Bug 10598

Summary: crash when viewing svg file
Product: cairo Reporter: Michael Chudobiak <mjc>
Component: svg backendAssignee: Emmanuel Pacaud <emmanuel.pacaud>
Status: RESOLVED FIXED QA Contact: cairo-bugs mailing list <cairo-bugs>
Severity: critical    
Priority: medium CC: bugzi11.fdo.tormod, chris, Christian.Kirbach, marcus
Version: 1.2.6   
Hardware: Other   
OS: Linux (All)   
URL: http://bugzilla.gnome.org/show_bug.cgi?id=424199
Whiteboard:
i915 platform: i915 features:
Attachments: SVG file that causes the crash

Description Michael Chudobiak 2007-04-10 04:53:34 UTC 
gThumb crashes when viewing an svg file, due to a crash in cairo svg rendering.

The original bug reports are here:

http://bugzilla.gnome.org/show_bug.cgi?id=424199 (has svg file)
http://bugzilla.gnome.org/show_bug.cgi?id=428208 (best stacktrace)

The backtrace:

Distribution: Fedora Core release 6 (Zod)
Gnome Release: 2.16.3 2007-01-31 (Red Hat, Inc)
BugBuddy Version: 2.16.0

System: Linux 2.6.19-1.2911.fc6 #1 SMP Sat Feb 10 15:51:47 EST 2007 i686
X Vendor: The XFree86 Project, Inc
X Vendor Release: 40300000
Selinux: No
Accessibility: Disabled

Memory status: size: 133980160 vsize: 0 resident: 133980160 share: 0 rss:
44367872 rss_rlim: 0
CPU usage: start_time: 1176205406 rtime: 0 utime: 260 stime: 0 cutime:233
cstime: 0 timeout: 27 it_real_value: 0 frequency: 0

Backtrace was generated from '/usr/bin/gthumb'

Using host libthread_db library "/lib/libthread_db.so.1".
[Thread debugging using libthread_db enabled]
[New Thread -1208346912 (LWP 9727)]
[New Thread -1318589552 (LWP 9745)]
[New Thread -1318061168 (LWP 9744)]
[New Thread -1316156528 (LWP 9743)]
[New Thread -1252689008 (LWP 9735)]
[New Thread -1252160624 (LWP 9734)]
0x00c79402 in __kernel_vsyscall ()
#0  0x00c79402 in __kernel_vsyscall ()
#1  0x00da398e in __lll_mutex_lock_wait () from /lib/libpthread.so.0
#2  0x00d9f7fc in _L_mutex_lock_85 () from /lib/libpthread.so.0
#3  0x00d9f33d in __pthread_mutex_lock (mutex=0x9a19778) at
pthread_mutex_lock.c:81
#4  0x00e30cef in check_thread (data=0x9a19a50) at image-loader.c:731
#5  0x037fca16 in g_timeout_dispatch (source=0x9b1c500, callback=0,
user_data=0x9a19a50) at gmain.c:3422
#6  0x037fc442 in IA__g_main_context_dispatch (context=0x991d660) at
gmain.c:2045
#7  0x037ff41f in g_main_context_iterate (context=0x991d660, block=1,
dispatch=1, self=0x9900f50)
    at gmain.c:2677
#8  0x037ff7c9 in IA__g_main_loop_run (loop=0x9c4b240) at gmain.c:2881
#9  0x0212d4b4 in IA__gtk_main () at gtkmain.c:1148
#10 0x080a65b5 in main (argc=) at main.c:834

