Author: Frank Henigman <fjhenigman@google.com>
Date:   Wed Jan 16 16:49:35 2013 -0500

    intel: handle bad uniform access in remove_dead_constants().
    
    fs_visitor::remove_dead_constants() hits an assert if the shader code
    contains an out-of-bounds array access.  Obvious instances of that are
    caught before this point, but evidently the check is not done after code
    transformations like loop unrolling.  See
    https://bugs.freedesktop.org/show_bug.cgi?id=59429
    
    Signed-off-by: Frank Henigman <fjhenigman@google.com>

diff --git a/src/mesa/drivers/dri/i965/brw_fs.cpp b/src/mesa/drivers/dri/i965/brw_fs.cpp
index 0d2dde7..9ce49c7 100644
--- a/src/mesa/drivers/dri/i965/brw_fs.cpp
+++ b/src/mesa/drivers/dri/i965/brw_fs.cpp
@@ -1463,7 +1463,10 @@ fs_visitor::remove_dead_constants()
 	    if (inst->src[i].file != UNIFORM)
 	       continue;
 
-	    assert(constant_nr < (int)c->prog_data.nr_params);
+	    if (constant_nr < 0 || constant_nr >= (int)c->prog_data.nr_params) {
+	       fail("accessed non-existent uniform");
+	       return false;
+	    }
 
 	    /* For now, set this to non-negative.  We'll give it the
 	     * actual new number in a moment, in order to keep the
diff --git a/src/mesa/drivers/dri/i965/brw_fs_visitor.cpp b/src/mesa/drivers/dri/i965/brw_fs_visitor.cpp
index 5885989..edc6dde 100644
--- a/src/mesa/drivers/dri/i965/brw_fs_visitor.cpp
+++ b/src/mesa/drivers/dri/i965/brw_fs_visitor.cpp
@@ -2325,6 +2325,7 @@ fs_visitor::fs_visitor(struct brw_context *brw,
    this->force_sechalf_stack = 0;
 
    memset(&this->param_size, 0, sizeof(this->param_size));
+   this->params_remap = NULL;
 }
 
 fs_visitor::~fs_visitor()