<html>
    <head>
      <base href="https://bugs.freedesktop.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Priority</th>
          <td>medium
          </td>
        </tr>

        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW --- - A cairo-script triggering a valgrind's invalid read warning"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=82987">82987</a>
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>psychon@znc.in
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>A cairo-script triggering a valgrind's invalid read warning
          </td>
        </tr>

        <tr>
          <th>QA Contact</th>
          <td>cairo-bugs@cairographics.org
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Classification</th>
          <td>Unclassified
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>sixtysix@inwind.it
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>Other
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>xcb backend
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>cairo
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Created <span class=""><a href="attachment.cgi?id=105142" name="attach_105142" title="cairo script">attachment 105142</a> <a href="attachment.cgi?id=105142&action=edit" title="cairo script">[details]</a></span>
cairo script

valgrind --track-origins=yes util/cairo-script/.libs/csi-replay surf.trace

reports

==27834== Invalid read of size 4
==27834==    at 0x4ED0A3F: _upload_image_inplace
(cairo/src/cairo-xcb-surface-render.c:2811)
==27834==    by 0x4ED1769: _clip_and_composite_boxes
(cairo/src/cairo-xcb-surface-render.c:3109)
==27834==    by 0x4ED402B: _cairo_xcb_render_compositor_fill
(cairo/src/cairo-xcb-surface-render.c:3848)
==27834==    by 0x4E5CA36: _cairo_compositor_fill
(cairo/src/cairo-compositor.c:203)
==27834==    by 0x4ECA08D: _cairo_xcb_surface_fill
(cairo/src/cairo-xcb-surface.c:1013)
==27834==    by 0x4EA1D13: _cairo_surface_fill (cairo/src/cairo-surface.c:2315)
==27834==    by 0x4EA1D13: _cairo_surface_fill (cairo/src/cairo-surface.c:2315)
==27834==    by 0x4E6443B: _cairo_gstate_fill (cairo/src/cairo-gstate.c:1317)
==27834==    by 0x4E5DFE8: _cairo_default_context_fill
(cairo/src/cairo-default-context.c:1055)
==27834==    by 0x4E579D4: cairo_fill (cairo/src/cairo.c:2205)
==27834==    by 0x4C1BC5A: _do_cairo_op
(cairo/util/cairo-script/cairo-script-operators.c:581)
==27834==    by 0x4C1A865: csi_object_execute
(cairo/util/cairo-script/cairo-script-objects.c:631)
==27834==    by 0x4C28A47: token_end.isra.13
(cairo/util/cairo-script/cairo-script-scanner.c:165)
==27834==    by 0x4C2944F: _scan_file
(cairo/util/cairo-script/cairo-script-scanner.c:1092)
==27834==    by 0x4C29DB5: _csi_scan_file
(cairo/util/cairo-script/cairo-script-scanner.c:1406)
==27834==    by 0x4C1A8E3: csi_object_execute
(cairo/util/cairo-script/cairo-script-objects.c:636)
==27834==    by 0x4C197A7: cairo_script_interpreter_run
(cairo/util/cairo-script/cairo-script-interpreter.c:562)
==27834==    by 0x40102E: main (cairo/util/cairo-script/csi-replay.c:355)
==27834==  Address 0x596e524 is 20 bytes after a block of size 352 alloc'd
==27834==    at 0x4A0645D: malloc (in
/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==27834==    by 0x4EA75BC: cairo_surface_create_for_rectangle
(cairo/src/cairo-surface-subsurface.c:465)
==27834==    by 0x4C23F3E: _subsurface
(cairo/util/cairo-script/cairo-script-operators.c:5731)
==27834==    by 0x4C1A865: csi_object_execute
(cairo/util/cairo-script/cairo-script-objects.c:631)
==27834==    by 0x4C28A47: token_end.isra.13
(cairo/util/cairo-script/cairo-script-scanner.c:165)
==27834==    by 0x4C2944F: _scan_file
(cairo/util/cairo-script/cairo-script-scanner.c:1092)
==27834==    by 0x4C29DB5: _csi_scan_file
(cairo/util/cairo-script/cairo-script-scanner.c:1406)
==27834==    by 0x4C1A8E3: csi_object_execute
(cairo/util/cairo-script/cairo-script-objects.c:636)
==27834==    by 0x4C197A7: cairo_script_interpreter_run
(cairo/util/cairo-script/cairo-script-interpreter.c:562)
==27834==    by 0x40102E: main (cairo/util/cairo-script/csi-replay.c:355)

cairo configured with (at least): --enable-xlib-xcb --enable-valgrind=no
csi-replay.c patched so that SINGLE_SURFACE is #defined 0

The problem seems to be that _upload_image_inplace
(src/cairo-xcb-surface-render.c:2804) casts pattern->surface to an 
image_surface, which is not always right, even if

pattern->surface->type == CAIRO_SURFACE_TYPE_IMAGE


It seems that none of the tests in test/*.c exercises that code path
with pattern->surface->backend->type == CAIRO_SURFACE_TYPE_SUBSURFACE


from a quick reading of the code I'd say a possible alternative is
to cast the result of:

_cairo_pattern_get_source (pattern, NULL);
 or
_cairo_surface_get_source (pattern->surface, NULL);

instead of pattern->surface.</pre>
        </div>
      </p>
      <hr>
      <span>You are receiving this mail because:</span>
      
      <ul>
          <li>You are the QA Contact for the bug.</li>
      </ul>
    </body>
</html>