[Mesa-dev] [PATCH] compiler/spirv: reject invalid shader code properly

Jason Ekstrand jason at jlekstrand.net
Tue May 29 04:45:29 UTC 2018


On Sun, May 13, 2018 at 9:01 AM, Martin Pelikán <mpel at google.com> wrote:

> After bebe3d626e5, b->fail_jump is prepared after vtn_create_builder
> which can longjmp(3) to it through its vtn_assert()s.  This corrupts
> the stack and creates confusing core dumps, so we need to avoid it.
>
> While there, I decided to print the offending values for debuggability.
> ---
>  src/compiler/spirv/spirv_to_nir.c | 26 +++++++++++++++++++++-----
>  1 file changed, 21 insertions(+), 5 deletions(-)
>
> diff --git a/src/compiler/spirv/spirv_to_nir.c
> b/src/compiler/spirv/spirv_to_nir.c
> index 78437428aa..a05364ba2f 100644
> --- a/src/compiler/spirv/spirv_to_nir.c
> +++ b/src/compiler/spirv/spirv_to_nir.c
> @@ -4011,19 +4011,35 @@ vtn_create_builder(const uint32_t *words, size_t
> word_count,
>     b->entry_point_name = entry_point_name;
>     b->options = options;
>
> -   /* Handle the SPIR-V header (first 4 dwords)  */
> -   vtn_assert(word_count > 5);
> +   /*
> +    * Handle the SPIR-V header (first 4 dwords).
> +    * Can't use vtx_assert() as the setjmp(3) target isn't initialized
> yet.
> +    */
> +   if (word_count <= 5)
> +      goto fail;
>
> -   vtn_assert(words[0] == SpvMagicNumber);
> -   vtn_assert(words[1] >= 0x10000);
> +   if (words[0] != SpvMagicNumber) {
> +      vtn_warn("words[0] was 0x%x, want 0x%x", words[0], SpvMagicNumber);
> +      goto fail;
> +   }
> +   if (words[1] < 0x10000) {
> +      vtn_warn("words[1] was 0x%x, want >= 0x10000", words[1]);
> +      goto fail;
> +   }
>     /* words[2] == generator magic */
>     unsigned value_id_bound = words[3];
> -   vtn_assert(words[4] == 0);
> +   if (words[4] != 0) {
> +      vtn_warn("words[4] was %u, want 0", words[4]);
>

I think using vtn_log_error directly would be more appropriate so that we
can log it with DEBUG_LEVEL_ERROR.


> +      goto fail;
> +   }
>
>     b->value_id_bound = value_id_bound;
>     b->values = rzalloc_array(b, struct vtn_value, value_id_bound);
>
>     return b;
> + fail:
> +   ralloc_free(b);
> +   return NULL;
>  }
>
>  nir_function *
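Review bot: The result of `rzalloc_array(b, struct vtn_value, value_id_bound)` is stored in `b->values` and the builder is returned without a NULL check, while `value_id_bound` is read straight from `words[3]` of the module being validated. Now that the function has a `fail:` path, a failed allocation can take it with `if (b->values == NULL) goto fail;` placed before `return b;`. Separately, the `word_count <= 5` branch is the only rejection that logs nothing, so a truncated module is refused silently; a message there would match the other header checks. The function begins outside this hunk, and whether its callers handle the new NULL return is not visible here.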
> --
> 2.17.0.441.gb46fe60e1d-goog
>
>