Infrequent crash when redrawing the screen with wxWidgets


I'm getting a very infrequent (once every 10-15 days) crash of my application. Based on the core dump backtrace, it's crashing while redrawing the UI during the function cairo_pattern_destroy.

wxWidgets version 2.95, cairo version 1.8.0, Fedora Core 10, LXDE window manager

Here is the full backtrace for one of the crashes. I have 3 of them and they all end at __libc_free in cairo_pattern_destroy. If anyone has any suggestions it would be greatly appreciated.

#0  __libc_free (mem=0x7) at malloc.c:3599
3599      if (chunk_is_mmapped(p))                       /* release mmapped memory. */
(gdb) bt
#0  __libc_free (mem=0x7) at malloc.c:3599
#1  0x00ff76d6 in cairo_pattern_destroy (pattern=0xc7b5088)
    at cairo-pattern.c:738
#2  0x00fe7a5d in _cairo_gstate_fini (gstate=0xd20bc00) at cairo-gstate.c:204
#3  0x00fe7a98 in _cairo_gstate_restore (gstate=0x0, freelist=0xdb2e1f4)
    at cairo-gstate.c:260
#4  0x00fe1ffd in cairo_restore (cr=0xdb2e070) at cairo.c:363
#5  0x07881fe2 in gdk_pango_renderer_draw_glyphs (renderer=0xc50d800, 
    font=0xa29d808, glyphs=0xceed960, x=129024, y=91136) at gdkpango.c:247
#6  0x07d345ea in pango_renderer_draw_glyphs (renderer=0xc50d800, 
    font=0xa29d808, glyphs=0xceed960, x=129024, y=91136)
    at pango-renderer.c:639
#7  0x07d3466e in pango_renderer_default_draw_glyph_item (renderer=0xc50d800, 
    text=0xd411b00 "Pause", glyph_item=0xb2e11d80, x=129024, y=91136)
    at pango-renderer.c:715
#8  0x07d3455a in pango_renderer_draw_glyph_item (renderer=0xc50d800, 
    text=0xd411b00 "Pause", glyph_item=0xb2e11d80, x=129024, y=91136)
    at pango-renderer.c:703
#9  0x07d34dd3 in pango_renderer_draw_layout_line (renderer=0xc50d800, 
    line=0xd242648, x=129024, y=91136) at pango-renderer.c:568
#10 0x07d350e1 in pango_renderer_draw_layout (renderer=0xc50d800, 
    layout=0xd5a5e10, x=129024, y=77824) at pango-renderer.c:192
#11 0x07880f11 in IA__gdk_draw_layout_with_colors (drawable=0xc690580, 
    gc=0xa26f050, x=126, y=76, layout=0xd5a5e10, foreground=0x0, 
    background=0x0) at gdkpango.c:951
#12 0x078810c1 in IA__gdk_draw_layout (drawable=0xc690580, gc=0xa26f050, 
    x=126, y=76, layout=0xd5a5e10) at gdkpango.c:1013
#13 0x07a96e92 in gtk_default_draw_layout (style=0xa360500, window=0xc690580, 
    state_type=GTK_STATE_INSENSITIVE, use_text=0, area=0xcdf165c, 
    widget=0xd7afa60, detail=0x7c42081 "label", x=126, y=76, layout=0xda63110)
    at gtkstyle.c:5084
#14 0x07a92fa2 in IA__gtk_paint_layout (style=0xa360500, window=0xc690580, 
    state_type=GTK_STATE_INSENSITIVE, use_text=0, area=0xcdf165c, 
    widget=0xd7afa60, detail=0x7c42081 "label", x=126, y=76, layout=0xda63110)
    at gtkstyle.c:6401
#15 0x07a0ea9c in gtk_label_expose (widget=0xd7afa60, event=0xcdf1650)
    at gtklabel.c:2848
#16 0x07a1e116 in _gtk_marshal_BOOLEAN__BOXED (closure=0xa1daae8, 
    return_value=0xbfae5910, n_param_values=2, param_values=0xdb00740, 
    invocation_hint=0xbfae58fc, marshal_data=0x7a0e990) at gtkmarshalers.c:84
#17 0x05a80959 in g_type_class_meta_marshal (closure=0xa1daae8, 
    return_value=0xbfae5910, n_param_values=2, param_values=0xdb00740, 
    invocation_hint=0xbfae58fc, marshal_data=0xc8) at gclosure.c:878
#18 0x05a82108 in IA__g_closure_invoke (closure=0xa1daae8, 
    return_value=0xbfae5910, n_param_values=2, param_values=0xdb00740, 
    invocation_hint=0xbfae58fc) at gclosure.c:767
#19 0x05a982cd in signal_emit_unlocked_R (node=0xa1dabe0, detail=0, 
    instance=0xd7afa60, emission_return=0xbfae5a48, 
    instance_and_params=0xdb00740) at gsignal.c:3282
#20 0x05a99bbb in IA__g_signal_emit_valist (instance=0xd7afa60, signal_id=38, 
    detail=0, var_args=0xbfae5aa0 "�Z��P\026�\f`�z\r�\225�\a`�z\rho\035\n")
    at gsignal.c:2987
#21 0x05a9a1b6 in IA__g_signal_emit (instance=0xd7afa60, signal_id=38, 
    detail=0) at gsignal.c:3034
#22 0x07b333ae in gtk_widget_event_internal (widget=0xd7afa60, event=0xcdf1650)
    at gtkwidget.c:4745
#23 0x079941a3 in IA__gtk_container_propagate_expose (container=0xc050930, 
    child=0xd7afa60, event=0xda6fdf8) at gtkcontainer.c:2687
#24 0x079941d1 in gtk_container_expose_child (child=0xd7afa60, 
    client_data=0xbfae5b68) at gtkcontainer.c:2575
#25 0x0795e61d in gtk_bin_forall (container=0xc050930, include_internals=1, 
    callback=0x79941b0 <gtk_container_expose_child>, callback_data=0xbfae5b68)
    at gtkbin.c:128
#26 0x07994d66 in IA__gtk_container_forall (container=0xc050930, 
    callback=0x79941b0 <gtk_container_expose_child>, callback_data=0xbfae5b68)
    at gtkcontainer.c:1455
#27 0x07996450 in gtk_container_expose (widget=0xc050930, event=0xda6fdf8)
    at gtkcontainer.c:2598
#28 0x079689b1 in gtk_button_expose (widget=0xc050930, event=0xda6fdf8)
    at gtkbutton.c:1348
#29 0x07a1e116 in _gtk_marshal_BOOLEAN__BOXED (closure=0xa1daae8, 
    return_value=0xbfae5d70, n_param_values=2, param_values=0xd6b2140, 
    invocation_hint=0xbfae5d5c, marshal_data=0x7968930) at gtkmarshalers.c:84
#30 0x05a80959 in g_type_class_meta_marshal (closure=0xa1daae8, 
    return_value=0xbfae5d70, n_param_values=2, param_values=0xd6b2140, 
    invocation_hint=0xbfae5d5c, marshal_data=0xc8) at gclosure.c:878
#31 0x05a82108 in IA__g_closure_invoke (closure=0xa1daae8, 
    return_value=0xbfae5d70, n_param_values=2, param_values=0xd6b2140, 
    invocation_hint=0xbfae5d5c) at gclosure.c:767
#32 0x05a982cd in signal_emit_unlocked_R (node=0xa1dabe0, detail=0, 
    instance=0xc050930, emission_return=0xbfae5ea8, 
    instance_and_params=0xd6b2140) at gsignal.c:3282
#33 0x05a99bbb in IA__g_signal_emit_valist (instance=0xc050930, signal_id=38, 
    detail=0, 
    var_args=0xbfae5f00 "\030_�����\r0\t\005\f�\225�\a0\t\005\fho\035\n")
    at gsignal.c:2987
#34 0x05a9a1b6 in IA__g_signal_emit (instance=0xc050930, signal_id=38, 
    detail=0) at gsignal.c:3034
#35 0x07b333ae in gtk_widget_event_internal (widget=0xc050930, event=0xda6fdf8)
    at gtkwidget.c:4745
#36 0x079941a3 in IA__gtk_container_propagate_expose (container=0xc010228, 
    child=0xc050930, event=0xbfae63f4) at gtkcontainer.c:2687
#37 0x079941d1 in gtk_container_expose_child (child=0xc050930, 
    client_data=0xbfae5fd8) at gtkcontainer.c:2575
#38 0x079d2f79 in gtk_fixed_forall (container=0xc010228, include_internals=1, 
    callback=0x79941b0 <gtk_container_expose_child>, callback_data=0xbfae5fd8)
    at gtkfixed.c:449
#39 0x07994d66 in IA__gtk_container_forall (container=0xc010228, 
    callback=0x79941b0 <gtk_container_expose_child>, callback_data=0xbfae5fd8)
    at gtkcontainer.c:1455
#40 0x07996450 in gtk_container_expose (widget=0xc010228, event=0xbfae63f4)
    at gtkcontainer.c:2598
#41 0x07a1e116 in _gtk_marshal_BOOLEAN__BOXED (closure=0xa1daae8, 
    return_value=0xbfae61b0, n_param_values=2, param_values=0xd1e88c8, 
    invocation_hint=0xbfae619c, marshal_data=0x79963b0) at gtkmarshalers.c:84
#42 0x05a80959 in g_type_class_meta_marshal (closure=0xa1daae8, 
    return_value=0xbfae61b0, n_param_values=2, param_values=0xd1e88c8, 
    invocation_hint=0xbfae619c, marshal_data=0xc8) at gclosure.c:878
#43 0x05a821db in IA__g_closure_invoke (closure=0xa1daae8, 
    return_value=0xbfae61b0, n_param_values=2, param_values=0xd1e88c8, 
    invocation_hint=0xbfae619c) at gclosure.c:767
#44 0x05a982cd in signal_emit_unlocked_R (node=0xa1dabe0, detail=0, 
    instance=0xc010228, emission_return=0xbfae62e8, 
    instance_and_params=0xd1e88c8) at gsignal.c:3282
#45 0x05a99bbb in IA__g_signal_emit_valist (instance=0xc010228, signal_id=38, 
    detail=0, 
    var_args=0xbfae6340 "Xc���c��(\002\001\f�\225�\a(\002\001\fho\035\n")
    at gsignal.c:2987
#46 0x05a9a1b6 in IA__g_signal_emit (instance=0xc010228, signal_id=38, 
    detail=0) at gsignal.c:3034
#47 0x07b333ae in gtk_widget_event_internal (widget=0xc010228, 
    event=0xbfae63f4) at gtkwidget.c:4745
#48 0x07a1821d in IA__gtk_main_do_event (event=0xbfae63f4) at gtkmain.c:1553
#49 0x07892625 in gdk_window_process_updates_internal (window=0xc690580)
    at gdkwindow.c:2598
#50 0x07892c3f in IA__gdk_window_process_all_updates () at gdkwindow.c:2664
#51 0x07994eff in gtk_container_idle_sizer (data=0x0) at gtkcontainer.c:1309
#52 0x078760cb in gdk_threads_dispatch (data=0xc935530) at gdk.c:473
#53 0x066122d1 in g_idle_dispatch (source=0xd663908, callback=0xffffffff, 
    user_data=0xc935530) at gmain.c:4235
#54 0x06614208 in g_main_dispatch () at gmain.c:2144
#55 IA__g_main_context_dispatch (context=0xa1d5508) at gmain.c:2697
#56 0x066178b3 in g_main_context_iterate (context=0xa1d5508, block=1, 
    dispatch=1, self=0xa1ba5e0) at gmain.c:2778
#57 0x06617dd2 in IA__g_main_loop_run (loop=0xbb03cc0) at gmain.c:2986
#58 0x07a18489 in IA__gtk_main () at gtkmain.c:1200
#59 0x006b333d in wxGUIEventLoop::DoRun ()
   from /usr/local/lib/libwx_gtk2u_core-2.9.so.5
Tags: wxwidgets, fedora, cairo
asked on Stack Overflow Jul 21, 2014 by Caleb

1 Answer


This is an old question, so no one may actually be interested in the answer. I ran into this on an older version of Fedora 10 LXDE, with a very similar stack trace, and a crash in the same place. This turns out to be a design problem with Cairo 1.8.0.

Looking at frame 1 in my case, I see the following code:

734     i = solid_pattern_cache.size++ %
735         ARRAY_LENGTH (solid_pattern_cache.patterns);
736     /* swap an old pattern for this 'cache-hot' pattern */
737     if (solid_pattern_cache.patterns[i])
738         free (solid_pattern_cache.patterns[i]);
739 
740     solid_pattern_cache.patterns[i] = (cairo_solid_pattern_t *) pattern;

They are using a counter with modular arithmetic to form the index into a fixed size cache. The counter is declared as a signed integer:

(gdb) ptype solid_pattern_cache
type = struct {
    cairo_solid_pattern_t *patterns[4];
    int size;
}

In my case, the counter has overflowed, resulting in a negative index into the cache. This results in attempting to free a random address.

(gdb) p solid_pattern_cache
$2 = {patterns = {0xb441b5e0, 0xb4983688, 0xb495bf58, 0xb3978388}, 
  size = -2147483644}

(gdb) p /x solid_pattern_cache.size
$4 = 0x80000004

It's not clear to me why an unsigned counter was not used instead.

answered on Stack Overflow Jul 16, 2019 by Tom
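The overflow the answer describes, as an added example that is not part of the answer or of cairo's code: it mirrors the cache layout from the ptype output and the post-increment-then-modulo index arithmetic of line 734, starts the signed counter at INT_MIN + 3 so that the increment leaves it at the 0x80000004 gdb printed, and puts the unsigned counter the answer asks about beside it. The int cast in ARRAY_LENGTH is reproduced deliberately, since it is what keeps the modulo signed; reaching INT_MIN by incrementing past INT_MAX is undefined behaviour in C, which is why the example sets the value directly rather than counting up to it.

```c
#include <limits.h>
#include <stdio.h>

/* Same shape as cairo's macro: the cast to int makes "int % length" signed. */
#define ARRAY_LENGTH(a) ((int) (sizeof (a) / sizeof ((a)[0])))

/* Layout from the answer's "ptype solid_pattern_cache" output. */
struct signed_cache   { void *patterns[4]; int size; };
/* The same cache with the counter the answer suggests instead. */
struct unsigned_cache { void *patterns[4]; unsigned size; };

/* Index computed the way cairo-pattern.c:734 does it. With size < 0 the
 * C remainder is negative or zero, so the slot can lie before the array. */
int signed_slot(struct signed_cache *c)
{
    return c->size++ % ARRAY_LENGTH(c->patterns);
}

/* Unsigned counter: wraps to 0 at UINT_MAX, and the remainder is always in
 * [0, length), so the slot can never leave the array. */
unsigned unsigned_slot(struct unsigned_cache *c)
{
    return c->size++ % (unsigned) ARRAY_LENGTH(c->patterns);
}

/* Bounds check a slot value before it is used to index a cache of len entries. */
int slot_out_of_bounds(long slot, int len)
{
    return slot < 0 || slot >= (long) len;
}

int main(void)
{
    /* One step before the 0x80000004 seen in gdb: the crash-time value. */
    struct signed_cache c = { { 0 }, INT_MIN + 3 };
    int slot = signed_slot(&c);
    printf("signed:   slot %d (out of bounds: %d), size now 0x%08x\n",
           slot, slot_out_of_bounds(slot, ARRAY_LENGTH(c.patterns)),
           (unsigned) c.size);

    struct unsigned_cache u = { { 0 }, 0x80000003u };
    unsigned uslot = unsigned_slot(&u);
    printf("unsigned: slot %u (out of bounds: %d), size now 0x%08x\n",
           uslot, slot_out_of_bounds(uslot, ARRAY_LENGTH(u.patterns)), u.size);
    return 0;
}
```

With the signed counter the slot is -1, i.e. patterns[-1], whatever happens to sit just before the array; with the unsigned counter the same bit pattern yields slot 3.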

User contributions licensed under CC BY-SA 3.0