https://bugzilla.novell.com/show_bug.cgi?id=223794

------- Comment #1 from amantia@kde.org 2006-11-26 15:53 MST -------

This starts to be interesting and challenging. I did several tests in the following order:

- disabled SUSE's patches to fontconfig: still crashes
- compared SUSE's version of fontconfig with Fedora's version: they are the same
- recompiled ImageMagick using SUSE's spec file, but taking the latest official sources (6.3.0-6, from 24/11/2006): still crashes
- created a small C test file: doesn't crash. What? ;-)
- moved around the code in my application until I found that it crashes only if it is after some Qt method calls, namely QLabel->setAlignment.

I ran it in valgrind as well, just to complicate my life and spend some more hours with debugging. Valgrind indicates use of an uninitialized value in libXft, originating from QLabel::setAlignment! So I tried to fix that (seems to be an x86_64-specific bug in libXft, due to suspicious pointer mangling), but wasn't sure how to do it. Anyway, I got rid of that code, and valgrind did not complain anymore about this error, but the crash remained. :-(

Here I am now, clueless how to continue and unsure where the bug is: ImageMagick, fontconfig, libXft or Qt. I still suspect libXft, but please reassign the bug to the one you think has the biggest experience in this field.

I created a smaller application showing the bug, I'll soon attach it. Here is the valgrind log for the example application:

valgrind ./imagemagickcrash
==21220== Memcheck, a memory error detector.
==21220== Copyright (C) 2002-2006, and GNU GPL'd, by Julian Seward et al.
==21220== Using LibVEX rev 1658, a library for dynamic binary translation.
==21220== Copyright (C) 2004-2006, and GNU GPL'd, by OpenWorks LLP.
==21220== Using valgrind-3.2.2.SVN, a dynamic binary instrumentation framework.
==21220== Copyright (C) 2000-2006, and GNU GPL'd, by Julian Seward et al.
==21220== For more details, rerun with: -v
==21220==
==21220== Invalid read of size 8
==21220==    at 0x69CAEA2: __strcpy_chk (in /lib64/libc-2.5.so)
==21220==    by 0x5EB67F3: store_to_database (in /usr/lib64/libX11.so.6.2.0)
==21220==    by 0x5EB6A0E: f_newline (in /usr/lib64/libX11.so.6.2.0)
==21220==    by 0x5EB71B5: _XlcCreateLocaleDataBase (in /usr/lib64/libX11.so.6.2.0)
==21220==    by 0x5EBB591: initialize (in /usr/lib64/libX11.so.6.2.0)
==21220==    by 0x5EB9729: initialize (in /usr/lib64/libX11.so.6.2.0)
==21220==    by 0x5EBB1F5: _XlcCreateLC (in /usr/lib64/libX11.so.6.2.0)
==21220==    by 0x5EDBA3F: _XlcUtf8Loader (in /usr/lib64/libX11.so.6.2.0)
==21220==    by 0x5EC2812: _XOpenLC (in /usr/lib64/libX11.so.6.2.0)
==21220==    by 0x5EC28CA: _XrmInitParseInfo (in /usr/lib64/libX11.so.6.2.0)
==21220==    by 0x5EACAEF: NewDatabase (in /usr/lib64/libX11.so.6.2.0)
==21220==    by 0x5EAE2AD: XrmGetStringDatabase (in /usr/lib64/libX11.so.6.2.0)
==21220==  Address 0x9C64708 is 16 bytes inside a block of size 18 alloc'd
==21220==    at 0x4C22889: malloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==21220==    by 0x5EB6CA1: f_default (in /usr/lib64/libX11.so.6.2.0)
==21220==    by 0x5EB71B5: _XlcCreateLocaleDataBase (in /usr/lib64/libX11.so.6.2.0)
==21220==    by 0x5EBB591: initialize (in /usr/lib64/libX11.so.6.2.0)
==21220==    by 0x5EB9729: initialize (in /usr/lib64/libX11.so.6.2.0)
==21220==    by 0x5EBB1F5: _XlcCreateLC (in /usr/lib64/libX11.so.6.2.0)
==21220==    by 0x5EDBA3F: _XlcUtf8Loader (in /usr/lib64/libX11.so.6.2.0)
==21220==    by 0x5EC2812: _XOpenLC (in /usr/lib64/libX11.so.6.2.0)
==21220==    by 0x5EC28CA: _XrmInitParseInfo (in /usr/lib64/libX11.so.6.2.0)
==21220==    by 0x5EACAEF: NewDatabase (in /usr/lib64/libX11.so.6.2.0)
==21220==    by 0x5EAE2AD: XrmGetStringDatabase (in /usr/lib64/libX11.so.6.2.0)
==21220==    by 0x5E887AB: XGetDefault (in /usr/lib64/libX11.so.6.2.0)
==21220==
==21220== Invalid read of size 8
==21220==    at 0x69CAE79: __strcpy_chk (in /lib64/libc-2.5.so)
==21220==    by 0x5EB67F3: store_to_database (in /usr/lib64/libX11.so.6.2.0)
==21220==    by 0x5EB6A0E: f_newline (in /usr/lib64/libX11.so.6.2.0)
==21220==    by 0x5EB71B5: _XlcCreateLocaleDataBase (in /usr/lib64/libX11.so.6.2.0)
==21220==    by 0x5EBB591: initialize (in /usr/lib64/libX11.so.6.2.0)
==21220==    by 0x5EB9729: initialize (in /usr/lib64/libX11.so.6.2.0)
==21220==    by 0x5EBB1F5: _XlcCreateLC (in /usr/lib64/libX11.so.6.2.0)
==21220==    by 0x5EDBA3F: _XlcUtf8Loader (in /usr/lib64/libX11.so.6.2.0)
==21220==    by 0x5EC2812: _XOpenLC (in /usr/lib64/libX11.so.6.2.0)
==21220==    by 0x5EC28CA: _XrmInitParseInfo (in /usr/lib64/libX11.so.6.2.0)
==21220==    by 0x5EACAEF: NewDatabase (in /usr/lib64/libX11.so.6.2.0)
==21220==    by 0x5EAE2AD: XrmGetStringDatabase (in /usr/lib64/libX11.so.6.2.0)
==21220==  Address 0x9C648A0 is 8 bytes inside a block of size 12 alloc'd
==21220==    at 0x4C22889: malloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==21220==    by 0x5EB6CA1: f_default (in /usr/lib64/libX11.so.6.2.0)
==21220==    by 0x5EB71B5: _XlcCreateLocaleDataBase (in /usr/lib64/libX11.so.6.2.0)
==21220==    by 0x5EBB591: initialize (in /usr/lib64/libX11.so.6.2.0)
==21220==    by 0x5EB9729: initialize (in /usr/lib64/libX11.so.6.2.0)
==21220==    by 0x5EBB1F5: _XlcCreateLC (in /usr/lib64/libX11.so.6.2.0)
==21220==    by 0x5EDBA3F: _XlcUtf8Loader (in /usr/lib64/libX11.so.6.2.0)
==21220==    by 0x5EC2812: _XOpenLC (in /usr/lib64/libX11.so.6.2.0)
==21220==    by 0x5EC28CA: _XrmInitParseInfo (in /usr/lib64/libX11.so.6.2.0)
==21220==    by 0x5EACAEF: NewDatabase (in /usr/lib64/libX11.so.6.2.0)
==21220==    by 0x5EAE2AD: XrmGetStringDatabase (in /usr/lib64/libX11.so.6.2.0)
==21220==    by 0x5E887AB: XGetDefault (in /usr/lib64/libX11.so.6.2.0)
==21220==
==21220== Invalid read of size 8
==21220==    at 0x69CAE50: __strcpy_chk (in /lib64/libc-2.5.so)
==21220==    by 0x5EB67F3: store_to_database (in /usr/lib64/libX11.so.6.2.0)
==21220==    by 0x5EB6A0E: f_newline (in /usr/lib64/libX11.so.6.2.0)
==21220==    by 0x5EB71B5: _XlcCreateLocaleDataBase (in /usr/lib64/libX11.so.6.2.0)
==21220==    by 0x5EBB591: initialize (in /usr/lib64/libX11.so.6.2.0)
==21220==    by 0x5EB9729: initialize (in /usr/lib64/libX11.so.6.2.0)
==21220==    by 0x5EBB1F5: _XlcCreateLC (in /usr/lib64/libX11.so.6.2.0)
==21220==    by 0x5EDBA3F: _XlcUtf8Loader (in /usr/lib64/libX11.so.6.2.0)
==21220==    by 0x5EC2812: _XOpenLC (in /usr/lib64/libX11.so.6.2.0)
==21220==    by 0x5EC28CA: _XrmInitParseInfo (in /usr/lib64/libX11.so.6.2.0)
==21220==    by 0x5EACAEF: NewDatabase (in /usr/lib64/libX11.so.6.2.0)
==21220==    by 0x5EAE2AD: XrmGetStringDatabase (in /usr/lib64/libX11.so.6.2.0)
==21220==  Address 0x9C64A28 is 0 bytes inside a block of size 4 alloc'd
==21220==    at 0x4C22889: malloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==21220==    by 0x5EB6CA1: f_default (in /usr/lib64/libX11.so.6.2.0)
==21220==    by 0x5EB71B5: _XlcCreateLocaleDataBase (in /usr/lib64/libX11.so.6.2.0)
==21220==    by 0x5EBB591: initialize (in /usr/lib64/libX11.so.6.2.0)
==21220==    by 0x5EB9729: initialize (in /usr/lib64/libX11.so.6.2.0)
==21220==    by 0x5EBB1F5: _XlcCreateLC (in /usr/lib64/libX11.so.6.2.0)
==21220==    by 0x5EDBA3F: _XlcUtf8Loader (in /usr/lib64/libX11.so.6.2.0)
==21220==    by 0x5EC2812: _XOpenLC (in /usr/lib64/libX11.so.6.2.0)
==21220==    by 0x5EC28CA: _XrmInitParseInfo (in /usr/lib64/libX11.so.6.2.0)
==21220==    by 0x5EACAEF: NewDatabase (in /usr/lib64/libX11.so.6.2.0)
==21220==    by 0x5EAE2AD: XrmGetStringDatabase (in /usr/lib64/libX11.so.6.2.0)
==21220==    by 0x5E887AB: XGetDefault (in /usr/lib64/libX11.so.6.2.0)
==21220==
==21220== Use of uninitialised value of size 8
==21220==    at 0x92D77B1: XftFontOpenInfo (xftfreetype.c:806)
==21220==    by 0x92D7FED: XftFontOpenPattern (xftfreetype.c:1091)
==21220==    by 0x5522B4F: loadEngine(QFont::Script, QFontPrivate const*, QFontDef const&, QtFontFamily*, QtFontFoundry*, QtFontStyle*, QtFontSize*, QtFontEncoding*, bool) (qfontdatabase_x11.cpp:1647)
==21220==    by 0x5523653: QFontDatabase::findFont(QFont::Script, QFontPrivate const*, QFontDef const&, int) (qfontdatabase.cpp:1142)
==21220==    by 0x54B50D8: QFontPrivate::load(QFont::Script) (qfont_x11.cpp:420)
==21220==    by 0x54B5512: QFontMetrics::width(QChar) const (qfontdata_p.h:152)
==21220==    by 0x560358E: QLabel::sizeForWidth(int) const (qfontmetrics.h:80)
==21220==    by 0x5603B55: QLabel::minimumSizeHint() const (qlabel.cpp:638)
==21220==    by 0x5603C7B: QLabel::sizeHint() const (qlabel.cpp:623)
==21220==    by 0x5603D10: QLabel::setAlignment(int) (qlabel.cpp:439)
==21220==    by 0x401260: main (imagemagickcrash.cpp:36)
==21220==
==21220== Use of uninitialised value of size 8
==21220==    at 0x92D7AD8: XftFontOpenInfo (xftfreetype.c:974)
==21220==    by 0x92D7FED: XftFontOpenPattern (xftfreetype.c:1091)
==21220==    by 0x5522B4F: loadEngine(QFont::Script, QFontPrivate const*, QFontDef const&, QtFontFamily*, QtFontFoundry*, QtFontStyle*, QtFontSize*, QtFontEncoding*, bool) (qfontdatabase_x11.cpp:1647)
==21220==    by 0x5523653: QFontDatabase::findFont(QFont::Script, QFontPrivate const*, QFontDef const&, int) (qfontdatabase.cpp:1142)
==21220==    by 0x54B50D8: QFontPrivate::load(QFont::Script) (qfont_x11.cpp:420)
==21220==    by 0x54B5512: QFontMetrics::width(QChar) const (qfontdata_p.h:152)
==21220==    by 0x560358E: QLabel::sizeForWidth(int) const (qfontmetrics.h:80)
==21220==    by 0x5603B55: QLabel::minimumSizeHint() const (qlabel.cpp:638)
==21220==    by 0x5603C7B: QLabel::sizeHint() const (qlabel.cpp:623)
==21220==    by 0x5603D10: QLabel::setAlignment(int) (qlabel.cpp:439)
==21220==    by 0x401260: main (imagemagickcrash.cpp:36)
imagemagickcrash: fccache.c:412: FcCacheFini: Assertion `fcCacheChains[i] == ((void *)0)' failed.
==21220==
==21220== ERROR SUMMARY: 93 errors from 5 contexts (suppressed: 4 from 3)
==21220== malloc/free: in use at exit: 2,696,538 bytes in 9,698 blocks.
==21220== malloc/free: 85,372 allocs, 75,674 frees, 9,349,823 bytes allocated.
==21220== For counts of detected errors, rerun with: -v
==21220== searching for pointers to 9,698 not-freed blocks.
==21220== checked 40,947,400 bytes.
==21220==
==21220== LEAK SUMMARY:
==21220==    definitely lost: 4,513 bytes in 89 blocks.
==21220==      possibly lost: 0 bytes in 0 blocks.
==21220==    still reachable: 2,692,025 bytes in 9,609 blocks.
==21220==         suppressed: 0 bytes in 0 blocks.
==21220== Use --leak-check=full to see details of leaked memory.

The interesting part is XftFontOpenInfo (xftfreetype.c:806) and XftFontOpenInfo (xftfreetype.c:974). Both are referring to the "bucket" variable, but actually the uninitialized variable error is due to "fi->hash" (the hash part). This is set between lines 712-721:

    hash = 0;
    hashp = (FcChar32 *) fi + 1;
    nhash = (sizeof (XftFontInfo) / sizeof (FcChar32)) - 1;
    while (nhash--)
        hash += *hashp++;
    fi->hash = hash;

I think the error comes from a wrong assumption of the pointer sizes on 64bit, but I am unsure how to do this right, and even what it wants to do (possibly store the sum of pointer addresses from the XftFontInfo structure except the address of the hash variable itself). My workaround was to always set fi->hash to 0 and comment out the above lines. This silences the error, but the crash remains, indicating that there is some more memory corruption there.

Somewhat suspicious is the usage of "bucket" in line 805:

    bucket = &info->fontHash[fi->hash % XFT_NUM_FONT_HASH];

Here info->fontHash[fi->hash % XFT_NUM_FONT_HASH] is 0...

The beginning of the valgrind log seems to be harmless for this case, as it is there without the setAlignment call as well (and without that call the application doesn't crash).
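The hashing idiom quoted in the comment (summing the raw 32-bit words of a struct, starting just past the hash slot) is worth seeing on a small stand-in, because on x86_64 the compiler inserts padding between fields of different widths, and a raw-word hash sums those padding bytes along with the real fields. If the object was never zeroed before its fields were set, the padding holds whatever the stack or heap held before, which is exactly the kind of read Memcheck reports as "Use of uninitialised value". The code below is an added example, not code from the bug report or from libXft: font_info_t is a constructed stand-in whose layout, field names and dummy values are assumptions, and nothing here is claimed to be the real XftFontInfo. It contrasts the raw-word hash with a field-by-field hash that never touches padding; zeroing the object with memset() or allocating it with calloc() before filling it is the other usual remedy.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for XftFontInfo (an assumption, not the real layout):
 * a 32-bit hash slot first, then fields of mixed width so that the compiler
 * inserts padding, e.g. 7 bytes after 'antialias' on x86_64. */
typedef struct {
    uint32_t hash;       /* written last; excluded from the hash, as in the quoted idiom */
    uint32_t flags;
    char     antialias;  /* 1 byte, followed by padding before the pointer */
    void    *face;
    double   size;
} font_info_t;

/* The idiom quoted in the comment: sum every 32-bit word after the hash slot.
 * Padding bytes are summed along with the real fields. */
uint32_t hash_raw_words(const font_info_t *fi)
{
    uint32_t hash = 0;
    const uint32_t *hashp = (const uint32_t *) fi + 1;
    size_t nhash = (sizeof(font_info_t) / sizeof(uint32_t)) - 1;
    while (nhash--)
        hash += *hashp++;
    return hash;
}

/* Field-wise alternative: only named fields contribute, so the result does not
 * depend on what the padding bytes happen to contain. */
uint32_t hash_fields(const font_info_t *fi)
{
    uint64_t face = (uint64_t) (uintptr_t) fi->face;
    uint64_t size_bits;
    uint32_t hash = 0;

    memcpy(&size_bits, &fi->size, sizeof size_bits); /* bit pattern of the double */
    hash += fi->flags;
    hash += (uint32_t) (unsigned char) fi->antialias;
    hash += (uint32_t) face + (uint32_t) (face >> 32);
    hash += (uint32_t) size_bits + (uint32_t) (size_bits >> 32);
    return hash;
}

/* Bytes of compiler-inserted padding: struct size minus the sum of its fields. */
size_t padding_bytes(void)
{
    return sizeof(font_info_t)
         - (2 * sizeof(uint32_t) + sizeof(char) + sizeof(void *) + sizeof(double));
}

/* Pre-fill the whole object with 'fill' (standing in for whatever an
 * uninitialised stack or heap buffer contained), then set the named fields.
 * A zero fill is what calloc() or memset(fi, 0, ...) before use would give. */
void make_info(font_info_t *fi, unsigned char fill)
{
    memset(fi, fill, sizeof *fi);
    fi->flags = 3;
    fi->antialias = 1;
    fi->face = (void *) 0x1000;  /* constructed dummy pointer, never dereferenced */
    fi->size = 12.0;
}

/* 1 if two objects with identical fields hash differently under the raw-word
 * scheme once their pre-existing memory differs, i.e. the hash depends on padding. */
int raw_hash_depends_on_padding(void)
{
    font_info_t a, b;
    make_info(&a, 0x00);
    make_info(&b, 0xAA);
    return hash_raw_words(&a) != hash_raw_words(&b);
}

/* 1 if the field-wise hash is unaffected by the same experiment. */
int field_hash_is_stable(void)
{
    font_info_t a, b;
    make_info(&a, 0x00);
    make_info(&b, 0xAA);
    return hash_fields(&a) == hash_fields(&b);
}

int main(void)
{
    printf("padding bytes in font_info_t: %zu\n", padding_bytes());
    printf("raw-word hash depends on padding: %s\n",
           raw_hash_depends_on_padding() ? "yes" : "no");
    printf("field-wise hash stable: %s\n",
           field_hash_is_stable() ? "yes" : "no");
    return 0;
}
```

Run under valgrind with the memset() in make_info() removed and the raw-word hash produces the same "Use of uninitialised value" report as the log above, at the point where the hash is first used to pick a bucket; the field-wise hash produces none. The lesson for reviewing code like this is that a hash over an object's raw bytes is only well defined if every byte of the object, padding included, was initialised first.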