From 417d8917d4924652f1cd0c64dbf3677d4eddbf8c Mon Sep 17 00:00:00 2001 From: Paul Berry Date: Tue, 16 Apr 2013 12:49:51 -0700 Subject: [PATCH] i965/vec4: Fix hypothetical use of uninitialized data in attribute_map[]. Fixes issue identified by Klocwork analysis: 'attribute_map' array elements might be used uninitialized in this function (vec4_visitor::lower_attributes_to_hw_regs). The attribute_map array contains the mapping from shader input attributes to the hardware registers they are stored in. vec4_vs_visitor::setup_attributes() only populates elements of this array which, according to core Mesa, are actually used by the shader. Therefore, when vec4_visitor::lower_attributes_to_hw_regs() accesses the array to lower a register access in the shader, it should in principle only access elements of attribute_map that contain valid data. However, if a bug ever caused the driver back-end to access an input that was not flagged as used by core Mesa, then lower_attributes_to_hw_regs() would access uninitialized memory, which could cause illegal instructions to get generated, resulting in a possible GPU hang. This patch makes the situation more robust by using memset() to pre-initialize the attribute_map array to zero, so that if such a bug ever occurred, lower_attributes_to_hw_regs() would generate a (mostly) harmless access to r0. In addition, it adds assertions to lower_attributes_to_hw_regs() so that if we do have such a bug, we're likely to discover it quickly. Reviewed-by: Jordan Justen --- src/mesa/drivers/dri/i965/brw_vec4.cpp | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/src/mesa/drivers/dri/i965/brw_vec4.cpp b/src/mesa/drivers/dri/i965/brw_vec4.cpp index b0527c7..0afff6f 100644 --- a/src/mesa/drivers/dri/i965/brw_vec4.cpp +++ b/src/mesa/drivers/dri/i965/brw_vec4.cpp @@ -1197,6 +1197,11 @@ vec4_visitor::lower_attributes_to_hw_regs(const int *attribute_map) if (inst->dst.file == ATTR) { int grf = attribute_map[inst->dst.reg + inst->dst.reg_offset]; + /* All attributes used in the shader need to have been assigned a + * hardware register by the caller + */ + assert(grf != 0); + struct brw_reg reg = brw_vec8_grf(grf, 0); reg.type = inst->dst.type; reg.dw1.bits.writemask = inst->dst.writemask; @@ -1211,6 +1216,11 @@ vec4_visitor::lower_attributes_to_hw_regs(const int *attribute_map) int grf = attribute_map[inst->src[i].reg + inst->src[i].reg_offset]; + /* All attributes used in the shader need to have been assigned a + * hardware register by the caller + */ + assert(grf != 0); + struct brw_reg reg = brw_vec8_grf(grf, 0); reg.dw1.bits.swizzle = inst->src[i].swizzle; reg.type = inst->src[i].type; @@ -1230,6 +1240,7 @@ vec4_vs_visitor::setup_attributes(int payload_reg) { int nr_attributes; int attribute_map[VERT_ATTRIB_MAX + 1]; + memset(attribute_map, 0, sizeof(attribute_map)); nr_attributes = 0; for (int i = 0; i < VERT_ATTRIB_MAX; i++) { -- 2.7.4