Bug 90627 - crash in sse2_blt
Summary: crash in sse2_blt
Status: RESOLVED MOVED
Alias: None
Product: cairo
Classification: Unclassified
Component: general
Version: unspecified
Hardware: Other All
Importance: medium normal
Assignee: Chris Wilson
QA Contact: cairo-bugs mailing list
URL: https://bugs.webkit.org/show_bug.cgi?...
Duplicates: 93964
Reported: 2015-05-25 09:38 UTC by (bitlord)
Modified: 2018-08-25 13:38 UTC
CC: 3 users

Attachments:
part of the trace (9.63 KB, text/plain), 2015-05-25 09:38 UTC, (bitlord)
frame3_pixman_image_composite32_src_dest (11.49 KB, text/plain), 2015-05-25 09:39 UTC, (bitlord)
less_optimized_pixman_build (64.36 KB, text/plain), 2015-05-25 14:40 UTC, (bitlord)

Description (bitlord) 2015-05-25 09:38:01 UTC
Created attachment 116022 [details]
part of the trace

The webkitgtk browser crashes on certain pages in sse2_blt. I tested it without SSE2 support enabled in pixman (after rebuilding it); it still crashes in the MMX-optimized function on the same page. I also tried PIXMAN_DISABLE="mmx sse2 ssse3", and with those disabled I wasn't able to crash it on the same page.
Comment 1 (bitlord) 2015-05-25 09:39:29 UTC
Created attachment 116023 [details]
frame3_pixman_image_composite32_src_dest
Comment 2 (bitlord) 2015-05-25 09:44:28 UTC
Just to add, pixman version used here is 'pixman-0.32.6'
Comment 3 (bitlord) 2015-05-25 14:40:15 UTC
Created attachment 116027 [details]
less_optimized_pixman_build

Not sure if this is any more helpful: I removed some optimizations ... from the build, and I hope this gives better output.
Also, I have a few of the frames disassembled (the first few); if you need them I can attach those too.
Comment 4 Siarhei Siamashka 2015-06-02 01:49:02 UTC
Based on the backtrace, it looks like pixman gets an incorrect source image.

We can see that the source image pixel data is supposed to start at src_bits=0x7fff53dddd7c, it has a height of 19 pixels and a stride of 3600 bytes. Using this information, the pixel data is supposed to end at 0x7fff53dddd7c + 19 + 3600 = 0x7fff53dee8ac.

The crash happens when attempting to read 128-bit SSE data at 0x7fff53dedff4, which means that the page 0x7fff53dee000 is not mapped in the process address space. However, it is supposed to be a part of the image (see the calculations above).

So the pixman caller code is the most likely culprit. It could be the cairo library or something else further down the call stack.
Comment 5 Siarhei Siamashka 2015-10-03 01:38:02 UTC
> the pixel data is supposed to end at 0x7fff53dddd7c + 19 + 3600

There was a typo here and it should read as "0x7fff53dddd7c + 19 * 3600", but this does not change anything.

> also tried to PIXMAN_DISABLE="mmx sse2 ssse3" and with that disabled,
> I wasn't able to crash it on the same page.

Yes, the pixman_blt function just returns FALSE and does nothing in this case. The caller is supposed to take a fallback path and implement this operation in some other way.

Closing the issue as "not our bug" for now.
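The bounds check that comments 4 and 5 work through by hand, as an added C helper that is not part of this bug report or of cairo/pixman: given the source image's bits pointer, height and stride from the backtrace, it computes where the pixel data is claimed to end, which page a 16-byte SSE load at the faulting address reaches, and whether the fault lies inside the claimed buffer (pointing at the caller's image descriptor rather than at pixman). It assumes 4 KiB pages and uses the formula as corrected in comment 5, bits + height * stride.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE 4096ULL  /* assumed: 4 KiB pages, as on x86-64 Linux */

/* Where a faulting read lands relative to the buffer the caller described. */
enum fault_class {
    FAULT_INSIDE_IMAGE,  /* inside the claimed buffer: bad descriptor (caller bug) */
    FAULT_OUTSIDE_IMAGE  /* past the claimed buffer: out-of-bounds read (pixman bug) */
};

/* One-past-the-end of the pixel data, with the formula as corrected in
 * comment 5: bits + height * stride (rows are `stride` bytes apart). */
static uint64_t image_end(uint64_t bits, uint64_t height, uint64_t stride)
{
    return bits + height * stride;
}

/* Start of the page that contains `addr`. */
static uint64_t page_of(uint64_t addr)
{
    return addr & ~(PAGE_SIZE - 1);
}

/* Page that a `len`-byte read at `addr` ends in; if it differs from
 * page_of(addr) the read straddles two pages and both must be mapped. */
static uint64_t last_page_of_read(uint64_t addr, uint64_t len)
{
    return page_of(addr + len - 1);
}

/* Classify a faulting `len`-byte read at `addr` against the image bounds. */
static enum fault_class classify_fault(uint64_t bits, uint64_t height,
                                       uint64_t stride, uint64_t addr, uint64_t len)
{
    if (addr >= bits && addr + len - 1 < image_end(bits, height, stride))
        return FAULT_INSIDE_IMAGE;
    return FAULT_OUTSIDE_IMAGE;
}

int main(void)
{   /* Values quoted from the backtrace in comment 4; 16 bytes = one SSE load. */
    uint64_t bits = 0x7fff53dddd7cULL, fault = 0x7fff53dedff4ULL;
    printf("image end 0x%llx, read reaches page 0x%llx, fault %s the image\n",
           (unsigned long long)image_end(bits, 19, 3600),
           (unsigned long long)last_page_of_read(fault, 16),
           classify_fault(bits, 19, 3600, fault, 16) == FAULT_INSIDE_IMAGE ? "inside" : "outside");
    return 0;
}
```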
Comment 6 Michael Catanzaro 2016-03-06 17:10:29 UTC
*** Bug 93964 has been marked as a duplicate of this bug. ***
Comment 7 Luka Napotnik 2017-03-02 09:43:47 UTC
Hello,

I've hit a similar problem with the same backtrace, but it is extremely hard to reproduce. Are there any updates about this bug?
Comment 8 GitLab Migration User 2018-08-25 13:38:10 UTC
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug via this link to our GitLab instance: https://gitlab.freedesktop.org/cairo/cairo/issues/111.
