Undefined behavior when encoding AVIF image #2108

Open
@astral4

This happens with version 0.24.8. I am using an M1 MacBook Pro with rustc 1.75.0 (82e1608df 2023-12-21).

Running the program that brings up this issue results in zsh: illegal hardware instruction.

Miri output

The output of cargo +nightly miri run (using rustc 1.77.0-nightly (2319be8e2 2024-01-12)) is:

Preparing a sysroot for Miri (target: aarch64-apple-darwin)... done
     Running `/Users/***/.rustup/toolchains/nightly-aarch64-apple-darwin/bin/cargo-miri runner target/miri/aarch64-apple-darwin/debug/image-test`
error: Undefined Behavior: trying to retag from <9426063> for SharedReadOnly permission at alloc2467356[0x4], but that tag does not exist in the borrow stack for this location
   --> /Users/***/.rustup/toolchains/nightly-aarch64-apple-darwin/lib/rustlib/src/rust/library/core/src/slice/raw.rs:102:9
    |
102 |         &*ptr::slice_from_raw_parts(data, len)
    |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    |         |
    |         trying to retag from <9426063> for SharedReadOnly permission at alloc2467356[0x4], but that tag does not exist in the borrow stack for this location
    |         this error occurs as part of retag at alloc2467356[0x0..0xc]
    |
    = help: this indicates a potential bug in the program: it performed an invalid operation, but the Stacked Borrows rules it violated are still experimental
    = help: see https://github.com/rust-lang/unsafe-code-guidelines/blob/master/wip/stacked-borrows.md for further information
help: <9426063> was created by a SharedReadOnly retag at offsets [0x0..0x4]
   --> src/main.rs:13:10
    |
13  |     drop(AvifEncoder::new(sink()).write_image(&img, img.width(), img.height(), ColorType::Rgba8));
    |          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    = note: BACKTRACE (of the first span):
    = note: inside `std::slice::from_raw_parts::<'_, rgb::RGBA<u8>>` at /Users/***/.rustup/toolchains/nightly-aarch64-apple-darwin/lib/rustlib/src/rust/library/core/src/slice/raw.rs:102:9: 102:47
    = note: inside `<loop9::Triple<rgb::RGBA<u8>> as std::convert::AsRef<[rgb::RGBA<u8>]>>::as_ref` at /Users/***/.cargo/registry/src/index.crates.io-6f17d22bba15001f/loop9-0.1.4/src/lib.rs:25:13: 25:54
    = note: inside `<loop9::Triple<rgb::RGBA<u8>> as std::ops::Deref>::deref` at /Users/***/.cargo/registry/src/index.crates.io-6f17d22bba15001f/loop9-0.1.4/src/lib.rs:35:9: 35:22
    = note: inside `ravif::dirtyalpha::chain::<rgb::RGBA<u8>>` at /Users/***/.cargo/registry/src/index.crates.io-6f17d22bba15001f/ravif-0.11.4/src/dirtyalpha.rs:108:5: 108:15
    = note: inside closure at /Users/***/.cargo/registry/src/index.crates.io-6f17d22bba15001f/ravif-0.11.4/src/dirtyalpha.rs:31:12: 31:35
    = note: inside `loop9::loop9::<rgb::RGBA<u8>, {closure@ravif::dirtyalpha::blurred_dirty_alpha::{closure#0}}>` at /Users/***/.cargo/registry/src/index.crates.io-6f17d22bba15001f/loop9-0.1.4/src/lib.rs:115:13: 115:105
    = note: inside `loop9::loop9_img::<rgb::RGBA<u8>, {closure@ravif::dirtyalpha::blurred_dirty_alpha::{closure#0}}>` at /Users/***/.cargo/registry/src/index.crates.io-6f17d22bba15001f/loop9-0.1.4/src/lib.rs:62:5: 62:52
    = note: inside `ravif::dirtyalpha::blurred_dirty_alpha` at /Users/***/.cargo/registry/src/index.crates.io-6f17d22bba15001f/ravif-0.11.4/src/dirtyalpha.rs:27:5: 36:7
    = note: inside `ravif::av1encoder::Encoder::convert_alpha` at /Users/***/.cargo/registry/src/index.crates.io-6f17d22bba15001f/ravif-0.11.4/src/av1encoder.rs:236:17: 236:47
    = note: inside `ravif::av1encoder::Encoder::encode_rgba` at /Users/***/.cargo/registry/src/index.crates.io-6f17d22bba15001f/ravif-0.11.4/src/av1encoder.rs:188:25: 188:54
    = note: inside `<image::codecs::avif::AvifEncoder<std::io::Sink> as image::ImageEncoder>::write_image` at /Users/***/.cargo/registry/src/index.crates.io-6f17d22bba15001f/image-0.24.8/src/codecs/avif/encoder.rs:118:40: 118:72
note: inside `main`
   --> src/main.rs:13:10
    |
13  |     drop(AvifEncoder::new(sink()).write_image(&img, img.width(), img.height(), ColorType::Rgba8));
    |          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

note: some details are omitted, run with `MIRIFLAGS=-Zmiri-backtrace=full` for a verbose backtrace

error: aborting due to 1 previous error

Reproduction steps

  1. Clone this repository: https://github.com/astral4/image-test
  2. Run cargo run --release

I only observed UB on release builds with panic = "abort" and lto = true, but Miri still reports UB otherwise.
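
The Miri diagnostic in the report describes a tag created for offsets [0x0..0x4] being retagged for [0x0..0xc] inside `slice::from_raw_parts`, that is, a pointer with permission for one 4-byte element used to build a 3-element slice. The following is an added example of that class of bug next to a sound form; it is not code from the issue, `loop9`, `ravif` or `image`, and the `Triple` type and both method names are constructed for illustration.

```rust
use std::slice;

// Constructed stand-in for a three-item window type (NOT loop9's source).
// repr(C) fixes the field order, so the three `T`s are contiguous.
#[repr(C)]
pub struct Triple<T> {
    pub prev: T,
    pub curr: T,
    pub next: T,
}

impl<T> Triple<T> {
    /// Unsound "before": `&self.prev` is a reference to one `T`, so the raw
    /// pointer it coerces to carries permission for size_of::<T>() bytes only.
    /// Building a 3-element slice from it retags 3 * size_of::<T>() bytes,
    /// which Stacked Borrows rejects. Kept for comparison; never called here.
    #[allow(dead_code)]
    pub fn as_slice_unsound(&self) -> &[T] {
        unsafe { slice::from_raw_parts(&self.prev, 3) }
    }

    /// Sound "after": the pointer is derived from `&Triple<T>`, whose
    /// permission spans all three fields.
    pub fn as_slice(&self) -> &[T] {
        // Layout check: three `T`s and nothing else.
        assert_eq!(std::mem::size_of::<Self>(), 3 * std::mem::size_of::<T>());
        let base = (self as *const Self).cast::<T>();
        // SAFETY: `base` points at `prev`, followed by `curr` and `next`
        // (repr(C), same type, no padding), all borrowed for `&self`'s lifetime.
        unsafe { slice::from_raw_parts(base, 3) }
    }
}

fn main() {
    // Constructed sample: 4-byte pixels, matching the 0x4 / 0xc offsets above.
    let t = Triple { prev: [1u8, 2, 3, 4], curr: [5, 6, 7, 8], next: [9, 10, 11, 12] };
    println!("{:?}", t.as_slice());
}
```

A fix of this kind can be checked with `cargo +nightly miri run`, the same command used in the report.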
