Bug 189467

Summary:	media-libs/libpng-1.2.19 causes frequent segfaults on amd64 due to mmx code
Product:	Gentoo Linux	Reporter:	James Brown <Roguelazer>
Component:	[OLD] Library	Assignee:	Gentoo's Team for Core System packages <base-system>
Status:	RESOLVED FIXED
Severity:	critical	CC:	amd64, angelos, gentoo-bugzilla, martijn.berger, mbartoszkiewicz, plaes
Priority:	High
Version:	unspecified
Hardware:	AMD64
OS:	Linux
Whiteboard:
Package list:		Runtime testing required:	---
Attachments:	Backtrace of first segfault Backtrace of second segfault Backtrace of segfault with -Os -falign-functions Backtrace of segfault with -O0

Description James Brown 2007-08-19 13:39:16 UTC

After upgrading from libpng 1.2.18 to libpng 1.2.19, every application on my system that loaded a png segfaulted. I've included a sample backtrace in the below. Recompiling with CFLAGS="" and LDFLAGS="" makes no difference. Downgrading to 1.2.18-r1 fixes the problem.

Reproducible: Always

Steps to Reproduce:
1. Install libpng 1.2.19 on amd64 with LDFLAGS="-Wl,-O1"
2. Attempt to run any program that loads a PNG
Actual Results:  
Program segfaults. There are two different types of segfaults; both will be included as attachments.

Expected Results:  
Program should -not- segfault. :-)

