naga: index out of bound in constant_evaluator.rs:217 #6506

wgslfuzz · 2024-11-08T19:50:31Z

Translating the following wgsl with naga a.wgsl a.hlsl results in a panic on naga 23.0.0

fn a() {
    const b = vec4(f32(), f32());
    saturate(b);
}

thread 'main' panicked at /home/user/.cargo/registry/src/index.crates.io-6f17d22bba15001f/naga-23.0.0/src/proc/constant_evaluator.rs:217:1:
index out of bounds: the len is 2 but the index is 2
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

The text was updated successfully, but these errors were encountered:

ErichDonGubler · 2024-11-09T00:02:56Z

I can reproduce on my machine. The issue is that component_wise_* functions in the const_eval module presume that a Compose expression of a Vector of N elements (in the OP example, vec4) has N arguments in the IR. Splat and Zero expressions (viz., single- and no-argument overloads of constructors) are expanded into this form, but manually written arguments might not necessarily be.

We can make this not panic, and I've done so with #6508. However, after examining code, I think we have two further issues with const.-evaluation of vector constructors where:

The arg. count is less than N, but is a valid overload of the Compose constructor (like the overloads that offer a mix of scalars and vectors available for vec3 and vec4). For example, this should be const.-evaluated properly:

 fn func() {
 	_ = saturate(vec4(vec2(1., 1.), 1., 1.)); // works
 	_ = saturate(vec4(vec2(1.), 1., 1.)); // works
 	_ = saturate(vec4(vec2(), 1., 1.)); // should be fine, but it's not 😭	
 	_ = saturate(vec4(vec2(), vec2())); // should be fine, but it's not 😭	
 }

…but is not.

This code responsible for flattening Compose expressions into the full N-arguments form:

wgpu/naga/src/proc/mod.rs

Line 806 in 64a61ee

.take(size)

…takes only N expressions from the components of the Compose expression. This silently ignores all arguments after the Nth argument, which causes code like this to pass validation:
```
 fn func() {
 	_ = saturate(vec4(1., 1., 1., 1., 1., 1.)); // too many args 😭
 }
```

teoxoy · 2024-11-12T10:30:34Z

The arg. count is less than N, but is a valid overload of the Compose constructor (like the overloads that offer a mix of scalars and vectors available for vec3 and vec4). For example, this should be const.-evaluated properly:
 fn func() {
 	_ = saturate(vec4(vec2(1., 1.), 1., 1.)); // works
 	_ = saturate(vec4(vec2(1.), 1., 1.)); // works
 	_ = saturate(vec4(vec2(), 1., 1.)); // should be fine, but it's not 😭	
 	_ = saturate(vec4(vec2(), vec2())); // should be fine, but it's not 😭	
 }
…but is not.

We do use flatten_compose, is the issue somewhere else?

wgpu/naga/src/proc/constant_evaluator.rs

Lines 107 to 112 in 6a60458

    
           component_groups.push(crate::proc::flatten_compose( 
        
               first_ty, 
        
               components, 
        
               eval.expressions, 
        
               eval.types, 
        
           ).collect());

github-project-automation bot added this to WebGPU for Firefox Nov 8, 2024

github-project-automation bot moved this to Todo in WebGPU for Firefox Nov 8, 2024

ErichDonGubler mentioned this issue Nov 8, 2024

fix(const_eval): don't panic when a vecN constructor's arg. count is less than N #6508

Merged

7 tasks

teoxoy added type: bug Something isn't working naga Shader Translator labels Nov 12, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

naga: index out of bound in constant_evaluator.rs:217 #6506

naga: index out of bound in constant_evaluator.rs:217 #6506

wgslfuzz commented Nov 8, 2024

ErichDonGubler commented Nov 9, 2024 •

edited

Loading

teoxoy commented Nov 12, 2024

naga: index out of bound in constant_evaluator.rs:217 #6506

naga: index out of bound in constant_evaluator.rs:217 #6506

Comments

wgslfuzz commented Nov 8, 2024

ErichDonGubler commented Nov 9, 2024 • edited Loading

teoxoy commented Nov 12, 2024

ErichDonGubler commented Nov 9, 2024 •

edited

Loading