Bug 17096 - nautilus crashed with SIGSEGV in cairo_surface_get_font_options()
Summary: nautilus crashed with SIGSEGV in cairo_surface_get_font_options()
Status: RESOLVED FIXED
Alias: None
Product: cairo
Classification: Unclassified
Component: general
Version: 1.6.4
Hardware: x86 (IA32) Linux (All)
: medium normal
Assignee: Emmanuel Pacaud
QA Contact: cairo-bugs mailing list
 
Reported: 2008-08-12 13:05 UTC by Pedro Villavicencio
Modified: 2008-10-10 11:06 UTC



Description Pedro Villavicencio 2008-08-12 13:05:19 UTC
This report has been filed here:

https://bugs.edge.launchpad.net/ubuntu/+source/cairo/+bug/256508

".
Thread 3 (process 7638):
#0  0xb8092424 in __kernel_vsyscall ()
#1  0xb73a3392 in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib/tls/i686/cmov/libpthread.so.0
#2  0xb772913d in g_cond_timed_wait_posix_impl (cond=0x8d365b0, entered_mutex=0x80, abs_time=0x7)
    at /build/buildd/glib2.0-2.17.6/gthread/gthread-posix.c:242
	result = <value optimized out>
	end_time = {tv_sec = 1218329403, tv_nsec = 179362000}
	timed_out = <value optimized out>
	__PRETTY_FUNCTION__ = "g_cond_timed_wait_posix_impl"
#3  0xb75d21f9 in g_async_queue_pop_intern_unlocked (queue=0x8885600, try=<value optimized out>, 
    end_time=0xb6926324) at /build/buildd/glib2.0-2.17.6/glib/gasyncqueue.c:365
	retval = <value optimized out>
	__PRETTY_FUNCTION__ = "g_async_queue_pop_intern_unlocked"
#4  0xb75d22f7 in IA__g_async_queue_timed_pop (queue=0x8885600, end_time=0xb6926324)
    at /build/buildd/glib2.0-2.17.6/glib/gasyncqueue.c:491
	retval = <value optimized out>
	__PRETTY_FUNCTION__ = "IA__g_async_queue_timed_pop"
#5  0xb7624953 in g_thread_pool_thread_proxy (data=0x88c5620)
    at /build/buildd/glib2.0-2.17.6/glib/gthreadpool.c:121
	task = <value optimized out>
	pool = (GRealThreadPool *) 0x0
#6  0xb762334f in g_thread_create_proxy (data=0x88c5698) at /build/buildd/glib2.0-2.17.6/glib/gthread.c:635
	__PRETTY_FUNCTION__ = "g_thread_create_proxy"
#7  0xb739f4ff in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
#8  0xb731c64e in clone () from /lib/tls/i686/cmov/libc.so.6
.
Thread 2 (process 7637):
#0  0xb8092424 in __kernel_vsyscall ()
#1  0xb7311de7 in poll () from /lib/tls/i686/cmov/libc.so.6
#2  0xb75fbd12 in g_main_context_iterate (context=0x8884d90, block=1, dispatch=1, self=0x8855408)
    at /build/buildd/glib2.0-2.17.6/glib/gmain.c:3033
	max_priority = 2147483647
	timeout = 500
	some_ready = <value optimized out>
	nfds = 16
	allocated_nfds = <value optimized out>
	fds = (GPollFD *) 0x8acdde8
	__PRETTY_FUNCTION__ = "g_main_context_iterate"
#3  0xb75fc3a2 in IA__g_main_loop_run (loop=0x88e1278) at /build/buildd/glib2.0-2.17.6/glib/gmain.c:2928
	self = (GThread *) 0x8855408
	__PRETTY_FUNCTION__ = "IA__g_main_loop_run"
#4  0xb7a17ce9 in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
#5  0x080803ab in main (argc=5, argv=0xbfcae824) at nautilus-main.c:581
	kill_shell = 0
	restart_shell = 0
	no_default_window = 0
	browser_window = 0
	no_desktop = 0
	autostart_mode = 0
	startup_id = <value optimized out>
	autostart_id = <value optimized out>
	startup_id_copy = 0x88a4b48 "My Book.volume"
	session_to_load = 0x0
	geometry = (gchar *) 0x0
	remaining = (const gchar **) 0x0
	perform_self_check = 0
	context = <value optimized out>
	application = (NautilusApplication *) 0x8881850
	program = (GnomeProgram *) 0x8868858
	options = {{long_name = 0x8161b5c "check", short_name = 99 'c', flags = 0, arg = G_OPTION_ARG_NONE, 
    arg_data = 0xbfcae6f0, description = 0x8161bcc "Perform a quick set of self-check tests.", 
    arg_description = 0x0}, {long_name = 0x81657cf "geometry", short_name = 103 'g', flags = 0, 
    arg = G_OPTION_ARG_STRING, arg_data = 0xbfcae6f8, 
    description = 0x8161bf8 "Create the initial window with the given geometry.", 
    arg_description = 0x81619e9 "GEOMETRY"}, {long_name = 0x81619f2 "no-default-window", 
    short_name = 110 'n', flags = 0, arg = G_OPTION_ARG_NONE, arg_data = 0xbfcae708, 
    description = 0x8161c2c "Only create windows for explicitly specified URIs.", arg_description = 0x0}, {
    long_name = 0x8161a04 "no-desktop", short_name = 0 '\0', flags = 0, arg = G_OPTION_ARG_NONE, 
    arg_data = 0xbfcae700, 
    description = 0x8161c60 "Do not manage the desktop (ignore the preference set in the preferences dialog).", arg_description = 0x0}, {long_name = 0x81648fe "browser", short_name = 0 '\0', flags = 0, 
    arg = G_OPTION_ARG_NONE, arg_data = 0xbfcae704, description = 0x8161a0f "open a browser window.", 
    arg_description = 0x0}, {long_name = 0x8161b64 "quit", short_name = 113 'q', flags = 0, 
    arg = G_OPTION_ARG_NONE, arg_data = 0xbfcae710, description = 0x8161a26 "Quit Nautilus.", 
    arg_description = 0x0}, {long_name = 0x8161b6b "restart", short_name = 0 '\0', flags = 1, 
    arg = G_OPTION_ARG_NONE, arg_data = 0xbfcae70c, description = 0x8161a35 "Restart Nautilus.", 
    arg_description = 0x0}, {long_name = 0x8166ae8 "", short_name = 0 '\0', flags = 0, 
    arg = G_OPTION_ARG_STRING_ARRAY, arg_data = 0xbfcae6f4, description = 0x0, 
    arg_description = 0x8161a47 "[URI...]"}, {long_name = 0x815e000 "load-session", short_name = 108 'l', 
    flags = 0, arg = G_OPTION_ARG_STRING, arg_data = 0xbfcae6fc, 
    description = 0x8161cb4 "Load a saved session from the specified file. Implies \"--no-default-window\".", 
    arg_description = 0x8161a50 "FILENAME"}, {long_name = 0x0, short_name = 0 '\0', flags = 0, 
    arg = G_OPTION_ARG_NONE, arg_data = 0x0, description = 0x0, arg_description = 0x0}}
.
Thread 1 (process 7671):
#0  *INT_cairo_surface_get_font_options (surface=0xb78086a0, options=0x9688e80)
    at /build/buildd/cairo-1.6.4/src/cairo-surface.c:633
No locals.
#1  0xb7228c00 in _pango_cairo_update_context (cr=0x8e36808, context=0x8dd3cf0)
    at /build/buildd/pango1.0-1.21.3/pango/pangocairo-context.c:104
	info = (PangoCairoContextInfo *) 0x98c9840
	cairo_matrix = {xx = -1.667335739498894e-41, yx = 2.6629322274470552e-267, 
  xy = -4.2458933122252789e-43, yy = 5.6672479863462401e-266, x0 = -4.1600285101525437e-43, 
  y0 = 1.4580379106921624e-267}
	target = (cairo_surface_t *) 0xb78086a0
	pango_matrix = {xx = -9.9323417509544179e-42, xy = 1.4580379094910454e-267, 
  yx = -8.8070004422276986e-42, yy = 2.1927140174974026e-314, x0 = -1.6658621865824984e-41, 
  y0 = 5.6672479902668967e-266}
	current_matrix = <value optimized out>
	merged_options = <value optimized out>
	old_merged_options = <value optimized out>
	changed = <value optimized out>
	identity_matrix = {xx = 1, xy = 0, yx = 0, yy = 1, x0 = 0, y0 = 0}
#2  0xb7ea4586 in rsvg_cairo_create_pango_context (ctx=0x969e878) at rsvg-cairo-draw.c:467
	fontmap = <value optimized out>
	context = (PangoContext *) 0x8dd3cf0
	render = (RsvgCairoRender *) 0x8e9c360
#3  0xb7e9cea4 in rsvg_text_render_text (ctx=0x969e878, text=0x9568440 "", x=0xb21f0d58, y=0xb21f0d50)
    at rsvg-text.c:847
	context = <value optimized out>
	layout = <value optimized out>
	iter = <value optimized out>
	state = (RsvgState *) 0x8b57bd8
	w = <value optimized out>
	h = 21
#4  0xb7e9d2c0 in _rsvg_node_text_type_children (self=0x97ba4f0, ctx=0x969e878, x=0xb21f0d58, y=0xb21f0d50, 
    lastwasspace=0xb21f0d64) at rsvg-text.c:178
	str = (GString *) 0x99fc3d0
	node = (RsvgNode *) 0x97ba760
	i = 0
#5  0xb7e9d60c in _rsvg_node_text_draw (self=0x97ba4f0, ctx=0x969e878, dominate=0) at rsvg-text.c:253
	x = 0
	y = 2
	lastwasspace = 1
#6  0xb7e966e1 in rsvg_node_draw (self=0x9688e80, ctx=0x969e878, dominate=0) at rsvg-structure.c:53
	state = (RsvgState *) 0xb7808ff4
	stacksave = (GSList *) 0x0
#7  0xb7e9693a in _rsvg_node_draw_children (self=0x97b3828, ctx=0x969e878, dominate=0) at rsvg-structure.c:69
	i = 32
#8  0xb7e966e1 in rsvg_node_draw (self=0x9688e80, ctx=0x969e878, dominate=0) at rsvg-structure.c:53
	state = (RsvgState *) 0xb7808ff4
	stacksave = (GSList *) 0x0
#9  0xb7e9693a in _rsvg_node_draw_children (self=0x95513c8, ctx=0x969e878, dominate=0) at rsvg-structure.c:69
	i = 16
#10 0xb7e966e1 in rsvg_node_draw (self=0x9688e80, ctx=0x969e878, dominate=0) at rsvg-structure.c:53
	state = (RsvgState *) 0xb7808ff4
	stacksave = (GSList *) 0x0
#11 0xb7e971da in rsvg_node_svg_draw (self=0x8de8e50, ctx=0x969e878, dominate=0) at rsvg-structure.c:309
	state = <value optimized out>
	affine = {0.99999999999998979, 0, 0, 1.0000000001779179, 0, 0}
	affine_old = {0.14562002275312855, 0, 0, 0.14562002275312855, 0, 0}
	affine_new = {0.14562002275312705, 0, 0, 0.14562002277903696, 0, 0}
	i = 8
	nx = 0
	ny = 0
	nw = 878.90999999999099
	nh = 878.916425156375
#12 0xb7e966e1 in rsvg_node_draw (self=0x9688e80, ctx=0x969e878, dominate=0) at rsvg-structure.c:53
	state = (RsvgState *) 0xb7808ff4
	stacksave = (GSList *) 0x0
#13 0xb7ea4abf in rsvg_handle_render_cairo_sub (handle=0x8dd1ea0, cr=0x8e36808, id=0x0)
    at rsvg-cairo-render.c:228
	drawsub = (RsvgNode *) 0x8b572c8
	__PRETTY_FUNCTION__ = "rsvg_handle_render_cairo_sub"
#14 0xb7ea501e in rsvg_handle_get_pixbuf_sub (handle=0x8dd1ea0, id=0x0) at rsvg.c:100
	dimensions = {width = 128, height = 128, em = 879, ex = 879}
	output = <value optimized out>
	surface = (cairo_surface_t *) 0x90d7250
	cr = (cairo_t *) 0x8e36808
	rowstride = 512
	__PRETTY_FUNCTION__ = "rsvg_handle_get_pixbuf_sub"
#15 0xb7ea50f5 in rsvg_handle_get_pixbuf (handle=0x8dd1ea0) at rsvg.c:133
No locals.
#16 0xb45bcaea in gdk_pixbuf__svg_image_stop_load (data=0x8e624e0, error=0xb21f11d8) at io-svg.c:154
	pixbuf = <value optimized out>
#17 0xb7814467 in IA__gdk_pixbuf_loader_close (loader=0x8e35810, error=0x0)
    at /build/buildd/gtk+2.0-2.13.6/gdk-pixbuf/gdk-pixbuf-loader.c:724
	tmp = (GError *) 0x0
	priv = (GdkPixbufLoaderPrivate *) 0x8e9bf30
	retval = 1
	__PRETTY_FUNCTION__ = "IA__gdk_pixbuf_loader_close"
#18 0xb7e260b8 in gnome_gdk_pixbuf_new_from_uri_at_scale (uri=0x8e0eee8 "file:///tmp/output-13437-z14.svg", 
    width=128, height=128, preserve_aspect_ratio=1) at gnome-vfs-util.c:231
	result = GNOME_VFS_OK
	buffer = ">\n         <text x=\"1263.548\" y=\"981.392052543109\" k=\"name\" class=\"place-caption locality-caption\">Obernberg</text>\n         <text x=\"503.789000000001\" y=\"664.527611808224\" k=\"name\" class=\"caption-cas"...
	bytes_read = <value optimized out>
	loader = (GdkPixbufLoader *) 0x8e35810
	pixbuf = <value optimized out>
	animation = <value optimized out>
	iter = (GdkPixbufAnimationIter *) 0x80
	info = {width = 128, height = 128, input_width = 879, input_height = 879, preserve_aspect_ratio = 1}
	file = (GFile *) 0x8de8f80
	file_input_stream = (GFileInputStream *) 0x8dda2f0
	__PRETTY_FUNCTION__ = "gnome_gdk_pixbuf_new_from_uri_at_scale"
#19 0xb7e151dc in gnome_thumbnail_factory_generate_thumbnail (factory=0x8e03e40, 
    uri=0x8e0eee8 "file:///tmp/output-13437-z14.svg", mime_type=0x8e37010 "image/svg+xml")
    at gnome-thumbnail.c:660
	pixbuf = (GdkPixbuf *) 0x0
	scaled = <value optimized out>
	tmp_pixbuf = <value optimized out>
	expanded_script = 0x0
	width = <value optimized out>
	height = <value optimized out>
	size = 128
	original_width = -1207245208
	original_height = -1306582272
	dimension = "\\ÑÜ·ô_\030\b\000\000\000"
	scale = 0
	exit_status = 5
	tmpname = 0x8186a9c "\020Pá·Z\\\006\bj\\\006\bz\\\006\b\212\\\006\b\232\\\006\bª\\\006\b`3j·Ê\\\006\bÚ\\\006\bàÝm·ú\\\006\b\n]\006\b\032]\006\b*]\006\bàÆ¥·J]\006\bZ]\006\bÀÝ\207·P&¡·0\n\206·\232]\006\bª]\006\bº]\006\bÊ]\006\bP\026¶·ê]\006\bú]\006\b\n^\006\b\200Ð\207·*^\006\bÐÛ¶·Ð)\225·Z^\006\bàý^·\220»o·\212^\006\b\232^\006\b \207a·°g_·Ê^\006\bÐ=¶·ê^\006\bú^\006\bp\vH·"
	__PRETTY_FUNCTION__ = "gnome_thumbnail_factory_generate_thumbnail"
#20 0x0814c27e in thumbnail_thread_start (data=0x0) at nautilus-thumbnails.c:981
	info = (NautilusThumbnailInfo *) 0x8ddafe8
	pixbuf = (GdkPixbuf *) 0x0
	current_orig_mtime = 1218328193
	current_time = 1218329387
	__PRETTY_FUNCTION__ = "thumbnail_thread_start"
#21 0xb739f4ff in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
#22 0xb731c64e in clone () from /lib/tls/i686/cmov/libc.so.6"

SVG file:

http://launchpadlibrarian.net/16728228/output-7043-z15.svg

Thanks,
Comment 1 Chris Wilson 2008-08-12 13:33:33 UTC
My educated guess is that 0xb78086a0 is an error surface, on which we attempt to initialize the font_options, hence the SIGSEGV.

Can you test this? (If I am right, you still won't see the desired result but the crash should be resolved.)

commit c73b3e43e120065e40d8fc48c9bdbd88ebe8ab40
Author: Chris Wilson <chris@chris-wilson.co.uk>
Date:   Tue Aug 12 21:21:20 2008 +0100

    [cairo-surface] Check for the error surface in _get_font_options()
    
    cairo_surface_get_font_options() has the side effect of initialising the
    font options on the surface, but fails to check that the surface is
    valid first. Therefore if we are passed a read-only error object, we will
    trigger a segmentation fault.
    
    Most likely this is the bug behind:
    http://bugs.freedesktop.org/show_bug.cgi?id=17096.

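The check the commit describes, as an added example that is not cairo's own code: a constructed model of the shared, read-only "nil" error surface that cairo hands back instead of NULL, and a `surface_get_font_options()` that verifies the surface status before lazily initialising the options on it. All names here (`surface_t`, `font_options_t`, `surface_create`) are assumptions for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Constructed model of the pattern behind bug 17096 (not cairo's code). */
typedef enum { ST_SUCCESS = 0, ST_NO_MEMORY = 1 } status_t;

typedef struct {
    int  hint_style;      /* stands in for the real font-options fields */
    bool initialised;
} font_options_t;

typedef struct {
    status_t       status;
    font_options_t font_options;
} surface_t;

/* Shared error object, returned instead of NULL when creation fails.
 * It is const: an unchecked write into it faults, as in the report. */
static const surface_t nil_surface_no_memory = { ST_NO_MEMORY, { 0, false } };

/* Returns a live surface, or the error surface if allocation fails. */
surface_t *surface_create(bool simulate_oom)
{
    surface_t *s = simulate_oom ? NULL : calloc(1, sizeof *s);
    if (s == NULL)
        return (surface_t *)&nil_surface_no_memory;  /* caller checks status */
    s->status = ST_SUCCESS;
    return s;
}

/* Fixed behaviour from commit c73b3e4: refuse to initialise options on an
 * error surface; hand back defaults and propagate the sticky status. */
status_t surface_get_font_options(surface_t *surface, font_options_t *out)
{
    if (surface->status != ST_SUCCESS) {
        out->hint_style  = 0;
        out->initialised = true;
        return surface->status;          /* nothing written to the nil object */
    }
    if (!surface->font_options.initialised) {   /* the lazy-init side effect */
        surface->font_options.hint_style  = 1;
        surface->font_options.initialised = true;
    }
    *out = surface->font_options;
    return ST_SUCCESS;
}

void surface_destroy(surface_t *s)
{
    if (s != (surface_t *)&nil_surface_no_memory)
        free(s);
}
```

Without the status check, the first branch would be reached with a write into `nil_surface_no_memory`, which is the read-only store the backtrace faults on.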
Comment 2 John Clemens 2008-09-12 15:48:57 UTC
Verified that the above patch fixed the problem in that it at least prevents the segfault and the thumbnail even works.

Verified by compiling cairo from the commit just before this one, and then running Firefox with the compiled library LD_LIBRARY_PATH'd in, doing File->Open File, and navigating to the directory with the bad file. With the commit before this, Firefox crashes; with this fix, it works.

So, this fixes the bug in cairo, but should error surfaces be getting down this far? I.e., does this point to another bug in librsvg or pango?

Thanks for the fix.
Comment 3 Chris Wilson 2008-10-10 11:06:00 UTC
Given the identification that it was indeed an error surface that we tried to write to, it is indicative that the caller could check for an error early (if they so desire), although they are free to just check for any errors after all the operations are complete.
