
oss-fuzz: SIGSEGV in dav1d_ipred_filter_avx2.w32_loop

This bug mirrors [https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=13141] for wider access. It is reproducible only in the oss-fuzz docker image, via python infra/helper.py reproduce dav1d dav1d_fuzzer clusterfuzz-testcase-minimized-dav1d_fuzzer-5697181166600192, and even there it does not reproduce every time. Note that the faulting instruction in the disassembly below (vpinsrd $0x2,(%rdi,%r8,1),%xmm9,%xmm9) is a load from rdi + r8, with r8 = 0x4ffc in the register dump while rdi is also the pointer the loop stores to, so the crash appears to be an out-of-bounds read rather than a write (to be confirmed).

gdb --args /out/dav1d/dav1d_fuzzer -runs=200 /out/dav1d/clusterfuzz-testcase-minimized-dav1d_fuzzer-5697181166600192
...
Thread 1 "dav1d_fuzzer" received signal SIGSEGV, Segmentation fault.
0x000000000064fa59 in dav1d_ipred_filter_avx2.w32_loop ()
(gdb) bt
#0  0x000000000064fa59 in dav1d_ipred_filter_avx2.w32_loop ()
#1  0x00000000005deb8a in dav1d_recon_b_intra_8bpc () at ../../src/dav1d/src/recon_tmpl.c:841
#2  0x000000000055f9e9 in decode_b () at ../../src/dav1d/src/decode.c:1175
#3  0x000000000054be0e in decode_sb () at ../../src/dav1d/src/decode.c:2130
#4  0x000000000054ba84 in decode_sb () at ../../src/dav1d/src/decode.c:2088
#5  0x00000000005496ec in dav1d_decode_tile_sbrow () at ../../src/dav1d/src/decode.c:2542
#6  0x00000000005518ec in dav1d_decode_frame () at ../../src/dav1d/src/decode.c:2915
#7  0x0000000000557e5c in dav1d_submit_frame () at ../../src/dav1d/src/decode.c:3373
#8  0x000000000053a3b1 in dav1d_parse_obus () at ../../src/dav1d/src/obu.c:1486
#9  0x0000000000534168 in dav1d_get_picture () at ../../src/dav1d/src/lib.c:367
#10 0x0000000000530a2f in LLVMFuzzerTestOneInput ()
    at ../../src/dav1d/tests/libfuzzer/dav1d_fuzzer.c:156
#11 0x00000000006bccb7 in ExecuteCallback () at /src/libfuzzer/FuzzerLoop.cpp:527
#12 0x00000000006869c7 in RunOneTest () at /src/libfuzzer/FuzzerDriver.cpp:286
#13 0x0000000000692364 in FuzzerDriver () at /src/libfuzzer/FuzzerDriver.cpp:714
#14 0x000000000068603d in main () at /src/libfuzzer/FuzzerMain.cpp:19
Warning: the current language does not match this frame.
(gdb) disassemble
Dump of assembler code for function dav1d_ipred_filter_avx2.w32_loop:
   0x000000000064fa54 <+0>:     vmovq  (%rdi,%rcx,4),%xmm9
=> 0x000000000064fa59 <+5>:     vpinsrd $0x2,(%rdi,%r8,1),%xmm9,%xmm9
   0x000000000064fa60 <+12>:    vpalignr $0xc,%ymm0,%ymm9,%ymm9
   0x000000000064fa66 <+18>:    vpblendd $0xe2,%ymm7,%ymm9,%ymm0
   0x000000000064fa6c <+24>:    vmovdqa %xmm7,%xmm13
   0x000000000064fa70 <+28>:    callq  0x64fb80 <dav1d_ipred_filter_avx2.main>
   0x000000000064fa75 <+33>:    vpblendd $0xf0,%ymm10,%ymm12,%ymm9
   0x000000000064fa7b <+39>:    vpblendd $0xc0,%ymm6,%ymm12,%ymm12
   0x000000000064fa81 <+45>:    vpshufd $0xff,%ymm9,%ymm9
   0x000000000064fa87 <+51>:    vpblendd $0xee,%ymm6,%ymm9,%ymm9
   0x000000000064fa8d <+57>:    vpblendd $0xc,%ymm7,%ymm9,%ymm10
   0x000000000064fa93 <+63>:    vpshufb %ymm14,%ymm10,%ymm10
   0x000000000064fa98 <+68>:    vpshufd $0x0,%ymm10,%ymm6
   0x000000000064fa9e <+74>:    vpmaddubsw %ymm2,%ymm6,%ymm6
   0x000000000064faa3 <+79>:    vpshufd $0x55,%ymm10,%ymm9
   0x000000000064faa9 <+85>:    vpmaddubsw %ymm3,%ymm9,%ymm9
