Bug 104616 - Double free or corruption
Summary: Double free or corruption
Status: RESOLVED MOVED
Alias: None
Product: cairo
Classification: Unclassified
Component: freetype font backend
Version: unspecified
Hardware: Other All
Priority: medium Severity: normal
Assignee: Matthias Clasen
QA Contact: cairo-bugs mailing list
Reported: 2018-01-13 13:46 UTC by Uli Schlachter
Modified: 2018-08-25 13:54 UTC
Description Uli Schlachter 2018-01-13 13:46:06 UTC
$ (make -j8 && cd test && CAIRO_TEST_TARGET=xcb DISPLAY=:2 ./cairo-test-suite a1-clip-stroke a1-clip-paint)
[...]
TESTING a1-clip-stroke
a1-clip-stroke.xcb.argb32 [0x1]:	!!!CRASHED!!!
a1-clip-stroke.xcb.rgb24 [0x1]:	double free or corruption (out)
a1-clip-stroke.xcb.rgb24 [0x1]:	!!!CRASHED!!!
a1-clip-stroke.xcb-window.rgb24 [0x1]:	double free or corruption (out)
a1-clip-stroke.xcb-window.rgb24 [0x1]:	!!!CRASHED!!!
a1-clip-stroke.xcb-window&.rgb24 [0x1]:	double free or corruption (out)
a1-clip-stroke.xcb-window&.rgb24 [0x1]:	!!!CRASHED!!!
a1-clip-stroke.xcb-render-0_0.argb32 [0x1]:	double free or corruption (out)
a1-clip-stroke.xcb-render-0_0.argb32 [0x1]:	!!!CRASHED!!!
a1-clip-stroke.xcb-render-0_0.rgb24 [0x1]:	double free or corruption (out)
a1-clip-stroke.xcb-render-0_0.rgb24 [0x1]:	!!!CRASHED!!!
a1-clip-stroke.xcb-fallback.rgb24 [0x1]:	double free or corruption (out)
a1-clip-stroke.xcb-fallback.rgb24 [0x1]:	!!!CRASHED!!!
[...]

It does not crash under valgrind. Instead, I get:

==27971== Conditional jump or move depends on uninitialised value(s)
==27971==    at 0x4C2DDD1: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==27971==    by 0x4F472DB: _cairo_ft_options_fini (cairo-ft-font.c:206)
==27971==    by 0x4F472DB: _cairo_ft_font_face_destroy (cairo-ft-font.c:3156)
==27971==    by 0x4E700A5: cairo_font_face_destroy (cairo-font-face.c:186)
==27971==    by 0x4EF1AE4: _cairo_toy_font_face_fini (cairo-toy-font-face.c:216)
==27971==    by 0x4EF1AE4: _cairo_toy_font_face_destroy (cairo-toy-font-face.c:371)
==27971==    by 0x4E700A5: cairo_font_face_destroy (cairo-font-face.c:186)
==27971==    by 0x4E717A9: _cairo_gstate_fini (cairo-gstate.c:197)
==27971==    by 0x4E6C549: _cairo_default_context_fini (cairo-default-context.c:75)
==27971==    by 0x4E6C549: _cairo_default_context_destroy (cairo-default-context.c:93)
==27971==    by 0x1292C7: cairo_test_for_target (cairo-test.c:1414)
==27971==    by 0x129FF5: _cairo_test_context_run_for_target (cairo-test.c:1555)
==27971==    by 0x1267E7: _cairo_test_runner_draw (cairo-test-runner.c:255)
==27971==    by 0x1267E7: main (cairo-test-runner.c:937)
==27971== 

Git bisect says:

commit 37f9a5525da457226317d426e06c55d77da206c1
Author: Matthias Clasen <mclasen@redhat.com>
Date:   Fri Jan 5 09:10:32 2018 -0500

    Don't leak memory in font options
    
    The cairo_font_options_t struct may now contain allocated
    memory, so call fini whenever we are about to let go of an
    embedded cairo_font_options_t struct.

This is not all that surprising and basically confirms what valgrind already said. However, at this point I'm out of ideas.
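The valgrind trace above reports free() reading an uninitialised value inside the fini of an embedded options struct, and glibc's "double free or corruption" is what the same path produces without valgrind. As an added example, not cairo's code, the hypothetical font_options_t below sketches the init/copy/fini discipline that keeps an embedded, heap-owning struct safe to fini on every teardown path: zero-initialise (calloc for the owner), deep-copy instead of struct assignment, and null what fini frees so a repeated fini is harmless.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup */
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for an options struct that owns heap memory;
 * the real cairo_font_options_t has different fields. */
typedef struct { char *variations; } font_options_t;   /* NULL when unset */

/* Zero every field so a later fini on an untouched struct is a no-op. */
void font_options_init(font_options_t *o) { memset(o, 0, sizeof *o); }

bool font_options_set_variations(font_options_t *o, const char *v) {
    char *copy = v ? strdup(v) : NULL;
    if (v && !copy) return false;
    free(o->variations);
    o->variations = copy;
    return true;
}

/* Deep copy: each struct owns its own buffer, so both may be fini'd.
 * A plain `*dst = *src` would share the pointer and set up a double free. */
bool font_options_init_copy(font_options_t *dst, const font_options_t *src) {
    font_options_init(dst);
    return font_options_set_variations(dst, src->variations);
}

/* Idempotent fini: free once, leave NULL behind so a second fini is harmless.
 * On a struct that was never init'ed this hands garbage to free(), which is
 * what valgrind's "uninitialised value" at free() reports. */
void font_options_fini(font_options_t *o) {
    free(o->variations);
    o->variations = NULL;
}

/* Owner embedding the options by value. calloc, not malloc, so the embedded
 * options start zeroed even on a path that forgets font_options_init. */
typedef struct { int refcount; font_options_t opts; } font_face_t;

font_face_t *font_face_create(void) {
    font_face_t *f = calloc(1, sizeof *f);
    if (f) f->refcount = 1;
    return f;
}

/* Drops one reference; fini runs only when the last one goes.
 * Returns the remaining refcount (0 once freed). */
int font_face_destroy(font_face_t *f) {
    if (!f) return 0;
    if (--f->refcount > 0) return f->refcount;
    font_options_fini(&f->opts);
    free(f);
    return 0;
}
```

Running this under valgrind --track-origins=yes is the quickest way to confirm that a fini path is seeing a never-initialised pointer rather than a genuine second free.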
Comment 1 GitLab Migration User 2018-08-25 13:54:10 UTC
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/cairo/cairo/issues/256.