Bug 219005

Summary: OOo crash during _cairo_bentley_ottmann_tessellate_polygon
Product: [Fedora] Fedora
Reporter: Darwin H. Webb <thethirddoorontheleft>
Component: cairo
Assignee: Behdad Esfahbod <behdad>
Status: CLOSED INSUFFICIENT_DATA
Severity: medium
Priority: medium
Version: rawhide
CC: caolanm, cworth, triage
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: bzcl34nup
Doc Type: Bug Fix
Last Closed: 2008-05-07 01:02:37 UTC
Attachments (description, flags):
OOCACL-crash.txt (flags: none)
mapped stack (flags: none)
Patch to dump all tessellated polygons into a file (flags: none)

Description Darwin H. Webb 2006-12-09 01:52:51 UTC
Description of problem:
OOCALC crashed, popup text attached

Version-Release number of selected component (if applicable):
openoffice.org-calc-2.1.0-6.5

How reproducible:
don't know

Steps to Reproduce:
1. =IF($A2=$A1,$A2)  #trying to input a dup value check. It crashed when I was in a lower level formula gui.
  
Actual results:
crashed

Expected results:
error, burp, blink, beep - but no crash.

Additional info:
Attached crash dump report

Comment 1 Darwin H. Webb 2006-12-09 01:52:51 UTC
Created attachment 143201 [details]
OOCACL-crash.txt

Comment 2 Caolan McNamara 2006-12-09 17:26:06 UTC
Looks like the crash took place in cairo from drawing some widget.

Do you have any way to reproduce this?

Comment 3 Darwin H. Webb 2006-12-10 17:58:14 UTC
I tried today and the spreadsheet was recovered with data intact.
I re-entered the formula with the function gui and it worked.

I had updated the next day's devel rawhide 11/09/06 so I can't verify it.
Close this bug and if it happens again I'll add a comment.

thanks,

Darwin

Comment 4 Caolan McNamara 2006-12-11 10:02:46 UTC
Created attachment 143275 [details]
mapped stack

stack mapped back to source lines

Comment 5 Caolan McNamara 2006-12-11 10:06:26 UTC
Here's the crashing bit of the stack, there's an awful lot of cairo stack here
before the crash.

method _cairo_bentley_ottmann_tessellate_polygon at...
file:line of /usr/src/debug/cairo-1.3.6/src/cairo-bentley-ottmann.c:777
method _cairo_path_fixed_fill_to_traps at...
file:line of /usr/src/debug/cairo-1.3.6/src/cairo-path-fill.c:197
method _cairo_clip_clip at...
file:line of /usr/src/debug/cairo-1.3.6/src/cairo-clip.c:489
method _cairo_gstate_clip at...
file:line of /usr/src/debug/cairo-1.3.6/src/cairo-gstate.c:1149
method *INT_cairo_clip_preserve at...
file:line of /usr/src/debug/cairo-1.3.6/src/cairo.c:2194
method ge_gdk_drawable_to_cairo at...
file:line of ./cairo-support.c:240
method clearlooks_style_draw_handle at...
file:line of src/clearlooks_style.c:324
method IA__gtk_paint_handle at...
file:line of /usr/src/debug/gtk+-2.10.6/gtk/gtkstyle.c:6272

Comment 6 M Joonas Pihlaja 2006-12-13 22:08:23 UTC
Created attachment 143565 [details]
Patch to dump all tessellated polygons into a file

Could you apply the attached patch, rerun the crashing example, and return the
last few logged polygons from /tmp/polygon.log?  Hopefully this would lead to a
smaller example for closer study.

Cheers,

Joonas

Comment 7 Carl Worth (Ampere) 2007-03-26 15:17:53 UTC
Here's what I could find by poking around the ClearLooks code, (or rather, the
gtk-engines code as the crash doesn't appear to be coming from any
clearlooks-specific code).

Here's the function of interest:

cairo_t *
ge_gdk_drawable_to_cairo (GdkDrawable  *window, GdkRectangle *area)
{
        cairo_t *cr;

        g_return_val_if_fail (window != NULL, NULL);

        cr = (cairo_t*) gdk_cairo_create (window);
        cairo_set_line_width (cr, 1.0);
        cairo_set_line_cap (cr, CAIRO_LINE_CAP_SQUARE);
        cairo_set_line_join (cr, CAIRO_LINE_JOIN_MITER);

        if (area)
        {
                cairo_rectangle (cr, area->x, area->y, area->width, area->height);
                cairo_clip_preserve (cr);
                cairo_new_path (cr);
        }

        return cr;
}

So that suggests that the path that triggers the bug could be nothing other than
a single integer rectangle. That's actually a rather surprising thing to be
tripping up the tessellator.

And meanwhile, it occurs to me that we did an optimization for single-rectangle
path fills, but perhaps that missed single-rectangle path clips. I'll take a
look at that now.

In the meantime, if anybody manages to reproduce this, that would be great. (But
from what I've seen here, it seems it didn't have anything to do with
OpenOffice.org at all, but perhaps just some particular expose-event rectangle
that managed to hit a bug).

Joonas, care to take a pass through the tessellator looking for something that
could go wrong if given a degenerate rectangle of some sort?

-Carl


Comment 8 Carl Worth (Ampere) 2007-03-26 15:36:56 UTC
(In reply to comment #7)
> And meanwhile, it occurs to me that we did an optimization for single-rectangle
> path fills, but perhaps that missed single-rectangle path clips. I'll take a
> look at that now.

I checked now, and confirmed that the optimization does in fact apply to both
cairo_fill() and cairo_clip(). This optimization did not exist in any 1.3.x
snapshot of cairo, but is in place for cairo 1.4.0 and beyond.

And what the optimization does is to entirely bypass
_cairo_bentley_ottmann_tessellate_polygon whenever the path is nothing but a
single, axis-aligned rectangle.

So, I think that as of cairo 1.4.x the original bug should not be reproducible.
But I'd still very much like to find a polygon that triggers the failure in the
tessellator so that we can fix it.

-Carl
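
The fast path described in comment 8, as an added example that is not part of the original thread and is not cairo's own code: a check that recognises a path consisting of a single axis-aligned rectangle so the caller can skip the general tessellator. The names path_elem_t, box_t, make_rect_path and path_is_single_box are hypothetical, and the five-element path shape follows the documented equivalence of cairo_rectangle() to a move_to, three line segments and a close_path.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical minimal path model for this example (not cairo's types). */
typedef enum { OP_MOVE_TO, OP_LINE_TO, OP_CLOSE } path_op_t;
typedef struct { path_op_t op; double x, y; } path_elem_t;
typedef struct { double x1, y1, x2, y2; } box_t;

/* The five elements cairo_rectangle() is documented as equivalent to. */
void make_rect_path(path_elem_t p[5], double x, double y, double w, double h)
{
    p[0] = (path_elem_t){ OP_MOVE_TO, x,     y     };
    p[1] = (path_elem_t){ OP_LINE_TO, x + w, y     };
    p[2] = (path_elem_t){ OP_LINE_TO, x + w, y + h };
    p[3] = (path_elem_t){ OP_LINE_TO, x,     y + h };
    p[4] = (path_elem_t){ OP_CLOSE,   x,     y     };
}

/* True (and *box filled) only for exactly one closed, axis-aligned
 * rectangle, so the caller may skip the general tessellator. Zero-size
 * rectangles qualify; NaN coordinates fail every equality test below. */
bool path_is_single_box(const path_elem_t *p, size_t n, box_t *box)
{
    if (p == NULL || box == NULL || n != 5) return false;
    if (p[0].op != OP_MOVE_TO || p[4].op != OP_CLOSE) return false;
    for (size_t i = 1; i <= 3; i++)
        if (p[i].op != OP_LINE_TO) return false;

    /* Edges must alternate horizontal/vertical, in either order. */
    bool h_first = p[0].y == p[1].y && p[1].x == p[2].x &&
                   p[2].y == p[3].y && p[3].x == p[0].x;
    bool v_first = p[0].x == p[1].x && p[1].y == p[2].y &&
                   p[2].x == p[3].x && p[3].y == p[0].y;
    if (!h_first && !v_first) return false;

    /* p[0] and p[2] are opposite corners; normalise to x1<=x2, y1<=y2. */
    box->x1 = p[0].x < p[2].x ? p[0].x : p[2].x;
    box->x2 = p[0].x < p[2].x ? p[2].x : p[0].x;
    box->y1 = p[0].y < p[2].y ? p[0].y : p[2].y;
    box->y2 = p[0].y < p[2].y ? p[2].y : p[0].y;
    return true;
}

int main(void)
{
    path_elem_t p[5]; box_t b;
    make_rect_path(p, 10, 20, 30, 40);   /* constructed sample input */
    return path_is_single_box(p, 5, &b) ? 0 : 1;
}
```

Any path that fails the check (a sheared quad, extra segments, non-finite coordinates) still goes to the general tessellator, so that code has to stay robust on its own.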


Comment 9 Bug Zapper 2008-04-03 18:46:38 UTC
Based on the date this bug was created, it appears to have been reported
against rawhide during the development of a Fedora release that is no
longer maintained. In order to refocus our efforts as a project we are
flagging all of the open bugs for releases which are no longer
maintained. If this bug remains in NEEDINFO thirty (30) days from now,
we will automatically close it.

If you can reproduce this bug in a maintained Fedora version (7, 8, or
rawhide), please change this bug to the respective version and change
the status to ASSIGNED. (If you're unable to change the bug's version
or status, add a comment to the bug and someone will change it for you.)

Thanks for your help, and we apologize again that we haven't handled
these issues to this point.

The process we're following is outlined here:
http://fedoraproject.org/wiki/BugZappers/F9CleanUp

We will be following the process here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping to ensure this
doesn't happen again.

Comment 10 Bug Zapper 2008-05-07 01:02:36 UTC
This bug has been in NEEDINFO for more than 30 days since feedback was
first requested. As a result we are closing it.

If you can reproduce this bug in the future against a maintained Fedora
version please feel free to reopen it against that version.

The process we're following is outlined here:
http://fedoraproject.org/wiki/BugZappers/F9CleanUp