[Mesa-dev] [PATCH] i965: Fix invalid pointer read in dead_control_flow_eliminate().
Francisco Jerez
currojerez at riseup.net
Wed Mar 30 20:24:09 UTC 2016
Kenneth Graunke <kenneth at whitecape.org> writes:
> There may not be a previous block. In this case, there's no real work
> to do, so just continue on to the next one.
>
> Signed-off-by: Kenneth Graunke <kenneth at whitecape.org>
> ---
> src/mesa/drivers/dri/i965/brw_dead_control_flow.cpp | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/src/mesa/drivers/dri/i965/brw_dead_control_flow.cpp b/src/mesa/drivers/dri/i965/brw_dead_control_flow.cpp
> index 2c1abaf..116a6c7 100644
> --- a/src/mesa/drivers/dri/i965/brw_dead_control_flow.cpp
> +++ b/src/mesa/drivers/dri/i965/brw_dead_control_flow.cpp
> @@ -42,6 +42,10 @@ dead_control_flow_eliminate(backend_shader *s)
>
> foreach_block_safe (block, s->cfg) {
> bblock_t *prev_block = block->prev();
> +
> + if (prev_block->link.is_head_sentinel())
> + continue;
> +
Heh, the fact this code declares a "prev_block" pointer of type bblock_t
and then asks the object whether it actually is a bblock_t really makes
me itch -- If it's not a bblock_t you're likely relying on UB (At least
the strict aliasing rule seems to be violated).
I sent a patch to address the same issue a couple of weeks ago which
doesn't have this problem. It's still pending review:
https://patchwork.freedesktop.org/patch/77199/
> backend_instruction *const inst = block->start();
> backend_instruction *const prev_inst = prev_block->end();
>
> --
> 2.7.4
>
> _______________________________________________
> mesa-dev mailing list
> mesa-dev at lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/mesa-dev
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 212 bytes
Desc: not available
URL: <https://lists.freedesktop.org/archives/mesa-dev/attachments/20160330/2156f600/attachment-0001.sig>
More information about the mesa-dev
mailing list