Bug 1188217

Summary: [abrt] R-core: R_AllocStringBuffer(): R killed by SIGSEGV
Product: Fedora
Version: 21
Component: cairo
Hardware: x86_64
OS: Unspecified
Status: CLOSED DUPLICATE
Severity: unspecified
Priority: unspecified
Reporter: Milan Bouchet-Valat <nalimilan>
Assignee: Benjamin Otte <otte>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: michel, otte, tcallawa
Target Milestone: ---
Target Release: ---
URL: https://retrace.fedoraproject.org/faf/reports/bthash/6c183bb9371a2f9a012766758e38ea9d1cbf8506
Whiteboard: abrt_hash:f92d261714c3f22874c9a1306af234c0c6b8e968
Doc Type: Bug Fix
Last Closed: 2015-02-03 20:19:09 UTC
Attachments (flags: none): backtrace, cgroup, core_backtrace, dso_list, environ, exploitable, limits, maps, open_fds, proc_pid_status, var_log_messages

Description Milan Bouchet-Valat 2015-02-02 11:08:39 UTC
Description of problem:
Fully reproducible crash using odfWeave on a document. I have another version changing only 8 characters which does not crash.

Version-Release number of selected component:
R-core-3.1.2-1.fc21

Additional info:
reporter:       libreport-2.3.0
backtrace_rating: 4
cmdline:        /usr/lib64/R/bin/exec/R
crash_function: R_AllocStringBuffer
executable:     /usr/lib64/R/bin/exec/R
kernel:         3.18.5-200.fc21.x86_64
runlevel:       N 5
type:           CCpp
uid:            1000

Truncated backtrace:
Thread no. 1 (10 frames)
 #18 R_AllocStringBuffer at memory.c:3786
 #19 print2buff at deparse.c:1246
 #20 deparse2buff at deparse.c:1143
 #21 deparse2 at deparse.c:499
 #22 deparse1WithCutoff at deparse.c:223
 #23 Rf_deparse1 at deparse.c:181
 #24 R_GetTraceback at errors.c:1350
 #25 sigactionSegv at main.c:567
 #27 _fill_xrgb32_lerp_opaque_spans at cairo-image-compositor.c:2249
 #28 blit_a8 at cairo-tor-scan-converter.c:1635

Comment 1 Milan Bouchet-Valat 2015-02-02 11:08:42 UTC
Created attachment 987058 [details]
File: backtrace

Comment 2 Milan Bouchet-Valat 2015-02-02 11:08:43 UTC
Created attachment 987059 [details]
File: cgroup

Comment 3 Milan Bouchet-Valat 2015-02-02 11:08:44 UTC
Created attachment 987060 [details]
File: core_backtrace

Comment 4 Milan Bouchet-Valat 2015-02-02 11:08:45 UTC
Created attachment 987061 [details]
File: dso_list

Comment 5 Milan Bouchet-Valat 2015-02-02 11:08:47 UTC
Created attachment 987062 [details]
File: environ

Comment 6 Milan Bouchet-Valat 2015-02-02 11:08:48 UTC
Created attachment 987063 [details]
File: exploitable

Comment 7 Milan Bouchet-Valat 2015-02-02 11:08:49 UTC
Created attachment 987064 [details]
File: limits

Comment 8 Milan Bouchet-Valat 2015-02-02 11:08:50 UTC
Created attachment 987065 [details]
File: maps

Comment 9 Milan Bouchet-Valat 2015-02-02 11:08:51 UTC
Created attachment 987066 [details]
File: open_fds

Comment 10 Milan Bouchet-Valat 2015-02-02 11:08:52 UTC
Created attachment 987067 [details]
File: proc_pid_status

Comment 11 Milan Bouchet-Valat 2015-02-02 11:08:53 UTC
Created attachment 987068 [details]
File: var_log_messages

Comment 12 Milan Bouchet-Valat 2015-02-02 14:26:48 UTC
Valgrind trace (I couldn't manage to get the cairo symbols even though cairo-debuginfo is installed, any ideas welcome):

==20951== Invalid read of size 4
==20951==    at 0x3229A36590: ??? (in /usr/lib64/libcairo.so.2.11400.0)
==20951==    by 0x3229A7A1B5: ??? (in /usr/lib64/libcairo.so.2.11400.0)
==20951==    by 0x3229A6C2DB: ??? (in /usr/lib64/libcairo.so.2.11400.0)
==20951==    by 0x3229A6CD44: ??? (in /usr/lib64/libcairo.so.2.11400.0)
==20951==    by 0x3229A6D969: ??? (in /usr/lib64/libcairo.so.2.11400.0)
==20951==    by 0x3229A28AEE: ??? (in /usr/lib64/libcairo.so.2.11400.0)
==20951==    by 0x3229A39DC1: ??? (in /usr/lib64/libcairo.so.2.11400.0)
==20951==    by 0x3229A70D05: ??? (in /usr/lib64/libcairo.so.2.11400.0)
==20951==    by 0x3229A30961: ??? (in /usr/lib64/libcairo.so.2.11400.0)
==20951==    by 0x3229A2A448: ??? (in /usr/lib64/libcairo.so.2.11400.0)
==20951==    by 0x3229A23484: cairo_stroke (in /usr/lib64/libcairo.so.2.11400.0)
==20951==    by 0x3FB96A613F: clipPolygon (engine.c:1080)
==20951==  Address 0x1307c0b0 is 0 bytes after a block of size 1,806,336 alloc'd
==20951==    at 0x4A08946: calloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==20951==    by 0x3FC7419C39: create_bits (pixman-bits-image.c:935)
==20951==    by 0x3FC7419C39: _pixman_bits_image_init (pixman-bits-image.c:955)
==20951==    by 0x3FC7419CEA: create_bits_image_internal (pixman-bits-image.c:1005)
==20951==    by 0x3229A3A406: ??? (in /usr/lib64/libcairo.so.2.11400.0)
==20951==    by 0x139E19DB: X11_Open (devX11.c:1653)
==20951==    by 0x139E253B: X11DeviceDriver (devX11.c:2799)
==20951==    by 0x139E2B9A: Rf_addX11Device (devX11.c:3106)
==20951==    by 0x139E2B9A: in_do_X11 (devX11.c:3214)
==20951==    by 0x3FB9696B0F: do_External (dotcode.c:527)
==20951==    by 0x3FB96C4231: bcEval (eval.c:4760)
==20951==    by 0x3FB96CE47F: Rf_eval (eval.c:560)
==20951==    by 0x3FB96D436F: Rf_applyClosure (eval.c:1044)
==20951==    by 0x3FB96CE555: Rf_eval (eval.c:676)
==20951== 
==20951== Invalid write of size 4
==20951==    at 0x3229A36684: ??? (in /usr/lib64/libcairo.so.2.11400.0)
==20951==    by 0x3229A7A1B5: ??? (in /usr/lib64/libcairo.so.2.11400.0)
==20951==    by 0x3229A6C2DB: ??? (in /usr/lib64/libcairo.so.2.11400.0)
==20951==    by 0x3229A6CD44: ??? (in /usr/lib64/libcairo.so.2.11400.0)
==20951==    by 0x3229A6D969: ??? (in /usr/lib64/libcairo.so.2.11400.0)
==20951==    by 0x3229A28AEE: ??? (in /usr/lib64/libcairo.so.2.11400.0)
==20951==    by 0x3229A39DC1: ??? (in /usr/lib64/libcairo.so.2.11400.0)
==20951==    by 0x3229A70D05: ??? (in /usr/lib64/libcairo.so.2.11400.0)
==20951==    by 0x3229A30961: ??? (in /usr/lib64/libcairo.so.2.11400.0)
==20951==    by 0x3229A2A448: ??? (in /usr/lib64/libcairo.so.2.11400.0)
==20951==    by 0x3229A23484: cairo_stroke (in /usr/lib64/libcairo.so.2.11400.0)
==20951==    by 0x3FB96A613F: clipPolygon (engine.c:1080)
==20951==  Address 0x1307c0b0 is 0 bytes after a block of size 1,806,336 alloc'd
==20951==    at 0x4A08946: calloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==20951==    by 0x3FC7419C39: create_bits (pixman-bits-image.c:935)
==20951==    by 0x3FC7419C39: _pixman_bits_image_init (pixman-bits-image.c:955)
==20951==    by 0x3FC7419CEA: create_bits_image_internal (pixman-bits-image.c:1005)
==20951==    by 0x3229A3A406: ??? (in /usr/lib64/libcairo.so.2.11400.0)
==20951==    by 0x139E19DB: X11_Open (devX11.c:1653)
==20951==    by 0x139E253B: X11DeviceDriver (devX11.c:2799)
==20951==    by 0x139E2B9A: Rf_addX11Device (devX11.c:3106)
==20951==    by 0x139E2B9A: in_do_X11 (devX11.c:3214)
==20951==    by 0x3FB9696B0F: do_External (dotcode.c:527)
==20951==    by 0x3FB96C4231: bcEval (eval.c:4760)
==20951==    by 0x3FB96CE47F: Rf_eval (eval.c:560)
==20951==    by 0x3FB96D436F: Rf_applyClosure (eval.c:1044)
==20951==    by 0x3FB96CE555: Rf_eval (eval.c:676)
==20951== 

 *** caught segfault ***
address 0x13197000, cause 'invalid permissions'

Traceback:
 1: plot.xy(xy.coords(x, y), type = type, ...)
 2: lines.default(as.numeric(substr(names(coefsFhypo.bioent), 12,     15)) + 5, coefsFhypo.bioent, type = "b", lty = "solid", pch = 23,     bg = "dark grey", lwd = 2)
 3: lines(as.numeric(substr(names(coefsFhypo.bioent), 12, 15)) +     5, coefsFhypo.bioent, type = "b", lty = "solid", pch = 23,     bg = "dark grey", lwd = 2)
 4: eval(expr, envir, enclos)
 5: eval(expr, .GlobalEnv)
 6: withVisible(eval(expr, .GlobalEnv))
 7: doTryCatch(return(expr), name, parentenv, handler)
 8: tryCatchOne(expr, names, parentenv, handlers[[1L]])
 9: tryCatchList(expr, classes, parentenv, handlers)
10: tryCatch(expr, error = function(e) {    call <- conditionCall(e)    if (!is.null(call)) {        if (identical(call[[1L]], quote(doTryCatch)))             call <- sys.call(-4L)        dcall <- deparse(call)[1L]        prefix <- paste("Error in", dcall, ": ")        LONG <- 75L        msg <- conditionMessage(e)        sm <- strsplit(msg, "\n")[[1L]]        w <- 14L + nchar(dcall, type = "w") + nchar(sm[1L], type = "w")        if (is.na(w))             w <- 14L + nchar(dcall, type = "b") + nchar(sm[1L],                 type = "b")        if (w > LONG)             prefix <- paste0(prefix, "\n  ")    }    else prefix <- "Error : "    msg <- paste0(prefix, conditionMessage(e), "\n")    .Internal(seterrmessage(msg[1L]))    if (!silent && identical(getOption("show.error.messages"),         TRUE)) {        cat(msg, file = stderr())        .Internal(printDeferredWarnings())    }    invisible(structure(msg, class = "try-error", condition = e))})
11: try(withVisible(eval(expr, .GlobalEnv)), silent = TRUE)
12: RweaveEvalWithOpt(ce, options)
13: driver$runcode(drobj, chunk, chunkopts)
14: Sweave(file = rnwFileName, output = "content_1.xml", quiet = !control$verbose,     driver = RweaveOdf(), control = control, encoding = "UTF-8")
15: odfWeave("CRASH - Mauvais.odt", "CRASH - Mauvais.out.odt")
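
The Valgrind report above places both the invalid read and the invalid write at the same address, 0 bytes past the end of the 1,806,336-byte pixel buffer that pixman calloc'd for the X11 device: the compositor's span fill stepped one 4-byte xrgb32 pixel beyond the last row. The following C program is an added illustration of that failure class and of the bounds clamp that prevents it; it is not cairo's or pixman's code, and the image geometry, the function names and the span coordinates are invented for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical xrgb32 destination image, laid out the way a pixman bits
 * image is: height rows of stride_px 32-bit pixels, width <= stride_px. */
typedef struct {
    uint32_t *bits;
    int width, height, stride_px;
} image_t;

/* Allocate and zero the pixel buffer, like the calloc() in the report. */
static int image_init(image_t *img, int width, int height)
{
    img->width = width;
    img->height = height;
    img->stride_px = width;                 /* no row padding, to keep it simple */
    img->bits = calloc((size_t)width * height, sizeof *img->bits);
    return img->bits != NULL;
}

/* Unchecked span fill: trusts the rasterizer's (x, len) blindly. A span that
 * ends one pixel past the last row writes 4 bytes just past the allocation,
 * which is exactly what Valgrind reports as "Invalid write of size 4 ...
 * 0 bytes after a block". */
static void fill_span_unchecked(image_t *img, int y, int x, int len, uint32_t color)
{
    uint32_t *row = img->bits + (size_t)y * img->stride_px;
    for (int i = 0; i < len; i++)
        row[x + i] = color;
}

/* Checked span fill: clamp the span to [0, width) and reject rows outside
 * [0, height). Returns the number of pixels actually written so the caller
 * (and the test) can confirm the clamp took effect. */
static int fill_span_checked(image_t *img, int y, int x, int len, uint32_t color)
{
    if (y < 0 || y >= img->height || len <= 0)
        return 0;
    int x0 = x < 0 ? 0 : x;
    long x1 = (long)x + len;                /* long: x + len may overflow int */
    if (x1 > img->width)
        x1 = img->width;
    if (x1 <= x0)
        return 0;
    uint32_t *row = img->bits + (size_t)y * img->stride_px;
    for (long i = x0; i < x1; i++)
        row[i] = color;
    return (int)(x1 - x0);
}

/* Count pixels equal to color, so a test can verify what was written. */
static int count_pixels(const image_t *img, uint32_t color)
{
    int n = 0;
    for (size_t i = 0; i < (size_t)img->stride_px * img->height; i++)
        n += img->bits[i] == color;
    return n;
}

int main(void)
{
    image_t img;
    if (!image_init(&img, 4, 2))
        return 1;
    /* In-bounds span: the unchecked filler is fine here. The same call with
     * len 5 would write one pixel past the buffer on the last row. */
    fill_span_unchecked(&img, 0, 0, 4, 0x0000ff00);
    /* Over-long span on the last row: the checked filler writes only the two
     * pixels that exist and reports that, instead of corrupting the heap. */
    int wrote = fill_span_checked(&img, 1, 2, 3, 0x00ff0000);
    printf("wrote %d of 3 requested pixels, %d red pixels in image\n",
           wrote, count_pixels(&img, 0x00ff0000));
    free(img.bits);
    return 0;
}
```

Under Valgrind or AddressSanitizer the unchecked variant with an over-long span produces the same "0 bytes after a block of size N" diagnostic as the trace above; the checked variant never touches memory outside the image, whatever the rasterizer hands it.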

Comment 13 Milan Bouchet-Valat 2015-02-02 14:47:54 UTC
Filed upstream at https://bugs.r-project.org/bugzilla3/show_bug.cgi?id=16182

Comment 14 Milan Bouchet-Valat 2015-02-02 16:13:25 UTC
I'm not able to reproduce the crash with R built from source, both for 3.1.2 and R-devel from SVN. I've checked X11.options() are all the same, including type="cairo". Any ideas about what the difference might be?

Comment 15 Milan Bouchet-Valat 2015-02-03 13:32:01 UTC
Actually I'm now able to reproduce the crash with upstream sources too (I needed to enable Pango). I've posted a reproducer there.

Comment 16 Tom "spot" Callaway 2015-02-03 18:27:54 UTC
I can't reproduce your crash with the R packages in Fedora 21 (x86_64), even with your reproducer from the upstream bug.

Your traceback goes through:

 cairo_stroke (in /usr/lib64/libcairo.so.2.11400.0)

The latest cairo package for Fedora 21 is cairo-1.13.1-0.4.git337ab1f.fc21, which has: /usr/lib64/libcairo.so.2.11301.0

I tried updating to the cairo in updates-testing (1.14.0-1.fc21) which has /usr/lib64/libcairo.so.2.11400.0, but I still couldn't get it to crash with your reproducer code.

I'm not sure what's different between us. :/ The only thing I can think of is that there is a known crasher in Cairo 1.14.0 that is fixed in rawhide, but not yet in any update (testing or stable) for Fedora. You might try that and see if it resolves the issue on your end:

http://koji.fedoraproject.org/koji/buildinfo?buildID=608012

Comment 17 Tom "spot" Callaway 2015-02-03 18:29:35 UTC
Actually, looking at the upstream patch, I think there is a good chance that fix will resolve your crash:

http://cgit.freedesktop.org/cairo/patch/src/cairo-image-compositor.c?id=5c82d91a5e15d29b1489dcb413b24ee7fdf59934

Comment 18 Milan Bouchet-Valat 2015-02-03 20:15:37 UTC
Ah, I'm really lucky that you're also a Cairo expert. Indeed, cairo-1.14.0-2.fc22 fixed it!

So this is a +1 to backport the fix to F21. :-)

The history of this fix is quite intriguing to me, as it appears to have been identified in late November, and nothing has happened since then? Maybe it would be worth my sending an e-mail to the list so that they know several people are affected?

Comment 19 Milan Bouchet-Valat 2015-02-03 20:19:09 UTC

*** This bug has been marked as a duplicate of bug 1183242 ***