[Mesa-dev] [PATCH 16/16] gallium/radeon: protect against out of bounds temporary array accesses

Nicolai Hähnle nhaehnle at gmail.com
Wed Aug 10 19:23:41 UTC 2016


From: Nicolai Hähnle <nicolai.haehnle at amd.com>

They can lead to VM faults and worse, which goes against the GL robustness
promises.
---
 src/gallium/drivers/radeon/radeon_setup_tgsi_llvm.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/src/gallium/drivers/radeon/radeon_setup_tgsi_llvm.c b/src/gallium/drivers/radeon/radeon_setup_tgsi_llvm.c
index 7cdf228..88c7b3c 100644
--- a/src/gallium/drivers/radeon/radeon_setup_tgsi_llvm.c
+++ b/src/gallium/drivers/radeon/radeon_setup_tgsi_llvm.c
@@ -232,20 +232,35 @@ get_pointer_into_array(struct radeon_llvm_context *ctx,
 	if (!alloca)
 		return NULL;
 
 	array = &ctx->temp_arrays[array_id - 1];
 
 	if (!(array->writemask & (1 << swizzle)))
 		return ctx->undef_alloca;
 
 	index = emit_array_index(&ctx->soa, reg_indirect,
 				 reg_index - ctx->temp_arrays[array_id - 1].range.First);
+
+	/* Ensure that the index is within a valid range, to guard against
+	 * VM faults and overwriting critical data (e.g. spilled resource
+	 * descriptors).
+	 *
+	 * TODO It should be possible to avoid the additional instructions
+	 * if LLVM is changed so that it guarantuees:
+	 * 1. the scratch space descriptor isolates the current wave (this
+	 *    could even save the scratch offset SGPR at the cost of an
+	 *    additional SALU instruction)
+	 * 2. the memory for allocas must be allocated at the _end_ of the
+	 *    scratch space (after spilled registers)
+	 */
+	index = radeon_llvm_bound_index(ctx, index, array->range.Last - array->range.First + 1);
+
 	index = LLVMBuildMul(
 		builder, index,
 		lp_build_const_int32(gallivm, util_bitcount(array->writemask)),
 		"");
 	index = LLVMBuildAdd(
 		builder, index,
 		lp_build_const_int32(
 			gallivm,
 			util_bitcount(array->writemask & ((1 << swizzle) - 1))),
 		"");
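Review bot: the clamp is applied after `emit_array_index` and before the writemask-based multiply/add, so the computed element offset can no longer escape the array's allocation; that is the right place for it, but since `radeon_llvm_bound_index` is not defined in this hunk, the comment should state what an out-of-range index resolves to (clamped to a valid element vs. routed to `undef_alloca`), because GL robustness only requires that such accesses not fault or corrupt other data, and a reader of this function cannot tell which behaviour was chosen. Two smaller points: `array` is already taken at the top of the hunk (`array = &ctx->temp_arrays[array_id - 1];`), so the unchanged `reg_index - ctx->temp_arrays[array_id - 1].range.First` in the `emit_array_index` call could become `reg_index - array->range.First` to match the new `array->range.Last - array->range.First + 1`; and "guarantuees" in the TODO comment should read "guarantees".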
-- 
2.7.4