Thread 6 (Thread -1252160624 (LWP 9734)):
#0  0x00c79402 in __kernel_vsyscall ()
No symbol table info available.
#1  0x00da4cbb in waitpid () from /lib/libpthread.so.0
No symbol table info available.
#2  0x02459cf6 in libgnomeui_segv_handle (signum=6) at gnome-ui-init.c:870
        estatus = 29156194
        sa = {__sigaction_handler = {sa_handler = 0, sa_sigaction = 0}, sa_mask
= {__val = {3042796064, 
      0, 0, 42233907, 29156194, 42239212, 29321448, 42242476, 29487233,
42243675, 29653524, 3042795880, 
      79228173, 1869, 0, 0, 0, 0, 42211898, 28662052, 42221258, 28826218,
42228603, 28990940, 42233907, 
      29156194, 0, 0, 0, 0, 3042796328, 2491416576}}, sa_flags = 1074222420,
sa_restorer = 0x2847033}
        pid = 0
        in_segv = 1
#3  <signal handler called>
No symbol table info available.
#4  0x00c79402 in __kernel_vsyscall ()
No symbol table info available.
#5  0x00151d40 in *__GI_raise (sig=6) at
../nptl/sysdeps/unix/sysv/linux/raise.c:64
        resultvar = <value optimized out>
        pid = 2498548
        selftid = 9734
#6  0x00153591 in *__GI_abort () at abort.c:88
        act = {__sigaction_handler = {sa_handler = 0x263120 <main_arena>, 
    sa_sigaction = 0x263120 <main_arena>}, sa_mask = {__val = {162726616,
2498548, 2502944, 163952328, 
      162726608, 1642190, 2502944, 108, 2498548, 108, 163952328, 3042797000,
1598317, 162726616, 
      162726616, 107, 163952328, 0, 107, 4222451712, 162726616, 162726717,
162726616, 162726616, 
      162726723, 1632417, 162726616, 162726916, 0, 0, 0, 0}}, sa_flags = 0,
sa_restorer = 0x73256020}
        sigs = {__val = {32, 0 <repeats 31 times>}}
#7  0x0014b38b in *__GI___assert_fail (assertion=0x4bd1070 "i <
pen->num_vertices", 
    file=0x4bd1064 "cairo-pen.c", line=323, function=0x4bd10a0
"_cairo_pen_find_active_cw_vertex_index")
    at assert.c:78
        buf = 0x9c5b6c8 ""
        errstr = "Unexpected error.\n"
#8  0x04b8c16f in _cairo_pen_find_active_cw_vertex_index (pen=0xb55d67a4,
slope=0xb55d66d0, 
    active=0xb55d66d8) at cairo-pen.c:323
        i = 4
        __PRETTY_FUNCTION__ = "_cairo_pen_find_active_cw_vertex_index"
#9  0x04b8a9f4 in _cairo_stroker_add_cap (stroker=0xb55d678c, f=0xb55d6700) at
cairo-path-stroke.c:385
        i = <value optimized out>
        stop = <value optimized out>
        slope = {dx = 20, dy = -10642879}
        tri = {{x = 0, y = 0}, {x = 0, y = 0}, {x = 0, y = 0}}
        pen = (cairo_pen_t *) 0xb55d67a4
        start = <value optimized out>
        status = <value optimized out>
#10 0x04b8ac65 in _cairo_stroker_add_leading_cap (stroker=0x0, face=<value
optimized out>)
    at cairo-path-stroke.c:456
        reversed = {ccw = {x = 42244184, y = 29794954}, point = {x = 42244184,
y = 29794954}, cw = {
    x = 42244184, y = 29794954}, dev_vector = {dx = 20, dy = -10642879},
usr_vector = {
    x = 1.9109012527931071e-06, y = -0.99999999999817424}}
#11 0x04b8ac95 in _cairo_stroker_add_caps (stroker=0xb55d678c) at
cairo-path-stroke.c:488
        status = <value optimized out>
#12 0x04b8af1a in _cairo_path_fixed_stroke_to_traps (path=0x9c67a68,
stroke_style=0x9d09758, 
    ctm=0x9d097f4, ctm_inverse=0x9d09824, tolerance=0.10000000000000001,
traps=0xb55d6884)
    at cairo-path-stroke.c:1005
        status = CAIRO_STATUS_SUCCESS
        stroker = {style = 0x9d09758, ctm = 0x9d097f4, ctm_inverse = 0x9d09824, 
  tolerance = 0.10000000000000001, traps = 0xb55d6884, pen = {radius = 0, 
    tolerance = 0.10000000000000001, vertices = 0x9b2d460, num_vertices = 4},
current_point = {
    x = 42243675, y = 29653524}, first_point = {x = 42244184, y = 29794954},
has_sub_path = 0, 
  has_current_face = 1, current_face = {ccw = {x = 42243675, y = 29653524},
point = {x = 42243675, 
      y = 29653524}, cw = {x = 42243675, y = 29653524}, dev_vector = {dx =
76695, dy = 10642593}, 
    usr_vector = {x = 0.0073278287515938199, y = 0.99997315110246199}},
has_first_face = 1, 
  first_face = {ccw = {x = 42244184, y = 29794954}, point = {x = 42244184, y =
29794954}, cw = {
      x = 42244184, y = 29794954}, dev_vector = {dx = -20, dy = 10642879},
usr_vector = {
      x = -1.9109012527931071e-06, y = 0.99999999999817424}}, dashed = 0,
dash_index = 0, 
  dash_on = -1345029298, dash_remain = 5.2995795623450048e-315}
#13 0x04b84db7 in _cairo_gstate_stroke_extents (gstate=0x9d09748,
path=0x9c67a68, x1=0xb55d6978, 
    y1=0xb55d6980, x2=0xb55d6988, y2=0xb55d6990) at cairo-gstate.c:1056
        status = 79146852
        traps = {traps = 0x0, num_traps = 0, traps_size = 0, extents = {p1 = {x
= 2147418112, 
      y = 2147418112}, p2 = {x = -2147483648, y = -2147483648}}}
        extents = {p1 = {x = 164682544, y = 0}, p2 = {x = 1, y = 1}}
#14 0x04b7ffb2 in cairo_stroke_extents (cr=0x9c67a60, x1=0xb55d6978, y1=0x2606,
x2=0x6, y2=0xb55d6990)
    at cairo.c:2021
No locals.
#15 0x009c6b14 in rsvg_cairo_render_path (ctx=0x9b1d768, bpath_def=0x9b302c0)
at rsvg-cairo-draw.c:546
        sb = {x = 71.980259794366702, y = -1.3969901333541941, w =
575.82484947592877, 
  h = 575.82195093494511, virgin = 1, affine = {1.005657, 0, 0, 1.022627,
-6.8746500000000026, 
    161.63940000000002}}
        state = (RsvgState *) 0x9d29868
        cr = (cairo_t *) 0x9c67a60
        bpath = <value optimized out>
        i = 6
        need_tmpbuf = 0
        bbox = {x = 71.980259794366702, y = -1.3969901333541992, w =
575.82484947592877, 
  h = 575.82195093494511, virgin = 0, affine = {1.005657, 0, 0, 1.022627,
-6.8746500000000026, 
    161.63940000000002}}
#16 0x009c19ce in rsvg_render_path (ctx=0x9b1d768, 
    d=0x9d16e48 "M 647.80511,286.51260 A 287.91339,287.91339 0 1 1
647.79738,284.40230")
    at rsvg-base.c:1639
        bpath_def = (RsvgBpathDef *) 0x9b302c0
#17 0x009b747b in rsvg_node_path_draw (self=0x9d16c30, ctx=0x9b1d768,
dominate=0) at rsvg-shapes.c:61
No locals.
#18 0x009b9fee in rsvg_node_draw (self=0x6, ctx=0x9b1d768, dominate=0) at
rsvg-structure.c:54
        stacksave = (GSList *) 0x0
#19 0x009ba2aa in _rsvg_node_draw_children (self=0x9d0a618, ctx=0x9b1d768,
dominate=0)
    at rsvg-structure.c:73
        i = 2
#20 0x009b9fee in rsvg_node_draw (self=0x6, ctx=0x9b1d768, dominate=0) at
rsvg-structure.c:54
        stacksave = (GSList *) 0x0
#21 0x009ba2aa in _rsvg_node_draw_children (self=0x9c67cf0, ctx=0x9b1d768,
dominate=0)
    at rsvg-structure.c:73
        i = 2
#22 0x009b9fee in rsvg_node_draw (self=0x6, ctx=0x9b1d768, dominate=0) at
rsvg-structure.c:54
        stacksave = (GSList *) 0x0
#23 0x009baaff in rsvg_node_svg_draw (self=0x9b20fa0, ctx=0x9b1d768,
dominate=0) at rsvg-structure.c:346
        state = <value optimized out>
        affine = {1, 0, 0, 1, 0, 0}
        affine_old = {1, 0, 0, 1, 0, 0}
        affine_new = {1, 0, 0, 1, 0, 0}
        i = 5
        nx = 0
        ny = 0
        nw = 744.09447999999998
        nh = 1052.3622
#24 0x009b9fee in rsvg_node_draw (self=0x6, ctx=0x9b1d768, dominate=0) at
rsvg-structure.c:54
        stacksave = (GSList *) 0x0
#25 0x009c72d7 in rsvg_handle_render_cairo_sub (handle=0x9c53558, cr=0x9c67a60,
id=0x0)
    at rsvg-cairo-render.c:161
        drawsub = (RsvgNode *) 0x9d29020
        __PRETTY_FUNCTION__ = "rsvg_handle_render_cairo_sub"
#26 0x009c777e in rsvg_handle_get_pixbuf_sub (handle=0x9c53558, id=0x0) at
rsvg.c:101
        dimensions = {width = 744, height = 1052, em = 744, ex = 1052}
        output = <value optimized out>
        surface = (cairo_surface_t *) 0x9c67978
        cr = (cairo_t *) 0x9c67a60
        rowstride = 2976
        __PRETTY_FUNCTION__ = "rsvg_handle_get_pixbuf_sub"
#27 0x009c7855 in rsvg_handle_get_pixbuf (handle=0x9c53558) at rsvg.c:135
No locals.
#28 0x00527bc7 in gdk_pixbuf__svg_image_stop_load (data=0x9c5cca0,
error=0xb55d8368) at io-svg.c:154
        pixbuf = <value optimized out>
#29 0x03d8611d in _gdk_pixbuf_generic_image_load (module=0x9939700,
f=0xb1705680, error=0xb55d8368)
    at gdk-pixbuf-io.c:810
        buffer =
"e-width:0.00000000;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4.0000000;stroke-dashoffset:1.8218375;stroke-opacity:1.0000000\"
transform=\"translate(24.42309,273.6212)\"/>\n      <path d"...
        length = <value optimized out>
        pixbuf = (GdkPixbuf *) 0x0
        animation = <value optimized out>
        context = (gpointer) 0x9c5cca0
        locked = 1
#30 0x03d87114 in IA__gdk_pixbuf_new_from_file (
    filename=0xb1706950
"/fileserver/mjcfiles/eraseme/svg/blue_eye_kilian_valkhof_.svg", 
    error=0xb55d8368) at gdk-pixbuf-io.c:902
        pixbuf = <value optimized out>
        f = (FILE *) 0xb1705680
        buffer = "<?xml version=\"1.0\" encoding=\"UTF-8\"
standalone=\"no\"?>\n<!-- Created with Inkscape (http://www.inkscape.org/)
--><svg height=\"1052.3622\" id=\"svg1\" version=\"1.0\" width=\"744.09448\"
x=\"0.00000000\" xmlns=\""...
        image_module = (GdkPixbufModule *) 0x9939700
        display_name = (
    gchar *) 0xb17067d8
"/fileserver/mjcfiles/eraseme/svg/blue_eye_kilian_valkhof_.svg"
        __PRETTY_FUNCTION__ = "IA__gdk_pixbuf_new_from_file"
#31 0x00e12b62 in gth_pixbuf_new_from_uri (
    uri=0xb1706a10
"/fileserver/mjcfiles/eraseme/svg/blue_eye_kilian_valkhof_.svg",
error=0xb55d8368, 
    requested_width_if_used=128, requested_height_if_used=128,
mime_type=0x9b7f5a0 "image/svg+xml")
    at file-utils.c:2763
        pixbuf = (GdkPixbuf *) 0xb1706a10
        local_file = 0xb1706950
"/fileserver/mjcfiles/eraseme/svg/blue_eye_kilian_valkhof_.svg"
#32 0x00e146a4 in gth_pixbuf_animation_new_from_uri (
    filename=0xb1702218
"file:///fileserver/mjcfiles/eraseme/svg/blue_eye_kilian_valkhof_.svg", 
    error=0xb55d8368, requested_width_if_used=128,
requested_height_if_used=128, factory=0x9af9f80, 
    mime_type=0x9b7f5a0 "image/svg+xml") at file-utils.c:2832
        local_uri = 0xb1706a10
"/fileserver/mjcfiles/eraseme/svg/blue_eye_kilian_valkhof_.svg"
        animation = <value optimized out>
        pixbuf = <value optimized out>
        local_file = 0xb1705060
"/fileserver/mjcfiles/eraseme/svg/blue_eye_kilian_valkhof_.svg"
#33 0x00e44ed6 in thumb_loader (
    path=0xb1702218
"file:///fileserver/mjcfiles/eraseme/svg/blue_eye_kilian_valkhof_.svg", 
    mime_type=0x9b7f5a0 "image/svg+xml", error=0xb55d8368, data=0x9af9eb0) at
thumb-loader.c:239
No locals.
#34 0x00e311f1 in load_image_thread (thread_data=0x9b020b0) at
image-loader.c:639
        path = 0xb1702218
"file:///fileserver/mjcfiles/eraseme/svg/blue_eye_kilian_valkhof_.svg"
        exit_thread = <value optimized out>
        priv = (ImageLoaderPrivateData *) 0x9b03168
        animation = (GdkPixbufAnimation *) 0x0
        error = (GError *) 0x0
#35 0x0381a29f in g_thread_create_proxy (data=0x9afda48) at gthread.c:591
        __PRETTY_FUNCTION__ = "g_thread_create_proxy"
#36 0x00d9d3db in start_thread (arg=0xb55d8b90) at pthread_create.c:296
        __res = <value optimized out>
        __ignore1 = <value optimized out>
        __ignore2 = <value optimized out>
        pd = (struct pthread *) 0xb55d8b90
        now = <value optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {14335988, 0, 4001536,
-1252162408, 1293221335, 
        -124736065}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0},
data = {prev = 0x0, 
      cleanup = 0x0, canceltype = 0}}}
        not_first_call = 0
        robust = <value optimized out>
#37 0x001f626e in clone () from /lib/libc.so.6
        fstab_state = {fs_fp = 0x0, fs_buffer = 0x0, fs_mntres = {mnt_fsname =
0x0, mnt_dir = 0x0, 
    mnt_type = 0x0, mnt_opts = 0x0, mnt_freq = 0, mnt_passno = 0}, fs_ret =
{fs_spec = 0x0, 
    fs_file = 0x0, fs_vfstype = 0x0, fs_mntops = 0x0, fs_type = 0x0, fs_freq =
0, fs_passno = 0}}
        __elf_set___libc_subfreeres_element_fstab_free__ = (const void *)
0x234160

