Created attachment 83211 [details] test document Opening the attached file with LibreOffice with enabled anti-aliasing will crash the Intel Xorg driver (see launchpad bug for details). While a crashing driver is not our bug, it might still be worth a look to see if we are asking anything illegal from X or if we can workaround the driver bug easily.
Observable with LO 3.5 trough 4.1 -> confirming. Feel free to close as NOTOURBUG, if we do not want to make such workarounds.
Created attachment 86883 [details] [review] proposed patch Program received signal SIGSEGV, Segmentation fault. 0x00000033834488f6 in rasterize_edges_8 (image=<optimized out>, image=<optimized out>, image=<optimized out>, b=<optimized out>, t=<optimized out>, r=<optimized out>, l=<optimized out>) at pixman-edge.c:210 210 WRITE (image, ap + lxi, (gdb) bt #0 0x00007f895bdd38f6 in rasterize_edges_8 (image=<optimized out>, image=<optimized out>, image=<optimized out>, b=<optimized out>, t=<optimized out>, r=<optimized out>, l=<optimized out>) at pixman-edge.c:210 #1 pixman_rasterize_edges_no_accessors (b=<optimized out>, t=<optimized out>, r=<optimized out>, l=<optimized out>, image=<optimized out>) at pixman-edge.c:359 #2 pixman_rasterize_edges (image=0xffffffff, image@entry=0x1cc9bc0, l=0x7fff8dcfd410, r=0x7fff8dcfd440, t=1055852681, b=2147481463) at pixman-edge.c:382 #3 0x00007f895bdf109e in pixman_rasterize_trapezoid (image=image@entry=0x1cc9bc0, trap=trap@entry=0x1bf02a8, x_off=129, y_off=0) at pixman-trap.c:386 #4 0x00007f895aff6623 in uxa_trapezoids (op=<optimized out>, src=0x1cd7b10, dst=0x1cd5950, maskFormat=0x16a6eb8, xSrc=<optimized out>, ySrc=<optimized out>, ntrap=<optimized out>, traps=0x1bf02a8) at uxa-render.c:1816 #5 0x00000000005251bf in ProcRenderTrapezoids (client=0x1be9030) at render.c:759 #6 0x000000000043a137 in Dispatch () at dispatch.c:432 #7 0x00000000004286ca in main (argc=12, argv=0x7fff8dcfd788, envp=<optimized out>) at main.c:298 (gdb) fram 3 #3 0x00007f895bdf109e in pixman_rasterize_trapezoid (image=image@entry=0x1cc9bc0, trap=trap@entry=0x1bf02a8, x_off=129, y_off=0) at pixman-trap.c:386 386 pixman_rasterize_edges (image, &l, &r, t, b); (gdb) list 359 354 pixman_fixed_t y_off_fixed; 355 pixman_edge_t l, r; 356 pixman_fixed_t t, b; 357 358 return_if_fail (image->type == BITS); 359 360 _pixman_image_validate (image); 361 362 if (!pixman_trapezoid_valid (trap)) 363 return; ... 380 if (b >= t) 381 { 382 /* initialize edge walkers */ 383 pixman_line_fixed_edge_init (&l, bpp, t, &trap->left, x_off, y_off); 384 pixman_line_fixed_edge_init (&r, bpp, t, &trap->right, x_off, y_off); 385 386 pixman_rasterize_edges (image, &l, &r, t, b); 387 } 388 } (gdb) p *trap $8 = {top = 32768, bottom = -2147483648, left = {p1 = {x = -8454144, y = 32768}, p2 = {x = -8454144, y = -2147483648}}, right = {p1 = { x = -8388608, y = 32768}, p2 = {x = -8388608, y = -2147483648}}} from pixman.h 1029 /* whether 't' is a well defined not obviously empty trapezoid */ 1030 #define pixman_trapezoid_valid(t) \ 1031 ((t)->left.p1.y != (t)->left.p2.y && \ 1032 (t)->right.p1.y != (t)->right.p2.y && \ 1033 (int) ((t)->bottom - (t)->top) > 0) <--- haw haw 1034 An underflow . The proposed patch checks if bottom > 0 (assuming top/bottom are non-negative integer )
Created attachment 87290 [details] [review] proposed patch
Additionally, been pushed for xserver http://lists.x.org/archives/xorg-devel/2013-October/037996.html
Thanks for the patch. Do you mind sending it to pixman@lists.freedesktop.org for review?
Also, if you have a test that demonstrates the issue, it would be valuable to add to the test suite in the pixman/test directory.
Created attachment 87659 [details] [review] proposed patch with test case posted for review at http://lists.freedesktop.org/archives/pixman/2013-October/003087.html
Thanks for the test case, that's much appreciated. Just a few comments: - We might as well extend the existing trap-crasher test instead of adding a new one that is a near duplicate. - The test should ideally be added in its own commit before the fix so that it's easy to verify that the fix actually fixes the test case - We need all patches to go through the mailing list, including this updated one. I have added you to the mailman whitelist, so it won't get stuck in moderation if you send it.
Created attachment 87924 [details] [review] test case
Created attachment 87925 [details] [review] proposed patch
Fixed in commit 2f876cf86718d3dd9b3b04ae9552530edafe58a1 in pixman.
Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.