fdo-mirrors/mesa
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/mesa/mesa.git synced 2026-01-05 04:40:11 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

ir3: Prevent oob writes to inputs/outputs array

Browse source 
Don't setup inputs and outputs if we aren't using
load_input/store_output intrinsics. While it's mostly harmless, there
may be more outputs than expected which would lead to an oob write of
the outputs array when setting the register id to INVALID_REG.

Also be more paranoid with asserts to catch this.

Fixes: a6291b1 ("freedreno/ir3: rework setup_{input,output} to make struct varyings work")
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/7274>
This commit is contained in:
Connor Abbott 2021-04-22 15:52:05 +02:00 committed by Marge Bot
parent b2b8b6c0e3
commit decfea2f4e
1 changed files with 42 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

50
src/freedreno/ir3/ir3_compiler_nir.c
View file

@ -3055,6 +3055,7 @@ setup_input(struct ir3_context *ctx, nir_intrinsic_instr *intr)
so->inputs[n].slot = slot;
so->inputs[n].compmask |= compmask;
so->inputs_count = MAX2(so->inputs_count, n + 1);
compile_assert(ctx, so->inputs_count < ARRAY_SIZE(so->inputs));
so->inputs[n].flat = !coord;
if (ctx->so->type == MESA_SHADER_FRAGMENT) {
@ -3347,6 +3348,31 @@ setup_output(struct ir3_context *ctx, nir_intrinsic_instr *intr)
}
}
static bool
uses_load_input(struct ir3_shader_variant *so)
{
return so->type == MESA_SHADER_VERTEX || so->type == MESA_SHADER_FRAGMENT;
}
static bool
uses_store_output(struct ir3_shader_variant *so)
{
switch (so->type) {
case MESA_SHADER_VERTEX:
return !so->key.has_gs && !so->key.tessellation;
case MESA_SHADER_TESS_EVAL:
return !so->key.has_gs;
case MESA_SHADER_GEOMETRY:
case MESA_SHADER_FRAGMENT:
return true;
case MESA_SHADER_TESS_CTRL:
case MESA_SHADER_COMPUTE:
return false;
default:
unreachable("unknown stage");
}
}
static void
emit_instructions(struct ir3_context *ctx)
{
@ -3377,14 +3403,22 @@ emit_instructions(struct ir3_context *ctx)
}
}
/* TODO: for GS/HS/DS, load_input isn't used. but ctx->s->num_inputs is non-zero
* likely the same for num_outputs in cases where store_output isn't used
*/
ctx->so->inputs_count = ctx->s->num_inputs;
ctx->ninputs = ctx->s->num_inputs * 4;
ctx->noutputs = ctx->s->num_outputs * 4;
ctx->inputs = rzalloc_array(ctx, struct ir3_instruction *, ctx->ninputs);
ctx->outputs = rzalloc_array(ctx, struct ir3_instruction *, ctx->noutputs);
if (uses_load_input(ctx->so)) {
ctx->so->inputs_count = ctx->s->num_inputs;
compile_assert(ctx, ctx->so->inputs_count < ARRAY_SIZE(ctx->so->inputs));
ctx->ninputs = ctx->s->num_inputs * 4;
ctx->inputs = rzalloc_array(ctx, struct ir3_instruction *, ctx->ninputs);
} else {
ctx->ninputs = 0;
ctx->so->inputs_count = 0;
}
if (uses_store_output(ctx->so)) {
ctx->noutputs = ctx->s->num_outputs * 4;
ctx->outputs = rzalloc_array(ctx, struct ir3_instruction *, ctx->noutputs);
} else {
ctx->noutputs = 0;
}
ctx->ir = ir3_create(ctx->compiler, ctx->so);