Bug 7953

Summary: Cairo causes GTK2 apps to crash on Solaris 9
Product: cairo Reporter: Leo Zhadanovsky <leozh>
Component: xlib backendAssignee: Carl Worth <cworth>
Status: RESOLVED FIXED QA Contact: cairo-bugs mailing list <cairo-bugs>
Severity: blocker    
Priority: highest CC: dberkholz, fred, he, stric
Version: 1.2.4   
Hardware: SPARC   
OS: Solaris   
Whiteboard:
i915 platform: i915 features:

Description Leo Zhadanovsky 2006-08-21 21:15:36 UTC 
This is what happens when I run gtk-demo:
  [1] 0xddb00434(0xdf050, 0x1b0110, 0x1c7750, 0xffbfdb04, 0x1, 0x1), at 0xddb00434
=>[2] _cairo_xlib_surface_show_glyphs(abstract_dst = 0x2a9360, op =
CAIRO_OPERATOR_OVER, src_pattern = 0xffbfdc48, glyphs = 0x2a44b8, num_glyphs =
23, scaled_font = 0x1b0110), line 2823 in "cairo-xlib-surface.c"
  [3] _cairo_surface_show_glyphs(surface = 0x2a9360, op = CAIRO_OPERATOR_OVER,
source = 0xffbfdd30, glyphs = 0x2a44b8, num_glyphs = 23, scaled_font =
0x1b0110), line 1822 in "cairo-surface.c"
  [4] _cairo_gstate_show_glyphs(gstate = 0x2aa8e0, glyphs = 0xffbfde88,
num_glyphs = 23), line 1454 in "cairo-gstate.c"
  [5] cairo_show_glyphs(cr = 0x2a9e10, glyphs = 0xffbfde88, num_glyphs = 23),
line 2539 in "cairo.c"
  [6] pango_cairo_renderer_draw_glyphs(renderer = 0x1e2f70, font = 0x1688e8,
glyphs = 0x29f850, x = 0, y = 0), line 234 in "pangocairo-render.c"
  [7] pango_renderer_draw_glyphs(renderer = 0x1e2f70, font = 0x1688e8, glyphs =
0x29f850, x = 0, y = 0), line 595 in "pango-renderer.c"
  [8] _pango_cairo_do_glyph_string(cr = 0x2a9e10, font = 0x1688e8, glyphs =
0x29f850, do_path = 0), line 440 in "pangocairo-render.c"
  [9] pango_cairo_show_glyph_string(cr = 0x2a9e10, font = 0x1688e8, glyphs =
0x29f850), line 559 in "pangocairo-render.c"
  [10] gdk_pango_renderer_draw_glyphs(renderer = 0x2ab050, font = 0x1688e8,
glyphs = 0x29f850, x = 22528, y = 17408), line 244 in "gdkpango.c"
  [11] pango_renderer_draw_glyphs(renderer = 0x2ab050, font = 0x1688e8, glyphs =
0x29f850, x = 22528, y = 17408), line 595 in "pango-renderer.c"
  [12] pango_renderer_draw_layout_line(renderer = 0x2ab050, line = 0x274180, x =
22528, y = 17408), line 528 in "pango-renderer.c"
  [13] pango_renderer_draw_layout(renderer = 0x2ab050, layout = 0x1da798, x =
22528, y = 4096), line 186 in "pango-renderer.c"
  [14] gdk_draw_layout_with_colors(drawable = 0xfca18, gc = 0x1cd4c0, x = 22, y
= 4, layout = 0x1da798, foreground = (nil), background = (nil)), line 1030 in
"gdkpango.c"
  [15] gdk_draw_layout(drawable = 0xfca18, gc = 0x1cd4c0, x = 22, y = 4, layout
= 0x1da798), line 1092 in "gdkpango.c"
  [16] gtk_default_draw_layout(style = 0x1bd250, window = 0xfca18, state_type =
GTK_STATE_ACTIVE, use_text = 1, area = 0xffbfea40, widget = 0x142020, detail =
0xebe180c0 "cellrenderertext", x = 22, y = 4, layout = 0x1da798), line 5070 in
"gtkstyle.c"
  [17] draw_layout(style = 0x1bd250, window = 0xfca18, state_type =
GTK_STATE_ACTIVE, use_text = 1, area = 0xffbfea40, widget = 0x142020, detail =
0xebe180c0 "cellrenderertext", x = 22, y = 4, layout = 0x1da798), line 2013 in
"clearlooks_style.c"
  [18] gtk_paint_layout(style = 0x1bd250, window = 0xfca18, state_type =
GTK_STATE_ACTIVE, use_text = 1, area = 0xffbfea40, widget = 0x142020, detail =
0xebe180c0 "cellrenderertext", x = 22, y = 4, layout = 0x1da798), line 6345 in
"gtkstyle.c"
  [19] gtk_cell_renderer_text_render(cell = 0x149010, window = 0xfca18, widget =
