Created attachment 125922 [details]
fragment shader

mesa-git-a2ae67aa47df6dd41802462105dac7ce5ab676a2

attached fragment shader crashes glsl_compiler with SIGSEGV

backtrace:
#0 0x00000000005e98f8 in hash_table_string_hash (key=0x2) at ../../src/mesa/program/prog_hash_table.c:42
#1 0x000000000051006b in _mesa_hash_table_search (ht=0x9bab40, key=0x2, key@entry=0xffffffffffffffff) at ../../../src/util/hash_table.c:245
#2 0x00000000005ea96e in hash_table_find (key=key@entry=0xffffffffffffffff, ht=<optimized out>) at ../../src/mesa/program/hash_table.h:102
#3 find_symbol (table=<optimized out>, name=name@entry=0xffffffffffffffff <error: Cannot access memory at address 0xffffffffffffffff>) at ../../src/mesa/program/symbol_table.c:189
#4 _mesa_symbol_table_find_symbol (table=<optimized out>, name_space=name_space@entry=-1, name=name@entry=0x2 <error: Cannot access memory at address 0x2>) at ../../src/mesa/program/symbol_table.c:227
#5 0x000000000046142d in glsl_symbol_table::get_entry (name=0x2 <error: Cannot access memory at address 0x2>, this=<optimized out>) at ../../../src/compiler/glsl/glsl_symbol_table.cpp:264
#6 glsl_symbol_table::get_function (this=<optimized out>, name=name@entry=0x2 <error: Cannot access memory at address 0x2>) at ../../../src/compiler/glsl/glsl_symbol_table.cpp:248
#7 0x0000000000712a3d in match_function_by_name (state=0x9b75f0, actual_parameters=0x7fffffffd060, name=<optimized out>) at ../../../src/compiler/glsl/ast_function.cpp:561
#8 ast_function_expression::hir (this=0x9bc110, instructions=0x9cc4d0, state=0x9b75f0) at ../../../src/compiler/glsl/ast_function.cpp:2128
#9 0x000000000060eed5 in ast_expression::do_hir (this=0x9bc1d0, instructions=0x9cc4d0, state=0x9b75f0, needs_rvalue=<optimized out>) at ../../../src/compiler/glsl/ast_to_hir.cpp:1521
#10 0x0000000000613066 in ast_expression_statement::hir (this=<optimized out>, instructions=<optimized out>, state=<optimized out>) at ../../../src/compiler/glsl/ast_to_hir.cpp:2161
#11 0x0000000000622647 in ast_compound_statement::hir (state=0x9b75f0, instructions=0x9cc4d0, this=0x9bc290) at ../../../src/compiler/glsl/ast_to_hir.cpp:2177
#12 ast_function_definition::hir (this=0x9bc320, instructions=<optimized out>, state=0x9b75f0) at ../../../src/compiler/glsl/ast_to_hir.cpp:5663
#13 0x000000000060bca1 in _mesa_ast_to_hir (instructions=0x9b8280, state=state@entry=0x9b75f0) at ../../../src/compiler/glsl/ast_to_hir.cpp:154
#14 0x000000000045dd33 in _mesa_glsl_compile_shader (ctx=ctx@entry=0x979aa0 <standalone_compile_shader::local_ctx>, shader=shader@entry=0x9b6910, dump_ast=<optimized out>, dump_hir=<optimized out>) at ../../../src/compiler/glsl/glsl_parser_extras.cpp:1865
#15 0x000000000040e170 in compile_shader (shader=0x9b6910, ctx=0x979aa0 <standalone_compile_shader::local_ctx>) at ../../../src/compiler/glsl/standalone.cpp:282
#16 standalone_compile_shader (_options=_options@entry=0x979a50 <options>, num_files=num_files@entry=1, files=<optimized out>) at ../../../src/compiler/glsl/standalone.cpp:386
#17 0x0000000000409045 in main (argc=<optimized out>, argv=0x7fffffffd5c8) at ../../../src/compiler/glsl/main.cpp:91
also works with "*", "&" or "+" instead of "|" (maybe operators in general?)
and with "works" I mean "crashes"
Created attachment 127920 [details]
more simple example

seems like this crashes mesa already

Created attachment 127929 [details] [review]
possible patch

would something like that be okay to fix this or is it actually the wrong place?
A bit more defensive fix on list: https://lists.freedesktop.org/archives/mesa-dev/2016-November/135131.html
Fixed by:

commit 151aecabe4be9d45627ef1f6ae6b8d732cea0c28
Author: Kenneth Graunke <kenneth@whitecape.org>
Date: Sat Nov 12 11:55:30 2016 -0800

    glsl: Don't crash on function names with invalid identifiers.

    Karol Herbst's fuzzing efforts noticed that we would segfault on:

        void bug() {
            2(0);
        }

    We just need to bail if the function name isn't an identifier.

    Based on a bug fix by Karol Herbst.

    Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=97422
    Signed-off-by: Kenneth Graunke <kenneth@whitecape.org>
    Reviewed-by: Timothy Arceri <timothy.arceri@collabora.com>
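
The check the commit message describes ("bail if the function name isn't an identifier"), shown as an added example that is not part of this thread and is not Mesa's code. It assumes a simplified model in which the callee of a call expression is stored in a tagged union; all type and function names here are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified model, not Mesa's real types: the callee of a call expression
 * is a primary expression that holds an identifier OR a constant. */
enum expr_kind { EXPR_IDENTIFIER, EXPR_INT_CONSTANT };
struct expr {
    enum expr_kind kind;
    union { const char *identifier; int int_constant; } u;
};

enum resolve_status { RESOLVE_OK, RESOLVE_NOT_IDENTIFIER, RESOLVE_UNDECLARED };

/* Constructed symbol table standing in for the compiler's function scope. */
static const char *const declared_functions[] = { "main", "bug" };

/* Look up the callee by name, but only after confirming it is a name.
 * Without the kind check, `2(0)` would pass the union's integer bytes to
 * strcmp() as if they were a string pointer. */
enum resolve_status resolve_callee(const struct expr *callee)
{
    if (callee->kind != EXPR_IDENTIFIER)
        return RESOLVE_NOT_IDENTIFIER;   /* report an error, do no lookup */
    for (size_t i = 0; i < sizeof declared_functions / sizeof *declared_functions; i++)
        if (strcmp(declared_functions[i], callee->u.identifier) == 0)
            return RESOLVE_OK;
    return RESOLVE_UNDECLARED;
}

/* Helpers that build the two callee shapes a parser could hand over. */
enum resolve_status resolve_named_call(const char *name)
{
    struct expr callee = { .kind = EXPR_IDENTIFIER, .u.identifier = name };
    return resolve_callee(&callee);
}

enum resolve_status resolve_constant_call(int value)
{
    struct expr callee = { .kind = EXPR_INT_CONSTANT, .u.int_constant = value };
    return resolve_callee(&callee);
}

int main(void)
{
    printf("bug(0): %d\n", resolve_named_call("bug"));  /* declared function */
    printf("2(0):   %d\n", resolve_constant_call(2));   /* callee is a constant */
    return 0;
}
```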