Reasoning:
In `HuffmanTablesSegment` (`src/utils/huffman_utils.h`), `start`
was annotated `WEBP_COUNTED_BY_OR_NULL(size)` as it points to an
allocation of `size` elements. `curr_table` was annotated
`WEBP_UNSAFE_INDEXABLE` because it iterates within `[start, start
+ size)`, a bound that cannot be expressed statically in the struct
without ABI changes. The code manually checks bounds for
`curr_table` (e.g., `src/utils/huffman_utils.c:240-241`). To
support the annotation on `start`, allocation sites in
`VP8LBuildHuffmanTable` and `VP8LHuffmanTablesAllocate`
(`src/utils/huffman_utils.c`) were refactored to assign `start` and
`size` side-by-side, using `WEBP_BIDI_INDEXABLE` local variables to
hold the safe pointer returned by `WebPSafeMalloc`.
`VP8LHuffmanTablesDeallocate` was updated to set `size` to 0 when
`start` is freed.
The `root_table` parameter of `BuildHuffmanTable`
(`src/utils/huffman_utils.c:86`) was annotated `WEBP_BIDI_INDEXABLE` to
accommodate accesses to secondary tables beyond the `root table` size
since with explicitly annotating the local variable `table`
as `WEBP_BIDI_INDEXABLE`, `table` inherits its bounds from `root_table`.
Call sites in `VP8LBuildHuffmanTable`
required `WEBP_UNSAFE_FORGE_BIDI_INDEXABLE` to convert the unsafe
`curr_table` to the safe `root_table`.
The `table` parameter of `ReplicateValue`
(`src/utils/huffman_utils.c:59`) was annotated
`WEBP_COUNTED_BY(end - step + 1)` and the function was refactored to
avoid modifying `end`. Call sites in `BuildHuffmanTable` required
`WEBP_UNSAFE_FORGE_BIDI_INDEXABLE` because the strided access
patterns used for Huffman table construction cannot be statically
verified by the compiler.
Bug: 432511821
Change-Id: I77c5c82ac36bc9bb79cd5119a4113ac5d62af762
Reasoning:
The `palette` parameter in `GetColorPalette` (src/utils/palette.c:100)
was annotated with `WEBP_COUNTED_BY_OR_NULL(MAX_PALETTE_SIZE)` to fix
an array subscript error at src/utils/palette.c:146. This annotation
reflects the function's contract, documented in src/utils/palette.h,
which states that if `palette` is not NULL, it must point to memory
allocated for at least `MAX_PALETTE_SIZE` elements. To make
`MAX_PALETTE_SIZE` visible, `src/webp/format_constants.h` was included
in `src/utils/palette.h`. Consequently, the wrapper function
`WebPGetColorPalette` (src/utils/utils.c:273) and its declaration in
`src/utils/utils.h` were also annotated similarly, requiring the
inclusion of `src/webp/format_constants.h` in `src/utils/utils.h` as
well. This resolved a compilation error caused by the type mismatch
when calling the annotated `GetColorPalette` from `WebPGetColorPalette`.
Bug: 432511821
Change-Id: Iceebf2facf9558dd49889f056f028d9a3fb22d41
Reasoning:
Analysis of `GetLE32` and its called function `GetLE16`
(src/utils/utils.h:95) showed that `GetLE32` requires access to 4
bytes starting from `data`. `GetLE16` accesses 2 bytes.
Therefore, `WEBP_COUNTED_BY(4)` was added to the `data` parameter of
`GetLE32`. Similarly, `WEBP_COUNTED_BY(2)` was added to `GetLE16`.
During this analysis, related functions `GetLE24`, `PutLE16`,
`PutLE24`, and `PutLE32` (src/utils/utils.h lines 99-123) were also
identified as needing similar annotations. They were annotated with
`WEBP_COUNTED_BY(3)`, `WEBP_COUNTED_BY(2)`, `WEBP_COUNTED_BY(3)`, and
`WEBP_COUNTED_BY(4)` respectively, based on the number of bytes they
access or modify.