0x142020, background_area = 0xffbfe9e8, cell_area = 0xffbfe9f8, expose_area =
0xffbfea40, flags = GTK_CELL_RENDERER_SELECTED), line 1666 in
"gtkcellrenderertext.c"
  [20] gtk_cell_renderer_render(cell = 0x149010, window = 0xfca18, widget =
0x142020, background_area = 0xffbfe9e8, cell_area = 0xffbfe9f8, expose_area =
0xffbfea40, flags = GTK_CELL_RENDERER_SELECTED), line 569 in "gtkcellrenderer.c"
  [21] gtk_tree_view_column_cell_process_action(tree_column = 0x14a860, window =
0xfca18, background_area = 0xffbfecbc, cell_area = 0xffbfecac, flags = 1U,
action = 0, expose_area = 0xffbff4ec, focus_rectangle = (nil), editable_widget =
(nil), event = (nil), path_string = (nil)), line 2774 in "gtktreeviewcolumn.c"
  [22] _gtk_tree_view_column_cell_render(tree_column = 0x14a860, window =
0xfca18, background_area = 0xffbfecbc, cell_area = 0xffbfecac, expose_area =
0xffbff4ec, flags = 1U), line 3108 in "gtktreeviewcolumn.c"
  [23] gtk_tree_view_bin_expose(widget = 0x142020, event = 0xffbff4e0), line
4545 in "gtktreeview.c"
  [24] gtk_tree_view_expose(widget = 0x142020, event = 0xffbff4e0), line 4819 in
"gtktreeview.c"
  [25] _gtk_marshal_BOOLEAN__BOXED(closure = 0x11a8f8, return_value =
0xffbfefc0, n_param_values = 2U, param_values = 0xffbff128, invocation_hint =
0xffbfeff4, marshal_data = 0xebcc7370), line 85 in "gtkmarshalers.c"
  [26] g_type_class_meta_marshal(closure = 0x11a8f8, return_value = 0xffbfefc0,
n_param_values = 2U, param_values = 0xffbff128, invocation_hint = 0xffbfeff4,
marshal_data = 0xc8), line 571 in "gclosure.c"
  [27] g_closure_invoke(closure = 0x11a8f8, return_value = 0xffbfefc0,
n_param_values = 2U, param_values = 0xffbff128, invocation_hint = 0xffbfeff4),
line 494 in "gclosure.c"
  [28] signal_emit_unlocked_R(node = 0x1076c8, detail = 0, instance = 0x142020,
emission_return = 0xffbff0e8, instance_and_params = 0xffbff128), line 2480 in
"gsignal.c"
  [29] g_signal_emit_valist(instance = 0x142020, signal_id = 35U, detail = 0,
var_args = 0xffbff36c), line 2207 in "gsignal.c"
  [30] g_signal_emit(instance = 0x142020, signal_id = 35U, detail = 0, ... =
0xffbff4e0, ...), line 2241 in "gsignal.c"
  [31] gtk_widget_event_internal(widget = 0x142020, event = 0xffbff4e0), line
3901 in "gtkwidget.c"
  [32] gtk_widget_send_expose(widget = 0x142020, event = 0xffbff4e0), line 3738
in "gtkwidget.c"
  [33] gtk_main_do_event(event = 0xffbff4e0), line 1379 in "gtkmain.c"
  [34] gdk_window_process_updates_internal(window = 0xfca18), line 2324 in
"gdkwindow.c"
  [35] gdk_window_process_all_updates(), line 2387 in "gdkwindow.c"
  [36] gtk_container_idle_sizer(data = (nil)), line 1113 in "gtkcontainer.c"
  [37] g_idle_dispatch(source = 0x1c4ba0, callback = 0xeba0bec8 =
&`libgtk-x11-2.0.so.0.1000.2`gtkcontainer.c`gtk_container_idle_sizer(gpointer
data), user_data = (nil)), line 3924 in "gmain.c"
  [38] g_main_dispatch(context = 0xf54a8), line 2045 in "gmain.c"
  [39] g_main_context_dispatch(context = 0xf54a8), line 2594 in "gmain.c"
  [40] g_main_context_iterate(context = 0xf54a8, block = 1, dispatch = 1, self =
0xf4e98), line 2675 in "gmain.c"
  [41] g_main_loop_run(loop = 0x1ca180), line 2879 in "gmain.c"
  [42] gtk_main(), line 1000 in "gtkmain.c"
  [43] main(argc = 1, argv = 0xffbffa3c), line 920 in "main.c"
Comment 1 Frederic Crozat 2006-08-23 00:38:51 UTC 
Confirming : I've got a similar bug report (
http://qa.mandriva.com/show_bug.cgi?id=24298 ) with people doing ssh between an
linux i586 and linux ppc :

