Bug 20445

Summary: FcStrCaseWalkerNext causes segfault with DUMA
Product: fontconfig Reporter: Myckel Habets <myckel>
Component: libraryAssignee: Keith Packard <keithp>
Status: RESOLVED WONTFIX QA Contact: Behdad Esfahbod <freedesktop>
Severity: normal    
Priority: medium CC: andris.zeila, bugs.freedesktop, freedesktop
Version: 2.6   
Hardware: x86 (IA32)   
OS: Linux (All)   
Whiteboard:
i915 platform: i915 features:

Description Myckel Habets 2009-03-03 13:36:02 UTC 
I linked DUMA (http://duma.sourceforge.net/) against Galculator (http://galculator.sourceforge.net/) and ran the program. At startup Galculator segfaulted. Loaded the core in gdb and got this (partial) backtrace:

Core was generated by `galculator'.
Program terminated with signal 11, Segmentation fault.
[New process 8873]
#0  0xb7625b31 in FcStrCaseWalkerNext (w=0xbfef3560) at fcstr.c:160
160	fcstr.c: No such file or directory.
	in fcstr.c
(gdb) backtrace
#0  0xb7625b31 in FcStrCaseWalkerNext (w=0xbfef3560) at fcstr.c:160
#1  0xb7625e0d in IA__FcStrCmpIgnoreCase (s1=0xaf1c5ff2 "Luxi Sans", s2=0x6b06967a <Address 0x6b06967a out of bounds>)
    at fcstr.c:225
#2  0xb7614f03 in FcConfigCompareValue (left_o=0xaf1c7ff0, op=FcOpEqual, right_o=0xbfef3684) at fccfg.c:702
#3  0xb7615d9c in IA__FcConfigSubstituteWithPat (config=0xaf1cdfbc, p=0xaf0ffff0, p_pat=0x0, kind=FcMatchPattern)
    at fccfg.c:1107
#4  0xb76162e5 in IA__FcConfigSubstitute (config=0x0, p=0xaf0ffff0, kind=FcMatchPattern) at fccfg.c:1531
#5  0xb7a6a9c6 in pango_cairo_fc_font_map_context_substitute (fcfontmap=0xb67a8e00, context=0xb202bfb0, pattern=0xaf0ffff0)
    at pangocairo-fcfontmap.c:87
#6  0xb75bbea9 in pango_fc_default_substitute (fontmap=0xb67a8e00, context=0xb202bfb0, pattern=0xbfef3560)
    at pangofc-fontmap.c:978
#7  0xb75be289 in pango_fc_font_map_load_fontset (fontmap=0xb67a8e00, context=0xb202bfb0, desc=0xaf4c7f00, 
    language=0xaf244ff5) at pangofc-fontmap.c:1069
#8  0xb7a3c4a0 in pango_font_map_load_fontset (fontmap=0xb67a8e00, context=0xb202bfb0, desc=0xaf4c7f00, language=0xaf244ff5)
    at pango-fontmap.c:107
#9  0xb75be695 in pango_fc_font_map_load_font (fontmap=0xb67a8e00, context=0xb202bfb0, description=0xaf4c7f00)
    at pangofc-fontmap.c:1152
#10 0xb7a3c529 in pango_font_map_load_font (fontmap=0xb67a8e00, context=0xb202bfb0, desc=0xaf4c7f00) at pango-fontmap.c:64
#11 0xb7a3aad9 in pango_context_load_font (context=0xb202bfb0, desc=0xaf4c7f00) at pango-context.c:292
#12 0xb7a408ed in pango_layout_get_empty_extents_at_index (layout=0xb6524db0, index=0, logical_rect=0xbfef3a18)
    at pango-layout.c:4333

The line that DUMA sees as an error is this:

    r = *w->src++;

As I have little knowledge about C programming, I'm not able to provide a patch or more information about what is going wrong here. I'm willing to provide more information when needed.

Regards,

Myckel
Comment 1 Andris Zeila 2009-10-28 05:59:04 UTC 
I had a headache some time ago trying to understand what's wrong.

This happens when an unaligned memory address is returned by DUMA memory allocation functions. Because the lowest bit is set fonconfig interprets such pointers as offsets and processes them accordingly. 

As a workaround you can force duma memory alignment with DUMA_ALIGNMENT=2. This will ensure that no duma returned pointers will have lowest bit set. But it will make unprotected a single byte after allocations of odd number of bytes.

Still although the reported segfault is 'false positive', using the lowest bit of memory pointers as a flag results in problems with various debugging tools.
Comment 2 Behdad Esfahbod 2009-10-28 10:23:47 UTC 
Well, malloc is supposed to returned aligned memory, so what DUMA is doing is a hack to begin with.  But yes, I agree that what fontconfig is doing is also a hack.  I don't see anything to fix here, but good to know what was going on.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.