Project

General

Profile

Bug #11271

Liquify: modify_roi_in(): off-by-one?

Added by Roman Lebedev almost 3 years ago. Updated almost 3 years ago.

Status:
Fixed
Priority:
Medium
Assignee:
Category:
Darkroom
Target version:
Start date:
10/29/2016
Due date:
% Done:

100%

Estimated time:
Affected Version:
git master branch
System:
all
bitness:
64-bit
hardware architecture:
amd64/x86

Description

That functions results in roi_in being smaller than roi_out.

Since this block https://github.com/darktable-org/darktable/blob/b7d9591b8cf2f68a2e9d3730e3c9fa7f8a6e3750/src/iop/liquify.c#L1306-L1316 assumes roi_out is >= roi_in, it breaks.

I would guess that cairo_region_*() expect sizes to be in 1<..<=width, while we do 0<..<width.

I'm not sure of the exact steps, i think just using asan build and having enabled Liquify in history stack is enough.

=================================================================
==31742==ERROR: AddressSanitizer: use-after-poison on address 0x7f7ecc9d4800 at pc 0x7f7f5039885f bp 0x7f7f36c089c0 sp 0x7f7f36c08170
READ of size 11520 at 0x7f7ecc9d4800 thread T3
    #0 0x7f7f5039885e  (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x5c85e)
    #1 0x7f7f296c6294 in process /home/lebedevri/darktable/src/iop/liquify.c:1313
    #2 0x7f7f4ff74185 in default_process /home/lebedevri/darktable/src/develop/imageop.c:185
    #3 0x7f7f4ff9e0e8 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:1526
    #4 0x7f7f4ff98d67 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #5 0x7f7f4ff98d67 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #6 0x7f7f4ff98d67 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #7 0x7f7f4ff98d67 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #8 0x7f7f4ff99d07 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:701
    #9 0x7f7f4ff98d67 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #10 0x7f7f4ff98d67 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #11 0x7f7f4ff99d07 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:701
    #12 0x7f7f4ff98d67 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #13 0x7f7f4ff98d67 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #14 0x7f7f4ff98d67 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #15 0x7f7f4ff98d67 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #16 0x7f7f4ff98d67 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #17 0x7f7f4ff98d67 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #18 0x7f7f4ff98d67 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #19 0x7f7f4ff98d67 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #20 0x7f7f4ff98d67 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #21 0x7f7f4ff98d67 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #22 0x7f7f4ff98d67 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #23 0x7f7f4ff98d67 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #24 0x7f7f4ff98d67 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #25 0x7f7f4ff98d67 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #26 0x7f7f4ff98d67 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #27 0x7f7f4ff98d67 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #28 0x7f7f4ff98d67 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #29 0x7f7f4ff98d67 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #30 0x7f7f4ff98d67 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #31 0x7f7f4ff98d67 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #32 0x7f7f4ff98d67 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #33 0x7f7f4ff98d67 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #34 0x7f7f4ff98d67 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #35 0x7f7f4ff98d67 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #36 0x7f7f4ff98d67 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #37 0x7f7f4ff99d07 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:701
    #38 0x7f7f4ff98d67 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #39 0x7f7f4ff98d67 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #40 0x7f7f4ff98d67 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #41 0x7f7f4ff98d67 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #42 0x7f7f4ff99d07 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:701
    #43 0x7f7f4ff98d67 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #44 0x7f7f4ff98d67 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #45 0x7f7f4ff98d67 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #46 0x7f7f4ff98d67 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #47 0x7f7f4ff98d67 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #48 0x7f7f4ff98d67 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #49 0x7f7f4ff98d67 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #50 0x7f7f4ff98d67 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #51 0x7f7f4ff98d67 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #52 0x7f7f4ff98d67 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #53 0x7f7f4ff98d67 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #54 0x7f7f4ff98d67 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #55 0x7f7f4ff99d07 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:701
    #56 0x7f7f4ffa5882 in dt_dev_pixelpipe_process_rec_and_backcopy /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:2150
    #57 0x7f7f4ffa5882 in dt_dev_pixelpipe_process /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:2236
    #58 0x7f7f4fee6ae3 in dt_imageio_export_with_flags /home/lebedevri/darktable/src/common/imageio.c:770
    #59 0x7f7f4ff0ec07 in _init_8 /home/lebedevri/darktable/src/common/mipmap_cache.c:1215
    #60 0x7f7f4ff0ec07 in dt_mipmap_cache_get_with_caller /home/lebedevri/darktable/src/common/mipmap_cache.c:795
    #61 0x7f7f4ff5f705 in dt_image_load_job_run /home/lebedevri/darktable/src/control/jobs/image_jobs.c:35
    #62 0x7f7f4ff50a33 in dt_control_job_execute /home/lebedevri/darktable/src/control/jobs.c:298
    #63 0x7f7f4ff51da7 in dt_control_run_job /home/lebedevri/darktable/src/control/jobs.c:317
    #64 0x7f7f4ff51da7 in dt_control_work /home/lebedevri/darktable/src/control/jobs.c:555
    #65 0x7f7f4b953463 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7463)
    #66 0x7f7f47e8c9de in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe89de)

