Fix ASAN error when inlining array constructor expressions.
Constructors such as `float[2](0, 0)` add a type to the symbol table;
this type needs to be copied into the new symbol table if the
constructor is cloned by the inliner.
Change-Id: Ifa8d2dec87103c6223ce493e2201a904c14c2137
Bug: oss-fuzz:28050
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/339168
Auto-Submit: John Stiles <johnstiles@google.com>
Commit-Queue: Brian Osman <brianosman@google.com>
Reviewed-by: Brian Osman <brianosman@google.com>
diff --git a/src/sksl/SkSLInliner.cpp b/src/sksl/SkSLInliner.cpp
index 910194c..5e3e906 100644
--- a/src/sksl/SkSLInliner.cpp
+++ b/src/sksl/SkSLInliner.cpp
@@ -324,10 +324,11 @@
std::unique_ptr<Expression> Inliner::inlineExpression(int offset,
VariableRewriteMap* varMap,
+ SymbolTable* symbolTableForExpression,
const Expression& expression) {
auto expr = [&](const std::unique_ptr<Expression>& e) -> std::unique_ptr<Expression> {
if (e) {
- return this->inlineExpression(offset, varMap, *e);
+ return this->inlineExpression(offset, varMap, symbolTableForExpression, *e);
}
return nullptr;
};
@@ -356,8 +357,8 @@
return expression.clone();
case Expression::Kind::kConstructor: {
const Constructor& constructor = expression.as<Constructor>();
- return std::make_unique<Constructor>(offset, &constructor.type(),
- argList(constructor.arguments()));
+ const Type* type = copy_if_needed(&constructor.type(), *symbolTableForExpression);
+ return std::make_unique<Constructor>(offset, type, argList(constructor.arguments()));
}
case Expression::Kind::kExternalFunctionCall: {
const ExternalFunctionCall& externalCall = expression.as<ExternalFunctionCall>();
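Review bot: In the `kConstructor` case the new code dereferences `symbolTableForExpression` unconditionally (`*symbolTableForExpression`), but the parameter added in the first hunk is a raw, nullable `SymbolTable*` with no stated contract. Because this path fixes a fuzzer-found memory-safety bug, I would either take the table by reference or add `SkASSERT(symbolTableForExpression);` at the top of `inlineExpression`. The declaration should also say that the table must outlive the cloned expression, since it owns the copied `Type`. The statement-side lambda in the third hunk forwards `symbolTableForStatement` into the same path, so the same non-null requirement applies there. The switch continues outside this hunk, so it may be worth checking whether other expression kinds holding a `const Type*` can also reference a type owned by the inlined function's symbol table.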
@@ -449,7 +450,7 @@
};
auto expr = [&](const std::unique_ptr<Expression>& e) -> std::unique_ptr<Expression> {
if (e) {
- return this->inlineExpression(offset, varMap, *e);
+ return this->inlineExpression(offset, varMap, symbolTableForStatement, *e);
}
return nullptr;
};