[cairo-bugs] [Bug 104616] New: Double free or corruption

bugzilla-daemon at freedesktop.org
Sat Jan 13 13:46:06 UTC 2018


https://bugs.freedesktop.org/show_bug.cgi?id=104616

            Bug ID: 104616
           Summary: Double free or corruption
           Product: cairo
           Version: unspecified
          Hardware: Other
                OS: All
            Status: NEW
          Severity: normal
          Priority: medium
         Component: freetype font backend
          Assignee: david at freetype.org
          Reporter: psychon at znc.in
        QA Contact: cairo-bugs at cairographics.org

$ (make -j8 && cd test && CAIRO_TEST_TARGET=xcb DISPLAY=:2 ./cairo-test-suite a1-clip-stroke a1-clip-paint)
[...]
TESTING a1-clip-stroke
a1-clip-stroke.xcb.argb32 [0x1]:        !!!CRASHED!!!
a1-clip-stroke.xcb.rgb24 [0x1]: double free or corruption (out)
a1-clip-stroke.xcb.rgb24 [0x1]: !!!CRASHED!!!
a1-clip-stroke.xcb-window.rgb24 [0x1]:  double free or corruption (out)
a1-clip-stroke.xcb-window.rgb24 [0x1]:  !!!CRASHED!!!
a1-clip-stroke.xcb-window&.rgb24 [0x1]: double free or corruption (out)
a1-clip-stroke.xcb-window&.rgb24 [0x1]: !!!CRASHED!!!
a1-clip-stroke.xcb-render-0_0.argb32 [0x1]:     double free or corruption (out)
a1-clip-stroke.xcb-render-0_0.argb32 [0x1]:     !!!CRASHED!!!
a1-clip-stroke.xcb-render-0_0.rgb24 [0x1]:      double free or corruption (out)
a1-clip-stroke.xcb-render-0_0.rgb24 [0x1]:      !!!CRASHED!!!
a1-clip-stroke.xcb-fallback.rgb24 [0x1]:        double free or corruption (out)
a1-clip-stroke.xcb-fallback.rgb24 [0x1]:        !!!CRASHED!!!
[...]

It does not crash under valgrind. Instead, I get:

==27971== Conditional jump or move depends on uninitialised value(s)
==27971==    at 0x4C2DDD1: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==27971==    by 0x4F472DB: _cairo_ft_options_fini (cairo-ft-font.c:206)
==27971==    by 0x4F472DB: _cairo_ft_font_face_destroy (cairo-ft-font.c:3156)
==27971==    by 0x4E700A5: cairo_font_face_destroy (cairo-font-face.c:186)
==27971==    by 0x4EF1AE4: _cairo_toy_font_face_fini (cairo-toy-font-face.c:216)
==27971==    by 0x4EF1AE4: _cairo_toy_font_face_destroy (cairo-toy-font-face.c:371)
==27971==    by 0x4E700A5: cairo_font_face_destroy (cairo-font-face.c:186)
==27971==    by 0x4E717A9: _cairo_gstate_fini (cairo-gstate.c:197)
==27971==    by 0x4E6C549: _cairo_default_context_fini (cairo-default-context.c:75)
==27971==    by 0x4E6C549: _cairo_default_context_destroy (cairo-default-context.c:93)
==27971==    by 0x1292C7: cairo_test_for_target (cairo-test.c:1414)
==27971==    by 0x129FF5: _cairo_test_context_run_for_target (cairo-test.c:1555)
==27971==    by 0x1267E7: _cairo_test_runner_draw (cairo-test-runner.c:255)
==27971==    by 0x1267E7: main (cairo-test-runner.c:937)
==27971== 

Git bisect says:

commit 37f9a5525da457226317d426e06c55d77da206c1
Author: Matthias Clasen <mclasen at redhat.com>
Date:   Fri Jan 5 09:10:32 2018 -0500

    Don't leak memory in font options

    The cairo_font_options_t struct may now contain allocated
    memory, so call fini whenever we are about to let go of an
    embedded cairo_font_options_t struct.

This is not all that surprising and basically confirms what valgrind already
said. However, at this point I'm out of ideas.

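The valgrind trace in the report points at free() inside a *_fini routine acting on an uninitialised value, right after a commit that started calling fini on every embedded cairo_font_options_t. The C program below is an illustration added to this page; it is not cairo's code and makes no claim about the actual root cause of bug 104616, which the report leaves open. It models the two ways that pattern usually breaks (a shallow struct copy that leaves two owners of one buffer, and a fini on an embedded struct that was never initialised) next to the safe shape (init before use, deep copy, fini that resets the pointer). The types font_options_t and font_face_t, the field name variations, and the tracking allocator are all invented for the example; the tracker stands in for libc's free() so the faults are counted instead of aborting the process.

```c
/*
 * Added illustration, not cairo's code: the bug class behind a "double free or
 * corruption" abort that valgrind reports as an uninitialised value reaching
 * free() inside a *_fini routine. An options struct owns a heap pointer and is
 * embedded by value in a larger struct; fini frees it. A tracking allocator
 * replaces libc free() so faults are counted, not fatal. Names are invented.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_TRACKED 16
static void *live[MAX_TRACKED], *freed[MAX_TRACKED]; /* outstanding / released */
static int double_frees, invalid_frees;

static int table_find(void **t, void *p) {
    for (int i = 0; i < MAX_TRACKED; i++) if (t[i] == p) return i;
    return -1;
}
static void table_put(void **t, void *p) {
    int i = table_find(t, NULL);
    if (i < 0) abort();                    /* table full; enough for an example */
    t[i] = p;
}
static char *tracked_strdup(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (!p) abort();
    memcpy(p, s, n);
    int i = table_find(freed, p);          /* malloc may recycle a freed address */
    if (i >= 0) freed[i] = NULL;
    table_put(live, p);
    return p;
}
/* free() that classifies bad calls instead of corrupting the heap. */
static void tracked_free(void *p) {
    if (!p) return;                        /* the branch valgrind flags on garbage */
    int i = table_find(live, p);
    if (i >= 0) { live[i] = NULL; table_put(freed, p); free(p); return; }
    if (table_find(freed, p) >= 0) { double_frees++; return; }
    invalid_frees++;                       /* never allocated: garbage pointer */
}
static int live_count(void) {
    int n = 0; for (int i = 0; i < MAX_TRACKED; i++) n += live[i] != NULL; return n;
}

/* The model: options own a buffer and are embedded by value in a face. */
typedef struct { char *variations; } font_options_t;
typedef struct { font_options_t opts; } font_face_t;

static void font_options_init(font_options_t *o) { o->variations = NULL; }
static void font_options_set(font_options_t *o, const char *v) {
    tracked_free(o->variations);
    o->variations = v ? tracked_strdup(v) : NULL;
}
/* Deep copy: each side owns its own buffer and may fini independently. */
static void font_options_copy(font_options_t *dst, const font_options_t *src) {
    font_options_init(dst);
    font_options_set(dst, src->variations);
}
/* Resetting the pointer turns a repeated fini into a no-op. */
static void font_options_fini(font_options_t *o) {
    tracked_free(o->variations);
    o->variations = NULL;
}

/* Fault 1: struct assignment copies the pointer; two owners free one buffer. */
static int scenario_shallow_copy(void) {
    double_frees = invalid_frees = 0;
    font_face_t a, b;
    font_options_init(&a.opts);
    font_options_set(&a.opts, "wght=700");
    b.opts = a.opts;                       /* BUG: shallow copy */
    font_options_fini(&a.opts);
    font_options_fini(&b.opts);            /* same pointer freed again */
    return double_frees;
}
/* Fault 2: fini on an embedded struct that was never initialised. */
static int scenario_uninitialised(void) {
    double_frees = invalid_frees = 0;
    font_face_t f;
    memset(&f, 0xAB, sizeof f);            /* stands in for stack garbage */
    font_options_fini(&f.opts);            /* BUG: frees whatever bits were there */
    return invalid_frees;
}
/* Fixed: init before use, deep copy, fini resets; repeated fini is harmless. */
static int scenario_fixed(void) {
    double_frees = invalid_frees = 0;
    font_face_t a, b;
    font_options_init(&a.opts);
    font_options_set(&a.opts, "wght=700");
    font_options_copy(&b.opts, &a.opts);
    font_options_fini(&a.opts);
    font_options_fini(&b.opts);
    font_options_fini(&b.opts);
    return double_frees + invalid_frees;
}

int main(void) {
    printf("shallow copy: %d double free(s)\n", scenario_shallow_copy());
    printf("uninitialised: %d invalid free(s)\n", scenario_uninitialised());
    printf("fixed: %d fault(s), %d live\n", scenario_fixed(), live_count());
    return 0;
}
```

The second scenario is the one that matches the valgrind wording: glibc's free() first tests the pointer against NULL, and when that pointer is whatever bytes happened to be in the embedded struct, memcheck reports a conditional jump on an uninitialised value; without valgrind the same call reaches the allocator and trips its "double free or corruption" check. When auditing a change like the bisected commit, the questions to ask are therefore which code paths hand out a cairo_font_options_t without going through its init routine, and which copy one by plain struct assignment.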