nir: Use nir_src_copy instead of direct assignments.

If the source is an indirect register, there is ralloc'd data.  Copying
with a direct assignment will copy the pointer, but the data will still
belong to the old instruction's memory context.  Since we're lowering
and throwing away instructions, that could free the data by mistake.

Instead, use nir_src_copy, which properly handles this.

This is admittedly not a common case, so I think the bug is real,
but unlikely to be hit.

Cc: mesa-stable@lists.freedesktop.org
Reviewed-by: Matt Turner <mattst88@gmail.com>

diff --git a/src/compiler/nir/nir_lower_atomics.c b/src/compiler/nir/nir_lower_atomics.c
index 1993013..2252e16 100644 (file)
--- a/src/compiler/nir/nir_lower_atomics.c
+++ b/src/compiler/nir/nir_lower_atomics.c
@@ -155,7 +155,7 @@ lower_instr(nir_intrinsic_instr *instr,
     * instruction.
     */
    for (unsigned i = 0; i < nir_intrinsic_infos[instr->intrinsic].num_srcs; i++)
-      new_instr->src[i + 1] = instr->src[i];
+      nir_src_copy(&new_instr->src[i + 1], &instr->src[i], new_instr);
 
    if (instr->dest.is_ssa) {
       nir_ssa_dest_init(&new_instr->instr, &new_instr->dest,

diff --git a/src/compiler/nir/nir_lower_atomics_to_ssbo.c b/src/compiler/nir/nir_lower_atomics_to_ssbo.c
index fd6eefb..371eb0b 100644 (file)
--- a/src/compiler/nir/nir_lower_atomics_to_ssbo.c
+++ b/src/compiler/nir/nir_lower_atomics_to_ssbo.c
@@ -115,7 +115,7 @@ lower_instr(nir_intrinsic_instr *instr, unsigned ssbo_offset, nir_builder *b)
       /* remapped to ssbo_atomic_add: { buffer_idx, offset, +1 } */
       temp = nir_imm_int(b, +1);
       new_instr->src[0] = nir_src_for_ssa(buffer);
-      new_instr->src[1] = instr->src[0];
+      nir_src_copy(&new_instr->src[1], &instr->src[0], new_instr);
       new_instr->src[2] = nir_src_for_ssa(temp);
       break;
    case nir_intrinsic_atomic_counter_dec:
@@ -123,21 +123,21 @@ lower_instr(nir_intrinsic_instr *instr, unsigned ssbo_offset, nir_builder *b)
       /* NOTE semantic difference so we adjust the return value below */
       temp = nir_imm_int(b, -1);
       new_instr->src[0] = nir_src_for_ssa(buffer);
-      new_instr->src[1] = instr->src[0];
+      nir_src_copy(&new_instr->src[1], &instr->src[0], new_instr);
       new_instr->src[2] = nir_src_for_ssa(temp);
       break;
    case nir_intrinsic_atomic_counter_read:
       /* remapped to load_ssbo: { buffer_idx, offset } */
       new_instr->src[0] = nir_src_for_ssa(buffer);
-      new_instr->src[1] = instr->src[0];
+      nir_src_copy(&new_instr->src[1], &instr->src[0], new_instr);
       break;
    default:
       /* remapped to ssbo_atomic_x: { buffer_idx, offset, data, (compare)? } */
       new_instr->src[0] = nir_src_for_ssa(buffer);
-      new_instr->src[1] = instr->src[0];
-      new_instr->src[2] = instr->src[1];
+      nir_src_copy(&new_instr->src[1], &instr->src[0], new_instr);
+      nir_src_copy(&new_instr->src[2], &instr->src[1], new_instr);
       if (op == nir_intrinsic_ssbo_atomic_comp_swap)
-         new_instr->src[3] = instr->src[2];
+         nir_src_copy(&new_instr->src[3], &instr->src[2], new_instr);
       break;
    }
 

diff --git a/src/compiler/nir/nir_lower_io_to_scalar.c b/src/compiler/nir/nir_lower_io_to_scalar.c
index f2345d5..fffd1d3 100644 (file)
--- a/src/compiler/nir/nir_lower_io_to_scalar.c
+++ b/src/compiler/nir/nir_lower_io_to_scalar.c
@@ -49,7 +49,7 @@ lower_load_input_to_scalar(nir_builder *b, nir_intrinsic_instr *intr)
       nir_intrinsic_set_base(chan_intr, nir_intrinsic_base(intr));
       nir_intrinsic_set_component(chan_intr, nir_intrinsic_component(intr) + i);
       /* offset */
-      chan_intr->src[0] = intr->src[0];
+      nir_src_copy(&chan_intr->src[0], &intr->src[0], chan_intr);
 
       nir_builder_instr_insert(b, &chan_intr->instr);
 
@@ -84,7 +84,7 @@ lower_store_output_to_scalar(nir_builder *b, nir_intrinsic_instr *intr)
       /* value */
       chan_intr->src[0] = nir_src_for_ssa(nir_channel(b, value, i));
       /* offset */
-      chan_intr->src[1] = intr->src[1];
+      nir_src_copy(&chan_intr->src[1], &intr->src[1], chan_intr);
 
       nir_builder_instr_insert(b, &chan_intr->instr);
    }