[cairo] GIMP crashing with GTKDFB

Attilio Fiandrotti attilio.fiandrotti at gmail.com
Wed Oct 4 07:55:06 PDT 2006


Hi

Today I ran into a crash while testing the GIMP in a DirectFrameBuffer 
environment.
I was using GTK+ from cvs HEAD, cairo 1.4.2 and DFB 0.9.25.1 and I 
repeated tests rendering on both SDL and fb with the same result.
I can easily reproduce this bug by closing the fonts window just 
after GIMP has started.
I never ran into this before, I don't even know if this is really
related to cairodfb or gtkdfb or dfb or what else, but for sure it's a
crasher, at least on my system.
I wonder if this crash can be due to something in the gtk or glib core 
that causes crashes like [1].
Attached to this mail is some debugging information, please ask if you
need more debug data.

cheers

Attilio

[1] http://bugzilla.gnome.org/show_bug.cgi?id=357611

-------------- next part --------------
*** glibc detected *** corrupted double-linked list: 0xa77264f8 ***

Program received signal SIGABRT, Aborted.
[Switching to Thread -1492587776 (LWP 4565)]
0xffffe410 in __kernel_vsyscall ()


(gdb) i threads
  4 Thread -1518273616 (LWP 4570)  0xffffe410 in __kernel_vsyscall ()
  3 Thread -1505510480 (LWP 4569)  0xffffe410 in __kernel_vsyscall ()
  2 Thread -1496679504 (LWP 4568)  0xffffe410 in __kernel_vsyscall ()
* 1 Thread -1492587776 (LWP 4565)  0xffffe410 in __kernel_vsyscall ()


