Crash when using layer auto-expansion
Environment/Versions
- GIMP version: 2.99 (5c646830)
- Package: Source
- Operating System: Linux
Description of the bug
(Copy of issue from !961 (comment 1800509)) I had this crash happen twice while testing. I was doing a bunch of painting/undoing/painting again quite quickly (but it's not necessarily a sure reproduction method because it mostly looks like a timing issue).
Anyway this trace is pretty clear that it shows a NULL `proj->priv->update_region` inside `gimp_projection_flush_whenever()` whereas it tested `if (proj->priv->update_region)` just a few lines before. This really really feels like a race condition (the `update_region` got deleted by another thread in-between these calls) which means that protection is required.
I couldn't help but notice inside `gimp_paint_tool_paint_timeout()` that there is a `g_mutex_lock (&paint_mutex);` protection, but the mutex is unlocked before you flush the projection. This being said, I am not sure if that's the right mutex to use, because I haven't looked at all at the code in detail so I don't know which thread might be responsible for `update_region` to get removed.
Reproduction
Is the bug reproducible?
Reproduction steps:
- Create a new (preferably large, like "4K UHD" template) image
- Create a new layer which does not fully cover the canvas.
- Select paint brush tool and enable expand layer option.
- Try drawing such that the layer will resize.
It might take some time, as the crash is probably due to a race condition according to my limited exploration of the issue.
Expected result:
No crash at all
Actual result:
App sometimes crashes
Additional information
The issue also occurs on the current master branch (5c646830), but the stack trace is from an older point.
GNU Image Manipulation Program version 2.99.17
git-describe: GIMP_2_99_16-152-g48af90fcf8
Build: unknown rev 0 for linux
# C compiler #
Using built-in specs.
COLLECT_GCC=/usr/bin/cc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/10/lto-wrapper
OFFLOAD_TARGET_NAMES=nvptx-none:amdgcn-amdhsa:hsa
OFFLOAD_TARGET_DEFAULT=1
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Debian 10.2.1-6' --with-bugurl=file:///usr/share/doc/gcc-10/README.Bugs --enable-languages=c,ada,c++,go,brig,d,fortran,objc,obj-c++,m2 --prefix=/usr --with-gcc-major-version-only --program-suffix=-10 --program-prefix=x86_64-linux-gnu- --enable-shared --enable-linker-build-id --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --libdir=/usr/lib --enable-nls --enable-bootstrap --enable-clocale=gnu --enable-libstdcxx-debug --enable-libstdcxx-time=yes --with-default-libstdcxx-abi=new --enable-gnu-unique-object --disable-vtable-verify --enable-plugin --enable-default-pie --with-system-zlib --enable-libphobos-checking=release --with-target-system-zlib=auto --enable-objc-gc=auto --enable-multiarch --disable-werror --with-arch-32=i686 --with-abi=m64 --with-multilib-list=m32,m64,mx32 --enable-multilib --with-tune=generic --enable-offload-targets=nvptx-none=/build/gcc-10-Km9U7s/gcc-10-10.2.1/debian/tmp-nvptx/usr,amdgcn-amdhsa=/build/gcc-10-Km9U7s/gcc-10-10.2.1/debian/tmp-gcn/usr,hsa --without-cuda-driver --enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu --with-build-config=bootstrap-lto-lean --enable-link-mutex
Thread model: posix
Supported LTO compression algorithms: zlib zstd
gcc version 10.2.1 20210110 (Debian 10.2.1-6)
# Libraries #
using babl version 0.1.107 (compiled against version 0.1.107)
using GEGL version 0.4.47 (compiled against version 0.4.47)
using GLib version 2.77.0 (compiled against version 2.77.0)