Portage 2.1.3.6 (default-linux/amd64/2006.1/desktop, gcc-4.2.0, glibc-2.6.1-r0, 2.6.22-gentoo-r1 x86_64)
=================================================================
System uname: 2.6.22-gentoo-r1 x86_64 AMD Athlon(tm) 64 X2 Dual Core Processor 3800+
Gentoo Base System release 1.12.10
Timestamp of tree: Sun, 19 Aug 2007 12:20:01 +0000
ccache version 2.4 [enabled]
dev-java/java-config: 1.3.7, 2.0.33-r1
dev-lang/python:     2.3.6-r2, 2.4.4-r4
dev-python/pycrypto: 2.0.1-r6
dev-util/ccache:     2.4-r7
sys-apps/sandbox:    1.2.18.1
sys-devel/autoconf:  2.13, 2.61-r1
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.17.50.0.18
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.3.5, 1.5.24
virtual/os-headers:  2.6.22-r2
ACCEPT_KEYWORDS="amd64 ~amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=athlon64 -mtune=athlon64 -mmmx -msse2 -msse3 -m3dnow -Os -pipe -ggdb"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /var/bind"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/php/apache2-php4/ext-active/ /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php4/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php4/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-march=athlon64 -mtune=athlon64 -mmmx -msse2 -msse3 -m3dnow -O2 -pipe -ggdb"
DISTDIR="/usr/portage/distfiles"
FEATURES="ccache distlocks maketest metadata-transfer parallel-fetch sandbox sfperms splitdebug strict unmerge-orphans userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://mirror.espri.arizona.edu/gentoo/ http://mirror.utdlug.org/linux/distributions/gentoo/ http://gentoo.mirrors.tera-byte.com/ http://gentoo.osuosl.org/ http://gentoo.arcticnetwork.ca/"
LANG="en_US.UTF-8"
LDFLAGS="-Wl,-O1"
LINGUAS="en"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage/local/layman/voip /usr/portage/local/layman/sunrise /usr/portage/local/layman/xeffects /usr/local/portage"
SYNC="rsync://rsync.namerica.gentoo.org/gentoo-portage"
USE="64bit 7zip X X509 aac aalib acl acpi aiglx aim alsa amd64 apache2 apm applet artswrappersuid artworkextra automount avahi backtrace bash-completion beagle berkdb binfilter bitmap-fonts bittorrent blender-game bonjour bonobo bookmarks browserplugin bzip2 cairo ccache cdda cddb cdparanoia cdr cdrom cg cgi cli console cpudetection cracklib crypt cscope css csv cups cursors d daap dbus devhelp dhcp directfb divx dnd dvd dvdnav dvdr dvdread dvi ecc eds effects emacs emboss emerald emul-linux-x86 encode epiphany erandom ethereal evince evo evolution examples exif exo extensions fam fbcon fbdev fbsplash ffi ffmpeg fftw firefox flac flash floppyd fltk fontconfig foomaticdb fortran fortran95 freetype ftp fuse gaim galago gcc-libffi gcj gd gdb gdbm gdm gedit geoip gif gimp gimpprint glade glib glitz glut glx gmail gmailtimestamps gnome gnome-print gnuplot gnustep gnutella gnutls gpgme gphoto2 gpm gs gsf gstreamer gstreamer010 gtalk gtk gtk2 gtkspell guile gzip h323 hal hardenedphp hash hbci hddtemp hfs howl-compat hpn html http ical icecast icons iconv icq id3 ilbc imlib imlib2 inkjar innodb ipod ipv6 isdnlog jabber java java-external java5 javascript jikes jingle joystick jpeg jpeg2k kcal kdehiddenvisibility kerberos keyring keyscrub kqemu krb4 latex latin1 ldap libnotify libsexy lm_sensors logitech-mouse lua lucene lzo lzw mad math maya-shaderlibrary mbrola md5sum mdnsresponder-compat midi mikmod ming mmap mng mod_python mono mouse mozbranding mozcalendar mozdevelop mozdom moznoroaming mozsvg mozxmlterm mp3 mp4 mp4live mpeg mpeg2 mplayer mppe-mppc mschap msn mudflap music musicbrainz mysql mysqli nautilus ncurses network networking neural nforce2 nfs nls nptl nptlonly nsplugin ntfs numarray numeric nvidia nvtv objc objc++ objc-gc octave odbc offensive ofx ogg oggvorbis ole on-the-fly-crypt openal openbabel openexr opengl openmp openssl optimisememory ortp oscar pam pam_chroot pango pcntl pcre pda pdf perl php plotutils png pnp pop pop3d posix ppds pppd print python qt3 qt3support qt4 quicktime quotes rar rdesktop readline realmedia reflection regex reiser4 reiserfs rhythmbox rss rsvg ruby samba sasl scanner screen sdl sdl-sound seamonkey sensord server session sftp shout silc smp smtp sockets socks5 softmmu sound sourceview speex spell spl spreadsheet sql sqlite sqlite3 sse-filters ssl startup-notification stencil-buffer stream subtitles subversion svg svgz swig sysfs syslog t1lib tabs tagwriting tcl tcltk tcpd tetex textures tga theora threads threadsafe thumbnail thumbnailing thunar-vfs thunderbird tidy tiff timidity tk tools totem tracker transcode transparency trayicon truetype truetype-fonts type1 type1-fonts unac unicode unzip upnp ups urandom usb v4l v4l2 valgrind vfat vhosts videos vim vim-syntax vnc vncviewer voice vorbis webdav wireshark wma wma123 wnck wordperfect x264 xattr xcb xcf xchat xcomposite xext xforms xft xhtml xinerama xml xml2 xmlrpc xmp xorg xosd xplanet xpm xprint xrandr xscreensaver xv xvid yahoo zip zlib zvbi" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" CAMERAS="canon casio fuji kodak" ELIBC="glibc" INPUT_DEVICES="evdev keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en" USERLAND="GNU" VIDEO_CARDS="nv nvidia vesa"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

Comment 1 James Brown 2007-08-19 13:39:53 UTC

Created attachment 128587 [details]
Backtrace of first segfault

Comment 2 James Brown 2007-08-19 13:40:10 UTC

Created attachment 128588 [details]
Backtrace of second segfault

Comment 3 James Brown 2007-08-19 13:41:41 UTC

Err... Ignore the LDFLAGS="-Wl,-O1" part... For a second, I thought it was an
LDFLAGS-induced problem, but it didn't turn out to be.

