pixman: Branch 'master' - 3 commits

Søren Sandmann Pedersen sandmann at kemper.freedesktop.org
Mon Sep 24 15:46:35 PDT 2012 

 pixman/pixman-inlines.h |    2 +-
 test/Makefile.sources   |    1 +
 test/affine-test.c      |   16 ++++++++++++----
 test/infinite-loop.c    |   39 +++++++++++++++++++++++++++++++++++++++
 4 files changed, 53 insertions(+), 5 deletions(-)

New commits:
commit de60e2e0e3eb6084f8f14b63f25b3cbfb012943f
Author: Søren Sandmann Pedersen <ssp at redhat.com>
Date:   Sat Sep 15 03:13:09 2012 -0400

    Fix for infinite-loop test
    
    The infinite loop detected by "affine-test 212944861" is caused by an
    overflow in this expression:
    
        max_x = pixman_fixed_to_int (vx + (width - 1) * unit_x) + 1;
    
    where (width - 1) * unit_x doesn't fit in a signed int. This causes
    max_x to be too small so that this:
    
        src_width = 0
    
        while (src_width < REPEAT_NORMAL_MIN_WIDTH && src_width <= max_x)
            src_width += src_image->bits.width;
    
    results in src_width being 0. Later on when src_width is used for
    repeat calculations, we get the infinite loop.
    
    By casting unit_x to int64_t, the expression no longer overflows and
    affine-test 212944861 and infinite-loop no longer loop forever.

diff --git a/pixman/pixman-inlines.h b/pixman/pixman-inlines.h
index 5517de5..3a3c658 100644
--- a/pixman/pixman-inlines.h
+++ b/pixman/pixman-inlines.h
@@ -859,7 +859,7 @@ fast_composite_scaled_bilinear ## scale_func_name (pixman_implementation_t *imp,
     {												\
 	vx = v.vector[0];									\
 	repeat (PIXMAN_REPEAT_NORMAL, &vx, pixman_int_to_fixed(src_image->bits.width));		\
-	max_x = pixman_fixed_to_int (vx + (width - 1) * unit_x) + 1;				\
+	max_x = pixman_fixed_to_int (vx + (width - 1) * (int64_t)unit_x) + 1;			\
 												\
 	if (src_image->bits.width < REPEAT_NORMAL_MIN_WIDTH)					\
 	{											\
commit aa311a4641b79eac39fe602b75d7bee3de9b1dce
Author: Søren Sandmann Pedersen <ssp at redhat.com>
Date:   Thu Sep 13 19:31:29 2012 -0400

    test: Add inifinite-loop test
    
    This test demonstrates a bug where a certain transformation matrix can
    result in an infinite loop. It was extracted as a standalone version
    of "affine-test 212944861".
    
    If given the option -nf, the test program will not call fail_after()
    and therefore potentially run forever.

diff --git a/test/Makefile.sources b/test/Makefile.sources
index 3e37e32..0f34411 100644
--- a/test/Makefile.sources
+++ b/test/Makefile.sources
@@ -7,6 +7,7 @@ TESTPROGRAMS =			\
 	fetch-test		\
 	rotate-test		\
 	oob-test		\
+	infinite-loop		\
 	trap-crasher		\
 	alpha-loop		\
 	scaling-crash-test	\
diff --git a/test/infinite-loop.c b/test/infinite-loop.c
new file mode 100644
index 0000000..02addaa
--- /dev/null
+++ b/test/infinite-loop.c
@@ -0,0 +1,39 @@
+#include <assert.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include "utils.h"
+
+int
+main (int argc, char **argv)
+{
+#define SRC_WIDTH 16
+#define SRC_HEIGHT 12
+#define DST_WIDTH 7
+#define DST_HEIGHT 2
+
+    static const pixman_transform_t transform = {
+	{ { 0x200017bd, 0x00000000, 0x000e6465 },
+	  { 0x00000000, 0x000a42fd, 0x000e6465 },
+	  { 0x00000000, 0x00000000, 0x00010000 },
+	}
+    };
+    pixman_image_t *src, *dest;
+
+    src = pixman_image_create_bits (
+	PIXMAN_a8r8g8b8, SRC_WIDTH, SRC_HEIGHT, NULL, -1);
+    dest = pixman_image_create_bits (
+	PIXMAN_a8r8g8b8, DST_WIDTH, DST_HEIGHT, NULL, -1);
+
+    pixman_image_set_transform (src, &transform);
+    pixman_image_set_repeat (src, PIXMAN_REPEAT_NORMAL);
+    pixman_image_set_filter (src, PIXMAN_FILTER_BILINEAR, NULL, 0);
+
+    if (argc == 1 || strcmp (argv[1], "-nf") != 0)
+	fail_after (1, "infinite loop detected");
+
+    pixman_image_composite (
+	PIXMAN_OP_OVER, src, NULL, dest, -3, -3, 0, 0, 0, 0, 6, 2);
+
+    return 0;
+}
commit d5c721768c9811ce22bc0cd50bdf1c7bccc264e0
Author: Søren Sandmann Pedersen <ssp at redhat.com>
Date:   Thu Sep 13 19:29:19 2012 -0400

    affine-test: Print out the transformation matrix when verbose
    
    Printing out the translation and scale is a bit misleading because the
    actual transformation matrix can be modified in various other ways.
    
    Instead simply print the whole transformation matrix that is actually
    used.

diff --git a/test/affine-test.c b/test/affine-test.c
index 6827cc3..7bc28b4 100644
--- a/test/affine-test.c
+++ b/test/affine-test.c
@@ -200,11 +200,19 @@ test_composite (int      testnum,
 
     if (verbose)
     {
+#define M(r,c)								\
+	transform.matrix[r][c]
+
 	printf ("src_fmt=%08X, dst_fmt=%08X\n", src_fmt, dst_fmt);
-	printf ("op=%d, scale_x=%d, scale_y=%d, repeat=%d\n",
-	        op, scale_x, scale_y, repeat);
-	printf ("translate_x=%d, translate_y=%d\n",
-	        translate_x, translate_y);
+	printf ("op=%d, repeat=%d, transform=\n",
+	        op, repeat);
+	printf (" { { { 0x%08x, 0x%08x, 0x%08x },\n"
+		"     { 0x%08x, 0x%08x, 0x%08x },\n"
+		"     { 0x%08x, 0x%08x, 0x%08x },\n"
+		" } };\n",
+		M(0,0), M(0,1), M(0,2),
+		M(1,0), M(1,1), M(1,2),
+		M(2,0), M(2,1), M(2,2));
 	printf ("src_width=%d, src_height=%d, dst_width=%d, dst_height=%d\n",
 	        src_width, src_height, dst_width, dst_height);
 	printf ("src_x=%d, src_y=%d, dst_x=%d, dst_y=%d\n",

More information about the xorg-commit mailing list