[cairo-bugs] [Bug 91967] Assertion "(_cairo_atomic_int_get (&(&surface->ref_count)->ref_count) > 0)"

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Tue May 24 08:25:28 UTC 2016


https://bugs.freedesktop.org/show_bug.cgi?id=91967

--- Comment #16 from Jaroslav Škarvada <jskarvad at redhat.com> ---
This problem is easy to hit with libwnck3 (because libwnck3 uses cairo, but
AFAIK libwnck2 didn't). It is reproducible when an application changes its
icon quickly. There is then a race condition: cairo calls XShmGetImage in
cairo-xlib-surface.c:797, but the icon pixmap it is trying to get may no
longer exist at that time. XShmGetImage therefore returns an invalid pixmap
error, and &image->base is destroyed on line 809. So far so good, but
&image->base is then destroyed again on line 1014, which triggers the assert
in cairo_surface_destroy because the reference count is already 0 (so the
second destroy would be a double free if the assert were not there). The
application linking with libwnck3 then dumps core; here is an example
backtrace:

Program terminated with signal SIGABRT, Aborted.
#0  0x00007f67f0e00a98 in __GI_raise (sig=sig@entry=6) at
../sysdeps/unix/sysv/linux/raise.c:55
55        return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);
[Current thread is 1 (Thread 0x7f67f485aa00 (LWP 9784))]
(gdb) bt
#0  0x00007f67f0e00a98 in __GI_raise (sig=sig@entry=6) at
../sysdeps/unix/sysv/linux/raise.c:55
#1  0x00007f67f0e0269a in __GI_abort () at abort.c:89
#2  0x00007f67f0df9227 in __assert_fail_base (fmt=<optimized out>,
assertion=assertion@entry=0x7f67f19997a8 "((*&(&surface->ref_count)->ref_count)
> 0)", file=file@entry=0x7f67f19996a0 "cairo-surface.c", line=line@entry=953,
function=function@entry=0x7f67f1999bf0 <__PRETTY_FUNCTION__.11260>
"cairo_surface_destroy") at assert.c:92
#3  0x00007f67f0df92d2 in __GI___assert_fail
(assertion=assertion@entry=0x7f67f19997a8
"((*&(&surface->ref_count)->ref_count) > 0)", file=file@entry=0x7f67f19996a0
"cairo-surface.c", line=line@entry=953, function=function@entry=0x7f67f1999bf0
<__PRETTY_FUNCTION__.11260> "cairo_surface_destroy") at assert.c:101
#4  0x00007f67f191ee12 in INT_cairo_surface_destroy
(surface=surface@entry=0x5618d0ca78f0) at cairo-surface.c:953
#5  0x00007f67f194e000 in _get_image_surface
(surface=surface@entry=0x5618d0c7cff0, extents=extents@entry=0x7ffff2922d40,
try_shm=try_shm@entry=1) at cairo-xlib-surface.c:1014
#6  0x00007f67f194ec73 in _cairo_xlib_surface_acquire_source_image
(abstract_surface=0x5618d0c7cff0, image_out=0x7ffff2922e00,
image_extra=<optimized out>) at cairo-xlib-surface.c:1403
#7  0x00007f67f191f6d4 in _cairo_surface_acquire_source_image
(surface=0x5618d0c7cff0, image_out=<optimized out>, image_extra=<optimized
out>) at cairo-surface.c:1973
#8  0x00007f67f18e7e52 in _pixman_image_for_pattern (iy=0x7ffff2922fd0,
ix=0x7ffff2922fc0, sample=0x7ffff2922fd0, extents=0x7ffff292372c,
is_mask=-225298644, pattern=0x7ffff2923770, dst=0xf568971204090700) at
cairo-image-source.c:1377
#9  0x00007f67f18e7e52 in _pixman_image_for_pattern
(dst=dst@entry=0x5618d0ca7760, pattern=pattern@entry=0x7ffff2923770,
is_mask=is_mask@entry=0, extents=extents@entry=0x7ffff292372c,
sample=sample@entry=0x7ffff2923750, tx=tx@entry=0x7ffff2922fc0,
