From: Nicolai Hähnle <nicolai.haeh...@amd.com>
Found by address sanitizer.
The loop here tries to be safe, but in doing so, it ends up doing
exactly the wrong thing: the safe foreach is for when the loop
variable (inst) could be deleted and nothing else. However, this
particular can delete inst's successor, but not inst itself.
Fixes: 8c6a0ebaad72 ("st/mesa: add st fp64 support (v7.1)")
---
src/mesa/state_tracker/st_glsl_to_tgsi.cpp | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/mesa/state_tracker/st_glsl_to_tgsi.cpp
b/src/mesa/state_tracker/st_glsl_to_tgsi.cpp
index 609920a7a87..f4870a1c606 100644
--- a/src/mesa/state_tracker/st_glsl_to_tgsi.cpp
+++ b/src/mesa/state_tracker/st_glsl_to_tgsi.cpp
@@ -5141,21 +5141,22 @@ glsl_to_tgsi_visitor::eliminate_dead_code(void)
ralloc_free(write_level);
ralloc_free(writes);
return removed;
}
/* merge DFRACEXP instructions into one. */
void
glsl_to_tgsi_visitor::merge_two_dsts(void)
{
- foreach_in_list_safe(glsl_to_tgsi_instruction, inst, &this->instructions) {
+ /* We never delete inst, but we may delete its successor. */
+ foreach_in_list(glsl_to_tgsi_instruction, inst, &this->instructions) {
glsl_to_tgsi_instruction *inst2;
bool merged;
if (num_inst_dst_regs(inst) != 2)
continue;
if (inst->dst[0].file != PROGRAM_UNDEFINED &&
inst->dst[1].file != PROGRAM_UNDEFINED)
continue;
inst2 = (glsl_to_tgsi_instruction *) inst->next;
--
2.11.0
_______________________________________________
mesa-dev mailing list
mesa-dev@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/mesa-dev