Thread 5 (Thread -1252689008 (LWP 9735)):
#0  0x00c79402 in __kernel_vsyscall ()
No symbol table info available.
#1  0x00da11a6 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib/libpthread.so.0
No symbol table info available.
#2  0x00e31179 in load_image_thread (thread_data=0x99f5b00) at
image-loader.c:619
        path = 0x80c2a6c "\001"
        exit_thread = <value optimized out>
        priv = (ImageLoaderPrivateData *) 0x9b32400
        animation = (GdkPixbufAnimation *) 0xda07c0
        error = (GError *) 0x0
#3  0x0381a29f in g_thread_create_proxy (data=0x9b32520) at gthread.c:591
        __PRETTY_FUNCTION__ = "g_thread_create_proxy"
#4  0x00d9d3db in start_thread (arg=0xb5557b90) at pthread_create.c:296
        __res = <value optimized out>
        __ignore1 = <value optimized out>
        __ignore2 = <value optimized out>
        pd = (struct pthread *) 0xb5557b90
        now = <value optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {14335988, 0, 4001536,
-1252690792, 1293684183, 
        -124736065}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0},
data = {prev = 0x0, 
      cleanup = 0x0, canceltype = 0}}}
        not_first_call = 0
        robust = <value optimized out>
#5  0x001f626e in clone () from /lib/libc.so.6
        fstab_state = {fs_fp = 0x0, fs_buffer = 0x0, fs_mntres = {mnt_fsname =
0x0, mnt_dir = 0x0, 
    mnt_type = 0x0, mnt_opts = 0x0, mnt_freq = 0, mnt_passno = 0}, fs_ret =
{fs_spec = 0x0, 
    fs_file = 0x0, fs_vfstype = 0x0, fs_mntops = 0x0, fs_type = 0x0, fs_freq =
0, fs_passno = 0}}
        __elf_set___libc_subfreeres_element_fstab_free__ = (const void *)
0x234160