ty=0x7ffff2922fd0) at cairo-image-source.c:1538
#10 0x00007f67f18e893e in _cairo_image_source_create_for_pattern
(dst=0x5618d0ca7760, pattern=0x7ffff2923770, is_mask=0, extents=0x7ffff292372c,
sample=0x7ffff2923750, src_x=0x7ffff2922fc0, src_y=0x7ffff2922fd0) at
cairo-image-source.c:1583
#11 0x00007f67f191c151 in clip_and_composite_boxes (boxes=0x7ffff2923460,
extents=0x7ffff29236f0, compositor=0x7f67f1bd6b60 <spans>) at
cairo-spans-compositor.c:678
#12 0x00007f67f191c151 in clip_and_composite_boxes
(compositor=compositor@entry=0x7f67f1bd6b60 <spans>,
extents=extents@entry=0x7ffff29236f0, boxes=boxes@entry=0x7ffff2923460)
    at cairo-spans-compositor.c:882
#13 0x00007f67f191c75e in clip_and_composite_boxes (compositor=0x7f67f1bd6b60
<spans>, extents=0x7ffff29236f0, boxes=0x7ffff2923460) at
cairo-spans-compositor.c:901
#14 0x00007f67f191ca79 in _cairo_spans_compositor_mask
(_compositor=0x7f67f1bd6b60 <spans>, extents=0x7ffff29236f0) at
cairo-spans-compositor.c:999
#15 0x00007f67f18d7429 in _cairo_compositor_paint (compositor=0x7f67f1bd6b60
<spans>, surface=0x5618d0ca7760, op=<optimized out>, source=<optimized out>,
clip=<optimized out>)
    at cairo-compositor.c:65
#16 0x00007f67f191f8b1 in _cairo_surface_paint (surface=0x5618d0ca7760,
op=CAIRO_OPERATOR_OVER, source=0x7ffff2923a30, clip=0x0) at
cairo-surface.c:2117
#17 0x00007f67f18df285 in _cairo_gstate_paint (gstate=0x5618d0a72e30) at
cairo-gstate.c:1067
#18 0x00007f67f18d1ea5 in INT_cairo_paint (cr=<optimized out>) at cairo.c:2003
#19 0x00007f67f4308ad0 in try_pixmap_and_mask
(screen=screen@entry=0x5618d08ba8b0, src_pixmap=src_pixmap@entry=48251092,
src_mask=src_mask@entry=48251093, iconp=iconp@entry=0x7ffff2923cd8,
ideal_width=ideal_width@entry=32, ideal_height=ideal_height@entry=32,
mini_iconp=0x7ffff2923ce0, ideal_mini_width=16, ideal_mini_height=16) at
xutils.c:1832
#20 0x00007f67f4309fa4 in _wnck_read_icons (ideal_mini_height=16,
ideal_mini_width=16, mini_iconp=0x7ffff2923ce0, ideal_height=32,
ideal_width=32, iconp=0x7ffff2923cd8, src_mask=48251093, src_pixmap=48251092,
screen=0x5618d08ba8b0) at xutils.c:2228
#21 0x00007f67f4309fa4 in _wnck_read_icons (screen=0x5618d08ba8b0,
xwindow=xwindow@entry=48235980, icon_cache=icon_cache@entry=0x5618d0a90340,
iconp=iconp@entry=0x7ffff2923cd8, ideal_width=ideal_width@entry=32,
ideal_height=ideal_height@entry=32, mini_iconp=0x7ffff2923ce0,
ideal_mini_width=16, ideal_mini_height=16) at xutils.c:2232
#22 0x00007f67f42ff90f in get_icons (window=window@entry=0x5618d0b18100
[WnckWindow]) at window.c:2109
#23 0x00007f67f43004af in force_update_now (window=0x5618d0b18100 [WnckWindow])
at window.c:3273
#24 0x00007f67f430175a in update_idle (data=0x5618d0b18100) at window.c:3301
#25 0x00007f67f1c22e3a in g_main_context_dispatch (context=0x5618d08bf460) at
gmain.c:3154
#26 0x00007f67f1c22e3a in g_main_context_dispatch
(context=context@entry=0x5618d08bf460) at gmain.c:3769
#27 0x00007f67f1c231d0 in g_main_context_iterate (context=0x5618d08bf460,
block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at
gmain.c:3840
#28 0x00007f67f1c234f2 in g_main_loop_run (loop=0x5618d0a896d0) at gmain.c:4034
#29 0x00007f67f3bc4325 in gtk_main () at gtkmain.c:1241
#30 0x00005618cfe959ef in main (argc=2, argv=0x7ffff2923ff8) at main.c:6027
