Closed Bug 625773 Opened 15 years ago Closed 15 years ago

uninitialised value use in FastConvertYUVToRGB32Row

Categories

(Core :: Graphics, defect)

x86_64
Linux
defect
Not set
normal

Tracking


RESOLVED FIXED
mozilla2.0b10

People

(Reporter: jseward, Assigned: derf)

Details

Attachments

(1 file)

M-C of 15 Jan 2011. x64-linux release build, "--disable-jemalloc", "-g -O2". TEST_PATH=content/media/test/test_playback.html produces the error shown below.

On peering at the assembly (this is handwritten assembly):

0000000001547000 <FastConvertYUVToRGB32Row>:
 1547000: 48 8d 05 79 01 d3 00    lea 0xd30179(%rip),%rax   # 2277180 <kCoefficientsRgbY>
 1547007: eb 5e                   jmp 1547067 <FastConvertYUVToRGB32Row+0x67>
0: (loop head)
 1547009: 4c 0f b6 16             movzbq (%rsi),%r10
 154700d: 48 83 c6 01             add $0x1,%rsi
 1547011: 4c 0f b6 1a             movzbq (%rdx),%r11
 1547015: 48 83 c2 01             add $0x1,%rdx
 1547019: f3 42 0f 7e 84 d0 00    movq 0x800(%rax,%r10,8),%xmm0

What is uninitialised is the address expression "0x800(%rax,%r10,8)", so either rax or r10 (or both) contain at least one bit which is undefined.

Thread 19:
Use of uninitialised value of size 8
   at 0x6592019: FastConvertYUVToRGB32Row (gfx/ycbcr/yuv_row_posix.cpp:69)
   by 0x6591195: mozilla::gfx::ConvertYCbCrToRGB32 (gfx/ycbcr/yuv_convert.cpp:113)
   by 0x65612C8: mozilla::layers::BasicPlanarYCbCrImage::SetData (gfx/layers/basic/BasicImages.cpp:231)
   by 0x5D1DA62: VideoData::Create (content/media/nsBuiltinDecoderReader.cpp:153)
   by 0x5D310E2: nsOggReader::DecodeTheora (content/media/ogg/nsOggReader.cpp:568)
   by 0x5D314E0: nsOggReader::DecodeVideoFrame (content/media/ogg/nsOggReader.cpp:622)
   by 0x5D1E578: nsBuiltinDecoderReader::DecodeVideoFrame() (content/media/nsBuiltinDecoderReader.h:527)
   by 0x5D1E645: VideoData* nsBuiltinDecoderReader::DecodeToFirstData (content/media/nsBuiltinDecoderReader.cpp:314)
   by 0x5D1D748: nsBuiltinDecoderReader::FindStartTime (content/media/nsBuiltinDecoderReader.cpp:276)
   by 0x5D19D5F: nsBuiltinDecoderStateMachine::FindStartTime (content/media/nsBuiltinDecoderStateMachine.cpp:1375)
   by 0x5D1C50D: nsBuiltinDecoderStateMachine::Run (content/media/nsBuiltinDecoderStateMachine.cpp:938)
   by 0x64921DD: nsThread::ProcessNextEvent (xpcom/threads/nsThread.cpp:633)
 Uninitialised value was created by a heap allocation
   at 0x4C27878: malloc (vg_replace_malloc.c:236)
   by 0x5D2810D: oc_aligned_malloc (media/libtheora/lib/internal.c:103)
   by 0x5D29D7C: oc_state_init (media/libtheora/lib/state.c:586)
   by 0x5D234C8: th_decode_alloc (media/libtheora/lib/decode.c:374)
   by 0x5D2D6A4: nsTheoraState::Init() (content/media/ogg/nsOggCodecState.cpp:190)
   by 0x5D30784: nsOggReader::ReadMetadata() (content/media/ogg/nsOggReader.cpp:290)
   by 0x5D1A922: nsBuiltinDecoderStateMachine::LoadMetadata() (content/media/nsBuiltinDecoderStateMachine.cpp:1451)
   by 0x5D2CBC8: nsOggDecoderStateMachine::LoadMetadata() (content/media/ogg/nsOggDecoderStateMachine.cpp:51)
   by 0x5D1C4FB: nsBuiltinDecoderStateMachine::Run() (content/media/nsBuiltinDecoderStateMachine.cpp:933)
   by 0x64921DD: nsThread::ProcessNextEvent(int, int*) (xpcom/threads/nsThread.cpp:633)
   by 0x644F2F3: NS_ProcessNextEvent_P(nsIThread*, int) (ff-opt/xpcom/build/nsThreadUtils.cpp:250)
   by 0x6492C84: nsThread::ThreadFunc(void*) (xpcom/threads/nsThread.cpp:278)
Attached patch: Patch version 1.
This was actually a libtheora bug. I've just committed a patch upstream in r17780. This was harmless (instead of clearing the desired reference frame, it actually cleared most of the current frame's buffer, and some of the padding to the side), but did lead to unpredictable output for streams that started without a keyframe. For reference, the file that triggered this behavior was content/media/test/bug498380.ogv I've verified on a local 64-bit Linux build that this fixes the problem.
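The comments above describe the failure mode without showing it: a decoder allocates its reference-frame buffers from the heap, the routine meant to clear a given reference frame clears a different buffer instead, and a stream that starts without a keyframe then predicts from never-written bytes, which end up as the index into the YUV-to-RGB lookup table (the "0x800(%rax,%r10,8)" address Valgrind flagged). The following is an added example that models that sequence; it is not libtheora's or Firefox's code, and every name, the frame geometry, the padding layout and the exact shape of the buggy memset are assumptions made for illustration. Because a real uninitialised read is non-deterministic (and undefined behaviour), the buffers are poisoned with a known byte so the consequence is observable in a test.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Model parameters: assumptions for this example, not libtheora's real layout. */
enum { NUM_REF = 3, W = 16, H = 8, PAD = 4, STRIDE = W + 2 * PAD,
       FRAME_BYTES = STRIDE * H, POISON = 0xAA };

typedef struct {
    uint8_t *ref[NUM_REF];   /* Y-plane buffers, each with PAD border columns on both sides */
    int cur;                 /* index of the buffer the current frame decodes into */
} dec_state;

/* Allocate the reference buffers and fill them with POISON, a deterministic
   stand-in for heap memory that was never written (hypothetical helper). */
static void state_init(dec_state *s) {
    for (int i = 0; i < NUM_REF; i++) {
        s->ref[i] = malloc(FRAME_BYTES);
        memset(s->ref[i], POISON, FRAME_BYTES);
    }
    s->cur = 0;
}

static void state_free(dec_state *s) {
    for (int i = 0; i < NUM_REF; i++) free(s->ref[i]);
}

/* Buggy variant (modelled, not the real libtheora code): the requested index is
   ignored and the memset runs over the *current* frame's buffer, starting part-way
   into the left border, so it wipes most of that frame plus some padding while
   the reference frame that was asked for stays untouched. */
static void clear_ref_frame_buggy(dec_state *s, int want) {
    (void)want;
    uint8_t *buf = s->ref[s->cur];
    memset(buf + PAD / 2, 0, FRAME_BYTES - PAD / 2);
}

/* Fixed variant: clear the whole buffer of the reference frame that was requested. */
static void clear_ref_frame_fixed(dec_state *s, int want) {
    memset(s->ref[want], 0, FRAME_BYTES);
}

/* Count interior (non-border) bytes of frame idx that still hold POISON, i.e.
   bytes that would be consumed as pixel data without ever having been written. */
static int count_uninit_pixels(const dec_state *s, int idx) {
    int n = 0;
    for (int y = 0; y < H; y++)
        for (int x = 0; x < W; x++)
            if (s->ref[idx][y * STRIDE + PAD + x] == POISON) n++;
    return n;
}

/* Table-driven luma-to-grey conversion of one row, mirroring the shape of the
   lookup in the trace: the pixel byte is the table index, so an unwritten byte
   turns into an undefined address. The table itself is a toy (grey ramp). */
static const uint32_t *grey_table(void) {
    static uint32_t t[256];
    static int ready;
    if (!ready) {
        for (int i = 0; i < 256; i++) t[i] = 0xFF000000u | (uint32_t)i * 0x010101u;
        ready = 1;
    }
    return t;
}

static void convert_row(const uint8_t *y_row, uint32_t *out, int n) {
    const uint32_t *t = grey_table();
    for (int i = 0; i < n; i++) out[i] = t[y_row[i]];
}

/* Run one clear routine, then report how many interior bytes of frame `check`
   were never written. Models "first frame predicts from reference `want`". */
static int uninit_pixels_after_clear(void (*clear)(dec_state *, int), int want, int check) {
    dec_state s;
    state_init(&s);
    clear(&s, want);
    int n = count_uninit_pixels(&s, check);
    state_free(&s);
    return n;
}

/* Same scenario, but return the first converted pixel of the predicted row:
   0xFF000000 if the reference was cleared, 0xFFAAAAAA if it still held POISON. */
static uint32_t first_pixel_after_clear(void (*clear)(dec_state *, int), int want) {
    dec_state s;
    uint32_t row[W];
    state_init(&s);
    clear(&s, want);
    convert_row(s.ref[want] + PAD, row, W);
    state_free(&s);
    return row[0];
}

int main(void) {
    printf("buggy: %d unwritten bytes in ref 1, first pixel 0x%08X\n",
           uninit_pixels_after_clear(clear_ref_frame_buggy, 1, 1),
           first_pixel_after_clear(clear_ref_frame_buggy, 1));
    printf("fixed: %d unwritten bytes in ref 1, first pixel 0x%08X\n",
           uninit_pixels_after_clear(clear_ref_frame_fixed, 1, 1),
           first_pixel_after_clear(clear_ref_frame_fixed, 1));
    return 0;
}
```

The poison fill is the practical point: under a normal build the buggy variant reads whatever malloc handed back and the output merely looks wrong some of the time, which is how this bug survived as "unpredictable output". Poisoning allocations in debug builds (or running under Valgrind, as the reporter did) turns that into a deterministic, checkable failure, and a table lookup indexed by a pixel byte is exactly the pattern where an unwritten byte becomes an undefined address.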
Assignee: nobody → tterribe
Status: NEW → ASSIGNED
Attachment #504052 - Flags: review?(chris)
Attachment #504052 - Flags: review?(chris) → review+
Attachment #504052 - Flags: approval2.0?
Keywords: checkin-needed
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
Target Milestone: --- → mozilla2.0b10