Thread 4 (Thread -1316156528 (LWP 9743)):
#0  0x00c79402 in __kernel_vsyscall ()
No symbol table info available.
#1  0x00da398e in __lll_mutex_lock_wait () from /lib/libpthread.so.0
No symbol table info available.
#2  0x00d9f7fc in _L_mutex_lock_85 () from /lib/libpthread.so.0
No symbol table info available.
#3  0x00d9f33d in __pthread_mutex_lock (mutex=0xe65560) at
pthread_mutex_lock.c:81
        ignore1 = <value optimized out>
        ignore2 = <value optimized out>
        oldval = <value optimized out>
        retval = <value optimized out>
#4  0x00e31361 in load_image_thread (thread_data=0x9a19a50) at
image-loader.c:634
        path = 0x9c4fb10
"file:///fileserver/mjcfiles/eraseme/svg/blue_eye_kilian_valkhof_.svg"
        exit_thread = <value optimized out>
        priv = (ImageLoaderPrivateData *) 0x9bb30e0
        animation = <value optimized out>
        error = (GError *) 0x0
#5  0x0381a29f in g_thread_create_proxy (data=0x9bb31e0) at gthread.c:591
        __PRETTY_FUNCTION__ = "g_thread_create_proxy"
#6  0x00d9d3db in start_thread (arg=0xb18d0b90) at pthread_create.c:296
        __res = <value optimized out>
        __ignore1 = <value optimized out>
        __ignore2 = <value optimized out>
        pd = (struct pthread *) 0xb18d0b90
        now = <value optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {14335988, 0, 4001536,
-1316158312, 1237614039, 
        -124736065}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0},
data = {prev = 0x0, 
      cleanup = 0x0, canceltype = 0}}}
        not_first_call = 0
        robust = <value optimized out>
#7  0x001f626e in clone () from /lib/libc.so.6
        fstab_state = {fs_fp = 0x0, fs_buffer = 0x0, fs_mntres = {mnt_fsname =
0x0, mnt_dir = 0x0, 
    mnt_type = 0x0, mnt_opts = 0x0, mnt_freq = 0, mnt_passno = 0}, fs_ret =
{fs_spec = 0x0, 
    fs_file = 0x0, fs_vfstype = 0x0, fs_mntops = 0x0, fs_type = 0x0, fs_freq =
0, fs_passno = 0}}
        __elf_set___libc_subfreeres_element_fstab_free__ = (const void *)
0x234160

