GNOME Bugzilla – Bug 586814
Crashes related to fontmap destruction after upgrade
Last modified: 2009-07-18 04:30:40 UTC
Something has changed for the worse between 1.22.1 and 1.24.2 with respect to fontmap destruction. For the non-gui applications that come with Gnumeric we are seeing reports of crashes when Gnumeric releases its fontmap. See http://bugzilla.gnome.org/show_bug.cgi?id=586328#c5

Upcoming simple program shows the following problem which may or may not be the same.

==12073== Invalid read of size 4
==12073==    at 0x47CD3B6: g_hash_table_foreach (in /usr/lib/libglib-2.0.so.0.1800.2)
==12073==    by 0x457C790: pango_fc_font_map_shutdown (in /usr/lib/libpangoft2-1.0.so.0.2400.2)
==12073==    by 0x457C831: (within /usr/lib/libpangoft2-1.0.so.0.2400.2)
==12073==    by 0x45C57E5: (within /usr/lib/libpangocairo-1.0.so.0.2400.2)
==12073==    by 0x4764EF2: g_object_unref (in /usr/lib/libgobject-2.0.so.0.1800.2)
==12073==    by 0x804890F: gnm_font_shutdown (ppp.c:39)
==12073==    by 0x80489EC: main (ppp.c:51)
==12073==  Address 0x4e533f8 is 8 bytes inside a block of size 16 free'd
==12073==    at 0x4026BFA: free (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==12073==    by 0x47E4045: g_free (in /usr/lib/libglib-2.0.so.0.1800.2)
==12073==    by 0x47CD76A: (within /usr/lib/libglib-2.0.so.0.1800.2)
==12073==    by 0x47CE6B3: (within /usr/lib/libglib-2.0.so.0.1800.2)
==12073==    by 0x457D0E1: (within /usr/lib/libpangoft2-1.0.so.0.2400.2)
==12073==    by 0x457D120: (within /usr/lib/libpangoft2-1.0.so.0.2400.2)
==12073==    by 0x47CD3B5: g_hash_table_foreach (in /usr/lib/libglib-2.0.so.0.1800.2)
==12073==    by 0x457C790: pango_fc_font_map_shutdown (in /usr/lib/libpangoft2-1.0.so.0.2400.2)
==12073==    by 0x457C831: (within /usr/lib/libpangoft2-1.0.so.0.2400.2)
==12073==    by 0x45C57E5: (within /usr/lib/libpangocairo-1.0.so.0.2400.2)
==12073==    by 0x4764EF2: g_object_unref (in /usr/lib/libgobject-2.0.so.0.1800.2)
==12073==    by 0x804890F: gnm_font_shutdown (ppp.c:39)
Created attachment 137286 [details]
Test program

# gcc -Wall -O2 `pkg-config --cflags --libs glib-2.0 gobject-2.0 gthread-2.0 gtk+-2.0` -g ppp.c
# G_SLICE=always-malloc valgrind ./a.out
Can't reproduce. Can you look inside a bit?
1. pango_fc_font_map_shutdown calls g_hash_table_foreach (priv->font_hash, (GHFunc) shutdown_font, fcfontmap);
2. shutdown_font calls _pango_fc_font_map_remove.
3. _pango_fc_font_map_remove calls g_hash_table_remove (priv->font_hash, key);

...if I follow the code right. You are not supposed to mess with a GHashTable while you are walking over it. Actual behaviour is address dependent since pango_fc_font_key_hash depends on the address of key->pattern. Thus it's not a big surprise that you cannot reproduce with the exact example that trips me.

Suggestion: use g_hash_table_get_values.
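The three-step chain above (foreach -> shutdown_font -> remove) is the whole bug, and the reason it is address dependent is that whether the walker reads freed memory depends on where the removed node sits in its bucket chain. The following is an added example, written for this page and not code from Pango or GLib: a tiny chained hash table (hypothetical, with made-up names such as table_foreach and table_get_keys) whose foreach mirrors g_hash_table_foreach by reading the next pointer only after the callback returns, so a callback that removes the current entry leaves the walker holding freed memory; beside it is the snapshot-then-remove fix that the suggestion to use g_hash_table_get_values amounts to. The sample keys are constructed font-description strings, not data from the report.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup */
#include <stdlib.h>
#include <string.h>

/* Tiny chained hash table standing in for GHashTable (hypothetical, not
 * GLib code): just enough to show why removing entries from inside a
 * foreach callback is a use-after-free, and the snapshot-then-remove fix. */
#define NBUCKETS 8

typedef struct node { char *key; struct node *next; } node;
typedef struct { node *buckets[NBUCKETS]; size_t count; } table;

static unsigned bucket_of(const char *s)
{
    unsigned h = 5381;
    while (*s) h = h * 33 + (unsigned char)*s++;
    return h % NBUCKETS;
}

static void table_insert(table *t, const char *key)
{
    node *n = malloc(sizeof *n);
    unsigned b = bucket_of(key);
    n->key = strdup(key);
    n->next = t->buckets[b];
    t->buckets[b] = n;
    t->count++;
}

/* Unlinks and frees the node; any pointer to it held elsewhere now dangles. */
static int table_remove(table *t, const char *key)
{
    for (node **pp = &t->buckets[bucket_of(key)]; *pp; pp = &(*pp)->next) {
        if (strcmp((*pp)->key, key) == 0) {
            node *victim = *pp;
            *pp = victim->next;
            free(victim->key);
            free(victim);
            t->count--;
            return 1;
        }
    }
    return 0;
}

typedef void (*visit_fn)(table *t, const char *key);

/* Mirrors g_hash_table_foreach: n->next is read only after the callback
 * returns, so a callback that removes the current entry makes the walker
 * read freed memory (the "Invalid read ... inside a block free'd" above). */
static void table_foreach(table *t, visit_fn fn)
{
    for (size_t b = 0; b < NBUCKETS; b++)
        for (node *n = t->buckets[b]; n; n = n->next)
            fn(t, n->key);
}

/* The pattern the report describes (shutdown_font -> _remove): handing this
 * to table_foreach is the bug. Kept as the "before"; deliberately never run. */
static void remove_in_callback(table *t, const char *key)
{
    table_remove(t, key);            /* frees the node the walker still holds */
}

/* The fix: snapshot the keys first (what g_hash_table_get_keys/get_values
 * hand back), then mutate from the snapshot, never from inside the walk. */
static char **table_get_keys(const table *t, size_t *n_out)
{
    char **keys = malloc((t->count + 1) * sizeof *keys);
    size_t i = 0;
    for (size_t b = 0; b < NBUCKETS; b++)
        for (const node *n = t->buckets[b]; n; n = n->next)
            keys[i++] = strdup(n->key);
    keys[i] = NULL;
    *n_out = i;
    return keys;
}

static size_t table_shutdown_safe(table *t)
{
    size_t n, removed = 0;
    char **keys = table_get_keys(t, &n);
    for (size_t i = 0; i < n; i++) {
        removed += (size_t)table_remove(t, keys[i]);
        free(keys[i]);
    }
    free(keys);
    return removed;
}

/* Constructed sample: four font-description keys. Returns how many entries
 * the safe shutdown removed, or -1 if anything was left behind. */
static int demo_safe_shutdown(void)
{
    table t = {{0}, 0};
    const char *keys[] = {"Sans 10", "Serif 12", "Mono 9", "Sans 11"};
    size_t removed;
    (void)remove_in_callback;        /* referenced only so -Wall stays quiet */
    for (size_t i = 0; i < sizeof keys / sizeof keys[0]; i++)
        table_insert(&t, keys[i]);
    removed = table_shutdown_safe(&t);
    return t.count == 0 ? (int)removed : -1;
}
```

Building with `-fsanitize=address` and pointing table_foreach at remove_in_callback instead makes the dangling n->next read fail deterministically rather than only for unlucky bucket layouts, which is the same address dependence the comment describes. For real GLib code, g_hash_table_foreach_remove and GHashTableIter with g_hash_table_iter_remove are the APIs that permit removal during traversal; collecting with g_hash_table_get_values (or get_keys) and removing afterwards, as suggested here, is the other safe shape.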
Ok, I've pushed a fix to master. Please test and reopen.
Hmm... While that does fix the problem reported here, it looks like there are more problems. I'll investigate and file a report.
Created attachment 137347 [details] [review]
Further patch needed

This patch prevents Bad Things Happening[tm] when the fontmap clears weak references.

==29877== Invalid write of size 4
==29877==    at 0x50E07D9: g_nullify_pointer (in /usr/lib/libglib-2.0.so.0.1800.2)
==29877==    by 0x5035680: (within /usr/lib/libgobject-2.0.so.0.1800.2)
==29877==    by 0x5098715: g_datalist_id_set_data_full (in /usr/lib/libglib-2.0.so.0.1800.2)
==29877==    by 0x5035CD8: (within /usr/lib/libgobject-2.0.so.0.1800.2)
==29877==    by 0x5035E57: g_object_unref (in /usr/lib/libgobject-2.0.so.0.1800.2)
==29877==    by 0x4145FB2: gnm_font_shutdown (style.c:407)
==29877==    by 0x40DC5A4: gnm_shutdown (libgnumeric.c:336)
==29877==    by 0x804AE7A: main (ssconvert.c:610)
Pushed a slightly modified version. Please test. And thanks for catching these.
*** Bug 585806 has been marked as a duplicate of this bug. ***
I believe the fix for this bug caused this bug: https://bugzilla.mozilla.org/show_bug.cgi?id=503792 to appear when running firefox. Also see gnome bug 588063.