Bug: 432511821
Change-Id: I5783392bc8dcaa2f346a81928ef496fc52da3a30
Reasoning:
Analysis of `VP8LColorCacheInit`
(src/utils/color_cache_utils.c:29) revealed that `colors` is allocated
using `WebPSafeCalloc` with a size of `1 << hash_bits`. Therefore,
`colors` was annotated with `WEBP_COUNTED_BY_OR_NULL(1u << hash_bits)`.
To support this, `WebPSafeCalloc` (src/utils/utils.h:59,
src/utils/utils.c:214) was annotated to return
`WEBP_SIZED_BY_OR_NULL(nmemb * size)`. Since `WebPSafeCalloc` returns a
local pointer that defaults to unsafe when bounds safety is suppressed,
`WEBP_UNSAFE_FORGE_BIDI_INDEXABLE` was used on the return value
(src/utils/utils.c:222). Similarly, `VP8LColorCacheInit` required
`WEBP_UNSAFE_FORGE_BIDI_INDEXABLE` when assigning the allocated pointer
to the struct field (src/utils/color_cache_utils.c:47). Finally,
`VP8LColorCacheInit` and `VP8LColorCacheClear` were modified to perform
side-by-side assignments to `colors` and `hash_bits` as required by the
`WEBP_COUNTED_BY_OR_NULL` annotation, using self-assignment for
`hash_bits` when necessary to maintain functional equivalence with the
original code.
Bug: 432511821
Change-Id: I63cb46909d883a2e8932043ac3117b05b37e8d40
Import bounds_safety.h across all of webputils, with one exception being
dsp.h, since it's imported by webputils.h in one place. Also prepend
WEBP_ASSUME_UNSAFE_INDEXABLE_ABI to every webputil file to indicate to
the compiler that every pointer should be treated as __unsafe_indexable.
We also need to replace memcpy/memset/memmove with the unsafe variants
WEBP_UNSAFE_*, as memcpy/memset/memmove require bounded/sized pointers.
With this change, all of libwebputils (and libwebp) should build with
-DWEBP_ENABLE_FBOUNDS_SAFETY=true
Change-Id: Iad87be0455182d534c074ef6dc1a30fa66b74b6c
(Debian clang-format version 19.1.7 (3+build4)) with `--style=Google`.
Manual changes:
* clang-format disabled around macros with stringification (mostly
assembly)
* some inline assembly strings were adjusted to avoid awkward line
breaks
* trailing commas, `//` or suffixes (`ull`) added to help array
formatting
* thread_utils.c: parameter comments were changed to the more common
/*...=*/ style to improve formatting
The automatically generated code under swig/ was skipped.
Bug: 433996651
Change-Id: Iea3f24160d78d2a2653971cdf13fa932e47ff1b3
this fixes runtime warnings with clang -fsanitize=integer when using the
WEBP_ALIGN_CST constant in WEBP_ALIGN:
implicit conversion from type 'int' of value -32 (32-bit, signed) to
type 'unsigned int' changed the value to 4294967264 (32-bit, unsigned)
Bug: b/229626362
Change-Id: I524d80e620b9869de4e6d322b7de6ffa1ec8657f
and use it in calls containing _mm_cvtsi32_si128; this calls
WebPUint32ToMem, but corrects the type to avoid runtime warnings with
clang -fsanitize=integer of the form:
implicit conversion from type 'int' of value -1904123502 (32-bit,
signed) to type 'uint32_t' (aka 'unsigned int') changed the value to
2390843794 (32-bit, unsigned)
Bug: b/229626362
Change-Id: I20545e822d8045fa44f688241879206055a0a148
and use it with calls to _mm_cvtsi32_si128 and _mm_set_epi32; this calls
WebPMemToUint32, but corrects the type to avoid runtime warnings with
clang -fsanitize=integer of the form:
implicit conversion from type 'uint32_t' (aka 'unsigned int') of value
2155905152 (32-bit, unsigned) to type 'int' changed the value to
-2139062144 (32-bit, signed)
Bug: b/229626362
Change-Id: I50101ba2b46dfaa852f02d46830f3511c80b02d9
similar to '* const', __restrict needs to be included in the
declaration to avoid warnings like:
src\dsp\alpha_processing.c(429): warning C4028: formal parameter 1
different from declaration
this change also moves WEBP_RESTRICT to dsp.h to avoid a circular
dependency between it and utils.h which already includes dsp.h
Change-Id: Ib070d358a372e76fae4be5445ab288940b9baac0
Marking the `VP8BitReader` as `__restrict__` helps the compiler generate
better code avoiding issues related to aliasing (re-loads/stores).
