<html>
<head>
<base href="https://bugs.freedesktop.org/">
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - Double free or corruption"
href="https://bugs.freedesktop.org/show_bug.cgi?id=104616">104616</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>Double free or corruption
</td>
</tr>
<tr>
<th>Product</th>
<td>cairo
</td>
</tr>
<tr>
<th>Version</th>
<td>unspecified
</td>
</tr>
<tr>
<th>Hardware</th>
<td>Other
</td>
</tr>
<tr>
<th>OS</th>
<td>All
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>medium
</td>
</tr>
<tr>
<th>Component</th>
<td>freetype font backend
</td>
</tr>
<tr>
<th>Assignee</th>
<td>david@freetype.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>psychon@znc.in
</td>
</tr>
<tr>
<th>QA Contact</th>
<td>cairo-bugs@cairographics.org
</td>
</tr></table>
<p>
<div>
<pre>$ (make -j8 && cd test && CAIRO_TEST_TARGET=xcb DISPLAY=:2 ./cairo-test-suite a1-clip-stroke a1-clip-paint)
[...]
TESTING a1-clip-stroke
a1-clip-stroke.xcb.argb32 [0x1]: !!!CRASHED!!!
a1-clip-stroke.xcb.rgb24 [0x1]: double free or corruption (out)
a1-clip-stroke.xcb.rgb24 [0x1]: !!!CRASHED!!!
a1-clip-stroke.xcb-window.rgb24 [0x1]: double free or corruption (out)
a1-clip-stroke.xcb-window.rgb24 [0x1]: !!!CRASHED!!!
a1-clip-stroke.xcb-window&.rgb24 [0x1]: double free or corruption (out)
a1-clip-stroke.xcb-window&.rgb24 [0x1]: !!!CRASHED!!!
a1-clip-stroke.xcb-render-0_0.argb32 [0x1]: double free or corruption (out)
a1-clip-stroke.xcb-render-0_0.argb32 [0x1]: !!!CRASHED!!!
a1-clip-stroke.xcb-render-0_0.rgb24 [0x1]: double free or corruption (out)
a1-clip-stroke.xcb-render-0_0.rgb24 [0x1]: !!!CRASHED!!!
a1-clip-stroke.xcb-fallback.rgb24 [0x1]: double free or corruption (out)
a1-clip-stroke.xcb-fallback.rgb24 [0x1]: !!!CRASHED!!!
[...]

It does not crash under valgrind. Instead, I get:

==27971== Conditional jump or move depends on uninitialised value(s)
==27971==    at 0x4C2DDD1: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==27971==    by 0x4F472DB: _cairo_ft_options_fini (cairo-ft-font.c:206)
==27971==    by 0x4F472DB: _cairo_ft_font_face_destroy (cairo-ft-font.c:3156)
==27971==    by 0x4E700A5: cairo_font_face_destroy (cairo-font-face.c:186)
==27971==    by 0x4EF1AE4: _cairo_toy_font_face_fini (cairo-toy-font-face.c:216)
==27971==    by 0x4EF1AE4: _cairo_toy_font_face_destroy (cairo-toy-font-face.c:371)
==27971==    by 0x4E700A5: cairo_font_face_destroy (cairo-font-face.c:186)
==27971==    by 0x4E717A9: _cairo_gstate_fini (cairo-gstate.c:197)
==27971==    by 0x4E6C549: _cairo_default_context_fini (cairo-default-context.c:75)
==27971==    by 0x4E6C549: _cairo_default_context_destroy (cairo-default-context.c:93)
==27971==    by 0x1292C7: cairo_test_for_target (cairo-test.c:1414)
==27971==    by 0x129FF5: _cairo_test_context_run_for_target (cairo-test.c:1555)
==27971==    by 0x1267E7: _cairo_test_runner_draw (cairo-test-runner.c:255)
==27971==    by 0x1267E7: main (cairo-test-runner.c:937)
==27971==

Git bisect says:

commit 37f9a5525da457226317d426e06c55d77da206c1
Author: Matthias Clasen <<a href="mailto:mclasen@redhat.com">mclasen@redhat.com</a>>
Date:   Fri Jan 5 09:10:32 2018 -0500

    Don't leak memory in font options

    The cairo_font_options_t struct may now contain allocated
    memory, so call fini whenever we are about to let go of an
    embedded cairo_font_options_t struct.

This is not all that surprising and basically confirms what valgrind already
said. However, at this point I'm out of ideas.</pre>
</div>
</p>
</body>
</html>