Crash on recursive mask which refers to itself
Bug #190130 reported by Lubomir Rintel
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Inkscape | Fix Released | High | Unassigned |
Bug Description
Inkscape dumps core when attempting to open 384637-1.svg from Firefox crash tests. Traces back somewhere to boehm-gc.
Changed in inkscape:
importance: Undecided → High
status: New → Confirmed
tags: added: crash

Changed in inkscape:
status: Fix Committed → Fix Released
```
(gdb) bt
#0  0x0000003d10c178b6 in GC_clear_stack_inner (arg=0x4ebfc80, limit=0x7fffc1347d20 <Address 0x7fffc1347d20 out of bounds>) at misc.c:243
#1  0x0000003d10c178cb in GC_clear_stack_inner (arg=0x4ebfc80, limit=0x7fffc1347d20 <Address 0x7fffc1347d20 out of bounds>) at misc.c:245
#2  0x0000003d10c1794b in GC_clear_stack (arg=0x4ebfc80) at misc.c:291
#3  0x00000000007d93c1 in NRObject::alloc (type=7) at ./gc-core.h:74
#4  0x00000000004b307d in sp_shape_show (item=0x1800060, arena=0x1186f00) at libnr/nr-object.h:115
#5  0x00000000004976b8 in sp_item_invoke_show (item=0x1800060, arena=0x1186f00, key=84190, flags=2) at sp-item.cpp:964
#6  0x000000000049bda8 in sp_mask_show (mask=0x17fd840, arena=0x1186f00, key=84190) at sp-mask.cpp:318
#7  0x0000000000497852 in sp_item_invoke_show (item=0x1800060, arena=0x1186f00, key=<value optimized out>, flags=<value optimized out>) at sp-item.cpp:1001
#8  0x000000000049bda8 in sp_mask_show (mask=0x17fd840, arena=0x1186f00, key=84187) at sp-mask.cpp:318
#9  0x0000000000497852 in sp_item_invoke_show (item=0x1800060, arena=0x1186f00, key=<value optimized out>, flags=<value optimized out>) at sp-item.cpp:1001
#10 0x000000000049bda8 in sp_mask_show (mask=0x17fd840, arena=0x1186f00, key=84184) at sp-mask.cpp:318
#11 0x0000000000497852 in sp_item_invoke_show (item=0x1800060, arena=0x1186f00, key=<value optimized out>, flags=<value optimized out>) at sp-item.cpp:1001
#12 0x000000000049bda8 in sp_mask_show (mask=0x17fd840, arena=0x1186f00, key=84181) at sp-mask.cpp:318
#13 0x0000000000497852 in sp_item_invoke_show (item=0x1800060, arena=0x1186f00, key=<value optimized out>, flags=<value optimized out>) at sp-item.cpp:1001
#14 0x000000000049bda8 in sp_mask_show (mask=0x17fd840, arena=0x1186f00, key=84178) at sp-mask.cpp:318
#15 0x0000000000497852 in sp_item_invoke_show (item=0x1800060, arena=0x1186f00, key=<value optimized out>, flags=<value optimized out>) at sp-item.cpp:1001
#16 0x000000000049bda8 in sp_mask_show (mask=0x17fd840, arena=0x1186f00, key=84175) at sp-mask.cpp:318
...
(gdb) l
238     /*ARGSUSED*/
239     void * GC_clear_stack_inner(void *arg, ptr_t limit)
240     {
241         word dummy[CLEAR_SIZE];
242
243         BZERO(dummy, CLEAR_SIZE*sizeof(word));
244         if ((ptr_t)(dummy) COOLER_THAN limit) {
245             (void) GC_clear_stack_inner(arg, limit);
246         }
247         /* Make sure the recursive call is not a tail call, and the bzero */
(gdb)
```
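The backtrace shows `sp_mask_show` and `sp_item_invoke_show` calling each other for the same item (`item=0x1800060`, `mask=0x17fd840`) until the stack is exhausted inside the collector: a mask whose content is itself masked by the same mask is resolved by recursing into it, with nothing to stop the loop. The defensive fix for this class of bug is to treat `url(#id)` references as a graph and refuse to render a document whose mask references form a cycle. The following is an added example, not Inkscape's code and not the fix that was committed for this bug; it uses Python's `xml.etree` on three constructed SVG documents (the element and attribute names are standard SVG, the sample ids `m`, `a` and `b` are made up) and finds direct and indirect cycles with a depth-first walk that tracks the current path.

```python
"""Detect reference cycles among SVG <mask> elements before rendering.

Added example (not Inkscape code): a renderer that resolves mask="url(#id)"
by recursing into the referenced <mask> and rendering its children recurses
forever when a mask refers, directly or through other masks, to itself.
Walking the reference graph first with a visited set turns that into an
error the caller can report instead of a crash.
"""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
URL_REF = re.compile(r"url\(\s*#([^)\s]+)\s*\)")

# Constructed sample: mask "m" contains a rect that is itself masked by "m".
SELF_REFERENTIAL_SVG = """<svg xmlns="http://www.w3.org/2000/svg">
  <defs>
    <mask id="m"><rect width="10" height="10" mask="url(#m)"/></mask>
  </defs>
  <rect width="100" height="100" mask="url(#m)"/>
</svg>"""

# Constructed sample: a -> b -> a through two masks.
INDIRECT_CYCLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg">
  <defs>
    <mask id="a"><rect width="10" height="10" mask="url(#b)"/></mask>
    <mask id="b"><circle r="5" mask="url(#a)"/></mask>
  </defs>
  <rect width="100" height="100" mask="url(#a)"/>
</svg>"""

# Constructed sample: well-formed, mask "m" refers to no other mask.
ACYCLIC_SVG = """<svg xmlns="http://www.w3.org/2000/svg">
  <defs>
    <mask id="m"><rect width="10" height="10" fill="white"/></mask>
  </defs>
  <rect width="100" height="100" mask="url(#m)"/>
</svg>"""


def mask_reference_graph(svg_text):
    """Map each <mask id> to the set of mask ids referenced anywhere beneath it."""
    root = ET.fromstring(svg_text)
    graph = {}
    for mask in root.iter(f"{{{SVG_NS}}}mask"):
        mask_id = mask.get("id")
        if mask_id is None:
            continue
        refs = set()
        for el in mask.iter():           # includes the mask element itself
            value = el.get("mask")
            if value:
                refs.update(URL_REF.findall(value))
        graph[mask_id] = refs
    return graph


def find_mask_cycle(svg_text):
    """Return the ids along the first reference cycle found, or None if acyclic."""
    graph = mask_reference_graph(svg_text)
    WHITE, GREY, BLACK = 0, 1, 2   # unvisited, on the current path, finished
    colour = {node: WHITE for node in graph}

    def visit(node, path):
        colour[node] = GREY
        path.append(node)
        for ref in sorted(graph.get(node, ())):
            if ref not in graph:          # dangling reference: not a cycle
                continue
            if colour[ref] == GREY:       # back edge: the cycle closes at ref
                return path[path.index(ref):] + [ref]
            if colour[ref] == WHITE:
                found = visit(ref, path)
                if found:
                    return found
        path.pop()
        colour[node] = BLACK
        return None

    for node in graph:
        if colour[node] == WHITE:
            found = visit(node, [])
            if found:
                return found
    return None


def is_safe_to_render(svg_text):
    """True when no mask can be reached from itself through mask references."""
    return find_mask_cycle(svg_text) is None


if __name__ == "__main__":
    for name, doc in [("self", SELF_REFERENTIAL_SVG),
                      ("indirect", INDIRECT_CYCLE_SVG),
                      ("ok", ACYCLIC_SVG)]:
        print(name, find_mask_cycle(doc))
```

The check is cheap (linear in the number of masks and references) and runs once per document load, so it can sit in front of the renderer rather than inside the per-item show path that recursed in the trace. The same walk applies to `clip-path`, `filter` and `<use href>` references, which can form the same kind of loop.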