
Bug#766479: /usr/bin/dot: segfault while rendering png. Leads to FTBFS for another pkg



Package: graphviz
Version: 2.38.0-6
Severity: important
File: /usr/bin/dot
Tags: upstream

Dear Maintainer,

Causes FTBFS for a new version of nipype which I was about to upload.
Sample file   http://www.onerussian.com/tmp/tmpjBvUTb.dot
Command       dot -Tpng -O /tmp/tmpjBvUTb.dot

The actual segfault is in libcairo2 (1.14.0-2), but I am still not sure if that
is not just a consequence.  I could not replicate it on my local box, even though
I brought all the versions (graphviz, libcairo2) up to the sid versions.  valgrind
there reports only the first "Conditional jump..." and none of the follow-up messages.

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff5b17924 in lerp8x4 (dst=<optimized out>, a=<optimized out>, src=<optimized out>) at ../../../../src/cairo-image-compositor.c:2156
2156    ../../../../src/cairo-image-compositor.c: No such file or directory.
(gdb) bt
#0  0x00007ffff5b17924 in lerp8x4 (dst=<optimized out>, a=<optimized out>, src=<optimized out>) at ../../../../src/cairo-image-compositor.c:2156
#1  _fill_xrgb32_lerp_opaque_spans (abstract_renderer=0x7fffffffbd40, y=399, h=0, spans=0x793100, num_spans=6) at ../../../../src/cairo-image-compositor.c:2249
#2  0x00007ffff5b5b406 in blit_a8 (xmax=935, xmin=919, height=1, y=399, spans=0x7930c8, renderer=0x7fffffffbd40, cells=<optimized out>) at ../../../../src/cairo-tor-scan-converter.c:1635
#3  glitter_scan_converter_render (renderer=0x7fffffffbd40, antialias=1, winding_mask=<optimized out>, converter=<optimized out>) at ../../../../src/cairo-tor-scan-converter.c:1786
#4  _cairo_tor_scan_converter_generate (converter=0x792040, renderer=0x7fffffffbd40) at ../../../../src/cairo-tor-scan-converter.c:1849
#5  0x00007ffff5b4d52c in composite_polygon (extents=extents@entry=0x7fffffffd670, polygon=polygon@entry=0x7fffffffd220, fill_rule=fill_rule@entry=CAIRO_FILL_RULE_WINDING, antialias=antialias@entry=CAIRO_ANTIALIAS_DEFAULT, 
    compositor=0x7ffff5df6140 <spans>, compositor=0x7ffff5df6140 <spans>) at ../../../../src/cairo-spans-compositor.c:801
#6  0x00007ffff5b4df95 in clip_and_composite_polygon (compositor=compositor@entry=0x7ffff5df6140 <spans>, extents=extents@entry=0x7fffffffd670, polygon=polygon@entry=0x7fffffffd220, fill_rule=CAIRO_FILL_RULE_WINDING, 
    antialias=antialias@entry=CAIRO_ANTIALIAS_DEFAULT) at ../../../../src/cairo-spans-compositor.c:967
#7  0x00007ffff5b4ebba in _cairo_spans_compositor_stroke (_compositor=0x7ffff5df6140 <spans>, extents=0x7fffffffd670, path=<optimized out>, style=0x7fffffffda80, ctm=0x7fffffffdab0, ctm_inverse=0x7fffffffdae0, tolerance=0.10000000000000001, 
    antialias=CAIRO_ANTIALIAS_DEFAULT) at ../../../../src/cairo-spans-compositor.c:1083
#8  0x00007ffff5b09d8f in _cairo_compositor_stroke (compositor=0x7ffff5df6140 <spans>, surface=0x7ffff1e7b004, op=CAIRO_OPERATOR_CLEAR, source=0x50008, path=0x726808, style=0x7fffffffda80, ctm=0x7fffffffdab0, ctm_inverse=0x7fffffffdae0, 
    tolerance=-0.33048280269414854, antialias=CAIRO_ANTIALIAS_DEFAULT, clip=0x6b8df0) at ../../../../src/cairo-compositor.c:157
#9  0x00007ffff5b1b062 in _cairo_image_surface_stroke (abstract_surface=<optimized out>, op=<optimized out>, source=<optimized out>, path=<optimized out>, style=<optimized out>, ctm=<optimized out>, ctm_inverse=0x7fffffffdae0, 
    tolerance=<optimized out>, antialias=CAIRO_ANTIALIAS_DEFAULT, clip=0x6b8df0) at ../../../../src/cairo-image-surface.c:964
#10 0x00007ffff5b51f56 in _cairo_surface_stroke (surface=0x7456b0, op=CAIRO_OPERATOR_OVER, source=0x7fffffffdb10, path=0x726808, stroke_style=0x7fffffffda80, ctm=0x7fffffffdab0, ctm_inverse=0x7fffffffdae0, tolerance=0.10000000000000001, 
    antialias=CAIRO_ANTIALIAS_DEFAULT, clip=0x6b8df0) at ../../../../src/cairo-surface.c:2270
#11 0x00007ffff5b11c02 in _cairo_gstate_stroke (gstate=0x7264d0, path=path@entry=0x726808) at ../../../../src/cairo-gstate.c:1194
#12 0x00007ffff5b0b6e9 in _cairo_default_context_stroke (abstract_cr=0x7264a0) at ../../../../src/cairo-default-context.c:1010
#13 0x00007ffff5b04725 in INT_cairo_stroke (cr=0xef) at ../../../../src/cairo.c:2150
#14 0x00007ffff795b43a in gvrender_polygon () from /usr/lib/libgvc.so.6
#15 0x00007ffff796e3e9 in ?? () from /usr/lib/libgvc.so.6
#16 0x00007ffff796f34c in arrow_gen () from /usr/lib/libgvc.so.6
#17 0x00007ffff799bfcd in ?? () from /usr/lib/libgvc.so.6
#18 0x00007ffff79a0494 in ?? () from /usr/lib/libgvc.so.6
#19 0x00007ffff79a29a8 in emit_graph () from /usr/lib/libgvc.so.6
#20 0x00007ffff79a425b in gvRenderJobs () from /usr/lib/libgvc.so.6
#21 0x0000000000400fa2 in ?? ()
#22 0x00007ffff739cb45 in __libc_start_main () from /lib/x86_64-linux-gnu/libc.so.6
#23 0x000000000040101c in ?? ()


valgrind

==19970== Conditional jump or move depends on uninitialised value(s)
==19970==    at 0xAF7343B: ??? (in /usr/lib/graphviz/libgvplugin_dot_layout.so.6.0.0)
==19970==    by 0xAF73B7F: dot_layout (in /usr/lib/graphviz/libgvplugin_dot_layout.so.6.0.0)
==19970==    by 0x505BDC1: gvLayoutJobs (in /usr/lib/libgvc.so.6.0.0)
==19970==    by 0x400F8E: ??? (in /usr/bin/dot)
==19970==    by 0x550FB44: (below main) (libc-start.c:287)
==19970==
==19970== Invalid read of size 4
==19970==    at 0x724D830: _fill_xrgb32_lerp_opaque_spans (in /usr/lib/x86_64-linux-gnu/libcairo.so.2.11400.0)
==19970==    by 0x7291405: _cairo_tor_scan_converter_generate (in /usr/lib/x86_64-linux-gnu/libcairo.so.2.11400.0)
==19970==    by 0x728352B: composite_polygon.isra.9 (in /usr/lib/x86_64-linux-gnu/libcairo.so.2.11400.0)
==19970==    by 0x7283F94: clip_and_composite_polygon (in /usr/lib/x86_64-linux-gnu/libcairo.so.2.11400.0)
==19970==    by 0x7284BB9: _cairo_spans_compositor_stroke (in /usr/lib/x86_64-linux-gnu/libcairo.so.2.11400.0)
==19970==    by 0x723FD8E: _cairo_compositor_stroke (in /usr/lib/x86_64-linux-gnu/libcairo.so.2.11400.0)
==19970==    by 0x7251061: _cairo_image_surface_stroke (in /usr/lib/x86_64-linux-gnu/libcairo.so.2.11400.0)
==19970==    by 0x7287F55: _cairo_surface_stroke (in /usr/lib/x86_64-linux-gnu/libcairo.so.2.11400.0)
==19970==    by 0x7247C01: _cairo_gstate_stroke (in /usr/lib/x86_64-linux-gnu/libcairo.so.2.11400.0)
==19970==    by 0x72416E8: _cairo_default_context_stroke (in /usr/lib/x86_64-linux-gnu/libcairo.so.2.11400.0)
==19970==    by 0x723A724: cairo_stroke (in /usr/lib/x86_64-linux-gnu/libcairo.so.2.11400.0)
==19970==    by 0x505B439: gvrender_polygon (in /usr/lib/libgvc.so.6.0.0)
==19970==  Address 0xced19b8 is 0 bytes after a block of size 26,458,488 alloc'd
==19970==    at 0x4C2AD10: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==19970==    by 0x8A17C59: ??? (in /usr/lib/x86_64-linux-gnu/libpixman-1.so.0.32.6)
==19970==    by 0x8A17D0A: ??? (in /usr/lib/x86_64-linux-gnu/libpixman-1.so.0.32.6)
==19970==    by 0x72516A6: _cairo_image_surface_create_with_pixman_format (in /usr/lib/x86_64-linux-gnu/libcairo.so.2.11400.0)
==19970==    by 0x6E053F0: ??? (in /usr/lib/graphviz/libgvplugin_pango.so.6.0.0)
==19970==    by 0x50A1B02: emit_graph (in /usr/lib/libgvc.so.6.0.0)
==19970==    by 0x50A425A: gvRenderJobs (in /usr/lib/libgvc.so.6.0.0)
==19970==    by 0x400FA1: ??? (in /usr/bin/dot)
==19970==    by 0x550FB44: (below main) (libc-start.c:287)
==19970==
==19970== Invalid write of size 4
==19970==    at 0x724D924: _fill_xrgb32_lerp_opaque_spans (in /usr/lib/x86_64-linux-gnu/libcairo.so.2.11400.0)
==19970==    by 0x7291405: _cairo_tor_scan_converter_generate (in /usr/lib/x86_64-linux-gnu/libcairo.so.2.11400.0)
==19970==    by 0x728352B: composite_polygon.isra.9 (in /usr/lib/x86_64-linux-gnu/libcairo.so.2.11400.0)
==19970==    by 0x7283F94: clip_and_composite_polygon (in /usr/lib/x86_64-linux-gnu/libcairo.so.2.11400.0)
==19970==    by 0x7284BB9: _cairo_spans_compositor_stroke (in /usr/lib/x86_64-linux-gnu/libcairo.so.2.11400.0)
==19970==    by 0x723FD8E: _cairo_compositor_stroke (in /usr/lib/x86_64-linux-gnu/libcairo.so.2.11400.0)
==19970==    by 0x7251061: _cairo_image_surface_stroke (in /usr/lib/x86_64-linux-gnu/libcairo.so.2.11400.0)
==19970==    by 0x7287F55: _cairo_surface_stroke (in /usr/lib/x86_64-linux-gnu/libcairo.so.2.11400.0)
==19970==    by 0x7247C01: _cairo_gstate_stroke (in /usr/lib/x86_64-linux-gnu/libcairo.so.2.11400.0)
==19970==    by 0x72416E8: _cairo_default_context_stroke (in /usr/lib/x86_64-linux-gnu/libcairo.so.2.11400.0)
==19970==    by 0x723A724: cairo_stroke (in /usr/lib/x86_64-linux-gnu/libcairo.so.2.11400.0)
==19970==    by 0x505B439: gvrender_polygon (in /usr/lib/libgvc.so.6.0.0)
==19970==  Address 0xced19b8 is 0 bytes after a block of size 26,458,488 alloc'd
==19970==    at 0x4C2AD10: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==19970==    by 0x8A17C59: ??? (in /usr/lib/x86_64-linux-gnu/libpixman-1.so.0.32.6)
==19970==    by 0x8A17D0A: ??? (in /usr/lib/x86_64-linux-gnu/libpixman-1.so.0.32.6)
==19970==    by 0x72516A6: _cairo_image_surface_create_with_pixman_format (in /usr/lib/x86_64-linux-gnu/libcairo.so.2.11400.0)
==19970==    by 0x6E053F0: ??? (in /usr/lib/graphviz/libgvplugin_pango.so.6.0.0)
==19970==    by 0x50A1B02: emit_graph (in /usr/lib/libgvc.so.6.0.0)
==19970==    by 0x50A425A: gvRenderJobs (in /usr/lib/libgvc.so.6.0.0)
==19970==    by 0x400FA1: ??? (in /usr/bin/dot)
==19970==    by 0x550FB44: (below main) (libc-start.c:287)
==19970== 
==19970== 
==19970== Process terminating with default action of signal 11 (SIGSEGV)
==19970==  Access not within mapped region at address 0xCED2000
==19970==    at 0x724D830: _fill_xrgb32_lerp_opaque_spans (in /usr/lib/x86_64-linux-gnu/libcairo.so.2.11400.0)
==19970==    by 0x7291405: _cairo_tor_scan_converter_generate (in /usr/lib/x86_64-linux-gnu/libcairo.so.2.11400.0)
==19970==    by 0x728352B: composite_polygon.isra.9 (in /usr/lib/x86_64-linux-gnu/libcairo.so.2.11400.0)
==19970==    by 0x7283F94: clip_and_composite_polygon (in /usr/lib/x86_64-linux-gnu/libcairo.so.2.11400.0)
==19970==    by 0x7284BB9: _cairo_spans_compositor_stroke (in /usr/lib/x86_64-linux-gnu/libcairo.so.2.11400.0)
==19970==    by 0x723FD8E: _cairo_compositor_stroke (in /usr/lib/x86_64-linux-gnu/libcairo.so.2.11400.0)
==19970==    by 0x7251061: _cairo_image_surface_stroke (in /usr/lib/x86_64-linux-gnu/libcairo.so.2.11400.0)
==19970==    by 0x7287F55: _cairo_surface_stroke (in /usr/lib/x86_64-linux-gnu/libcairo.so.2.11400.0)
==19970==    by 0x7247C01: _cairo_gstate_stroke (in /usr/lib/x86_64-linux-gnu/libcairo.so.2.11400.0)
==19970==    by 0x72416E8: _cairo_default_context_stroke (in /usr/lib/x86_64-linux-gnu/libcairo.so.2.11400.0)
==19970==    by 0x723A724: cairo_stroke (in /usr/lib/x86_64-linux-gnu/libcairo.so.2.11400.0)
==19970==    by 0x505B439: gvrender_polygon (in /usr/lib/libgvc.so.6.0.0)
==19970==  If you believe this happened as a result of a stack
==19970==  overflow in your program's main thread (unlikely but
==19970==  possible), you can try to increase the size of the
==19970==  main thread stack using the --main-stacksize= flag.
==19970==  The main thread stack size used in this run was 8388608.
==19970== 
==19970== HEAP SUMMARY:
==19970==     in use at exit: 27,942,241 bytes in 10,691 blocks
==19970==   total heap usage: 25,882 allocs, 15,191 frees, 32,258,502 bytes allocated
==19970== 
==19970== LEAK SUMMARY:
==19970==    definitely lost: 17,944 bytes in 132 blocks
==19970==    indirectly lost: 99,555 bytes in 780 blocks
==19970==      possibly lost: 8,199 bytes in 99 blocks
==19970==    still reachable: 27,815,679 bytes in 9,675 blocks
==19970==         suppressed: 0 bytes in 0 blocks
==19970== Rerun with --leak-check=full to see details of leaked memory
==19970== 
==19970== For counts of detected and suppressed errors, rerun with: -v
==19970== Use --track-origins=yes to see where uninitialised values come from
==19970== ERROR SUMMARY: 806 errors from 3 contexts (suppressed: 0 from 0)
Segmentation fault


-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=ANSI_X3.4-1968) (ignored: LC_ALL set to C)
Shell: /bin/sh linked to /bin/dash

Versions of packages graphviz depends on:
ii  libc6       2.19-11
ii  libcdt5     2.38.0-6
ii  libcgraph6  2.38.0-6
ii  libexpat1   2.1.0-6
ii  libgd3      2.1.0-4.1+b1
ii  libgvc6     2.38.0-6
ii  libgvpr2    2.38.0-6
ii  libx11-6    2:1.6.2-3
ii  libxaw7     2:1.0.12-2
ii  libxmu6     2:1.1.2-1
ii  libxt6      1:1.1.4-1

Versions of packages graphviz recommends:
pn  fonts-liberation  <none>

Versions of packages graphviz suggests:
pn  graphviz-doc  <none>
pn  gsfonts       <none>

-- no debconf information
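
A triage helper for memcheck output like the log above, added here as an example and not part of the original report: it pairs each invalid access with the heap block named on its "Address ..." line, which is what identifies these records as a read and a write starting 0 bytes past the end of the 26,458,488-byte buffer whose allocation stack includes `_cairo_image_surface_create_with_pixman_format`. The names `parse_memcheck` and `classify` are assumptions of this example, and the sample is an abbreviated copy of the report's records.

```python
import re

# Constructed sample: abbreviated copy of the memcheck records quoted in the report.
SAMPLE = """\
==19970== Invalid read of size 4
==19970==    at 0x724D830: _fill_xrgb32_lerp_opaque_spans (in /usr/lib/x86_64-linux-gnu/libcairo.so.2.11400.0)
==19970==  Address 0xced19b8 is 0 bytes after a block of size 26,458,488 alloc'd
==19970==    at 0x4C2AD10: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==19970==    by 0x72516A6: _cairo_image_surface_create_with_pixman_format (in /usr/lib/x86_64-linux-gnu/libcairo.so.2.11400.0)
==19970==
==19970== Invalid write of size 4
==19970==    at 0x724D924: _fill_xrgb32_lerp_opaque_spans (in /usr/lib/x86_64-linux-gnu/libcairo.so.2.11400.0)
==19970==  Address 0xced19b8 is 0 bytes after a block of size 26,458,488 alloc'd
==19970==    at 0x4C2AD10: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==19970==
"""

PREFIX = re.compile(r"^==\d+==\s?")
ACCESS = re.compile(r"^Invalid (read|write) of size (\d+)")
FRAME = re.compile(r"^\s+(?:at|by) 0x[0-9A-Fa-f]+: (.+?) \(")
BLOCK = re.compile(r"^\s*Address 0x[0-9a-fA-F]+ is ([\d,]+) bytes (after|before|inside) a block of size ([\d,]+) (alloc'd|free'd)")

def parse_memcheck(text):
    """Return one dict per invalid access, with access and allocation stacks."""
    records, cur, in_alloc = [], None, False
    for raw in text.splitlines():
        line = PREFIX.sub("", raw)
        if m := ACCESS.match(line):
            cur = {"kind": m[1], "size": int(m[2]), "frames": [], "block": None, "alloc_frames": []}
            records.append(cur)
            in_alloc = False
        elif cur and (m := BLOCK.match(line)):
            cur["block"] = {"offset": int(m[1].replace(",", "")), "where": m[2],
                            "size": int(m[3].replace(",", "")), "state": m[4]}
            in_alloc = True  # frames from here on belong to the allocation stack
        elif cur and (m := FRAME.match(line)):
            (cur["alloc_frames"] if in_alloc else cur["frames"]).append(m[1])
        elif not line.strip():
            cur = None  # a blank "==PID==" line ends the record
    return records

def classify(rec):
    """Name the bug class implied by memcheck's 'Address ...' line."""
    b = rec["block"]
    if b is None:
        return "wild-access"
    if b["state"] == "free'd":
        return "use-after-free"
    return {"after": "heap-overrun", "before": "heap-underrun"}.get(b["where"], "in-bounds")
```
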

