mewin/glslang
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Avoid double-free in functions cloned for vulkan relaxed mode (#2987)

Browse Source 
* Avoid double-free in functions cloned for vulkan relaxed mode

When rewriting function calls atomicCounterIncrement and
atoicCounterDecrement, clone the parameters so that the TParameter
'type' field is cloned.  This avoids double-free when both the original
and transformed functions are deleted by the parser.

Fixes a ubsan failure.
This commit is contained in:
David Neto 2022-08-02 20:07:01 -04:00 committed by GitHub
parent f0ce653a25
commit f28022c9f9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 9 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
glslang/MachineIndependent/ParseHelper.cpp
View File

@ -7035,12 +7035,14 @@ TIntermTyped* TParseContext::vkRelaxedRemapFunctionCall(const TSourceLoc& loc, T
TFunction realFunc(&name, function->getType()); TFunction realFunc(&name, function->getType());
// Use copyParam to avoid shared ownership of the 'type' field
// of the parameter.
for (int i = 0; i < function->getParamCount(); ++i) { for (int i = 0; i < function->getParamCount(); ++i) {
realFunc.addParameter((*function)[i]); realFunc.addParameter(TParameter().copyParam((*function)[i]));
} }
TParameter tmpP = { 0, &uintType }; TParameter tmpP = { 0, &uintType };
realFunc.addParameter(tmpP); realFunc.addParameter(TParameter().copyParam(tmpP));
arguments = intermediate.growAggregate(arguments, intermediate.addConstantUnion(1, loc, true)); arguments = intermediate.growAggregate(arguments, intermediate.addConstantUnion(1, loc, true));
result = handleFunctionCall(loc, &realFunc, arguments); result = handleFunctionCall(loc, &realFunc, arguments);
@ -7053,11 +7055,11 @@ TIntermTyped* TParseContext::vkRelaxedRemapFunctionCall(const TSourceLoc& loc, T
TFunction realFunc(&name, function->getType()); TFunction realFunc(&name, function->getType());
for (int i = 0; i < function->getParamCount(); ++i) { for (int i = 0; i < function->getParamCount(); ++i) {
realFunc.addParameter((*function)[i]); realFunc.addParameter(TParameter().copyParam((*function)[i]));
} }
TParameter tmpP = { 0, &uintType }; TParameter tmpP = { 0, &uintType };
realFunc.addParameter(tmpP); realFunc.addParameter(TParameter().copyParam(tmpP));
arguments = intermediate.growAggregate(arguments, intermediate.addConstantUnion(-1, loc, true)); arguments = intermediate.growAggregate(arguments, intermediate.addConstantUnion(-1, loc, true));
result = handleFunctionCall(loc, &realFunc, arguments); result = handleFunctionCall(loc, &realFunc, arguments);

2
glslang/MachineIndependent/SymbolTable.cpp
View File

@ -383,7 +383,7 @@ TFunction::TFunction(const TFunction& copyOf) : TSymbol(copyOf)
for (unsigned int i = 0; i < copyOf.parameters.size(); ++i) { for (unsigned int i = 0; i < copyOf.parameters.size(); ++i) {
TParameter param; TParameter param;
parameters.push_back(param); parameters.push_back(param);
parameters.back().copyParam(copyOf.parameters[i]); (void)parameters.back().copyParam(copyOf.parameters[i]);
} }
extensions = nullptr; extensions = nullptr;

3
glslang/MachineIndependent/SymbolTable.h
View File

@ -224,7 +224,7 @@ struct TParameter {
TString *name; TString *name;
TType* type; TType* type;
TIntermTyped* defaultValue; TIntermTyped* defaultValue;
void copyParam(const TParameter& param) TParameter& copyParam(const TParameter& param)
{ {
if (param.name) if (param.name)
name = NewPoolTString(param.name->c_str()); name = NewPoolTString(param.name->c_str());
@ -232,6 +232,7 @@ struct TParameter {
name = 0; name = 0;
type = param.type->clone(); type = param.type->clone();
defaultValue = param.defaultValue; defaultValue = param.defaultValue;
return *this;
} }
TBuiltInVariable getDeclaredBuiltIn() const { return type->getQualifier().declaredBuiltIn; } TBuiltInVariable getDeclaredBuiltIn() const { return type->getQualifier().declaredBuiltIn; }
}; };