Bug#: 189467
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo's Team for Core System packages <base-system@gentoo.org>
Reporter: James Brown <Roguelazer@gmail.com>

Attachments:
- libpng_induced_segfault_backtrace.txt: Backtrace of first segfault (text/plain, James Brown, 2007-08-19 13:39 0000, 1.50 KB)
- libpng_induced_segfault_backtrace_2.txt: Backtrace of second segfault (text/plain, James Brown, 2007-08-19 13:40 0000, 277 bytes)
- Backtrace of segfault with -Os -falign-functions.txt: Backtrace of segfault with -Os -falign-functions (text/plain, James Brown, 2007-08-20 16:09 0000, 2.18 KB)
- Backtrace of segfault with -O0.txt: Backtrace of segfault with -O0 (text/plain, James Brown, 2007-08-20 19:21 0000, 323 bytes)




Description:   Opened: 2007-08-19 13:39 0000
After upgrading from libpng 1.2.18 to libpng 1.2.19, every application on my
system that loaded a PNG segfaulted. I've included a sample backtrace
below. Recompiling with CFLAGS="" and LDFLAGS="" makes no difference.
Downgrading to 1.2.18-r1 fixes the problem.

Reproducible: Always

Steps to Reproduce:
1. Install libpng 1.2.19 on amd64 with LDFLAGS="-Wl,-O1"
2. Attempt to run any program that loads a PNG
Actual Results:  
Program segfaults. There are two different types of segfaults; both will be
included as attachments.

Expected Results:  
Program should -not- segfault. :-)

Portage 2.1.3.6 (default-linux/amd64/2006.1/desktop, gcc-4.2.0, glibc-2.6.1-r0,
2.6.22-gentoo-r1 x86_64)
=================================================================
System uname: 2.6.22-gentoo-r1 x86_64 AMD Athlon(tm) 64 X2 Dual Core Processor
3800+
Gentoo Base System release 1.12.10
Timestamp of tree: Sun, 19 Aug 2007 12:20:01 +0000
ccache version 2.4 [enabled]
dev-java/java-config: 1.3.7, 2.0.33-r1
dev-lang/python:     2.3.6-r2, 2.4.4-r4
dev-python/pycrypto: 2.0.1-r6
dev-util/ccache:     2.4-r7
sys-apps/sandbox:    1.2.18.1
sys-devel/autoconf:  2.13, 2.61-r1
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.17.50.0.18
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.3.5, 1.5.24
virtual/os-headers:  2.6.22-r2
ACCEPT_KEYWORDS="amd64 ~amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=athlon64 -mtune=athlon64 -mmmx -msse2 -msse3 -m3dnow -Os -pipe
-ggdb"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config
/usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /var/bind"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf
/etc/php/apache2-php4/ext-active/ /etc/php/apache2-php5/ext-active/
/etc/php/cgi-php4/ext-active/ /etc/php/cgi-php5/ext-active/
/etc/php/cli-php4/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild
/etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-march=athlon64 -mtune=athlon64 -mmmx -msse2 -msse3 -m3dnow -O2 -pipe
-ggdb"
DISTDIR="/usr/portage/distfiles"
FEATURES="ccache distlocks maketest metadata-transfer parallel-fetch sandbox
sfperms splitdebug strict unmerge-orphans userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://mirror.espri.arizona.edu/gentoo/
http://mirror.utdlug.org/linux/distributions/gentoo/
http://gentoo.mirrors.tera-byte.com/ http://gentoo.osuosl.org/
http://gentoo.arcticnetwork.ca/"
LANG="en_US.UTF-8"
LDFLAGS="-Wl,-O1"
LINGUAS="en"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude=/distfiles --exclude=/local --exclude=/packages
--filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage/local/layman/voip
/usr/portage/local/layman/sunrise /usr/portage/local/layman/xeffects
/usr/local/portage"
SYNC="rsync://rsync.namerica.gentoo.org/gentoo-portage"
USE="64bit 7zip X X509 aac aalib acl acpi aiglx aim alsa amd64 apache2 apm
applet artswrappersuid artworkextra automount avahi backtrace bash-completion
beagle berkdb binfilter bitmap-fonts bittorrent blender-game bonjour bonobo
bookmarks browserplugin bzip2 cairo ccache cdda cddb cdparanoia cdr cdrom cg
cgi cli console cpudetection cracklib crypt cscope css csv cups cursors d daap
dbus devhelp dhcp directfb divx dnd dvd dvdnav dvdr dvdread dvi ecc eds effects
emacs emboss emerald emul-linux-x86 encode epiphany erandom ethereal evince evo
evolution examples exif exo extensions fam fbcon fbdev fbsplash ffi ffmpeg fftw
firefox flac flash floppyd fltk fontconfig foomaticdb fortran fortran95
freetype ftp fuse gaim galago gcc-libffi gcj gd gdb gdbm gdm gedit geoip gif
gimp gimpprint glade glib glitz glut glx gmail gmailtimestamps gnome
gnome-print gnuplot gnustep gnutella gnutls gpgme gphoto2 gpm gs gsf gstreamer
gstreamer010 gtalk gtk gtk2 gtkspell guile gzip h323 hal hardenedphp hash hbci
hddtemp hfs howl-compat hpn html http ical icecast icons iconv icq id3 ilbc
imlib imlib2 inkjar innodb ipod ipv6 isdnlog jabber java java-external java5
javascript jikes jingle joystick jpeg jpeg2k kcal kdehiddenvisibility kerberos
keyring keyscrub kqemu krb4 latex latin1 ldap libnotify libsexy lm_sensors
logitech-mouse lua lucene lzo lzw mad math maya-shaderlibrary mbrola md5sum
mdnsresponder-compat midi mikmod ming mmap mng mod_python mono mouse
mozbranding mozcalendar mozdevelop mozdom moznoroaming mozsvg mozxmlterm mp3
mp4 mp4live mpeg mpeg2 mplayer mppe-mppc mschap msn mudflap music musicbrainz
mysql mysqli nautilus ncurses network networking neural nforce2 nfs nls nptl
nptlonly nsplugin ntfs numarray numeric nvidia nvtv objc objc++ objc-gc octave
odbc offensive ofx ogg oggvorbis ole on-the-fly-crypt openal openbabel openexr
opengl openmp openssl optimisememory ortp oscar pam pam_chroot pango pcntl pcre
pda pdf perl php plotutils png pnp pop pop3d posix ppds pppd print python qt3
qt3support qt4 quicktime quotes rar rdesktop readline realmedia reflection
regex reiser4 reiserfs rhythmbox rss rsvg ruby samba sasl scanner screen sdl
sdl-sound seamonkey sensord server session sftp shout silc smp smtp sockets
socks5 softmmu sound sourceview speex spell spl spreadsheet sql sqlite sqlite3
sse-filters ssl startup-notification stencil-buffer stream subtitles subversion
svg svgz swig sysfs syslog t1lib tabs tagwriting tcl tcltk tcpd tetex textures
tga theora threads threadsafe thumbnail thumbnailing thunar-vfs thunderbird
tidy tiff timidity tk tools totem tracker transcode transparency trayicon
truetype truetype-fonts type1 type1-fonts unac unicode unzip upnp ups urandom
usb v4l v4l2 valgrind vfat vhosts videos vim vim-syntax vnc vncviewer voice
vorbis webdav wireshark wma wma123 wnck wordperfect x264 xattr xcb xcf xchat
xcomposite xext xforms xft xhtml xinerama xml xml2 xmlrpc xmp xorg xosd xplanet
xpm xprint xrandr xscreensaver xv xvid yahoo zip zlib zvbi" ALSA_CARDS="ali5451
als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938
es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx
via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop
empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi
null plug rate route share shm softvol" CAMERAS="canon casio fuji kodak"
ELIBC="glibc" INPUT_DEVICES="evdev keyboard mouse" KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses
text" LINGUAS="en" USERLAND="GNU" VIDEO_CARDS="nv nvidia vesa"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_COMPRESS,
PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

------- Comment #1 From James Brown 2007-08-19 13:39:53 0000 -------
Created an attachment (id=128587)
Backtrace of first segfault

------- Comment #2 From James Brown 2007-08-19 13:40:10 0000 -------
Created an attachment (id=128588)
Backtrace of second segfault

------- Comment #3 From James Brown 2007-08-19 13:41:41 0000 -------
Err... Ignore the LDFLAGS="-Wl,-O1" part... For a second, I thought it was an
LDFLAGS-induced problem, but it didn't turn out to be.

------- Comment #4 From SpanKY 2007-08-20 00:37:47 0000 -------
so rebuild it with simple CFLAGS: -O0 -pipe

------- Comment #5 From James Brown 2007-08-20 14:55:39 0000 -------
Okay, more information:

CFLAGS="-O0 -pipe" also does not work.

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 47484115313040 (LWP 31697)]
0x00002b2fc00981fa in H�U�H�M�L�E�H�}� () from
/usr/lib/libpng12.so.0
(gdb) bt
#0  0x00002b2fc00981fa in H�U�H�M�L�E�H�}� () from
/usr/lib/libpng12.so.0
Cannot access memory at address 0x11

Is this something to do with the NX bit on amd64 processors? That's just a stab
in the dark, of course, but there is definitely something weird going on with
memory access...

------- Comment #6 From Christoph Mende 2007-08-20 15:40:00 0000 -------
I've tried several combinations of CFLAGS now; some seem to work, some don't.
However, these are the CFLAGS that do work (add -march=native -pipe everywhere):
-O3
-O2
-O1
-O0 -fomit-frame-pointer
-Os -falign-functions
whereas the following do not work:
-O0
-Os
-Os -fomit-frame-pointer

------- Comment #7 From Christoph Mende 2007-08-20 15:45:50 0000 -------
uhm, small correction, -Os -fomit-frame-pointer seems to work now, even though
I'm pretty sure it didn't work on my first attempt - may be my broken brain
though

------- Comment #8 From James Brown 2007-08-20 16:09:57 0000 -------
Created an attachment (id=128698)
Backtrace of segfault with -Os -falign-functions

The -Os -falign-functions version did not work for me. Nor did -Os with all of
the -fblah flags that the gcc manpage said -Os removed from -O2. Which is sort
of... odd... I'm attaching another backtrace (with gqview as the invoking
program, if it matters), in case it is useful to anybody.

------- Comment #9 From James Brown 2007-08-20 16:13:00 0000 -------
Hmm. Could this be related to bug #189433 ? It's interesting that there's
another bug filed against the same version of libpng and with problems in the
same file (pnggccrd.c)...

------- Comment #10 From Christoph Mende 2007-08-20 17:12:56 0000 -------
Well yeah, my libpng compiled with -Os -fomit-frame-pointer stopped working a
few minutes after I posted this too, so anything with -Os seems completely
random, whereas -O2 seemed pretty stable over the last hour.

------- Comment #11 From Ferris McCormick 2007-08-20 18:04:58 0000 -------
With -O2 it is stable enough for me, but in some cases, colors are messed up
(perhaps related to libsdl?).  Video driver is
x11-drivers/nvidia-drivers-100.14.09  (as a base line, libpng-1.1.18-r1 is
fine).
(As a very quick check, compare the table in the foobillard game.)

------- Comment #12 From SpanKY 2007-08-20 19:12:05 0000 -------
Backtraces on optimized code are useless.

Either build it with -g -ggdb -O0 w/out stripping or don't bother.

------- Comment #13 From James Brown 2007-08-20 19:21:31 0000 -------
Created an attachment (id=128708)
Backtrace of segfault with -O0

...As you wish, SpanKY. As you can see, -O0 provides no more useful
information, and the problem is with optimizations. But whatever, here it is...

------- Comment #14 From Martijn Berger 2007-08-22 19:53:45 0000 -------
I got the same problem, although I can't reproduce it with compiles made with -O0
or -O2; for me it only segfaults with -Os. That is with gcc 4.1.2 and gcc 4.2.0.
libpng versions prior to 1.2.19 are fine when compiled with -Os on my system.

------- Comment #15 From James Brown 2007-08-22 20:15:06 0000 -------
Just out of curiosity, what binutils version are you using?

------- Comment #16 From Martijn Berger 2007-08-22 20:17:30 0000 -------
binutils 2.17.50.0.18

------- Comment #17 From SpanKY 2007-08-25 15:26:10 0000 -------
someone post a .png that is causing a crash ... 1.2.19 + pngviewing works on my
amd64 machine

also, try doing:
CPPFLAGS="-DPNG_NO_MMX_CODE" emerge libpng

if that fails, you could also try 1.2.20rc1 posted here:
http://sourceforge.net/project/showfiles.php?group_id=5624

------- Comment #18 From Rickard Närström 2007-08-25 16:21:33 0000 -------
How about images in libpng's self tests:
----
/bin/sh ./libtool --mode=link --tag=CC x86_64-pc-linux-gnu-gcc  -Os
-fomit-frame-pointer -march=native -pipe  -Wl,-O1 -Wl,--as-needed -o pngtest 
pngtest.o libpng12.la -lz -lm
x86_64-pc-linux-gnu-gcc -Os -fomit-frame-pointer -march=native -pipe -Wl,-O1
-Wl,--as-needed -o .libs/pngtest pngtest.o  ./.libs/libpng12.so -lz -lm
creating pngtest
make[1]: Leaving directory
`/var/tmp/paludis/media-libs/libpng-1.2.19/work/libpng-1.2.19'
make  check-TESTS
make[1]: Entering directory
`/var/tmp/paludis/media-libs/libpng-1.2.19/work/libpng-1.2.19'
Testing libpng version 1.2.19
   with zlib   version 1.2.3

 libpng version 1.2.19 - August 18, 2007
   Copyright (c) 1998-2007 Glenn Randers-Pehrson
   Copyright (c) 1996-1997 Andreas Dilger
   Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.
 library (10219): libpng version 1.2.19 - August 18, 2007
     (PNGGCRD x86_64, PIC)
 pngtest (10219): libpng version 1.2.19 - August 18, 2007
 png_sizeof(png_struct)=1240, png_sizeof(png_info)=464
./test-pngtest.sh: line 3:  9826 Segmentation fault      ./pngtest
${srcdir}/pngtest.png
FAIL: test-pngtest.sh
========================================================
1 of 1 tests failed
Please report to png-mng-implement@lists.sourceforge.net
========================================================
make[1]: *** [check-TESTS] Error 1
make[1]: Leaving directory
`/var/tmp/paludis/media-libs/libpng-1.2.19/work/libpng-1.2.19'
make: *** [check-am] Error 2
----

------- Comment #19 From SpanKY 2007-08-25 16:33:22 0000 -------
passed tests on my machine

I've added USE=mmx to the build, which will do the CPPFLAGS="-DPNG_NO_MMX_CODE"
automatically, so people can work around this with USE=-mmx.

------- Comment #20 From Michał Bartoszkiewicz 2007-08-25 23:39:45 0000 -------
It crashes for me at:
(gdb) bt
#0  0x00002aaaaabf63f3 in sub_go () at pnggccrd.c:5137
Cannot access memory at address 0x13

Code around 0x00002aaaaabf63f3 is:
0x00002aaaaabf63ef <sub_go+10>: sub    %edx,%ecx
0x00002aaaaabf63f1 <sub_go+12>: mov    %ebp,%eax
0x00002aaaaabf63f3 <sub_go+14>: mov    %ecx,0xffffffffffffffd4(%rbp)
0x00002aaaaabf63f6 <sub_go+17>: mov    %rdi,0xffffffffffffffe8(%rbp)

"mov %ebp,%eax" is the last line of the asm block in pnggccrd.c:5137-5187.
The asm block clobbers the value of the %ebp register, which causes a segfault
when gcc tries to load a variable from stack using it. The block contains
_CLOBBER_ebp (which expands to ,"%ebp") in the clobber list, but gcc seems to
ignore it. The solution would be to define SAVE_ebp and RESTORE_ebp on x86-64
(like it is used on x86).
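
The save/restore pattern suggested in the comment above, as an added example that is not libpng's pnggccrd.c code: an inline asm loop that uses %rbp as its index register (the way the MMX filter code used %ebp), parks the frame pointer in another register before touching it and restores it afterwards, instead of relying on a clobber-list entry that the compiler cannot honour while %rbp is the frame pointer. The function names sum_bytes_asm, sum_bytes_c and selftest and the sample buffer are assumptions for illustration. Two details matter: the save slot is a register output pinned to %rbx, not a stack local, because a stack local would be addressed as an offset from %rbp and the restore would read through the already-overwritten frame pointer (the same failure mode as the crash at pnggccrd.c:5137); and every operand is pinned to a specific register so that, when frame pointers are omitted, the compiler can never hand %rbp to one of them.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Reference implementation in plain C, used to check the asm version. */
static uint64_t sum_bytes_c(const uint8_t *buf, size_t len)
{
    uint64_t total = 0;
    for (size_t i = 0; i < len; i++)
        total += buf[i];
    return total;
}

/* Sums len bytes starting at buf, using %rbp as the loop index inside
 * inline asm.  When the compiler keeps a frame pointer (gcc at -O0, for
 * instance), %rbp addresses every local, so the block must leave it exactly
 * as it found it.  The SAVE/RESTORE pair below holds the frame pointer in
 * %rbx for the duration of the asm.  Operands are pinned to %rdx, %rbx,
 * %rsi and %rdi so %rbp is never allocated to any of them.
 * (Example code, not libpng's; the SAVE_ebp/RESTORE_ebp names are only
 * echoed in the comments.) */
uint64_t sum_bytes_asm(const uint8_t *buf, size_t len)
{
#if defined(__x86_64__) && defined(__GNUC__)
    uint64_t total = 0;
    uint64_t saved_rbp;   /* lives in %rbx, never addressed via %rbp */
    __asm__ __volatile__ (
        "movq   %%rbp, %[save]\n\t"           /* SAVE_ebp equivalent    */
        "xorl   %%ebp, %%ebp\n\t"             /* rbp = 0: loop index    */
        "testq  %[len], %[len]\n\t"
        "jz     2f\n"
        "1:\n\t"
        "movzbq (%[buf],%%rbp,1), %%rax\n\t"  /* load one byte          */
        "addq   %%rax, %[total]\n\t"
        "incq   %%rbp\n\t"
        "cmpq   %[len], %%rbp\n\t"
        "jb     1b\n"
        "2:\n\t"
        "movq   %[save], %%rbp\n\t"           /* RESTORE_ebp equivalent */
        : [total] "+d" (total), [save] "=&b" (saved_rbp)
        : [buf] "S" (buf), [len] "D" (len)
        : "rax", "cc", "memory");
    return total;
#else
    return sum_bytes_c(buf, len);   /* no x86-64 inline asm on this target */
#endif
}

/* Constructed sample input: a short buffer whose byte sum (518) is easy to check. */
static const uint8_t sample[] = { 1, 2, 3, 250, 255, 0, 7 };

/* Returns 1 when the asm version agrees with the C reference on the sample
 * buffer and on an empty buffer, 0 otherwise. */
int selftest(void)
{
    if (sum_bytes_asm(sample, sizeof sample) != sum_bytes_c(sample, sizeof sample))
        return 0;
    if (sum_bytes_asm(sample, 0) != 0)
        return 0;
    return 1;
}

int main(void)
{
    int ok = selftest();
    printf("sum = %llu, selftest %s\n",
           (unsigned long long)sum_bytes_asm(sample, sizeof sample),
           ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

Build it both ways (gcc -O0 and gcc -O2 -fomit-frame-pointer) and the result is the same; swapping the `"=&b"` save operand for a `"=m"` stack local is enough to reproduce the class of crash discussed in this bug under -O0, because the restore then reads from an offset of the clobbered %rbp.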

------- Comment #21 From Priit Laes (IRC: plaes) 2007-09-19 14:00:29 0000 -------
The MMX code has been removed from 1.2.20 version (due to the problems like
these..)
So this can be marked as depending on bug 192119.

------- Comment #22 From SpanKY 2007-09-20 05:34:11 0000 -------
should be fixed with libpng-1.2.20
