[Bug 779319] New: opcode size hard-coded to zero in orc_x86_emit_*() functions causes SIGSEGV (x86)
GStreamer (GNOME Bugzilla)
bugzilla at gnome.org
Mon Feb 27 15:24:22 UTC 2017
https://bugzilla.gnome.org/show_bug.cgi?id=779319
Bug ID: 779319
Summary: opcode size hard-coded to zero in orc_x86_emit_*()
functions causes SIGSEGV (x86)
Classification: Platform
Product: GStreamer
Version: 0.4.26
OS: other
Status: NEW
Severity: major
Priority: Normal
Component: orc
Assignee: gstreamer-bugs at lists.freedesktop.org
Reporter: d_garry at mail.ru
QA Contact: gstreamer-bugs at lists.freedesktop.org
CC: ds at schleef.org
GNOME version: ---
This bug (behavior?) was detected under GStreamer 1.10.3 and Orc 0.4.26 built
for QNX 6.5.0 SP1 operating system. Maybe in other OSes it's masked by
sprintf() or strlen() function, dunno.
Steps to reproduce (at least at x86 platform with SSE support):
1) Build orc, GStreamer, gst-plugins-base with orc support.
2) Run gst-launch with videotestsrc (e.g. gst-launch videotestsrc ! fakesink):
igor at irpc:~/PROJECTS$ ntox86-gdb /opt/gstreamer/x86/bin/gst-launch-1.0
---cut---
(gdb) run videotestsrc ! fakesink
Starting program: /opt/gstreamer/x86/bin/gst-launch-1.0 videotestsrc ! fakesink
Setting pipeline to PAUSED ...
Pipeline is PREROLLING ...
[New pid 733225 tid 2]
Program received signal SIGSEGV, Segmentation fault.
[Switching to pid 733225 tid 2]
0xb0361298 in strlen () from /opt/qnx650/target/qnx6/x86/lib/libc.so.3
(gdb) sharedlibrary
(gdb) bt
#0 0xb0361298 in strlen () from /opt/qnx650/target/qnx6/x86/lib/libc.so.3
#1 0xb035a7a8 in _Putfld () from /opt/qnx650/target/qnx6/x86/lib/libc.so.3
#2 0xb035a2bc in _Printf () from /opt/qnx650/target/qnx6/x86/lib/libc.so.3
#3 0xb0355e4a in sprintf () from /opt/qnx650/target/qnx6/x86/lib/libc.so.3
#4 0xb87ba6c2 in orc_x86_insn_output_asm (p=0x8126018, xinsn=0x812d2d0) at
/home/src/orc-0.4.26/orc/orcx86insn.c:483
#5 0xb87bba32 in orc_x86_output_insns (p=0x8126018) at
/home/src/orc-0.4.26/orc/orcx86insn.c:923
#6 0xb87b7e09 in orc_compiler_sse_assemble (compiler=0x8126018) at
/home/src/orc-0.4.26/orc/orcprogram-sse.c:996
#7 0xb8794f6c in orc_program_compile_full (program=0x811eee8,
target=0xb88217c0, flags=31) at /home/src/orc-0.4.26/orc/orccompiler.c:352
#8 0xb87946bc in orc_program_compile_for_target (program=0x811eee8,
target=0xb88217c0) at /home/src/orc-0.4.26/orc/orccompiler.c:173
#9 0xb8794671 in orc_program_compile (program=0x811eee8) at
/home/src/orc-0.4.26/orc/orccompiler.c:150
#10 0xb866710b in video_test_src_orc_splat_u32 (d1=0x80fedc8 "",
p1=-2139034625, n=45) at tmp-orc.c:200
#11 0xb86662c2 in paint_tmpline_AYUV (p=0x7fc6980, x=0, w=45) at
/home/src/gst-plugins-base-1.10.3/gst/videotestsrc/videotestsrc.c:1144
#12 0xb866423e in gst_video_test_src_smpte (v=0x80ee210, frame=0x7fc6ad4) at
/home/src/gst-plugins-base-1.10.3/gst/videotestsrc/videotestsrc.c:350
#13 0xb86627ed in gst_video_test_src_fill (psrc=0x80ee210, buffer=0x80e9e78) at
/home/src/gst-plugins-base-1.10.3/gst/videotestsrc/gstvideotestsrc.c:1022
#14 0xb8763dd6 in gst_push_src_fill (bsrc=0x80ee210,
offset=18446744073709551615, length=4096, ret=0x80e9e78)
at /home/src/gstreamer-1.10.3/libs/gst/base/gstpushsrc.c:167
#15 0xb8743089 in gst_base_src_default_create (src=0x80ee210,
offset=18446744073709551615, size=4096, buffer=0x7fc6dbc)
at /home/src/gstreamer-1.10.3/libs/gst/base/gstbasesrc.c:1486
#16 0xb8763ce7 in gst_push_src_create (bsrc=0x80ee210,
offset=18446744073709551615, length=4096, ret=0x7fc6dbc)
at /home/src/gstreamer-1.10.3/libs/gst/base/gstpushsrc.c:132
#17 0xb8746a20 in gst_base_src_get_range (src=0x80ee210,
offset=18446744073709551615, length=4096, buf=0x7fc6e3c)
at /home/src/gstreamer-1.10.3/libs/gst/base/gstbasesrc.c:2464
#18 0xb87479dd in gst_base_src_loop (pad=0x80ed038) at
/home/src/gstreamer-1.10.3/libs/gst/base/gstbasesrc.c:2740
#19 0xb82be6df in gst_task_func (task=0x80e9860) at
/home/src/gstreamer-1.10.3/gst/gsttask.c:334
#20 0xb82bf7c5 in default_func (tdata=0x8091d40, pool=0x8060468) at
/home/src/gstreamer-1.10.3/gst/gsttaskpool.c:68
#21 0xb847d5dd in g_thread_pool_thread_proxy (data=0x80706b8) at
/home/igor/PROJECTS/extra_components/extra/src/glib-2.44.1/glib/gthreadpool.c:307
#22 0xb847cfc3 in g_thread_proxy (data=0x80e1ac0) at
/home/igor/PROJECTS/extra_components/extra/src/glib-2.44.1/glib/gthread.c:764
What's inside OrcX86Insn structure (see backtrace line #4):
(gdb) print *(OrcX86Insn*)0x812d2d0
$1 = {opcode_index = ORC_X86_push, opcode = 0xb88049b8, imm = 0, src = 37,
dest = 37, size = 0, label = 0, type = 0, offset = 0, index_reg = 0, shift = 0,
code_offset = 0}
(NOTICE: size == 0)
So, seems that the main cause of this bug is that OrcX86Insn structure for
ORC_X86_push opcode has its 'size' field value set to zero.
These functions (for some reason - I don't know if it's right or wrong because
I'm not an expert in Orc at all) ignore the 'size' argument and explicitly set
the opcode's size to 0. So they emit the 'push' opcode to OrcCompiler's list with zero
size:
(orc/orcx86.c:127)
void
orc_x86_emit_push (OrcCompiler *compiler, int size, int reg)
{
orc_x86_emit_cpuinsn_size (compiler, ORC_X86_push, 0, reg, reg);
}
void
orc_x86_emit_pop (OrcCompiler *compiler, int size, int reg)
{
orc_x86_emit_cpuinsn_size (compiler, ORC_X86_pop, 0, reg, reg);
}
But later, it's used here as an argument of orc_x86_get_regname_size() function
(orc/orcx86insn.c:483):
-------- cut ----------
case ORC_X86_INSN_TYPE_REGM_REG:
case ORC_X86_INSN_TYPE_STACK:
sprintf(op2_str, "%%%s", orc_x86_get_regname_size (xinsn->dest,
xinsn->size));
break;
-------- cut ----------
In this case, function orc_x86_get_regname_size() returns NULL and causes
sprintf (at least in QNX's libc) to cause SIGSEGV.
My fix for this issue (no deep testing yet, but it seems reasonable and at
least it works for me):
void
orc_x86_emit_push (OrcCompiler *compiler, int size, int reg)
{
/* orc_x86_emit_cpuinsn_size (compiler, ORC_X86_push, 0, reg, reg); */
orc_x86_emit_cpuinsn_size (compiler, ORC_X86_push, size, reg, reg);
}
void
orc_x86_emit_pop (OrcCompiler *compiler, int size, int reg)
{
/* orc_x86_emit_cpuinsn_size (compiler, ORC_X86_pop, 0, reg, reg); */
orc_x86_emit_cpuinsn_size (compiler, ORC_X86_pop, size, reg, reg);
}
Regards, Igor.
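As an added illustration (constructed here, not Orc's code and not part of the report), the chain the reporter describes in miniature: an emit_push that drops the size next to one that passes it through, a register-name lookup that returns NULL for an unsupported size, and an operand formatter that turns a NULL name into an error instead of handing it to "%s". The struct shape, the function names and the register numbering (32 = eax ... 37 = ebp ... 39 = edi, chosen to match dest = 37 in the dump) are assumptions.

```c
#include <stdio.h>
#include <string.h>
/* Constructed stand-ins for the Orc structures in the report; not Orc's code. */
enum { OP_PUSH, OP_POP };
typedef struct { int opcode; int dest; int size; } Insn;

/* Assumed numbering matching the report's dump: 32 = eax ... 37 = ebp ... 39 = edi. */
static const char *regname_size(int reg, int size)
{
    static const char *n32[] = {"eax","ecx","edx","ebx","esp","ebp","esi","edi"};
    static const char *n16[] = {"ax","cx","dx","bx","sp","bp","si","di"};
    int idx = reg - 32;
    if (idx < 0 || idx > 7) return NULL;
    if (size == 4) return n32[idx];
    if (size == 2) return n16[idx];
    return NULL;  /* size 0 from the hard-coded emit_push lands here */
}
/* Before the fix: the size argument is ignored and 0 is stored. */
static Insn emit_push_buggy(int size, int reg) { Insn i = {OP_PUSH, reg, 0}; (void)size; return i; }
/* After the fix: the caller's size is passed through. */
static Insn emit_push_fixed(int size, int reg) { Insn i = {OP_PUSH, reg, size}; return i; }

/* Hardened counterpart of the sprintf at orcx86insn.c:483: a NULL register
 * name becomes an error instead of being passed to "%s" (undefined behaviour,
 * the strlen() crash in the backtrace). Returns 0 on success, -1 on error. */
static int insn_operand_asm(const Insn *x, char *out, size_t outlen)
{
    const char *name = regname_size(x->dest, x->size);
    if (name == NULL) {
        snprintf(out, outlen, "<bad operand reg=%d size=%d>", x->dest, x->size);
        return -1;
    }
    snprintf(out, outlen, "%%%s", name);
    return 0;
}

/* Runs one push through emit + output; NULL means the assembler must fail. */
static const char *push_operand(int size, int reg, int use_fix)
{
    static char buf[48];
    Insn i = use_fix ? emit_push_fixed(size, reg) : emit_push_buggy(size, reg);
    return insn_operand_asm(&i, buf, sizeof buf) == 0 ? buf : NULL;
}
int main(void)
{
    const char *b = push_operand(4, 37, 0), *f = push_operand(4, 37, 1);
    printf("buggy: %s\nfixed: %s\n", b ? b : "error", f ? f : "error");
    return 0;
}
```

With the buggy emitter the operand formatter reports an error for every push; with the fix it yields "%ebp" for the register and size the report shows.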