[Backport] CVE-2024-2885: Use after free in Dawn

Manual cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/external/github.com/microsoft/DirectXShaderCompiler/+/5383595:
Fix HLMatrixLowerPass leaving call to dangling FunctionVal

When lowering an hl.cast, when the operand was an undef matrix, the pass would insert a call to a mat2vec stub, but since the undef value is not
an alloca, it never gets handled, and the call to the temporary stub
remains. Since the stub FunctionVal gets deleted, when the instruction
is accessed in a future pass, it reads a dangling pointer.

The fix is to handle undef similarly to how constant 0 is handled, and
to return an undef vector from lowerHLCast.

Bug: chromium:328958020
Change-Id: Id31e3aa326d9cb9f03ea97139f14dc5292cd6f7b
Reviewed-on: https://chromium-review.googlesource.com/c/external/github.com/microsoft/DirectXShaderCompiler/+/5383595
Reviewed-by: Ben Clayton <[email protected]>
Reviewed-by: David Neto <[email protected]>
Reviewed-by: Kenneth Russell <[email protected]>
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/553291
Reviewed-by: Michal Klocek <[email protected]>

Author: amaiorano

chromium/third_party/dawn/third_party/dxc/lib/HLSL/HLMatrixLowerPass.cpp

@@ -381,6 +381,11 @@ Value* HLMatrixLowerPass::getLoweredByValOperand(Value *Val, IRBuilder<> &Builde
   if (isa<ConstantAggregateZero>(Val))
     return ConstantAggregateZero::get(LoweredTy);
 
+  // Lower undef mat as undef vec
+  if (isa<UndefValue>(Val)) {
+      return UndefValue::get(LoweredTy);
+  }
+
   // Return a mat-to-vec translation stub
   FunctionType *TranslationStubTy = FunctionType::get(LoweredTy, { Ty }, /* isVarArg */ false);
   Function *TranslationStub = m_matToVecStubs->get(TranslationStubTy);