Fix OOB in subscript indexing of col-major matrix in cbuffer#7866
Fix OOB in subscript indexing of col-major matrix in cbuffer#7866tex3d merged 2 commits intomicrosoft:mainfrom
Conversation
bogner
left a comment
bogner
left a comment
There was a problem hiding this comment.
The fix is obviously good.
Not sure if its worth spending the time, but we might be able to reduce the test case a bit to make it clearer what exactly we're testing.
bob80905
left a comment
bob80905
left a comment
There was a problem hiding this comment.
LGTM, but echoing Justin, if it can be made more concise that would be great too.
|
#8131 might have a test case we can use for this :) |
|
/azp run |
|
Azure Pipelines successfully started running 1 pipeline(s). |
This is already as minimal (if not more) than that example. A more custom IR, rather than one originally generated from HLSL, could potentially be a bit smaller, but it'll be a bit more work to craft and rewrite the checks. Since it's an IR test for dxilgen, it has to start with High Level (HL) IR and check the output immediately after the It could simply check for the |
tools/clang/test/DXC/Passes/DxilGen/cb-col-matrix-subscript-dxilgen.ll
Outdated
Show resolved
Hide resolved
A bug in HLOperationLower code that lowers the matrix subscript operation when the matrix is in a cbuffer could cause out-of-bounds alloca indexing. The indexing creates an alloca to store a column-vector loaded from one cbuffer vector. This should have one element per row of the matrix, so it can then index along that dimension using the local array. The bug was using the number of columns when sizing the alloca instead of the number of rows. This caused it to write to out-of-bounds index when the number of rows exceeded the number of columns (like for float3x2).
Also added CHECK-NEXT, where possible.
tex3d
force-pushed
the
fix-cb-col-matrix-subscript
branch
from
b6636d3 to
57502a7
Compare
5 participants
A bug in HLOperationLower code that lowers the matrix subscript operation when the matrix is in a cbuffer could cause out-of-bounds alloca indexing.
The indexing creates an alloca to store a column-vector loaded from one cbuffer vector. This should have one element per row of the matrix, so it can then index along that dimension using the local array.
The bug was using the number of columns when sizing the alloca instead of the number of rows. This caused it to write to out-of-bounds index when the number of rows exceeded the number of columns (like for float3x2).
Fixes #7865.