa
Branch: master
Commit: 9c676a64273f32c7fb3f2b6973399af1d7f24d46
URL:    http://cgit.freedesktop.org/mesa/mesa/commit/?id=9c676a64273f32c7fb3f2b6973399af1d7f24d46

Author: Kenneth Graunke <kenneth at whitecape.org>
Date:   Sat Nov 12 11:27:17 2016 -0800

glsl: Fix assert fails when assignment expressions are in array sizes.

Karol Herbst's fuzzing efforts discovered that we would hit the
following assert:

   assert(dummy_instructions.is_empty());

when processing an illegal array size expression of

   float[(1=1)?1:1] t;

In do_assignment, we realized we needed an rvalue for (1 = 1), and
generated a temporary variable and assignment from the RHS.  We've
already flagged an error (non-lvalue in assignment), and return a bogus
value as the rvalue.  But process_array_size sees the bogus value, which
happened to be a constant expression, and rightly assumes that
processing a constant expression shouldn't have generated any code.
instructions.

To handle this, make do_assignment not generate any temps or assignments
when it's already raised an error - just return an error value directly.

Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=98694
Signed-off-by: Kenneth Graunke <kenneth at whitecape.org>
Reviewed-by: Timothy Arceri <timothy.arceri at collabora.com>

---

 src/compiler/glsl/ast_to_hir.cpp | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

diff --git a/src/compiler/glsl/ast_to_hir.cpp b/src/compiler/glsl/ast_to_hir.cpp
index 24067b6..9b8678c 100644
--- a/src/compiler/glsl/ast_to_hir.cpp
+++ b/src/compiler/glsl/ast_to_hir.cpp
@@ -1001,17 +1001,20 @@ do_assignment(exec_list *instructions, struct _mesa_glsl_parse_state *state,
     * i = j += 1;
     */
    if (needs_rvalue) {
-      ir_variable *var = new(ctx) ir_variable(rhs->type, "assignment_tmp",
-                                              ir_var_temporary);
-      instructions->push_tail(var);
-      instructions->push_tail(assign(var, rhs));
-
+      ir_rvalue *rvalue;
       if (!error_emitted) {
-         ir_dereference_variable *deref_var = new(ctx) ir_dereference_variable(var);
+         ir_variable *var = new(ctx) ir_variable(rhs->type, "assignment_tmp",
+                                                 ir_var_temporary);
+         instructions->push_tail(var);
+         instructions->push_tail(assign(var, rhs));
+
+         ir_dereference_variable *deref_var =
+            new(ctx) ir_dereference_variable(var);
          instructions->push_tail(new(ctx) ir_assignment(lhs, deref_var));
+         rvalue = new(ctx) ir_dereference_variable(var);
+      } else {
+         rvalue = ir_rvalue::error_value(ctx);
       }
-      ir_rvalue *rvalue = new(ctx) ir_dereference_variable(var);
-
       *out_rvalue = rvalue;
    } else {
       if (!error_emitted)