Thread 3 (Thread -1318061168 (LWP 9744)):
#0  0x00c79402 in __kernel_vsyscall ()
No symbol table info available.
#1  0x00da11a6 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib/libpthread.so.0
No symbol table info available.
#2  0x00e31179 in load_image_thread (thread_data=0x9a19a20) at
image-loader.c:619
        path = 0x9c86350 "\030¹\221\t\003"
        exit_thread = <value optimized out>
        priv = (ImageLoaderPrivateData *) 0x9bb8630
        animation = (GdkPixbufAnimation *) 0x9d0ccd0
        error = (GError *) 0x0
#3  0x0381a29f in g_thread_create_proxy (data=0x9a1ae40) at gthread.c:591
        __PRETTY_FUNCTION__ = "g_thread_create_proxy"
#4  0x00d9d3db in start_thread (arg=0xb16ffb90) at pthread_create.c:296
        __res = <value optimized out>
        __ignore1 = <value optimized out>
        __ignore2 = <value optimized out>
        pd = (struct pthread *) 0xb16ffb90
        now = <value optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {14335988, 0, 4001536,
-1318062952, 1227263447, 
        -124736065}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0},
data = {prev = 0x0, 
      cleanup = 0x0, canceltype = 0}}}
        not_first_call = 0
        robust = <value optimized out>
#5  0x001f626e in clone () from /lib/libc.so.6
        fstab_state = {fs_fp = 0x0, fs_buffer = 0x0, fs_mntres = {mnt_fsname =
0x0, mnt_dir = 0x0, 
    mnt_type = 0x0, mnt_opts = 0x0, mnt_freq = 0, mnt_passno = 0}, fs_ret =
{fs_spec = 0x0, 
    fs_file = 0x0, fs_vfstype = 0x0, fs_mntops = 0x0, fs_type = 0x0, fs_freq =
0, fs_passno = 0}}
        __elf_set___libc_subfreeres_element_fstab_free__ = (const void *)
0x234160

