search

buliaoyin / libyuv

Automatically exported from code.google.com/p/libyuv
BSD 3-Clause "New" or "Revised" License
0 stars 0 forks source link

libyuv invalid memory read found in M34 #317

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago 
This is ported from https://code.google.com/p/chromium/issues/detail?id=352592

Version: 34.0.1846.60
OS: Mac OS 10.9.2
Macbook Retina using "best resolution/scale" (default)

What steps will reproduce the problem?
1. Browse to go/present (could probably do it from a normal hangout as well)
2. Select the hangout window in the window picker
3. Shrink the width of the window

What is the expected output? 
No crash

What do you see instead?
Chrome crashes

https://crash.corp.google.com/samples?q=reportid=%27451d549c5b46c57a%27#0

This seems to be related to "hidpi mode" as it does not repro on a MBA with 
lower res screen and no interpolation/scaling.

This does not repro on latest canary 35.0.1891.0.
However I could not find a bug for this hence it seems like this is solved part 
of a general fix. Having said that, we might need to identify what fixed it if 
we want to merge this to M34?

Call stack:

23afebcc 133ff1a1 content!ScaleARGB+0x3e2
23afec08 12c5f5cd content!ARGBScale+0x61
23afefd8 1340457c 
content!content::DesktopCaptureDevice::Core::OnCaptureCompleted+0x6cd
23aff00c 13425145 
content!webrtc::DesktopAndCursorComposer::OnCaptureCompleted+0xcc
23aff364 13404423 content!webrtc::`anonymous 
namespace'::WindowCapturerWin::Capture+0x715
23aff380 12c60f03 content!webrtc::DesktopAndCursorComposer::Capture+0x73
23aff604 12c60939 content!content::DesktopCaptureDevice::Core::DoCapture+0x253
23aff838 12c606ae 
content!content::DesktopCaptureDevice::Core::CaptureFrameAndScheduleNext+0x219
23aff91c 12c64111 
content!content::DesktopCaptureDevice::Core::OnCaptureTimer+0x12e
23aff92c 12c63fba content!base::internal::RunnableAdapter<void (__thiscall 
content::DesktopCaptureDevice::Core::*)(void)>::Run+0x21
23aff938 12c63e49 
content!base::internal::InvokeHelper<0,void,base::internal::RunnableAdapter<void
 (__thiscall content::DesktopCaptureDevice::Core::*)(void)>,void 
__cdecl(content::DesktopCaptureDevice::Core * const &)>::MakeItSo+0x1a
23aff954 1006433f 
content!base::internal::Invoker<1,base::internal::BindState<base::internal::Runn
ableAdapter<void (__thiscall 
content::DesktopCaptureDevice::Core::*)(void)>,void 
__cdecl(content::DesktopCaptureDevice::Core *),void 
__cdecl(content::DesktopCaptureDevice::Core *)>,void 
__cdecl(content::DesktopCaptureDevice::Core *)>::Run+0x49
23aff96c 1022dd6a base!base::Callback<void __cdecl(void)>::Run+0x2f
23affedc 1022b666 base!base::SequencedWorkerPool::Inner::ThreadLoop+0x53a
23affeec 10242875 base!base::SequencedWorkerPool::Worker::Run+0x46
23afff3c 10228ed1 base!base::SimpleThread::ThreadMain+0xc5
23afff88 7672336a base!base::`anonymous namespace'::ThreadFunc+0x101
WARNING: Stack unwind information not available. Following frames may be wrong.
23afff94 77b29f72 kernel32!BaseThreadInitThunk+0x12
23afffd4 77b29f45 ntdll!RtlInitializeExceptionChain+0x63
23afffec 00000000 ntdll!RtlInitializeExceptionChain+0x36

Original issue reported on code.google.com by jiayl@chromium.org on 18 Mar 2014 at 12:34

GoogleCodeExporter commented 9 years ago 
I'm not able to build/test Chrome myself.  If you have a unittest, I might 
manage that.

But it sounds like a plausible bug with the following parameters
source is odd width
destination height is smaller, so its a scale down.

set LIBYUV_WIDTH=805
set LIBYUV_HEIGHT=678
out\debug\libyuv_unittest.exe --gtest_catch_exceptions=0 
--gtest_filter=*libyuvTest.ARGBScaleTo569x480_Bilinear

didn't repro the issue, including under DrMemory.

