[Mesa-dev] [PATCH 0/5] compiler/glsl: fix crashes when running with ubsan
Nicolai Hähnle
nhaehnle at gmail.com
Sat May 7 22:05:03 UTC 2016
Hi,

this is a re-send of two patches that didn't get anybody's attention when I
sent them out last week, plus some additional fixes for rarer instances of
the same problem that I've encountered since then.

The problem that these patches fix is simple: the exec_list iterations often
cast sentinel nodes that are mere exec_nodes to ir_* types. This leads to
crashes when running ubsan, because ubsan attempts to verify the type of the
object.

Since the target type has a virtual method table, it does the verification by
calling into the dynamic_cast implementation, under the assumption that this
virtual method table is there. However, since the object is really only an
exec_node, which _doesn't_ have a virtual method table, ubsan crashes.

So I've converted loops into forms that only do the cast once we are assured
that we are not looking at a sentinel node. This looks a bit funny in the
macros, because an additional outer for-loop is used to define a variable of
a different type, but the compiler is able to remove that outer loop and the
__flag variable entirely.

Please review!

Thanks,
Nicolai
--
src/compiler/glsl/ast_function.cpp | 4 +-
.../glsl/link_uniform_initializers.cpp | 8 +-
src/compiler/glsl/list.h | 147 ++++++++++++-----
src/compiler/glsl/lower_jumps.cpp | 7 +-
src/compiler/glsl/opt_dead_code_local.cpp | 7 +-
src/compiler/glsl/opt_tree_grafting.cpp | 10 +-
6 files changed, 111 insertions(+), 72 deletions(-)
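
The check-before-cast loop shape described in the message above, as an added C++ example that is not part of the original post and is not Mesa's list.h. The types `node`, `node_list`, `instr` and the macro `foreach_checked` are simplified, hypothetical stand-ins, and `flag_` plays the role the message gives to `__flag`.

```cpp
// Simplified stand-ins for Mesa's exec_node / exec_list / ir_* types.
// All names here are illustrative assumptions, not copied from list.h.
struct node {                          // no virtual methods, so no vtable
   node *next = nullptr, *prev = nullptr;
   bool is_tail_sentinel() const { return next == nullptr; }
};

struct node_list {
   node head, tail;                    // sentinels are plain `node` objects
   node_list() { head.next = &tail; tail.prev = &head; }
   void push_tail(node *n) {
      n->prev = tail.prev; n->next = &tail;
      tail.prev->next = n; tail.prev = n;
   }
};

struct instr : node {                  // polymorphic, like the ir_* classes
   int value;
   explicit instr(int v) : value(v) {}
   virtual ~instr() = default;
   virtual int eval() const { return value; }
};

// Cast-first shape (comment only, never compiled): the final iteration turns
// &tail into an instr* before is_tail_sentinel() is consulted.
//   for (instr *i = (instr *)l->head.next; !i->is_tail_sentinel(); ...)

// Check-first shape: walk with a node* cursor and cast only after the
// sentinel test. The two outer loops run once; they exist to declare
// variables of other types, and flag_ also ends them when the body breaks.
#define foreach_checked(type, inst, list)                                   \
   for (bool flag_ = true; flag_; flag_ = false)                            \
      for (node *cur_ = (list)->head.next; flag_; flag_ = false)            \
         for (type *inst = nullptr; !cur_->is_tail_sentinel() &&            \
              ((inst = static_cast<type *>(cur_)), true); cur_ = cur_->next)

int sum_list(node_list *l) {
   int sum = 0;
   foreach_checked(instr, i, l)
      sum += i->eval();                // virtual call on real instr objects only
   return sum;
}

int first_above(node_list *l, int limit) {   // exercises `break` in the body
   int found = -1;
   foreach_checked(instr, i, l) {
      if (i->eval() > limit) { found = i->eval(); break; }
   }
   return found;
}
```

Building this with `-fsanitize=vptr` runs the sanitizer's type check on each downcast; none of them is applied to a sentinel.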