Comment 8 for bug 756237

David F. (malteworld) wrote :

I can confirm David Beswick's findings and add a few details.

I experience this bug with versions 0.20.2, 0.22.0 and 0.23.1 (from today's git
master). Please have a look at my attached gdb trace (pixman git master on
Ubuntu 11.04 x86_64, all optimizations disabled (./configure --disable-openmp
--disable-mmx --disable-sse2 --disable-vmx --disable-arm-simd
--disable-arm-neon CFLAGS='-g -O0')).
The interesting parts are:

[...]
#0 0x00007fffea9b64d3 in lookup_composite_function (op=PIXMAN_OP_SRC,
src=0xf93b80, mask=0x0, dest=0xf93fb0, src_x=0, src_y=0, mask_x=0, mask_y=0,
dest_x=0, dest_y=0, width=8, height=1) at ../../pixman/pixman.c:378
        info = 0x8
[...]
rax 0x8 8
[...]
=> 0x7fffea9b64d3 <pixman_image_composite32+883>: mov (%rax),%eax

The corresponding part in pixman/pixman.c:378 is:

369     for (i = 0; i < N_CACHED_FAST_PATHS; ++i)
        {
            const pixman_fast_path_t *info = &(cache->cache[i].fast_path);

            /* Note that we check for equality here, not whether
             * the cached fast path matches. This is to prevent
             * us from selecting an overly general fast path
             * when a more specific one would work.
             */
378         if (info->op == op &&
                info->src_format == src_format &&
                info->mask_format == mask_format &&
                info->dest_format == dest_format &&
                info->src_flags == src_flags &&
                info->mask_flags == mask_flags &&
                info->dest_flags == dest_flags &&
                info->func)
            {
                *out_imp = cache->cache[i].imp;
                *out_func = cache->cache[i].fast_path.func;

                goto update_cache;
            }
392     }

So in line 378 pixman tries to read from a bad pointer.

When I comment out that part of the code, everything seems fine.
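Added illustration (not part of the comment above and not pixman's code): a miniature stand-in for the fast-path cache that shows how a value like info = 0x8 arises, and what the quoted loop would need to avoid reading through it. The struct layout, field types, the format constant 0x20028888 and the entry contents are constructed for this example; that 0x8 equals a NULL cache base plus the offset of the fast_path member is an inference from the trace, not something the bug report states.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Miniature stand-in for pixman's fast-path cache. Field order and types are
 * an assumption made for this illustration, not pixman's real definitions. */
typedef void (*fast_path_func_t)(void);

typedef struct {
    int op;
    int src_format, mask_format, dest_format;
    uint32_t src_flags, mask_flags, dest_flags;
    fast_path_func_t func;
} fast_path_t;

typedef struct {
    void *imp;              /* hypothetical: stands in for pixman_implementation_t * */
    fast_path_t fast_path;
} cache_entry_t;

#define N_CACHED_FAST_PATHS 8
typedef struct { cache_entry_t cache[N_CACHED_FAST_PATHS]; } cache_t;

/* Address that &(cache->cache[0].fast_path) evaluates to when cache is NULL:
 * nothing but the member offset. With one pointer ahead of fast_path in each
 * entry that is sizeof(void *), i.e. 8 on x86_64, the same small value the
 * gdb frame shows in `info` and %rax. */
size_t null_cache_info_address(void)
{
    return offsetof(cache_t, cache) + offsetof(cache_entry_t, fast_path);
}

/* Same equality lookup as the quoted loop, plus the guard it lacks: a NULL
 * cache is reported as a miss instead of being dereferenced.
 * Returns 1 and sets *out_func on a hit, 0 otherwise. */
int lookup_cached_fast_path(const cache_t *cache, int op,
                            int src_format, int mask_format, int dest_format,
                            uint32_t src_flags, uint32_t mask_flags, uint32_t dest_flags,
                            fast_path_func_t *out_func)
{
    if (cache == NULL)
        return 0;

    for (int i = 0; i < N_CACHED_FAST_PATHS; ++i) {
        const fast_path_t *info = &cache->cache[i].fast_path;

        if (info->op == op &&
            info->src_format == src_format &&
            info->mask_format == mask_format &&
            info->dest_format == dest_format &&
            info->src_flags == src_flags &&
            info->mask_flags == mask_flags &&
            info->dest_flags == dest_flags &&
            info->func) {
            *out_func = info->func;
            return 1;
        }
    }
    return 0;
}

static void demo_func(void) {}

/* Builds a cache with a single populated entry (constructed sample data). */
void fill_demo_cache(cache_t *cache)
{
    memset(cache, 0, sizeof *cache);
    cache->cache[3].fast_path.op = 1;                    /* "SRC" in this toy numbering */
    cache->cache[3].fast_path.src_format = 0x20028888;   /* a8r8g8b8-like value, constructed */
    cache->cache[3].fast_path.dest_format = 0x20028888;
    cache->cache[3].fast_path.func = demo_func;
}

int main(void)
{
    cache_t c;
    fast_path_func_t f = NULL;

    fill_demo_cache(&c);
    printf("NULL-based info address: 0x%zx\n", null_cache_info_address());
    printf("hit on populated entry:  %d\n",
           lookup_cached_fast_path(&c, 1, 0x20028888, 0, 0x20028888, 0, 0, 0, &f));
    printf("miss on different op:    %d\n",
           lookup_cached_fast_path(&c, 2, 0x20028888, 0, 0x20028888, 0, 0, 0, &f));
    printf("NULL cache handled:      %d\n",
           lookup_cached_fast_path(NULL, 1, 0x20028888, 0, 0x20028888, 0, 0, 0, &f));
    return 0;
}
```

The guard is only a way to make the symptom visible as a miss rather than a crash; whatever hands the loop a NULL cache base in the real library is the actual defect and is not identified here.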