(gdb) bt
#0  0xffffe410 in __kernel_vsyscall ()
#1  0xa7620821 in raise () from /lib/tls/i686/cmov/libc.so.6
#2  0xa7621fb9 in abort () from /lib/tls/i686/cmov/libc.so.6
#3  0xa7655c4a in __fsetlocking () from /lib/tls/i686/cmov/libc.so.6
#4  0xa765bc9c in malloc_usable_size () from /lib/tls/i686/cmov/libc.so.6
#5  0xa765db78 in free () from /lib/tls/i686/cmov/libc.so.6
#6  0xa765f83f in malloc () from /lib/tls/i686/cmov/libc.so.6
#7  0xa793338b in _cairo_path_arg_buf_create () at cairo-path.c:462
#8  0xa7933203 in _cairo_path_fixed_add (path=0x8b38208, op=CAIRO_PATH_OP_MOVE_TO, points=0xaff09dec, num_points=1)
    at cairo-path.c:384
#9  0xa7932dce in _cairo_path_fixed_move_to (path=0x8b38208, x=0, y=0) at cairo-path.c:187
#10 0xa79281da in *INT_cairo_move_to (cr=0x8b38200, x=0, y=0) at cairo.c:1209
#11 0xa7928933 in cairo_rectangle (cr=0x8b38200, x=0, y=0, width=238, height=176) at cairo.c:1611
#12 0xa7a045c3 in IA__gdk_cairo_rectangle (cr=0x6, rectangle=0x0) at gdkcairo.c:90
#13 0xa7c32b05 in gtk_default_draw_focus (style=0xa4f80f00, window=0x8b2e2c0, state_type=GTK_STATE_NORMAL, area=0xaff0a76c,
    widget=0x87a28c0, detail=0x0, x=1, y=1, width=236, height=174) at gtkstyle.c:4586
#14 0xa7c2b799 in IA__gtk_paint_focus (style=0xa4f80f00, window=0x8b2e2c0, state_type=GTK_STATE_NORMAL, area=0xaff0a76c,
    widget=0x87a28c0, detail=0x0, x=1, y=1, width=236, height=174) at gtkstyle.c:6196
#15 0xa7cc1ca4 in gtk_tree_view_expose (widget=0x87a28c0, event=0xaff0a760) at gtktreeview.c:4005
#16 0xa7bae90a in _gtk_marshal_BOOLEAN__BOXED (closure=0x83b3e80, return_value=0xaff0a3a0, n_param_values=2,
    param_values=0xaff0a47c, invocation_hint=0xaff0a38c, marshal_data=0xa7cc0180) at gtkmarshalers.c:84
#17 0xa7872fe9 in g_type_class_meta_marshal (closure=0x83b3e80, return_value=0xaff0a3a0, n_param_values=2,
    param_values=0xaff0a47c, invocation_hint=0xaff0a38c, marshal_data=0xc8) at gclosure.c:567
#18 0xa7874a2b in IA__g_closure_invoke (closure=0x83b3e80, return_value=0xaff0a3a0, n_param_values=2,
    param_values=0xaff0a47c, invocation_hint=0xaff0a38c) at gclosure.c:490
#19 0xa788560f in signal_emit_unlocked_R (node=0x83b3f70, detail=0, instance=0x87a28c0, emission_return=0xaff0a63c,
    instance_and_params=0xaff0a47c) at gsignal.c:2476
#20 0xa78862a8 in IA__g_signal_emit_valist (instance=0x87a28c0, signal_id=36, detail=0,
---Type <return> to continue, or q <return> to quit---
    var_args=0xaff0a6c0 "ØŠð¯`§ð¯À(z\bDåͧÀ(z\b\210ý:\b") at gsignal.c:2207
#21 0xa7886679 in IA__g_signal_emit (instance=0x87a28c0, signal_id=36, detail=0) at gsignal.c:2241
#22 0xa7cd9394 in gtk_widget_event_internal (widget=0x87a28c0, event=0xaff0a760) at gtkwidget.c:3911
#23 0xa7ba7fee in IA__gtk_main_do_event (event=0xaff0a760) at gtkmain.c:1380
#24 0xa7a358f2 in gdk_window_impl_directfb_process_updates (paintable=0x8b2e318, update_children=1)
    at gdkwindow-directfb.c:2903
#25 0xa7a1e337 in IA__gdk_window_process_updates (window=0x8b2e2c0, update_children=1) at gdkwindow.c:2425
#26 0xa7a35dc9 in gdk_window_update_idle (data=0x0) at gdkwindow-directfb.c:90
#27 0xa77faa31 in g_idle_dispatch (source=0x8d2dcb8, callback=0x6, user_data=0x0) at gmain.c:3926
#28 0xa77fc7b1 in IA__g_main_context_dispatch (context=0x83a0188) at gmain.c:2045
#29 0xa77ff826 in g_main_context_iterate (context=0x83a0188, block=1, dispatch=1, self=0x83bbfb8) at gmain.c:2677
#30 0xa77ffbe7 in IA__g_main_loop_run (loop=0x8a80e70) at gmain.c:2881
#31 0x080630b1 in app_run (full_prog_name=0x0, gimp_argc=0, gimp_argv=0xaff0ab38, alternate_system_gimprc=0x0,
    alternate_gimprc=0x0, session_name=0x0, batch_interpreter=0x0, batch_commands=0x0, no_interface=0, no_data=0,
    no_fonts=0, no_splash=0, be_verbose=0, use_shm=0, use_cpu_accel=6, console_messages=0,
    stack_trace_mode=GIMP_STACK_TRACE_NEVER, pdb_compat_mode=GIMP_PDB_COMPAT_OFF) at app_procs.c:376
#32 0x080639fc in main (argc=1, argv=0xaff0ab34) at main.c:473


