From e3607e96bb6691941f55edbfe2ed82e224c890c2 Mon Sep 17 00:00:00 2001
From: Emma Anholt <emma@anholt.net>
Date: Wed, 20 Apr 2022 14:31:50 -0700
Subject: [PATCH] nir: Eliminate out-of-bounds read/writes in local lowering.

Avoids nir validation assertion failures, and it's not like backend
drivers would want to see definitely-out-of-bounds read/writes either.

Reviewed-by: Matt Turner <mattst88@gmail.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/16066>
---
 src/compiler/nir/nir_lower_locals_to_regs.c    | 18 ++++++++++++++++++
 .../drivers/r600/ci/r600-rv770-fails.txt       |  4 ----
 .../drivers/r600/ci/r600-turks-fails.txt       |  4 ----
 .../drivers/softpipe/ci/softpipe-fails.txt     |  3 ---
 .../drivers/virgl/ci/virpipe-gl-fails.txt      |  5 -----
 .../drivers/virgl/ci/virpipe-gl-flakes.txt     |  2 --
 6 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/src/compiler/nir/nir_lower_locals_to_regs.c b/src/compiler/nir/nir_lower_locals_to_regs.c
index a0f5ecb61cd..40e10cadb0a 100644
--- a/src/compiler/nir/nir_lower_locals_to_regs.c
+++ b/src/compiler/nir/nir_lower_locals_to_regs.c
@@ -200,7 +200,17 @@ lower_locals_to_regs_block(nir_block *block,
 
          nir_alu_instr *mov = nir_alu_instr_create(b->shader, nir_op_mov);
          mov->src[0].src = get_deref_reg_src(deref, state);
+
+         if (mov->src[0].src.reg.reg->num_array_elems != 0 &&
+             mov->src[0].src.reg.base_offset >= mov->src[0].src.reg.reg->num_array_elems) {
+            /* out-of-bounds read, return 0 instead. */
+            mov->src[0].src = nir_src_for_ssa(nir_imm_intN_t(b, 0, mov->src[0].src.reg.reg->bit_size));
+            for (int i = 0; i < intrin->num_components; i++)
+               mov->src[0].swizzle[i] = 0;
+         }
+
          mov->dest.write_mask = (1 << intrin->num_components) - 1;
+
          if (intrin->dest.is_ssa) {
             nir_ssa_dest_init(&mov->instr, &mov->dest.dest,
                               intrin->num_components,
@@ -226,6 +236,14 @@ lower_locals_to_regs_block(nir_block *block,
 
          nir_src reg_src = get_deref_reg_src(deref, state);
 
+         if (reg_src.reg.reg->num_array_elems != 0 &&
+             reg_src.reg.base_offset >= reg_src.reg.reg->num_array_elems) {
+            /* Out of bounds write, just eliminate it. */
+            nir_instr_remove(&intrin->instr);
+            state->progress = true;
+            break;
+         }
+
          nir_alu_instr *mov = nir_alu_instr_create(b->shader, nir_op_mov);
 
          nir_src_copy(&mov->src[0].src, &intrin->src[1]);
diff --git a/src/gallium/drivers/r600/ci/r600-rv770-fails.txt b/src/gallium/drivers/r600/ci/r600-rv770-fails.txt
index 851d9cc2c7e..6e0fd3b7f6a 100644
--- a/src/gallium/drivers/r600/ci/r600-rv770-fails.txt
+++ b/src/gallium/drivers/r600/ci/r600-rv770-fails.txt
@@ -991,10 +991,6 @@ spec@glsl-1.20@execution@vs-nan-builtin-max,Fail
 spec@glsl-1.20@execution@vs-nan-builtin-min,Fail
 spec@glsl-1.30@execution@clipping@vs-clip-distance-primitives,Fail
 
-# "error: (dest->reg->num_array_elems == 0 || dest->base_offset < dest->reg->num_array_elems) && "definitely out-of-bounds array access" (../src/compiler/nir/nir_validate.c:277)"
-spec@glsl-1.30@execution@fs-large-local-array-out-of-bounds-read,Crash
-spec@glsl-1.30@execution@fs-large-local-array-out-of-bounds-write,Crash
-
 spec@glsl-1.30@execution@range_analysis_fsat_of_nan,Fail
 spec@glsl-1.30@execution@tex-miplevel-selection texture(bias) 1darrayshadow,Fail
 spec@glsl-1.30@execution@tex-miplevel-selection texture(bias) cubeshadow,Fail
diff --git a/src/gallium/drivers/r600/ci/r600-turks-fails.txt b/src/gallium/drivers/r600/ci/r600-turks-fails.txt
index 7ab129e482a..1944cd15ace 100644
--- a/src/gallium/drivers/r600/ci/r600-turks-fails.txt
+++ b/src/gallium/drivers/r600/ci/r600-turks-fails.txt
@@ -1453,10 +1453,6 @@ spec@glsl-1.20@execution@clipping@vs-clip-vertex-primitives,Fail
 
