<html>
<head>
<base href="https://bugs.freedesktop.org/">
</head>
<body>
<p>
<div>
<b><a class="bz_bug_link
bz_status_NEW "
title="NEW - Assertion "(_cairo_atomic_int_get (&(&surface->ref_count)->ref_count) > 0)""
href="https://bugs.freedesktop.org/show_bug.cgi?id=91967#c16">Comment # 16</a>
on <a class="bz_bug_link
bz_status_NEW "
title="NEW - Assertion "(_cairo_atomic_int_get (&(&surface->ref_count)->ref_count) > 0)""
href="https://bugs.freedesktop.org/show_bug.cgi?id=91967">bug 91967</a>
from <span class="vcard"><a class="email" href="mailto:jskarvad@redhat.com" title="Jaroslav Škarvada <jskarvad@redhat.com>"> <span class="fn">Jaroslav Škarvada</span></a>
</span></b>
<pre>This problem is easy to hit with libwnck3 (because libwnck3 uses cairo, but
AFAIK libwnck2 didn't). It is reproducible if the application is quickly
changing icon. Then there is a race condition when cairo calls XShmGetImage in
cairo-xlib-surface.c:797 but the icon pixmap it is trying to get may not exist
in this time. So the XShmGetImage returns error invalid pixmap, then the
&image->base is destroyed on line 809. So far so good, but the &image->base is
then destroyed again on line 1014 which triggers the assert in
cairo_surface_destroy, because the reference count is 0 (so it would cause
double free). And the application linking with libwnck3 core dumps, here is
example backtrace:
Program terminated with signal SIGABRT, Aborted.
#0 0x00007f67f0e00a98 in __GI_raise (sig=sig@entry=6) at
../sysdeps/unix/sysv/linux/raise.c:55
55 return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);
[Current thread is 1 (Thread 0x7f67f485aa00 (LWP 9784))]
(gdb) bt
#0 0x00007f67f0e00a98 in __GI_raise (sig=sig@entry=6) at
../sysdeps/unix/sysv/linux/raise.c:55
#1 0x00007f67f0e0269a in __GI_abort () at abort.c:89
#2 0x00007f67f0df9227 in __assert_fail_base (fmt=<optimized out>,
assertion=assertion@entry=0x7f67f19997a8 "((*&(&surface->ref_count)->ref_count)
<span class="quote">> 0)", file=file@entry=0x7f67f19996a0 "cairo-surface.c", line=line@entry=953,</span >
function=function@entry=0x7f67f1999bf0 <__PRETTY_FUNCTION__.11260>
"cairo_surface_destroy") at assert.c:92
#3 0x00007f67f0df92d2 in __GI___assert_fail
(assertion=assertion@entry=0x7f67f19997a8
"((*&(&surface->ref_count)->ref_count) > 0)", file=file@entry=0x7f67f19996a0
"cairo-surface.c", line=line@entry=953, function=function@entry=0x7f67f1999bf0
<__PRETTY_FUNCTION__.11260> "cairo_surface_destroy") at assert.c:101
#4 0x00007f67f191ee12 in INT_cairo_surface_destroy
(surface=surface@entry=0x5618d0ca78f0) at cairo-surface.c:953
#5 0x00007f67f194e000 in _get_image_surface
(surface=surface@entry=0x5618d0c7cff0, extents=extents@entry=0x7ffff2922d40,
try_shm=try_shm@entry=1) at cairo-xlib-surface.c:1014
#6 0x00007f67f194ec73 in _cairo_xlib_surface_acquire_source_image
(abstract_surface=0x5618d0c7cff0, image_out=0x7ffff2922e00,
image_extra=<optimized out>) at cairo-xlib-surface.c:1403
#7 0x00007f67f191f6d4 in _cairo_surface_acquire_source_image
(surface=0x5618d0c7cff0, image_out=<optimized out>, image_extra=<optimized
out>) at cairo-surface.c:1973
#8 0x00007f67f18e7e52 in _pixman_image_for_pattern (iy=0x7ffff2922fd0,
ix=0x7ffff2922fc0, sample=0x7ffff2922fd0, extents=0x7ffff292372c,
is_mask=-225298644, pattern=0x7ffff2923770, dst=0xf568971204090700) at
cairo-image-source.c:1377
#9 0x00007f67f18e7e52 in _pixman_image_for_pattern
(dst=dst@entry=0x5618d0ca7760, pattern=pattern@entry=0x7ffff2923770,