Original comment by fbarch...@chromium.org on 18 Mar 2014 at 2:20

GoogleCodeExporter commented 9 years ago 
May have a repro
change unittests to align to end of buffer and not pad rows.
scale from 

set LIBYUV_WIDTH=805
set LIBYUV_HEIGHT=678
drmemory out\debug\libyuv_unittest.exe --gtest_catch_exceptions=0 
--gtest_filter=*ARGBScaleTo569x480_Bilinear
~~Dr.M~~ Dr. Memory version 1.6.1
~~Dr.M~~ Running "out\debug\libyuv_unittest.exe --gtest_catch_exceptions=0 
--gtest_filter=*ARGBScaleTo569x480_Bilinear"
Note: Google Test filter = *ARGBScaleTo569x480_Bilinear
[==========] Running 1 test from 1 test case.
[----------] Global test environment set-up.
[----------] 1 test from libyuvTest
[ RUN      ] libyuvTest.ARGBScaleTo569x480_Bilinear
~~Dr.M~~
~~Dr.M~~ Error #1: UNADDRESSABLE ACCESS: reading 0x00bc5020-0x00bc5021 1 byte(s)
~~Dr.M~~ # 0 InterpolateRow_C                                                   
        [d:\src\libyuv\trunk\source\row_common.cc:1910]
~~Dr.M~~ # 1 ScaleARGBBilinearDown                                              
        [d:\src\libyuv\trunk\source\scale_argb.cc:256]
~~Dr.M~~ # 2 ScaleARGB                                                          
        [d:\src\libyuv\trunk\source\scale_argb.cc:757]
~~Dr.M~~ # 3 ARGBScale                                                          
        [d:\src\libyuv\trunk\source\scale_argb.cc:798]
~~Dr.M~~ # 4 libyuv::ARGBTestFilter                                             
        [d:\src\libyuv\trunk\unit_test\scale_argb_test.cc:48]
~~Dr.M~~ # 5 libyuv::libyuvTest_ARGBScaleTo569x480_Bilinear_Test::TestBody      
        [d:\src\libyuv\trunk\unit_test\scale_argb_test.cc:265]
~~Dr.M~~ # 6 
testing::internal::HandleExceptionsInMethodIfSupported<testing::Test,void> 
[d:\src\libyuv\trunk\testing\gtest\src\gtest.cc:2051]
~~Dr.M~~ # 7 testing::Test::Run                                                 
        [d:\src\libyuv\trunk\testing\gtest\src\gtest.cc:2068]
~~Dr.M~~ # 8 testing::TestInfo::Run                                             
        [d:\src\libyuv\trunk\testing\gtest\src\gtest.cc:2244]
~~Dr.M~~ # 9 testing::TestCase::Run                                             
        [d:\src\libyuv\trunk\testing\gtest\src\gtest.cc:2351]
~~Dr.M~~ #10 testing::internal::UnitTestImpl::RunAllTests                       
        [d:\src\libyuv\trunk\testing\gtest\src\gtest.cc:4177]
~~Dr.M~~ #11 
testing::internal::HandleExceptionsInMethodIfSupported<testing::internal::UnitTe
stImpl,bool> [d:\src\libyuv\trunk\testing\gtest\src\gtest.cc:2051]
~~Dr.M~~ Note: @0:00:02.398 in thread 2612
~~Dr.M~~ Note: instruction: movzx  (%ecx,%eax,1) -> %eax
~~Dr.M~~
~~Dr.M~~ Error #2: UNADDRESSABLE ACCESS: reading 0x00bc5021-0x00bc5022 1 byte(s)

Original comment by fbarch...@chromium.org on 18 Mar 2014 at 8:10

GoogleCodeExporter commented 9 years ago 
When scaling down a clipped region, the left and right clip coordinates are 
aligned to 4 pixel / 16 byte boundaries for efficiency.
The issue was the right edge could go beyond the width after alignment.
The InterpolateRow does not require alignment, but is more efficient doing 16 
bytes at a time, so now if the width is odd, the number of pixels will be odd.

Original comment by fbarch...@chromium.org on 18 Mar 2014 at 9:07

GoogleCodeExporter commented 9 years ago 
Fixed in r985

Original comment by fbarch...@chromium.org on 19 Mar 2014 at 1:07