From b2619443d9a66620e886a0a78cc1237ef1e0354e Mon Sep 17 00:00:00 2001
From: James Price
Date: Fri, 6 Aug 2021 20:31:59 +0000
Subject: [PATCH] reader/spirv: Propagate errors during composite extraction

This prevents nullptr dereferences when invalid OpConstantComposite instructions make it past spirv-val.

Fixed: chromium:1231650
Change-Id: Iddfe04dcfdce382096ae7dec7af8718b579f7951
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/61080
Auto-Submit: James Price
Kokoro: Kokoro
Commit-Queue: James Price
Reviewed-by: David Neto
---
 src/reader/spirv/function.cc | 5 +++++
 src/reader/spirv/function.h | 3 ++-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/reader/spirv/function.cc b/src/reader/spirv/function.cc
index b4aeaeccda..f5dcc36dab 100644
--- a/src/reader/spirv/function.cc
+++ b/src/reader/spirv/function.cc
@@ -4399,6 +4399,10 @@ TypedExpression FunctionEmitter::MakeCompositeExtract(
 auto composite_index = 0;
 auto first_index_position = 1;
 TypedExpression current_expr(MakeOperand(inst, composite_index));
+ if (!current_expr) {
+ return {};
+ }
+
 const auto composite_id = inst.GetSingleWordInOperand(composite_index);
 auto current_type_id = def_use_mgr_->GetDef(composite_id)->type_id();
@@ -4474,6 +4478,7 @@ TypedExpression FunctionEmitter::MakeCompositeValueDecomposition(
 if (index_val >= kMaxVectorLen) {
 Fail() << "internal error: swizzle index " << index_val
 << " is too big. Max handled index is " << kMaxVectorLen - 1;
+ return {};
 }
 next_expr = create(
 Source{}, current_expr.expr, Swizzle(index_val));
diff --git a/src/reader/spirv/function.h b/src/reader/spirv/function.h
index b803ad545f..f128b41cab 100644
--- a/src/reader/spirv/function.h
+++ b/src/reader/spirv/function.h
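Review bot: In `MakeCompositeExtract` (src/reader/spirv/function.cc), the statement right after the new guard still dereferences `def_use_mgr_->GetDef(composite_id)` without a null check. A successful `MakeOperand` presumably implies the ID has a definition, but this path was reached by input that got past spirv-val, so an explicit check would make that assumption visible: `const auto* composite_def = def_use_mgr_->GetDef(composite_id);` followed by `if (!composite_def) { Fail() << "composite ID has no definition"; return {}; }`. The diffstat lists only function.cc and function.h, so the fix for chromium:1231650 comes without a regression test; a reader test that feeds the invalid OpConstantComposite would keep the guard from being lost later. The function body continues outside the hunk.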
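Review bot: In `MakeCompositeValueDecomposition`, the added `return {};` deserves a short why-comment, because its purpose is only visible from the statement after the closing brace: without it, an `index_val` at or above `kMaxVectorLen` went on to `Swizzle(index_val)`. A line such as `// Do not fall through: Swizzle() must only see indices below kMaxVectorLen.` above the return would do. The function starts and ends outside this hunk, so any other `Fail()` sites in it that do not return immediately cannot be checked from here and are worth a look for the same fall-through.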
@@ -762,7 +762,8 @@ class FunctionEmitter {
 /// Makes an expression from a SPIR-V ID.
 /// if the SPIR-V result type is a pointer.
 /// @param id the SPIR-V ID of the value
- /// @returns true if emission has not yet failed.
+ /// @returns an AST expression for the instruction, or an invalid
+ /// TypedExpression on error.
 TypedExpression MakeExpression(uint32_t id);
 /// Creates an expression and supporting statements for a combinatorial