   0x000000000064faae <+90>:    vpaddw %ymm1,%ymm6,%ymm6
   0x000000000064fab2 <+94>:    vpaddw %ymm6,%ymm9,%ymm6
   0x000000000064fab6 <+98>:    vpshufd $0xaa,%ymm10,%ymm9
   0x000000000064fabc <+104>:   vpmaddubsw %ymm4,%ymm9,%ymm9
   0x000000000064fac1 <+109>:   vpaddw %ymm6,%ymm9,%ymm6
   0x000000000064fac5 <+113>:   vpshufd $0xff,%ymm10,%ymm9
   0x000000000064facb <+119>:   vpmaddubsw %ymm5,%ymm9,%ymm9
   0x000000000064fad0 <+124>:   vpaddw %ymm6,%ymm9,%ymm6
   0x000000000064fad4 <+128>:   vpsraw $0x4,%ymm6,%ymm6
   0x000000000064fad9 <+133>:   vpermq $0x4e,%ymm6,%ymm9
   0x000000000064fadf <+139>:   vpackuswb %ymm9,%ymm6,%ymm6
   0x000000000064fae4 <+144>:   vpblendd $0x30,%ymm6,%ymm12,%ymm12
   0x000000000064faea <+150>:   vpermd %ymm12,%ymm11,%ymm9
   0x000000000064faef <+155>:   vpblendd $0xc,%xmm7,%xmm13,%xmm12
   0x000000000064faf5 <+161>:   vmovdqa %xmm9,(%rdi)
   0x000000000064faf9 <+165>:   vextracti128 $0x1,%ymm9,(%rdi,%rsi,1)
   0x000000000064fb00 <+172>:   lea    (%rdi,%rsi,2),%rdi
   0x000000000064fb04 <+176>:   sub    $0x2,%r9d
   0x000000000064fb08 <+180>:   jg     0x64fa54 <dav1d_ipred_filter_avx2.w32_loop>
   0x000000000064fb0e <+186>:   vpblendd $0x4,%xmm10,%xmm6,%xmm7
   0x000000000064fb14 <+192>:   vpshufd $0x4e,%xmm7,%xmm7
   0x000000000064fb19 <+197>:   vpshufb -0x14c(%rax),%xmm7,%xmm7
   0x000000000064fb22 <+206>:   vpshufd $0x0,%xmm7,%xmm0
   0x000000000064fb27 <+211>:   vpmaddubsw %xmm2,%xmm0,%xmm0
   0x000000000064fb2c <+216>:   vpshufd $0x55,%xmm7,%xmm9
   0x000000000064fb31 <+221>:   vpmaddubsw %xmm3,%xmm9,%xmm9
   0x000000000064fb36 <+226>:   vpaddw %xmm1,%xmm0,%xmm0
   0x000000000064fb3a <+230>:   vpaddw %xmm0,%xmm9,%xmm0
   0x000000000064fb3e <+234>:   vpshufd $0xaa,%xmm7,%xmm9
   0x000000000064fb43 <+239>:   vpmaddubsw %xmm4,%xmm9,%xmm9
   0x000000000064fb48 <+244>:   vpaddw %xmm0,%xmm9,%xmm0
   0x000000000064fb4c <+248>:   vpshufd $0xff,%xmm7,%xmm9
   0x000000000064fb51 <+253>:   vpmaddubsw %xmm5,%xmm9,%xmm9
   0x000000000064fb56 <+258>:   vpaddw %xmm0,%xmm9,%xmm0
   0x000000000064fb5a <+262>:   vpsraw $0x4,%xmm0,%xmm0
   0x000000000064fb5f <+267>:   vpackuswb %xmm0,%xmm0,%xmm0
   0x000000000064fb63 <+271>:   vpblendd $0xc,%xmm0,%xmm6,%xmm6
   0x000000000064fb69 <+277>:   vshufps $0x88,%xmm6,%xmm12,%xmm0
   0x000000000064fb6e <+282>:   vshufps $0xdd,%xmm6,%xmm12,%xmm6
   0x000000000064fb73 <+287>:   vmovdqa %xmm0,(%rdi)
   0x000000000064fb77 <+291>:   vmovdqa %xmm6,(%rdi,%rsi,1)
   0x000000000064fb7c <+296>:   vzeroupper
   0x000000000064fb7f <+299>:   retq
End of assembler dump.
(gdb) info registers
rax            0x7bfd3c 8125756
rbx            0x64f570 6616432
rcx            0xffe    4094
rdx            0x7ffff7f5049a   140737353417882
rsi            0x1000   4096
rdi            0x7ffff1e74710   140737251854096
rbp            0x7fffffffd4f0   0x7fffffffd4f0
rsp            0x7fffffffd078   0x7fffffffd078
r8             0x4ffc   20476
r9             0x2      2
r10            0x1      1
r11            0xd      13
r12            0x20     32
r13            0x18     24
r14            0x20     32
r15            0xe0     224
rip            0x64fa59 0x64fa59 <dav1d_ipred_filter_avx2.w32_loop+5>
eflags         0x10202  [ IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0

clusterfuzz-testcase-minimized-dav1d_fuzzer-5697181166600192
