Fix fuzzer-discovered error with variable declarations.

As soon as a single VarDeclaration is successfully created, its Variable is added to the current symbol table. However, if a variable-declaration line declared several variables in a row, we would stop if ANY of the declarations contained an error and discard the entire statement, but would continue processing the rest of the program. This left us in a position where some Variables existed in the SymbolTable with valid, reachable names, but their corresponding VarDeclaration statement had been thrown away as erroneous. Since Variables point back to VarDeclarations for their initialValues, this gave us a stale pointer. Any future reference to that variable name which could trigger an access to its initialValue would read from this dead pointer. This CL fixes the conversion of VarDeclarations so that we no longer throw away any VarDeclarations associated with a successfully-parsed Variable. Change-Id: If8ec3c160933e48a0e1f36414234b3a849d8978c Bug: oss-fuzz:32587 Reviewed-on: https://skia-review.googlesource.com/c/skia/+/389636 Commit-Queue: John Stiles <johnstiles@google.com> Commit-Queue: Brian Osman <brianosman@google.com> Auto-Submit: John Stiles <johnstiles@google.com> Reviewed-by: Brian Osman <brianosman@google.com>
2021-03-29 09:38:59 -04:00 · 2021-03-29 09:38:59 -04:00 · fabed8bb79
commit fabed8bb79
parent 02f72022c5
4 changed files with 10 additions and 2 deletions
--- a/gn/sksl_tests.gni
+++ b/gn/sksl_tests.gni
@ -142,6 +142,7 @@ sksl_error_tests = [
  "/sksl/errors/Ossfuzz29849.sksl",
  "/sksl/errors/Ossfuzz31410.sksl",
  "/sksl/errors/Ossfuzz31469.sksl",
+  "/sksl/errors/Ossfuzz32587.sksl",
  "/sksl/errors/OverflowFloatLiteral.sksl",
  "/sksl/errors/OverflowIntLiteral.sksl",
  "/sksl/errors/OverflowParamArraySize.sksl",
--- a/resources/sksl/errors/Ossfuzz32587.sksl
+++ b/resources/sksl/errors/Ossfuzz32587.sksl
@ -0,0 +1,2 @@
+const float x=1, _=x1;
+half x=x*8;
--- a/src/sksl/SkSLIRGenerator.cpp
+++ b/src/sksl/SkSLIRGenerator.cpp
@ -457,13 +457,13 @@ StatementArray IRGenerator::convertVarDeclarations(const ASTNode& decls,
                arraySize = this->convertExpression(*iter++);
            } else {
                this->errorReporter().error(decls.fOffset, "array must have a size");
-                return {};
+                continue;
            }
        }
        if (iter != varDecl.end()) {
            value = this->convertExpression(*iter);
            if (!value) {
-                return {};
+                continue;
            }
        }
        std::unique_ptr<Statement> varDeclStmt = this->convertVarDeclaration(varDecl.fOffset,
--- a/tests/sksl/errors/Ossfuzz32587.glsl
+++ b/tests/sksl/errors/Ossfuzz32587.glsl
@ -0,0 +1,5 @@
+### Compilation failed:
+
+error: 1: unknown identifier 'x1'
+error: 2: symbol 'x' was already defined
+2 errors