Description of problem:
Fully reproducible crash using odfWeave on a document. I have another version changing only 8 characters which does not crash.

Version-Release number of selected component:
R-core-3.1.2-1.fc21

Additional info:
reporter:         libreport-2.3.0
backtrace_rating: 4
cmdline:          /usr/lib64/R/bin/exec/R
crash_function:   R_AllocStringBuffer
executable:       /usr/lib64/R/bin/exec/R
kernel:           3.18.5-200.fc21.x86_64
runlevel:         N 5
type:             CCpp
uid:              1000

Truncated backtrace:
Thread no. 1 (10 frames)
 #18 R_AllocStringBuffer at memory.c:3786
 #19 print2buff at deparse.c:1246
 #20 deparse2buff at deparse.c:1143
 #21 deparse2 at deparse.c:499
 #22 deparse1WithCutoff at deparse.c:223
 #23 Rf_deparse1 at deparse.c:181
 #24 R_GetTraceback at errors.c:1350
 #25 sigactionSegv at main.c:567
 #27 _fill_xrgb32_lerp_opaque_spans at cairo-image-compositor.c:2249
 #28 blit_a8 at cairo-tor-scan-converter.c:1635
Created attachment 987058 File: backtrace
Created attachment 987059 File: cgroup
Created attachment 987060 File: core_backtrace
Created attachment 987061 File: dso_list
Created attachment 987062 File: environ
Created attachment 987063 File: exploitable
Created attachment 987064 File: limits
Created attachment 987065 File: maps
Created attachment 987066 File: open_fds
Created attachment 987067 File: proc_pid_status
Created attachment 987068 File: var_log_messages
Valgrind trace (I couldn't manage to get the cairo symbols even though cairo-debuginfo is installed, any ideas welcome):

==20951== Invalid read of size 4
==20951== at 0x3229A36590: ??? (in /usr/lib64/libcairo.so.2.11400.0)
==20951== by 0x3229A7A1B5: ??? (in /usr/lib64/libcairo.so.2.11400.0)
==20951== by 0x3229A6C2DB: ??? (in /usr/lib64/libcairo.so.2.11400.0)
==20951== by 0x3229A6CD44: ??? (in /usr/lib64/libcairo.so.2.11400.0)
==20951== by 0x3229A6D969: ??? (in /usr/lib64/libcairo.so.2.11400.0)
==20951== by 0x3229A28AEE: ??? (in /usr/lib64/libcairo.so.2.11400.0)
==20951== by 0x3229A39DC1: ??? (in /usr/lib64/libcairo.so.2.11400.0)
==20951== by 0x3229A70D05: ??? (in /usr/lib64/libcairo.so.2.11400.0)
==20951== by 0x3229A30961: ??? (in /usr/lib64/libcairo.so.2.11400.0)
==20951== by 0x3229A2A448: ??? (in /usr/lib64/libcairo.so.2.11400.0)
==20951== by 0x3229A23484: cairo_stroke (in /usr/lib64/libcairo.so.2.11400.0)
==20951== by 0x3FB96A613F: clipPolygon (engine.c:1080)
==20951== Address 0x1307c0b0 is 0 bytes after a block of size 1,806,336 alloc'd
==20951== at 0x4A08946: calloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==20951== by 0x3FC7419C39: create_bits (pixman-bits-image.c:935)
==20951== by 0x3FC7419C39: _pixman_bits_image_init (pixman-bits-image.c:955)
==20951== by 0x3FC7419CEA: create_bits_image_internal (pixman-bits-image.c:1005)
==20951== by 0x3229A3A406: ??? (in /usr/lib64/libcairo.so.2.11400.0)
==20951== by 0x139E19DB: X11_Open (devX11.c:1653)
==20951== by 0x139E253B: X11DeviceDriver (devX11.c:2799)
==20951== by 0x139E2B9A: Rf_addX11Device (devX11.c:3106)
==20951== by 0x139E2B9A: in_do_X11 (devX11.c:3214)
==20951== by 0x3FB9696B0F: do_External (dotcode.c:527)
==20951== by 0x3FB96C4231: bcEval (eval.c:4760)
==20951== by 0x3FB96CE47F: Rf_eval (eval.c:560)
==20951== by 0x3FB96D436F: Rf_applyClosure (eval.c:1044)
==20951== by 0x3FB96CE555: Rf_eval (eval.c:676)
==20951==
==20951== Invalid write of size 4
==20951== at 0x3229A36684: ??? (in /usr/lib64/libcairo.so.2.11400.0)
==20951== by 0x3229A7A1B5: ??? (in /usr/lib64/libcairo.so.2.11400.0)
==20951== by 0x3229A6C2DB: ??? (in /usr/lib64/libcairo.so.2.11400.0)
==20951== by 0x3229A6CD44: ??? (in /usr/lib64/libcairo.so.2.11400.0)
==20951== by 0x3229A6D969: ??? (in /usr/lib64/libcairo.so.2.11400.0)
==20951== by 0x3229A28AEE: ??? (in /usr/lib64/libcairo.so.2.11400.0)
==20951== by 0x3229A39DC1: ??? (in /usr/lib64/libcairo.so.2.11400.0)
==20951== by 0x3229A70D05: ??? (in /usr/lib64/libcairo.so.2.11400.0)
==20951== by 0x3229A30961: ??? (in /usr/lib64/libcairo.so.2.11400.0)
==20951== by 0x3229A2A448: ??? (in /usr/lib64/libcairo.so.2.11400.0)
==20951== by 0x3229A23484: cairo_stroke (in /usr/lib64/libcairo.so.2.11400.0)
==20951== by 0x3FB96A613F: clipPolygon (engine.c:1080)
==20951== Address 0x1307c0b0 is 0 bytes after a block of size 1,806,336 alloc'd
==20951== at 0x4A08946: calloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==20951== by 0x3FC7419C39: create_bits (pixman-bits-image.c:935)
==20951== by 0x3FC7419C39: _pixman_bits_image_init (pixman-bits-image.c:955)
==20951== by 0x3FC7419CEA: create_bits_image_internal (pixman-bits-image.c:1005)
==20951== by 0x3229A3A406: ??? (in /usr/lib64/libcairo.so.2.11400.0)
==20951== by 0x139E19DB: X11_Open (devX11.c:1653)
==20951== by 0x139E253B: X11DeviceDriver (devX11.c:2799)
==20951== by 0x139E2B9A: Rf_addX11Device (devX11.c:3106)
==20951== by 0x139E2B9A: in_do_X11 (devX11.c:3214)
==20951== by 0x3FB9696B0F: do_External (dotcode.c:527)
==20951== by 0x3FB96C4231: bcEval (eval.c:4760)
==20951== by 0x3FB96CE47F: Rf_eval (eval.c:560)
==20951== by 0x3FB96D436F: Rf_applyClosure (eval.c:1044)
==20951== by 0x3FB96CE555: Rf_eval (eval.c:676)
==20951==

 *** caught segfault ***
address 0x13197000, cause 'invalid permissions'

Traceback:
 1: plot.xy(xy.coords(x, y), type = type, ...)
 2: lines.default(as.numeric(substr(names(coefsFhypo.bioent), 12, 15)) + 5, coefsFhypo.bioent, type = "b", lty = "solid", pch = 23, bg = "dark grey", lwd = 2)
 3: lines(as.numeric(substr(names(coefsFhypo.bioent), 12, 15)) + 5, coefsFhypo.bioent, type = "b", lty = "solid", pch = 23, bg = "dark grey", lwd = 2)
 4: eval(expr, envir, enclos)
 5: eval(expr, .GlobalEnv)
 6: withVisible(eval(expr, .GlobalEnv))
 7: doTryCatch(return(expr), name, parentenv, handler)
 8: tryCatchOne(expr, names, parentenv, handlers[[1L]])
 9: tryCatchList(expr, classes, parentenv, handlers)
10: tryCatch(expr, error = function(e) {
        call <- conditionCall(e)
        if (!is.null(call)) {
            if (identical(call[[1L]], quote(doTryCatch))) call <- sys.call(-4L)
            dcall <- deparse(call)[1L]
            prefix <- paste("Error in", dcall, ": ")
            LONG <- 75L
            msg <- conditionMessage(e)
            sm <- strsplit(msg, "\n")[[1L]]
            w <- 14L + nchar(dcall, type = "w") + nchar(sm[1L], type = "w")
            if (is.na(w)) w <- 14L + nchar(dcall, type = "b") + nchar(sm[1L], type = "b")
            if (w > LONG) prefix <- paste0(prefix, "\n ")
        } else prefix <- "Error : "
        msg <- paste0(prefix, conditionMessage(e), "\n")
        .Internal(seterrmessage(msg[1L]))
        if (!silent && identical(getOption("show.error.messages"), TRUE)) {
            cat(msg, file = stderr())
            .Internal(printDeferredWarnings())
        }
        invisible(structure(msg, class = "try-error", condition = e))
    })
11: try(withVisible(eval(expr, .GlobalEnv)), silent = TRUE)
12: RweaveEvalWithOpt(ce, options)
13: driver$runcode(drobj, chunk, chunkopts)
14: Sweave(file = rnwFileName, output = "content_1.xml", quiet = !control$verbose, driver = RweaveOdf(), control = control, encoding = "UTF-8")
15: odfWeave("CRASH - Mauvais.odt", "CRASH - Mauvais.out.odt")
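The memcheck output above carries the whole triage story in three line types: the "Invalid read/write of size N" header, the "Address ... is 0 bytes after a block of size 1,806,336 alloc'd" line that turns a raw fault into a bug class (a four-byte access starting exactly at the end of a pixman image buffer allocated from create_bits for the X11 device, reached through cairo_stroke), and frames that print as "???" because libcairo had no usable symbols. The parser below is an added example, not part of this bug report or of valgrind, R or cairo; it pulls those facts out of memcheck text so a triager can see the bug class, the first symbolized frame, the real allocation site beneath the intercepted allocator, and which shared objects still need debuginfo. The sample input is a constructed, shortened version of the trace above.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# The three memcheck line shapes needed for triage (record header, stack frame,
# and the "Address ... is N bytes <where> a block" line). An empty "==PID==" line
# terminates a record.
HEADER_RE = re.compile(r"^==\d+==\s+(?P<kind>Invalid (?:read|write)) of size (?P<size>\d+)\s*$")
FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (?P<func>\S+) (?P<loc>\(.*\))\s*$")
ADDR_RE = re.compile(
    r"^==\d+==\s+Address 0x(?P<addr>[0-9A-Fa-f]+) is (?P<offset>[\d,]+) bytes "
    r"(?P<where>after|before|inside) a block of size (?P<size>[\d,]+) (?P<state>alloc'd|free'd)\s*$")
BLANK_RE = re.compile(r"^==\d+==\s*$")

# Allocator entry points valgrind intercepts; skipped when locating the allocation site.
ALLOCATORS = {"malloc", "calloc", "realloc", "memalign", "posix_memalign"}

Frame = Tuple[str, str]  # (function or "???", "(file:line)" or "(in /path/to/lib.so)")


@dataclass
class MemError:
    kind: str                       # "Invalid read" / "Invalid write"
    size: int                       # bytes accessed
    access_stack: List[Frame] = field(default_factory=list)
    addr: str = ""
    offset: int = -1                # distance from the block boundary, as reported
    where: str = ""                 # after / before / inside
    block_size: int = 0
    block_state: str = ""           # alloc'd / free'd
    alloc_stack: List[Frame] = field(default_factory=list)

    def classify(self) -> str:
        """Turn the Address line into a bug class a triager can act on."""
        if self.block_state == "free'd":
            return "use-after-free"
        if self.where == "after":
            tag = "heap-buffer-overflow"
            if self.offset == 0:
                tag += " (access begins exactly at the end of the block)"
            return tag
        if self.where == "before":
            return "heap-buffer-underflow"
        return "unclassified"


def first_symbolized(stack: List[Frame]) -> Optional[str]:
    """First frame that has a symbol; memcheck prints ??? where debuginfo is missing."""
    for func, loc in stack:
        if func != "???":
            return f"{func} {loc}"
    return None


def allocation_site(err: MemError) -> Optional[str]:
    """First allocation-stack frame below the intercepted allocator and its preload shim."""
    for func, loc in err.alloc_stack:
        if func == "???" or func in ALLOCATORS or "vgpreload" in loc:
            continue
        return f"{func} {loc}"
    return None


def unsymbolized_objects(errors: List[MemError]) -> List[str]:
    """Shared objects that only ever appear as '??? (in /path)': debuginfo candidates."""
    objs = set()
    for err in errors:
        for func, loc in err.access_stack + err.alloc_stack:
            if func == "???" and loc.startswith("(in ") and loc.endswith(")"):
                objs.add(loc[4:-1])
    return sorted(objs)


def parse_memcheck(text: str) -> List[MemError]:
    """Parse Invalid read/write records; frames after the Address line form the alloc stack."""
    errors: List[MemError] = []
    cur: Optional[MemError] = None
    in_alloc_stack = False
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = MemError(kind=m["kind"], size=int(m["size"]))
            errors.append(cur)
            in_alloc_stack = False
            continue
        if cur is None:
            continue                       # outside any record we care about
        m = ADDR_RE.match(line)
        if m:
            cur.addr, cur.where, cur.block_state = m["addr"], m["where"], m["state"]
            cur.offset = int(m["offset"].replace(",", ""))
            cur.block_size = int(m["size"].replace(",", ""))
            in_alloc_stack = True
            continue
        m = FRAME_RE.match(line)
        if m:
            (cur.alloc_stack if in_alloc_stack else cur.access_stack).append((m["func"], m["loc"]))
            continue
        if BLANK_RE.match(line):
            cur = None                     # empty ==PID== line closes the record
    return errors


def summarize(text: str) -> List[str]:
    """One triage line per error: class, faulting frame, and where the block came from."""
    return [f"{e.kind} of size {e.size}: {e.classify()}; in {first_symbolized(e.access_stack)}; "
            f"block of {e.block_size} bytes {e.block_state} in {allocation_site(e)}"
            for e in parse_memcheck(text)]


# Constructed sample, modeled on the trace in the report above with shortened stacks.
SAMPLE = """\
==20951== Invalid read of size 4
==20951==    at 0x3229A36590: ??? (in /usr/lib64/libcairo.so.2.11400.0)
==20951==    by 0x3229A23484: cairo_stroke (in /usr/lib64/libcairo.so.2.11400.0)
==20951==    by 0x3FB96A613F: clipPolygon (engine.c:1080)
==20951==  Address 0x1307c0b0 is 0 bytes after a block of size 1,806,336 alloc'd
==20951==    at 0x4A08946: calloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==20951==    by 0x3FC7419C39: create_bits (pixman-bits-image.c:935)
==20951==    by 0x139E19DB: X11_Open (devX11.c:1653)
==20951==
==20951== Invalid write of size 4
==20951==    at 0x3229A36684: ??? (in /usr/lib64/libcairo.so.2.11400.0)
==20951==    by 0x3229A23484: cairo_stroke (in /usr/lib64/libcairo.so.2.11400.0)
==20951==    by 0x3FB96A613F: clipPolygon (engine.c:1080)
==20951==  Address 0x1307c0b0 is 0 bytes after a block of size 1,806,336 alloc'd
==20951==    at 0x4A08946: calloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==20951==    by 0x3FC7419C39: create_bits (pixman-bits-image.c:935)
==20951==
"""

if __name__ == "__main__":
    for line in summarize(SAMPLE):
        print(line)
    print("objects without symbols:", unsymbolized_objects(parse_memcheck(SAMPLE)))
```

Feed it a real memcheck log (`valgrind ... 2> memcheck.log`, then `parse_memcheck(open("memcheck.log").read())`); the paired read and write at the same address with offset 0 is the pattern that points at an off-the-end row access in a compositor rather than a corrupted pointer, and the unsymbolized-object list is the set of libraries whose debuginfo still has to be installed before the "???" frames will resolve.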
Filed upstream at https://bugs.r-project.org/bugzilla3/show_bug.cgi?id=16182
I'm not able to reproduce the crash with R built from source, both for 3.1.2 and R-devel from SVN. I've checked X11.options() are all the same, including type="cairo". Any ideas about what the difference might be?
Actually I'm now able to reproduce the crash with upstream sources too (I needed to enable Pango). I've posted a reproducer there.
I can't reproduce your crash with the R packages in Fedora 21 (x86_64), even with your reproducer from the upstream bug. Your traceback goes through:
cairo_stroke (in /usr/lib64/libcairo.so.2.11400.0)
The latest cairo package for Fedora 21 is cairo-1.13.1-0.4.git337ab1f.fc21, which has:
/usr/lib64/libcairo.so.2.11301.0
I tried updating to the cairo in updates-testing (1.14.0-1.fc21) which has /usr/lib64/libcairo.so.2.11400.0, but I still couldn't get it to crash with your reproducer code. I'm not sure what's different between us. :/
The only thing I can think of is that there is a known crasher in Cairo 1.14.0 that is fixed in rawhide, but not yet in any update (testing or stable) for Fedora. You might try that and see if it resolves the issue on your end:
http://koji.fedoraproject.org/koji/buildinfo?buildID=608012
Actually, looking at the upstream patch, I think there is a good chance that fix will resolve your crash: http://cgit.freedesktop.org/cairo/patch/src/cairo-image-compositor.c?id=5c82d91a5e15d29b1489dcb413b24ee7fdf59934
Ah, I'm really lucky that you're also a Cairo expert. Indeed, cairo-1.14.0-2.fc22 fixed it! So this is a +1 to backport the fix to F21. :-) The history of this fix is quite intriguing to me, as it appears to have been identified in late November, and nothing happened since then? Maybe it would be worth it for me to send an e-mail to the list so that they know several people are affected?
*** This bug has been marked as a duplicate of bug 1183242 ***