Bug 87567

Summary: Toy font face causes cairo_debug_reset_static_data crash.
Product: cairo Reporter: shin1morita
Component: generalAssignee: Chris Wilson <chris>
Status: RESOLVED FIXED QA Contact: cairo-bugs mailing list <cairo-bugs>
Severity: normal    
Priority: medium CC: ranma42
Version: unspecified   
Hardware: x86-64 (AMD64)   
OS: Linux (All)   
Whiteboard:
i915 platform: i915 features:
Attachments: A minimum code which reproduces this.
Proposed fix

Description shin1morita 2014-12-21 21:47:17 UTC
Created attachment 111131 [details]
A minimum code which reproduces this.

Hi team,

When my program calls cairo_debug_reset_static_data, it crashes with assertion failure.

I found it happens after toy font faces are created and destroyed.

I would attach a minimum code which reproduces it.

----
$ make toy CFLAGS=`pkg-config --cflags cairo` LDFLAGS=`pkg-config --libs cairo`
$ ./toy
toy: cairo-hash.c:217: _cairo_hash_table_destroy: Assersion `hash_table->live_entries == 0' failed.
$ pkg-config --modversion cairo
1.14.0
----

Thank you.
Comment 1 Massimo 2014-12-22 09:16:07 UTC
git bisect ends with

337ab1f8d9e29086bfb4001508b28835b41c6390 is the first bad commit
commit 337ab1f8d9e29086bfb4001508b28835b41c6390
Author: Chris Wilson <chris@chris-wilson.co.uk>
Date:   Tue Sep 17 16:28:19 2013 +0100

and that commit introduced in cairo/src/cairo-font-face.c a
function __put () that hardly returns 0, it returns the ref
count before decreasing it (unless it is 1) and is called in 
2 places like this: 

    assert (CAIRO_REFERENCE_COUNT_HAS_REFERENCE (&font_face->ref_count));

...
    if (__put (&font_face->ref_count))
        return;

    if (! font_face->backend->destroy (font_face))
        return;
...

and the second if is not executed even in a single threaded
program
Comment 2 Andrea Canciani 2014-12-22 11:58:30 UTC
Created attachment 111176 [details] [review]
Proposed fix

This seems to be related to the issue I had mentioned here:
http://lists.cairographics.org/archives/cairo/2014-November/025828.html

Thank you for prodding me again, I now have patch which should fix it (i.e. in your reduced case and in the api-special-cases test).
Can you confirm that it also works in more complex scenarios?

In the next couple of days I will be quite busy, but if somebody reviews it, I will push it to master.
Comment 3 shin1morita 2014-12-24 12:48:02 UTC
Thank you for the fix.

It seems ok. At least my code works fine with the proposed fix.

Regards,
Comment 4 Chris Wilson 2015-01-03 13:38:00 UTC
(In reply to Andrea Canciani from comment #2)
> Created attachment 111176 [details] [review] [review]
> Proposed fix
> 
> This seems to be related to the issue I had mentioned here:
> http://lists.cairographics.org/archives/cairo/2014-November/025828.html
> 
> Thank you for prodding me again, I now have patch which should fix it (i.e.
> in your reduced case and in the api-special-cases test).
> Can you confirm that it also works in more complex scenarios?
> 
> In the next couple of days I will be quite busy, but if somebody reviews it,
> I will push it to master.


Yes, looks correct. Thanks.
Comment 5 Andrea Canciani 2015-01-03 14:01:43 UTC
Should be fixed in master by:

commit 02e4efc961be40d266d4df0acaf3271219529017
Author: Andrea Canciani <ranma42@gmail.com>
Date:   Mon Dec 22 12:49:00 2014 +0100

    font: Actually perform destruction of fonts
    
    Commit 337ab1f8d9e29086bfb4001508b28835b41c6390 introduced delayed
    font destruction to overcome a race, but prevented the correct cleanup
    of the font cache.
    
    This caused fonts to stay in the cache and caused a crash in the
    api-special-cases (when running the test suite with -f).
    
    Fixes api-special-cases,
    https://bugs.freedesktop.org/show_bug.cgi?id=87567

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.