[cairo-bugs] [Bug 104616] New: Double free or corruption
bugzilla-daemon at freedesktop.org
Sat Jan 13 13:46:06 UTC 2018
https://bugs.freedesktop.org/show_bug.cgi?id=104616
Bug ID: 104616
Summary: Double free or corruption
Product: cairo
Version: unspecified
Hardware: Other
OS: All
Status: NEW
Severity: normal
Priority: medium
Component: freetype font backend
Assignee: david at freetype.org
Reporter: psychon at znc.in
QA Contact: cairo-bugs at cairographics.org
$ (make -j8 && cd test && CAIRO_TEST_TARGET=xcb DISPLAY=:2 ./cairo-test-suite a1-clip-stroke a1-clip-paint)
[...]
TESTING a1-clip-stroke
a1-clip-stroke.xcb.argb32 [0x1]: !!!CRASHED!!!
a1-clip-stroke.xcb.rgb24 [0x1]: double free or corruption (out)
a1-clip-stroke.xcb.rgb24 [0x1]: !!!CRASHED!!!
a1-clip-stroke.xcb-window.rgb24 [0x1]: double free or corruption (out)
a1-clip-stroke.xcb-window.rgb24 [0x1]: !!!CRASHED!!!
a1-clip-stroke.xcb-window&.rgb24 [0x1]: double free or corruption (out)
a1-clip-stroke.xcb-window&.rgb24 [0x1]: !!!CRASHED!!!
a1-clip-stroke.xcb-render-0_0.argb32 [0x1]: double free or corruption (out)
a1-clip-stroke.xcb-render-0_0.argb32 [0x1]: !!!CRASHED!!!
a1-clip-stroke.xcb-render-0_0.rgb24 [0x1]: double free or corruption (out)
a1-clip-stroke.xcb-render-0_0.rgb24 [0x1]: !!!CRASHED!!!
a1-clip-stroke.xcb-fallback.rgb24 [0x1]: double free or corruption (out)
a1-clip-stroke.xcb-fallback.rgb24 [0x1]: !!!CRASHED!!!
[...]
It does not crash under valgrind. Instead, I get:
==27971== Conditional jump or move depends on uninitialised value(s)
==27971== at 0x4C2DDD1: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==27971== by 0x4F472DB: _cairo_ft_options_fini (cairo-ft-font.c:206)
==27971== by 0x4F472DB: _cairo_ft_font_face_destroy (cairo-ft-font.c:3156)
==27971== by 0x4E700A5: cairo_font_face_destroy (cairo-font-face.c:186)
==27971== by 0x4EF1AE4: _cairo_toy_font_face_fini (cairo-toy-font-face.c:216)
==27971== by 0x4EF1AE4: _cairo_toy_font_face_destroy (cairo-toy-font-face.c:371)
==27971== by 0x4E700A5: cairo_font_face_destroy (cairo-font-face.c:186)
==27971== by 0x4E717A9: _cairo_gstate_fini (cairo-gstate.c:197)
==27971== by 0x4E6C549: _cairo_default_context_fini (cairo-default-context.c:75)
==27971== by 0x4E6C549: _cairo_default_context_destroy (cairo-default-context.c:93)
==27971== by 0x1292C7: cairo_test_for_target (cairo-test.c:1414)
==27971== by 0x129FF5: _cairo_test_context_run_for_target (cairo-test.c:1555)
==27971== by 0x1267E7: _cairo_test_runner_draw (cairo-test-runner.c:255)
==27971== by 0x1267E7: main (cairo-test-runner.c:937)
==27971==
Git bisect says:
commit 37f9a5525da457226317d426e06c55d77da206c1
Author: Matthias Clasen <mclasen at redhat.com>
Date: Fri Jan 5 09:10:32 2018 -0500
Don't leak memory in font options
The cairo_font_options_t struct may now contain allocated
memory, so call fini whenever we are about to let go of an
embedded cairo_font_options_t struct.
This is not all that surprising and basically confirms what valgrind already
said. However, at this point I'm out of ideas.
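The bisected commit makes an embedded options struct own heap memory, and the valgrind trace shows free() acting on a value that was never initialised. As an added C illustration (not cairo's code; `options_t` and its functions are hypothetical stand-ins for `cairo_font_options_t`), this is the init/fini/copy discipline that keeps such a struct to exactly one free: initialise before first use, make fini idempotent, and deep-copy instead of assigning the struct.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for an options struct that now owns heap memory
 * (a simplification, not cairo's real cairo_font_options_t). */
typedef struct {
    int   antialias;
    char *variations;   /* heap-allocated string, or NULL */
} options_t;
/* Must run before the options are used or finalised: free() on a pointer field
 * nobody set is what valgrind flags as "depends on uninitialised value(s)". */
static void options_init(options_t *o) {
    o->antialias = 0;
    o->variations = NULL;
}
static int options_set_variations(options_t *o, const char *v) {
    size_t n = v ? strlen(v) + 1 : 0;
    char *copy = n ? malloc(n) : NULL;
    if (n && !copy) return -1;
    if (n) memcpy(copy, v, n);
    free(o->variations);        /* release any previous value */
    o->variations = copy;
    return 0;
}
/* Idempotent fini: nulling the pointer turns a second fini into a no-op. */
static void options_fini(options_t *o) {
    free(o->variations);
    o->variations = NULL;
}
/* Deep copy: plain struct assignment would leave two owners of one block,
 * and finalising both embedding structs would then free it twice. */
static int options_copy(options_t *dst, const options_t *src) {
    options_init(dst);
    dst->antialias = src->antialias;
    return options_set_variations(dst, src->variations);
}
/* Exercises both hazards; returns 1 when every fini path frees exactly once. */
static int check_fini_paths(void) {
    options_t a, b;
    options_init(&a);
    if (options_set_variations(&a, "wght=700") != 0) return 0;
    if (options_copy(&b, &a) != 0) return 0;
    options_fini(&a);
    options_fini(&a);                        /* second fini is a no-op */
    int ok = a.variations == NULL && b.variations != NULL
          && strcmp(b.variations, "wght=700") == 0;
    options_fini(&b);                        /* b frees only its own copy */
    return ok && b.variations == NULL;
}
```

Running the same check under valgrind on a version of `options_fini` that omits the NULL reset, or on a struct that skipped `options_init`, reproduces the "uninitialised value" and double-free symptoms from the report.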