Hi Brad,
I configured and built Mesa as you described, but I can't repro the crash with your trace.  I tested both ToT and 807e2539e5 with softpipe and llvmpipe.

I'm using gcc/g++ 5.4.0, FWIW.

Created attachment 136976 [details]
apitrace of test recorded before change that crashes

Thanks Brian.  For another try, here is an apitrace of the test that is more complete by running it with a version of Mesa from just before the breakage.

Also, here is valgrind memcheck output from the segfault:

```
==27717== Invalid read of size 4
==27717==    at 0x8B2D542: (anonymous namespace)::prog_scope::begin() const (st_glsl_to_tgsi_temprename.cpp:437)
==27717==    by 0x8B2D32E: (anonymous namespace)::prog_scope::contains_range_of((anonymous namespace)::prog_scope const&) const (st_glsl_to_tgsi_temprename.cpp:365)                                                                                                                       
==27717==    by 0x8B2E047: (anonymous namespace)::temp_comp_access::get_required_lifetime() (st_glsl_to_tgsi_temprename.cpp:803)
==27717==    by 0x8B2D8DB: (anonymous namespace)::temp_access::get_required_lifetime() (st_glsl_to_tgsi_temprename.cpp:527)
==27717==    by 0x8B2E5B6: (anonymous namespace)::access_recorder::get_required_lifetimes(lifetime*) (st_glsl_to_tgsi_temprename.cpp:933)
==27717==    by 0x8B2EF39: get_temp_registers_required_lifetimes(void*, exec_list*, int, lifetime*) (st_glsl_to_tgsi_temprename.cpp:1120)
==27717==    by 0x8B243A3: glsl_to_tgsi_visitor::merge_registers() (st_glsl_to_tgsi.cpp:5316)
==27717==    by 0x8B28B28: get_mesa_program_tgsi(gl_context*, gl_shader_program*, gl_linked_shader*) (st_glsl_to_tgsi.cpp:6767)
==27717==    by 0x8B294C4: st_link_shader (st_glsl_to_tgsi.cpp:7065)
==27717==    by 0x8B4EB76: _mesa_glsl_link_shader (ir_to_mesa.cpp:3126)
==27717==    by 0x89FD6C2: link_program (shaderapi.c:1203)
==27717==    by 0x89FD6C2: link_program_error (shaderapi.c:1281)
==27717==    by 0x89FECAC: _mesa_LinkProgram (shaderapi.c:1773)
==27717==  Address 0xc is not stack'd, malloc'd or (recently) free'd
```

That "Address 0xc" looks suspicious.

OK, that trace triggers the crash.  I'll take a quick look, but it'll probably be up to Gert to investigate and fix.

This patch seems to fix the crash, but I'm not sure it's actually correct.  Gert will have to take a look.

diff --git a/src/mesa/state_tracker/st_glsl_to_tgsi_temprename.cpp b/src/mesa/state_tracker/st_glsl_to_tgsi_temprename.cpp
index 76b3f43..54802b3 100644
--- a/src/mesa/state_tracker/st_glsl_to_tgsi_temprename.cpp
+++ b/src/mesa/state_tracker/st_glsl_to_tgsi_temprename.cpp
@@ -791,7 +791,8 @@ lifetime temp_comp_access::get_required_lifetime()
    const prog_scope *conditional = enclosing_scope_first_write->enclosing_conditional();
    if (conditional && !conditional->contains_range_of(*last_read_scope) &&
        (conditional->is_switchcase_scope_in_loop() ||
-        conditional_ifelse_write_in_loop())) {
+        conditional_ifelse_write_in_loop()) &&
+       conditional->outermost_loop()) {
          keep_for_full_loop = true;
          enclosing_scope_first_write = conditional->outermost_loop();
    }
@@ -800,6 +801,8 @@ lifetime temp_comp_access::get_required_lifetime()
     * required first read before write scope, and last read scope.
     */
    const prog_scope *enclosing_scope = enclosing_scope_first_read;
+   assert(enclosing_scope);
+   assert(enclosing_scope_first_write);
    if (enclosing_scope_first_write->contains_range_of(*enclosing_scope))
       enclosing_scope = enclosing_scope_first_write;

@Brian I can also reproduce the crash, and was able to add a test case for it, but I AFAICS  your fix is just a workaround, and the culprit is somewhere else.

Created attachment 136978 [details] [review]
Prelimiary fix

Hi Brad, 

this patch fixes the segfault in the trace you posted, could you test the patch to see if it fixes also the other tests?

Best, 
Gert

Gert, yes that fixes all the tests.  Thanks!

Fixed with commit 6a7d1ca2c49ae06bbb323936f1e1c17ba7e2c9a1