Bug 54822 - crash in cairo-tor-scan-converter while opening a pdf
crash in cairo-tor-scan-converter while opening a pdf
Product: cairo
Classification: Unclassified
Component: general
All Linux (All)
: medium normal
Assigned To: Carl Worth
cairo-bugs mailing list
: 56698 (view as bug list)
Depends on:
  Show dependency treegraph
Reported: 2012-09-12 17:13 UTC by Riccardo Magliocchetti
Modified: 2012-11-02 22:17 UTC (History)
1 user (show)

See Also:
i915 platform:
i915 features:

The result of _cairo_debug_print_polygon(). (27.78 KB, text/plain)
2012-09-14 08:52 UTC, Uli Schlachter

Note You need to log in before you can comment on or make changes to this bug.
Description Riccardo Magliocchetti 2012-09-12 17:13:23 UTC
This file [1] makes evince crash in cairo. Debian sid with cairo 1.12.2-2 and evince 3.4.0-3.

[1] http://kernsec.org/files/LinuxSecuritySummit2012_rpm.pdf

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xef6ffb70 (LWP 10039)]
full_row (mask=4294967295, coverages=0xf5ffcbac, active=0xf5ffcb3c)
    at /build/buildd-cairo_1.12.2-2-i386-1cmzkR/cairo-1.12.2/src/cairo-tor-scan-converter.c:1358
1358	/build/buildd-cairo_1.12.2-2-i386-1cmzkR/cairo-1.12.2/src/cairo-tor-scan-converter.c: File o directory non esistente.
(gdb) bt full
#0  full_row (mask=4294967295, coverages=0xf5ffcbac, active=0xf5ffcb3c)
    at /build/buildd-cairo_1.12.2-2-i386-1cmzkR/cairo-1.12.2/src/cairo-tor-scan-converter.c:1358
        right = 0x0
        winding = 36752
        left = 0xf5ffcad4
#1  glitter_scan_converter_render (renderer=0xef6fd1ac, antialias=1, 
    winding_mask=4294967295, converter=0xf5ffc394)
    at /build/buildd-cairo_1.12.2-2-i386-1cmzkR/cairo-1.12.2/src/cairo-tor-scan-converter.c:1713
        do_full_row = 1
        j = 4
        ymax_i = <optimized out>
        xmin_i = 81
        active = 0xf5ffcb3c
        ymin_i = <optimized out>
        h = <optimized out>
        polygon = 0xf5ffc394
        buckets = {0x0 <repeats 15 times>}
        i = <optimized out>
        xmax_i = 97
        coverages = 0xf5ffcbac
#2  _cairo_tor_scan_converter_generate (converter=0xf5ffc388, 
---Type <return> to continue, or q <return> to quit---
    at /build/buildd-cairo_1.12.2-2-i386-1cmzkR/cairo-1.12.2/src/cairo-tor-scan-converter.c:1809
        self = 0xef6fd1ac
        status = <optimized out>
#3  0xf7722a15 in composite_polygon (extents=extents@entry=0xef6fe210, 
    compositor=<error reading variable: Unhandled dwarf expression opcode 0xfa>, compositor=<error reading variable: Unhandled dwarf expression opcode 0xfa>)
    at /build/buildd-cairo_1.12.2-2-i386-1cmzkR/cairo-1.12.2/src/cairo-spans-compositor.c:716
        renderer = {base = {status = 3221996115, destroy = 0x3eb82b6a, 
            render_rows = 0xf76ed850 <_inplace_spans>, finish = 0}, 
          data = "\020\342o\357D`\022=\003\302\v\300 \000\000\000`\362u\357h\367u\357\350\362\361\365\000\000\000\000\000\000\000\000\217\261\303'\017\205ɿ\225^\254/\035X\335?\301\361h\347\v", '\000' <repeats 14 times>, "\005\341\366ÿBXp\367\364\217|\367H\322o\357H\322o\357\244\327o\357O]p\367\\\325o\357H\322o\357\003\000\000\000\260\357p\367\\\325o\357\f\335o\357p\322oﻻ\273\273\000\000\000\000\000\022\254?\322Q\000\000\016/\000\000[`\000\000\231.\000\000\211.\000\000$.\000\000.\000\000\000\024\000\000\000\351\363wM\364\217|\367\344\177\223V\000\000\000\000$`\000\000\236\364p\367\260\325o\357\212(\000\000\022)\000\000\377\377\37---Type <return> to continue, or q <return> to quit---
7\377W^\"\367.a\"\367\000\373\377\377M[p\367\370\331o\357[`\000\000\000Q\000\000\000a\000\000\212(\000\000\022)\000\000[`\000\000\320'\000\000 \324o\357@g\327?\303.\000\000dR\000\000\000Q\000\000C/\000\000\000a\000\000\320'\000\000\000]\372\377\377\377\377\377\005>"...}
        converter = 0xf5ffc388
        needs_clip = 0
        status = <optimized out>
#4  0xf77234ff in clip_and_composite_polygon (
    polygon=0xef6fde08, extents=0xef6fe210, compositor=0xf77c9880)
    at /build/buildd-cairo_1.12.2-2-i386-1cmzkR/cairo-1.12.2/src/cairo-spans-compositor.c:880
        status = <optimized out>
#5  clip_and_composite_polygon (compositor=0xf77c9880, extents=0xef6fe210, 
    polygon=0xef6fde08, fill_rule=CAIRO_FILL_RULE_WINDING, 
    at /build/buildd-cairo_1.12.2-2-i386-1cmzkR/cairo-1.12.2/src/cairo-spans-compositor.c:819
        status = 36752
Comment 1 Uli Schlachter 2012-09-14 08:51:13 UTC
The file loads fine here. I have to zoom out to make it crash. The crash is a NULL pointer dereference in dec(), the struct edge *e argument is NULL.

git bisect unhelpfully points at the new compositor architecture (Why does that commit remove asserts from the scan converter?):

git bisect start
# good: [0540bf384aed344899417d3b0313bd6704679c1c] ps: improve formatting of fallback image comment
git bisect good 0540bf384aed344899417d3b0313bd6704679c1c
# bad: [65a954d5bab9ab6fed15bd98b7018aca2fc50107] test-surfaces: compilation fixes
git bisect bad 65a954d5bab9ab6fed15bd98b7018aca2fc50107
# skip: [af9fbd176b145f042408ef5391eef2a51d7531f8] Introduce a new compositor architecture
git bisect skip af9fbd176b145f042408ef5391eef2a51d7531f8

_cairo_debug_print_polygon() against the polygon that causes this produces something which doesn't look correct in show-polygon, which means the error might be elsewhere.
Comment 2 Uli Schlachter 2012-09-14 08:52:03 UTC
Created attachment 67144 [details]
The result of _cairo_debug_print_polygon().
Comment 3 Chris Wilson 2012-09-14 09:09:29 UTC
Because the asserts were a crutch and implied the code was buggy. :-p
Comment 4 Chris Wilson 2012-09-27 14:32:32 UTC
commit 797441093a8346003552e0cf89aef2a644ff53ab
Author: Chris Wilson <chris@chris-wilson.co.uk>
Date:   Thu Sep 27 15:21:42 2012 +0100

    tor: Fudge the edge if it is projected into a point
    If we generate an edge (through polygon-intersect) where its end-points
    lie outside the line definition then it is possible for that line to be
    degenerate under sample grid projection. Apply a fudge factor to prevent
    explosions as otherwise we reject an edge whose height is not strictly
    Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=54822
    Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Comment 5 Chris Wilson 2012-11-02 22:17:16 UTC
*** Bug 56698 has been marked as a duplicate of this bug. ***