Thread 2 (Thread -1318589552 (LWP 9745)):
#0  0x00c79402 in __kernel_vsyscall ()
No symbol table info available.
#1  0x00da11a6 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib/libpthread.so.0
No symbol table info available.
#2  0x00e31179 in load_image_thread (thread_data=0x9a19810) at
image-loader.c:619
        path = 0x80c2a6c "\001"
        exit_thread = <value optimized out>
        priv = (ImageLoaderPrivateData *) 0x9bb8e28
        animation = (GdkPixbufAnimation *) 0xda07c0
        error = (GError *) 0x0
#3  0x0381a29f in g_thread_create_proxy (data=0x9bb90a0) at gthread.c:591
        __PRETTY_FUNCTION__ = "g_thread_create_proxy"
#4  0x00d9d3db in start_thread (arg=0xb167eb90) at pthread_create.c:296
        __res = <value optimized out>
        __ignore1 = <value optimized out>
        __ignore2 = <value optimized out>
        pd = (struct pthread *) 0xb167eb90
        now = <value optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {14335988, 0, 4001536,
-1318591336, 1227791831, 
        -124736065}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0},
data = {prev = 0x0, 
      cleanup = 0x0, canceltype = 0}}}
        not_first_call = 0
        robust = <value optimized out>
#5  0x001f626e in clone () from /lib/libc.so.6
        fstab_state = {fs_fp = 0x0, fs_buffer = 0x0, fs_mntres = {mnt_fsname =
0x0, mnt_dir = 0x0, 
    mnt_type = 0x0, mnt_opts = 0x0, mnt_freq = 0, mnt_passno = 0}, fs_ret =
{fs_spec = 0x0, 
    fs_file = 0x0, fs_vfstype = 0x0, fs_mntops = 0x0, fs_type = 0x0, fs_freq =
0, fs_passno = 0}}
        __elf_set___libc_subfreeres_element_fstab_free__ = (const void *)
0x234160