is_mask=is_mask@entry=0, extents=extents@entry=0x7ffff292372c,
sample=sample@entry=0x7ffff2923750, tx=tx@entry=0x7ffff2922fc0,
ty=0x7ffff2922fd0) at cairo-image-source.c:1538
#10 0x00007f67f18e893e in _cairo_image_source_create_for_pattern
(dst=0x5618d0ca7760, pattern=0x7ffff2923770, is_mask=0, extents=0x7ffff292372c,
sample=0x7ffff2923750, src_x=0x7ffff2922fc0, src_y=0x7ffff2922fd0) at
cairo-image-source.c:1583
#11 0x00007f67f191c151 in clip_and_composite_boxes (boxes=0x7ffff2923460,
extents=0x7ffff29236f0, compositor=0x7f67f1bd6b60 <spans>) at
cairo-spans-compositor.c:678
#12 0x00007f67f191c151 in clip_and_composite_boxes
(compositor=compositor@entry=0x7f67f1bd6b60 <spans>,
extents=extents@entry=0x7ffff29236f0, boxes=boxes@entry=0x7ffff2923460)
at cairo-spans-compositor.c:882
#13 0x00007f67f191c75e in clip_and_composite_boxes (compositor=0x7f67f1bd6b60
<spans>, extents=0x7ffff29236f0, boxes=0x7ffff2923460) at
cairo-spans-compositor.c:901
#14 0x00007f67f191ca79 in _cairo_spans_compositor_mask
(_compositor=0x7f67f1bd6b60 <spans>, extents=0x7ffff29236f0) at
cairo-spans-compositor.c:999
#15 0x00007f67f18d7429 in _cairo_compositor_paint (compositor=0x7f67f1bd6b60
<spans>, surface=0x5618d0ca7760, op=<optimized out>, source=<optimized out>,
clip=<optimized out>)
at cairo-compositor.c:65
#16 0x00007f67f191f8b1 in _cairo_surface_paint (surface=0x5618d0ca7760,
op=CAIRO_OPERATOR_OVER, source=0x7ffff2923a30, clip=0x0) at
cairo-surface.c:2117
#17 0x00007f67f18df285 in _cairo_gstate_paint (gstate=0x5618d0a72e30) at
cairo-gstate.c:1067
#18 0x00007f67f18d1ea5 in INT_cairo_paint (cr=<optimized out>) at cairo.c:2003
#19 0x00007f67f4308ad0 in try_pixmap_and_mask
(screen=screen@entry=0x5618d08ba8b0, src_pixmap=src_pixmap@entry=48251092,
src_mask=src_mask@entry=48251093, iconp=iconp@entry=0x7ffff2923cd8,
ideal_width=ideal_width@entry=32, ideal_height=ideal_height@entry=32,
mini_iconp=0x7ffff2923ce0, ideal_mini_width=16, ideal_mini_height=16) at
xutils.c:1832
#20 0x00007f67f4309fa4 in _wnck_read_icons (ideal_mini_height=16,
ideal_mini_width=16, mini_iconp=0x7ffff2923ce0, ideal_height=32,
ideal_width=32, iconp=0x7ffff2923cd8, src_mask=48251093, src_pixmap=48251092,
screen=0x5618d08ba8b0) at xutils.c:2228
#21 0x00007f67f4309fa4 in _wnck_read_icons (screen=0x5618d08ba8b0,
xwindow=xwindow@entry=48235980, icon_cache=icon_cache@entry=0x5618d0a90340,
iconp=iconp@entry=0x7ffff2923cd8, ideal_width=ideal_width@entry=32,
ideal_height=ideal_height@entry=32, mini_iconp=0x7ffff2923ce0,
ideal_mini_width=16, ideal_mini_height=16) at xutils.c:2232
#22 0x00007f67f42ff90f in get_icons (window=window@entry=0x5618d0b18100
[WnckWindow]) at window.c:2109
#23 0x00007f67f43004af in force_update_now (window=0x5618d0b18100 [WnckWindow])
at window.c:3273
#24 0x00007f67f430175a in update_idle (data=0x5618d0b18100) at window.c:3301
#25 0x00007f67f1c22e3a in g_main_context_dispatch (context=0x5618d08bf460) at
gmain.c:3154
#26 0x00007f67f1c22e3a in g_main_context_dispatch
(context=context@entry=0x5618d08bf460) at gmain.c:3769
#27 0x00007f67f1c231d0 in g_main_context_iterate (context=0x5618d08bf460,
block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at
gmain.c:3840
#28 0x00007f67f1c234f2 in g_main_loop_run (loop=0x5618d0a896d0) at gmain.c:4034
#29 0x00007f67f3bc4325 in gtk_main () at gtkmain.c:1241
#30 0x00005618cfe959ef in main (argc=2, argv=0x7ffff2923ff8) at main.c:6027</pre>
</div>
</p>
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are the QA Contact for the bug.</li>
</ul>
</body>
</html>