(gdb) f 20
#20 0xa78862a8 in IA__g_signal_emit_valist (instance=0x87a28c0, signal_id=36, detail=0,
    var_args=0xaff0a6c0 "ØŠð¯`§ð¯À(z\bDåͧÀ(z\b\210ý:\b") at gsignal.c:2207
2207    gsignal.c: No such file or directory.
        in gsignal.c
(gdb) p var_args
$1 = 0xaff0a6c0 "ØŠð¯`§ð¯À(z\bDåͧÀ(z\b\210ý:\b"
(gdb) f 7
#7  0xa793338b in _cairo_path_arg_buf_create () at cairo-path.c:462
462         arg_buf = malloc (sizeof (cairo_path_arg_buf_t));
(gdb) p arg_buf
$2 = (cairo_path_arg_buf_t *) 0x8b493e8
(gdb) p *arg_buf
$3 = {num_points = 1, points = {{x = 146054656, y = 265}, {x = 146032960, y = 146032960}, {x = 146032960, y = 266}, {
      x = 146032992, y = 146032992}, {x = 146032992, y = 267}, {x = 146033024, y = 146033024}, {x = 146033024, y = 268}, {
      x = 146033056, y = 146033056}, {x = 0, y = 0}, {x = 33, y = 146006624}, {x = 1634495599, y = 1852793632}, {
      x = 1836019232, y = 774778469}, {x = 1629511936, y = 1819635310}, {x = 17, y = 146007480}, {x = 1953718640, y = 101},
    {x = 49, y = 145993712}, {x = 1819043171, y = 1634476129}, {x = 1869767456, y = 1869377390}, {x = 543254887,
      y = 1970171489}, {x = 1835101292, y = 1769238117}, {x = 146055424, y = 48}, {x = 49, y = 146052552}, {x = 0, y = 0}, {
      x = 0, y = 0}, {x = 0, y = 0}, {x = 0, y = 0}, {x = 0, y = 0}, {x = 25, y = 146017800}, {x = 1718968877,
      y = 762471782}, {x = 1970169197, y = 0}, {x = 41, y = 146049776}, {x = -1484297536, y = 146011576}, {x = -1484297168,
      y = 145965344}, {x = -1481976656, y = 145965344}, {x = -1481976656, y = 0}, {x = 41, y = 146057712}, {
      x = -1484297536, y = 145987688}, {x = -1484297168, y = 145965344}, {x = -1481976656, y = 145965344}, {
      x = -1481976656, y = 145973272}, {x = 41, y = 146052352}, {x = -1484297536, y = 145987056}, {x = -1484297168,
      y = 145965344}, {x = -1481976656, y = 145965344}, {x = -1481976656, y = 145973552}, {x = 41, y = 146052392}, {
      x = -1484297536, y = 145986896}, {x = -1484297168, y = 145965344}, {x = -1481976656, y = 145965344}, {
      x = -1481976656, y = 145969200}, {x = 41, y = 146052432}, {x = -1484297536, y = 145986976}, {x = -1484297168,
      y = 145965344}, {x = -1481976656, y = 145965344}, {x = -1481976656, y = 145985232}, {x = 41, y = 146057592}, {
      x = -1484297536, y = 145988008}, {x = -1484297168, y = 145965344}, {x = -1481976656, y = 145965344}, {
      x = -1481976656, y = 146039552}, {x = 49, y = 146051912}, {x = -1484297536, y = 145987768}, {x = -1484297168,
      y = 145965344}, {x = -1481976656, y = 145965344}}, next = 0xa7aad4b0, prev = 0x8b38df8}


------------ valgrind output ------------ 

==4577== Invalid free() / delete / delete[]
==4577==    at 0x401D139: free (vg_replace_malloc.c:233)
==4577==    by 0x46E5BD0: g_free (gmem.c:187)
==4577==    by 0x8123F6C: gimp_dockable_destroy (gimpdockable.c:245)
==4577==    by 0x4687EBA: g_cclosure_marshal_VOID__VOID (gmarshal.c:77)
==4577==    by 0x4678FE8: g_type_class_meta_marshal (gclosure.c:567)
==4577==    by 0x467AB1B: g_closure_invoke (gclosure.c:490)
==4577==    by 0x468B775: signal_emit_unlocked_R (gsignal.c:2554)
==4577==    by 0x468C4C8: g_signal_emit_valist (gsignal.c:2197)
==4577==    by 0x468C678: g_signal_emit (gsignal.c:2241)
==4577==    by 0x42B173B: gtk_object_dispose (gtkobject.c:418)
==4577==    by 0x43BFF11: gtk_widget_dispose (gtkwidget.c:6883)
==4577==    by 0x467CCFA: g_object_unref (gobject.c:1757)
==4577==  Address 0x8C935A0 is 0 bytes inside a block of size 10 free'd
==4577==    at 0x401D139: free (vg_replace_malloc.c:233)
==4577==    by 0x46E5BD0: g_free (gmem.c:187)
==4577==    by 0x8123F82: gimp_dockable_destroy (gimpdockable.c:251)
==4577==    by 0x4687EBA: g_cclosure_marshal_VOID__VOID (gmarshal.c:77)
==4577==    by 0x4678FE8: g_type_class_meta_marshal (gclosure.c:567)
==4577==    by 0x467AB1B: g_closure_invoke (gclosure.c:490)
==4577==    by 0x468B775: signal_emit_unlocked_R (gsignal.c:2554)
==4577==    by 0x468C4C8: g_signal_emit_valist (gsignal.c:2197)
==4577==    by 0x468C678: g_signal_emit (gsignal.c:2241)
==4577==    by 0x42B173B: gtk_object_dispose (gtkobject.c:418)
==4577==    by 0x43BFF11: gtk_widget_dispose (gtkwidget.c:6883)
==4577==    by 0x467D0D0: g_object_run_dispose (gobject.c:570)


