From 5d896a6cc6b7127dd4db0bd386ebe33da82d7824 Mon Sep 17 00:00:00 2001
From: Robin Voetter
Date: Mon, 10 Apr 2023 18:27:22 +0200
Subject: [PATCH] spirv: fix use-after-realloc in resolveType()

The pointer to a slot in a hash map was fetched before a recursive call. If the hash map's size changed during the recursive call, this would write to an invalid pointer. The solution is to use an index instead of a pointer. Note that care must be taken that resolved types (from the type_cahce) must not be accessed, as they might be incomplete during this operation.
---
 src/codegen/spirv/Module.zig | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/codegen/spirv/Module.zig b/src/codegen/spirv/Module.zig
index 7ae6cb0c6a..be8e5b24d1 100644
--- a/src/codegen/spirv/Module.zig
+++ b/src/codegen/spirv/Module.zig
@@ -393,11 +393,14 @@ pub fn resolveSourceFileName(self: *Module, decl: *ZigDecl) !IdRef {
 /// be emitted at this point.
 pub fn resolveType(self: *Module, ty: Type) !Type.Ref {
     const result = try self.type_cache.getOrPut(self.gpa, ty);
+    const index = @intToEnum(Type.Ref, result.index);
+
     if (!result.found_existing) {
-        result.value_ptr.* = try self.emitType(ty);
+        const ref = try self.emitType(ty);
+        self.type_cache.values()[result.index] = ref;
     }
-    return @intToEnum(Type.Ref, result.index);
+    return index;
 }
 
 pub fn resolveTypeId(self: *Module, ty: Type) !IdResultType {