Bug 66871 - segmentation fault when using cairo_show_text inside evince backend
Summary: segmentation fault when using cairo_show_text inside evince backend
Status: RESOLVED MOVED
Alias: None
Product: cairo
Classification: Unclassified
Component: freetype font backend (show other bugs)
Version: 1.12.14
Hardware: x86-64 (AMD64) Linux (All)
Importance: medium critical
Assignee: David Turner
QA Contact: cairo-bugs mailing list
Reported: 2013-07-13 08:14 UTC by Hodong Kim
Modified: 2018-08-25 13:31 UTC


Attachments
cairo test inside evince backend (21.76 KB, text/plain), 2013-07-13 08:14 UTC, Hodong Kim
gdb log file, gzip compressed data (25.34 KB, application/octet-stream), 2013-07-13 12:14 UTC, Hodong Kim
gdb-log-with-librsvg-01.txt (3.24 KB, text/plain), 2013-07-13 21:14 UTC, Hodong Kim
gdb-log-with-librsvg-02.txt (8.26 KB, text/plain), 2013-07-13 21:15 UTC, Hodong Kim

Description Hodong Kim 2013-07-13 08:14:32 UTC
Created attachment 82377
cairo test inside evince backend

Hello.

I am developing an evince backend for the hwp document file format.
I want to apply a pango layout in the evince hwp backend.
When I apply pango in the evince backend, a segmentation fault occurs intermittently.
Using gdb, I have found that the segmentation fault can occur in cairo_show_glyphs:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff2db3f91 in ?? () from /usr/lib/x86_64-linux-gnu/libfreetype.so.6
(gdb) bt
#0  0x00007ffff2db3f91 in ?? () from /usr/lib/x86_64-linux-gnu/libfreetype.so.6
#1  0x00007ffff2db48fa in ?? () from /usr/lib/x86_64-linux-gnu/libfreetype.so.6
#2  0x00007ffff2db49d9 in ?? () from /usr/lib/x86_64-linux-gnu/libfreetype.so.6
#3  0x00007ffff2db4c84 in ?? () from /usr/lib/x86_64-linux-gnu/libfreetype.so.6
#4  0x00007ffff2db5480 in ?? () from /usr/lib/x86_64-linux-gnu/libfreetype.so.6
#5  0x00007ffff2d6a1ee in FT_Outline_Decompose ()
   from /usr/lib/x86_64-linux-gnu/libfreetype.so.6
#6  0x00007ffff2db4035 in ?? () from /usr/lib/x86_64-linux-gnu/libfreetype.so.6
#7  0x00007ffff2db4375 in ?? () from /usr/lib/x86_64-linux-gnu/libfreetype.so.6
#8  0x00007ffff2db3adb in ?? () from /usr/lib/x86_64-linux-gnu/libfreetype.so.6
#9  0x00007ffff2db3c9f in ?? () from /usr/lib/x86_64-linux-gnu/libfreetype.so.6
#10 0x00007ffff2d6e705 in FT_Render_Glyph_Internal ()
   from /usr/lib/x86_64-linux-gnu/libfreetype.so.6
#11 0x00007ffff5b30b12 in ?? () from /usr/lib/x86_64-linux-gnu/libcairo.so.2
#12 0x00007ffff5ae3e80 in ?? () from /usr/lib/x86_64-linux-gnu/libcairo.so.2
#13 0x00007ffff5b13326 in ?? () from /usr/lib/x86_64-linux-gnu/libcairo.so.2
#14 0x00007ffff5afc4d3 in ?? () from /usr/lib/x86_64-linux-gnu/libcairo.so.2
#15 0x00007ffff5afc6fe in ?? () from /usr/lib/x86_64-linux-gnu/libcairo.so.2
#16 0x00007ffff5aac3a1 in ?? () from /usr/lib/x86_64-linux-gnu/libcairo.so.2
#17 0x00007ffff5b15aef in ?? () from /usr/lib/x86_64-linux-gnu/libcairo.so.2
#18 0x00007ffff5aebb0a in ?? () from /usr/lib/x86_64-linux-gnu/libcairo.so.2
#19 0x00007ffff5af05f5 in ?? () from /usr/lib/x86_64-linux-gnu/libcairo.so.2
#20 0x00007ffff5af10ec in ?? () from /usr/lib/x86_64-linux-gnu/libcairo.so.2
#21 0x00007ffff5aebb0a in ?? () from /usr/lib/x86_64-linux-gnu/libcairo.so.2
#22 0x00007ffff5ab4d31 in ?? () from /usr/lib/x86_64-linux-gnu/libcairo.so.2
#23 0x00007ffff5aa78c3 in cairo_show_glyphs ()
   from /usr/lib/x86_64-linux-gnu/libcairo.so.2
#24 0x00007ffff63fe8f5 in ?? ()
   from /usr/lib/x86_64-linux-gnu/libpangocairo-1.0.so.0
#25 0x00007ffff63febc4 in ?? ()
   from /usr/lib/x86_64-linux-gnu/libpangocairo-1.0.so.0
#26 0x00007ffff5daa99d in pango_renderer_draw_glyphs ()
   from /usr/lib/x86_64-linux-gnu/libpango-1.0.so.0


I also tested sample code using cairo_show_text inside the evince backend;
it also produces a segmentation fault intermittently.

#include <math.h>   /* M_PI, used by the helper arcs below */
#include <cairo.h>

static void
draw_sample (cairo_t *cr)
{
	cairo_select_font_face (cr, "Sans", CAIRO_FONT_SLANT_NORMAL,
	                        CAIRO_FONT_WEIGHT_BOLD);
	cairo_set_font_size (cr, 20.0);

	/* text drawn directly via the toy font API */
	cairo_move_to (cr, 10.0, 135.0);
	cairo_show_text (cr, "abcdefghijklm");

	/* text converted to a path, then filled and stroked */
	cairo_move_to (cr, 70.0, 165.0);
	cairo_text_path (cr, "nopqrstuvwxyz");
	cairo_set_source_rgb (cr, 0.5, 0.5, 1);
	cairo_fill_preserve (cr);
	cairo_set_source_rgb (cr, 0, 0, 0);
	cairo_set_line_width (cr, 2.56);
	cairo_stroke (cr);

	/* draw helping lines */
	cairo_set_source_rgba (cr, 1, 0.2, 0.2, 0.6);
	cairo_arc (cr, 10.0, 135.0, 5.12, 0, 2*M_PI);
	cairo_close_path (cr);
	cairo_arc (cr, 70.0, 165.0, 5.12, 0, 2*M_PI);
	cairo_fill (cr);
}

/* inside evince backend */
gboolean example_page_render (ExamplePage *page, cairo_t *cr)
{
	g_return_val_if_fail (EXAMPLE_IS_PAGE (page), FALSE);
	/* draw_text (cr); */
	draw_sample (cr);
	return TRUE;
}

I cannot understand why a segmentation fault occurs when I use pango or cairo_show_text inside the evince backend.

Is it because of the fontmap or threads?
But considering ev_job_render_run (EvJob *job) in libview/ev-jobs.c:

    ev_document_fc_mutex_lock ()
    ...
    job_render->surface = ev_document_render (job->document, rc);
    ...
    ev_document_fc_mutex_unlock ()

it might be occurring in cairo.

I don't know why. Is it a bug?


To test libexample and evince-sample-backend, please follow the steps below.

Step 1. Download the attachment and extract it.

evince-sample-backend and libexample will be created.

Step 2. Compile and install libexample

cd libexample
./autogen.sh
make
sudo make install
sudo ldconfig
cd ..

Step 3. Compile and install evince-sample-backend

cd evince-sample-backend
./autogen.sh
make
sudo make install
sudo ldconfig

Step 4. Open any text file from the terminal with evince.
Try many times.

$ evince any.txt


My current environment:
debian wheezy
evince          3.4.0-3.1
libfreetype6    2.4.9-1.1 (I also tested 2.5.0)
libpango1.0-0   1.30.0-1 (I also tested 1.30.0 / 1.32.5 / 1.34.1 / 1.35.0)
libcairo2       1.12.2-3 (I also tested 1.12.14)
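An added shell harness for Step 4 above (example code, not part of the reporter's attachment): it launches the viewer repeatedly under a timeout and tallies how each run ended, so an intermittent SIGSEGV (exit status 139) can be counted instead of eyeballed and told apart from a fortify-style SIGABRT (134) like the one in Comment 8. The `evince any.txt` command, the 5-second window and the availability of coreutils `timeout` are assumptions.

```shell
#!/bin/sh
# crash_tally N LIMIT CMD [ARGS...]
# Runs CMD N times, each under `timeout LIMIT` (assumed available), and
# prints a one-line tally of how the runs ended:
#   segv   killed by SIGSEGV (status 128+11 = 139), the crash in this report
#   abrt   killed by SIGABRT (status 128+6 = 134), e.g. __fortify_fail
#   alive  still running when the window expired (status 124): no crash
#   other  any other non-zero status
#   ok     clean exit 0
crash_tally() {
    n=$1; limit=$2; shift 2
    segv=0; abrt=0; alive=0; other=0; ok=0
    i=0
    while [ "$i" -lt "$n" ]; do
        # The if-guard keeps `set -e` from aborting on a crashing child.
        if timeout "$limit" "$@" >/dev/null 2>&1; then
            status=0
        else
            status=$?
        fi
        case "$status" in
            0)   ok=$((ok + 1)) ;;
            124) alive=$((alive + 1)) ;;
            134) abrt=$((abrt + 1)) ;;
            139) segv=$((segv + 1)) ;;
            *)   other=$((other + 1)) ;;
        esac
        i=$((i + 1))
    done
    printf 'runs=%s segv=%s abrt=%s alive=%s other=%s ok=%s\n' \
        "$n" "$segv" "$abrt" "$alive" "$other" "$ok"
}

# Step 4 of the report, automated (assumed file name and 5 s window):
# crash_tally 20 5 evince any.txt
```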
Comment 1 Hodong Kim 2013-07-13 08:20:52 UTC
The attachment is not plain text but a tar.gz file.

Download the attachment for testing using the wget -O option:

wget -O cairo-test-inside-evince-backend.tar.gz https://bugs.freedesktop.org/attachment.cgi?id=82377
Comment 2 Uli Schlachter 2013-07-13 09:24:02 UTC
First off, urgh. Secondly, not many problems with the attached .tar.gz. However, during compilation I got a compiler warning:

example-page.c:36:1: warning: 'draw_text' defined but not used [-Wunused-function]

The call to this function was commented out. Re-adding it causes crashes. However, my crash backtraces look different than Kim's (and I hit a deadlock once where two threads concurrently called FT_Render_Glyph_Internal() and apparently didn't get out of FT_Outline_Decompose()...).

My crashes always go through this path:

sample_document_render -> ... -> pango_renderer_draw_{layout,glyphs} -> ... -> cairo_show_glyphs on an image surface -> ... -> _cairo_scaled_glyph_lookup -> _cairo_ft_scaled_glyph_init -> FT_Load_Glyph -> some missing symbols -> TT_RunIns

At the same time, another thread does the same through gtk_widget_get_preferred_size() and lots of missing symbols:

pango_shape_full -> cairo_scaled_font_glyph_extents -> _cairo_scaled_glyph_lookup -> [same path as above]

(However, there are also runs where this second thread is in pango_itemize_with_base_dir -> FcConfigSubstituteWithPat or in cairo_image_surface_create()...)


Anyone got some ideas?

Debian sid here,
evince          3.4.0-3.1+b1
libfreetype6    2.4.9-1.1
libpango1.0-0   1.32.5-5+b1
libcairo2       1.12.14-96-g2cc353c, built with --enable-xcb (also happens with 1.12.14-4, but I don't have debug symbols from debian installed)
Comment 3 Hodong Kim 2013-07-13 12:14:29 UTC
Created attachment 82389
gdb log file, gzip compressed data

gdb log file generated with the "thread apply all bt full" option.
The uncompressed gdb.txt file is large; you can search for the word "SIG".
Comment 4 Hodong Kim 2013-07-13 21:13:19 UTC
Librsvg uses pango for text rendering.
I have tested with librsvg inside the evince sample backend.
It also causes a segmentation fault.


configure.ac:

PKG_CHECK_MODULES(EXAMPLE, [pangocairo librsvg-2.0])


example-page.c:

#include <librsvg/rsvg.h>
#include <librsvg/rsvg-cairo.h>

static void
draw_svg (cairo_t *cr)
{
    GError *error = NULL;
    RsvgHandle *handle;

    rsvg_set_default_dpi (72.0);
    handle = rsvg_handle_new_from_file ("/home/cogniti/projects/libexample/sample.svg", &error);
    if (error != NULL) {
        /* never use the message as the format string; handle is NULL on error */
        g_printerr ("%s\n", error->message);
        g_error_free (error);
        return;
    }

    rsvg_handle_render_cairo (handle, cr);
    g_object_unref (handle);
}

gboolean example_page_render (ExamplePage *page, cairo_t *cr)
{
    g_return_val_if_fail (EXAMPLE_IS_PAGE (page), FALSE);
    /* draw_text (cr); */
    /* draw_sample (cr); */
    draw_svg (cr);
    return TRUE;
}


sample.svg:

<svg xmlns="http://www.w3.org/2000/svg" version="1.1">
  <text x="10" y="20" style="fill:black;">"The quick brown fox jumps over the lazy dog" is an English-language pangram—a phrase
    <tspan x="10" y="45">that contains all of the letters of the English alphabet. It has been used to test typewriters and computer keyboards,</tspan>
    <tspan x="10" y="70">and in other applications involving all of the letters in the English alphabet. Owing to its brevity and coherence,</tspan>
    <tspan x="10" y="95">it has become widely known.</tspan>
  </text>
</svg>
Comment 5 Hodong Kim 2013-07-13 21:14:45 UTC
Created attachment 82394
gdb-log-with-librsvg-01.txt
Comment 6 Hodong Kim 2013-07-13 21:15:10 UTC
Created attachment 82395
gdb-log-with-librsvg-02.txt
Comment 7 Behdad Esfahbod 2013-07-15 19:58:47 UTC
Please try with latest fontconfig, cairo, and pango as only that combination is thread-safe.
Comment 8 Hodong Kim 2013-09-01 06:44:36 UTC
Segfault occurs more rarely with

libpango1.0-dev                       1.34.1-0ubuntu1~13.04~ricotz1
libcairo2-dev                         1.12.14-4
libfontconfig1-dev                    2.10.93-0ubuntu1~raring1
libfreetype6-dev                      2.4.9-1.1

than before.

*** longjmp causes uninitialized stack frame ***: evince terminated
======= Backtrace: =========
/lib/i386-linux-gnu/i686/cmov/libc.so.6(__fortify_fail+0x45)[0xb68addc5]
/lib/i386-linux-gnu/i686/cmov/libc.so.6(+0x103c8a)[0xb68adc8a]
/lib/i386-linux-gnu/i686/cmov/libc.so.6(__longjmp_chk+0x4b)[0xb68adbfb]
/usr/lib/i386-linux-gnu/libfreetype.so.6(+0x5a43f)[0xb672a43f]
/usr/lib/i386-linux-gnu/libfreetype.so.6(+0x5ad53)[0xb672ad53]
/usr/lib/i386-linux-gnu/libfreetype.so.6(+0x5b084)[0xb672b084]
/usr/lib/i386-linux-gnu/libfreetype.so.6(+0x5b531)[0xb672b531]
/usr/lib/i386-linux-gnu/libfreetype.so.6(FT_Outline_Decompose+0x3f5)[0xb66ddae5]
/usr/lib/i386-linux-gnu/libfreetype.so.6(+0x5a4a3)[0xb672a4a3]
/usr/lib/i386-linux-gnu/libfreetype.so.6(+0x5a7a4)[0xb672a7a4]
/usr/lib/i386-linux-gnu/libfreetype.so.6(+0x59e5e)[0xb6729e5e]
/usr/lib/i386-linux-gnu/libfreetype.so.6(+0x5a03a)[0xb672a03a]
/usr/lib/i386-linux-gnu/libfreetype.so.6(FT_Render_Glyph_Internal+0xac)[0xb66e251c]
/usr/lib/i386-linux-gnu/libfreetype.so.6(FT_Render_Glyph+0x3d)[0xb66e25bd]
/usr/lib/i386-linux-gnu/libcairo.so.2(+0xc50db)[0xb6ebd0db]
/usr/lib/i386-linux-gnu/libcairo.so.2(+0x682ac)[0xb6e602ac]
/usr/lib/i386-linux-gnu/libcairo.so.2(+0x9f46f)[0xb6e9746f]
/usr/lib/i386-linux-gnu/libcairo.so.2(+0x8289e)[0xb6e7a89e]
/usr/lib/i386-linux-gnu/libcairo.so.2(+0x84a71)[0xb6e7ca71]
/usr/lib/i386-linux-gnu/libcairo.so.2(+0x84d11)[0xb6e7cd11]
/usr/lib/i386-linux-gnu/libcairo.so.2(+0x24506)[0xb6e1c506]
/usr/lib/i386-linux-gnu/libcairo.so.2(+0xa397c)[0xb6e9b97c]
/usr/lib/i386-linux-gnu/libcairo.so.2(+0x7145b)[0xb6e6945b]
/usr/lib/i386-linux-gnu/libcairo.so.2(+0x76aa6)[0xb6e6eaa6]
/usr/lib/i386-linux-gnu/libcairo.so.2(+0x779ed)[0xb6e6f9ed]
/usr/lib/i386-linux-gnu/libcairo.so.2(+0x7145b)[0xb6e6945b]
/usr/lib/i386-linux-gnu/libcairo.so.2(+0x2ed19)[0xb6e26d19]
/usr/lib/i386-linux-gnu/libcairo.so.2(cairo_show_glyphs+0x3e)[0xb6e16cae]
/usr/lib/i386-linux-gnu/libpangocairo-1.0.so.0(+0x73f1)[0xb6f913f1]
/usr/lib/i386-linux-gnu/libpangocairo-1.0.so.0(+0x7754)[0xb6f91754]
/usr/lib/i386-linux-gnu/libpango-1.0.so.0(pango_renderer_draw_glyphs+0x4e)[0xb6f3a1ce]
/usr/lib/i386-linux-gnu/libpangocairo-1.0.so.0(pango_cairo_show_glyph_string+0xe6)[0xb6f91a76]
/usr/lib/i386-linux-gnu/libgtk-3.so.0(+0x1c8e3c)[0xb71ffe3c]
/usr/lib/i386-linux-gnu/libpango-1.0.so.0(pango_renderer_draw_glyphs+0x4e)[0xb6f3a1ce]
/usr/lib/i386-linux-gnu/libpango-1.0.so.0(pango_renderer_draw_glyph_item+0x56)[0xb6f3a2c6]
/usr/lib/i386-linux-gnu/libpango-1.0.so.0(pango_renderer_draw_layout_line+0x61e)[0xb6f3ae1e]
/usr/lib/i386-linux-gnu/libpango-1.0.so.0(pango_renderer_draw_layout+0x102)[0xb6f3b0a2]
/usr/lib/i386-linux-gnu/libgtk-3.so.0(+0x1c9013)[0xb7200013]
/usr/lib/i386-linux-gnu/libgtk-3.so.0(+0x211f0f)[0xb7248f0f]
/usr/lib/i386-linux-gnu/libgtk-3.so.0(+0x26e3c5)[0xb72a53c5]
/usr/lib/i386-linux-gnu/libgtk-3.so.0(gtk_render_layout+0x152)[0xb7259622]
/usr/lib/i386-linux-gnu/libgtk-3.so.0(+0xd4ec8)[0xb710bec8]
/usr/lib/i386-linux-gnu/libgtk-3.so.0(gtk_cell_renderer_render+0x12c)[0xb7101edc]
/usr/lib/i386-linux-gnu/libgtk-3.so.0(+0xc1168)[0xb70f8168]
/usr/lib/i386-linux-gnu/libgtk-3.so.0(+0xc3979)[0xb70fa979]
/usr/lib/i386-linux-gnu/libgtk-3.so.0(gtk_cell_area_foreach_alloc+0x124)[0xb70f4234]
/usr/lib/i386-linux-gnu/libgtk-3.so.0(+0xc053f)[0xb70f753f]
/usr/lib/i386-linux-gnu/libgtk-3.so.0(gtk_cell_area_render+0x13c)[0xb70f451c]
/usr/lib/i386-linux-gnu/libgtk-3.so.0(+0xd6e01)[0xb710de01]
/usr/lib/i386-linux-gnu/libgtk-3.so.0(+0x18c9d0)[0xb71c39d0]
/usr/lib/i386-linux-gnu/libgtk-3.so.0(+0x2d20a0)[0xb73090a0]
/usr/lib/i386-linux-gnu/libgobject-2.0.so.0(+0xc077)[0xb6c4a077]
/usr/lib/i386-linux-gnu/libgobject-2.0.so.0(+0xd84a)[0xb6c4b84a]
/usr/lib/i386-linux-gnu/libgobject-2.0.so.0(g_signal_emit_valist+0x4b7)[0xb6c64237]
/usr/lib/i386-linux-gnu/libgobject-2.0.so.0(g_signal_emit+0x33)[0xb6c64dd3]
/usr/lib/i386-linux-gnu/libgtk-3.so.0(+0x2e4efe)[0xb731befe]
/usr/lib/i386-linux-gnu/libgtk-3.so.0(gtk_container_propagate_draw+0x22b)[0xb712c35b]
/usr/lib/i386-linux-gnu/libgtk-3.so.0(+0xe9429)[0xb7120429]
/usr/lib/i386-linux-gnu/libgtk-3.so.0(+0x18c9d0)[0xb71c39d0]
/usr/lib/i386-linux-gnu/libgtk-3.so.0(+0x2d20a0)[0xb73090a0]
/usr/lib/i386-linux-gnu/libgobject-2.0.so.0(+0xc077)[0xb6c4a077]
/usr/lib/i386-linux-gnu/libgobject-2.0.so.0(+0xd84a)[0xb6c4b84a]
/usr/lib/i386-linux-gnu/libgobject-2.0.so.0(g_signal_emit_valist+0x4b7)[0xb6c64237]
Comment 9 GitLab Migration User 2018-08-25 13:31:20 UTC
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/cairo/cairo/issues/46.

