[Mesa-dev] [PATCH] r600/sb: fix crash in fold_alu_op3

[sroland at vmware.com]

From: Roland Scheidegger <sroland at vmware.com>

fold_assoc() called from fold_alu_op3() can lower the number of src to 2,
which then leads to an invalid access to n.src[2]->gvalue().
This didn't seem to have caused much harm in the past, but on Fedora 28
it will crash (presumably because -D_GLIBCXX_ASSERTIONS is used, although
with libstdc++ 4.8.5 this didn't do anything, -D_GLIBCXX_DEBUG was
needed to show the issue).

An alternative fix would be to instead call fold_alu_op2() from within
fold_assoc() when the number of src is reduced and return always TRUE
from fold_assoc() in this case, with the only actual difference being
the return value from fold_alu_op3() then. I'm not sure what the return
value actually should be in this case (or whether it even can make a
difference).

https://bugs.freedesktop.org/show_bug.cgi?id=106928
Cc: mesa-stable at lists.freedesktop.org
---
 src/gallium/drivers/r600/sb/sb_expr.cpp | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/gallium/drivers/r600/sb/sb_expr.cpp b/src/gallium/drivers/r600/sb/sb_expr.cpp
index 1df78da660..ad798453bc 100644
--- a/src/gallium/drivers/r600/sb/sb_expr.cpp
+++ b/src/gallium/drivers/r600/sb/sb_expr.cpp
@@ -945,6 +945,8 @@ bool expr_handler::fold_alu_op3(alu_node& n) {
 	if (!sh.safe_math && (n.bc.op_ptr->flags & AF_M_ASSOC)) {
 		if (fold_assoc(&n))
 			return true;
+		if (n.src.size() < 3)
+			return fold_alu_op2(n);
 	}
 
 	value* v0 = n.src[0]->gvalue();
-- 
2.12.3