[Mesa-dev] [PATCH] nir: prevent use-after-free condition in should_lower_phi()

Jason Ekstrand jason at jlekstrand.net
Tue Jun 2 09:33:32 PDT 2015


Good work on finding this!

Reviewed-by: Jason Ekstrand <jason.ekstrand at intel.com>

On Tue, Jun 2, 2015 at 4:42 AM, Eduardo Lima Mitev <elima at igalia.com> wrote:
> lower_phis_to_scalar() pass recurses the instruction dependence graph to
> determine if all the sources of a given instruction are scalarizable.
> To prevent cycles, it temporarily marks the phi instruction before recursing in,
> then updates the entry with the resulting value. However, it does not consider
> that the entry value may have changed after a recursion pass, hence causing
> a use-after-free situation and a crash.
>
> This patch fixes this by reloading the entry corresponding to the 'phi'
> after recursing and before updating its value.
>
> The crash can be reproduced ~20% of the time with the dEQP test:
>
> dEQP-GLES3.functional.shaders.loops.while_constant_iterations.nested_sequence_fragment
> ---
>  src/glsl/nir/nir_lower_phis_to_scalar.c | 5 +++++
>  1 file changed, 5 insertions(+)
>
> diff --git a/src/glsl/nir/nir_lower_phis_to_scalar.c b/src/glsl/nir/nir_lower_phis_to_scalar.c
> index 4bdb800..a57d253 100644
> --- a/src/glsl/nir/nir_lower_phis_to_scalar.c
> +++ b/src/glsl/nir/nir_lower_phis_to_scalar.c
> @@ -153,6 +153,11 @@ should_lower_phi(nir_phi_instr *phi, struct lower_phis_to_scalar_state *state)
>           break;
>     }
>
> +   /* The hash table entry for 'phi' may have changed while recursing the
> +    * dependence graph, so we need to reset it */
> +   entry = _mesa_hash_table_search(state->phi_table, phi);
> +   assert(entry);
> +
>     entry->data = (void *)(intptr_t)scalarizable;
>
>     return scalarizable;
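Review bot: the new comment says the entry "may have changed", but what actually goes stale here is the `entry` pointer, not its value: the recursive should_lower_phi() calls insert their own temporary markings into state->phi_table (as the commit message describes), and an insert can grow and rehash the table, freeing the storage the earlier `entry` pointed into; that is the use-after-free. Suggest wording the comment to say so explicitly, e.g. "Recursing may have inserted into phi_table and rehashed it, so the old entry pointer is stale; look it up again", so a future reader does not "optimize" the re-lookup away. The `assert(entry)` is justified since this phi was inserted before the recursion and nothing removes entries. Minor style point: Mesa comments usually close with `*/` on its own line rather than after the last sentence.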
> --
> 2.1.3
>