 spec@glsl-1.30@execution@clipping@vs-clip-distance-primitives,Fail
 
-# "error: (src->reg.reg->num_array_elems == 0 || src->reg.base_offset < src->reg.reg->num_array_elems) && "definitely out-of-bounds array access" (../src/compiler/nir/nir_validate.c:174)"
-spec@glsl-1.30@execution@fs-large-local-array-out-of-bounds-read,Crash
-spec@glsl-1.30@execution@fs-large-local-array-out-of-bounds-write,Crash
-
 spec@glsl-1.30@execution@range_analysis_fsat_of_nan,Fail
 
 spec@glsl-1.30@execution@tex-miplevel-selection texture(bias) 1darrayshadow,Fail
diff --git a/src/gallium/drivers/softpipe/ci/softpipe-fails.txt b/src/gallium/drivers/softpipe/ci/softpipe-fails.txt
index eacbfff5065..d5dd0495a22 100644
--- a/src/gallium/drivers/softpipe/ci/softpipe-fails.txt
+++ b/src/gallium/drivers/softpipe/ci/softpipe-fails.txt
@@ -1252,9 +1252,6 @@ spec@ext_transform_feedback2@counting with pause,Fail
 spec@ext_transform_feedback@pipeline-basic-primgen,Fail
 spec@ext_transform_feedback@primgen-query transform-feedback-disabled,Fail
 
-spec@glsl-1.30@execution@fs-large-local-array-out-of-bounds-read,Crash
-spec@glsl-1.30@execution@fs-large-local-array-out-of-bounds-write,Crash
-
 spec@glsl-1.30@execution@tex-miplevel-selection texturegrad 1d,Fail
 spec@glsl-1.30@execution@tex-miplevel-selection texturegrad 1darray,Fail
 spec@glsl-1.30@execution@tex-miplevel-selection texturegrad 1darrayshadow,Fail
diff --git a/src/gallium/drivers/virgl/ci/virpipe-gl-fails.txt b/src/gallium/drivers/virgl/ci/virpipe-gl-fails.txt
index 482c4b79f74..40ee5c0c868 100644
--- a/src/gallium/drivers/virgl/ci/virpipe-gl-fails.txt
+++ b/src/gallium/drivers/virgl/ci/virpipe-gl-fails.txt
@@ -867,11 +867,6 @@ spec@glsl-1.10@execution@samplers@glsl-fs-shadow2d-08,Fail
 spec@glsl-1.10@execution@samplers@glsl-fs-shadow2d-clamp-z,Fail
 spec@glsl-1.20@compiler@invalid-vec4-array-to-vec3-array-conversion.vert,Fail
 
-# "ERROR - Piglit error: NIR validation failed after nir_lower_locals_to_regs"
-# "ERROR - Piglit error: error: (src->reg.reg->num_array_elems == 0 || src->reg.base_offset < src->reg.reg->num_array_elems) && "definitely out-of-bounds array access" (../src/compiler/nir/nir_validate.c:174)"
-spec@glsl-1.30@execution@fs-large-local-array-out-of-bounds-read,Crash
-spec@glsl-1.30@execution@fs-large-local-array-out-of-bounds-write,Crash
-
 spec@glsl-1.30@execution@vs-isnan-and-more-comparison,Fail
 
 spec@glsl-1.50@execution@primitive-id-no-gs-quad-strip,Fail
diff --git a/src/gallium/drivers/virgl/ci/virpipe-gl-flakes.txt b/src/gallium/drivers/virgl/ci/virpipe-gl-flakes.txt
index dc6c1eee520..f18d0ec14f5 100644
--- a/src/gallium/drivers/virgl/ci/virpipe-gl-flakes.txt
+++ b/src/gallium/drivers/virgl/ci/virpipe-gl-flakes.txt
@@ -54,7 +54,5 @@ spec@oes_viewport_array@viewport-gs-writes-in-range
 
 spec@arb_timer_query@timestamp-get
 
-spec@glsl-1.30@execution@fs-large-local-array-out-of-bounds-write
-
 spec@nv_primitive_restart@primitive-restart-draw-mode-polygon
 spec@nv_primitive_restart@primitive-restart-draw-mode-quad_strip