[Gnash-commit] [bug #40315] tummy_trouble.swf segfaults
From: Petter Reinholdtsen
Subject: [Gnash-commit] [bug #40315] tummy_trouble.swf segfaults
Date: Fri, 10 Jan 2014 08:00:28 +0000
User-agent: Opera/9.80 (X11; Linux x86_64) Presto/2.12.388 Version/12.16
Follow-up Comment #6, bug #40315 (project gnash):
I tested the tummy_trouble.swf flash with the current HEAD
(1eaf85f95a8aabb0275447df9500357081bd333a) using valgrind, and got
this crash after playing and entering and exiting rooms.
address@hidden:/scratch/pere/src/gnash$ ./gui/gnash tummy_trouble.swf
==25928== Memcheck, a memory error detector
==25928== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==25928== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==25928== Command: /scratch/pere/src/gnash/gui/.libs/lt-gtk-gnash
tummy_trouble.swf
==25928==
** (lt-gtk-gnash:25928): WARNING **: Couldn't find pixmap file: GnashG.png
==25928== Invalid read of size 2
==25928== at 0x4EF6924: gnash::DynamicShape::lineTo(int, int, int)
(DynamicShape.cpp:207)
==25928== by 0x4FC7228: gnash::(anonymous
namespace)::movieclip_lineTo(gnash::fn_call const&) (MovieClip_as.cpp:1459)
==25928== by 0x4FA3EC4: gnash::NativeFunction::call(gnash::fn_call const&)
(NativeFunction.h:65)
==25928== by 0x506F307: gnash::(anonymous
namespace)::ActionCallMethod(gnash::ActionExec&) (ASHandlers.cpp:2811)
==25928== by 0x50651E9:
gnash::SWF::SWFHandlers::execute(gnash::SWF::ActionType, gnash::ActionExec&)
const (ASHandlers.cpp:432)
==25928== by 0x5078064: gnash::ActionExec::operator()()
(ActionExec.cpp:260)
==25928== by 0x4F5F609: gnash::Function2::call(gnash::fn_call const&)
(Function2.cpp:219)
==25928== by 0x506F307: gnash::(anonymous
namespace)::ActionCallMethod(gnash::ActionExec&) (ASHandlers.cpp:2811)
==25928== by 0x50651E9:
gnash::SWF::SWFHandlers::execute(gnash::SWF::ActionType, gnash::ActionExec&)
const (ASHandlers.cpp:432)
==25928== by 0x5078064: gnash::ActionExec::operator()()
(ActionExec.cpp:260)
==25928== by 0x4F5EE49: gnash::Function::call(gnash::fn_call const&)
(Function.cpp:145)
==25928== by 0x4EDB936: gnash::invoke(gnash::as_value const&,
gnash::as_environment const&, gnash::as_object*,
gnash::FunctionArgs<gnash::as_value>&, gnash::as_object*,
gnash::movie_definition const*) (Global_as.h:185)
==25928== Address 0x18435814 is not stack'd, malloc'd or (recently) free'd
==25928==
==25928== Invalid read of size 1
==25928== at 0x548D069:
gnash::Renderer_agg<agg::pixfmt_alpha_blend_rgba<agg::blender_rgba_pre<agg::rgba8,
agg::order_bgra>, agg::row_accessor<unsigned char>, unsigned int>
>::buildPaths_rounded(std::vector<agg::path_base<agg::vertex_block_storage<double,
8u, 256u> >, std::allocator<agg::path_base<agg::vertex_block_storage<double,
8u, 256u> > > >&, std::vector<gnash::Path, std::allocator<gnash::Path> >
const&, std::vector<gnash::LineStyle, std::allocator<gnash::LineStyle> >
const&) (Renderer_agg.cpp:2208)
==25928== by 0x54C9687:
gnash::Renderer_agg<agg::pixfmt_alpha_blend_rgba<agg::blender_rgba_pre<agg::rgba8,
agg::order_bgra>, agg::row_accessor<unsigned char>, unsigned int>
>::drawShape(std::vector<gnash::FillStyle, std::allocator<gnash::FillStyle> >
const&, std::vector<gnash::LineStyle, std::allocator<gnash::LineStyle> >
const&, std::vector<gnash::Path, std::allocator<gnash::Path> > const&,
gnash::SWFMatrix const&, gnash::SWFCxForm const&) (Renderer_agg.cpp:1180)
==25928== by 0x54CFE4A:
gnash::Renderer_agg<agg::pixfmt_alpha_blend_rgba<agg::blender_rgba_pre<agg::rgba8,
agg::order_bgra>, agg::row_accessor<unsigned char>, unsigned int>
>::drawShape(gnash::SWF::ShapeRecord const&, gnash::Transform const&)
(Renderer_agg.cpp:1141)
==25928== by 0x4F2E068: gnash::MovieClip::draw(gnash::Renderer&,
gnash::Transform const&) (MovieClip.cpp:1201)
==25928== by 0x4F2E111: gnash::MovieClip::display(gnash::Renderer&,
gnash::Transform const&) (MovieClip.cpp:1216)
==25928== by 0x4F66662: gnash::DisplayList::display(gnash::Renderer&,
gnash::Transform const&) (DisplayList.cpp:593)
==25928== by 0x4F2E07A: gnash::MovieClip::draw(gnash::Renderer&,
gnash::Transform const&) (MovieClip.cpp:1202)
==25928== by 0x4F2E111: gnash::MovieClip::display(gnash::Renderer&,
gnash::Transform const&) (MovieClip.cpp:1216)
==25928== by 0x4F66662: gnash::DisplayList::display(gnash::Renderer&,
gnash::Transform const&) (DisplayList.cpp:593)
==25928== by 0x4F2E07A: gnash::MovieClip::draw(gnash::Renderer&,
gnash::Transform const&) (MovieClip.cpp:1202)
==25928== by 0x4F2E111: gnash::MovieClip::display(gnash::Renderer&,
gnash::Transform const&) (MovieClip.cpp:1216)
==25928== by 0x4F66662: gnash::DisplayList::display(gnash::Renderer&,
gnash::Transform const&) (DisplayList.cpp:593)
==25928== Address 0x8 is not stack'd, malloc'd or (recently) free'd
==25928==
==25928==
==25928== Process terminating with default action of signal 11 (SIGSEGV)
==25928== Access not within mapped region at address 0x8
==25928== at 0x548D069:
gnash::Renderer_agg<agg::pixfmt_alpha_blend_rgba<agg::blender_rgba_pre<agg::rgba8,
agg::order_bgra>, agg::row_accessor<unsigned char>, unsigned int>
>::buildPaths_rounded(std::vector<agg::path_base<agg::vertex_block_storage<double,
8u, 256u> >, std::allocator<agg::path_base<agg::vertex_block_storage<double,
8u, 256u> > > >&, std::vector<gnash::Path, std::allocator<gnash::Path> >
const&, std::vector<gnash::LineStyle, std::allocator<gnash::LineStyle> >
const&) (Renderer_agg.cpp:2208)
==25928== by 0x54C9687:
gnash::Renderer_agg<agg::pixfmt_alpha_blend_rgba<agg::blender_rgba_pre<agg::rgba8,
agg::order_bgra>, agg::row_accessor<unsigned char>, unsigned int>
>::drawShape(std::vector<gnash::FillStyle, std::allocator<gnash::FillStyle> >
const&, std::vector<gnash::LineStyle, std::allocator<gnash::LineStyle> >
const&, std::vector<gnash::Path, std::allocator<gnash::Path> > const&,
gnash::SWFMatrix const&, gnash::SWFCxForm const&) (Renderer_agg.cpp:1180)
==25928== by 0x54CFE4A:
gnash::Renderer_agg<agg::pixfmt_alpha_blend_rgba<agg::blender_rgba_pre<agg::rgba8,
agg::order_bgra>, agg::row_accessor<unsigned char>, unsigned int>
>::drawShape(gnash::SWF::ShapeRecord const&, gnash::Transform const&)
(Renderer_agg.cpp:1141)
==25928== by 0x4F2E068: gnash::MovieClip::draw(gnash::Renderer&,
gnash::Transform const&) (MovieClip.cpp:1201)
==25928== by 0x4F2E111: gnash::MovieClip::display(gnash::Renderer&,
gnash::Transform const&) (MovieClip.cpp:1216)
==25928== by 0x4F66662: gnash::DisplayList::display(gnash::Renderer&,
gnash::Transform const&) (DisplayList.cpp:593)
==25928== by 0x4F2E07A: gnash::MovieClip::draw(gnash::Renderer&,
gnash::Transform const&) (MovieClip.cpp:1202)
==25928== by 0x4F2E111: gnash::MovieClip::display(gnash::Renderer&,
gnash::Transform const&) (MovieClip.cpp:1216)
==25928== by 0x4F66662: gnash::DisplayList::display(gnash::Renderer&,
gnash::Transform const&) (DisplayList.cpp:593)
==25928== by 0x4F2E07A: gnash::MovieClip::draw(gnash::Renderer&,
gnash::Transform const&) (MovieClip.cpp:1202)
==25928== by 0x4F2E111: gnash::MovieClip::display(gnash::Renderer&,
gnash::Transform const&) (MovieClip.cpp:1216)
==25928== by 0x4F66662: gnash::DisplayList::display(gnash::Renderer&,
gnash::Transform const&) (DisplayList.cpp:593)
==25928== If you believe this happened as a result of a stack
==25928== overflow in your program's main thread (unlikely but
==25928== possible), you can try to increase the size of the
==25928== main thread stack using the --main-stacksize= flag.
==25928== The main thread stack size used in this run was 8388608.
==25928==
==25928== HEAP SUMMARY:
==25928== in use at exit: 16,224,662 bytes in 109,400 blocks
==25928== total heap usage: 3,900,169 allocs, 3,790,769 frees, 2,374,121,314
bytes allocated
==25928==
==25928== LEAK SUMMARY:
==25928== definitely lost: 20,736 bytes in 8 blocks
==25928== indirectly lost: 11,392 bytes in 354 blocks
==25928== possibly lost: 3,059,977 bytes in 25,543 blocks
==25928== still reachable: 13,132,557 bytes in 83,495 blocks
==25928== suppressed: 0 bytes in 0 blocks
==25928== Rerun with --leak-check=full to see details of leaked memory
==25928==
==25928== For counts of detected and suppressed errors, rerun with: -v
==25928== ERROR SUMMARY: 4 errors from 2 contexts (suppressed: 75 from 10)
Killed
The crash is due to the line_styles vector passed to the
buildPaths_rounded() function being empty when its first element is
accessed. The first invalid read happens just before the crash, after
playing a bit and moving the player into the next room, back to the
initial room and re-entering the next room again.
Perhaps an assert like this is better than the crash, to document the
problem better?
--- a/librender/agg/Renderer_agg.cpp
+++ b/librender/agg/Renderer_agg.cpp
@@ -1265,6 +1265,7 @@ public:
bool hinting=false, closed=false, hairline=false;
if (this_path.m_line) {
+ assert(line_styles.size() > 0);
const LineStyle& lstyle = line_styles[this_path.m_line-1];
hinting = lstyle.doPixelHinting();
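Review bot: the assert only protects debug builds; with NDEBUG it compiles away and `line_styles[this_path.m_line-1]` is still evaluated on an empty vector, so the segfault reported above would return in release builds. The check is also weaker than the index it guards: `this_path.m_line-1` can be past the end even when the vector is non-empty, so the condition should be `this_path.m_line <= line_styles.size()`, and a runtime guard that logs and skips the path (rather than an assert) would keep the renderer alive on malformed or out-of-sync shapes.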
This change gets rid of the invalid read of 2 bytes. It seems to be
caused by the DynamicShape code assuming all subshapes have a list of
line styles, which is false when re-entering the second room. The
crash still happens after this change.
--- a/libcore/DynamicShape.cpp
+++ b/libcore/DynamicShape.cpp
@@ -204,7 +204,7 @@ DynamicShape::lineTo(boost::int32_t x, boost::int32_t y,
in
SWFRect bounds = _shape.getBounds();
unsigned thickness = _currline ?
- _currsubshape.lineStyles().back().getThickness() : 0;
+ (_currsubshape.lineStyles().size() > 0 ?
_currsubshape.lineStyles().b
if (_currpath->size() == 1) {
_currpath->expandBounds(bounds, thickness, swfVersion);
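Review bot: the added `+` line is cut off in the mail (`_currsubshape.lineStyles().b`), so the complete replacement expression cannot be reviewed from what is quoted; please repost the full line. On the logic: `_currline` being set while `_currsubshape.lineStyles()` is empty means the current-line flag and the subshape's style list have gone out of sync, which matches the empty `line_styles` seen in buildPaths_rounded(). Returning thickness 0 here avoids the undefined `back()` on an empty vector, but the place where the new subshape is created without its line style is the root cause and is where a fix should also land.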
--
Happy hacking
Petter Reinholdtsen
_______________________________________________________
Reply to this item at:
<http://savannah.gnu.org/bugs/?40315>
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
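The two defects in this report are the same shape: a 1-based line style index (`m_line`, 0 meaning "no line") and an unchecked `back()` applied to a subshape whose style list is empty. The following is an added, stand-alone illustration of the checked lookups a fix would need; it is not gnash code, and `LineStyle`, `Path`, `resolveLineStyle`, `currentThickness` and `buildPaths` are simplified stand-ins, not the project's real classes.

```cpp
#include <cstdint>
#include <cstdio>
#include <optional>
#include <vector>

// Minimal stand-ins for gnash::LineStyle and gnash::Path (assumed shapes,
// not the project's real classes).
struct LineStyle { unsigned thickness; };
struct Path {
    unsigned m_line;   // 0 = no line, otherwise 1-based index into the line styles
};

// Resolve a path's line style the way the SWF format indexes it (1-based,
// 0 meaning "no line"). Returns nullopt instead of touching memory when the
// subshape carries no styles or the index is past the end: the check that
// line_styles[this_path.m_line-1] in buildPaths_rounded() lacks.
std::optional<LineStyle> resolveLineStyle(const std::vector<LineStyle>& styles,
                                          const Path& p) {
    if (p.m_line == 0) return std::nullopt;
    if (p.m_line > styles.size()) {
        std::fprintf(stderr, "line style %u out of range (have %zu)\n",
                     p.m_line, styles.size());
        return std::nullopt;
    }
    return styles[p.m_line - 1];
}

// Thickness used for bounds expansion in DynamicShape::lineTo(): an
// unchecked back() on an empty vector is undefined behaviour, so an empty
// style list yields 0 just like "no current line".
unsigned currentThickness(const std::vector<LineStyle>& styles, bool currline) {
    if (!currline || styles.empty()) return 0;
    return styles.back().thickness;
}

// Walk the paths and count those drawable with a valid style versus skipped.
struct BuildResult { unsigned drawn; unsigned skipped; };
BuildResult buildPaths(const std::vector<Path>& paths,
                       const std::vector<LineStyle>& styles) {
    BuildResult r{0, 0};
    for (const Path& p : paths) {
        if (p.m_line == 0) { ++r.drawn; continue; }  // fill-only path, no lookup
        if (resolveLineStyle(styles, p)) ++r.drawn; else ++r.skipped;
    }
    return r;
}
```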