[ir] Validate index operands for lve and sve
Fixes a fuzzer crash that used a function as an index operand.
Fixed: 441310936
Change-Id: Id3c08f9843fe25c2476d13255be5429a75d7202d
Reviewed-on: https://dawn-review.googlesource.com/c/dawn/+/260135
Commit-Queue: James Price <jrprice@google.com>
Commit-Queue: dan sinclair <dsinclair@chromium.org>
Reviewed-by: dan sinclair <dsinclair@chromium.org>
diff --git a/src/tint/lang/core/ir/validator.cc b/src/tint/lang/core/ir/validator.cc
index d2f25e5f..2bf4d92 100644
--- a/src/tint/lang/core/ir/validator.cc
+++ b/src/tint/lang/core/ir/validator.cc
@@ -3922,6 +3922,11 @@
}
}
}
+
+ if (!l->Index()->Type()->IsIntegerScalar()) {
+ AddError(l, LoadVectorElement::kIndexOperandOffset)
+ << "load vector element index must be an integer scalar";
+ }
}
void Validator::CheckStoreVectorElement(const StoreVectorElement* s) {
@@ -3939,6 +3944,11 @@
}
}
}
+
+ if (!s->Index()->Type()->IsIntegerScalar()) {
+ AddError(s, StoreVectorElement::kIndexOperandOffset)
+ << "store vector element index must be an integer scalar";
+ }
}
void Validator::CheckPhony(const Phony* p) {
diff --git a/src/tint/lang/core/ir/validator_access_test.cc b/src/tint/lang/core/ir/validator_access_test.cc
index 970d3214..3db9c93 100644
--- a/src/tint/lang/core/ir/validator_access_test.cc
+++ b/src/tint/lang/core/ir/validator_access_test.cc
@@ -906,6 +906,26 @@
)")) << res.Failure();
}
+TEST_F(IR_ValidatorTest, LoadVectorElement_InvalidIndexType) {
+ auto* f = b.Function("my_func", ty.void_());
+
+ b.Append(f->Block(), [&] {
+ auto* var = b.Var(ty.ptr<function, vec3<f32>>());
+ b.LoadVectorElement(var->Result(), 1_f);
+ b.Return(f);
+ });
+
+ auto res = ir::Validate(mod);
+ ASSERT_NE(res, Success);
+ EXPECT_THAT(
+ res.Failure().reason,
+ testing::HasSubstr(
+ R"(:4:38 error: load_vector_element: load vector element index must be an integer scalar
+ %3:f32 = load_vector_element %2, 1.0f
+ ^^^^
+)")) << res.Failure();
+}
+
TEST_F(IR_ValidatorTest, StoreVectorElement_NullTo) {
auto* f = b.Function("my_func", ty.void_());
@@ -1002,6 +1022,26 @@
)")) << res.Failure();
}
+TEST_F(IR_ValidatorTest, StoreVectorElement_InvalidIndexType) {
+ auto* f = b.Function("my_func", ty.void_());
+
+ b.Append(f->Block(), [&] {
+ auto* var = b.Var(ty.ptr<function, vec3<f32>>());
+ b.StoreVectorElement(var->Result(), 1_f, 1_f);
+ b.Return(f);
+ });
+
+ auto res = ir::Validate(mod);
+ ASSERT_NE(res, Success);
+ EXPECT_THAT(
+ res.Failure().reason,
+ testing::HasSubstr(
+ R"(:4:30 error: store_vector_element: store vector element index must be an integer scalar
+ store_vector_element %2, 1.0f, 1.0f
+ ^^^^
+)")) << res.Failure();
+}
+
TEST_F(IR_ValidatorTest, Swizzle_MissingValue) {
auto* f = b.Function("my_func", ty.void_());
b.Append(f->Block(), [&] {
