From 3a3f9de4865839bcd4a7903fb042ab5d638b2630 Mon Sep 17 00:00:00 2001
From: Alyssa Rosenzweig
Date: Thu, 22 Feb 2024 17:46:56 -0400
Subject: [PATCH] agx: fix stack smash with spilling
ASAN saves the day! Was stuck on this for hours.
==37495==ERROR: AddressSanitizer: stack-buffer-overflow on address 0xfffff29ecdbc at pc 0xffff7c0751f4 bp 0xfffff29eca30 sp 0xfffff29eca48
READ of size 4 at 0xfffff29ecdbc thread T0
#0 0xffff7c0751f0 in __bitset_set_range ../src/util/bitset.h:249
#1 0xffff7c0751f0 in find_regs ../src/asahi/compiler/agx_register_allocate.c:642
#2 0xffff7c077d2c in pick_regs ../src/asahi/compiler/agx_register_allocate.c:1008
#3 0xffff7c077d2c in agx_ra_assign_local ../src/asahi/compiler/agx_register_allocate.c:1096
#4 0xffff7c077d2c in agx_ra ../src/asahi/compiler/agx_register_allocate.c:1353
#5 0xffff7c03b6c4 in agx_compile_function_nir ../src/asahi/compiler/agx_compile.c:2840
Signed-off-by: Alyssa Rosenzweig
Part-of:
---
 src/asahi/compiler/agx_register_allocate.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/asahi/compiler/agx_register_allocate.c b/src/asahi/compiler/agx_register_allocate.c
index 64224b43bfc..0631888e366 100644
--- a/src/asahi/compiler/agx_register_allocate.c
+++ b/src/asahi/compiler/agx_register_allocate.c
@@ -535,9 +535,11 @@ find_regs(struct ra_ctx *rctx, agx_instr *I, unsigned dest_idx, unsigned count,
 agx_foreach_ssa_src(I, s) {
 unsigned v = I->src[s].value;
- if (BITSET_TEST(rctx->visited, v)) {
+ if (BITSET_TEST(rctx->visited, v) && !I->src[s].memory) {
 unsigned base = rctx->ssa_to_reg[v];
 unsigned nr = rctx->ncomps[v];
+
+ assert(base + nr <= AGX_NUM_REGS);
 BITSET_SET_RANGE(killed, base, base + nr - 1);
 }
 }
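Review bot: The new `assert(base + nr <= AGX_NUM_REGS)` is compiled out under NDEBUG, so in release builds the only thing keeping `BITSET_SET_RANGE(killed, ...)` inside the `killed` bitset is the added `!I->src[s].memory` test, and that condition deserves a comment saying why memory sources are skipped, e.g. `/* Spilled (memory) sources occupy no register, so their ssa_to_reg entry is not a register range to kill */` — wording to be confirmed against how ssa_to_reg is filled for spilled values, which is outside this hunk. The assert also admits `nr == 0`, in which case `base + nr - 1` wraps to UINT_MAX before reaching BITSET_SET_RANGE; if ncomps is never zero for a visited value, `assert(nr > 0 && base + nr <= AGX_NUM_REGS);` records that invariant as well. find_regs begins and ends outside the hunk.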