copy of bug report 

still crashing, here the backtrace with cairo-debug:
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1223092528 (LWP 7978)]
0xb786827a in _cairo_xlib_surface_show_glyphs (abstract_dst=0x8914b90,
op=CAIRO_OPERATOR_OVER, src_pattern=0xbff39e08, glyphs=0x8915c08,
    num_glyphs=8, scaled_font=0x876adf8) at cairo-xlib-surface.c:2455
2455                    n[3] = d[0];
(gdb) bt
#0  0xb786827a in _cairo_xlib_surface_show_glyphs (abstract_dst=0x8914b90,
op=CAIRO_OPERATOR_OVER, src_pattern=0xbff39e08,
    glyphs=0x8915c08, num_glyphs=8, scaled_font=0x876adf8) at
cairo-xlib-surface.c:2455
#1  0xb784c5ba in _cairo_surface_show_glyphs (surface=0x8914b90,
op=CAIRO_OPERATOR_OVER, source=0xbff39f1c, glyphs=0x8915c08,
    num_glyphs=8, scaled_font=0x876adf8) at cairo-surface.c:1820
#2  0xb784039d in _cairo_gstate_show_glyphs (gstate=0x8915a90,
glyphs=0xbff39fe8, num_glyphs=8) at cairo-gstate.c:1449
#3  0xb783a873 in cairo_show_glyphs (cr=0x8914ca8, glyphs=0xbff39fe8,
num_glyphs=8) at cairo.c:2539
#4  0xb78e3590 in pango_cairo_show_glyph_string () from
/usr/lib/libpangocairo-1.0.so.0


