Bug 4657 - Attempting to draw a ridiculously long title causes a crash
Summary: Attempting to draw a ridiculously long title causes a crash
Status: RESOLVED DUPLICATE of bug 5913
Alias: None
Product: cairo
Classification: Unclassified
Component: general
Version: 1.1.1
Hardware: x86 (IA32) Linux (All)
Importance: high critical
Assignee: Carl Worth
QA Contact: cairo-bugs mailing list
Reported: 2005-10-01 09:45 UTC by Elijah Newren
Modified: 2007-12-30 13:48 UTC
Attachments
Simple testcase program that causes the crash when it is run (583 bytes, text/plain)
2005-10-01 09:46 UTC, Elijah Newren

Description Elijah Newren 2005-10-01 09:45:29 UTC
Originally filed as http://bugzilla.gnome.org/show_bug.cgi?id=317364 (well, also
as 315070 and 317362 in gnome bugzilla):

Summary:
Metacity crashes repeatedly on overlong window title

Steps to reproduce:
0) Compile & run the attached testcase

Result:
Watch metacity crash repeatedly until it doesn't respawn anymore.

Stack trace:
Program received signal SIGABRT, Aborted.
[Switching to Thread -1208088896 (LWP 22906)]
0x003fe7a2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
(gdb) bt
#0  0x003fe7a2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
#1  0x00e227d5 in raise () from /lib/tls/libc.so.6
#2  0x00e24149 in abort () from /lib/tls/libc.so.6
#3  0x0808c871 in meta_bug (format=0x6 <Address 0x6 out of bounds>)
    at util.c:359
#4  0x08064280 in x_error_handler (xdisplay=0x95e2210, error=0xbffdb9c0)
    at errors.c:206
#5  0x00d4fe40 in _XError () from /usr/X11R6/lib/libX11.so.6
#6  0x00d50185 in _XError () from /usr/X11R6/lib/libX11.so.6
#7  0x00d50434 in _XError () from /usr/X11R6/lib/libX11.so.6
#8  0x00298685 in XRenderCompositeText8 (dpy=0x95e2210, op=0, src=0, dst=0,
    maskFormat=0x1, xSrc=0, ySrc=0, xDst=10, yDst=0, elts=0xabeff008,
    nelt=2097152) at Glyph.c:478
#9  0x001aae0b in pixman_op (newReg=0xbffed228, reg1=0x9654ba8, reg2=0xb7,
    overlapFunc=0, appendNon1=0, appendNon2=536870912, pOverlap=0x2732c4)
    at pixregion.c:769
#10 0x001a0730 in _cairo_traps_tessellate_rectangle (traps=0x9639230,
    q=0xae900008) at cairo-traps.c:349
#11 0x0019838c in _cairo_hull_next_valid (hull=0xbffed580, num_hull=0,
    index=22906) at cairo-hull.c:130
#12 0x00196ef2 in _cairo_surface_clip_and_composite_trapezoids (
    src=0xbffed590, operator=1671892, dst=0xbffed580, traps=0x9654ba8,
    clip=0xbffed578, antialias=CAIRO_ANTIALIAS_DEFAULT) at cairo-gstate.c:1336
#13 0x001985c6 in _cairo_hull_compute (vertices=0x9655168,
    num_vertices=0xb1101008) at cairo-hull.c:175
#14 0x00193d33 in _cairo_arc_in_direction (cr=0x1982d4,
    xc=-2.272780557885417e-72, yc=1.0361307573072619e-317,
    radius=4.1226168578802075e-304, angle_min=4.4501477170144028e-308,
    angle_max=-1.9274292341986889, dir=3221149352) at cairo-arc.c:164
#15 0x00189184 in pango_cairo_renderer_draw_glyphs (renderer=0x9643040,
    font=0x962c428, glyphs=0x9640098, x=0, y=0) at pangocairo-render.c:110
#16 0x00437738 in pango_renderer_draw_glyphs (renderer=0x9643040,
    font=0x962c428, glyphs=0x9640098, x=0, y=0) at pango-renderer.c:596
#17 0x001895e9 in pango_cairo_show_glyph_string (cr=0x9654dc0, font=0x962c428,
    glyphs=0x9640098) at pangocairo-render.c:307
#18 0x0012b883 in gdk_pango_renderer_draw_glyphs (renderer=0x0,
    font=0x962c428, glyphs=0x9640098, x=96256, y=17408) at gdkpango.c:210
#19 0x00437738 in pango_renderer_draw_glyphs (renderer=0x9642a00,
    font=0x962c428, glyphs=0x9640098, x=96256, y=17408) at pango-renderer.c:596
#20 0x004388bf in pango_renderer_draw_layout_line (renderer=0x9642a00,
    line=0x964e178, x=96256, y=17408) at pango-renderer.c:528
#21 0x00438c1d in pango_renderer_draw_layout (renderer=0x9642a00,
    layout=0x964e178, x=96256, y=4096) at pango-renderer.c:182
#22 0x0012cd1e in IA__gdk_draw_layout_with_colors (drawable=0x96394a0,
    gc=0x9654df8, x=96256, y=4096, layout=0x9654378, foreground=0x0,
    background=0x0) at gdkpango.c:989
#23 0x0012cf98 in IA__gdk_draw_layout (drawable=0x96394a0, gc=0x9654df8, x=94,
    y=4, layout=0x9654378) at gdkpango.c:1051
#24 0x080821a2 in meta_draw_op_draw_with_env (op=0x9602690, widget=0x960b3a8,
    drawable=0x96394a0, clip=0xbffede80, info=0xbffee090, x=25, y=1,
    width=125, height=21, env=0xbffede20) at theme.c:3490
#25 0x080826be in meta_draw_op_list_draw (op_list=0x9600a20, widget=0x960b3a8,
