Bug 317364 - crashes repeatedly on overlong window title
Status: RESOLVED NOTGNOME
Product: pango
Classification: Platform
Component: general
Version: 1.10.x
OS: Other Linux
Priority: High
Severity: critical
Target Milestone: ---
Assigned To: pango-maint
QA Contact: Metacity maintainers list
Depends on:
Blocks:
Reported: 2005-09-27 18:27 UTC by Christian Persch
Modified: 2005-10-03 18:33 UTC
See Also:
GNOME target: ---
GNOME version: 2.11/2.12


Attachments
testcase (563 bytes, text/plain)
2005-09-27 18:27 UTC, Christian Persch

Description Christian Persch 2005-09-27 18:27:10 UTC
Steps to repro:
0) Compile & run the attached testcase

Result:
Watch metacity crash repeatedly until it doesn't respawn anymore.

I filed bug 317362 for gtk to prevent this from happening through
gtk_window_set_title but metacity should be prepared to get this from non-gtk
programs.
Comment 1 Christian Persch 2005-09-27 18:27:27 UTC
Created attachment 52739 [details]
testcase
Comment 2 Elijah Newren 2005-09-27 19:20:32 UTC
That _sucks_.  I had to increase the size of the title in the testcase to get
anything bad to happen, but once I did, I wasn't even able to get things going
again from a virtual terminal without killing gnome-session.  I thought I was
going to be able to just kill the bad program and restart metacity from virtual
terminal 1 like I normally do when I wedge Metacity with a bad patch, but
although I got metacity running again it just flat would not respond to any
keyboard or mouse input.

Marking as urgent since 2.12.1 is coming up real soon now...
Comment 3 Rob Adams 2005-09-27 19:34:37 UTC
Is this a buffer overflow?  Pango b0rking?  What's going wrong here, exactly?
Comment 4 Elijah Newren 2005-09-27 20:00:14 UTC
From a backtrace, it looks like the pango calls to cairo are b0rking -- drawing
out of bounds or something?  I dunno, but here's the bt:

Program received signal SIGABRT, Aborted.

Thread NaN (LWP 22906)

  • #0 _dl_sysinfo_int80
    from /lib/ld-linux.so.2
  • #1 raise
    from /lib/tls/libc.so.6
  • #2 abort
    from /lib/tls/libc.so.6
  • #3 meta_bug
    at util.c line 359
  • #4 x_error_handler
    at errors.c line 206
  • #5 _XError
    from /usr/X11R6/lib/libX11.so.6
  • #6 _XError
    from /usr/X11R6/lib/libX11.so.6
  • #7 _XError
    from /usr/X11R6/lib/libX11.so.6
  • #8 XRenderCompositeText8
    at Glyph.c line 478
  • #9 pixman_op
    at pixregion.c line 769
  • #10 _cairo_traps_tessellate_rectangle
    at cairo-traps.c line 349
  • #11 _cairo_hull_next_valid
    at cairo-hull.c line 130
  • #12 _cairo_surface_clip_and_composite_trapezoids
    at cairo-gstate.c line 1336
  • #13 _cairo_hull_compute
    at cairo-hull.c line 175
  • #14 _cairo_arc_in_direction
    at cairo-arc.c line 164
  • #15 pango_cairo_renderer_draw_glyphs
    at pangocairo-render.c line 110
  • #16 pango_renderer_draw_glyphs
    at pango-renderer.c line 596
  • #17 pango_cairo_show_glyph_string
    at pangocairo-render.c line 307
  • #18 gdk_pango_renderer_draw_glyphs
    at gdkpango.c line 210
  • #19 pango_renderer_draw_glyphs
    at pango-renderer.c line 596
  • #20 pango_renderer_draw_layout_line
    at pango-renderer.c line 528
  • #21 pango_renderer_draw_layout
    at pango-renderer.c line 182
  • #22 IA__gdk_draw_layout_with_colors
    at gdkpango.c line 989
  • #23 IA__gdk_draw_layout
    at gdkpango.c line 1051
  • #24 meta_draw_op_draw_with_env
    at theme.c line 3490
  • #25 meta_draw_op_list_draw
    at theme.c line 3696
  • #26 meta_draw_op_draw_with_env
    at theme.c line 3507
  • #27 meta_draw_op_list_draw
    at theme.c line 3696
  • #28 meta_frame_style_draw
    at theme.c line 4156
  • #29 meta_theme_draw_frame
    at theme.c line 4845
  • #30 meta_frames_paint_to_drawable
    at frames.c line 2208
  • #31 generate_pixmap
    at frames.c line 1871
  • #32 meta_frames_expose_event
    at frames.c line 1916
  • #33 _gtk_marshal_BOOLEAN__BOXED
    at gtkmarshalers.c line 83
  • #34 g_type_class_meta_marshal
    at gclosure.c line 569
  • #35 IA__g_closure_invoke
    at gclosure.c line 492
  • #36 signal_emit_unlocked_R
    at gsignal.c line 2523
  • #37 IA__g_signal_emit_valist
    at gsignal.c line 2254
  • #38 IA__g_signal_emit
    at gsignal.c line 2288
  • #39 gtk_widget_event_internal
    at gtkwidget.c line 3735
  • #40 IA__gtk_main_do_event
    at gtkmain.c line 1359
  • #41 gdk_window_process_updates_internal
    at gdkwindow.c line 2215
  • #42 IA__gdk_window_process_all_updates
    at gdkwindow.c line 2268
  • #43 gdk_window_update_idle
    at gdkwindow.c line 2136
  • #44 g_idle_dispatch
    at gmain.c line 3813
  • #45 IA__g_main_context_dispatch
    at gmain.c line 1934
  • #46 g_main_context_iterate
    at gmain.c line 2565
  • #47 IA__g_main_loop_run
    at gmain.c line 2769
  • #48 main
    at main.c line 483

Comment 5 Christian Persch 2005-09-27 20:15:33 UTC
While the pango/cairo crash deserves a fix too, shouldn't metacity simply limit
the length to something sane, like maybe 4k or 8k bytes (nearest utf-8 character
boundary, of course)?
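The limit suggested in the comment above (cap the title at a few kilobytes, cut at a UTF-8 character boundary) is the kind of input validation a window manager needs because window titles come from arbitrary, untrusted X clients. The following is an added example, not Metacity's or Pango's code: it validates that a title is well-formed UTF-8, then truncates it at the last complete character that fits in a cap. The cap value `MAX_TITLE_BYTES` (4096, taken from the comment's "4k" suggestion) and the function names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed cap; the bug comment suggests 4k or 8k bytes. */
#define MAX_TITLE_BYTES 4096

/* Structural UTF-8 validation: correct lead/continuation shapes, no overlong
 * encodings, no surrogate code points, nothing above U+10FFFF. A title that
 * fails this check should be replaced by a placeholder, not drawn as-is. */
static int utf8_is_valid(const char *s, size_t len)
{
    const unsigned char *p = (const unsigned char *)s;
    const unsigned char *end = p + len;

    while (p < end) {
        unsigned char c = *p;
        size_t n;                     /* continuation bytes expected */
        unsigned char lo = 0x80, hi = 0xBF;  /* range for the 2nd byte */

        if (c < 0x80) { p++; continue; }
        else if (c >= 0xC2 && c <= 0xDF) n = 1;
        else if (c >= 0xE0 && c <= 0xEF) {
            n = 2;
            if (c == 0xE0) lo = 0xA0;        /* reject overlong 3-byte */
            else if (c == 0xED) hi = 0x9F;   /* reject UTF-16 surrogates */
        } else if (c >= 0xF0 && c <= 0xF4) {
            n = 3;
            if (c == 0xF0) lo = 0x90;        /* reject overlong 4-byte */
            else if (c == 0xF4) hi = 0x8F;   /* reject > U+10FFFF */
        } else return 0;                     /* 0x80-0xC1, 0xF5-0xFF */

        if ((size_t)(end - p) < n + 1) return 0;   /* truncated sequence */
        if (p[1] < lo || p[1] > hi) return 0;
        for (size_t i = 2; i <= n; i++)
            if ((p[i] & 0xC0) != 0x80) return 0;
        p += n + 1;
    }
    return 1;
}

/* Number of leading bytes of s that fit in max_bytes without splitting a
 * multi-byte character. Steps back over continuation bytes (10xxxxxx) so the
 * cut lands on a character boundary. */
static size_t utf8_truncate_len(const char *s, size_t max_bytes)
{
    size_t len = strlen(s);
    if (len <= max_bytes) return len;

    size_t cut = max_bytes;
    while (cut > 0 && ((unsigned char)s[cut] & 0xC0) == 0x80)
        cut--;
    return cut;
}

/* Returns a freshly allocated copy of raw, at most max_bytes long, or NULL if
 * raw is not valid UTF-8 (or on allocation failure). Caller frees the result. */
static char *sanitize_title(const char *raw, size_t max_bytes)
{
    size_t len = strlen(raw);
    if (!utf8_is_valid(raw, len)) return NULL;

    size_t keep = utf8_truncate_len(raw, max_bytes);
    char *out = malloc(keep + 1);
    if (!out) return NULL;
    memcpy(out, raw, keep);
    out[keep] = '\0';
    return out;
}

int main(void)
{
    /* Constructed input: a 100000-byte title, the shape of the testcase. */
    size_t n = 100000;
    char *huge = malloc(n + 1);
    if (!huge) return 1;
    memset(huge, 'A', n);
    huge[n] = '\0';

    char *safe = sanitize_title(huge, MAX_TITLE_BYTES);
    printf("title of %zu bytes capped to %zu bytes\n", n, strlen(safe));

    /* Constructed invalid input: a lone continuation byte. */
    char *bad = sanitize_title("\x80", MAX_TITLE_BYTES);
    printf("invalid UTF-8 rejected: %s\n", bad == NULL ? "yes" : "no");

    free(safe); free(bad); free(huge);
    return 0;
}
```

The validation step matters as much as the cap: the renderer below the window manager assumes well-formed UTF-8, so a malformed title should be replaced by a placeholder rather than truncated and passed on.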
Comment 6 Rob Adams 2005-09-27 20:33:13 UTC
Yeah, you're probably right, Elijah; I'll bet that cairo is aborting on some sort
of overflow when we try to draw 20,000 leagues off the screen.

Isn't there a convenient GTK label now that ellipsizes stuff for us
automatically these days?
Comment 7 Sebastien Bacher 2005-10-01 13:03:33 UTC
Seems to be a duplicate of #315070, which has a patch. It would be nice if you
could reply to the comment of the firefox/ubuntu maintainer on the other bug :)
Comment 8 Elijah Newren 2005-10-01 14:57:34 UTC
Since bug 315070 is about doing the sane metacity limit as mentioned by
Christian in comment 5, I'm reassigning this bug with the pango/cairo backtrace
to pango though Owen might tell us we need to refile this upstream...
Comment 9 Behdad Esfahbod 2005-10-01 16:33:55 UTC
Yeah, I think it should go upstream to cairo.
Comment 10 Elijah Newren 2005-10-01 16:47:31 UTC
Okay, filed as https://bugs.freedesktop.org/show_bug.cgi?id=4657 then.
Comment 11 Elijah Newren 2005-10-03 18:33:21 UTC
(A patch in bug 315070 to work around this bug for Metacity has now been
committed, for those interested)