Thread 1 (Thread -1208346912 (LWP 9727)):
#0  0x00c79402 in __kernel_vsyscall ()
No symbol table info available.
#1  0x00da398e in __lll_mutex_lock_wait () from /lib/libpthread.so.0
No symbol table info available.
#2  0x00d9f7fc in _L_mutex_lock_85 () from /lib/libpthread.so.0
No symbol table info available.
#3  0x00d9f33d in __pthread_mutex_lock (mutex=0x9a19778) at
pthread_mutex_lock.c:81
        ignore1 = <value optimized out>
        ignore2 = <value optimized out>
        oldval = <value optimized out>
        retval = <value optimized out>
#4  0x00e30cef in check_thread (data=0x9a19a50) at image-loader.c:731
        il = <value optimized out>
        done = <value optimized out>
        error = <value optimized out>
        loader_done = <value optimized out>
        priv = (ImageLoaderPrivateData *) 0x9bb30e0
#5  0x037fca16 in g_timeout_dispatch (source=0x9b1c500, callback=0,
user_data=0x9a19a50) at gmain.c:3422
No locals.
#6  0x037fc442 in IA__g_main_context_dispatch (context=0x991d660) at
gmain.c:2045
No locals.
#7  0x037ff41f in g_main_context_iterate (context=0x991d660, block=1,
dispatch=1, self=0x9900f50)
    at gmain.c:2677
        got_ownership = <value optimized out>
        max_priority = 0
        timeout = 0
        some_ready = 1
        nfds = <value optimized out>
        allocated_nfds = <value optimized out>
        fds = (GPollFD *) 0x9c5a1a0
        __PRETTY_FUNCTION__ = "g_main_context_iterate"
#8  0x037ff7c9 in IA__g_main_loop_run (loop=0x9c4b240) at gmain.c:2881
        got_ownership = 14283488
        self = (GThread *) 0x9900f50
        __PRETTY_FUNCTION__ = "IA__g_main_loop_run"
#9  0x0212d4b4 in IA__gtk_main () at gtkmain.c:1148
        tmp_list = (GList *) 0x0
        functions = (GList *) 0x0
        init = (GtkInitFunction *) 0xbf832054
        loop = (GMainLoop *) 0x9c4b240
#10 0x080a65b5 in main (argc=) at main.c:834
No locals.
#0  0x00c79402 in __kernel_vsyscall ()
Comment 1 Michael Chudobiak 2007-04-10 04:54:15 UTC 
Created attachment 9555 [details]
SVG file that causes the crash
Comment 2 Christian Kirbach 2007-07-01 03:35:48 UTC 
see also http://bugzilla.gnome.org/show_bug.cgi?id=452601#stacktrace

nautilus: cairo-pen.c:323: _cairo_pen_find_active_cw_vertex_index: Assertion `i
< pen->num_vertices' failed.

could this be a bug in librsvg?