    drawable=0x96394a0, clip=0x1, info=0xbffee090, x=25, y=1, width=125,
    height=21) at theme.c:3696
#26 0x08082146 in meta_draw_op_draw_with_env (op=0x9601448, widget=0x960b3a8,
    drawable=0x96394a0, clip=0xbffedff0, info=0xbffee090, x=25, y=1,
    width=125, height=21, env=0xbffedf90) at theme.c:3507
#27 0x080826be in meta_draw_op_list_draw (op_list=0x96013c0, widget=0x960b3a8,
    drawable=0x96394a0, clip=0x1, info=0xbffee090, x=25, y=1, width=125,
    height=21) at theme.c:3696
#28 0x08082a4b in meta_frame_style_draw (style=0x9604bc8, widget=0x960b3a8,
    drawable=0x96394a0, x_offset=0, y_offset=0, clip=0x0, fgeom=0xbffee1a0,
    client_width=205, client_height=17, title_layout=0x9654378,
    text_height=17, button_states=0xbffee380, mini_icon=0x0, icon=0x0)
    at theme.c:4156
#29 0x08082f96 in meta_theme_draw_frame (theme=0x0, widget=0x960b3a8,
    drawable=0x96394a0, clip=0x0, x_offset=0, y_offset=0,
    type=META_FRAME_TYPE_LAST, flags=3199, client_width=205, client_height=17,
    title_layout=0x9654378, text_height=17, button_layout=0xbffee350,
    button_states=0xbffee380, mini_icon=0x96431a8, icon=0x9651cb8)
    at theme.c:4845
#30 0x08067678 in meta_frames_paint_to_drawable (frames=0x960b3a8,
    frame=0x964cb20, drawable=0x96394a0, region=0x96525f0, x_offset=0,
    y_offset=0) at frames.c:2208
#31 0x080677b9 in generate_pixmap (frames=0x960b3a8, frame=0x964cb20, x=0,
    y=0, width=227, height=22) at frames.c:1871
#32 0x08067c53 in meta_frames_expose_event (widget=0x960b3a8, event=0xbffee9d0)
    at frames.c:1916
#33 0x0075f212 in _gtk_marshal_BOOLEAN__BOXED (closure=0x96060a0,
    return_value=0xbffee650, n_param_values=2, param_values=0xbffee790,
    invocation_hint=0xbffee678, marshal_data=0x80677ec) at gtkmarshalers.c:83
#34 0x002a57ed in g_type_class_meta_marshal (closure=0x96060a0,
    return_value=0xbffee650, n_param_values=2, param_values=0xbffee790,
    invocation_hint=0xbffee678, marshal_data=0x0) at gclosure.c:569
#35 0x002a5539 in IA__g_closure_invoke (closure=0x96060a0,
    return_value=0xbffee650, n_param_values=2, param_values=0xbffee790,
    invocation_hint=0xbffee678) at gclosure.c:492
#36 0x002b7e1c in signal_emit_unlocked_R (node=0x96060f0, detail=0,
    instance=0x960b3a8, emission_return=0xbffee720,
    instance_and_params=0xbffee790) at gsignal.c:2523
#37 0x002b8e91 in IA__g_signal_emit_valist (instance=0x960b3a8, signal_id=0,
    detail=0, var_args=0xbffee920 "8￿￿￿\230￿`\tH￿￿￿￿<\203") at
gsignal.c:2254
#38 0x002b93a0 in IA__g_signal_emit (instance=0x960b3a8, signal_id=39,
    detail=0) at gsignal.c:2288
#39 0x00833d9a in gtk_widget_event_internal (widget=0x960b3a8,
    event=0xbffee9d0) at gtkwidget.c:3735
#40 0x0075dfcc in IA__gtk_main_do_event (event=0xbffee9d0) at gtkmain.c:1359
#41 0x0013ada5 in gdk_window_process_updates_internal (window=0x9653c78)
    at gdkwindow.c:2215
#42 0x0013ae86 in IA__gdk_window_process_all_updates () at gdkwindow.c:2268
#43 0x0013af0a in gdk_window_update_idle (data=0x0) at gdkwindow.c:2136
#44 0x00537d04 in g_idle_dispatch (source=0x9617690, callback=0, user_data=0x0)
    at gmain.c:3813
#45 0x00534f19 in IA__g_main_context_dispatch (context=0x95c3a58)
    at gmain.c:1934
#46 0x005367c5 in g_main_context_iterate (context=0x95c3a58, block=1,
    dispatch=1, self=0x95c3880) at gmain.c:2565
#47 0x00536a1c in IA__g_main_loop_run (loop=0x95c3a00) at gmain.c:2769
#48 0x0806e13e in main (argc=1, argv=0xbffeef84) at main.c:483

I'll attach the testcase from that bug report momentarily (note, though, that on
my machine I had to modify the testcase to make the title even longer...)
Comment 1 Elijah Newren 2005-10-01 09:46:42 UTC
Created attachment 3457 [details]
Simple testcase program that causes the crash when it is run
Comment 2 Elijah Newren 2005-10-03 11:18:09 UTC
Note that the patch in http://bugzilla.gnome.org/show_bug.cgi?id=315070 works
around this crash, so the testcase will no longer cause the crash unless you
grab an older version of Metacity (i.e. Metacity < 2.12.1, and CVS older than
2005-10-03).  This makes the priority somewhat lower, but it still seems odd
that pango/cairo would crash so I'll leave it up to you guys to decide what to
do with the bug.  :)
Comment 3 Karl Ostmo 2007-12-30 13:48:10 UTC

*** This bug has been marked as a duplicate of bug 5913 ***