429678 - Crash [@ _cairo_surface_set_clip_path_recursive] with failed printing of outset border with transparency

Status: RESOLVED FIXED

(Core :: Graphics, defect)

Description

[Martijn Wargers (dead)]

Attachment: Windows testcase, using enhanced privileges (overwrites C:\\test.pdf)

See testcase, you need to download the testcase to your computer, because of the use of enhanced privileges.

This seems to have regressed between 2008-03-31 and 2008-04-01:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2008-03-31+04&maxdate=2008-04-01+15&cvsroot=%2Fcvsroot
Not sure what could have caused it.

Comment 1

[Martijn Wargers (dead)]

http://crash-stats.mozilla.com/report/index/798518f5-0d4e-11dd-9d76-001321b13766
0  	xul.dll  	_cairo_surface_set_clip_path_recursive  	 mozilla/gfx/cairo/cairo/src/cairo-surface.c:1904
1 	xul.dll 	_cairo_surface_set_clip_path 	mozilla/gfx/cairo/cairo/src/cairo-surface.c:1947
2 	xul.dll 	_cairo_surface_set_clip 	mozilla/gfx/cairo/cairo/src/cairo-surface.c:2033
3 	xul.dll 	_cairo_pdf_surface_emit_meta_surface 	mozilla/gfx/cairo/cairo/src/cairo-pdf-surface.c:1549
4 	xul.dll 	nsFileOutputStream::Write 	mozilla/netwerk/base/src/nsFileStreams.cpp:414
5 	xul.dll 	nsBufferedOutputStream::Release 	mozilla/security/manager/boot/src/nsEntropyCollector.cpp:61
6 	xul.dll 	write_func 	mozilla/gfx/thebes/src/gfxPDFSurface.cpp:54
7 	firefox.exe 	_IsNonwritableInCurrentImage 	
8 	kernel32.dll 	GetCodePageFileInfo 	

Comment 2

[Mats Palmgren (inactive)]

The first testcase triggers an unrelated crash on Linux: bug 429707.

Comment 3

[Mats Palmgren (inactive)]

Attachment: Linux testcase, using enhanced privileges (overwrites /tmp/test.pdf)

Same as the first testcase except for the filename.

Comment 4

[Mats Palmgren (inactive)]

Attachment: crash stack, Linux debug build

Comment 5

[Martijn Wargers (dead)]

Oops, yeah, I forgot to mention about the windows specific filewrite.

Comment 6

[Mats Palmgren (inactive)]

_cairo_meta_surface_replay_internal() is setting the clip to a local
stack variable:
http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/gfx/cairo/cairo/src/cairo-meta-surface.c&rev=1.30&root=/cvsroot&mark=691#652
and then returns with that clip still in place so at a later point we're
using random data from the stack as clip data.

Comment 7

[Mats Palmgren (inactive)]

Attachment: Like so?

This fixes the crash for me on Linux.

Comment 8

[Vladimir Vukicevic [:vlad] [:vladv] (needinfo me, slow to respond)]

Mats, you really should subscribe to the cairo list with all the patches to it you've been doing :)  Take a look at the thread starting at http://lists.cairographics.org/archives/cairo/2008-April/013813.html

Comment 9

[Robert O'Callahan (:roc) (email my personal email if necessary)]

Mats, you might want to submit that patch to the list and see what they say.

Comment 10

[Damon Sicore (:damons)]

While we should push this up stream, is the patch something we could take now, and then once it gets into Cairo proper, revert in a dot release?  Not optimal I know, but we gotta get the RC out the door.

Comment 11

[Mats Palmgren (inactive)]

It's fixed in Cairo now:
http://gitweb.freedesktop.org/?p=cairo;a=commitdiff;h=ea6dbfd36f2182fda16cb82bca92007e0f7b8d77;hp=a2c4fd057217b70c74a66076acc4f42f676192ae

Vlad, will you merge that directly? or should I make a matching patch?

Comment 12

[Vladimir Vukicevic [:vlad] [:vladv] (needinfo me, slow to respond)]

I can pull it in later this morning.  (Doing it now, actually.)

Comment 13

[Vladimir Vukicevic [:vlad] [:vladv] (needinfo me, slow to respond)]

Checked in from upstream patch.