Commit 5d896a6cc6

Robin Voetter <robin@voetter.nl>
2023-04-10 18:27:22
spirv: fix use-after-realloc in resolveType()
The pointer to a slot in a hash map was fetched before a recursive call. If the hash map's size changed during the recursive call, this would write to an invalid pointer. The solution is to use an index instead of a pointer. Note that care must be taken that resolved types (from the type_cache) are not accessed during this operation, as they might still be incomplete.
1 parent 5e62ba1
Changed files (1)
src/codegen/spirv/Module.zig
@@ -393,11 +393,14 @@ pub fn resolveSourceFileName(self: *Module, decl: *ZigDecl) !IdRef {
 /// be emitted at this point.
 pub fn resolveType(self: *Module, ty: Type) !Type.Ref {
     const result = try self.type_cache.getOrPut(self.gpa, ty);
+    const index = @intToEnum(Type.Ref, result.index);
+
     if (!result.found_existing) {
-        result.value_ptr.* = try self.emitType(ty);
+        const ref = try self.emitType(ty);
+        self.type_cache.values()[result.index] = ref;
     }
 
-    return @intToEnum(Type.Ref, result.index);
+    return index;
 }
 
 pub fn resolveTypeId(self: *Module, ty: Type) !IdResultType {
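Review bot: Between `getOrPut` and the store on the `self.type_cache.values()[result.index] = ref;` line the freshly inserted slot holds an undefined value, and the fix is only sound while two invariants hold that nothing in the function states: `type_cache` is never shrunk (an array-hash-map index stays valid across inserts but not across removals), and no code reached through `emitType` reads `values()[index]` for an entry still being emitted. I would pin both above the `if` with a comment: `// The slot is undefined until emitType() returns; recursive resolveType calls may rely only on the index (stable because type_cache is insert-only), never on the cached value.` The error path also looks worth a note: if `emitType` fails, the entry remains in the cache with an undefined value and a later `resolveType(ty)` would see `found_existing` — presumably harmless if codegen aborts on the error, but worth confirming and documenting.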