[15] ANGLE Metal: zero-init return for functions missing return statements
Severity: Medium | Component: ANGLE MSL translator | e539895
Rated Medium because the observable effect is garbage memory ... written to the framebuffer per the commit message, reachable from any web origin via WebGL2 and readPixels; the leak is passive (attacker observes but does not choose) and bounded by what Metal's compiler leaves in the return slot in practice.
Source/ThirdParty/ANGLE/src/compiler/translator/msl/TranslatorMSL.cpp
+#include "compiler/translator/tree_ops/AddDefaultReturnStatements.h"
...
+ if (!sh::AddDefaultReturnStatements(this, root))
+ return false;
+
if (!WrapMain(*this, idGen, *root))
return false;
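Review bot: the new early return on `if (!sh::AddDefaultReturnStatements(this, root))` mirrors the `WrapMain` check below it, but the hunk shows no diagnostic being recorded on that path; if the pass can fail without having reported through the translator's diagnostics, a shader would be rejected with no message, so confirm the pass reports before it returns false. Minor style point: the pass takes `root` by pointer while the adjacent `WrapMain(*this, idGen, *root)` takes it by reference; worth aligning the two while the pass is being moved into the common tree_ops folder.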
Patch Details
The AddDefaultReturnStatements tree-op pass (previously HLSL-only) is moved from tree_ops/hlsl/ to the common tree_ops/ folder and invoked as the first transformation in TranslatorMSL::translateImpl(), before WrapMain. Two WebGL2 regression tests verify zero-init for vector and struct return types when GLSL functions fall off the end without an explicit return.
The root cause is a failure to normalize GLSL's permissive end-of-function semantics to MSL's stricter rules, which left a backend-specific undefined-behavior path that surfaces uninitialized GPU-thread memory.
Background
ANGLE translates WebGL's GLSL ES sources to platform-native shading languages — HLSL, MSL, SPIR-V. GLSL ES allows non-void functions to lack a guaranteed return on every control-flow path; reaching the end is permitted and yields an unspecified value. MSL treats falling off the end of a non-void function as undefined behaviour — the Metal compiler may emit code that returns whatever lives in the return register/stack slot. AddDefaultReturnStatements walks the AST and appends a zero-initialised return to any function body whose final statement is not a return.
Analysis
When a fragment shader's helper function takes the no-return branch and the caller writes the result to gl_FragColor, the framebuffer pixel ends up containing residual stack/register contents from the GPU thread.
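To make the Background and Analysis concrete, here is an added example that is not ANGLE code: a constructed, source-level approximation of what AddDefaultReturnStatements does on the AST. For every non-void GLSL function whose last top-level statement is not a return, it appends a zero-initialised return of the declared type, so that a helper such as the one feeding gl_FragColor above can no longer reach the closing brace without a value. The sample shader, the struct handling, and the helper names (parse_structs, zero_value, last_top_level_statement, add_default_returns) are all assumptions of this example; the real pass works on the parsed tree, not on text, and handles the full language.

```python
"""Toy, source-level stand-in for ANGLE's AddDefaultReturnStatements pass.

Constructed example, not ANGLE code. Understands a simplified GLSL ES
subset: scalars, vectors, matrices and user structs with scalar/vector
members (no arrays, no qualifiers on return types).
"""
import re

# Zero literals for GLSL ES scalar types.
SCALAR_ZERO = {"float": "0.0", "int": "0", "uint": "0u", "bool": "false"}
# Function definition header at file scope: `<type> <name>(...) {`.
FUNC_HEADER = re.compile(r"\b(\w+)\s+(\w+)\s*\(([^)]*)\)\s*\{")
# `struct <Name> { ...members... }`.
STRUCT_DEF = re.compile(r"\bstruct\s+(\w+)\s*\{([^}]*)\}")


def parse_structs(src):
    """Map struct name -> list of member types in declaration order."""
    structs = {}
    for m in STRUCT_DEF.finditer(src):
        members = []
        for decl in m.group(2).split(";"):
            decl = decl.strip()
            if decl:
                member_type, names = decl.split(None, 1)
                members.extend([member_type] * len(names.split(",")))  # `float a, b;`
        structs[m.group(1)] = members
    return structs


def zero_value(type_name, structs):
    """Spell the zero-initialised constructor expression for a GLSL type."""
    if type_name in SCALAR_ZERO:
        return SCALAR_ZERO[type_name]
    vec = re.fullmatch(r"([biu]?)vec([234])", type_name)
    if vec:
        scalar = {"": "0.0", "b": "false", "i": "0", "u": "0u"}[vec.group(1)]
        return f"{type_name}({', '.join([scalar] * int(vec.group(2)))})"
    mat = re.fullmatch(r"mat([234])(?:x([234]))?", type_name)
    if mat:
        cols, rows = int(mat.group(1)), int(mat.group(2) or mat.group(1))
        return f"{type_name}({', '.join(['0.0'] * (cols * rows))})"
    if type_name in structs:  # zero every member recursively
        return f"{type_name}({', '.join(zero_value(t, structs) for t in structs[type_name])})"
    raise ValueError(f"unsupported return type: {type_name}")


def find_body_end(src, open_idx):
    """Index of the `}` that matches the `{` at open_idx."""
    depth = 0
    for i in range(open_idx, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return i
    raise ValueError("unbalanced braces")


def last_top_level_statement(body):
    """Text of the final statement at brace depth 0 ('' if the body is empty)."""
    brace = paren = 0
    start, last = 0, ""
    for i, ch in enumerate(body):
        if ch == "(":
            paren += 1
        elif ch == ")":
            paren -= 1
        elif ch == "{":
            brace += 1
        elif ch == "}":
            brace -= 1
            if brace == 0:  # end of an if/for/while block: still not a guaranteed return
                last, start = body[start:i + 1].strip(), i + 1
        elif ch == ";" and brace == 0 and paren == 0:
            last, start = body[start:i + 1].strip(), i + 1
    return last


def add_default_returns(src):
    """Return (patched_source, names of non-void functions that got a default return)."""
    structs = parse_structs(src)
    out, patched, pos = [], [], 0
    while (m := FUNC_HEADER.search(src, pos)):
        ret_type, name = m.group(1), m.group(2)
        open_idx = m.end() - 1
        close_idx = find_body_end(src, open_idx)
        out.append(src[pos:close_idx])  # everything up to, not including, the closing brace
        body = src[open_idx + 1:close_idx]
        ends_in_return = re.match(r"return\b", last_top_level_statement(body)) is not None
        if ret_type != "void" and not ends_in_return:
            out.append(f"    return {zero_value(ret_type, structs)};\n")
            patched.append(name)
        pos = close_idx  # skip past the body so nested braces are never re-scanned
    out.append(src[pos:])
    return "".join(out), patched


# Constructed shader: `pick` and `defaultLight` can fall off the end, `half_of` cannot.
SAMPLE_GLSL = """\
precision mediump float;
struct Light { vec3 dir; float intensity; };
varying float v_t;

vec4 pick(float t) {
    if (t > 0.5) {
        return vec4(1.0, 0.0, 0.0, 1.0);
    }
}

Light defaultLight() {
    Light l;
    l.dir = vec3(0.0, 1.0, 0.0);
}

float half_of(float x) {
    return x * 0.5;
}

void main() {
    gl_FragColor = pick(half_of(v_t)) * defaultLight().intensity;
}
"""

if __name__ == "__main__":
    fixed, names = add_default_returns(SAMPLE_GLSL)
    print("patched:", names)
    print(fixed)
```

Running the script shows `pick` gaining `return vec4(0.0, 0.0, 0.0, 0.0);` after its `if` block and `defaultLight` gaining a fully zeroed `Light(...)` constructor, while `half_of` and `main` are untouched; feeding the output back in patches nothing, which is the idempotence a reviewer would expect of the real pass. Used as a lint over shader sources in CI, the `patched` list also flags functions that rely on GLSL's fall-off semantics before they ever reach a stricter backend.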
Examines how a permissive corner of the GLSL spec turns into a content-observable framebuffer leak when crossed into a stricter shading language.
Audit directions
Multiple reusable audit patterns identified across ANGLE's per-backend translator passes, with concrete starting points for divergence-driven variant discovery.