Bug 30071

Summary: crash when rendering this svg with librsvg to a pdf or ps or recording surface
Product: cairo Reporter: Christian Persch (GNOME) <chpe>
Component: general    Assignee: Carl Worth <cworth>
Status: RESOLVED INVALID QA Contact: cairo-bugs mailing list <cairo-bugs>
Severity: normal    
Priority: medium    
Version: 1.10.1   
Hardware: Other   
OS: All   
Attachments: minimally reduced svg file

Description Christian Persch (GNOME) 2010-09-07 14:39:12 UTC
(If you don't have the test file installed locally, you can get it from http://websvn.kde.org/*checkout*/trunk/KDE/kdegames/libkdegames/carddecks/svg-oxygen-white/oxygen-white.svgz?revision=896352 )

This crash happens with formats pdf, ps (rsvg-convert creates a pdf or ps surface), but does *not* crash for png (image surface). This is cairo 1.10.0 (git master from today), librsvg git master.

$ ./rsvg-convert --format pdf /usr/share/kde4/apps/carddecks/svg-oxygen-white/oxygen-white.svgz -o test.pdf

Program received signal SIGSEGV, Segmentation fault.

__memcpy_ssse3 () at ../sysdeps/i386/i686/multiarch/memcpy-ssse3.S:160
160		movdqu	(%eax), %xmm0
(gdb) where
#0  __memcpy_ssse3 () at ../sysdeps/i386/i686/multiarch/memcpy-ssse3.S:160
#1  0x004441ec in _cairo_surface_snapshot_copy_on_write (surface=0x805aaa8) at cairo-surface-snapshot.c:140
#2  0x0043c07f in _cairo_surface_detach_snapshot (snapshot=0x805aaa8) at cairo-surface.c:329
#3  0x0043bfea in _cairo_surface_detach_snapshots (surface=0x805a5c8) at cairo-surface.c:314
#4  0x0043c9d1 in cairo_surface_finish (surface=0x805a5c8) at cairo-surface.c:715
#5  0x0043c8f0 in cairo_surface_destroy (surface=0x805a5c8) at cairo-surface.c:645
#6  0x004296db in _cairo_pattern_fini (pattern=0x805a6f0) at cairo-pattern.c:346
#7  0x0042a1d3 in cairo_pattern_destroy (pattern=0x805a6f0) at cairo-pattern.c:828
#8  0x00409fd9 in _cairo_gstate_fini (gstate=0x805bea0) at cairo-gstate.c:229
#9  0x0040a120 in _cairo_gstate_restore (gstate=0x4a7e5c, freelist=0x4a80f0) at cairo-gstate.c:290
#10 0x003fed87 in cairo_restore (cr=0x4a7e40) at cairo.c:583
#11 0x001400b1 in rsvg_cairo_pop_discrete_layer (ctx=0x851b8b8) at rsvg-cairo-draw.c:1003
#12 0x0013f0ce in rsvg_cairo_render_path (ctx=0x851b8b8, bpath_def=0x808cfa0) at rsvg-cairo-draw.c:639
#13 0x0013cc4e in rsvg_render_path (ctx=0x851b8b8, 
    d=0x8059da0 "M 45.70543 501.29736000000003 H 325.28484200000003 A15.247724 15.247724 0 0 1 340.53256599999997 516.54508399999997 V 924.46134600000005 A15.247724 15.247724 0 0 1 325.28484200000003 939.7090700000001"...) at rsvg-base.c:2067
#14 0x0012f7ff in _rsvg_node_rect_draw (self=0x8106458, ctx=0x851b8b8, dominate=0) at rsvg-shapes.c:445
#15 0x00130e8a in rsvg_node_draw (self=0x8106458, ctx=0x851b8b8, dominate=0) at rsvg-structure.c:69
#16 0x00130f35 in _rsvg_node_draw_children (self=0x8105ad8, ctx=0x851b8b8, dominate=0) at rsvg-structure.c:87
#17 0x00130e8a in rsvg_node_draw (self=0x8105ad8, ctx=0x851b8b8, dominate=0) at rsvg-structure.c:69
#18 0x001319aa in rsvg_node_svg_draw (self=0x806b8c0, ctx=0x851b8b8, dominate=0) at rsvg-structure.c:326
#19 0x00130e8a in rsvg_node_draw (self=0x806b8c0, ctx=0x851b8b8, dominate=0) at rsvg-structure.c:69
#20 0x00140d4a in rsvg_handle_render_cairo_sub (handle=0x8056400, cr=0x4a7e40, id=0x0) at rsvg-cairo-render.c:234
#21 0x00140da2 in rsvg_handle_render_cairo (handle=0x8056400, cr=0x4a7e40) at rsvg-cairo-render.c:256
#22 0x0804a06b in main (argc=1, argv=0xbfffead4) at rsvg-convert.c:319


Running under valgrind doesn't crash, but reports this:

==27565== Unaddressable byte(s) found during client check request
==27565==    at 0x427E2C0: _cairo_debug_check_image_surface_is_defined (cairo-debug.c:125)
==27565==    by 0x42B5749: _cairo_surface_acquire_source_image (cairo-surface.c:1447)
==27565==    by 0x42BC119: _cairo_surface_snapshot_copy_on_write (cairo-surface-snapshot.c:125)
==27565==    by 0x42B407E: _cairo_surface_detach_snapshot (cairo-surface.c:329)
==27565==    by 0x42B3FE9: _cairo_surface_detach_snapshots (cairo-surface.c:314)
==27565==    by 0x42B49D0: cairo_surface_finish (cairo-surface.c:715)
==27565==    by 0x42B48EF: cairo_surface_destroy (cairo-surface.c:645)
==27565==    by 0x42A16DA: _cairo_pattern_fini (cairo-pattern.c:346)
==27565==    by 0x42A21D2: cairo_pattern_destroy (cairo-pattern.c:828)
==27565==    by 0x4281FD8: _cairo_gstate_fini (cairo-gstate.c:229)
==27565==    by 0x428211F: _cairo_gstate_restore (cairo-gstate.c:290)
==27565==    by 0x4276D86: cairo_restore (cairo.c:583)
==27565==    by 0x40390B0: rsvg_cairo_pop_discrete_layer (rsvg-cairo-draw.c:1003)
==27565==    by 0x40380CD: rsvg_cairo_render_path (rsvg-cairo-draw.c:639)
==27565==    by 0x4035C4D: rsvg_render_path (rsvg-base.c:2067)
==27565==    by 0x40287FE: _rsvg_node_rect_draw (rsvg-shapes.c:445)
==27565==    by 0x4029E89: rsvg_node_draw (rsvg-structure.c:69)
==27565==    by 0x4029F34: _rsvg_node_draw_children (rsvg-structure.c:87)
==27565==    by 0x4029E89: rsvg_node_draw (rsvg-structure.c:69)
==27565==    by 0x402A9A9: rsvg_node_svg_draw (rsvg-structure.c:326)
==27565==    by 0x4029E89: rsvg_node_draw (rsvg-structure.c:69)
==27565==    by 0x4039D49: rsvg_handle_render_cairo_sub (rsvg-cairo-render.c:234)
==27565==    by 0x4039DA1: rsvg_handle_render_cairo (rsvg-cairo-render.c:256)
==27565==    by 0x804A06A: main (rsvg-convert.c:319)
==27565==  Address 0x6c6b028 is not stack'd, malloc'd or (recently) free'd
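An added triage helper, not part of this bug report or of cairo/librsvg: it parses the gdb backtrace and the valgrind trace above into frames, aligns them from the outermost caller inward, and reports the innermost frame both tools agree on together with what each tool saw below it. The embedded samples are abridged copies of the two traces in the description, and the regexes assume the gdb and valgrind line formats shown there.

```python
import re
from typing import Dict, List, Optional, Tuple

Frame = Tuple[str, str, int]  # (function, source file, line)

# Constructed samples: innermost frames of the gdb and valgrind traces from the description above.
GDB_TRACE = """\
#0  __memcpy_ssse3 () at ../sysdeps/i386/i686/multiarch/memcpy-ssse3.S:160
#1  0x004441ec in _cairo_surface_snapshot_copy_on_write (surface=0x805aaa8) at cairo-surface-snapshot.c:140
#2  0x0043c07f in _cairo_surface_detach_snapshot (snapshot=0x805aaa8) at cairo-surface.c:329
#3  0x0043bfea in _cairo_surface_detach_snapshots (surface=0x805a5c8) at cairo-surface.c:314
"""
VALGRIND_TRACE = """\
==27565== Unaddressable byte(s) found during client check request
==27565==    at 0x427E2C0: _cairo_debug_check_image_surface_is_defined (cairo-debug.c:125)
==27565==    by 0x42B5749: _cairo_surface_acquire_source_image (cairo-surface.c:1447)
==27565==    by 0x42BC119: _cairo_surface_snapshot_copy_on_write (cairo-surface-snapshot.c:125)
==27565==    by 0x42B407E: _cairo_surface_detach_snapshot (cairo-surface.c:329)
==27565==    by 0x42B3FE9: _cairo_surface_detach_snapshots (cairo-surface.c:314)
"""
# gdb: "#N  [0xADDR in ]func (args) at file:line"; valgrind: "==PID==  at|by 0xADDR: func (file:line)"
GDB_RE = re.compile(r"^#\d+\s+(?:0x[0-9a-fA-F]+ in )?(\S+) \(.*\) at (\S+):(\d+)$")
VG_RE = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9a-fA-F]+: (\S+) \((\S+):(\d+)\)$")

def parse_frames(text: str, pattern: re.Pattern) -> List[Frame]:
    """Innermost frame first. Header lines are skipped; a gdb frame whose argument
    list wraps onto a second line (like frame #13 above) does not match and is dropped."""
    out = []
    for line in text.splitlines():
        m = pattern.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2), int(m.group(3))))
    return out

def shared_depth(a: List[Frame], b: List[Frame]) -> int:
    """Count frames shared from the outermost caller inward, comparing function and file only,
    so the same function reached at different lines still counts as shared."""
    n = 0
    while n < min(len(a), len(b)) and a[-1 - n][:2] == b[-1 - n][:2]:
        n += 1
    return n

def triage(gdb: List[Frame], vg: List[Frame]) -> Optional[Dict]:
    """Innermost frame both tools agree on, its line in each trace, and the frames unique to each."""
    k = shared_depth(gdb, vg)
    if k == 0:
        return None
    g, v = gdb[len(gdb) - k], vg[len(vg) - k]
    return {"function": g[0], "gdb_line": g[2], "valgrind_line": v[2],
            "gdb_only": [f[0] for f in gdb[:len(gdb) - k]],
            "valgrind_only": [f[0] for f in vg[:len(vg) - k]]}
```

On these traces the helper reports `_cairo_surface_snapshot_copy_on_write` as the last shared frame, reached at line 125 under valgrind (cairo's own definedness check on the source image) but at line 140 in gdb (the memcpy that faults), which is why valgrind flags the bad source surface before the copy rather than crashing.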
Comment 1 Christian Persch (GNOME) 2010-09-07 15:17:06 UTC
Created attachment 38534 [details]
minimally reduced svg file
Comment 2 Christian Persch (GNOME) 2010-10-13 04:41:46 UTC
Turns out this was an rsvg bug after all; now fixed with this commit: http://git.gnome.org/browse/librsvg/commit/?id=02a38df61976f6bbd1e5d2555a182e0a1411de57