[cairo-bugs] [Bug 91967] Assertion "(_cairo_atomic_int_get (&(&surface->ref_count)->ref_count) > 0)"
bugzilla-daemon at freedesktop.org
bugzilla-daemon at freedesktop.org
Tue May 31 13:37:51 UTC 2016
https://bugs.freedesktop.org/show_bug.cgi?id=91967
--- Comment #28 from Jaroslav Škarvada <jskarvad at redhat.com> ---
Created attachment 124212
--> https://bugs.freedesktop.org/attachment.cgi?id=124212&action=edit
Proposed fix
Drawable may be destroyed/invalidated asynchronously before control flow
reaches _get_image_surface function or at any time the code from
_get_image_surface is executed - this may lead to undesired effects like double
free (which is prevented by assert), X server errors, crashes. The failing path
is e.g. the following:
- XShmGetImage @797 fails because the drawable doesn't exist
- cairo_surface_destroy @809 destroys the image (now there is no image)
- it tries XGetImage @818, but fails so it sets surface->use_pixmap =
CAIRO_ASSUME_PIXMAP (it wrongly suppose the surface is a window)
- now it tries to create pixmap @827, but it fails because the drawable doesn't
exist
- the check @879 passes and sets the error to CAIRO_STATUS_NO_MEMORY (which is
probably not the correct error, but that's not the main problem)
- the control flow is redirected to the BAIL @881
- the BAIL code started @1007
- it checks ximage and destroys it if it exists @1008
- the status is CAIRO_STATUS_NO_MEMORY so the check @1013 passed
- boom! the image is destroyed second time @1014
I think the main problem is that the two BAIL jumps (@848 and @881) doesn't
count with the fact that there is no image at the moment. The rest of the BAIL
jumps are OK, because there is already some image created.
The attached patch is my attempt to fix the problem. Not the most elegant
approach, but it seems to work for me. It also adds X error NOOP handler to X
calls which may fail due to the non-existent drawable/pixmap not to SIGTRAP the
code. With the patch applied the attached reproducer doesn't fail.
--
You are receiving this mail because:
You are the QA Contact for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.cairographics.org/archives/cairo-bugs/attachments/20160531/edc59fed/attachment.html>
More information about the cairo-bugs
mailing list