[cairo] Testsuite changes this week

Uli Schlachter psychon at znc.in
Wed Apr 2 00:41:44 PDT 2014 

Hi,

On 02.04.2014 00:07, Bryce W. Harrington wrote:
> I'm going to try to do ~weekly test runs and post deltas, in hopes this
> helps us spot test regressions more swiftly.

Thanks a lot, that sounds great! (Although weekly might be a little often)

> == Changes since last week (03-17 to 03/29) ==
>       2 PASS -> FAIL

That's the following change which I cannot reproduce with Xephyr:

PASS -> FAIL # filter-nearest-transformed.xcb-window.rgb24
PASS -> FAIL # filter-nearest-transformed.xlib-window.rgb24

> == Changes since last release (v. 1.12 to 03/29) ==
>       2 FAIL -> CRASHED

FAIL -> CRASHED # random-clip.test-mask.argb32
FAIL -> CRASHED # random-clip.test-mask.rgb24

Only happens randomly. Valgrind smells a use-after-free. What happens begins in
cairo-mask-compositor.c, function get_clip_source() (simplified):

    surface = _cairo_clip_get_image (clip, dst, bounds);
    _cairo_pattern_init_for_surface (&pattern, surface);
    cairo_surface_destroy (surface);
    surface = compositor->pattern_to_surface (dst, &pattern.base, TRUE,
					      &r, &r, out_x, out_y);
    _cairo_pattern_fini (&pattern.base);
    return surface;

We have an image surface for which a surface pattern is created. This surface
pattern then owns the only reference to the surface. For this pattern, a new
surface is created (belonging to a different surface backend) and the pattern is
cleaned up and thus the original surface gets finished / destroyed.

Now let's skip into cairo-image-source.c function _pixman_image_for_surface()
(which gets called through _cairo_image_source_create_for_pattern() ->
_pixman_image_for_pattern()). This function notices that we are creating a
pixman image for a cairo image surface and thus skips the copy:

	    pixman_image = pixman_image_create_bits (source->pixman_format,
						     source->width,
						     source->height,
						     (uint32_t *) source->data,
						     source->stride);

So instead of creating a copy of the data, this function just makes the new
pixman_image_t refer to the same data and it assumes that this image won't live
longer than the original image. As we've seen, this assumption is wrong for this
code path.

Figuring out a way to fix this without possibly introducing a reference cycle
loop will be left as an exercise for the interested reader (Chris?). Oh and this
code already uses pixman's image destroy function for other purposes anyway.

>       1 FAIL -> UNTESTED
>      11 PASS -> UNTESTED
>       1 XFAIL -> UNTESTED

These are all on gl-window&. Can't say more than that.

>       3 XFAIL -> FAIL

XFAIL -> FAIL # record90-paint-alpha-clip.script.argb32
XFAIL -> FAIL # record90-paint-alpha-clip-mask.script.argb32
XFAIL -> FAIL # record-paint-alpha-clip-mask.script.argb32

Dunno. Script is too much black magic for me and I cannot find any commit
touching the ref images for record-paint-alpha-clip-mask.

>     703 PASS -> FAIL

Haven't looked into this. I'll just claim that this is due to the new image
scaling together with outdated reference images.

Cheers,
Uli
-- 
Sent from my Game Boy.

More information about the cairo mailing list