Comment 4 SpanKY gentoo-dev

2007-08-20 00:37:47 UTC

so rebuild it with simple CFLAGS: -O0 -pipe

Comment 5 James Brown 2007-08-20 14:55:39 UTC

Okay, more information:

CFLAGS="-O0 -pipe" also does not work.

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 47484115313040 (LWP 31697)]
0x00002b2fc00981fa in H�U�H�M�L�E�H�}� () from /usr/lib/libpng12.so.0
(gdb) bt
#0  0x00002b2fc00981fa in H�U�H�M�L�E�H�}� () from /usr/lib/libpng12.so.0
Cannot access memory at address 0x11

Is this something to do with the NX bit on amd64 processors? That's just a stab in the dark, of course, but there is definitely something weird going on with memory access...

Comment 6 Christoph Mende (RETIRED) gentoo-dev

2007-08-20 15:40:00 UTC

I've tried several combinations of CFLAGS now, some seem to work, some don't, however this are the CFLAGS that do work (add -march=native -pipe everywhere):
-O3
-O2
-O1
-O0 -fomit-frame-pointer
-Os -falign-functions
whereas the following do not work:
-O0
-Os
-Os -fomit-frame-pointer

Comment 7 Christoph Mende (RETIRED) gentoo-dev

2007-08-20 15:45:50 UTC

uhm, small correction, -Os -fomit-frame-pointer seems to work now, even though I'm pretty sure it didn't work on my first attempt - may be my broken brain though

Comment 8 James Brown 2007-08-20 16:09:57 UTC

Created attachment 128698 [details]
Backtrace of segfault with -Os -falign-functions

The -Os -falign-functions version did not work for me. Nor did -Os with all of the -fblah flags that the gcc manpage said -Os removed from -O2. Which is sort of... odd... I'm attaching another backtrace (with gqview as the invoking program, if it matters), in case it is useful to anybody.

Comment 9 James Brown 2007-08-20 16:13:00 UTC

Hmm. Could this be related to bug #189433 ? It's interesting that there's another bug filed against the same version of libpng and with problems in the same file (pnggccrd.c)...

Comment 10 Christoph Mende (RETIRED) gentoo-dev

2007-08-20 17:12:56 UTC

Well yeah, my libpng compiled with -Os -fomit-frame-pointer stopped working a few minutes after I posted this too, so anything with -Os seems complete random, whereas -O2 seemed pretty stable over the last hour

Comment 11 Ferris McCormick (RETIRED) gentoo-dev

2007-08-20 18:04:58 UTC

With -O2 it is stable enough for me, but in some cases, colors are messed up (perhaps related to libsdl?).  Video driver is x11-drivers/nvidia-drivers-100.14.09  (as a base line, libpng-1.1.18-r1 is fine).
(As a very quick check, compare the table in the foobillard game.)

Comment 12 SpanKY gentoo-dev

2007-08-20 19:12:05 UTC

backtraces on optimized code is useless

either build it with -g -ggdb -O0 w/out stripping or dont bother

Comment 13 James Brown 2007-08-20 19:21:31 UTC

Created attachment 128708 [details]
Backtrace of segfault with -O0

...As you wish, SpanKY. As you can see, -O0 provides no more useful information, and the problem is with optimizations. But whatever, here it is...

Comment 14 Martijn Berger 2007-08-22 19:53:45 UTC

I got the same problem although i cant reproduce it with compiles made with -O0 or -O2 for me it only segfaults with -Os. That is with gcc 4.1.2 and gcc 4.2.0.
libpng versions prior to 1.2.19 are fine when compiles with -Os on my system

Comment 15 James Brown 2007-08-22 20:15:06 UTC

Just out of curiosity, what binutils version are you using?