It seems to be specifically related to arch, as the distant compter is an i586
and the client a ppc:
2411        /* flip formats around */
2412        switch (scaled_glyph->surface->format) {
...
2440        case CAIRO_FORMAT_ARGB32:
2441            if (_native_byte_order_lsb() != (ImageByteOrder (dpy) ==
LSBFirst)) {
2442                unsigned int    c = glyph_surface->stride *
glyph_surface->height;
2443                unsigned char   *d;
2444                unsigned char   *new, *n;
2445
2446                new = malloc (c);
2447                if (new == NULL) {
2448                    status = CAIRO_STATUS_NO_MEMORY;
2449                    goto BAIL;
2450                }
2451                n = new;
2452                d = data;
2453                while ((c -= 4) >= 0)
2454                {
2455                    n[3] = d[0];
2456                    n[2] = d[1];
2457                    n[1] = d[2];
2458                    n[0] = d[3];
2459                    d += 4;
2460                    n += 4;
2461                }
2462                data = new;
2463            }
2464            break;
2465        case CAIRO_FORMAT_RGB24:
2466        default:
2467            ASSERT_NOT_REACHED;
2468            break;
2469        }

btw, I don't understand the content of the var "c" which is supposed to be an
interger:

(gdb) p c
$1 = {mmx_4x00ff = 71777214294589695, mmx_4x0080 = 36029346783166592,
mmx_565_rgb = 2130307907615,
  mmx_565_unpack_multiplier = 567003842624, mmx_565_r = 1065151889408,
mmx_565_g = 16515072, mmx_565_b = 248,
  mmx_mask_0 = 18446744073709486080, mmx_mask_1 = 18446744069414649855,
mmx_mask_2 = 18446462603027808255, mmx_mask_3 = 281474976710655,
  mmx_full_alpha = 71776119061217280, mmx_ffff0000ffff0000 =
18446462603027742720, mmx_0000ffff00000000 = 281470681743360,
  mmx_000000000000ffff = 65535}
Comment 2 Behdad Esfahbod 2006-08-28 11:49:30 UTC 
2442                unsigned int    c = glyph_surface->stride *
glyph_surface->height;
2443                unsigned char   *d;
2444                unsigned char   *new, *n;
2445
2446                new = malloc (c);
2447                if (new == NULL) {
2448                    status = CAIRO_STATUS_NO_MEMORY;
2449                    goto BAIL;
2450                }
2451                n = new;
2452                d = data;
2453                while ((c -= 4) >= 0)
2454                {
2455                    n[3] = d[0];
2456                    n[2] = d[1];
2457                    n[1] = d[2];
2458                    n[0] = d[3];
2459                    d += 4;
2460                    n += 4;
2461                }
2462                data = new;

Since c is unsigned, ((c -= 4) >= 0) is ALWAYS true.  Compiling with -Wextra
says so too:

cairo-xlib-surface.c:880: warning: comparison of unsigned expression >= 0 is
always true
cairo-xlib-surface.c:2453: warning: comparison of unsigned expression >= 0 is
always true
Comment 3 Carl Worth 2006-08-28 19:04:11 UTC 
I've now pushed Behdad's fix for this bug out:

http://gitweb.freedesktop.org/?p=cairo;a=commit;h=1b7ced6614d809262cca08e7c5141b7ce740bfca

Though it might still be nice for someone to rewrite this code to use a more
conventional/safer loop style.

-Carl
Comment 4 Behdad Esfahbod 2006-08-28 19:34:15 UTC 
Ok, I rewrote the loop:

 
http://gitweb.freedesktop.org/?p=cairo;a=commit;h=b6e5f2b0fef00352930dfcc47a13f330a13b1d68

Please test.
Comment 5 Leo Zhadanovsky 2006-08-29 14:17:05 UTC 
(In reply to comment #3)
> I've now pushed Behdad's fix for this bug out:
> 
>
http://gitweb.freedesktop.org/?p=cairo;a=commit;h=1b7ced6614d809262cca08e7c5141b7ce740bfca
> 
> Though it might still be nice for someone to rewrite this code to use a more
> conventional/safer loop style.
> 
> -Carl
> 


Ok, this worked, thanks!
Comment 6 Behdad Esfahbod 2006-09-22 10:46:48 UTC 
*** Bug 8398 has been marked as a duplicate of this bug. ***
Comment 7 Behdad Esfahbod 2006-09-26 15:20:59 UTC 
*** Bug 8429 has been marked as a duplicate of this bug. ***

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.