Change-Id: Ib7178f57e27e5f40572efc3e567cdf994ea6d928
no change in object code
from clang-7 -fsanitize=implicit-integer-truncation
implicit conversion from type 'int' of value 39736 (32-bit, signed) to type 'uint8_t' (aka 'unsigned char') changed the value to 56 (8-bit, unsigned)
Change-Id: I0ecf24c5b1b11e056c58b3b85ea529c30cdadf57
this can result in an alignment hint on arm causing a SIGBUS. casting
the input ptr to anything aside from its type is unnecessary for memcpy
and is contrary to the intent of this function.
Change-Id: I9a4d3f4be90f80cd8c3e96ccbe557e51e34cf7a5
including the type in the macro doesn't bring much benefit to ordering,
current platforms work with a prefix, this would be insufficient if the
attribute needed to follow the function prototype. this form makes it
easier to override on the command line.
BUG=webp:355
Change-Id: Iba41ec0bb319403054be0e899c4cc472dd932fd9
30% faster on x86, 5% faster on N5.
New generic function: WebPLog2FloorC()
This function is called as fallback for BitsLog2Floor() when there's
no clz() available.
Change-Id: Ica15c6092112e514c0e200fab89c434de48d4b19
MAX_COLOR_COUNT was just a synonym and its use in the header was a bit
strange given the visibility of that define.
Change-Id: I536964ddc14a0c48263191b6afb80695b5a038e6
This was defined (slightly differently) at two places. Created a common
method and moved to utils/utils.[hc].
Change-Id: I66c3ac6dea24e0cd2c0eaa5440f3142b4dbbe23b
This reverts commit 169004b1d5.
this changes the ABI, so should bump versions and add a note to NEWS
when we're ready to expose it
Change-Id: Ic5bbd0aee2b6fd0f9d438a9effedf22fe0cec4bf
This was defined (slightly differently) at two places. Created a common
method and moved to utils/utils.[hc].
Change-Id: I19adc9c48f2a4e2ec9d995e78add6f25172774c2
add WEBP_UBSAN_IGNORE_UNDEF to WebPMemToUint32() / WebPUint32ToMem()
when WEBP_FORCE_ALIGNED is unset
Change-Id: I726b2e708ce29681584eb10c8874d5cf1e798756
Note that ALIGN_CST is still kept different in dec/frame.c for now,
because the values is 31 there, not 15. We might re-unite these two
later.
Change-Id: Ibbee607fac4eef02f175b56f0bb0ba359fda3b87
_BitScanReverse() takes an unsigned long*
http://msdn.microsoft.com/en-us/library/fbxyd7zd.aspx
fixes:
C4057: 'function': 'unsigned long *' differs in indirection to slightly
different base types from 'uint32_t *'
fixes issue #253
Change-Id: I0101ef7be18c7ed188b35e9b17e7f71290953786
there's still some malloc/free in the external example
This is an encoder API change because of the introduction
of WebPMemoryWriterClear() for symmetry reasons.
The MemoryWriter object should probably go in examples/ instead
of being in the main lib, though.
mux_types.h stil contain some inlined free()/malloc() that are
harder to remove (we need to put them in the libwebputils lib
and make sure link is ok). Left as a TODO for now.
Also: WebPDecodeRGB*() function are still returning a pointer
that needs to be free()'d. We should call WebPSafeFree() on
these, but it means exposing the whole mechanism. TODO(later).
Change-Id: Iad2c9060f7fa6040e3ba489c8b07f4caadfab77b
rather than symlink the webm/vpx terms, use the same header as libvpx to
reference in-tree files
based on the discussion in:
https://codereview.chromium.org/12771026/
Change-Id: Ia3067ecddefaa7ee01550136e00f7b3f086d4af4
- Separate out mux.h and demux.h
- muxtypes.h: new header for data types common to mux/demux
- Move some misc read/write utilities to utils/utils.h
- Remove some duplicate methods.
- Separate out mux/demux libraries
Change-Id: If9b9569b10d55d922ad9317ef51710544315d6de