0x7f7ecc9d4800 is located 5160960 bytes inside of 262938624-byte region [0x7f7ecc4e8800,0x7f7edbfaa800)
allocated by thread T3 here:
    #0 0x7f7f503fe760 in posix_memalign (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2760)
    #1 0x7f7f4fe8ace0 in dt_alloc_align /home/lebedevri/darktable/src/common/darktable.c:1196
    #2 0x7f7f4ff97733 in dt_dev_pixelpipe_cache_init /home/lebedevri/darktable/src/develop/pixelpipe_cache.c:51
    #3 0x7f7f4ffa3576 in dt_dev_pixelpipe_init_cached /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:140
    #4 0x7f7f4ffa3853 in dt_dev_pixelpipe_init_thumbnail /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:102
    #5 0x7f7f4fee50aa in dt_imageio_export_with_flags /home/lebedevri/darktable/src/common/imageio.c:581
    #6 0x7f7f4ff0ec07 in _init_8 /home/lebedevri/darktable/src/common/mipmap_cache.c:1215
    #7 0x7f7f4ff0ec07 in dt_mipmap_cache_get_with_caller /home/lebedevri/darktable/src/common/mipmap_cache.c:795
    #8 0x7f7f4ff5f705 in dt_image_load_job_run /home/lebedevri/darktable/src/control/jobs/image_jobs.c:35
    #9 0x7f7f4ff50a33 in dt_control_job_execute /home/lebedevri/darktable/src/control/jobs.c:298
    #10 0x7f7f4ff51da7 in dt_control_run_job /home/lebedevri/darktable/src/control/jobs.c:317
    #11 0x7f7f4ff51da7 in dt_control_work /home/lebedevri/darktable/src/control/jobs.c:555
    #12 0x7f7f4b953463 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7463)

Thread T3 created by T0 here:
    #0 0x7f7f5036cf59 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x30f59)
    #1 0x7f7f4fe9c38d in dt_pthread_create /home/lebedevri/darktable/src/common/dtpthread.c:90
    #2 0x7f7f4ff522ea in dt_control_jobs_init /home/lebedevri/darktable/src/control/jobs.c:611
    #3 0x7f7f4ff4749d in dt_control_init /home/lebedevri/darktable/src/control/control.c:119
    #4 0x7f7f4fe8e884 in dt_init /home/lebedevri/darktable/src/common/darktable.c:908
    #5 0x55bfe7abad4f in main /home/lebedevri/darktable/src/main.c:24
    #6 0x7f7f47dc42b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

SUMMARY: AddressSanitizer: use-after-poison (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x5c85e) 
Shadow bytes around the buggy address:
  0x0ff0599328b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff0599328c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff0599328d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff0599328e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff0599328f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ff059932900:[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0ff059932910: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0ff059932920: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0ff059932930: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0ff059932940: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0ff059932950: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==31742==ABORTING

History

#1 Updated by Roman Lebedev almost 3 years ago

More specifically, if i add printfs at the beginning of process():

  printf("roi_in x %i y %i w %i h %i\n", roi_in->x, roi_in->y, roi_in->width, roi_in->height);
  printf("roi_out x %i y %i w %i h %i\n", roi_out->x, roi_out->y, roi_out->width, roi_out->height);
roi_in x 0 y 0 w 720 h 448
roi_out x 0 y 0 w 720 h 449

#2 Updated by Pascal Obry almost 3 years ago

I cannot reproduce on my side. Tested on two different images and with the printf() I have correct values:

roi_in x 0 y 0 w 1351 h 900
roi_out x 0 y 0 w 1351 h 900

or

roi_in x 0 y 0 w 1354 h 900
roi_out x 0 y 0 w 1354 h 900

#3 Updated by Roman Lebedev almost 3 years ago

That is in darkroom, right?
For me it always happened when staring dt, i.e. for preview in lighttable.

#4 Updated by Pascal Obry almost 3 years ago

I see, reproduced! This is a rounding error, a tentative fix is there: https://github.com/darktable-org/darktable/pull/1336

#5 Updated by Pascal Obry almost 3 years ago

  • % Done changed from 0 to 100
  • Status changed from New to Fixed

#6 Updated by Roman Lebedev almost 3 years ago

  • Target version set to 2.2.0

Also available in: Atom PDF

Go to top