Bug 14534

Summary: Segfaults when a bunch of fonts placed in ~/.fonts
Product: fontconfig
Reporter: Duane Evenson <duane-tech>
Component: fc-cache
Assignee: Keith Packard <keithp>
Status: RESOLVED NOTOURBUG
Severity: normal
Priority: medium
Keywords: have-backtrace
Version: 2.3
Hardware: x86 (IA32)
OS: Linux (All)

Description Duane Evenson 2008-02-17 17:02:13 UTC
After adding a bunch of fonts to my ~/.fonts directory, many programs were reporting segfaults. I traced the problem to fontconfig. It seems if the number of fonts in this directory is 4609 or more, fc-cache crashes.
As the number of fonts approaches this number, the program takes exponentially longer to run.

I'm not sure if this is what you want, but executing
gdb fc-cache
(gdb) run
Starting program: /usr/bin/fc-cache
Reading symbols from shared object read from target memory...(no debugging symbols found)...done.
Loaded system supplied DSO at 0xb96000
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)

Program received signal SIGSEGV, Segmentation fault.
0x00dd0a88 in gray_raster_render () from /usr/lib/libfreetype.so.6
(gdb) bt
#0  0x00dd0a88 in gray_raster_render () from /usr/lib/libfreetype.so.6
#1  0x00dd00d2 in gray_raster_render () from /usr/lib/libfreetype.so.6
#2  0x00dd0f07 in gray_raster_render () from /usr/lib/libfreetype.so.6
#3  0x00d962f6 in FT_Load_Glyph () from /usr/lib/libfreetype.so.6
#4  0x00162684 in FcFreeTypeCharIndex () from /usr/lib/libfontconfig.so.1
#5  0x00162c97 in FcFreeTypeCharSetAndSpacing ()
   from /usr/lib/libfontconfig.so.1
#6  0x00164808 in FcFreeTypeQuery () from /usr/lib/libfontconfig.so.1
#7  0x00161d9d in FcFileScanConfig () from /usr/lib/libfontconfig.so.1
#8  0x00162095 in FcDirScanConfig () from /usr/lib/libfontconfig.so.1
#9  0x08048f32 in ?? ()
#10 0x08048fcf in ?? ()
#11 0x080495b4 in ?? ()
#12 0x00bcd4e4 in __libc_start_main () from /lib/libc.so.6
#13 0x08048c91 in ?? ()
(gdb) disass $pc-32 $pc+32
Dump of assembler code from 0xdd0a68 to 0xdd0aa8:
0x00dd0a68 <gray_raster_render+14744>:  add    %al,(%eax)
0x00dd0a6a <gray_raster_render+14746>:  add    %al,0x7801e86d(%ebx)
0x00dd0a70 <gray_raster_render+14752>:  push   $0xffffff8b
0x00dd0a72 <gray_raster_render+14754>:  push   %ebp
0x00dd0a73 <gray_raster_render+14755>:  mov    $0xe8241489,%esp
0x00dd0a78 <gray_raster_render+14760>:  push   $0x8bfffc0c
0x00dd0a7d <gray_raster_render+14765>:  dec    %ebp
0x00dd0a7e <gray_raster_render+14766>:  aam    $0xffffff89
0x00dd0a80 <gray_raster_render+14768>:  into
0x00dd0a81 <gray_raster_render+14769>:  add    $0x1,%esi
0x00dd0a84 <gray_raster_render+14772>:  test   $0x8,%al
0x00dd0a86 <gray_raster_render+14774>:  mov    %eax,%edi
0x00dd0a88 <gray_raster_render+14776>:  mov    %al,(%ecx)
0x00dd0a8a <gray_raster_render+14778>:  je     0xdd0acb <gray_raster_render+14843>
0x00dd0a8c <gray_raster_render+14780>:  subl   $0x1,0xffffffe8(%ebp)
0x00dd0a90 <gray_raster_render+14784>:  js     0xdd0adb <gray_raster_render+14859>
0x00dd0a92 <gray_raster_render+14786>:  mov    0xffffffbc(%ebp),%eax
0x00dd0a95 <gray_raster_render+14789>:  mov    %eax,(%esp)
0x00dd0a98 <gray_raster_render+14792>:  call   0xd916e4 <FT_Stream_GetChar@plt>
0x00dd0a9d <gray_raster_render+14797>:  mov    %eax,%edx
0x00dd0a9f <gray_raster_render+14799>:  movzbl %al,%eax
0x00dd0aa2 <gray_raster_render+14802>:  lea    (%esi,%eax,1),%eax
0x00dd0aa5 <gray_raster_render+14805>:  cmp    %eax,0xffffffd8(%ebp)
End of assembler dump.
(gdb) info all-registers
eax            0x37     55
ecx            0x0      0
edx            0x37     55
ebx            0xdf8c74 14650484
esp            0xbfc5c270       0xbfc5c270
ebp            0xbfc5c2d8       0xbfc5c2d8
esi            0x1      1
edi            0x37     55
eip            0xdd0a88 0xdd0a88
eflags         0x210246 2163270
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51
Comment 1 Keith Packard 2008-02-17 18:21:27 UTC
The crash is in FreeType, so it's almost certainly some font that FreeType doesn't like. Figure out which font file it is scanning, either building with enough symbols to get the filename out, or just using lsof while the app is stopped at the crash, and then reporting which font causes the crash would help quite a bit. If possible, sending that font to the FreeType folks would help get that library fixed.
Comment 2 Duane Evenson 2008-02-17 21:09:14 UTC
bugzilla-daemon@freedesktop.org wrote:
> http://bugs.freedesktop.org/show_bug.cgi?id=14534
>
>
> Keith Packard <keithp@keithp.com> changed:
>
>            What    |Removed                     |Added
> ----------------------------------------------------------------------------
>              Status|NEW                         |RESOLVED
>          Resolution|                            |NOTOURBUG
>
>
>
>
> --- Comment #1 from Keith Packard <keithp@keithp.com>  2008-02-17 18:21:27 PST ---
> The crash is in FreeType, so it's almost certainly some font that FreeType
> doesn't like. Figure out which font file it is scanning, either building with
> enough symbols to get the filename out, or just using lsof while the app is
> stopped at the crash, and then reporting which font causes the crash would help
> quite a bit. If possible, sending that font to the FreeType folks would help
> get that library fixed.
>
>
>   
Woohoo. It's great to have access to smart people. That was exactly the 
case, I didn't realize it because there was more than one bad font and 
so removing the first didn't fix the problem. However, with access to an 
expert, I found the problem -- well, actually you found the problem, but 
I did the typing. :) Thanks!
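
The isolation step from Comment 1, extended to the situation in Comment 2 where more than one font is bad, as an added example (not from this bug thread or from the fontconfig project): it scans each file in its own process and lists every file whose scan is killed by a signal. It assumes fontconfig's fc-query is installed; the function names and the SCANNER variable are hypothetical.

```shell
#!/bin/sh
# Added example: find every font file whose scan crashes, not just the first.
# SCANNER (hypothetical variable) is the per-file scanner command; it defaults
# to fontconfig's fc-query, which parses a single font file through FreeType.

# scan_one FILE: run the scanner on one file in its own process, so a crash
# in the font parser kills only that child and the loop can continue.
scan_one() {
    (
        ulimit -c 0 2>/dev/null || true   # do not leave a core file per bad font
        exec ${SCANNER:-fc-query} "$1" >/dev/null 2>&1
    )
}

# find_crashing_fonts DIR: print "path<TAB>signal N" for each file whose scan
# ended on a signal. The shell reports such a child as exit status 128 + N,
# so SIGSEGV (11) shows up as 139.
find_crashing_fonts() {
    find "$1" -type f | sort | while IFS= read -r f; do
        status=0
        scan_one "$f" || status=$?
        if [ "$status" -gt 128 ]; then
            printf '%s\tsignal %d\n' "$f" "$((status - 128))"
        fi
    done
}

# Stand-alone use: pass the font directory, e.g. ~/.fonts
if [ "$#" -gt 0 ]; then
    find_crashing_fonts "$1"
fi
```

Files reported here can be moved out of the font directory before rerunning fc-cache, and are the ones worth sending to the FreeType maintainers.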
