Created attachment 105142
cairo script

valgrind --track-origins=yes util/cairo-script/.libs/csi-replay surf.trace reports

==27834== Invalid read of size 4
==27834==    at 0x4ED0A3F: _upload_image_inplace (cairo/src/cairo-xcb-surface-render.c:2811)
==27834==    by 0x4ED1769: _clip_and_composite_boxes (cairo/src/cairo-xcb-surface-render.c:3109)
==27834==    by 0x4ED402B: _cairo_xcb_render_compositor_fill (cairo/src/cairo-xcb-surface-render.c:3848)
==27834==    by 0x4E5CA36: _cairo_compositor_fill (cairo/src/cairo-compositor.c:203)
==27834==    by 0x4ECA08D: _cairo_xcb_surface_fill (cairo/src/cairo-xcb-surface.c:1013)
==27834==    by 0x4EA1D13: _cairo_surface_fill (cairo/src/cairo-surface.c:2315)
==27834==    by 0x4EA1D13: _cairo_surface_fill (cairo/src/cairo-surface.c:2315)
==27834==    by 0x4E6443B: _cairo_gstate_fill (cairo/src/cairo-gstate.c:1317)
==27834==    by 0x4E5DFE8: _cairo_default_context_fill (cairo/src/cairo-default-context.c:1055)
==27834==    by 0x4E579D4: cairo_fill (cairo/src/cairo.c:2205)
==27834==    by 0x4C1BC5A: _do_cairo_op (cairo/util/cairo-script/cairo-script-operators.c:581)
==27834==    by 0x4C1A865: csi_object_execute (cairo/util/cairo-script/cairo-script-objects.c:631)
==27834==    by 0x4C28A47: token_end.isra.13 (cairo/util/cairo-script/cairo-script-scanner.c:165)
==27834==    by 0x4C2944F: _scan_file (cairo/util/cairo-script/cairo-script-scanner.c:1092)
==27834==    by 0x4C29DB5: _csi_scan_file (cairo/util/cairo-script/cairo-script-scanner.c:1406)
==27834==    by 0x4C1A8E3: csi_object_execute (cairo/util/cairo-script/cairo-script-objects.c:636)
==27834==    by 0x4C197A7: cairo_script_interpreter_run (cairo/util/cairo-script/cairo-script-interpreter.c:562)
==27834==    by 0x40102E: main (cairo/util/cairo-script/csi-replay.c:355)
==27834==  Address 0x596e524 is 20 bytes after a block of size 352 alloc'd
==27834==    at 0x4A0645D: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==27834==    by 0x4EA75BC: cairo_surface_create_for_rectangle (cairo/src/cairo-surface-subsurface.c:465)
==27834==    by 0x4C23F3E: _subsurface (cairo/util/cairo-script/cairo-script-operators.c:5731)
==27834==    by 0x4C1A865: csi_object_execute (cairo/util/cairo-script/cairo-script-objects.c:631)
==27834==    by 0x4C28A47: token_end.isra.13 (cairo/util/cairo-script/cairo-script-scanner.c:165)
==27834==    by 0x4C2944F: _scan_file (cairo/util/cairo-script/cairo-script-scanner.c:1092)
==27834==    by 0x4C29DB5: _csi_scan_file (cairo/util/cairo-script/cairo-script-scanner.c:1406)
==27834==    by 0x4C1A8E3: csi_object_execute (cairo/util/cairo-script/cairo-script-objects.c:636)
==27834==    by 0x4C197A7: cairo_script_interpreter_run (cairo/util/cairo-script/cairo-script-interpreter.c:562)
==27834==    by 0x40102E: main (cairo/util/cairo-script/csi-replay.c:355)

cairo configured with (at least):
--enable-xlib-xcb
--enable-valgrind=no

csi-replay.c patched so that SINGLE_SURFACE is #defined 0

The problem seems to be that _upload_image_inplace (src/cairo-xcb-surface-render.c:2804) casts pattern->surface to an image_surface, which is not always right, even if pattern->surface->type == CAIRO_SURFACE_TYPE_IMAGE.

It seems that none of the tests in test/*.c exercises that code path with pattern->surface->backend->type == CAIRO_SURFACE_TYPE_SUBSURFACE.

From a quick reading of the code I'd say a possible alternative is to cast the result of:

_cairo_pattern_get_source (pattern, NULL);

or

_cairo_surface_get_source (pattern->surface, NULL);

instead of pattern->surface.
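To make the reporter's analysis concrete, here is an added C model (not cairo's code; the structs, enum values and function names are simplified stand-ins for cairo's real ones) of why `pattern->surface->type == CAIRO_SURFACE_TYPE_IMAGE` does not justify the cast when the surface is a subsurface, and of the unwrap-then-check approach the report suggests via `_cairo_surface_get_source`:

```c
/* Simplified model of cairo's surface hierarchy, constructed for this example (not
 * cairo's real structs). A subsurface inherits its target's public type. */
typedef enum { SURFACE_IMAGE, SURFACE_XCB, SURFACE_SUBSURFACE } surface_type_t;

typedef struct surface {
    surface_type_t type;         /* what cairo_surface_get_type() would report */
    surface_type_t backend_type; /* the concrete struct behind this pointer */
} surface_t;
typedef struct {
    surface_t base;
    int width, height, stride;   /* read through a subsurface_t: the invalid read */
} image_surface_t;
typedef struct {
    surface_t base;
    surface_t *target;           /* the surface this is a window onto */
    int x, y, width, height;
} subsurface_t;

static void image_init(image_surface_t *img, int w, int h, int stride)
{
    img->base.type = img->base.backend_type = SURFACE_IMAGE;
    img->width = w; img->height = h; img->stride = stride;
}

/* Mirrors cairo_surface_create_for_rectangle: public type is copied from the target. */
static void subsurface_init(subsurface_t *sub, surface_t *target, int x, int y, int w, int h)
{
    sub->base.type = target->type;
    sub->base.backend_type = SURFACE_SUBSURFACE;
    sub->target = target;
    sub->x = x; sub->y = y; sub->width = w; sub->height = h;
}

/* Models _cairo_surface_get_source: peel subsurfaces down to the pixel holder. */
static surface_t *surface_get_source(surface_t *s)
{
    while (s->backend_type == SURFACE_SUBSURFACE)
        s = ((subsurface_t *) s)->target;
    return s;
}

/* Safe stride lookup: unwrap, verify the concrete backend, then cast.
 * Returns -1 when no image surface is behind the pattern source. */
static int source_image_stride(surface_t *s)
{
    surface_t *src = surface_get_source(s);
    if (src->backend_type != SURFACE_IMAGE) return -1;
    return ((image_surface_t *) src)->stride;
}
```

The model also handles a subsurface of a subsurface, which the loop in `surface_get_source` unwraps to the underlying image.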
commit 545444ec1f79eab268647e9859efc9c8d1a10391
Author: Uli Schlachter <psychon@znc.in>
Date:   Sat Aug 23 14:38:36 2014 +0200

    xcb: Correctly check for image surface for inplace upload

    Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=82987
    Signed-off-by: Uli Schlachter <psychon@znc.in>