Hi,

My web browser crashes when I try to watch a YouTube video or open certain web pages with any WebKit browser (that uses cairo). I found other people like me with this bug but I can't find a solution. This error has already happened to me while using these web browsers: jumanji, surf, uzbl, vimprobable2, dwb, and on two different Linux distributions, Arch Linux and Gentoo, both on the same computer.

There is this problem archived on this mailing list http://lists.cairographics.org/archives/cairo/2014-March/025089.html , but the "solution" presented at the end, as a patch http://lists.cairographics.org/archives/cairo/2014-March/025103.html , didn't solve my problem. He says about the patch "This diff avoids the segfault for me, but only papers over the bug...", so it's not the real solution.

I posted on the Arch Linux and on the Gentoo forum; the latter has more information. Gentoo forum post: https://forums.gentoo.org/viewtopic-t-995484-start-0-postdays-0-postorder-asc-highlight-.html?sid=c5c15b4431456821dcc93bbbc74b9ace

This bug is killing me, I can't watch any YouTube video and lots of times my browser suddenly closes. Also, the web browsers that I like most use cairo.

Here is the complete message from gdb while running the browser with all dependencies compiled with the debug flag.

---gdb.log---
Temporary breakpoint 1 at 0x407750: file jumanji.c, line 687.
Starting program: /usr/bin/jumanji
warning: Could not load shared library symbols for linux-vdso.so.1.
Do you need "set solib-search-path" or "set sysroot"?
Starting program: /usr/bin/jumanji
warning: Could not load shared library symbols for linux-vdso.so.1.
Do you need "set solib-search-path" or "set sysroot"?
Quit
A debugging session is active.

	Inferior 1 [process 25926] will be killed.

Quit anyway? (y or n)
Starting program: /usr/bin/jumanji
warning: Could not load shared library symbols for linux-vdso.so.1.
Do you need "set solib-search-path" or "set sysroot"?
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
[New Thread 0x7fffe7271700 (LWP 25999)]
[New Thread 0x7fffa6941700 (LWP 26000)]
[New Thread 0x7fffa5aec700 (LWP 26001)]
[New Thread 0x7fffa52eb700 (LWP 26002)]
[New Thread 0x7fffa4acb700 (LWP 26003)]
[New Thread 0x7fff97fff700 (LWP 26004)]
[New Thread 0x7fff977fe700 (LWP 26005)]
[New Thread 0x7fff96ffd700 (LWP 26006)]
[New Thread 0x7fff967fc700 (LWP 26007)]
[New Thread 0x7fff95ffb700 (LWP 26008)]
[New Thread 0x7fff953fa700 (LWP 26009)]
[New Thread 0x7fff7bfff700 (LWP 26010)]
[New Thread 0x7fff7b7fe700 (LWP 26011)]
[New Thread 0x7fff7affd700 (LWP 26012)]
[New Thread 0x7fff7a7fc700 (LWP 26013)]
[New Thread 0x7fff79ffb700 (LWP 26014)]
[Thread 0x7fff953fa700 (LWP 26009) exited]
[Thread 0x7fff7b7fe700 (LWP 26011) exited]
[Thread 0x7fff7affd700 (LWP 26012) exited]
[Thread 0x7fff7a7fc700 (LWP 26013) exited]
[Thread 0x7fff79ffb700 (LWP 26014) exited]
[New Thread 0x7fff79ffb700 (LWP 26015)]
[Thread 0x7fff79ffb700 (LWP 26015) exited]
[New Thread 0x7fff79ffb700 (LWP 26017)]
[New Thread 0x7fff7a7fc700 (LWP 26018)]
[New Thread 0x7fff7affd700 (LWP 26019)]
[New Thread 0x7fff7b7fe700 (LWP 26020)]
[Thread 0x7fff7a7fc700 (LWP 26018) exited]
[Thread 0x7fff7bfff700 (LWP 26010) exited]
[New Thread 0x7fff7bfff700 (LWP 26021)]
[New Thread 0x7fff7a7fc700 (LWP 26022)]
[New Thread 0x7fff5ffff700 (LWP 26023)]
[New Thread 0x7fff5f2ab700 (LWP 26024)]
[New Thread 0x7fff5eaaa700 (LWP 26025)]
[New Thread 0x7fff5e2a9700 (LWP 26026)]
[New Thread 0x7fff5daa8700 (LWP 26027)]
[New Thread 0x7fff4ffff700 (LWP 26028)]
[Thread 0x7fff5e2a9700 (LWP 26026) exited]
[New Thread 0x7fff5e2a9700 (LWP 26029)]
[Thread 0x7fff5daa8700 (LWP 26027) exited]
[Thread 0x7fff79ffb700 (LWP 26017) exited]
[Thread 0x7fff5e2a9700 (LWP 26029) exited]
[Thread 0x7fff5f2ab700 (LWP 26024) exited]
[New Thread 0x7fff5f2ab700 (LWP 26030)]
[New Thread 0x7fff5e2a9700 (LWP 26031)]
[New Thread 0x7fff79ffb700 (LWP 26032)]
[New Thread 0x7fff5daa8700 (LWP 26033)]
[New Thread 0x7fff4d50b700 (LWP 26034)]
[Thread 0x7fff5f2ab700 (LWP 26030) exited]
[Thread 0x7fff5daa8700 (LWP 26033) exited]
[Thread 0x7fff4ffff700 (LWP 26028) exited]

Program received signal SIGSEGV, Segmentation fault.
sweep_line_delete (rectangle=0x7fffffff7a68, sweep=0x7fffffff7780) at cairo-bentley-ottmann-rectangular.c:567
567	cairo-bentley-ottmann-rectangular.c: No such file or directory.
#0  0x00007ffff202f052 in sweep_line_delete (rectangle=0x7fffffff7a68, sweep=0x7fffffff7780) at cairo-bentley-ottmann-rectangular.c:567
#1  _cairo_bentley_ottmann_tessellate_rectangular (rectangles=rectangles@entry=0x7fffffff7950, num_rectangles=num_rectangles@entry=3, fill_rule=fill_rule@entry=CAIRO_FILL_RULE_WINDING, do_traps=do_traps@entry=0, container=container@entry=0x7fffffff8a50) at cairo-bentley-ottmann-rectangular.c:659
#2  0x00007ffff202f945 in _cairo_bentley_ottmann_tessellate_boxes (in=in@entry=0x7fffffff8ca0, fill_rule=fill_rule@entry=CAIRO_FILL_RULE_WINDING, out=out@entry=0x7fffffff8a50) at cairo-bentley-ottmann-rectangular.c:877
#3  0x00007ffff208fb84 in fixup_unbounded (extents=extents@entry=0x7fffffff9e40, boxes=boxes@entry=0x7fffffff93b0, compositor=0x7ffff2319940 <compositor.16699>) at cairo-traps-compositor.c:885
#4  0x00007ffff2090a6b in composite_aligned_boxes (boxes=0x7fffffff93b0, extents=0x7fffffff9e40, compositor=0x7ffff2319940 <compositor.16699>) at cairo-traps-compositor.c:1298
#5  clip_and_composite_boxes (compositor=compositor@entry=0x7ffff2319940 <compositor.16699>, extents=extents@entry=0x7fffffff9e40, boxes=boxes@entry=0x7fffffff93b0) at cairo-traps-compositor.c:1774
#6  0x00007ffff2090e2d in clip_and_composite_polygon (compositor=compositor@entry=0x7ffff2319940 <compositor.16699>, extents=extents@entry=0x7fffffff9e40, polygon=polygon@entry=0x7fffffff9a20, antialias=antialias@entry=CAIRO_ANTIALIAS_NONE, fill_rule=fill_rule@entry=CAIRO_FILL_RULE_WINDING, curvy=<optimized out>) at cairo-traps-compositor.c:1562
#7  0x00007ffff20915bc in _cairo_traps_compositor_fill (_compositor=0x7ffff2319940 <compositor.16699>, extents=0x7fffffff9e40, path=0xc45708, fill_rule=CAIRO_FILL_RULE_WINDING, tolerance=0.10000000000000001, antialias=CAIRO_ANTIALIAS_NONE) at cairo-traps-compositor.c:2250
#8  0x00007ffff203b7ea in _cairo_compositor_fill (compositor=0x7ffff2319940 <compositor.16699>, surface=0xe71a00, op=op@entry=CAIRO_OPERATOR_IN, source=source@entry=0x7ffff20e5b60 <_cairo_pattern_white>, path=path@entry=0xc45708, fill_rule=fill_rule@entry=CAIRO_FILL_RULE_WINDING, tolerance=0.10000000000000001, antialias=antialias@entry=CAIRO_ANTIALIAS_NONE, clip=clip@entry=0xa40040) at cairo-compositor.c:203
#9  0x00007ffff20ab9b8 in _cairo_xlib_surface_fill (_surface=0xe71a00, op=CAIRO_OPERATOR_IN, source=0x7ffff20e5b60 <_cairo_pattern_white>, path=0xc45708, fill_rule=CAIRO_FILL_RULE_WINDING, tolerance=<optimized out>, antialias=CAIRO_ANTIALIAS_NONE, clip=0xa40040) at cairo-xlib-surface.c:1646
#10 0x00007ffff207ed0c in _cairo_surface_fill (surface=0xe71a00, op=CAIRO_OPERATOR_IN, source=0x7ffff20e5b60 <_cairo_pattern_white>, path=0xc45708, fill_rule=CAIRO_FILL_RULE_WINDING, tolerance=0.10000000000000001, antialias=CAIRO_ANTIALIAS_NONE, clip=0xa40040) at cairo-surface.c:2255
#11 0x00007ffff2039c2f in _cairo_clip_combine_with_surface (clip=0xa40040, dst=dst@entry=0xe71a00, dst_x=<optimized out>, dst_y=<optimized out>) at cairo-clip-surface.c:78
#12 0x00007ffff208f857 in create_composite_mask (compositor=compositor@entry=0x7ffff2319940 <compositor.16699>, dst=<optimized out>, draw_closure=draw_closure@entry=0x7fffffffb170, draw_func=draw_func@entry=0x7ffff208e5e0 <composite_boxes>, mask_func=mask_func@entry=0x0, extents=extents@entry=0x7fffffffb590) at cairo-traps-compositor.c:500
#13 0x00007ffff20900ef in clip_and_composite_with_mask (src_y=0, src_x=0, src=0xc54510, op=CAIRO_OPERATOR_OVER, draw_closure=0x7fffffffb170, mask_func=0x0, draw_func=0x7ffff208e5e0 <composite_boxes>, extents=0x7fffffffb590, compositor=0x7ffff2319940 <compositor.16699>) at cairo-traps-compositor.c:546
#14 clip_and_composite (compositor=compositor@entry=0x7ffff2319940 <compositor.16699>, extents=extents@entry=0x7fffffffb590, draw_func=draw_func@entry=0x7ffff208e5e0 <composite_boxes>, mask_func=mask_func@entry=0x0, draw_closure=draw_closure@entry=0x7fffffffb170, need_clip=2) at cairo-traps-compositor.c:1036
#15 0x00007ffff20905d9 in clip_and_composite_boxes (compositor=compositor@entry=0x7ffff2319940 <compositor.16699>, extents=extents@entry=0x7fffffffb590, boxes=boxes@entry=0x7fffffffb170) at cairo-traps-compositor.c:1779
#16 0x00007ffff2091647 in _cairo_traps_compositor_fill (_compositor=0x7ffff2319940 <compositor.16699>, extents=0x7fffffffb590, path=0xd5e2d8, fill_rule=CAIRO_FILL_RULE_WINDING, tolerance=0.10000000000000001, antialias=CAIRO_ANTIALIAS_DEFAULT) at cairo-traps-compositor.c:2219
#17 0x00007ffff203b7ea in _cairo_compositor_fill (compositor=0x7ffff2319940 <compositor.16699>, surface=0x813a60, op=op@entry=CAIRO_OPERATOR_OVER, source=source@entry=0x7fffffffb9a0, path=path@entry=0xd5e2d8, fill_rule=fill_rule@entry=CAIRO_FILL_RULE_WINDING, tolerance=0.10000000000000001, antialias=antialias@entry=CAIRO_ANTIALIAS_DEFAULT, clip=clip@entry=0xd2c800) at cairo-compositor.c:203
#18 0x00007ffff20ab9b8 in _cairo_xlib_surface_fill (_surface=0x813a60, op=CAIRO_OPERATOR_OVER, source=0x7fffffffb9a0, path=0xd5e2d8, fill_rule=CAIRO_FILL_RULE_WINDING, tolerance=<optimized out>, antialias=CAIRO_ANTIALIAS_DEFAULT, clip=0xd2c800) at cairo-xlib-surface.c:1646
#19 0x00007ffff207ed0c in _cairo_surface_fill (surface=0x813a60, op=CAIRO_OPERATOR_OVER, source=0x7fffffffb9a0, path=0xd5e2d8, fill_rule=CAIRO_FILL_RULE_WINDING, tolerance=0.10000000000000001, antialias=CAIRO_ANTIALIAS_DEFAULT, clip=0xd2c800) at cairo-surface.c:2255
#20 0x00007ffff2043574 in _cairo_gstate_fill (gstate=0xdcc180, path=path@entry=0xd5e2d8) at cairo-gstate.c:1308
#21 0x00007ffff203d094 in _cairo_default_context_fill (abstract_cr=0xd5df70) at cairo-default-context.c:1058
#22 0x00007ffff20363d5 in cairo_fill (cr=0xd5df70) at cairo.c:2201
#23 0x00007ffff4d91b76 in fillRectWithColor (color=..., rect=..., cr=0xd5df70) at Source/WebCore/platform/graphics/cairo/GraphicsContextCairo.cpp:78
#24 fillRectWithColor (color=..., rect=..., cr=0xd5df70) at Source/WebCore/platform/graphics/cairo/GraphicsContextCairo.cpp:233
#25 WebCore::GraphicsContext::drawRect (this=this@entry=0x7fffffffdf30, rect=...) at Source/WebCore/platform/graphics/cairo/GraphicsContextCairo.cpp:243
#26 0x00007ffff5463890 in WebCore::RenderBoxModelObject::drawBoxSideFromPath (this=this@entry=0x7fff940d5bc8, graphicsContext=graphicsContext@entry=0x7fffffffdf30, borderRect=..., borderPath=..., edges=edges@entry=0x7fffffffc010, thickness=<optimized out>, drawThickness=<optimized out>, side=side@entry=WebCore::BSLeft, style=style@entry=0x7fff94415420, color=..., borderStyle=<optimized out>, bleedAvoidance=bleedAvoidance@entry=WebCore::BackgroundBleedBackgroundOverBorder, includeLogicalLeftEdge=includeLogicalLeftEdge@entry=true, includeLogicalRightEdge=includeLogicalRightEdge@entry=true) at Source/WebCore/rendering/RenderBoxModelObject.cpp:2261
#27 0x00007ffff5464495 in WebCore::RenderBoxModelObject::paintOneBorderSide (this=this@entry=0x7fff940d5bc8, graphicsContext=graphicsContext@entry=0x7fffffffdf30, style=style@entry=0x7fff94415420, outerBorder=..., innerBorder=..., sideRect=..., side=side@entry=WebCore::BSLeft, adjacentSide1=adjacentSide1@entry=WebCore::BSTop, adjacentSide2=adjacentSide2@entry=WebCore::BSBottom, edges=edges@entry=0x7fffffffc010, path=0x7fffffffbde0, bleedAvoidance=bleedAvoidance@entry=WebCore::BackgroundBleedBackgroundOverBorder, includeLogicalLeftEdge=includeLogicalLeftEdge@entry=true, includeLogicalRightEdge=includeLogicalRightEdge@entry=true, antialias=antialias@entry=true, overrideColor=overrideColor@entry=0x0) at Source/WebCore/rendering/RenderBoxModelObject.cpp:1819
#28 0x00007ffff5464d30 in WebCore::RenderBoxModelObject::paintBorderSides (this=this@entry=0x7fff940d5bc8, graphicsContext=graphicsContext@entry=0x7fffffffdf30, style=style@entry=0x7fff94415420, outerBorder=..., innerBorder=..., innerBorderAdjustment=..., edges=edges@entry=0x7fffffffc010, edgeSet=edgeSet@entry=15, bleedAvoidance=bleedAvoidance@entry=WebCore::BackgroundBleedBackgroundOverBorder, includeLogicalLeftEdge=includeLogicalLeftEdge@entry=true, includeLogicalRightEdge=includeLogicalRightEdge@entry=true, antialias=true, overrideColor=overrideColor@entry=0x0) at Source/WebCore/rendering/RenderBoxModelObject.cpp:1894
#29 0x00007ffff5466f2b in WebCore::RenderBoxModelObject::paintBorder (this=this@entry=0x7fff940d5bc8, info=..., rect=..., style=0x7fff94415420, bleedAvoidance=bleedAvoidance@entry=WebCore::BackgroundBleedBackgroundOverBorder, includeLogicalLeftEdge=4, includeLogicalLeftEdge@entry=true, includeLogicalRightEdge=includeLogicalRightEdge@entry=true) at Source/WebCore/rendering/RenderBoxModelObject.cpp:2109
#30 0x00007ffff545b657 in WebCore::RenderBox::paintBoxDecorations (this=0x7fff940d5bc8, paintInfo=..., paintOffset=...) at Source/WebCore/rendering/RenderBox.cpp:1192
#31 0x00007ffff541d3c7 in WebCore::RenderBlock::paintObject (this=0x7fff940d5bc8, paintInfo=..., paintOffset=...) at Source/WebCore/rendering/RenderBlock.cpp:3299
#32 0x00007ffff5404351 in WebCore::RenderBlock::paint (this=0x7fff940d5bc8, paintInfo=..., paintOffset=...) at Source/WebCore/rendering/RenderBlock.cpp:3019
#33 0x00007ffff54c35b2 in WebCore::RenderLayer::paintBackgroundForFragments (this=this@entry=0x7fff793b8ee8, layerFragments=..., context=context@entry=0x7fffffffdf30, transparencyLayerContext=transparencyLayerContext@entry=0x7fffffffdf30, transparencyPaintDirtyRect=..., haveTransparency=haveTransparency@entry=false, localPaintingInfo=..., paintBehavior=paintBehavior@entry=0, subtreePaintRootForRenderer=subtreePaintRootForRenderer@entry=0x0) at Source/WebCore/rendering/RenderLayer.cpp:4118
#34 0x00007ffff54ceb7b in WebCore::RenderLayer::paintLayerContents (this=this@entry=0x7fff793b8ee8, context=context@entry=0x7fffffffdf30, paintingInfo=..., paintFlags=224) at Source/WebCore/rendering/RenderLayer.cpp:3875
#35 0x00007ffff54cecb5 in WebCore::RenderLayer::paintLayerContentsAndReflection (this=this@entry=0x7fff793b8ee8, context=context@entry=0x7fffffffdf30, paintingInfo=..., paintFlags=paintFlags@entry=224) at Source/WebCore/rendering/RenderLayer.cpp:3649
#36 0x00007ffff54ceecf in WebCore::RenderLayer::paintLayerByApplyingTransform (this=this@entry=0x7fff793b8ee8, context=context@entry=0x7fffffffdf30, paintingInfo=..., paintFlags=paintFlags@entry=224, translationOffset=...) at Source/WebCore/rendering/RenderLayer.cpp:3951
#37 0x00007ffff54cf612 in WebCore::RenderLayer::paintLayer (this=this@entry=0x7fff793b8ee8, context=context@entry=0x7fffffffdf30, paintingInfo=..., paintFlags=paintFlags@entry=224) at Source/WebCore/rendering/RenderLayer.cpp:3622
#38 0x00007ffff54d03aa in paintList (paintFlags=<optimized out>, paintingInfo=..., context=<optimized out>, list=<optimized out>, this=<optimized out>) at Source/WebCore/rendering/RenderLayer.cpp:3971
#39 WebCore::RenderLayer::paintList (this=0x7fff94152678, list=0x7fff5f362230, context=0x7fffffffdf30, paintingInfo=..., paintFlags=224) at Source/WebCore/rendering/RenderLayer.cpp:3954
#40 0x00007ffff54ce4c6 in WebCore::RenderLayer::paintLayerContents (this=this@entry=0x7fff94152678, context=context@entry=0x7fffffffdf30, paintingInfo=..., paintFlags=224) at Source/WebCore/rendering/RenderLayer.cpp:3896
#41 0x00007ffff54cecb5 in WebCore::RenderLayer::paintLayerContentsAndReflection (this=this@entry=0x7fff94152678, context=context@entry=0x7fffffffdf30, paintingInfo=..., paintFlags=paintFlags@entry=224) at Source/WebCore/rendering/RenderLayer.cpp:3649
#42 0x00007ffff54ceecf in WebCore::RenderLayer::paintLayerByApplyingTransform (this=this@entry=0x7fff94152678, context=context@entry=0x7fffffffdf30, paintingInfo=..., paintFlags=paintFlags@entry=224, translationOffset=...) at Source/WebCore/rendering/RenderLayer.cpp:3951
#43 0x00007ffff54cf612 in WebCore::RenderLayer::paintLayer (this=this@entry=0x7fff94152678, context=context@entry=0x7fffffffdf30, paintingInfo=..., paintFlags=paintFlags@entry=224) at Source/WebCore/rendering/RenderLayer.cpp:3622
#44 0x00007ffff54d03aa in paintList (paintFlags=<optimized out>, paintingInfo=..., context=<optimized out>, list=<optimized out>, this=<optimized out>) at Source/WebCore/rendering/RenderLayer.cpp:3971
#45 WebCore::RenderLayer::paintList (this=0x7fff94152340, list=0x7fff5f3623c0, context=0x7fffffffdf30, paintingInfo=..., paintFlags=224) at Source/WebCore/rendering/RenderLayer.cpp:3954
#46 0x00007ffff54ce4c6 in WebCore::RenderLayer::paintLayerContents (this=this@entry=0x7fff94152340, context=context@entry=0x7fffffffdf30, paintingInfo=..., paintFlags=224) at Source/WebCore/rendering/RenderLayer.cpp:3896
#47 0x00007ffff54cecb5 in WebCore::RenderLayer::paintLayerContentsAndReflection (this=this@entry=0x7fff94152340, context=context@entry=0x7fffffffdf30, paintingInfo=..., paintFlags=paintFlags@entry=224) at Source/WebCore/rendering/RenderLayer.cpp:3649
#48 0x00007ffff54cf530 in WebCore::RenderLayer::paintLayer (this=this@entry=0x7fff94152340, context=context@entry=0x7fffffffdf30, paintingInfo=..., paintFlags=paintFlags@entry=224) at Source/WebCore/rendering/RenderLayer.cpp:3631
#49 0x00007ffff54d03aa in paintList (paintFlags=<optimized out>, paintingInfo=..., context=<optimized out>, list=<optimized out>, this=<optimized out>) at Source/WebCore/rendering/RenderLayer.cpp:3971
#50 WebCore::RenderLayer::paintList (this=0x7fff940d58c8, list=0x7fff5f3622e0, context=0x7fffffffdf30, paintingInfo=..., paintFlags=224) at Source/WebCore/rendering/RenderLayer.cpp:3954
#51 0x00007ffff54ce4c6 in WebCore::RenderLayer::paintLayerContents (this=this@entry=0x7fff940d58c8, context=context@entry=0x7fffffffdf30, paintingInfo=..., paintFlags=224) at Source/WebCore/rendering/RenderLayer.cpp:3896
#52 0x00007ffff54cecb5 in WebCore::RenderLayer::paintLayerContentsAndReflection (this=this@entry=0x7fff940d58c8, context=context@entry=0x7fffffffdf30, paintingInfo=..., paintFlags=paintFlags@entry=224) at Source/WebCore/rendering/RenderLayer.cpp:3649
#53 0x00007ffff54cf530 in WebCore::RenderLayer::paintLayer (this=this@entry=0x7fff940d58c8, context=context@entry=0x7fffffffdf30, paintingInfo=..., paintFlags=paintFlags@entry=224) at Source/WebCore/rendering/RenderLayer.cpp:3631
#54 0x00007ffff54d03aa in paintList (paintFlags=<optimized out>, paintingInfo=..., context=<optimized out>, list=<optimized out>, this=<optimized out>) at Source/WebCore/rendering/RenderLayer.cpp:3971
#55 WebCore::RenderLayer::paintList (this=0x7fff951c5350, list=0x7fff7937c0d0, context=0x7fffffffdf30, paintingInfo=..., paintFlags=224) at Source/WebCore/rendering/RenderLayer.cpp:3954
#56 0x00007ffff54ce4c6 in WebCore::RenderLayer::paintLayerContents (this=this@entry=0x7fff951c5350, context=context@entry=0x7fffffffdf30, paintingInfo=..., paintFlags=224) at Source/WebCore/rendering/RenderLayer.cpp:3896
#57 0x00007ffff54cecb5 in WebCore::RenderLayer::paintLayerContentsAndReflection (this=this@entry=0x7fff951c5350, context=context@entry=0x7fffffffdf30, paintingInfo=..., paintFlags=paintFlags@entry=224) at Source/WebCore/rendering/RenderLayer.cpp:3649
#58 0x00007ffff54cf530 in WebCore::RenderLayer::paintLayer (this=this@entry=0x7fff951c5350, context=context@entry=0x7fffffffdf30, paintingInfo=..., paintFlags=paintFlags@entry=224) at Source/WebCore/rendering/RenderLayer.cpp:3631
#59 0x00007ffff54d03aa in paintList (paintFlags=<optimized out>, paintingInfo=..., context=<optimized out>, list=<optimized out>, this=<optimized out>) at Source/WebCore/rendering/RenderLayer.cpp:3971
#60 WebCore::RenderLayer::paintList (this=0x7fff951c5178, list=0x7fff94ef4fe0, context=0x7fffffffdf30, paintingInfo=..., paintFlags=224) at Source/WebCore/rendering/RenderLayer.cpp:3954
#61 0x00007ffff54ce4c6 in WebCore::RenderLayer::paintLayerContents (this=this@entry=0x7fff951c5178, context=context@entry=0x7fffffffdf30, paintingInfo=..., paintFlags=224) at Source/WebCore/rendering/RenderLayer.cpp:3896
#62 0x00007ffff54cecb5 in WebCore::RenderLayer::paintLayerContentsAndReflection (this=this@entry=0x7fff951c5178, context=context@entry=0x7fffffffdf30, paintingInfo=..., paintFlags=paintFlags@entry=0) at Source/WebCore/rendering/RenderLayer.cpp:3649
#63 0x00007ffff54cf530 in WebCore::RenderLayer::paintLayer (this=this@entry=0x7fff951c5178, context=context@entry=0x7fffffffdf30, paintingInfo=..., paintFlags=paintFlags@entry=0) at Source/WebCore/rendering/RenderLayer.cpp:3631
#64 0x00007ffff54d05f0 in WebCore::RenderLayer::paint (this=this@entry=0x7fff951c5178, context=context@entry=0x7fffffffdf30, damageRect=..., paintBehavior=0, subtreePaintRoot=subtreePaintRoot@entry=0x0, region=region@entry=0x0, paintFlags=paintFlags@entry=0) at Source/WebCore/rendering/RenderLayer.cpp:3441
#65 0x00007ffff539ea3d in WebCore::FrameView::paintContents (this=0x7fffe69aba00, p=0x7fffffffdf30, rect=...) at Source/WebCore/page/FrameView.cpp:3564
#66 0x00007ffff5a40bd6 in paint (rect=..., context=0x7fffffffdf30, this=0x7fffe69aba00) at Source/WebCore/platform/ScrollView.cpp:1102
#67 WebCore::ScrollView::paint (this=0x7fffe69aba00, context=0x7fffffffdf30, rect=...) at Source/WebCore/platform/ScrollView.cpp:1071
#68 0x00007ffff4c9b663 in paintWebView (dirtyRegion=..., frame=0x7fffe6988c00, webView=0x7ca2c0) at Source/WebKit/gtk/WebCoreSupport/ChromeClientGtk.cpp:562
#69 WebKit::ChromeClient::paint (this=0x7c89f0) at Source/WebKit/gtk/WebCoreSupport/ChromeClientGtk.cpp:605
#70 0x00007ffff4d8e420 in WebCore::ThreadTimers::sharedTimerFiredInternal (this=0x7fffe699bbe0) at Source/WebCore/platform/ThreadTimers.cpp:129
#71 0x00007ffff4da0a62 in WebCore::timeout_cb () at Source/WebCore/platform/gtk/SharedTimerGtk.cpp:49
#72 0x00007ffff69902ab in g_timeout_dispatch (source=source@entry=0x7aef10, callback=<optimized out>, user_data=<optimized out>) at /var/tmp/portage/dev-libs/glib-2.38.2-r1/work/glib-2.38.2/glib/gmain.c:4451
#73 0x00007ffff698f715 in g_main_dispatch (context=0x6767b0) at /var/tmp/portage/dev-libs/glib-2.38.2-r1/work/glib-2.38.2/glib/gmain.c:3066
#74 g_main_context_dispatch (context=context@entry=0x6767b0) at /var/tmp/portage/dev-libs/glib-2.38.2-r1/work/glib-2.38.2/glib/gmain.c:3642
#75 0x00007ffff698fa58 in g_main_context_iterate (context=0x6767b0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at /var/tmp/portage/dev-libs/glib-2.38.2-r1/work/glib-2.38.2/glib/gmain.c:3713
#76 0x00007ffff698feaa in g_main_loop_run (loop=0x7bec50) at /var/tmp/portage/dev-libs/glib-2.38.2-r1/work/glib-2.38.2/glib/gmain.c:3907
#77 0x00007ffff766a905 in gtk_main () at gtkmain.c:1158
#78 0x0000000000407795 in main (argc=1, argv=0x7fffffffe388) at jumanji.c:699
A debugging session is active.

	Inferior 1 [process 25969] will be killed.

Quit anyway? (y or n)
---gdb.log---
Created attachment 104383 [details] [review]
quick hack

The problem here seems to be that with small areas to fill, the boxes tessellator receives empty boxes, which are evidently unexpected. The attached patch is derived by going one step back to the source of these empty boxes; a comment there seems to imply a choice to mimic pixman. Obviously the real problem could be earlier than that. A different solution could be to impose a minimum width/height of 1 for the boxes generated.
Created attachment 104551 [details] [review]
testcase

I cairo-traced a visit to youtube using 'surf' and reduced the trace to the minimum that still reproduces the crash, in the form of a cairo test-suite C file. So, after applying the patch and running make -C test, if you execute the test with:

> CAIRO_TEST_TARGET=xlib gdb -ex r -ex bt --args test/.libs/cairo-test-suite sweep-line-delete

you'll get a backtrace similar to the one in the bug report.
(In reply to comment #2)
> Created attachment 104551 [details] [review] [review]
> testcase
> 
> I cairo-traced a visit to youtube using 'surf' and reduced the trace
> to the minimum still reproducing the crash in the form of a
> cairo test-suite C file.

Would it be ok with you if this test case were included with Cairo? Would the following license header be suitable? Do you want some copyright notice to be included? Which one?

/*
 * Permission is hereby granted, free of charge, to any person
 * obtaining a copy of this software and associated documentation
 * files (the "Software"), to deal in the Software without
 * restriction, including without limitation the rights to use, copy,
 * modify, merge, publish, distribute, sublicense, and/or sell copies
 * of the Software, and to permit persons to whom the Software is
 * furnished to do so, subject to the following conditions:
 *
 * The above copyright notice and this permission notice shall be
 * included in all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 * SOFTWARE.
 */
Created attachment 104568 [details] [review]
alternative solution

An alternative patch that would make the rectangular tessellator work also with empty boxes, so intrinsically safe also for other (future) callers. Obviously only valid if I understood what it's doing and it is possible to effectively ignore empty boxes.

> Would it be ok with you if this test case were included with Cairo? Would the
> following license header be suitable? Do you want some copyright notice to be
> included? Which one?

It is ok with me, it is suitable, I don't want any copyright notice, whatever.
Hi Massimo. Looks like your last patch with only 3 lines of code solved the problem! I applied it here and no more segfault. Since I don't understand and know nothing about cairo, I don't know if what this patch does is the right thing or if it is safe to use it. All I know is that it solved it, I think. Should I mark it as solved?

(In reply to comment #4)
> Created attachment 104568 [details] [review] [review]
> alternative solution
> 
> An alternative patch that would make the rectangular tessellator
> work also with empty boxes, so intrinsically safe also for
> other (future) callers.
> 
> Obviously only valid if I understood what it's doing and it
> is possible to effectively ignore empty boxes.
> 
> > Would it be ok with you if this test case were included with Cairo? Would the
> > following license header be suitable? Do you want some copyright notice to be
> > included? Which one?
> 
> It is ok with me, it is suitable, I don't want any copyright notice, whatever.
(In reply to comment #5)
> Hi Massimo. Looks like your last patch with only 3 lines of code solved the
> problem!
> I applied it here and no more segfault.
> Since I don't understand and know nothing about cairo, I don't know if what
> this patch does is the right thing or if it is safe to use it. All I know is that
> it solved it, I think.

To me it seems correct and safe, it only drops empty boxes from the list of boxes to be tessellated.

Empty boxes do not alter the insideness of any pixel, because if a ray from the pixel intersects the top edge it also intersects the bottom edge, one from the left and the other from the right, so it should be correct for both (EVEN_ODD, WINDING) fill rules that cairo implements.

OTOH these empty boxes are problematic as they possibly lead to a segfault.

It is possible that there are better places to discard these boxes.

> Should I mark it as solved?

I'm not a cairo developer, but I'd say not until a fix has been included in the official source tree, so people experiencing the same problem can find a solution and report shortcomings. There are already many duplicates in many distribution/application/library bugzillas.
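The ray argument in the comment above can be checked numerically. The C program below is an added example, not cairo's code and not the patch attached to this bug: it models a box list in plain integer pixel coordinates (cairo's cairo_box_t uses 24.8 fixed point; integers are a simplification here), rasterises it under both of cairo's fill rules before and after dropping the empty boxes, and reports whether any pixel changed. A box whose p1.x is greater than p2.x is treated as a box traversed the other way round (winding -1), the convention this thread later describes as "counter winding"; the three sample boxes, one of them zero-height, are constructed for the example and only mimic the num_rectangles=3 call in the backtrace.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Integer stand-ins for cairo_point_t / cairo_box_t (cairo uses 24.8
 * fixed point; the integer simplification is ours). */
typedef struct { int x, y; } point_t;
typedef struct { point_t p1, p2; } box_t;

typedef enum { FILL_RULE_WINDING, FILL_RULE_EVEN_ODD } fill_rule_t;

#define MAX_BOXES 64

/* An empty box has no area: zero width or zero height. */
bool box_is_empty(const box_t *b)
{
    return b->p1.x == b->p2.x || b->p1.y == b->p2.y;
}

/* Winding contribution of one box to the pixel at (px, py).  A box with
 * p1.x > p2.x is not an error but a box walked the other way, so it
 * contributes -1 instead of +1; y is assumed ordered (p1.y <= p2.y). */
static int box_winding_at(const box_t *b, int px, int py)
{
    int dir = b->p1.x <= b->p2.x ? 1 : -1;
    int x1 = dir == 1 ? b->p1.x : b->p2.x;
    int x2 = dir == 1 ? b->p2.x : b->p1.x;
    if (px < x1 || px >= x2 || py < b->p1.y || py >= b->p2.y)
        return 0;
    return dir;
}

/* Is the pixel inside the shape described by the boxes, under `rule`? */
static bool pixel_inside(const box_t *boxes, size_t n, int px, int py,
                         fill_rule_t rule)
{
    int winding = 0;
    for (size_t i = 0; i < n; i++)
        winding += box_winding_at(&boxes[i], px, py);
    return rule == FILL_RULE_WINDING ? winding != 0 : (winding & 1) != 0;
}

/* Number of pixels of a w x h canvas that are inside. */
int count_inside_pixels(const box_t *boxes, size_t n, int w, int h,
                        fill_rule_t rule)
{
    int count = 0;
    for (int y = 0; y < h; y++)
        for (int x = 0; x < w; x++)
            count += pixel_inside(boxes, n, x, y, rule);
    return count;
}

/* The filtering step the "alternative solution" performs before
 * tessellation, reimplemented here: copy only the non-empty boxes. */
size_t drop_empty_boxes(const box_t *in, size_t n, box_t *out)
{
    size_t m = 0;
    for (size_t i = 0; i < n; i++)
        if (!box_is_empty(&in[i]))
            out[m++] = in[i];
    return m;
}

/* True when dropping the empty boxes changes no pixel of a w x h canvas. */
bool coverage_unchanged(const box_t *in, size_t n, int w, int h,
                        fill_rule_t rule)
{
    if (n > MAX_BOXES)
        return false;
    box_t kept[MAX_BOXES];
    size_t m = drop_empty_boxes(in, n, kept);
    for (int y = 0; y < h; y++)
        for (int x = 0; x < w; x++)
            if (pixel_inside(in, n, x, y, rule) != pixel_inside(kept, m, x, y, rule))
                return false;
    return true;
}

/* Constructed sample: a full box, a reversed box cutting a hole out of
 * it (the shape cairo's fixup_unbounded code builds), and a zero-height
 * box of the kind that reached the crashing tessellator. */
const box_t sample_boxes[3] = {
    { {  0, 0 }, { 16, 16 } },
    { { 16, 4 }, {  4, 12 } },
    { {  2, 8 }, { 10,  8 } },
};

size_t sample_kept_count(void)
{
    box_t kept[MAX_BOXES];
    return drop_empty_boxes(sample_boxes, 3, kept);
}

int main(void)
{
    printf("boxes kept after filtering: %zu of 3\n", sample_kept_count());
    printf("winding:  %d pixels inside, invariant: %s\n",
           count_inside_pixels(sample_boxes, 3, 16, 16, FILL_RULE_WINDING),
           coverage_unchanged(sample_boxes, 3, 16, 16, FILL_RULE_WINDING) ? "yes" : "no");
    printf("even-odd: %d pixels inside, invariant: %s\n",
           count_inside_pixels(sample_boxes, 3, 16, 16, FILL_RULE_EVEN_ODD),
           coverage_unchanged(sample_boxes, 3, 16, 16, FILL_RULE_EVEN_ODD) ? "yes" : "no");
    return 0;
}
```

Both rules report the same 160 covered pixels (256 of the outer box minus the 96 punched out by the reversed one) with and without the zero-height box, which is what the ray argument predicts; a zero-width box can be added to sample_boxes to confirm the same for the other degenerate case.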
(In reply to comment #6)
> (In reply to comment #5)
> > Hi Massimo. Looks like your last patch with only 3 lines of code solved the
> > problem!
> > I applied it here and no more segfault.
> > Since I don't understand and know nothing about cairo, I don't know if what
> > this patch does is the right thing or if it is safe to use it. All I know is that
> > it solved it, I think.
> > 
> 
> To me it seems correct and safe, it only drops empty
> boxes from the list of boxes to be tessellated.

It is. Could you please write a nice commit log, adding

Reported-by: Henrique Lengler <henriqueleng@openmailbox.org>
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=81699

and submit. Ideally we would love to have a test case to hit this problem as well. If you can capture it using cairo-trace that would be a good start.

> Empty boxes do not alter the insideness of any pixel
> because if a ray from the pixel intersects the top edge
> it also intersects the bottom edge, one from the left
> and the other from the right, so it should be correct
> for both (EVEN_ODD, WINDING) fill rules that cairo implements.
> 
> OTOH these empty boxes are problematic as they possibly
> lead to a segfault.
> 
> It is possible that there are better places to discard
> these boxes.

That's my only worry, I am trying to remember all the call paths that enter here and why we have empty boxes in the first place. In this case, the empty boxes seem to be part of the clip, which is worrisome. All the zero height boxes should have been prefiltered...

diff --git a/src/cairo-boxes.c b/src/cairo-boxes.c
index 63b68dd..90afdbd 100644
--- a/src/cairo-boxes.c
+++ b/src/cairo-boxes.c
@@ -139,6 +139,8 @@ _cairo_boxes_add_internal (cairo_boxes_t *boxes,
     if (unlikely (boxes->status))
 	return;
 
+    assert(box->x2 > box->x1 && box->y2 > box->y1);
+
     chunk = boxes->tail;
     if (unlikely (chunk->count == chunk->size)) {
 	int size;

So yes, this suggests a far deeper problem than just the tessellate failure.
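Review bot: the added assert in the _cairo_boxes_add_internal hunk reads fields a cairo_box_t does not have; a box is two cairo_point_t corners, so the condition has to be `assert (box->p2.x > box->p1.x && box->p2.y > box->p1.y);` or the file will not compile. Even spelled that way the strict `>` on x is the wrong predicate for this code base: the fixup_unbounded paths deliberately add boxes with p1.x > p2.x to express counter winding, so a debug build would trip on valid input long before it reaches the zero-height boxes this bug is about. Assert only on degeneracy, `box->p1.x != box->p2.x && box->p1.y != box->p2.y`, and, if orientation must be pinned down, assert `box->p1.y < box->p2.y` separately for y, which is the axis the rectangular tessellator assumes ordered.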
Created attachment 105050 [details] [review]
proposed patch
Created attachment 105051 [details]
cairo script

This is the minimum cairo-trace/script that I obtained. To crash it I compiled util/cairo-script/csi-replay.c after changing the #define SINGLE_SURFACE to 0. To derive a test case from it, it is probably possible to use a smaller surface size. Enabling xlib-xcb prevents the crash, probably another code path is executed. (Valgrind (--enable-valgrind=no) reports an invalid read though.)
(In reply to comment #7)
[...]
> That's my only worry, I am trying to remember all the call paths that enter
> here and why we have empty boxes in the first place. In this case, the empty
> boxes seem to be part of the clip, which is worrisome. All the zero height
> boxes should have been prefiltered...
> 
> diff --git a/src/cairo-boxes.c b/src/cairo-boxes.c
> index 63b68dd..90afdbd 100644
> --- a/src/cairo-boxes.c
> +++ b/src/cairo-boxes.c
> @@ -139,6 +139,8 @@ _cairo_boxes_add_internal (cairo_boxes_t *boxes,
>      if (unlikely (boxes->status))
>  	return;
>  
> +    assert(box->x2 > box->x1 && box->y2 > box->y1);
> +
>      chunk = boxes->tail;
>      if (unlikely (chunk->count == chunk->size)) {
>  	int size;
> 
> So yes, this suggests a far deeper problem than just the tessellate failure.

I guess you meant this:

assert(box->p2.x > box->p1.x && box->p2.y > box->p1.y);

That assert triggers for 61 test cases in the test suite. Most of these are due to boxes like this (this code appears in different places inside of cairo, e.g. _cairo_xcb_surface_fixup_unbounded_boxes and the span compositor's fixup_unbounded_boxes):

box.p1.x = _cairo_fixed_from_int (extents->unbounded.x + extents->unbounded.width);
box.p1.y = _cairo_fixed_from_int (extents->unbounded.y);
box.p2.x = _cairo_fixed_from_int (extents->unbounded.x);
box.p2.y = _cairo_fixed_from_int (extents->unbounded.y + extents->unbounded.height);

I guess that means that this code is wrong and should be fixed? Perhaps we should even commit this assert to cairo? At least I didn't find anything generating zero-height boxes.
List of tests:

big-empty-box big-empty-triangle big-little-box bug-40410 bug-bo-collins bug-bo-rectangular clip-complex-bug61492 clip-complex-shape-eo-aa clip-complex-shape-eo-mono clip-fill clip-fill-eo-unbounded clip-fill-nz-unbounded clip-group-shapes-unaligned-rectangles clip-mixed-antialias clip-nesting clip-operator clip-shape clip-stroke-unbounded clip-text clip-twice copy-disjoint fill-disjoint get-path-extents hatchings image-surface-source mask operator operator-alpha operator-alpha-alpha paint-with-alpha-clip-mask pdf-surface-source ps-surface-source random-clip record-paint-alpha-clip-mask record-self-intersecting record1414x-self-intersecting record2x-self-intersecting record90-self-intersecting recordflip-self-intersecting rectilinear-fill rotated-clip self-copy self-copy-overlap self-intersecting subsurface-image-repeat subsurface-modify-child subsurface-modify-parent subsurface-pad subsurface-reflect subsurface-repeat surface-pattern-operator svg-surface-source text-glyph-range tighten-bounds trap-clip unantialiased-shapes unbounded-operator white-in-noop xcb-surface-source xlib-surface-source zero-mask

Oh, and the assert does not trigger for the test case attached to this bug report (except for the "test-traps" (pseudo-)backend, which doesn't count, I guess). But that test case doesn't crash here either...?
Hmm, nope. We only reject the empty boxes, but allow negative boxes to represent counter winding. That's cunning. Ok, found the problem. It's the traps-to-boxes routine that doesn't prefilter zero height traps/boxes.
commit 13a09526d2120c244471e03b6ae979016ef88e83
Author: Chris Wilson <chris@chris-wilson.co.uk>
Date:   Sat Aug 23 14:16:55 2014 +0100

    traps,xcb: Prefilter zero-area boxes when converting traps

    The rectangular tesselation routines rely on the presumption that all the
    boxes they have to handle are already filtered to remove empty boxes.

    << /width 800 /height 600 >> surface context
    0.0848671 0 0 0.0848671 39.907812 5.608896 matrix transform
    8 0 m 12.417969 0 16 3.582031 16 8 c 16 12.417969 12.417969 16 8 16 c 3.582031 16 0 12.417969 0 8 c 0 3.582031 3.582031 0 8 0 c h clip
    16 0 m 8 8 l 16 16 l h clip
    0 0 16 16 rectangle fill

    Triggers the error given a traps tesselator like cairo-xlib.

    Reported-by: Henrique Lengler <henriqueleng@openmailbox.org>
    Analyzed-by: Massimo <sixtysix@inwind.it>
    Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=81699
    Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>

Fixed, but leaving open to add the testcase.
*** Bug 72244 has been marked as a duplicate of this bug. ***
*** Bug 76272 has been marked as a duplicate of this bug. ***
Created attachment 105218 [details]
Crash backtrace

Hi Chris, thanks for the fix, it greatly increased stability. But unfortunately sometimes there are still crashes. Attached is a backtrace for the following (this is Debian 1.12.16-2 plus commit 13a09526 from master):

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff2cb0f98 in sweep_line_delete_edge (edge=0x7fffffff7b00, sweep=0x7fffffff77f0) at /tmp/cairo-1.12.16/src/cairo-bentley-ottmann-rectangular.c:558
558	    edge->next->prev = edge->prev;
/me hangs head in shame

commit a5f51588afd9d5629b03297eb29ff46350b6ba50
Author: Chris Wilson <chris@chris-wilson.co.uk>
Date:   Mon Aug 25 08:55:24 2014 +0100

    traps,xcb: Set the box count after filtering

    After converting, the number of boxes should only count the number of
    non-zero boxes and forget about the zero-sized boxes we skipped over.

    Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=81699
    Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
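The two commits above, and the earlier discussion of which boxes the strict assert would reject, are easier to see side by side in a small reproduction. The following is an added example written for this page, not cairo's code: a toy trap-to-box conversion in the state after the first commit (zero-area traps skipped but the old count still returned) next to the state after the second commit (count set to the number of boxes kept), plus a check that distinguishes a zero-area box, which the rectangular tesselator must never receive, from an inverted box, which encodes counter winding and is legitimate input. point_t, box_t, trap_t, convert_filtering and the sample traps are hypothetical stand-ins for cairo's fixed-point types and its traps-to-boxes routine; the sample traps are constructed, not taken from a real trace.

```c
/* Added example, not cairo code: a toy trap-to-box conversion that reproduces
 * the two defects fixed in bug 81699 (zero-area boxes reaching the rectangular
 * tesselator, and a box count left at the pre-filter value) next to the
 * corrected version. Types and function names are hypothetical stand-ins for
 * cairo's fixed-point cairo_box_t / cairo_trapezoid_t and its traps-to-boxes
 * routine; the sample traps are constructed, not taken from a real trace. */
#include <stdio.h>

typedef struct { int x, y; } point_t;
typedef struct { point_t p1, p2; } box_t;                /* p1 may lie right of / below p2 */
typedef struct { int top, bottom, left, right; } trap_t; /* rectilinear trapezoid */

#define NTRAPS 3

/* Zero-area box: the input the rectangular tesselator must never see. */
static int box_is_empty(const box_t *b)
{
    return b->p1.x == b->p2.x || b->p1.y == b->p2.y;
}

/* Inverted box (p2 left of / above p1): legal, it encodes counter winding.
 * A strict assert(p2.x > p1.x && p2.y > p1.y) would wrongly reject it. */
static int box_is_inverted(const box_t *b)
{
    return b->p2.x < b->p1.x || b->p2.y < b->p1.y;
}

/* Shared conversion: copies non-empty traps to out[], returns how many it kept. */
static int convert_filtering(const trap_t *traps, int n, box_t *out)
{
    int kept = 0;
    for (int i = 0; i < n; i++) {
        if (traps[i].top == traps[i].bottom || traps[i].left == traps[i].right)
            continue;                       /* first fix: prefilter zero-area traps */
        out[kept].p1.x = traps[i].left;  out[kept].p1.y = traps[i].top;
        out[kept].p2.x = traps[i].right; out[kept].p2.y = traps[i].bottom;
        kept++;
    }
    return kept;
}

/* State after the first commit alone: traps are filtered, but the reported
 * count is still n, so a consumer walks out[kept..n-1], slots the filter never
 * wrote (zeroed here; uninitialised or stale in a real allocation). */
static int traps_to_boxes_count_bug(const trap_t *traps, int n, box_t *out)
{
    (void) convert_filtering(traps, n, out);
    return n;                               /* BUG: should be the kept count */
}

/* State after the second commit: the count is the number of boxes kept. */
static int traps_to_boxes_fixed(const trap_t *traps, int n, box_t *out)
{
    return convert_filtering(traps, n, out);
}

/* The tesselator's precondition: 1 if all n boxes have non-zero area. */
static int boxes_all_nonempty(const box_t *boxes, int n)
{
    for (int i = 0; i < n; i++)
        if (box_is_empty(&boxes[i]))
            return 0;
    return 1;
}

/* Constructed input: two real traps with a zero-height one between them, the
 * kind of degenerate trap a clip vertex can produce. */
static const trap_t sample_traps[NTRAPS] = {
    { 0,  8, 8, 16 },   /* y 0..8,  x 8..16 */
    { 8,  8, 8, 16 },   /* top == bottom: zero height */
    { 8, 16, 0, 16 },   /* y 8..16, x 0..16 */
};

/* Each helper converts into a zeroed buffer and reports either the count the
 * conversion returned or whether that count covers only non-empty boxes. */
static int count_bug_reported(void)
{
    box_t out[NTRAPS] = {0};
    return traps_to_boxes_count_bug(sample_traps, NTRAPS, out);   /* 3 */
}
static int count_bug_consistent(void)
{
    box_t out[NTRAPS] = {0};
    int n = traps_to_boxes_count_bug(sample_traps, NTRAPS, out);
    return boxes_all_nonempty(out, n);                             /* 0: out[2] is empty */
}
static int fixed_reported(void)
{
    box_t out[NTRAPS] = {0};
    return traps_to_boxes_fixed(sample_traps, NTRAPS, out);        /* 2 */
}
static int fixed_consistent(void)
{
    box_t out[NTRAPS] = {0};
    int n = traps_to_boxes_fixed(sample_traps, NTRAPS, out);
    return boxes_all_nonempty(out, n);                             /* 1 */
}
/* An inverted box like the fixup code builds (p1.x = x + width, p2.x = x). */
static int inverted_box_is_valid(void)
{
    box_t inv = { { 16, 0 }, { 0, 16 } };
    return !box_is_empty(&inv) && box_is_inverted(&inv);           /* 1 */
}

int main(void)
{
    printf("count bug: reports %d boxes, consistent=%d\n", count_bug_reported(), count_bug_consistent());
    printf("fixed:     reports %d boxes, consistent=%d\n", fixed_reported(), fixed_consistent());
    printf("inverted box accepted as non-empty: %d\n", inverted_box_is_valid());
    return 0;
}
```

The miscounted variant is the interesting one for a crash like the sweep_line_delete_edge segfault reported above: the consumer trusts the returned count, so it processes one box the filter never wrote, and whatever that slot held (zero area here, arbitrary memory in practice) enters the tesselator in violation of its precondition. Filtering and returning the kept count must travel together; the first commit did only the former.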
Hi Chris, thanks a lot, it no longer crashes for me. Can these commits also go to the 1.12 branch?
Cherry-picked 28 commits into the 1.12 branch. I just did a quick search through the git history since 1.12 was branched off master (just after 1.12.16) and took everything which sounded harmless enough. These two commits are commit 3bb80aa2c3f97c071f434e0fbb6704fbef963352 and commit 4b65497231d1859e03762949896da94ffde389b on the branch.
CONFIRMING for cairo v1.13.1

$ cat /etc/system-release && uname -a
Fedora release 20 (Heisenbug)
Linux localhost.localdomain 3.17.7-200.fc20.x86_64 #1 SMP Wed Dec 17 03:35:33 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

$ yum info installed cairo
Loaded plugins: langpacks, priorities, refresh-packagekit
Installed Packages
Name        : cairo
Arch        : x86_64
Version     : 1.13.1
Release     : 0.1.git337ab1f.fc20
Size        : 1.7 M
Repo        : installed
From repo   : fedora
Summary     : A 2D graphics library
URL         : http://cairographics.org
License     : LGPLv2 or MPLv1.1
If I understand correctly, this issue has been resolved as of the two commits mentioned by Uli in comment #18, which I've confirmed are included in trunk. If there are other related changes needed (e.g. test cases?) please re-open and clarify what the remaining tasks are.