[apport] evolution crashed with SIGSEGV during print

Bug #83744 reported by Charles
Affects             Status        Importance  Assigned to          Milestone
libcairo            Fix Released  Critical
libcairo (Ubuntu)   Fix Released  Medium      Ubuntu Desktop Bugs

Bug Description

Binary package hint: evolution

When I select to print a message, Evolution crashes. I can just see the printing dialog appear.

ProblemType: Crash
CrashCounter: 1
Date: Wed Feb 7 12:59:41 2007
Dependencies:

DistroRelease: Ubuntu 7.04
ExecutablePath: /usr/bin/evolution
InterpreterPath: /usr/bin/evolution-2.10
Package: evolution 2.9.6-0ubuntu1
ProcCmdline: evolution --component=mail
ProcCwd: /home/cbovy
ProcEnviron:
 SHELL=/bin/bash
 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11:/usr/games
 LANG=en_US.UTF-8
Signal: 11
SourcePackage: evolution
StacktraceTop:
 ?? () from /usr/lib/libcairo.so.2
 ?? ()
 ?? ()
 ?? ()
 ?? () from /usr/lib/libgthread-2.0.so.0
Uname: Linux radiation 2.6.20-5-generic #2 SMP Sat Jan 6 14:50:47 UTC 2007 i686 GNU/Linux
UserGroups: adm admin audio cdrom dialout dip floppy lpadmin plugdev scanner scard video

Revision history for this message
In , Sebastien Bacher (seb128) wrote :

That bug has been opened on https://launchpad.net/bugs/83744

"Binary package hint: evolution

When I select to print a message, Evolution crashes. I can just see the printing dialog appear.
...
"

Debug backtrace for the crash:

711 cairo_matrix_transform_point (&gstate->target->device_transform_inverse, x, y);
(gdb) bt full
#0 0xb75e53bd in _cairo_gstate_backend_to_user (gstate=0x0, x=0xbfc9e508, y=0xbfc9e500)
    at /build/buildd/libcairo-1.3.12/src/cairo-gstate.c:711
No locals.
#1 0xb75ddd38 in *INT_cairo_get_current_point (cr=0x87c7dc0, x_ret=0x85238b8, y_ret=0x85238c0)
    at /build/buildd/libcairo-1.3.12/src/cairo.c:2828
        status = <value optimized out>
        x_fixed = 31928960
        y_fixed = 52340096
        x = 487.197265625
        y = 798.646484375
#2 0xb7684dab in _pango_cairo_do_glyph_string (cr=0x87c7dc0, font=0x85d2348, glyphs=0x8885120, do_path=0)
    at /build/buildd/pango1.0-1.15.5/./pango/pangocairo-render.c:482
        free_renderer = <value optimized out>
        crenderer = (PangoCairoRenderer *) 0x8523890
#3 0xb74cc060 in draw_glyphs (painter=0x88021f0, x=5648, y=11280, item=0x879b8a0, glyphs=0x8885120, fg=0x0, bg=0x0)
    at htmlprinter.c:632
        printer = (HTMLPrinter *) 0x88021f0
        print_x = 23.515625
        print_y = 11.015625
        log_rect = {x = 0, y = -11264, width = 439296, height = 14336}
        properties = {underline = 0, strikethrough = 0, fg_color = 0xb1e5663c, bg_color = 0x0}
        cr = (cairo_t *) 0x87c7dc0
#4 0xb74c9229 in html_painter_draw_glyphs (painter=0x88021f0, x=5648, y=11280, item=0x879b8a0, glyphs=0x8885120, fg=0x0,
    bg=0x0) at htmlpainter.c:637
No locals.
#5 0xb74e0b2d in draw (o=0x87b6d00, p=0x88021f0, x=-528, y=5104, width=525594, height=799744, tx=5648, ty=16)
    at htmltextslave.c:789
        owner = (HTMLText *) 0xb1e4d8a0
        paint = {x = 0, y = 5104, width = 439296, height = 9232}
#6 0xb74c4172 in html_object_draw (o=0x87b6d00, p=0x88021f0, x=-528, y=5104, width=525594, height=799744, tx=5648, ty=16)
    at htmlobject.c:1042
No locals.
#7 0xb74911b6 in draw (o=0xb1e4d7c8, p=0x88021f0, x=-528, y=1473520, width=525594, height=799744, tx=5648, ty=-1468400)
    at htmlclue.c:268
        obj = (HTMLObject *) 0x87b6d00
#8 0xb74950f1 in draw (self=0xb1e4d7c8, painter=0x88021f0, x=-528, y=1473520, width=525594, height=799744, tx=5648,
    ty=-1468400) at htmlclueflow.c:1371
No locals.
#9 0xb74c4172 in html_object_draw (o=0xb1e4d7c8, p=0x88021f0, x=-528, y=1473520, width=525594, height=799744, tx=5648,
    ty=-1468400) at htmlobject.c:1042
No locals.
#10 0xb74911b6 in draw (o=0xb1e41300, p=0x88021f0, x=-528, y=1473520, width=525594, height=799744, tx=5648, ty=-1468400)
    at htmlclue.c:268
        obj = (HTMLObject *) 0xb1e4d7c8
...

From gdb on frame 1:

(gdb) p *cr
$1 = {ref_count = 1, status = CAIRO_STATUS_INVALID_RESTORE, path = {op_buf_head = 0x886f9f0, op_buf_tail = 0x886f9f0,
    arg_buf_head = 0x888e598, arg_buf_tail = 0x888e598, last_move_point = {x = 31928960, y = 52340096}, current_point = {
      x = 31928960, y = 52340096}, has_current_point = 1, has_curve_to = 0}, gstate = 0x0}

Revision history for this message
Daniel Holbach (dholbach) wrote :

Thread 1 (process 19061):
#0 0xb75e53bd in _cairo_gstate_backend_to_user (gstate=0x0, x=0xbfc9e508, y=0xbfc9e500) at /build/buildd/libcairo-1.3.12/src/cairo-gstate.c:711
No locals.
#1 0xb75ddd38 in *INT_cairo_get_current_point (cr=0x87c7dc0, x_ret=0x85238b8, y_ret=0x85238c0) at /build/buildd/libcairo-1.3.12/src/cairo.c:2828
        status = <value optimized out>
        x_fixed = 31928960
        y_fixed = 52340096
        x = 487.197265625
        y = 798.646484375
#2 0xb7684dab in ?? () from /usr/lib/libpangocairo-1.0.so.0

Revision history for this message
Daniel Holbach (dholbach) wrote :

In #1:
(gdb) print cr->gstate
$1 = (cairo_gstate_t *) 0x0
(gdb)

_cairo_gstate_backend_to_user (cairo_gstate_t *gstate, double *x, double *y) can't deal with that.

Unfortunately I can't get debug symbols for /usr/lib/libpangocairo-1.0.so.0 so I can't find out if it's a cairo or pango problem.

Which version of libpango1.0-0 do you have? Is this reproducible?

Changed in evolution:
importance: Undecided → Medium
status: Unconfirmed → Confirmed
Revision history for this message
Sebastien Bacher (seb128) wrote :

I've opened a bug on libcairo about that: https://bugs.freedesktop.org/show_bug.cgi?id=9906

Changed in evolution:
assignee: nobody → desktop-bugs
Revision history for this message
Sebastien Bacher (seb128) wrote :

Debug backtrace:

711 cairo_matrix_transform_point (&gstate->target->device_transform_inverse, x, y);
(gdb) bt full
#0 0xb75e53bd in _cairo_gstate_backend_to_user (gstate=0x0, x=0xbfc9e508, y=0xbfc9e500)
    at /build/buildd/libcairo-1.3.12/src/cairo-gstate.c:711
No locals.
#1 0xb75ddd38 in *INT_cairo_get_current_point (cr=0x87c7dc0, x_ret=0x85238b8, y_ret=0x85238c0)
    at /build/buildd/libcairo-1.3.12/src/cairo.c:2828
        status = <value optimized out>
        x_fixed = 31928960
        y_fixed = 52340096
        x = 487.197265625
        y = 798.646484375
#2 0xb7684dab in _pango_cairo_do_glyph_string (cr=0x87c7dc0, font=0x85d2348, glyphs=0x8885120, do_path=0)
    at /build/buildd/pango1.0-1.15.5/./pango/pangocairo-render.c:482
        free_renderer = <value optimized out>
        crenderer = (PangoCairoRenderer *) 0x8523890
#3 0xb74cc060 in draw_glyphs (painter=0x88021f0, x=5648, y=11280, item=0x879b8a0, glyphs=0x8885120, fg=0x0, bg=0x0)
    at htmlprinter.c:632
        printer = (HTMLPrinter *) 0x88021f0
        print_x = 23.515625
        print_y = 11.015625
        log_rect = {x = 0, y = -11264, width = 439296, height = 14336}
        properties = {underline = 0, strikethrough = 0, fg_color = 0xb1e5663c, bg_color = 0x0}
        cr = (cairo_t *) 0x87c7dc0
#4 0xb74c9229 in html_painter_draw_glyphs (painter=0x88021f0, x=5648, y=11280, item=0x879b8a0, glyphs=0x8885120, fg=0x0,
    bg=0x0) at htmlpainter.c:637
No locals.
#5 0xb74e0b2d in draw (o=0x87b6d00, p=0x88021f0, x=-528, y=5104, width=525594, height=799744, tx=5648, ty=16)
    at htmltextslave.c:789
        owner = (HTMLText *) 0xb1e4d8a0
        paint = {x = 0, y = 5104, width = 439296, height = 9232}
#6 0xb74c4172 in html_object_draw (o=0x87b6d00, p=0x88021f0, x=-528, y=5104, width=525594, height=799744, tx=5648, ty=16)
    at htmlobject.c:1042
No locals.
#7 0xb74911b6 in draw (o=0xb1e4d7c8, p=0x88021f0, x=-528, y=1473520, width=525594, height=799744, tx=5648, ty=-1468400)
    at htmlclue.c:268
        obj = (HTMLObject *) 0x87b6d00
#8 0xb74950f1 in draw (self=0xb1e4d7c8, painter=0x88021f0, x=-528, y=1473520, width=525594, height=799744, tx=5648,
    ty=-1468400) at htmlclueflow.c:1371
No locals.
#9 0xb74c4172 in html_object_draw (o=0xb1e4d7c8, p=0x88021f0, x=-528, y=1473520, width=525594, height=799744, tx=5648,
    ty=-1468400) at htmlobject.c:1042
No locals.
#10 0xb74911b6 in draw (o=0xb1e41300, p=0x88021f0, x=-528, y=1473520, width=525594, height=799744, tx=5648, ty=-1468400)
    at htmlclue.c:268
        obj = (HTMLObject *) 0xb1e4d7c8

From gdb on frame 1:

(gdb) p *cr
$1 = {ref_count = 1, status = CAIRO_STATUS_INVALID_RESTORE, path = {op_buf_head = 0x886f9f0, op_buf_tail = 0x886f9f0,
    arg_buf_head = 0x888e598, arg_buf_tail = 0x888e598, last_move_point = {x = 31928960, y = 52340096}, current_point = {
      x = 31928960, y = 52340096}, has_current_point = 1, has_curve_to = 0}, gstate = 0x0}

Changed in libcairo:
status: Unknown → Confirmed
Revision history for this message
Charles (charles-bovy) wrote :

I'm using:

ii libcairo-perl 1.01-1 Perl interface to the Cairo graphics library
ii libcairo2 1.3.12-0ubuntu1 The Cairo 2D vector graphics library
ii libcairo2-dev 1.3.12-0ubuntu1 Development files for the Cairo 2D graphics
ii libcairomm-1.0-1 1.2.0-0ubuntu1 C++ wrappers for Cairo (shared libraries)
ii libmono-cairo1.0-cil 1.2.2.1-1ubuntu2 Mono Cairo library
ii libmono-cairo2.0-cil 1.2.2.1-1ubuntu2 Mono Cairo library
ii python-cairo 1.2.0-1build1 Python bindings for the Cairo vector graphic

Revision history for this message
In , Carl Worth (cworth) wrote :

(In reply to comment #0)
> (gdb) p *cr
> $1 = {ref_count = 1, status = CAIRO_STATUS_INVALID_RESTORE, path = {op_buf_head
> = 0x886f9f0, op_buf_tail = 0x886f9f0,
> arg_buf_head = 0x888e598, arg_buf_tail = 0x888e598, last_move_point = {x =
> 31928960, y = 52340096}, current_point = {
> x = 31928960, y = 52340096}, has_current_point = 1, has_curve_to = 0},
> gstate = 0x0}

This part is very interesting. If you've hit an INVALID_RESTORE case then cairo_t should shut down and you shouldn't be able to get it to do anything after that anymore, (and especially not crash).

Could you break on _cairo_error which should show you where the INVALID_RESTORE is first happening, and then step through to see how you're getting from there to the crash?

Thanks,

-Carl

Revision history for this message
Sebastien Bacher (seb128) wrote :

Do you still get that problem?

Comment from upstream:

"(In reply to comment #0)
> (gdb) p *cr
> $1 = {ref_count = 1, status = CAIRO_STATUS_INVALID_RESTORE, path = {op_buf_head
> = 0x886f9f0, op_buf_tail = 0x886f9f0,
> arg_buf_head = 0x888e598, arg_buf_tail = 0x888e598, last_move_point = {x =
> 31928960, y = 52340096}, current_point = {
> x = 31928960, y = 52340096}, has_current_point = 1, has_curve_to = 0},
> gstate = 0x0}

This part is very interesting. If you've hit an INVALID_RESTORE case then
cairo_t should shut down and you shouldn't be able to get it to do anything
after that anymore, (and especially not crash).

Could you break on _cairo_error which should show you where the INVALID_RESTORE
is first happening, and then step through to see how you're getting from there
to the crash?

Thanks,

-Carl"

Revision history for this message
Charles (charles-bovy) wrote :

It seems that the problem is solved after an update using apt-get. I'll close the bug.

Revision history for this message
In , Carl Worth (cworth) wrote :

(In reply to comment #1)
> Could you break on _cairo_error which should show you where the INVALID_RESTORE
> is first happening, and then step through to see how you're getting from there
> to the crash?

Oh, never mind. It's clear enough from the existing backtrace already. Any INVALID_RESTORE condition was leaving a NULL gstate and almost any cairo_get_* call would dereference that and trigger the crash.

I augmented cairo's test suite to exercise the crash, then I fixed the bug.

You can see the commit I just pushed out here:

http://gitweb.freedesktop.org/?p=cairo;a=commitdiff;h=6da7f140334835be9a972db75de78d99b8bd24b1

This is currently available in cairo 1.3.15 as made available in git, and will be pushed out very shortly in the cairo 1.4 release.

Meanwhile, there's still a bug in evolution somewhere that's leading to the INVALID_RESTORE in the first place, (that is, calling cairo_restore without a matching call to cairo_save). This fix will prevent the crash, and will instead replace it with cairo simply refusing to draw anything after the invalid restore state. So you'll still want to fix that.

-Carl
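Carl's diagnosis above, as an added example that is not cairo's own code: a hypothetical miniature drawing context with a save/restore stack and a sticky error status, so that an unmatched restore shuts the context down and a later get_current_point returns the error instead of dereferencing a NULL gstate (the names ctx_t, ctx_save, ctx_restore, ctx_get_current_point and run_sequence are assumptions).

```c
#include <stdlib.h>

/* Hypothetical miniature of a cairo-like context (not cairo's real code):
 * a stack of graphics states plus a sticky error status. */
typedef enum { STATUS_SUCCESS = 0, STATUS_INVALID_RESTORE = 1 } status_t;

typedef struct gstate {
    double cur_x, cur_y;      /* current point */
    struct gstate *next;      /* saved state below this one */
} gstate_t;

typedef struct {
    status_t status;          /* once set, the context is shut down */
    gstate_t *gstate;         /* top of the save/restore stack */
} ctx_t;

static void ctx_save(ctx_t *cr) {
    if (cr->status) return;                 /* error is sticky: ignore call */
    gstate_t *top = malloc(sizeof *top);
    *top = *cr->gstate;
    top->next = cr->gstate;
    cr->gstate = top;
}

static void ctx_restore(ctx_t *cr) {
    if (cr->status) return;
    gstate_t *top = cr->gstate;
    if (top->next == NULL) {                /* restore without matching save */
        cr->status = STATUS_INVALID_RESTORE;
        return;   /* base gstate stays valid; pre-fix cairo left it NULL */
    }
    cr->gstate = top->next;
    free(top);
}

/* Accessors check status before touching gstate: an unbalanced caller gets
 * an error code rather than a NULL dereference. */
static status_t ctx_get_current_point(ctx_t *cr, double *x, double *y) {
    if (cr->status) return cr->status;
    *x = cr->gstate->cur_x;
    *y = cr->gstate->cur_y;
    return STATUS_SUCCESS;
}

/* Run `saves` saves, then `restores` restores, then query the current point
 * (the call that crashed in frame #1 of the backtrace); return its status. */
static status_t run_sequence(int saves, int restores) {
    ctx_t cr = { STATUS_SUCCESS, calloc(1, sizeof(gstate_t)) };
    double x, y;
    for (int i = 0; i < saves; i++) ctx_save(&cr);
    for (int i = 0; i < restores; i++) ctx_restore(&cr);
    status_t s = ctx_get_current_point(&cr, &x, &y);
    while (cr.gstate) { gstate_t *n = cr.gstate->next; free(cr.gstate); cr.gstate = n; }
    return s;
}
```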

Revision history for this message
In , Sebastien Bacher (seb128) wrote :

Thank you for fixing the bug, Carl. I didn't update the bug with the information you asked for because the Ubuntu bug submitter didn't reply to that question; he updated the bug to say it works fine for him now, though, which means the evolution hackers probably also fixed their part of the bug.

Revision history for this message
Sebastien Bacher (seb128) wrote :

The cairo bug is fixed upstream now.

Changed in libcairo:
status: Confirmed → Fix Committed
Changed in libcairo:
status: Confirmed → Fix Released
Revision history for this message
Sebastien Bacher (seb128) wrote :

This upload fixes the bug:

 libcairo (1.4.2-0ubuntu1) feisty; urgency=low
 .
   * New upstream version:
     - fix "evolution crashed with SIGSEGV during print" (Ubuntu: #83744)
     - fix "gnome-panel crashes in _cairo_pen_find_active_cw_vertex_index()
       when opening menu" (Ubuntu: #88605)
   * debian/patches/01_fix_directfb_build.dpatch:
     - dropped, fixed with the new version

Changed in libcairo:
status: Fix Committed → Fix Released
Changed in libcairo:
importance: Unknown → Critical