Bug 189467 - media-libs/libpng-1.2.19 causes frequent segfaults on amd64 due to mmx code
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Library
Hardware: AMD64 Linux
Importance: High critical
Assignee: Gentoo's Team for Core System packages
Reported: 2007-08-19 13:39 UTC by James Brown
Modified: 2007-09-20 05:34 UTC


Attachments
Backtrace of first segfault (libpng_induced_segfault_backtrace.txt, 1.50 KB, text/plain) - 2007-08-19 13:39 UTC, James Brown
Backtrace of second segfault (libpng_induced_segfault_backtrace_2.txt, 277 bytes, text/plain) - 2007-08-19 13:40 UTC, James Brown
Backtrace of segfault with -Os -falign-functions (Backtrace of segfault with -Os -falign-functions.txt, 2.18 KB, text/plain) - 2007-08-20 16:09 UTC, James Brown
Backtrace of segfault with -O0 (Backtrace of segfault with -O0.txt, 323 bytes, text/plain) - 2007-08-20 19:21 UTC, James Brown

Description James Brown 2007-08-19 13:39:16 UTC
After upgrading from libpng 1.2.18 to libpng 1.2.19, every application on my system that loaded a png segfaulted. I've included a sample backtrace in the below. Recompiling with CFLAGS="" and LDFLAGS="" makes no difference. Downgrading to 1.2.18-r1 fixes the problem.

Reproducible: Always

Steps to Reproduce:
1. Install libpng 1.2.19 on amd64 with LDFLAGS="-Wl,-O1"
2. Attempt to run any program that loads a PNG
Actual Results:
Program segfaults. There are two different types of segfaults; both will be included as attachments.

Expected Results:
Program should -not- segfault. :-)

Portage 2.1.3.6 (default-linux/amd64/2006.1/desktop, gcc-4.2.0, glibc-2.6.1-r0, 2.6.22-gentoo-r1 x86_64)
=================================================================
System uname: 2.6.22-gentoo-r1 x86_64 AMD Athlon(tm) 64 X2 Dual Core Processor 3800+
Gentoo Base System release 1.12.10
Timestamp of tree: Sun, 19 Aug 2007 12:20:01 +0000
ccache version 2.4 [enabled]
dev-java/java-config: 1.3.7, 2.0.33-r1
dev-lang/python:     2.3.6-r2, 2.4.4-r4
dev-python/pycrypto: 2.0.1-r6
dev-util/ccache:     2.4-r7
sys-apps/sandbox:    1.2.18.1
sys-devel/autoconf:  2.13, 2.61-r1
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.17.50.0.18
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.3.5, 1.5.24
virtual/os-headers:  2.6.22-r2
ACCEPT_KEYWORDS="amd64 ~amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=athlon64 -mtune=athlon64 -mmmx -msse2 -msse3 -m3dnow -Os -pipe -ggdb"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /var/bind"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/php/apache2-php4/ext-active/ /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php4/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php4/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-march=athlon64 -mtune=athlon64 -mmmx -msse2 -msse3 -m3dnow -O2 -pipe -ggdb"
DISTDIR="/usr/portage/distfiles"
FEATURES="ccache distlocks maketest metadata-transfer parallel-fetch sandbox sfperms splitdebug strict unmerge-orphans userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://mirror.espri.arizona.edu/gentoo/ http://mirror.utdlug.org/linux/distributions/gentoo/ http://gentoo.mirrors.tera-byte.com/ http://gentoo.osuosl.org/ http://gentoo.arcticnetwork.ca/"
LANG="en_US.UTF-8"
LDFLAGS="-Wl,-O1"
LINGUAS="en"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage/local/layman/voip /usr/portage/local/layman/sunrise /usr/portage/local/layman/xeffects /usr/local/portage"
SYNC="rsync://rsync.namerica.gentoo.org/gentoo-portage"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 1 James Brown 2007-08-19 13:39:53 UTC
Created attachment 128587 [details]
Backtrace of first segfault
Comment 2 James Brown 2007-08-19 13:40:10 UTC
Created attachment 128588 [details]
Backtrace of second segfault
Comment 3 James Brown 2007-08-19 13:41:41 UTC
Err... Ignore the LDFLAGS="-Wl,-O1" part... For a second, I thought it was an
LDFLAGS-induced problem, but it didn't turn out to be.
Comment 4 SpanKY gentoo-dev 2007-08-20 00:37:47 UTC
so rebuild it with simple CFLAGS: -O0 -pipe
Comment 5 James Brown 2007-08-20 14:55:39 UTC
Okay, more information:

CFLAGS="-O0 -pipe" also does not work.

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 47484115313040 (LWP 31697)]
0x00002b2fc00981fa in H�U�H�M�L�E�H�}� () from /usr/lib/libpng12.so.0
(gdb) bt
#0  0x00002b2fc00981fa in H�U�H�M�L�E�H�}� () from /usr/lib/libpng12.so.0
Cannot access memory at address 0x11

Is this something to do with the NX bit on amd64 processors? That's just a stab in the dark, of course, but there is definitely something weird going on with memory access...
Comment 6 Christoph Mende (RETIRED) gentoo-dev 2007-08-20 15:40:00 UTC
I've tried several combinations of CFLAGS now; some seem to work, some don't. However, these are the CFLAGS that do work (add -march=native -pipe everywhere):
-O3
-O2
-O1
-O0 -fomit-frame-pointer
-Os -falign-functions
whereas the following do not work:
-O0
-Os
-Os -fomit-frame-pointer
Comment 7 Christoph Mende (RETIRED) gentoo-dev 2007-08-20 15:45:50 UTC
uhm, small correction, -Os -fomit-frame-pointer seems to work now, even though I'm pretty sure it didn't work on my first attempt - may be my broken brain though
Comment 8 James Brown 2007-08-20 16:09:57 UTC
Created attachment 128698 [details]
Backtrace of segfault with -Os -falign-functions

The -Os -falign-functions version did not work for me. Nor did -Os with all of the -fblah flags that the gcc manpage said -Os removed from -O2. Which is sort of... odd... I'm attaching another backtrace (with gqview as the invoking program, if it matters), in case it is useful to anybody.
Comment 9 James Brown 2007-08-20 16:13:00 UTC
Hmm. Could this be related to bug #189433 ? It's interesting that there's another bug filed against the same version of libpng and with problems in the same file (pnggccrd.c)...
Comment 10 Christoph Mende (RETIRED) gentoo-dev 2007-08-20 17:12:56 UTC
Well yeah, my libpng compiled with -Os -fomit-frame-pointer stopped working a few minutes after I posted this too, so anything with -Os seems completely random, whereas -O2 seemed pretty stable over the last hour.
Comment 11 Ferris McCormick (RETIRED) gentoo-dev 2007-08-20 18:04:58 UTC
With -O2 it is stable enough for me, but in some cases, colors are messed up (perhaps related to libsdl?).  Video driver is x11-drivers/nvidia-drivers-100.14.09  (as a base line, libpng-1.1.18-r1 is fine).
(As a very quick check, compare the table in the foobillard game.)
Comment 12 SpanKY gentoo-dev 2007-08-20 19:12:05 UTC
backtraces on optimized code are useless

either build it with -g -ggdb -O0 w/out stripping or don't bother
Comment 13 James Brown 2007-08-20 19:21:31 UTC
Created attachment 128708 [details]
Backtrace of segfault with -O0

...As you wish, SpanKY. As you can see, -O0 provides no more useful information, and the problem is with optimizations. But whatever, here it is...
Comment 14 Martijn Berger 2007-08-22 19:53:45 UTC
I got the same problem, although I can't reproduce it with compiles made with -O0 or -O2; for me it only segfaults with -Os. That is with gcc 4.1.2 and gcc 4.2.0.
libpng versions prior to 1.2.19 are fine when compiled with -Os on my system.

Comment 15 James Brown 2007-08-22 20:15:06 UTC
Just out of curiosity, what binutils version are you using?
Comment 16 Martijn Berger 2007-08-22 20:17:30 UTC
binutils 2.17.50.0.18
Comment 17 SpanKY gentoo-dev 2007-08-25 15:26:10 UTC
someone post a .png that is causing a crash ... 1.2.19 + pngviewing works on my amd64 machine

also, try doing:
CPPFLAGS="-DPNG_NO_MMX_CODE" emerge libpng

if that fails, you could also try 1.2.20rc1 posted here:
http://sourceforge.net/project/showfiles.php?group_id=5624
Comment 18 Rickard Närström 2007-08-25 16:21:33 UTC
How about images in libpng's self tests:
----
/bin/sh ./libtool --mode=link --tag=CC x86_64-pc-linux-gnu-gcc  -Os -fomit-frame-pointer -march=native -pipe  -Wl,-O1 -Wl,--as-needed -o pngtest  pngtest.o libpng12.la -lz -lm
x86_64-pc-linux-gnu-gcc -Os -fomit-frame-pointer -march=native -pipe -Wl,-O1 -Wl,--as-needed -o .libs/pngtest pngtest.o  ./.libs/libpng12.so -lz -lm
creating pngtest
make[1]: Leaving directory `/var/tmp/paludis/media-libs/libpng-1.2.19/work/libpng-1.2.19'
make  check-TESTS
make[1]: Entering directory `/var/tmp/paludis/media-libs/libpng-1.2.19/work/libpng-1.2.19'
Testing libpng version 1.2.19
   with zlib   version 1.2.3

 libpng version 1.2.19 - August 18, 2007
   Copyright (c) 1998-2007 Glenn Randers-Pehrson
   Copyright (c) 1996-1997 Andreas Dilger
   Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.
 library (10219): libpng version 1.2.19 - August 18, 2007
     (PNGGCRD x86_64, PIC)
 pngtest (10219): libpng version 1.2.19 - August 18, 2007
 png_sizeof(png_struct)=1240, png_sizeof(png_info)=464
./test-pngtest.sh: line 3:  9826 Segmentation fault      ./pngtest ${srcdir}/pngtest.png
FAIL: test-pngtest.sh
========================================================
1 of 1 tests failed
Please report to png-mng-implement@lists.sourceforge.net
========================================================
make[1]: *** [check-TESTS] Error 1
make[1]: Leaving directory `/var/tmp/paludis/media-libs/libpng-1.2.19/work/libpng-1.2.19'
make: *** [check-am] Error 2
----
Comment 19 SpanKY gentoo-dev 2007-08-25 16:33:22 UTC
passed tests on my machine

I've added USE=mmx to the build, which will do the CPPFLAGS="-DPNG_NO_MMX_CODE" automatically, so people can work around this with USE=-mmx
Comment 20 Michał Bartoszkiewicz 2007-08-25 23:39:45 UTC
It crashes for me at:
(gdb) bt
#0  0x00002aaaaabf63f3 in sub_go () at pnggccrd.c:5137
Cannot access memory at address 0x13

Code around 0x00002aaaaabf63f3 is:
0x00002aaaaabf63ef <sub_go+10>: sub    %edx,%ecx
0x00002aaaaabf63f1 <sub_go+12>: mov    %ebp,%eax
0x00002aaaaabf63f3 <sub_go+14>: mov    %ecx,0xffffffffffffffd4(%rbp)
0x00002aaaaabf63f6 <sub_go+17>: mov    %rdi,0xffffffffffffffe8(%rbp)

"mov %ebp,%eax" is the last line of the asm block in pnggccrd.c:5137-5187.
The asm block clobbers the value of the %ebp register, which causes a segfault when gcc tries to load a variable from the stack using it. The block contains _CLOBBER_ebp (which expands to ,"%ebp") in the clobber list, but gcc seems to ignore it. The solution would be to define SAVE_ebp and RESTORE_ebp on x86-64 (as is done on x86).
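The failure mode Comment 20 describes, and the save/restore fix it proposes, can be shown with a small added example (not libpng's code): a PNG "Sub" unfilter loop written in x86-64 inline asm that uses %ebp as scratch, with the frame pointer saved and restored explicitly instead of relying on a "%ebp" clobber. Saving rbp into r8 is an assumed stand-in for libpng's SAVE_ebp/RESTORE_ebp macros, and the sample row is constructed; on non-x86-64 builds only the portable loop is compiled.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* PNG "Sub" unfilter: raw[i] += raw[i - bpp] for i >= bpp (bpp = bytes per pixel). */
static void unfilter_sub_portable(uint8_t *row, size_t len, size_t bpp)
{
    for (size_t i = bpp; i < len; i++)
        row[i] = (uint8_t)(row[i] + row[i - bpp]);
}
#if defined(__x86_64__) && defined(__GNUC__)
/* Same loop in inline asm, using %ebp as scratch as the 1.2.19 MMX code did.
 * A "%ebp" clobber is not honoured while rbp is the frame pointer, so rbp is
 * saved/restored by hand (via r8, an assumed stand-in for SAVE_ebp/RESTORE_ebp).
 * Operands are pinned to rdi/rsi/rdx so gcc can never hand us rbp as an operand. */
static void unfilter_sub_asm(uint8_t *row, size_t len, size_t bpp)
{
    if (len <= bpp) return;
    uint8_t *p = row + bpp, *end = row + len;
    size_t neg = (size_t)0 - bpp;           /* p + neg == p - bpp */
    __asm__ __volatile__ (
        "movq   %%rbp, %%r8            \n\t"  /* SAVE_ebp */
        "1:                            \n\t"
        "movzbl (%[p]), %%ebp          \n\t"  /* filtered byte into scratch ebp */
        "movzbl (%[p],%[neg],1), %%eax \n\t"  /* raw[i - bpp], already unfiltered */
        "addl   %%ebp, %%eax           \n\t"
        "movb   %%al, (%[p])           \n\t"  /* store low byte: sum mod 256 */
        "incq   %[p]                   \n\t"
        "cmpq   %[end], %[p]           \n\t"
        "jb     1b                     \n\t"
        "movq   %%r8, %%rbp            \n\t"  /* RESTORE_ebp */
        : [p] "+D" (p)
        : [neg] "S" (neg), [end] "d" (end)
        : "eax", "r8", "memory", "cc");
}
#endif
/* Self-check on a constructed 4-pixel, 3-bytes-per-pixel Sub-filtered row:
 * the asm path (where built) must match the portable loop and the expected bytes. */
int unfilter_sub_selftest(void)
{
    static const uint8_t filtered[12] = {10,20,30, 1,2,3, 1,2,3, 250,0,1};
    static const uint8_t expected[12] = {10,20,30, 11,22,33, 12,24,36, 6,24,37};
    uint8_t a[12], b[12];
    memcpy(a, filtered, 12); memcpy(b, filtered, 12);
    unfilter_sub_portable(a, 12, 3);
#if defined(__x86_64__) && defined(__GNUC__)
    unfilter_sub_asm(b, 12, 3);
#else
    unfilter_sub_portable(b, 12, 3);
#endif
    return memcmp(a, expected, 12) == 0 && memcmp(b, expected, 12) == 0;
}
```

With the two movq lines removed, the function corrupts the caller's frame pointer exactly as the bug describes whenever the compiler keeps rbp as frame pointer (e.g. -O0 or -Os without -fomit-frame-pointer).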
Comment 21 Priit Laes (IRC: plaes) 2007-09-19 14:00:29 UTC
The MMX code has been removed from the 1.2.20 version (due to problems like these..)
So this can be marked as depending on bug 192119
Comment 22 SpanKY gentoo-dev 2007-09-20 05:34:11 UTC
should be fixed with libpng-1.2.20