[cairo-bugs] [Bug 30071] New: crash when rendering this svg with librsvg to a pdf or ps or recording surface

bugzilla-daemon at freedesktop.org
Tue Sep 7 14:39:13 PDT 2010


https://bugs.freedesktop.org/show_bug.cgi?id=30071

           Summary: crash when rendering this svg with librsvg to a pdf or
                    ps or recording surface
           Product: cairo
           Version: 1.10.1
          Platform: Other
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: medium
         Component: general
        AssignedTo: cworth at cworth.org
        ReportedBy: chpe at gnome.org
         QAContact: cairo-bugs at cairographics.org


(If you don't have the test file installed locally, you can get it from
http://websvn.kde.org/*checkout*/trunk/KDE/kdegames/libkdegames/carddecks/svg-oxygen-white/oxygen-white.svgz?revision=896352
)

This crash happens with formats pdf, ps (rsvg-convert creates a pdf or ps
surface), but does *not* crash for png (image surface). This is cairo 1.10.0
(git master from today), librsvg git master.

$ ./rsvg-convert --format pdf /usr/share/kde4/apps/carddecks/svg-oxygen-white/oxygen-white.svgz -o test.pdf

Program received signal SIGSEGV, Segmentation fault.

__memcpy_ssse3 () at ../sysdeps/i386/i686/multiarch/memcpy-ssse3.S:160
160        movdqu    (%eax), %xmm0
(gdb) where
#0  __memcpy_ssse3 () at ../sysdeps/i386/i686/multiarch/memcpy-ssse3.S:160
#1  0x004441ec in _cairo_surface_snapshot_copy_on_write (surface=0x805aaa8) at cairo-surface-snapshot.c:140
#2  0x0043c07f in _cairo_surface_detach_snapshot (snapshot=0x805aaa8) at cairo-surface.c:329
#3  0x0043bfea in _cairo_surface_detach_snapshots (surface=0x805a5c8) at cairo-surface.c:314
#4  0x0043c9d1 in cairo_surface_finish (surface=0x805a5c8) at cairo-surface.c:715
#5  0x0043c8f0 in cairo_surface_destroy (surface=0x805a5c8) at cairo-surface.c:645
#6  0x004296db in _cairo_pattern_fini (pattern=0x805a6f0) at cairo-pattern.c:346
#7  0x0042a1d3 in cairo_pattern_destroy (pattern=0x805a6f0) at cairo-pattern.c:828
#8  0x00409fd9 in _cairo_gstate_fini (gstate=0x805bea0) at cairo-gstate.c:229
#9  0x0040a120 in _cairo_gstate_restore (gstate=0x4a7e5c, freelist=0x4a80f0) at cairo-gstate.c:290
#10 0x003fed87 in cairo_restore (cr=0x4a7e40) at cairo.c:583
#11 0x001400b1 in rsvg_cairo_pop_discrete_layer (ctx=0x851b8b8) at rsvg-cairo-draw.c:1003
#12 0x0013f0ce in rsvg_cairo_render_path (ctx=0x851b8b8, bpath_def=0x808cfa0) at rsvg-cairo-draw.c:639
#13 0x0013cc4e in rsvg_render_path (ctx=0x851b8b8,
    d=0x8059da0 "M 45.70543 501.29736000000003 H 325.28484200000003 A15.247724 15.247724 0 0 1 340.53256599999997 516.54508399999997 V 924.46134600000005 A15.247724 15.247724 0 0 1 325.28484200000003 939.7090700000001"...) at rsvg-base.c:2067
#14 0x0012f7ff in _rsvg_node_rect_draw (self=0x8106458, ctx=0x851b8b8, dominate=0) at rsvg-shapes.c:445
#15 0x00130e8a in rsvg_node_draw (self=0x8106458, ctx=0x851b8b8, dominate=0) at rsvg-structure.c:69
#16 0x00130f35 in _rsvg_node_draw_children (self=0x8105ad8, ctx=0x851b8b8, dominate=0) at rsvg-structure.c:87
#17 0x00130e8a in rsvg_node_draw (self=0x8105ad8, ctx=0x851b8b8, dominate=0) at rsvg-structure.c:69
#18 0x001319aa in rsvg_node_svg_draw (self=0x806b8c0, ctx=0x851b8b8, dominate=0) at rsvg-structure.c:326
#19 0x00130e8a in rsvg_node_draw (self=0x806b8c0, ctx=0x851b8b8, dominate=0) at rsvg-structure.c:69
#20 0x00140d4a in rsvg_handle_render_cairo_sub (handle=0x8056400, cr=0x4a7e40, id=0x0) at rsvg-cairo-render.c:234
#21 0x00140da2 in rsvg_handle_render_cairo (handle=0x8056400, cr=0x4a7e40) at rsvg-cairo-render.c:256
#22 0x0804a06b in main (argc=1, argv=0xbfffead4) at rsvg-convert.c:319


Running under valgrind doesn't crash, but reports this:

==27565== Unaddressable byte(s) found during client check request
==27565==    at 0x427E2C0: _cairo_debug_check_image_surface_is_defined (cairo-debug.c:125)
==27565==    by 0x42B5749: _cairo_surface_acquire_source_image (cairo-surface.c:1447)
==27565==    by 0x42BC119: _cairo_surface_snapshot_copy_on_write (cairo-surface-snapshot.c:125)
==27565==    by 0x42B407E: _cairo_surface_detach_snapshot (cairo-surface.c:329)
==27565==    by 0x42B3FE9: _cairo_surface_detach_snapshots (cairo-surface.c:314)
==27565==    by 0x42B49D0: cairo_surface_finish (cairo-surface.c:715)
==27565==    by 0x42B48EF: cairo_surface_destroy (cairo-surface.c:645)
==27565==    by 0x42A16DA: _cairo_pattern_fini (cairo-pattern.c:346)
==27565==    by 0x42A21D2: cairo_pattern_destroy (cairo-pattern.c:828)
==27565==    by 0x4281FD8: _cairo_gstate_fini (cairo-gstate.c:229)
==27565==    by 0x428211F: _cairo_gstate_restore (cairo-gstate.c:290)
==27565==    by 0x4276D86: cairo_restore (cairo.c:583)
==27565==    by 0x40390B0: rsvg_cairo_pop_discrete_layer (rsvg-cairo-draw.c:1003)
==27565==    by 0x40380CD: rsvg_cairo_render_path (rsvg-cairo-draw.c:639)
==27565==    by 0x4035C4D: rsvg_render_path (rsvg-base.c:2067)
==27565==    by 0x40287FE: _rsvg_node_rect_draw (rsvg-shapes.c:445)
==27565==    by 0x4029E89: rsvg_node_draw (rsvg-structure.c:69)
==27565==    by 0x4029F34: _rsvg_node_draw_children (rsvg-structure.c:87)
==27565==    by 0x4029E89: rsvg_node_draw (rsvg-structure.c:69)
==27565==    by 0x402A9A9: rsvg_node_svg_draw (rsvg-structure.c:326)
==27565==    by 0x4029E89: rsvg_node_draw (rsvg-structure.c:69)
==27565==    by 0x4039D49: rsvg_handle_render_cairo_sub (rsvg-cairo-render.c:234)
==27565==    by 0x4039DA1: rsvg_handle_render_cairo (rsvg-cairo-render.c:256)
==27565==    by 0x804A06A: main (rsvg-convert.c:319)
==27565==  Address 0x6c6b028 is not stack'd, malloc'd or (recently) free'd
