From 78542af89e95f6baf173840b5f74bf8294bbbb34 Mon Sep 17 00:00:00 2001
From: Dave Airlie <airlied@redhat.com>
Date: Mon, 17 Sep 2018 17:07:04 +1000
Subject: [PATCH] Fix r600 sb crash (#1629401)

---
 ...if_conversion-iterator-to-be-legal-C.patch | 51 +++++++++++++++++++
 0001-r600-sb-fix-crash-in-fold_alu_op3.patch  | 42 +++++++++++++++
 mesa.spec                                     |  9 +++-
 3 files changed, 101 insertions(+), 1 deletion(-)
 create mode 100644 0001-r600-sb-cleanup-if_conversion-iterator-to-be-legal-C.patch
 create mode 100644 0001-r600-sb-fix-crash-in-fold_alu_op3.patch

diff --git a/0001-r600-sb-cleanup-if_conversion-iterator-to-be-legal-C.patch b/0001-r600-sb-cleanup-if_conversion-iterator-to-be-legal-C.patch
new file mode 100644
index 0000000..db45a40
--- /dev/null
+++ b/0001-r600-sb-cleanup-if_conversion-iterator-to-be-legal-C.patch
@@ -0,0 +1,51 @@
+From 8c51caab2404c5c9f5211936d27e9fe1c0af2e7d Mon Sep 17 00:00:00 2001
+From: Dave Airlie <airlied@redhat.com>
+Date: Fri, 29 Jun 2018 03:47:26 +0100
+Subject: [PATCH] r600/sb: cleanup if_conversion iterator to be legal C++
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The current code causes:
+/usr/include/c++/8/debug/safe_iterator.h:207:
+Error: attempt to copy from a singular iterator.
+
+This is due to the iterators getting invalidated, fix the
+reverse iterator to use the return value from erase, and
+cast it properly.
+
+(used Mathias suggestion)
+Cc: <mesa-stable@lists.freedesktop.org>
+Reviewed-by: Mathias Fröhlich <mathias.froehlich@web.de>
+---
+ src/gallium/drivers/r600/sb/sb_if_conversion.cpp | 11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+diff --git a/src/gallium/drivers/r600/sb/sb_if_conversion.cpp b/src/gallium/drivers/r600/sb/sb_if_conversion.cpp
+index 3f6431b80f5..017153434fc 100644
+--- a/src/gallium/drivers/r600/sb/sb_if_conversion.cpp
++++ b/src/gallium/drivers/r600/sb/sb_if_conversion.cpp
+@@ -42,16 +42,13 @@ int if_conversion::run() {
+ 	regions_vec &rv = sh.get_regions();
+ 
+ 	unsigned converted = 0;
+-
+-	for (regions_vec::reverse_iterator N, I = rv.rbegin(), E = rv.rend();
+-			I != E; I = N) {
+-		N = I; ++N;
+-
++	for (regions_vec::reverse_iterator I = rv.rbegin(); I != rv.rend(); ) {
+ 		region_node *r = *I;
+ 		if (run_on(r)) {
+-			rv.erase(I.base() - 1);
++			I = regions_vec::reverse_iterator(rv.erase((++I).base()));
+ 			++converted;
+-		}
++		} else
++			++I;
+ 	}
+ 	return 0;
+ }
+-- 
+2.17.1
+
diff --git a/0001-r600-sb-fix-crash-in-fold_alu_op3.patch b/0001-r600-sb-fix-crash-in-fold_alu_op3.patch
new file mode 100644
index 0000000..8724f64
--- /dev/null
+++ b/0001-r600-sb-fix-crash-in-fold_alu_op3.patch
@@ -0,0 +1,42 @@
+From 817efd89685efc6b5866e09cbdad01c4ff21c737 Mon Sep 17 00:00:00 2001
+From: Roland Scheidegger <sroland@vmware.com>
+Date: Wed, 4 Jul 2018 04:44:17 +0200
+Subject: [PATCH] r600/sb: fix crash in fold_alu_op3
+
+fold_assoc() called from fold_alu_op3() can lower the number of src to 2,
+which then leads to an invalid access to n.src[2]->gvalue().
+This didn't seem to have caused much harm in the past, but on Fedora 28
+it will crash (presumably because -D_GLIBCXX_ASSERTIONS is used, although
+with libstdc++ 4.8.5 this didn't do anything, -D_GLIBCXX_DEBUG was
+needed to show the issue).
+
+An alternative fix would be to instead call fold_alu_op2() from within
+fold_assoc() when the number of src is reduced and return always TRUE
+from fold_assoc() in this case, with the only actual difference being
+the return value from fold_alu_op3() then. I'm not sure what the return
+value actually should be in this case (or whether it even can make a
+difference).
+
+https://bugs.freedesktop.org/show_bug.cgi?id=106928
+Cc: mesa-stable@lists.freedesktop.org
+Reviewed-by: Dave Airlie <airlied@redhat.com>
+---
+ src/gallium/drivers/r600/sb/sb_expr.cpp | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/gallium/drivers/r600/sb/sb_expr.cpp b/src/gallium/drivers/r600/sb/sb_expr.cpp
+index 1df78da6608..ad798453bc1 100644
+--- a/src/gallium/drivers/r600/sb/sb_expr.cpp
++++ b/src/gallium/drivers/r600/sb/sb_expr.cpp
+@@ -945,6 +945,8 @@ bool expr_handler::fold_alu_op3(alu_node& n) {
+ 	if (!sh.safe_math && (n.bc.op_ptr->flags & AF_M_ASSOC)) {
+ 		if (fold_assoc(&n))
+ 			return true;
++		if (n.src.size() < 3)
++			return fold_alu_op2(n);
+ 	}
+ 
+ 	value* v0 = n.src[0]->gvalue();
+-- 
+2.17.1
+
diff --git a/mesa.spec b/mesa.spec
index 3d8bc13..31ba3d7 100644
--- a/mesa.spec
+++ b/mesa.spec
@@ -55,7 +55,7 @@
 Name:           mesa
 Summary:        Mesa graphics libraries
 Version:        18.0.5
-Release:        3%{?rctag:.%{rctag}}%{?dist}
+Release:        4%{?rctag:.%{rctag}}%{?dist}
 
 License:        MIT
 URL:            http://www.mesa3d.org
@@ -84,6 +84,10 @@ Patch7:         0001-gallium-Disable-rgb10-configs-by-default.patch
 Patch10:        glvnd-fix-gl-dot-pc.patch
 Patch11:        0001-Fix-linkage-against-shared-glapi.patch
 
+# r600 backport
+Patch20:	0001-r600-sb-cleanup-if_conversion-iterator-to-be-legal-C.patch
+Patch21:	0001-r600-sb-fix-crash-in-fold_alu_op3.patch
+
 BuildRequires:  gcc
 BuildRequires:  gcc-c++
 BuildRequires:  automake
@@ -676,6 +680,9 @@ popd
 %{_includedir}/vulkan/
 
 %changelog
+* Mon Sep 17 2018 Dave Airlie <Airlied@redhat.com> - 18.0.5-4
+- Fix r600 sb crash (#1629401)
+
 * Fri Jul 06 2018 Adam Jackson <ajax@redhat.com> - 18.0.5-3
 - Drop texture float patch