Closed
Bug 1292402
Opened 8 years ago
Closed 8 years ago
Use of uninitialised value in [@mozilla::gfx::FilterProcessing::DoUnpremultiplicationCalculation_SSE2]
Categories
(Core :: Graphics: Canvas2D, defect)
Tracking
()
RESOLVED
FIXED
mozilla51
Tracking | Status | |
---|---|---|
firefox51 | --- | fixed |
People
(Reporter: tsmith, Assigned: eflores)
References
(Blocks 1 open bug)
Details
(Keywords: csectype-uninitialized, testcase, Whiteboard: [gfx-noted][adv-main51-])
Attachments
(3 files, 1 obsolete file)
Found with Valgrind. Use of uninitialised value of size 8 at 0x11BB8017: _mm_set_epi16 (emmintrin.h:593) by 0x11BB8017: _mm_setr_epi16 (emmintrin.h:660) by 0x11BB8017: FromU16<__vector(2) long long int> (SIMD.h:837) by 0x11BB8017: DoUnpremultiplicationCalculation_SIMD<__vector(2) long long int, __vector(2) long long int> (FilterProcessingSIMD-inl.h:940) by 0x11BB8017: mozilla::gfx::FilterProcessing::DoUnpremultiplicationCalculation_SSE2(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, unsigned char*, int, unsigned char*, int) (FilterProcessingSSE2.cpp:95) Uninitialised value was created by a heap allocation at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) by 0x11BF0C70: Realloc (Tools.h:181) by 0x11BF0C70: mozilla::gfx::SourceSurfaceAlignedRawData::Init(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SurfaceFormat, bool) (SourceSurfaceRawData.cpp:61) see log.txt for full log.
Reporter | ||
Comment 1•8 years ago
|
||
Reporter | ||
Updated•8 years ago
|
Summary: Use of uninitialised in [@mozilla::gfx::FilterProcessing::DoUnpremultiplicationCalculation_SSE2] → Use of uninitialised value in [@mozilla::gfx::FilterProcessing::DoUnpremultiplicationCalculation_SSE2]
Comment 2•8 years ago
|
||
In DoUnpremultiplicationCalculation_SSE2 and friends, should we be verifying the size is actually a multiple of 4? We don't seem to be doing so, but in the test case the size requested for the canvas is definitely not.
Flags: needinfo?(mstange)
Whiteboard: [gfx-noted]
Reporter | ||
Updated•8 years ago
|
Flags: in-testsuite?
Comment 3•8 years ago
|
||
This code is somewhat intentionally using uninitialized values and may even propagate values derived from them into other surfaces, but the idea is that all those values will be ignored in the final surface (and during the final draw operation) because they'll be outside the declared size of the surface. That said, it probably wouldn't hurt too much to zero out just the alignment padding at the right edge of the surface after allocation.
Flags: needinfo?(mstange)
Updated•8 years ago
|
Assignee: nobody → edwin
Assignee | ||
Comment 4•8 years ago
|
||
I can't reproduce the warning, but this patch should fix it.
Attachment #8780169 -
Flags: review?(mstange)
Assignee | ||
Comment 5•8 years ago
|
||
Comment on attachment 8780169 [details] [diff] [review] 1292402.patch On second thought, this happens a bunch of times in that file. I'll go through and put up a more exhaustive patch.
Attachment #8780169 -
Flags: review?(mstange)
Comment 6•8 years ago
|
||
Comment on attachment 8780169 [details] [diff] [review] 1292402.patch Review of attachment 8780169 [details] [diff] [review]: ----------------------------------------------------------------- thanks ::: gfx/2d/FilterNodeSoftware.cpp @@ +1724,5 @@ > } > } > + > + // Zero padding to keep valgrind happy. > + memset(&targetData[y * targetStride + sourceStride * BytesPerPixel], 0, Could you use PodZero instead?
Comment 7•8 years ago
|
||
oh
Assignee | ||
Comment 8•8 years ago
|
||
This should be all of it. There was a bug in the original patch as well, which assumed that the stride was in pixels instead of bytes. Then valgrind would have had two things to complain about. :)
Attachment #8780169 -
Attachment is obsolete: true
Attachment #8780471 -
Flags: review?(mstange)
Updated•8 years ago
|
Attachment #8780471 -
Flags: review?(mstange) → review+
Assignee | ||
Comment 9•8 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/b0e580940a42734ceada1375199f04bf0e138080
https://hg.mozilla.org/mozilla-central/rev/b0e580940a42
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla51
Updated•8 years ago
|
Group: gfx-core-security → core-security-release
Updated•7 years ago
|
Whiteboard: [gfx-noted] → [gfx-noted][adv-main51-]
Updated•7 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•