Comment 16 Martijn Berger 2007-08-22 20:17:30 UTC

binutils 2.17.50.0.18

Comment 17 SpanKY gentoo-dev

2007-08-25 15:26:10 UTC

someone post a .png that is causing a crash ... 1.2.19 + pngviewing works on my amd64 machine

also, try doing:
CPPFLAGS="-DPNG_NO_MMX_CODE" emerge libpng

if that fails, you could also try 1.2.20rc1 posted here:
http://sourceforge.net/project/showfiles.php?group_id=5624

Comment 18 Rickard Närström 2007-08-25 16:21:33 UTC

How about images in libpng's self tests:
----
/bin/sh ./libtool --mode=link --tag=CC x86_64-pc-linux-gnu-gcc  -Os -fomit-frame-pointer -march=native -pipe  -Wl,-O1 -Wl,--as-needed -o pngtest  pngtest.o libpng12.la -lz -lm
x86_64-pc-linux-gnu-gcc -Os -fomit-frame-pointer -march=native -pipe -Wl,-O1 -Wl,--as-needed -o .libs/pngtest pngtest.o  ./.libs/libpng12.so -lz -lm
creating pngtest
make[1]: Leaving directory `/var/tmp/paludis/media-libs/libpng-1.2.19/work/libpng-1.2.19'
make  check-TESTS
make[1]: Entering directory `/var/tmp/paludis/media-libs/libpng-1.2.19/work/libpng-1.2.19'
Testing libpng version 1.2.19
   with zlib   version 1.2.3

 libpng version 1.2.19 - August 18, 2007
   Copyright (c) 1998-2007 Glenn Randers-Pehrson
   Copyright (c) 1996-1997 Andreas Dilger
   Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.
 library (10219): libpng version 1.2.19 - August 18, 2007
     (PNGGCRD x86_64, PIC)
 pngtest (10219): libpng version 1.2.19 - August 18, 2007
 png_sizeof(png_struct)=1240, png_sizeof(png_info)=464
./test-pngtest.sh: line 3:  9826 Segmentation fault      ./pngtest ${srcdir}/pngtest.png
FAIL: test-pngtest.sh
========================================================
1 of 1 tests failed
Please report to png-mng-implement@lists.sourceforge.net
========================================================
make[1]: *** [check-TESTS] Error 1
make[1]: Leaving directory `/var/tmp/paludis/media-libs/libpng-1.2.19/work/libpng-1.2.19'
make: *** [check-am] Error 2
----

Comment 19 SpanKY gentoo-dev

2007-08-25 16:33:22 UTC

passed tests on my machine

ive added USE=mmx to the build which will do the CPPFLAGS="-DPNG_NO_MMX_CODE" automatically so people can work around this with USE=-mmx

Comment 20 Michał Bartoszkiewicz 2007-08-25 23:39:45 UTC

It crashes for me at:
(gdb) bt
#0  0x00002aaaaabf63f3 in sub_go () at pnggccrd.c:5137
Cannot access memory at address 0x13

Code around 0x00002aaaaabf63f3 is:
0x00002aaaaabf63ef <sub_go+10>: sub    %edx,%ecx
0x00002aaaaabf63f1 <sub_go+12>: mov    %ebp,%eax
0x00002aaaaabf63f3 <sub_go+14>: mov    %ecx,0xffffffffffffffd4(%rbp)
0x00002aaaaabf63f6 <sub_go+17>: mov    %rdi,0xffffffffffffffe8(%rbp)

"mov %ebp,%eax" is the last line of the asm block in pnggccrd.c:5137-5187.
The asm block clobbers the value of the %ebp register, which causes a segfault when gcc tries to load a variable from stack using it. The block contains _CLOBBER_ebp (which expands to ,"%ebp") in the clobber list, but gcc seems to ignore it. The solution would be to define SAVE_ebp and RESTORE_ebp on x86-64 (like it is used on x86).

Comment 21 Priit Laes (IRC: plaes) 2007-09-19 14:00:29 UTC

The MMX code has been removed from 1.2.20 version (due to the problems like these..)
So this can be marked as a depending on bug 192119

Comment 22 SpanKY gentoo-dev

2007-09-20 05:34:11 UTC

should be fixed with libpng-1.2.20