I can confirm David Beswick's findings and add a few details.
I experience this bug with versions 0.20.2, 0.22.0 and 0.23.1 (from today's git
master). Please have a look at my attached gdb trace (pixman git master on
Ubuntu 11.04 x86_64, all optimizations disabled (./configure --disable-openmp
--disable-mmx --disable-sse2 --disable-vmx --disable-arm-simd
--disable-arm-neon CFLAGS='-g -O0')).
The interesting parts are:
[...]
#0 0x00007fffea9b64d3 in lookup_composite_function (op=PIXMAN_OP_SRC,
src=0xf93b80, mask=0x0, dest=0xf93fb0, src_x=0, src_y=0, mask_x=0, mask_y=0,
dest_x=0, dest_y=0, width=8, height=1) at ../../pixman/pixman.c:378
info = 0x8
[...]
rax 0x8 8
[...]
=> 0x7fffea9b64d3 <pixman_image_composite32+883>: mov (%rax),%eax
The corresponding part in pixman/pixman.c:378 is:
369     for (i = 0; i < N_CACHED_FAST_PATHS; ++i)
        {
            const pixman_fast_path_t *info = &(cache->cache[i].fast_path);
            /* Note that we check for equality here, not whether
             * the cached fast path matches. This is to prevent
             * us from selecting an overly general fast path
             * when a more specific one would work.
             */
378         if (info->op == op &&
                info->src_format == src_format &&
                info->mask_format == mask_format &&
                info->dest_format == dest_format &&
                info->src_flags == src_flags &&
                info->mask_flags == mask_flags &&
                info->dest_flags == dest_flags &&
                info->func)
            {
                *out_imp = cache->cache[i].imp;
                *out_func = cache->cache[i].fast_path.func;
                goto update_cache;
            }
392     }
So in line 378 pixman tries to read from a bad pointer.
When I comment out that part of the code, everything seems fine.
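
A triage check for the trace above, as an added example that is not part of the original comment or of pixman's code: it shows that the value info = 0x8 is what &(cache->cache[0].fast_path) evaluates to on a 64-bit build when cache itself is NULL. The struct layout (imp placed before fast_path), the value of N_CACHED_FAST_PATHS and the helper names info_addr, null_base_slot and lookup are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define N_CACHED_FAST_PATHS 8   /* assumed value; the report shows only the name */

/* Assumed stand-ins: the report shows only the member names imp, fast_path, op, func. */
typedef struct { int op; void *func; } fast_path_t;
typedef struct { void *imp; fast_path_t fast_path; } cache_entry_t; /* imp first: assumed */
typedef struct { cache_entry_t cache[N_CACHED_FAST_PATHS]; } cache_t;

/* Address of cache->cache[i].fast_path, in integer arithmetic so no pointer is dereferenced. */
static uintptr_t info_addr(uintptr_t base, size_t i)
{
    return base + offsetof(cache_t, cache) + i * sizeof(cache_entry_t)
                + offsetof(cache_entry_t, fast_path);
}

/* Returns the slot i for which a NULL cache pointer yields fault_addr, or -1 if none does. */
static int null_base_slot(uintptr_t fault_addr)
{
    for (size_t i = 0; i < N_CACHED_FAST_PATHS; ++i)
        if (info_addr(0, i) == fault_addr)
            return (int)i;
    return -1;
}

/* Guarded variant of the loop (illustrative): a NULL cache is reported as a miss. */
static int lookup(const cache_t *cache, int op, void **out_func)
{
    if (cache == NULL)
        return 0;
    for (size_t i = 0; i < N_CACHED_FAST_PATHS; ++i) {
        const fast_path_t *info = &cache->cache[i].fast_path;
        if (info->op == op && info->func) {
            *out_func = info->func;
            return 1;
        }
    }
    return 0;
}

int main(void)
{
    void *f = NULL;
    printf("info for NULL cache, slot 0: %#lx; slot for fault 0x8: %d; lookup(NULL): %d\n",
           (unsigned long)info_addr(0, 0), null_base_slot(0x8), lookup(NULL, 0, &f));
    return 0;
}
```

A faulting address that matches no slot (null_base_slot returns -1) points away from a NULL cache pointer and toward a stale or corrupted one.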