glsl: fix downcasting addresses to wrong object types

This fixes several downcasting of address to object types when the
original object types were either different or invalid.

This has been detected throught Undefined Behaviour Sanitizer (UBSan).
An example of such issue were:

`downcast of address 0x55559c0cbcc0 which does not point to an object of
type 'ir_variable' 0x55559c0cbcc0: note: object is of type 'ir_constant'

Reviewed-by: Alyssa Rosenzweig <alyssa@rosenzweig.io>
Signed-off-by: Juan A. Suarez Romero <jasuarez@igalia.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/29772>

src/compiler/glsl/ast_function.cpp

@@ -97,8 +97,11 @@ prototype_string(const glsl_type *return_type, const char *name,
    ralloc_asprintf_append(&str, "%s(", name);
 
    const char *comma = "";
-   foreach_in_list(const ir_variable, param, parameters) {
-      ralloc_asprintf_append(&str, "%s%s", comma, glsl_get_type_name(param->type));
+   foreach_in_list(const ir_instruction, param, parameters) {
+      ralloc_asprintf_append(&str, "%s%s", comma,
+                             glsl_get_type_name(param->ir_type ==
+                                                ir_type_variable ? ((ir_variable *)param)->type :
+                                                ((ir_rvalue *)param)->type));
       comma = ", ";
    }
 

src/compiler/glsl/glsl_to_nir.cpp

@@ -1153,7 +1153,7 @@ nir_visitor::visit(ir_call *ir)
          /* Set the intrinsic parameters. */
          if (!param->is_tail_sentinel()) {
             instr->src[1] =
-               nir_src_for_ssa(evaluate_rvalue((ir_dereference *)param));
+               nir_src_for_ssa(evaluate_rvalue((ir_rvalue *)param));
             param = param->get_next();
          }
 
@@ -1234,7 +1234,7 @@ nir_visitor::visit(ir_call *ir)
           * components.
           */
          nir_def *src_addr =
-            evaluate_rvalue((ir_dereference *)param);
+            evaluate_rvalue((ir_rvalue *)param);
          nir_def *srcs[4];
 
          for (int i = 0; i < 4; i++) {
@@ -1261,7 +1261,7 @@ nir_visitor::visit(ir_call *ir)
          /* Set the intrinsic parameters. */
          if (!param->is_tail_sentinel()) {
             instr->src[3] =
-               nir_src_for_ssa(evaluate_rvalue((ir_dereference *)param));
+               nir_src_for_ssa(evaluate_rvalue((ir_rvalue *)param));
             param = param->get_next();
          } else if (op == nir_intrinsic_image_deref_load ||
                     op == nir_intrinsic_image_deref_sparse_load) {
@@ -1270,7 +1270,7 @@ nir_visitor::visit(ir_call *ir)
 
          if (!param->is_tail_sentinel()) {
             instr->src[4] =
-               nir_src_for_ssa(evaluate_rvalue((ir_dereference *)param));
+               nir_src_for_ssa(evaluate_rvalue((ir_rvalue *)param));
             param = param->get_next();
          } else if (op == nir_intrinsic_image_deref_store) {
             instr->src[4] = nir_src_for_ssa(nir_imm_int(&b, 0)); /* LOD */

src/compiler/glsl/lower_jumps.cpp

@@ -722,9 +722,10 @@ lower_continue:
              * any instructions that that are already wrapped in the
              * appropriate guard.
              */
-            ir_instruction* ir_after;
-            for(ir_after = (ir_instruction*)ir->get_next(); !ir_after->is_tail_sentinel();)
+            exec_node *node;
+            for(node = ir->get_next(); !node->is_tail_sentinel();)
             {
+               ir_instruction* ir_after = (ir_instruction*)node;
                ir_if* ir_if = ir_after->as_if();
                if(ir_if && ir_if->else_instructions.is_empty()) {
                   ir_dereference_variable* ir_if_cond_deref = ir_if->condition->as_dereference_variable();
@@ -736,7 +737,7 @@ lower_continue:
                      continue;
                   }
                }
-               ir_after = (ir_instruction*)ir_after->get_next();
+               node = ir_after->get_next();
 
                /* only set this if we find any unprotected instruction */
                this->progress = true;

src/compiler/glsl/opt_dead_code_local.cpp

@@ -303,7 +303,8 @@ dead_code_local_basic_block(ir_instruction *first,
 			     ir_instruction *last,
 			     void *data)
 {
-   ir_instruction *ir, *ir_next;
+   ir_instruction *ir;
+   exec_node *node, *node_next;
    /* List of avaialble_copy */
    exec_list assignments;
    bool *out_progress = (bool *)data;
@@ -313,8 +314,9 @@ dead_code_local_basic_block(ir_instruction *first,
    linear_ctx *lin_ctx = linear_context(ctx);
 
    /* Safe looping, since process_assignment */
-   for (ir = first, ir_next = (ir_instruction *)first->next;;
-	ir = ir_next, ir_next = (ir_instruction *)ir->next) {
+   for (node = first, node_next = first->next;;
+	node = node_next, node_next = node->next) {
+      ir = (ir_instruction *) node;
       ir_assignment *ir_assign = ir->as_assignment();
 
       if (debug) {

src/compiler/glsl/opt_tree_grafting.cpp

@@ -323,9 +323,10 @@ try_tree_grafting(ir_assignment *start,
       fprintf(stderr, "\n");
    }
 
-   for (ir_instruction *ir = (ir_instruction *)start->next;
-	ir != bb_last->next;
-	ir = (ir_instruction *)ir->next) {
+   for (exec_node *node = start->next;
+	node != bb_last->next;
+	node = node->next) {
+      ir_instruction *ir = (ir_instruction *) node;
 
       if (debug) {
 	 fprintf(stderr, "- ");
@@ -347,11 +348,13 @@ tree_grafting_basic_block(ir_instruction *bb_first,
 			  void *data)
 {
    struct tree_grafting_info *info = (struct tree_grafting_info *)data;
-   ir_instruction *ir, *next;
+   ir_instruction *ir;
+   exec_node *node, *node_next;
 
-   for (ir = bb_first, next = (ir_instruction *)ir->next;
-	ir != bb_last->next;
-	ir = next, next = (ir_instruction *)ir->next) {
+   for (node = bb_first, node_next = bb_first->next;
+	node != bb_last->next;
+	node = node_next, node_next = node->next) {
+      ir = (ir_instruction *) node;
       ir_assignment *assign = ir->as_assignment();
 
       if (!assign)