Good work on finding this! Reviewed-by: Jason Ekstrand <jason.ekstr...@intel.com>
On Tue, Jun 2, 2015 at 4:42 AM, Eduardo Lima Mitev <el...@igalia.com> wrote: > lower_phis_to_scalar() pass recurses the instruction dependence graph to > determine if all the sources of a given instruction are scalarizable. > To prevent cycles, it temporary marks the phi instruction before recursing in, > then updates the entry with the resulting value. However, it does not consider > that the entry value may have changed after a recursion pass, hence causing > a use-after-free situation and a crash. > > This patch fixes this by reloading the entry corresponding to the 'phi' > after recursing and before updating its value. > > The crash can be reproduced ~20% of times with the dEQP test: > > dEQP-GLES3.functional.shaders.loops.while_constant_iterations.nested_sequence_fragment > --- > src/glsl/nir/nir_lower_phis_to_scalar.c | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/src/glsl/nir/nir_lower_phis_to_scalar.c > b/src/glsl/nir/nir_lower_phis_to_scalar.c > index 4bdb800..a57d253 100644 > --- a/src/glsl/nir/nir_lower_phis_to_scalar.c > +++ b/src/glsl/nir/nir_lower_phis_to_scalar.c > @@ -153,6 +153,11 @@ should_lower_phi(nir_phi_instr *phi, struct > lower_phis_to_scalar_state *state) > break; > } > > + /* The hash table entry for 'phi' may have changed while recursing the > + * dependence graph, so we need to reset it */ > + entry = _mesa_hash_table_search(state->phi_table, phi); > + assert(entry); > + > entry->data = (void *)(intptr_t)scalarizable; > > return scalarizable; > -- > 2.1.3 > > _______________________________________________ > mesa-dev mailing list > mesa-dev@lists.freedesktop.org > http://lists.freedesktop.org/mailman/listinfo/mesa-dev _______________________________________________ mesa-dev mailing list mesa-dev@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/mesa-dev
