summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRoland Scheidegger <sroland@vmware.com>2018-07-04 04:44:17 +0200
committerDave Airlie <airlied@redhat.com>2018-07-09 07:17:29 +0100
commit817efd89685efc6b5866e09cbdad01c4ff21c737 (patch)
treee978e5a752ce2b8be158b20d598f766097f9728e
parent7c92c7d15162111d2e2deab672a5428db1a2dce3 (diff)
r600/sb: fix crash in fold_alu_op3
fold_assoc() called from fold_alu_op3() can lower the number of src to 2, which then leads to an invalid access to n.src[2]->gvalue(). This didn't seem to have caused much harm in the past, but on Fedora 28 it will crash (presumably because -D_GLIBCXX_ASSERTIONS is used, although with libstdc++ 4.8.5 this didn't do anything, -D_GLIBCXX_DEBUG was needed to show the issue). An alternative fix would be to instead call fold_alu_op2() from within fold_assoc() when the number of src is reduced and return always TRUE from fold_assoc() in this case, with the only actual difference being the return value from fold_alu_op3() then. I'm not sure what the return value actually should be in this case (or whether it even can make a difference). https://bugs.freedesktop.org/show_bug.cgi?id=106928 Cc: mesa-stable@lists.freedesktop.org Reviewed-by: Dave Airlie <airlied@redhat.com>
-rw-r--r--src/gallium/drivers/r600/sb/sb_expr.cpp2
1 files changed, 2 insertions, 0 deletions
diff --git a/src/gallium/drivers/r600/sb/sb_expr.cpp b/src/gallium/drivers/r600/sb/sb_expr.cpp
index 1df78da6608..ad798453bc1 100644
--- a/src/gallium/drivers/r600/sb/sb_expr.cpp
+++ b/src/gallium/drivers/r600/sb/sb_expr.cpp
@@ -945,6 +945,8 @@ bool expr_handler::fold_alu_op3(alu_node& n) {
if (!sh.safe_math && (n.bc.op_ptr->flags & AF_M_ASSOC)) {
if (fold_assoc(&n))
return true;
+ if (n.src.size() < 3)
+ return fold_alu_op2(n);
}
value* v0 = n.src[0]->gvalue();