Closed Bug 429678 Opened 12 years ago Closed 12 years ago
Crash [@ _cairo_surface_set_clip_path_recursive] with failed printing of outset border with transparency
See testcase; you need to download the testcase to your computer because of the use of enhanced privileges. This seems to have regressed between 2008-03-31 and 2008-04-01: http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2008-03-31+04&maxdate=2008-04-01+15&cvsroot=%2Fcvsroot Not sure what could have caused it.
http://crash-stats.mozilla.com/report/index/798518f5-0d4e-11dd-9d76-001321b13766
0 xul.dll _cairo_surface_set_clip_path_recursive mozilla/gfx/cairo/cairo/src/cairo-surface.c:1904
1 xul.dll _cairo_surface_set_clip_path mozilla/gfx/cairo/cairo/src/cairo-surface.c:1947
2 xul.dll _cairo_surface_set_clip mozilla/gfx/cairo/cairo/src/cairo-surface.c:2033
3 xul.dll _cairo_pdf_surface_emit_meta_surface mozilla/gfx/cairo/cairo/src/cairo-pdf-surface.c:1549
4 xul.dll nsFileOutputStream::Write mozilla/netwerk/base/src/nsFileStreams.cpp:414
5 xul.dll nsBufferedOutputStream::Release mozilla/security/manager/boot/src/nsEntropyCollector.cpp:61
6 xul.dll write_func mozilla/gfx/thebes/src/gfxPDFSurface.cpp:54
7 firefox.exe _IsNonwritableInCurrentImage
8 kernel32.dll GetCodePageFileInfo
Attachment #316440 - Attachment description: testcase, using enhanced privileges → Windows testcase, using enhanced privileges (overwrites C:\\test.pdf)
The first testcase triggers an unrelated crash on Linux: bug 429707.
Same as the first testcase except for the filename.
OS: Windows XP → All
Version: unspecified → Trunk
Oops, yeah, I forgot to mention the Windows-specific file write.
_cairo_meta_surface_replay_internal() is setting the clip to a local stack variable: http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/gfx/cairo/cairo/src/cairo-meta-surface.c&rev=1.30&root=/cvsroot&mark=691#652 and then returns with that clip still in place so at a later point we're using random data from the stack as clip data.
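The pattern described in the comment above, as an added example that is not part of this bug report and is not cairo's code: a replay routine installs a clip that lives in its own stack frame, and the surface keeps pointing at it unless the caller's clip is put back before returning. All type and function names here are hypothetical, and restoring the saved clip is an assumed remedy for illustration, not the upstream patch.

```c
#include <stddef.h>

/* Hypothetical stand-ins for a surface and its clip; not cairo's real types. */
typedef struct { int x, y, w, h; } clip_t;
typedef struct { const clip_t *clip; int pixels_drawn; } surface_t;
typedef struct { int x, y; } point_t;

static void surface_set_clip(surface_t *s, const clip_t *c) { s->clip = c; }

/* Draw one point, honouring whatever clip the surface currently references. */
static void surface_draw_point(surface_t *s, point_t p) {
    const clip_t *c = s->clip;
    if (c == NULL || (p.x >= c->x && p.x < c->x + c->w &&
                      p.y >= c->y && p.y < c->y + c->h))
        s->pixels_drawn++;
}

/* Replay recorded points under a temporary clip that lives in this frame.
 * restore == 0 reproduces the pattern from the comment above: the function
 * returns with the surface still pointing at `local`.
 * restore != 0 reinstates the caller's clip before the frame is torn down.
 * Returns 1 if the surface references frame-local storage at return time. */
static int replay(surface_t *target, const point_t *pts, size_t n, int restore) {
    const clip_t *saved = target->clip;
    clip_t local = { 0, 0, 10, 10 };
    size_t i;

    surface_set_clip(target, &local);
    for (i = 0; i < n; i++)
        surface_draw_point(target, pts[i]);
    if (restore)
        surface_set_clip(target, saved);
    return target->clip == &local;   /* evaluated while `local` is still alive */
}

/* Constructed sample input: two points inside the 10x10 clip, one outside. */
static const point_t sample_pts[] = { {1, 1}, {9, 9}, {50, 50} };

/* Run one replay on a fresh surface; report whether a dangling clip escaped. */
static int clip_escapes(int restore, int *drawn) {
    surface_t s = { NULL, 0 };
    int escaped = replay(&s, sample_pts, 3, restore);
    surface_set_clip(&s, NULL);      /* overwrite without reading the stale pointer */
    *drawn = s.pixels_drawn;
    return escaped;
}
```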
This fixes the crash for me on Linux.
Mats, you really should subscribe to the cairo list with all the patches to it you've been doing :) Take a look at the thread starting at http://lists.cairographics.org/archives/cairo/2008-April/013813.html
Flags: blocking1.9? → blocking1.9+
Mats, you might want to submit that patch to the list and see what they say.
Assignee: nobody → mats.palmgren
Whiteboard: [sg:critical?] → [sg:critical?][have patch]
While we should push this upstream, is the patch something we could take now, and then once it gets into Cairo proper, revert in a dot release? Not optimal I know, but we gotta get the RC out the door.
It's fixed in Cairo now: http://gitweb.freedesktop.org/?p=cairo;a=commitdiff;h=ea6dbfd36f2182fda16cb82bca92007e0f7b8d77;hp=a2c4fd057217b70c74a66076acc4f42f676192ae Vlad, will you merge that directly, or should I make a matching patch?
I can pull it in later this morning. (Doing it now, actually.)
Checked in from upstream patch.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Crash Signature: [@ _cairo_surface_set_clip_path_recursive]