#7  0x4732338b in *__GI___assert_fail (
    assertion=0x47ecc070 "i < pen->num_vertices", 
    file=0x47ecc064 "cairo-pen.c", line=323, 
    function=0x47ecc0a0 "_cairo_pen_find_active_cw_vertex_index")
    at assert.c:78
        buf = 0x93b6ec0 "ØØè?<<<<<<ì?"
        errstr = "Unexpected error.\n"
#8  0x47e8716f in _cairo_pen_find_active_cw_vertex_index (pen=0xb5dfd834, 
    slope=0xb5dfd760, active=0xb5dfd768) at cairo-pen.c:323
        i = 4
        __PRETTY_FUNCTION__ = "_cairo_pen_find_active_cw_vertex_index"
#9  0x47e859f4 in _cairo_stroker_add_cap (stroker=0xb5dfd81c, f=0xb5dfd790)
    at cairo-path-stroke.c:385
        i = <value optimized out>
        stop = <value optimized out>
        slope = {dx = 37079, dy = -37273}
        tri = {{x = 5311777, y = 2414207}, {x = 37079, y = 37274}, {
    x = -88568302, y = 1072078999}}
        pen = (cairo_pen_t *) 0xb5dfd834
        start = <value optimized out>
        status = <value optimized out>
#10 0x47e85c65 in _cairo_stroker_add_leading_cap (stroker=0x0, 
    face=<value optimized out>) at cairo-path-stroke.c:456
        reversed = {ccw = {x = 5348856, y = 2376934}, point = {x = 5348856, 
    y = 2376934}, cw = {x = 5348856, y = 2376934}, dev_vector = {dx = 37079, 
    dy = -37273}, usr_vector = {x = 0.70711320477456541, 
    y = -0.70710035754017508}}
#11 0x47e85c95 in _cairo_stroker_add_caps (stroker=0xb5dfd81c)
    at cairo-path-stroke.c:488
        status = <value optimized out>
#12 0x47e85f1a in _cairo_path_fixed_stroke_to_traps (path=0x91986c8, 
    stroke_style=0x93b6990, ctm=0x93b6a2c, ctm_inverse=0x93b6a5c, 
    tolerance=0.10000000000000001, traps=0xb5dfd914)
    at cairo-path-stroke.c:1005
        status = CAIRO_STATUS_SUCCESS
        stroker = {style = 0x93b6990, ctm = 0x93b6a2c, 
  ctm_inverse = 0x93b6a5c, tolerance = 0.10000000000000001, 
  traps = 0xb5dfd914, pen = {radius = -0, tolerance = 0.10000000000000001, 
    vertices = 0x93b5bd8, num_vertices = 4}, current_point = {x = 5348856, 
    y = 2451481}, first_point = {x = 5348856, y = 2376934}, has_sub_path = 1, 
  has_current_face = 1, current_face = {ccw = {x = 5348856, y = 2451481}, 
    point = {x = 5348856, y = 2451481}, cw = {x = 5348856, y = 2451481}, 
    dev_vector = {dx = 37079, dy = 37274}, usr_vector = {
      x = 0.70710371941499006, y = 0.70710984294484758}}, has_first_face = 1, 
  first_face = {ccw = {x = 5348856, y = 2376934}, point = {x = 5348856, 
      y = 2376934}, cw = {x = 5348856, y = 2376934}, dev_vector = {
      dx = -37079, dy = 37273}, usr_vector = {x = -0.70711320477456541, 
      y = 0.70710035754017508}}, dashed = 0, dash_index = 3226480967, 
  dash_on = 1195614196, dash_remain = 7.9165322551249684e-265}
#13 0x47e7fdb7 in _cairo_gstate_stroke_extents (gstate=0x93b6980, 
    path=0x91986c8, x1=0xb5dfda08, y1=0xb5dfda10, x2=0xb5dfda18, 
    y2=0xb5dfda20) at cairo-gstate.c:1056
        status = 3051346236
        traps = {traps = 0x93b8000, num_traps = 2, traps_size = 32, 
  extents = {p1 = {x = 5311777, y = 2376934}, p2 = {x = 5348856, 
      y = 2451481}}}
        extents = {p1 = {x = -1891783525, y = 1094890508}, p2 = {
    x = -1243621024, y = 5348856}}
#14 0x47e7afb2 in cairo_stroke_extents (cr=0x91986c0, x1=0xb5dfda08, 
    y1=0x11d4, x2=0x6, y2=0xb5dfda20) at cairo.c:2021
No locals.
#15 0x4672fb14 in rsvg_cairo_render_path (ctx=0x919b5b8, bpath_def=0x93b4790)
    at rsvg-cairo-draw.c:546
        sb = {x = 3.4542216629796162e-313, y = 1.8884829227941214e+35, w = 0, 
  h = 2.712707690888975e-314, virgin = 1, affine = {0.56577866123872023, 0, 
    0, 0.56874918932402085, 81.051291316319919, 36.837876467866657}}
        state = (RsvgState *) 0x91bcd78
        cr = (cairo_t *) 0x91986c0
        bpath = <value optimized out>
        i = 4
        need_tmpbuf = 0
        bbox = {x = 5.2998088236266445e-315, y = 5.2762970911146811e+36, 
  w = 0, h = 1, virgin = 1, affine = {0.56577866123872023, 0, 0, 
    0.56874918932402085, 81.051291316319919, 36.837876467866657}}
#16 0x4672a9ce in rsvg_render_path (ctx=0x919b5b8, 
    d=0x91d70b0 "M 1 -1 L 0 0 L 1 1 ") at rsvg-base.c:1639
        bpath_def = (RsvgBpathDef *) 0x93b4790
#17 0x4672047b in rsvg_node_path_draw (self=0x91d6e98, ctx=0x919b5b8, 
    dominate=0) at rsvg-shapes.c:61
No locals.
#18 0x46722fee in rsvg_node_draw (self=0x6, ctx=0x919b5b8, dominate=0)
    at rsvg-structure.c:54
        stacksave = (GSList *) 0x0
#19 0x467232aa in _rsvg_node_draw_children (self=0x91d69a8, ctx=0x919b5b8, 
    dominate=1) at rsvg-structure.c:73
        i = 2
#20 0x46722fee in rsvg_node_draw (self=0x6, ctx=0x919b5b8, dominate=1)
    at rsvg-structure.c:54
        stacksave = (GSList *) 0x0
#21 0x46723ed3 in rsvg_node_use_draw (self=0x91d7ed0, ctx=0x919b5b8, 
    dominate=0) at rsvg-structure.c:230
        child = (RsvgNode *) 0x91d69a8
        state = (RsvgState *) 0x91bc530
        affine = {1, 0, 0, 1, 0, 0}
        x = 0
        y = 0
        w = 0
        h = 0
#22 0x46722fee in rsvg_node_draw (self=0x6, ctx=0x919b5b8, dominate=0)
    at rsvg-structure.c:54
        stacksave = (GSList *) 0x0
#23 0x4671ebae in rsvg_marker_render (self=0x91d74f8, x=0, 
    y=396.85000000000002, orient=0, linewidth=1.2, ctx=0x919b5b8)
    at rsvg-marker.c:180
        affine = {0.18250924556087747, 0, 0, 0.18346748042710348, 
  81.051291316319919, 36.837876467866657}
        taffine = {1, 0, 0, 1, -0, -0}
        i = 2
        rotation = 0
        state = <value optimized out>
Comment 3 Chris Wilson 2008-01-11 08:30:42 UTC 
*** Bug 11493 has been marked as a duplicate of this bug. ***
Comment 4 Chris Wilson 2008-01-11 08:31:06 UTC 
This was fixed by Carl Worth in commit 448c9314252bba779194d2b01950b8738b26fd13.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.