Fix fuzzer-discovered error with variable declarations.
As soon as a single VarDeclaration is successfully created, its Variable is added to the current symbol table. However, if a variable-declaration line declared several variables in a row, we would stop if ANY of the declarations contained an error and discard the entire statement, but would continue processing the rest of the program. This left us in a position where some Variables existed in the SymbolTable with valid, reachable names, but their corresponding VarDeclaration statement had been thrown away as erroneous. Since Variables point back to VarDeclarations for their initialValues, this gave us a stale pointer. Any future reference to that variable name which could trigger an access to its initialValue would read from this dead pointer. This CL fixes the conversion of VarDeclarations so that we no longer throw away any VarDeclarations associated with a successfully-parsed Variable. Change-Id: If8ec3c160933e48a0e1f36414234b3a849d8978c Bug: oss-fuzz:32587 Reviewed-on: https://skia-review.googlesource.com/c/skia/+/389636 Commit-Queue: John Stiles <johnstiles@google.com> Commit-Queue: Brian Osman <brianosman@google.com> Auto-Submit: John Stiles <johnstiles@google.com> Reviewed-by: Brian Osman <brianosman@google.com>
parent
02f72022c5
commit
fabed8bb79
@ -142,6 +142,7 @@ sksl_error_tests = [
|
|||||||
"/sksl/errors/Ossfuzz29849.sksl",
|
"/sksl/errors/Ossfuzz29849.sksl",
|
||||||
"/sksl/errors/Ossfuzz31410.sksl",
|
"/sksl/errors/Ossfuzz31410.sksl",
|
||||||
"/sksl/errors/Ossfuzz31469.sksl",
|
"/sksl/errors/Ossfuzz31469.sksl",
|
||||||
|
"/sksl/errors/Ossfuzz32587.sksl",
|
||||||
"/sksl/errors/OverflowFloatLiteral.sksl",
|
"/sksl/errors/OverflowFloatLiteral.sksl",
|
||||||
"/sksl/errors/OverflowIntLiteral.sksl",
|
"/sksl/errors/OverflowIntLiteral.sksl",
|
||||||
"/sksl/errors/OverflowParamArraySize.sksl",
|
"/sksl/errors/OverflowParamArraySize.sksl",
|
||||||
|
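--- /dev/null
+++ b/resources/sksl/errors/Ossfuzz32587.sksl
@@ -0,0 +1,2 @@
+const float x=1, _=x1;
+half x=x*8;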
@ -457,13 +457,13 @@ StatementArray IRGenerator::convertVarDeclarations(const ASTNode& decls,
|
|||||||
arraySize = this->convertExpression(*iter++);
|
arraySize = this->convertExpression(*iter++);
|
||||||
} else {
|
} else {
|
||||||
this->errorReporter().error(decls.fOffset, "array must have a size");
|
this->errorReporter().error(decls.fOffset, "array must have a size");
|
||||||
return {};
|
continue;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if (iter != varDecl.end()) {
|
if (iter != varDecl.end()) {
|
||||||
value = this->convertExpression(*iter);
|
value = this->convertExpression(*iter);
|
||||||
if (!value) {
|
if (!value) {
|
||||||
return {};
|
continue;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
std::unique_ptr<Statement> varDeclStmt = this->convertVarDeclaration(varDecl.fOffset,
|
std::unique_ptr<Statement> varDeclStmt = this->convertVarDeclaration(varDecl.fOffset,
|
||||||
|
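Review bot: The two `continue` statements that replace `return {};` depend on an invariant the code never states: once an earlier declarator in the same statement has registered its Variable in the symbol table, its VarDeclaration must be kept, because the Variable points back at it for its initial value. Without a comment, a later cleanup could restore the early return and reintroduce the stale-pointer read described in the commit message. I would add above each one something like `// Skip only this declarator; earlier ones already have Variables in the symbol table that point at their VarDeclarations.` The hunk ends at the call to `convertVarDeclaration` and the function continues outside it, so whether a failure of that call is handled the same way cannot be confirmed from here.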
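--- /dev/null
+++ b/tests/sksl/errors/Ossfuzz32587.glsl
@@ -0,0 +1,5 @@
+### Compilation failed:
+
+error: 1: unknown identifier 'x1'
+error: 2: symbol 'x' was already defined
+2 errors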