Bug 81699

Summary: [need testcase] Segfault sweep_line_delete on video playback (2)
Product: cairo
Reporter: Henrique Lengler <henriqueleng>
Component: general
Assignee: Chris Wilson <chris>
Status: RESOLVED FIXED
QA Contact: cairo-bugs mailing list <cairo-bugs>
Severity: critical
Priority: high
CC: bunk, henriqueleng, marc, sidicas2
Version: 1.12.16
Hardware: x86-64 (AMD64)
OS: Linux (All)
Attachments: quick hack, testcase, alternative solution, proposed patch, cairo script, Crash backtrace

Description Henrique Lengler 2014-07-24 04:52:55 UTC
Hi,

My web browser crashes when I try to watch a YouTube video or open certain web
pages with any WebKit browser (that uses cairo).
I found other people like me with this bug but I can't find a solution.
This error has already happened to me while using these web browsers: jumanji,
surf, uzbl, vimprobable2, dwb, and using two different Linux distributions,
Arch Linux and Gentoo, both on the same computer.

There is this problem archived on this mailing list
http://lists.cairographics.org/archives/cairo/2014-March/025089.html , but the
"solution" presented at the end, as a patch
http://lists.cairographics.org/archives/cairo/2014-March/025103.html
didn't solve my problem. He says about the patch "This diff avoids the segfault
for me, but only papers over the bug..." So it's not the real solution.

I posted on the Arch Linux and Gentoo forums; the latter has more information.
Gentoo forum post:
https://forums.gentoo.org/viewtopic-t-995484-start-0-postdays-0-postorder-asc-highlight-.html?sid=c5c15b4431456821dcc93bbbc74b9ace

This bug is killing me: I can't watch any YouTube video and a lot of times
my browser suddenly closes. Also, the web browsers that I like most use
cairo.

Here is the complete message from gdb while running the browser with all
dependencies compiled with the debug flag.

---gdb.log---

Temporary breakpoint 1 at 0x407750: file jumanji.c, line 687.
Starting program: /usr/bin/jumanji
warning: Could not load shared library symbols for linux-vdso.so.1.
Do you need "set solib-search-path" or "set sysroot"?
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
sweep_line_delete (rectangle=0x7fffffff7a68, sweep=0x7fffffff7780) at cairo-bentley-ottmann-rectangular.c:567
567     cairo-bentley-ottmann-rectangular.c: Arquivo ou diretório não encontrado.
#0  0x00007ffff202f052 in sweep_line_delete (rectangle=0x7fffffff7a68, sweep=0x7fffffff7780) at cairo-bentley-ottmann-rectangular.c:567
#1  _cairo_bentley_ottmann_tessellate_rectangular (rectangles=rectangles@entry=0x7fffffff7950, num_rectangles=num_rectangles@entry=3, fill_rule=fill_rule@entry=CAIRO_FILL_RULE_WINDING, do_traps=do_traps@entry=0, container=container@entry=0x7fffffff8a50) at cairo-bentley-ottmann-rectangular.c:659
#2  0x00007ffff202f945 in _cairo_bentley_ottmann_tessellate_boxes (in=in@entry=0x7fffffff8ca0, fill_rule=fill_rule@entry=CAIRO_FILL_RULE_WINDING, out=out@entry=0x7fffffff8a50) at cairo-bentley-ottmann-rectangular.c:877
#3  0x00007ffff208fb84 in fixup_unbounded (extents=extents@entry=0x7fffffff9e40, boxes=boxes@entry=0x7fffffff93b0, compositor=0x7ffff2319940 <compositor.16699>) at cairo-traps-compositor.c:885
#4  0x00007ffff2090a6b in composite_aligned_boxes (boxes=0x7fffffff93b0, extents=0x7fffffff9e40, compositor=0x7ffff2319940 <compositor.16699>) at cairo-traps-compositor.c:1298
#5  clip_and_composite_boxes (compositor=compositor@entry=0x7ffff2319940 <compositor.16699>, extents=extents@entry=0x7fffffff9e40, boxes=boxes@entry=0x7fffffff93b0) at cairo-traps-compositor.c:1774
#6  0x00007ffff2090e2d in clip_and_composite_polygon (compositor=compositor@entry=0x7ffff2319940 <compositor.16699>, extents=extents@entry=0x7fffffff9e40, polygon=polygon@entry=0x7fffffff9a20, antialias=antialias@entry=CAIRO_ANTIALIAS_NONE, fill_rule=fill_rule@entry=CAIRO_FILL_RULE_WINDING, curvy=<optimized out>) at cairo-traps-compositor.c:1562
#7  0x00007ffff20915bc in _cairo_traps_compositor_fill (_compositor=0x7ffff2319940 <compositor.16699>, extents=0x7fffffff9e40, path=0xc45708, fill_rule=CAIRO_FILL_RULE_WINDING, tolerance=0.10000000000000001, antialias=CAIRO_ANTIALIAS_NONE) at cairo-traps-compositor.c:2250
#8  0x00007ffff203b7ea in _cairo_compositor_fill (compositor=0x7ffff2319940 <compositor.16699>, surface=0xe71a00, op=op@entry=CAIRO_OPERATOR_IN, source=source@entry=0x7ffff20e5b60 <_cairo_pattern_white>, path=path@entry=0xc45708, fill_rule=fill_rule@entry=CAIRO_FILL_RULE_WINDING, tolerance=0.10000000000000001, antialias=antialias@entry=CAIRO_ANTIALIAS_NONE, clip=clip@entry=0xa40040) at cairo-compositor.c:203
#9  0x00007ffff20ab9b8 in _cairo_xlib_surface_fill (_surface=0xe71a00, op=CAIRO_OPERATOR_IN, source=0x7ffff20e5b60 <_cairo_pattern_white>, path=0xc45708, fill_rule=CAIRO_FILL_RULE_WINDING, tolerance=<optimized out>, antialias=CAIRO_ANTIALIAS_NONE, clip=0xa40040) at cairo-xlib-surface.c:1646
#10 0x00007ffff207ed0c in _cairo_surface_fill (surface=0xe71a00, op=CAIRO_OPERATOR_IN, source=0x7ffff20e5b60 <_cairo_pattern_white>, path=0xc45708, fill_rule=CAIRO_FILL_RULE_WINDING, tolerance=0.10000000000000001, antialias=CAIRO_ANTIALIAS_NONE, clip=0xa40040) at cairo-surface.c:2255
#11 0x00007ffff2039c2f in _cairo_clip_combine_with_surface (clip=0xa40040, dst=dst@entry=0xe71a00, dst_x=<optimized out>, dst_y=<optimized out>) at cairo-clip-surface.c:78
#12 0x00007ffff208f857 in create_composite_mask (compositor=compositor@entry=0x7ffff2319940 <compositor.16699>, dst=<optimized out>, draw_closure=draw_closure@entry=0x7fffffffb170, draw_func=draw_func@entry=0x7ffff208e5e0 <composite_boxes>, mask_func=mask_func@entry=0x0, extents=extents@entry=0x7fffffffb590) at cairo-traps-compositor.c:500
#13 0x00007ffff20900ef in clip_and_composite_with_mask (src_y=0, src_x=0, src=0xc54510, op=CAIRO_OPERATOR_OVER, draw_closure=0x7fffffffb170, mask_func=0x0, draw_func=0x7ffff208e5e0 <composite_boxes>, extents=0x7fffffffb590, compositor=0x7ffff2319940 <compositor.16699>) at cairo-traps-compositor.c:546
#14 clip_and_composite (compositor=compositor@entry=0x7ffff2319940 <compositor.16699>, extents=extents@entry=0x7fffffffb590, draw_func=draw_func@entry=0x7ffff208e5e0 <composite_boxes>, mask_func=mask_func@entry=0x0, draw_closure=draw_closure@entry=0x7fffffffb170, need_clip=2) at cairo-traps-compositor.c:1036
#15 0x00007ffff20905d9 in clip_and_composite_boxes (compositor=compositor@entry=0x7ffff2319940 <compositor.16699>, extents=extents@entry=0x7fffffffb590, boxes=boxes@entry=0x7fffffffb170) at cairo-traps-compositor.c:1779
#16 0x00007ffff2091647 in _cairo_traps_compositor_fill (_compositor=0x7ffff2319940 <compositor.16699>, extents=0x7fffffffb590, path=0xd5e2d8, fill_rule=CAIRO_FILL_RULE_WINDING, tolerance=0.10000000000000001, antialias=CAIRO_ANTIALIAS_DEFAULT) at cairo-traps-compositor.c:2219
#17 0x00007ffff203b7ea in _cairo_compositor_fill (compositor=0x7ffff2319940 <compositor.16699>, surface=0x813a60, op=op@entry=CAIRO_OPERATOR_OVER, source=source@entry=0x7fffffffb9a0, path=path@entry=0xd5e2d8, fill_rule=fill_rule@entry=CAIRO_FILL_RULE_WINDING, tolerance=0.10000000000000001, antialias=antialias@entry=CAIRO_ANTIALIAS_DEFAULT, clip=clip@entry=0xd2c800) at cairo-compositor.c:203
#18 0x00007ffff20ab9b8 in _cairo_xlib_surface_fill (_surface=0x813a60, op=CAIRO_OPERATOR_OVER, source=0x7fffffffb9a0, path=0xd5e2d8, fill_rule=CAIRO_FILL_RULE_WINDING, tolerance=<optimized out>, antialias=CAIRO_ANTIALIAS_DEFAULT, clip=0xd2c800) at cairo-xlib-surface.c:1646
#19 0x00007ffff207ed0c in _cairo_surface_fill (surface=0x813a60, op=CAIRO_OPERATOR_OVER, source=0x7fffffffb9a0, path=0xd5e2d8, fill_rule=CAIRO_FILL_RULE_WINDING, tolerance=0.10000000000000001, antialias=CAIRO_ANTIALIAS_DEFAULT, clip=0xd2c800) at cairo-surface.c:2255
#20 0x00007ffff2043574 in _cairo_gstate_fill (gstate=0xdcc180, path=path@entry=0xd5e2d8) at cairo-gstate.c:1308
#21 0x00007ffff203d094 in _cairo_default_context_fill (abstract_cr=0xd5df70) at cairo-default-context.c:1058
#22 0x00007ffff20363d5 in cairo_fill (cr=0xd5df70) at cairo.c:2201
#23 0x00007ffff4d91b76 in fillRectWithColor (color=..., rect=..., cr=0xd5df70) at Source/WebCore/platform/graphics/cairo/GraphicsContextCairo.cpp:78
#24 fillRectWithColor (color=..., rect=..., cr=0xd5df70) at Source/WebCore/platform/graphics/cairo/GraphicsContextCairo.cpp:233
#25 WebCore::GraphicsContext::drawRect (this=this@entry=0x7fffffffdf30, rect=...) at Source/WebCore/platform/graphics/cairo/GraphicsContextCairo.cpp:243
#26 0x00007ffff5463890 in WebCore::RenderBoxModelObject::drawBoxSideFromPath (this=this@entry=0x7fff940d5bc8, graphicsContext=graphicsContext@entry=0x7fffffffdf30, borderRect=..., borderPath=..., edges=edges@entry=0x7fffffffc010, thickness=<optimized out>, drawThickness=<optimized out>, side=side@entry=WebCore::BSLeft, style=style@entry=0x7fff94415420, color=..., borderStyle=<optimized out>, bleedAvoidance=bleedAvoidance@entry=WebCore::BackgroundBleedBackgroundOverBorder, includeLogicalLeftEdge=includeLogicalLeftEdge@entry=true, includeLogicalRightEdge=includeLogicalRightEdge@entry=true) at Source/WebCore/rendering/RenderBoxModelObject.cpp:2261
#27 0x00007ffff5464495 in WebCore::RenderBoxModelObject::paintOneBorderSide (this=this@entry=0x7fff940d5bc8, graphicsContext=graphicsContext@entry=0x7fffffffdf30, style=style@entry=0x7fff94415420, outerBorder=..., innerBorder=..., sideRect=..., side=side@entry=WebCore::BSLeft, adjacentSide1=adjacentSide1@entry=WebCore::BSTop, adjacentSide2=adjacentSide2@entry=WebCore::BSBottom, edges=edges@entry=0x7fffffffc010, path=0x7fffffffbde0, bleedAvoidance=bleedAvoidance@entry=WebCore::BackgroundBleedBackgroundOverBorder, includeLogicalLeftEdge=includeLogicalLeftEdge@entry=true, includeLogicalRightEdge=includeLogicalRightEdge@entry=true, antialias=antialias@entry=true, overrideColor=overrideColor@entry=0x0) at Source/WebCore/rendering/RenderBoxModelObject.cpp:1819
#28 0x00007ffff5464d30 in WebCore::RenderBoxModelObject::paintBorderSides (this=this@entry=0x7fff940d5bc8, graphicsContext=graphicsContext@entry=0x7fffffffdf30, style=style@entry=0x7fff94415420, outerBorder=..., innerBorder=..., innerBorderAdjustment=..., edges=edges@entry=0x7fffffffc010, edgeSet=edgeSet@entry=15, bleedAvoidance=bleedAvoidance@entry=WebCore::BackgroundBleedBackgroundOverBorder, includeLogicalLeftEdge=includeLogicalLeftEdge@entry=true, includeLogicalRightEdge=includeLogicalRightEdge@entry=true, antialias=true, overrideColor=overrideColor@entry=0x0) at Source/WebCore/rendering/RenderBoxModelObject.cpp:1894
#29 0x00007ffff5466f2b in WebCore::RenderBoxModelObject::paintBorder (this=this@entry=0x7fff940d5bc8, info=..., rect=..., style=0x7fff94415420, bleedAvoidance=bleedAvoidance@entry=WebCore::BackgroundBleedBackgroundOverBorder, includeLogicalLeftEdge=4, includeLogicalLeftEdge@entry=true, includeLogicalRightEdge=includeLogicalRightEdge@entry=true) at Source/WebCore/rendering/RenderBoxModelObject.cpp:2109
#30 0x00007ffff545b657 in WebCore::RenderBox::paintBoxDecorations (this=0x7fff940d5bc8, paintInfo=..., paintOffset=...) at Source/WebCore/rendering/RenderBox.cpp:1192
#31 0x00007ffff541d3c7 in WebCore::RenderBlock::paintObject (this=0x7fff940d5bc8, paintInfo=..., paintOffset=...) at Source/WebCore/rendering/RenderBlock.cpp:3299
#32 0x00007ffff5404351 in WebCore::RenderBlock::paint (this=0x7fff940d5bc8, paintInfo=..., paintOffset=...) at Source/WebCore/rendering/RenderBlock.cpp:3019
#33 0x00007ffff54c35b2 in WebCore::RenderLayer::paintBackgroundForFragments (this=this@entry=0x7fff793b8ee8, layerFragments=..., context=context@entry=0x7fffffffdf30, transparencyLayerContext=transparencyLayerContext@entry=0x7fffffffdf30, transparencyPaintDirtyRect=..., haveTransparency=haveTransparency@entry=false, localPaintingInfo=..., paintBehavior=paintBehavior@entry=0, subtreePaintRootForRenderer=subtreePaintRootForRenderer@entry=0x0) at Source/WebCore/rendering/RenderLayer.cpp:4118
#34 0x00007ffff54ceb7b in WebCore::RenderLayer::paintLayerContents (this=this@entry=0x7fff793b8ee8, context=context@entry=0x7fffffffdf30, paintingInfo=..., paintFlags=224) at Source/WebCore/rendering/RenderLayer.cpp:3875
#35 0x00007ffff54cecb5 in WebCore::RenderLayer::paintLayerContentsAndReflection (this=this@entry=0x7fff793b8ee8, context=context@entry=0x7fffffffdf30, paintingInfo=..., paintFlags=paintFlags@entry=224) at Source/WebCore/rendering/RenderLayer.cpp:3649
#36 0x00007ffff54ceecf in WebCore::RenderLayer::paintLayerByApplyingTransform (this=this@entry=0x7fff793b8ee8, context=context@entry=0x7fffffffdf30, paintingInfo=..., paintFlags=paintFlags@entry=224, translationOffset=...) at Source/WebCore/rendering/RenderLayer.cpp:3951
#37 0x00007ffff54cf612 in WebCore::RenderLayer::paintLayer (this=this@entry=0x7fff793b8ee8, context=context@entry=0x7fffffffdf30, paintingInfo=..., paintFlags=paintFlags@entry=224) at Source/WebCore/rendering/RenderLayer.cpp:3622
#38 0x00007ffff54d03aa in paintList (paintFlags=<optimized out>, paintingInfo=..., context=<optimized out>, list=<optimized out>, this=<optimized out>) at Source/WebCore/rendering/RenderLayer.cpp:3971
#39 WebCore::RenderLayer::paintList (this=0x7fff94152678, list=0x7fff5f362230, context=0x7fffffffdf30, paintingInfo=..., paintFlags=224) at Source/WebCore/rendering/RenderLayer.cpp:3954
#40 0x00007ffff54ce4c6 in WebCore::RenderLayer::paintLayerContents (this=this@entry=0x7fff94152678, context=context@entry=0x7fffffffdf30, paintingInfo=..., paintFlags=224) at Source/WebCore/rendering/RenderLayer.cpp:3896
#41 0x00007ffff54cecb5 in WebCore::RenderLayer::paintLayerContentsAndReflection (this=this@entry=0x7fff94152678, context=context@entry=0x7fffffffdf30, paintingInfo=..., paintFlags=paintFlags@entry=224) at Source/WebCore/rendering/RenderLayer.cpp:3649
#42 0x00007ffff54ceecf in WebCore::RenderLayer::paintLayerByApplyingTransform (this=this@entry=0x7fff94152678, context=context@entry=0x7fffffffdf30, paintingInfo=..., paintFlags=paintFlags@entry=224, translationOffset=...) at Source/WebCore/rendering/RenderLayer.cpp:3951
#43 0x00007ffff54cf612 in WebCore::RenderLayer::paintLayer (this=this@entry=0x7fff94152678, context=context@entry=0x7fffffffdf30, paintingInfo=..., paintFlags=paintFlags@entry=224) at Source/WebCore/rendering/RenderLayer.cpp:3622
#44 0x00007ffff54d03aa in paintList (paintFlags=<optimized out>, paintingInfo=..., context=<optimized out>, list=<optimized out>, this=<optimized out>) at Source/WebCore/rendering/RenderLayer.cpp:3971
#45 WebCore::RenderLayer::paintList (this=0x7fff94152340, list=0x7fff5f3623c0, context=0x7fffffffdf30, paintingInfo=..., paintFlags=224) at Source/WebCore/rendering/RenderLayer.cpp:3954
#46 0x00007ffff54ce4c6 in WebCore::RenderLayer::paintLayerContents (this=this@entry=0x7fff94152340, context=context@entry=0x7fffffffdf30, paintingInfo=..., paintFlags=224) at Source/WebCore/rendering/RenderLayer.cpp:3896
#47 0x00007ffff54cecb5 in WebCore::RenderLayer::paintLayerContentsAndReflection (this=this@entry=0x7fff94152340, context=context@entry=0x7fffffffdf30, paintingInfo=..., paintFlags=paintFlags@entry=224) at Source/WebCore/rendering/RenderLayer.cpp:3649
#48 0x00007ffff54cf530 in WebCore::RenderLayer::paintLayer (this=this@entry=0x7fff94152340, context=context@entry=0x7fffffffdf30, paintingInfo=..., paintFlags=paintFlags@entry=224) at Source/WebCore/rendering/RenderLayer.cpp:3631
#49 0x00007ffff54d03aa in paintList (paintFlags=<optimized out>, paintingInfo=..., context=<optimized out>, list=<optimized out>, this=<optimized out>) at Source/WebCore/rendering/RenderLayer.cpp:3971
#50 WebCore::RenderLayer::paintList (this=0x7fff940d58c8, list=0x7fff5f3622e0, context=0x7fffffffdf30, paintingInfo=..., paintFlags=224) at Source/WebCore/rendering/RenderLayer.cpp:3954
#51 0x00007ffff54ce4c6 in WebCore::RenderLayer::paintLayerContents (this=this@entry=0x7fff940d58c8, context=context@entry=0x7fffffffdf30, paintingInfo=..., paintFlags=224) at Source/WebCore/rendering/RenderLayer.cpp:3896
#52 0x00007ffff54cecb5 in WebCore::RenderLayer::paintLayerContentsAndReflection (this=this@entry=0x7fff940d58c8, context=context@entry=0x7fffffffdf30, paintingInfo=..., paintFlags=paintFlags@entry=224) at Source/WebCore/rendering/RenderLayer.cpp:3649
#53 0x00007ffff54cf530 in WebCore::RenderLayer::paintLayer (this=this@entry=0x7fff940d58c8, context=context@entry=0x7fffffffdf30, paintingInfo=..., paintFlags=paintFlags@entry=224) at Source/WebCore/rendering/RenderLayer.cpp:3631
#54 0x00007ffff54d03aa in paintList (paintFlags=<optimized out>, paintingInfo=..., context=<optimized out>, list=<optimized out>, this=<optimized out>) at Source/WebCore/rendering/RenderLayer.cpp:3971
#55 WebCore::RenderLayer::paintList (this=0x7fff951c5350, list=0x7fff7937c0d0, context=0x7fffffffdf30, paintingInfo=..., paintFlags=224) at Source/WebCore/rendering/RenderLayer.cpp:3954
#56 0x00007ffff54ce4c6 in WebCore::RenderLayer::paintLayerContents (this=this@entry=0x7fff951c5350, context=context@entry=0x7fffffffdf30, paintingInfo=..., paintFlags=224) at Source/WebCore/rendering/RenderLayer.cpp:3896
#57 0x00007ffff54cecb5 in WebCore::RenderLayer::paintLayerContentsAndReflection (this=this@entry=0x7fff951c5350, context=context@entry=0x7fffffffdf30, paintingInfo=..., paintFlags=paintFlags@entry=224) at Source/WebCore/rendering/RenderLayer.cpp:3649
#58 0x00007ffff54cf530 in WebCore::RenderLayer::paintLayer (this=this@entry=0x7fff951c5350, context=context@entry=0x7fffffffdf30, paintingInfo=..., paintFlags=paintFlags@entry=224) at Source/WebCore/rendering/RenderLayer.cpp:3631
#59 0x00007ffff54d03aa in paintList (paintFlags=<optimized out>, paintingInfo=..., context=<optimized out>, list=<optimized out>, this=<optimized out>) at Source/WebCore/rendering/RenderLayer.cpp:3971
#60 WebCore::RenderLayer::paintList (this=0x7fff951c5178, list=0x7fff94ef4fe0, context=0x7fffffffdf30, paintingInfo=..., paintFlags=224) at Source/WebCore/rendering/RenderLayer.cpp:3954
#61 0x00007ffff54ce4c6 in WebCore::RenderLayer::paintLayerContents (this=this@entry=0x7fff951c5178, context=context@entry=0x7fffffffdf30, paintingInfo=..., paintFlags=224) at Source/WebCore/rendering/RenderLayer.cpp:3896
#62 0x00007ffff54cecb5 in WebCore::RenderLayer::paintLayerContentsAndReflection (this=this@entry=0x7fff951c5178, context=context@entry=0x7fffffffdf30, paintingInfo=..., paintFlags=paintFlags@entry=0) at Source/WebCore/rendering/RenderLayer.cpp:3649
#63 0x00007ffff54cf530 in WebCore::RenderLayer::paintLayer (this=this@entry=0x7fff951c5178, context=context@entry=0x7fffffffdf30, paintingInfo=..., paintFlags=paintFlags@entry=0) at Source/WebCore/rendering/RenderLayer.cpp:3631
#64 0x00007ffff54d05f0 in WebCore::RenderLayer::paint (this=this@entry=0x7fff951c5178, context=context@entry=0x7fffffffdf30, damageRect=..., paintBehavior=0, subtreePaintRoot=subtreePaintRoot@entry=0x0, region=region@entry=0x0, paintFlags=paintFlags@entry=0) at Source/WebCore/rendering/RenderLayer.cpp:3441
#65 0x00007ffff539ea3d in WebCore::FrameView::paintContents (this=0x7fffe69aba00, p=0x7fffffffdf30, rect=...) at Source/WebCore/page/FrameView.cpp:3564
#66 0x00007ffff5a40bd6 in paint (rect=..., context=0x7fffffffdf30, this=0x7fffe69aba00) at Source/WebCore/platform/ScrollView.cpp:1102
#67 WebCore::ScrollView::paint (this=0x7fffe69aba00, context=0x7fffffffdf30, rect=...) at Source/WebCore/platform/ScrollView.cpp:1071
#68 0x00007ffff4c9b663 in paintWebView (dirtyRegion=..., frame=0x7fffe6988c00, webView=0x7ca2c0) at Source/WebKit/gtk/WebCoreSupport/ChromeClientGtk.cpp:562
#69 WebKit::ChromeClient::paint (this=0x7c89f0) at Source/WebKit/gtk/WebCoreSupport/ChromeClientGtk.cpp:605
#70 0x00007ffff4d8e420 in WebCore::ThreadTimers::sharedTimerFiredInternal (this=0x7fffe699bbe0) at Source/WebCore/platform/ThreadTimers.cpp:129
#71 0x00007ffff4da0a62 in WebCore::timeout_cb () at Source/WebCore/platform/gtk/SharedTimerGtk.cpp:49
#72 0x00007ffff69902ab in g_timeout_dispatch (source=source@entry=0x7aef10, callback=<optimized out>, user_data=<optimized out>) at /var/tmp/portage/dev-libs/glib-2.38.2-r1/work/glib-2.38.2/glib/gmain.c:4451
#73 0x00007ffff698f715 in g_main_dispatch (context=0x6767b0) at /var/tmp/portage/dev-libs/glib-2.38.2-r1/work/glib-2.38.2/glib/gmain.c:3066
#74 g_main_context_dispatch (context=context@entry=0x6767b0) at /var/tmp/portage/dev-libs/glib-2.38.2-r1/work/glib-2.38.2/glib/gmain.c:3642
#75 0x00007ffff698fa58 in g_main_context_iterate (context=0x6767b0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at /var/tmp/portage/dev-libs/glib-2.38.2-r1/work/glib-2.38.2/glib/gmain.c:3713
#76 0x00007ffff698feaa in g_main_loop_run (loop=0x7bec50) at /var/tmp/portage/dev-libs/glib-2.38.2-r1/work/glib-2.38.2/glib/gmain.c:3907
#77 0x00007ffff766a905 in gtk_main () at gtkmain.c:1158
#78 0x0000000000407795 in main (argc=1, argv=0x7fffffffe388) at jumanji.c:699
A debugging session is active.
        Inferior 1 [process 25969] will be killed.
Quit anyway? (y or n)

---gdb.log---
Comment 1 Massimo 2014-08-10 17:40:40 UTC
Created attachment 104383 [details] [review]
quick hack

The problem here seems to be that with small areas to fill
the boxes tessellator receives empty boxes which are
evidently unexpected. The attached patch is derived going
one step back to the source of these empty boxes,
a comment there seems to imply a choice to mimic pixman.    

Obviously the real problem could be earlier than there.

A different solution could be to impose a minimum 1 width/height
for the boxes generated.
Comment 2 Massimo 2014-08-13 09:34:53 UTC
Created attachment 104551 [details] [review]
testcase

I cairo-traced a visit to youtube using 'surf' and reduced the trace
to the minimum still reproducing the crash in the form of a
cairo test-suite C file.

So, after applying the patch and running make -C test, if you
execute the test with:

> CAIRO_TEST_TARGET=xlib gdb -ex r -ex bt --args test/.libs/cairo-test-suite sweep-line-delete

you'll have a similar backtrace to the one in the bug report.
Comment 3 Uli Schlachter 2014-08-13 11:23:46 UTC
(In reply to comment #2)
> Created attachment 104551 [details] [review] [review]
> testcase
> 
> I cairo-traced a visit to youtube using 'surf' and reduced the trace
> to the minimum still reproducing the crash in the form of a
> cairo test-suite C file.

Would it be ok with you if this test case were included with Cairo? Would the following license header be suitable? Do you want some copyright notice to be included? Which one?

/*
 * Permission is hereby granted, free of charge, to any person
 * obtaining a copy of this software and associated documentation
 * files (the "Software"), to deal in the Software without
 * restriction, including without limitation the rights to use, copy,
 * modify, merge, publish, distribute, sublicense, and/or sell copies
 * of the Software, and to permit persons to whom the Software is
 * furnished to do so, subject to the following conditions:
 *
 * The above copyright notice and this permission notice shall be
 * included in all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 * SOFTWARE.
 */
Comment 4 Massimo 2014-08-13 15:14:16 UTC
Created attachment 104568 [details] [review]
alternative solution

An alternative patch that would make the rectangular tessellator
work also with empty boxes, so intrinsically safe also for
other (future) callers. 

Obviously only valid if I understood what it's doing and it
is possible to effectively ignore empty boxes. 

> Would it be ok with you if this test case were included with Cairo? Would the
> following license header be suitable? Do you want some copyright notice to be
> included? Which one?

it is ok with me, it is suitable, don't want any copyright notice, whatever.
Comment 5 Henrique Lengler 2014-08-16 04:39:09 UTC
Hi Massimo. Looks like your last patch with only 3 lines of code solved the problem!
I applied it here and no more segfault.
As I don't understand and know nothing about cairo, I don't know if what this patch does is the right thing or if it is safe to use it. All I know is that it solved it, I think.

Should I mark it as solved?

I applied it here and
(In reply to comment #4)
> Created attachment 104568 [details] [review] [review]
> alternative solution
> 
> An alternative patch that would make the rectangular tessellator
> work also with empty boxes, so intrinsically safe also for
> other (future) callers. 
> 
> Obviously only valid if I understood what it's doing and it
> is possible to effectively ignore empty boxes. 
> 
> > Would it be ok with you if this test case were included with Cairo? Would the
> > following license header be suitable? Do you want some copyright notice to be
> > included? Which one?
> 
> it is ok with me, it is suitable, don't want any copyright notice, whatever.
Comment 6 Massimo 2014-08-16 17:36:32 UTC
(In reply to comment #5)
> Hi Massimo. Looks like you last patch with only 3 lines of code solved the
> problem!
> I applied here and no more segfault.
> How i don't understand and i know nothing about cairo, i don't know if what
> this patch do is the right thing or if is safe use it. All i know it is that
> it solved, i think.
>

To me it seems correct and safe, it only drops empty
boxes from the list of boxes to be tessellated. 

Empty boxes do not alter the insideness of any pixel
because if a ray from the pixel intersects the top edge
it also intersects the bottom edge, one from the left
and the other from the right, so it should be correct
for both (EVEN_ODD, WINDING) fill rules that cairo implements. 

OTOH these empty boxes are problematic as they possibly
lead to a segfault.

It is possible that there are better places to discard
these boxes.

> Should i mark as solved?

I'm not a cairo developer, but I'd say not until a fix
has been included in the official source tree. So people
experiencing the same problem can find a solution and report
shortcomings. 

There are already many duplicates in many
distribution/application/library bugzillas.
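As an added illustration (not cairo's code and not any of the patches attached to this bug), here is a small C model of what comment 4's alternative solution does and why the argument above holds: drop empty boxes before tessellation, then check exhaustively over a toy raster that no pixel's insideness changes under either EVEN_ODD or WINDING. The names `filter_empty_boxes`, `pixel_inside` and `filtering_preserves_insideness` are hypothetical; plain ints stand in for cairo_fixed_t, the struct layout is simplified (cairo stores p1/p2 points), and the sample boxes are constructed.

```c
/* Constructed model of the fix discussed in this bug: drop empty boxes
 * before tessellation and check that doing so does not change which pixels
 * are inside under either cairo fill rule. Illustration code, not cairo's
 * own: integer coordinates stand in for cairo_fixed_t and the box layout is
 * simplified (cairo uses p1/p2 points). */
#include <stdio.h>

typedef struct { int x1, y1, x2, y2; } box_t;   /* half-open [x1,x2) x [y1,y2) */

typedef enum { FILL_EVEN_ODD, FILL_WINDING } fill_rule_t;

/* A box is empty when it covers no pixel: zero or negative width/height.
 * The inverted boxes quoted in comment 10 (p1.x > p2.x) fall in here too. */
static int box_is_empty(const box_t *b)
{
    return b->x2 <= b->x1 || b->y2 <= b->y1;
}

/* What the "alternative solution" does in spirit: copy only the non-empty
 * boxes to out and return how many survived. out needs room for n entries. */
int filter_empty_boxes(const box_t *in, int n, box_t *out)
{
    int kept = 0;
    for (int i = 0; i < n; i++)
        if (!box_is_empty(&in[i]))
            out[kept++] = in[i];
    return kept;
}

/* Winding number of pixel (px,py): for axis-aligned boxes that all share one
 * orientation, every box containing the point contributes +1, so there is
 * no edge direction to track in this model. */
static int winding_at(const box_t *boxes, int n, int px, int py)
{
    int w = 0;
    for (int i = 0; i < n; i++)
        if (px >= boxes[i].x1 && px < boxes[i].x2 &&
            py >= boxes[i].y1 && py < boxes[i].y2)
            w++;
    return w;
}

/* Insideness under the two fill rules cairo implements. */
int pixel_inside(const box_t *boxes, int n, int px, int py, fill_rule_t rule)
{
    int w = winding_at(boxes, n, px, py);
    return rule == FILL_EVEN_ODD ? (w & 1) : (w != 0);
}

/* The claim in comment 6, checked exhaustively over a small raster:
 * filtering the empty boxes leaves every pixel's insideness unchanged for
 * both rules. Returns 1 when that holds for this box list (n <= 64). */
int filtering_preserves_insideness(const box_t *in, int n, int width, int height)
{
    box_t kept[64];
    int m = filter_empty_boxes(in, n, kept);
    for (int y = 0; y < height; y++)
        for (int x = 0; x < width; x++)
            for (int r = FILL_EVEN_ODD; r <= FILL_WINDING; r++)
                if (pixel_inside(in, n, x, y, r) != pixel_inside(kept, m, x, y, r))
                    return 0;
    return 1;
}

/* Constructed sample: two overlapping real boxes plus the kinds of empty box
 * this thread describes (zero height, zero width, inverted x). */
static const box_t sample[] = {
    { 1, 1, 6, 5 },   /* real */
    { 3, 2, 8, 7 },   /* real, overlaps the first */
    { 0, 4, 9, 4 },   /* zero height */
    { 5, 0, 5, 9 },   /* zero width */
    { 8, 2, 2, 6 },   /* inverted: p1.x > p2.x, as in comment 10 */
};
#define SAMPLE_N ((int)(sizeof sample / sizeof sample[0]))

int main(void)
{
    box_t kept[SAMPLE_N];
    int m = filter_empty_boxes(sample, SAMPLE_N, kept);
    printf("%d of %d boxes kept\n", m, SAMPLE_N);
    printf("insideness preserved: %s\n",
           filtering_preserves_insideness(sample, SAMPLE_N, 10, 10) ? "yes" : "no");
    return 0;
}
```

The check is a model of the argument, not a proof about cairo's real tessellator; what it does show is that the filter discards exactly the degenerate boxes and nothing that affects coverage.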
Comment 7 Chris Wilson 2014-08-21 08:36:39 UTC
(In reply to comment #6)
> (In reply to comment #5)
> > Hi Massimo. Looks like you last patch with only 3 lines of code solved the
> > problem!
> > I applied here and no more segfault.
> > How i don't understand and i know nothing about cairo, i don't know if what
> > this patch do is the right thing or if is safe use it. All i know it is that
> > it solved, i think.
> >
> 
> To me it seems correct and safe, it only drops empty
> boxes from the list of boxes to be tessellated. 

It is. Could you please write a nice commit log, adding

Reported-by: Henrique Lengler <henriqueleng@openmailbox.org>
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=81699

and submit. Ideally we would love to have a test case to hit this problem as well. If you can capture it using cairo-trace that would be a good start.
 
> Empty boxes do not alter the insideness of any pixel
> because if a ray from the pixel intersects the top edge
> it also intersects the bottom edge, one from the left
> and the other from the right, so it should be correct
> for both (EVEN_ODD, WINDING) fill rules that cairo implements. 
> 
> OTOH these empty boxes are problematic as they possibly
> lead to a segfault.
> 
> It is possible that there are better places to discard
> these boxes.

That's my only worry, I am trying to remember all the call paths that enter here and why we have empty boxes in the first place. In this case, the empty boxes seem to be part of the clip, which is worrisome. All the zero height boxes should have been prefiltered...

diff --git a/src/cairo-boxes.c b/src/cairo-boxes.c
index 63b68dd..90afdbd 100644
--- a/src/cairo-boxes.c
+++ b/src/cairo-boxes.c
@@ -139,6 +139,8 @@ _cairo_boxes_add_internal (cairo_boxes_t *boxes,
     if (unlikely (boxes->status))
        return;
 
+    assert(box->x2 > box->x1 && box->y2 > box->y1);
+
     chunk = boxes->tail;
     if (unlikely (chunk->count == chunk->size)) {
        int size;
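Review bot: the field names in the added assert do not match cairo_box_t, which stores its two corners as points, so `box->x2 > box->x1 && box->y2 > box->y1` should read `box->p2.x > box->p1.x && box->p2.y > box->p1.y` (the corrected form appears later in this thread). Two smaller points: the hunk shows no `#include <assert.h>` being added to cairo-boxes.c, and an assert is compiled out under NDEBUG, so this locates where empty boxes enter in debug builds rather than protecting release builds from the tessellator crash.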

So yes, this suggests a far deeper problem than just the tessellate failure.
Comment 8 Massimo 2014-08-21 15:20:51 UTC
Created attachment 105050 [details] [review]
proposed patch
Comment 9 Massimo 2014-08-21 15:22:45 UTC
Created attachment 105051 [details]
cairo script

This is the minimum cairo-trace/script that I obtained.

To crash it I compiled util/cairo-script/csi-replay.c after
changing the #define SINGLE_SURFACE to 0

To derive a test case from it probably it is possible
to use a smaller surface size.

Enabling xlib-xcb prevents the crash, probably another code path
is executed. (Valgrind (--enable-valgrind=no) reports an invalid 
read though)
Comment 10 Uli Schlachter 2014-08-23 11:43:01 UTC
(In reply to comment #7)
[...]
> That's my only worry, I am trying to remember all the call paths that enter
> here and why we have empty boxes in the first place. In this case, the empty
> boxes seem to be part of the clip, which is worrisome. All the zero height
> boxes should have been prefiltered...
> 
> diff --git a/src/cairo-boxes.c b/src/cairo-boxes.c
> index 63b68dd..90afdbd 100644
> --- a/src/cairo-boxes.c
> +++ b/src/cairo-boxes.c
> @@ -139,6 +139,8 @@ _cairo_boxes_add_internal (cairo_boxes_t *boxes,
>      if (unlikely (boxes->status))
>         return;
>  
> +    assert(box->x2 > box->x1 && box->y2 > box->y1);
> +
>      chunk = boxes->tail;
>      if (unlikely (chunk->count == chunk->size)) {
>         int size;
> 
> So yes, this suggests a far deeper problem than just the tesselate failure.

I guess you meant this: assert(box->p2.x > box->p1.x && box->p2.y > box->p1.y); 

That assert triggers for 61 test cases in the test suite. Most of these are due to boxes like this (this code appears in different places inside of cairo, e.g. _cairo_xcb_surface_fixup_unbounded_boxes and the span compositor's fixup_unbounded_boxes):

    box.p1.x = _cairo_fixed_from_int (extents->unbounded.x + extents->unbounded.width);
    box.p1.y = _cairo_fixed_from_int (extents->unbounded.y);
    box.p2.x = _cairo_fixed_from_int (extents->unbounded.x);
    box.p2.y = _cairo_fixed_from_int (extents->unbounded.y + extents->unbounded.height);

I guess that means that this code is wrong and should be fixed? Perhaps we should even commit this assert to cairo?

At least I didn't find anything generating zero-height boxes.

List of tests: big-empty-box big-empty-triangle big-little-box bug-40410 bug-bo-collins bug-bo-rectangular clip-complex-bug61492 clip-complex-shape-eo-aa clip-complex-shape-eo-mono clip-fill clip-fill-eo-unbounded clip-fill-nz-unbounded clip-group-shapes-unaligned-rectangles clip-mixed-antialias clip-nesting clip-operator clip-shape clip-stroke-unbounded clip-text clip-twice copy-disjoint fill-disjoint get-path-extents hatchings image-surface-source mask operator operator-alpha operator-alpha-alpha paint-with-alpha-clip-mask pdf-surface-source ps-surface-source random-clip record-paint-alpha-clip-mask record-self-intersecting record1414x-self-intersecting record2x-self-intersecting record90-self-intersecting recordflip-self-intersecting rectilinear-fill rotated-clip self-copy self-copy-overlap self-intersecting subsurface-image-repeat subsurface-modify-child subsurface-modify-parent subsurface-pad subsurface-reflect subsurface-repeat surface-pattern-operator svg-surface-source text-glyph-range tighten-bounds trap-clip unantialiased-shapes unbounded-operator white-in-noop xcb-surface-source xlib-surface-source zero-mask

Oh and the assert does not trigger for the test case attached to this bug report (except for the "test-traps" (pseudo-)backend, which doesn't count, I guess). But that test case doesn't crash here either...?
Comment 11 Chris Wilson 2014-08-23 13:16:42 UTC
Hmm, nope. We only reject the empty boxes, but allow negative boxes to represent counter winding. That's cunning.

Ok, found the problem. It's the traps-to-boxes routine that doesn't prefilter zero height traps/boxes.
Comment 12 Chris Wilson 2014-08-23 13:22:14 UTC
commit 13a09526d2120c244471e03b6ae979016ef88e83
Author: Chris Wilson <chris@chris-wilson.co.uk>
Date:   Sat Aug 23 14:16:55 2014 +0100

    traps,xcb: Prefilter zero-area boxes when converting traps
    
    The rectangular tesselation routines rely on the presumption that all the
    boxes they have to handle are already filtered to remove empty boxes.
    
    << /width 800 /height 600 >> surface context
    0.0848671 0 0 0.0848671 39.907812 5.608896 matrix transform
    8 0 m 12.417969 0 16 3.582031 16 8 c 16 12.417969 12.417969 16 8 16 c
    3.582031 16 0 12.417969 0 8 c 0 3.582031 3.582031 0 8 0 c h
    clip
    16 0 m 8 8 l 16 16 l h
    clip
    0 0 16 16 rectangle
    fill
    
    Triggers the error given a traps tesselator like cairo-xlib.
    
    Reported-by: Henrique Lengler <henriqueleng@openmailbox.org>
    Analyzed-by: Massimo <sixtysix@inwind.it>
    Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=81699
    Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>


Fixed, but leaving open to add the testcase.
Comment 13 Uli Schlachter 2014-08-23 13:36:10 UTC
*** Bug 72244 has been marked as a duplicate of this bug. ***
Comment 14 Uli Schlachter 2014-08-23 13:38:17 UTC
*** Bug 76272 has been marked as a duplicate of this bug. ***
Comment 15 Adrian Bunk 2014-08-25 07:45:19 UTC
Created attachment 105218 [details]
Crash backtrace

Hi Chris,

thanks for the fix, it greatly increased stability.

But unfortunately sometimes there are still crashes.

Attached is a backtrace for the following (this is Debian 1.12.16-2 plus commit 13a09526 from master):

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff2cb0f98 in sweep_line_delete_edge (edge=0x7fffffff7b00, 
    sweep=0x7fffffff77f0)
    at /tmp/cairo-1.12.16/src/cairo-bentley-ottmann-rectangular.c:558
558         edge->next->prev = edge->prev;
Comment 16 Chris Wilson 2014-08-25 07:58:15 UTC
/me hangs head in shame

commit a5f51588afd9d5629b03297eb29ff46350b6ba50
Author: Chris Wilson <chris@chris-wilson.co.uk>
Date:   Mon Aug 25 08:55:24 2014 +0100

    traps,xcb: Set the box count after filtering
    
    After converting, the number of boxes should only count the number of
    non-zero boxes and forget about the zero-sized boxes we skipped over.
    
    Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=81699
    Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
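The thread above makes three related points that are easy to conflate: empty (zero width or zero height) boxes cannot change the insideness of any pixel (comment 7), a box with reversed x coordinates is not empty but encodes counter winding and so must survive any filter (comments 10 and 11), and a filter that compacts the box array without writing the new count back leaves the consumer iterating over a stale tail (comment 16). The following is an added example illustrating all three; it is not cairo's code. `fixed_t`, `point_t`, `box_t` and `box_list_t` are constructed stand-ins that borrow the `p1`/`p2` naming of cairo_box_t, and the sample boxes are constructed for the demonstration.

```c
#include <stdio.h>

/* Constructed stand-ins for cairo's 24.8 fixed-point point and box types.
 * Field names follow cairo_box_t (p1/p2) as used in comment 10, but neither
 * these nor box_list_t are cairo's own definitions. */
typedef int fixed_t;
typedef struct { fixed_t x, y; } point_t;
typedef struct { point_t p1, p2; } box_t;

#define FIXED_FROM_INT(i) ((fixed_t) ((i) << 8))

typedef struct {
    box_t boxes[8];
    int num_boxes;      /* the count a consumer such as the tessellator trusts */
} box_list_t;

static box_t make_box (int x1, int y1, int x2, int y2)
{
    box_t b = { { FIXED_FROM_INT (x1), FIXED_FROM_INT (y1) },
                { FIXED_FROM_INT (x2), FIXED_FROM_INT (y2) } };
    return b;
}

/* Empty means zero width or zero height.  A box with reversed x coordinates
 * (p1.x > p2.x) is not empty: it encodes counter winding (comment 11). */
static int box_is_empty (const box_t *b)
{
    return b->p1.x == b->p2.x || b->p1.y == b->p2.y;
}

static int empty_check (int x1, int y1, int x2, int y2)
{
    box_t b = make_box (x1, y1, x2, y2);
    return box_is_empty (&b);
}

/* Winding contribution of one box at a sample point: +1 inside a normal box,
 * -1 inside a reversed one, 0 outside.  An empty box contains no point, so it
 * never changes insideness under either the EVEN_ODD or the WINDING rule. */
static int box_winding_at (const box_t *b, fixed_t x, fixed_t y)
{
    if (y < b->p1.y || y >= b->p2.y)
        return 0;
    if (b->p1.x <= b->p2.x)
        return (x >= b->p1.x && x < b->p2.x) ? 1 : 0;
    return (x >= b->p2.x && x < b->p1.x) ? -1 : 0;
}

static int winding_check (int x1, int y1, int x2, int y2, int px, int py)
{
    box_t b = make_box (x1, y1, x2, y2);
    /* sample at the pixel centre: integer coordinate plus 0.5 in 24.8 */
    return box_winding_at (&b, FIXED_FROM_INT (px) + 128, FIXED_FROM_INT (py) + 128);
}

/* Compact the list in place, dropping empty boxes, and return how many were
 * kept.  Whether that number is written back to num_boxes is the bug fixed in
 * comment 16: without it the consumer keeps iterating over the stale tail. */
static int compact_boxes (box_list_t *list, int update_count)
{
    int i, j = 0;
    for (i = 0; i < list->num_boxes; i++)
        if (! box_is_empty (&list->boxes[i]))
            list->boxes[j++] = list->boxes[i];
    if (update_count)
        list->num_boxes = j;
    return j;
}

/* Constructed sample: a normal 16x16 box, a reversed (counter-winding) box
 * over its top-left quadrant, and a zero-height box of the kind the
 * traps-to-boxes conversion failed to prefilter. */
static void fill_sample (box_list_t *list)
{
    list->boxes[0] = make_box (0, 0, 16, 16);
    list->boxes[1] = make_box (8, 0, 0, 8);
    list->boxes[2] = make_box (0, 8, 16, 8);
    list->num_boxes = 3;
}

/* Number of empty boxes a consumer trusting num_boxes still sees after the
 * filter ran with or without the count update. */
static int demo_empties_visible (int update_count)
{
    box_list_t l;
    int i, n = 0;
    fill_sample (&l);
    compact_boxes (&l, update_count);
    for (i = 0; i < l.num_boxes; i++)
        n += box_is_empty (&l.boxes[i]);
    return n;
}

int main (void)
{
    printf ("empty boxes still visible: count not updated %d, count updated %d\n",
            demo_empties_visible (0), demo_empties_visible (1));
    return 0;
}
```

The strict `p2 > p1` check from comment 7 would reject the reversed box in `fill_sample`, while `box_is_empty` keeps it and drops only the zero-height one; `box_winding_at` returns 0 for the zero-height box at every sample point, which is the geometric reason an empty box is safe to discard, and `compact_boxes (..., 0)` reproduces the stale-count situation in which a filtered list still presents an empty box to whoever reads `num_boxes`.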
Comment 17 Adrian Bunk 2014-08-26 15:19:08 UTC
Hi Chris,

thanks a lot, it no longer crashes for me.

Can these commits also go to the 1.12 branch?
Comment 18 Uli Schlachter 2014-08-27 09:09:19 UTC
Cherry-picked 28 commits into the 1.12 branch. I just did a quick search through the git history since 1.12 was branched off master (just after 1.12.16) and took everything which sounded harmless enough.

These two commits are commit 3bb80aa2c3f97c071f434e0fbb6704fbef963352 and commit 4b65497231d1859e03762949896da94ffde389b on the branch.
Comment 19 Andrei ILIE 2015-01-22 15:21:07 UTC
CONFIRMING for cairo v1.13.1

$ cat /etc/system-release && uname -a
Fedora release 20 (Heisenbug)
Linux localhost.localdomain 3.17.7-200.fc20.x86_64 #1 SMP Wed Dec 17 03:35:33 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

$ yum info installed cairo
Loaded plugins: langpacks, priorities, refresh-packagekit
Installed Packages
Name        : cairo
Arch        : x86_64
Version     : 1.13.1
Release     : 0.1.git337ab1f.fc20
Size        : 1.7 M
Repo        : installed
From repo   : fedora
Summary     : A 2D graphics library
URL         : http://cairographics.org
License     : LGPLv2 or MPLv1.1
Comment 20 Bryce Harrington 2015-06-29 19:38:06 UTC
If I understand correctly, this issue has been resolved as of the two commits mentioned by Uli in comment #18, which I've confirmed are included in trunk.

If there are other related changes needed (e.g. test cases?) please re-open and clarify what the remaining tasks are.
