When using spicec, I occasionnally get the warning below from libjpeg-turbo: ==13781== Invalid read of size 8 ==13781== at 0x308722E4F4: ??? (in /usr/lib64/libjpeg.so.62.0.0) ==13781== by 0xE29B7FF: ??? ==13781== by 0x308722E56A: ??? (in /usr/lib64/libjpeg.so.62.0.0) ==13781== by 0x308721E1F4: merged_2v_upsample (jdmerge.c:183) ==13781== by 0x308721A123: process_data_simple_main (jdmainct.c:369) ==13781== by 0x308721564D: jpeg_read_scanlines (jdapistd.c:175) ==13781== by 0x49D9B4: MJpegDecoder::decode_data(unsigned char*, unsigned long) (mjpeg_decoder.cpp:237) ==13781== by 0x475DE8: VideoStream::maintenance() (display_channel.cpp:398) ==13781== by 0x475FDF: VideoStream::handle_update_mark(unsigned long) (display_channel.cpp:439) ==13781== by 0x47A8C4: DisplayChannel::on_streams_trigger() (display_channel.cpp:1725) ==13781== by 0x4761D9: StreamsTrigger::on_event() (display_channel.cpp:484) ==13781== by 0x40B124: EventSources::Trigger::action() (event_sources_p.cpp:193) ==13781== by 0x40ABF4: EventSources::wait_events(int) (event_sources_p.cpp:121) ==13781== by 0x4A664C: ProcessLoop::run() (process_loop.cpp:281) ==13781== by 0x4BE3C1: RedChannel::run() (red_channel.cpp:491) ==13781== by 0x4BDA4F: RedChannel::worker_main(void*) (red_channel.cpp:340) ==13781== by 0x4C36B30: start_thread (pthread_create.c:305) ==13781== by 0x30756DFD2C: clone (clone.S:115) ==13781== Address 0xf41ce78 is 1,160 bytes inside a block of size 1,164 alloc'd ==13781== at 0x4A0649D: malloc (vg_replace_malloc.c:236) ==13781== by 0x49AA57: spice_malloc (mem.c:88) ==13781== by 0x49D987: MJpegDecoder::decode_data(unsigned char*, unsigned long) (mjpeg_decoder.cpp:236) ==13781== by 0x475DE8: VideoStream::maintenance() (display_channel.cpp:398) ==13781== by 0x475FDF: VideoStream::handle_update_mark(unsigned long) (display_channel.cpp:439) ==13781== by 0x47A8C4: DisplayChannel::on_streams_trigger() (display_channel.cpp:1725) ==13781== by 0x4761D9: StreamsTrigger::on_event() (display_channel.cpp:484) ==13781== by 0x40B124: EventSources::Trigger::action() (event_sources_p.cpp:193) ==13781== by 0x40ABF4: EventSources::wait_events(int) (event_sources_p.cpp:121) ==13781== by 0x4A664C: ProcessLoop::run() (process_loop.cpp:281) ==13781== by 0x4BE3C1: RedChannel::run() (red_channel.cpp:491) ==13781== by 0x4BDA4F: RedChannel::worker_main(void*) (red_channel.cpp:340) ==13781== by 0x4C36B30: start_thread (pthread_create.c:305) ==13781== by 0x30756DFD2C: clone (clone.S:115) ==13781== It's trying to read 4 bytes outside of the buffer I allocated to read 1 scanline: while (_y < _height) { free(_scanline); _scanline = (uint8_t *)spice_malloc(_cinfo.output_width * _cinfo.output_components * sizeof(JSAMPLE)); res = jpeg_read_scanlines(&_cinfo, &_scanline, 1); if (res == 0) { break; } convert_scanline(); _y++; } _cinfo.output_width is 388, _cinfo.output_components is 3. The only similar backtrace I could find on google is http://code.google.com/p/chromium/issues/detail?id=72399 , but when I tried to rebuild the sources with their patch applied, it didn't compile. Let me know if you need any additional information/investigation done to help figure out why this invalid read is happening.
I get a similar problem when valgrinding LibreOffice (its chart2/qa/unoapi test triggers this) on Fedora 15 x86_64, Invalid read of size 8 at ??? (in jsimd_idct_islow_sse2 assembler code) by jsimd_idct_islow (.../libjpeg-turbo-1.1.1/simd/jsimd_x86_64.c:662) by jsimd_ycc_rgb_convert (.../libjpeg-turbo-1.1.1/simd/jsimd_x86_64.c:133) by sep_upsample (.../libjpeg-turbo-1.1.1/jdsample.c:132) by process_data_simple_main (.../libjpeg-turbo-1.1.1/jdmainct.c:369) by jpeg_read_scanlines (.../libjpeg-turbo-1.1.1/jdapistd.c:175) by ReadJPEG (.../libreoffice/core/svtools/source/filter/jpeg/jpegc.c:196) Address 0x241290c4 is 26,692 bytes inside a block of size 26,696 alloc'd at malloc (.../valgrind/trunk/coregrind/m_replacemalloc/vg_replace_malloc.c:263) by rtl_allocateMemory_SYSTEM (.../libreoffice/core/sal/rtl/source/alloc_global.c:278) by rtl_allocateMemory (.../libreoffice/core/sal/rtl/source/alloc_global.c:308) by JPEGReader::CreateBitmap(void*) (.../libreoffice/core/svtools/source/filter/jpeg/jpeg.cxx:403) by ReadJPEG (.../libreoffice/core/svtools/source/filter/jpeg/jpegc.c:158) This appears to be benign, the jsimd_idct_islow_sse2 assembler code apparently reading 8-byte-sized chunks and thus including 4 bytes past the end of the buffer, for a buffer whose length is a multiple of 4 but not of 8. If I manually change the malloc size by +4, this valgrind error goes (naturally) away and valgrind also does not complain about use of uninitialized memory afterwards, so the way jsimd_idct_islow_sse2 uses the excess 4 bytes appears to indeed be harmless.
In my opinion this is only cosmetic issue and doesn't cause any real problem/crash. I opened following ticket in upstream: https://sourceforge.net/tracker/?func=detail&aid=3436130&group_id=303195&atid=1278158 I'm closing this ticket. If upstream decides that this issue should be fixed, fix will be included into Fedora when upstream releases new tarball.
(In reply to comment #1) > I get a similar problem when valgrinding LibreOffice (its chart2/qa/unoapi > test triggers this) on Fedora 15 x86_64, Is it difficult to reproduce this test? I tried, but gave up after ~15 minutes.
Re comment #3, . Env.Host.sh cd chart2 VALGRIND=memcheck make -r "${WORKDIR?}"/JunitTest/chart2_unoapi/done should suffice to reproduce it from within a LibreOffice build, but the valgrind run can indeed take quite a while.