using GdkPixbuf version 2.42.2 (compiled against version 2.42.2)
using GTK+ version 3.24.27 (compiled against version 3.24.27)
using Pango version 1.48.4 (compiled against version 1.50.7)
using Fontconfig version 2.14.2 (compiled against version 2.14.2)
using Cairo version 1.17.9 (compiled against version 1.17.9)
Stacktrace:
# Stack traces obtained from PID 2284 - Thread 2284 #
[New LWP 2285]
[New LWP 2286]
[New LWP 2287]
[New LWP 2288]
[New LWP 2289]
[New LWP 2290]
[New LWP 2291]
[New LWP 2292]
[New LWP 2293]
[New LWP 2294]
[New LWP 2298]
[New LWP 2300]
[New LWP 2301]
[New LWP 2302]
[New LWP 2303]
[New LWP 2304]
[New LWP 2305]
[New LWP 2306]
[New LWP 2308]
[New LWP 3616]
[New LWP 3617]
[New LWP 7664]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
__libc_read (nbytes=255, buf=0x7ffc094eea30, fd=19) at ../sysdeps/unix/sysv/linux/read.c:26
Id Target Id Frame
* 1 Thread 0x7f5709a35f40 (LWP 2284) "gimp-2.99" __libc_read (nbytes=255, buf=0x7ffc094eea30, fd=19) at ../sysdeps/unix/sysv/linux/read.c:26
2 Thread 0x7f570916d700 (LWP 2285) "worker" syscall () at ../sysdeps/unix/sysv/linux/x86_64/syscall.S:38
3 Thread 0x7f570896c700 (LWP 2286) "worker" syscall () at ../sysdeps/unix/sysv/linux/x86_64/syscall.S:38
4 Thread 0x7f570816b700 (LWP 2287) "worker" syscall () at ../sysdeps/unix/sysv/linux/x86_64/syscall.S:38
5 Thread 0x7f570796a700 (LWP 2288) "worker" syscall () at ../sysdeps/unix/sysv/linux/x86_64/syscall.S:38
6 Thread 0x7f56fffff700 (LWP 2289) "worker" syscall () at ../sysdeps/unix/sysv/linux/x86_64/syscall.S:38
7 Thread 0x7f5707169700 (LWP 2290) "worker" syscall () at ../sysdeps/unix/sysv/linux/x86_64/syscall.S:38
8 Thread 0x7f5706968700 (LWP 2291) "worker" syscall () at ../sysdeps/unix/sysv/linux/x86_64/syscall.S:38
9 Thread 0x7f5705681700 (LWP 2292) "pool-spawner" syscall () at ../sysdeps/unix/sysv/linux/x86_64/syscall.S:38
10 Thread 0x7f5704e80700 (LWP 2293) "gmain" 0x00007f570d6f496f in __GI___poll (fds=0x5573f00325d0, nfds=2, timeout=-1) at ../sysdeps/unix/sysv/linux/poll.c:29
11 Thread 0x7f56ff7fe700 (LWP 2294) "gdbus" 0x00007f570d6f496f in __GI___poll (fds=0x7f56a400c750, nfds=4, timeout=-1) at ../sysdeps/unix/sysv/linux/poll.c:29
12 Thread 0x7f56fe282700 (LWP 2298) "async" syscall () at ../sysdeps/unix/sysv/linux/x86_64/syscall.S:38
13 Thread 0x7f56fd122700 (LWP 2300) "gimp-2.99" futex_wait_cancelable (private=0, expected=0, futex_word=0x5573f0353568) at ../sysdeps/nptl/futex-internal.h:186
14 Thread 0x7f56fcf21700 (LWP 2301) "gimp-2.99" futex_wait_cancelable (private=0, expected=0, futex_word=0x5573f0354c3c) at ../sysdeps/nptl/futex-internal.h:186
15 Thread 0x7f56fcd20700 (LWP 2302) "gimp-2.99" futex_wait_cancelable (private=0, expected=0, futex_word=0x5573f0354ca8) at ../sysdeps/nptl/futex-internal.h:186
16 Thread 0x7f56fcb1f700 (LWP 2303) "gimp-2.99" futex_wait_cancelable (private=0, expected=0, futex_word=0x5573f0354d18) at ../sysdeps/nptl/futex-internal.h:186
17 Thread 0x7f56fc91e700 (LWP 2304) "gimp-2.99" futex_wait_cancelable (private=0, expected=0, futex_word=0x5573f032e73c) at ../sysdeps/nptl/futex-internal.h:186
18 Thread 0x7f56fc71d700 (LWP 2305) "gimp-2.99" futex_wait_cancelable (private=0, expected=0, futex_word=0x5573f032e778) at ../sysdeps/nptl/futex-internal.h:186
19 Thread 0x7f56fc51c700 (LWP 2306) "gimp-2.99" futex_wait_cancelable (private=0, expected=0, futex_word=0x5573f032e7e8) at ../sysdeps/nptl/futex-internal.h:186
20 Thread 0x7f56fc31b700 (LWP 2308) "gimp-2.99" futex_wait_cancelable (private=0, expected=0, futex_word=0x5573f032e858) at ../sysdeps/nptl/futex-internal.h:186
21 Thread 0x7f56f4aa2700 (LWP 3616) "swap writer" syscall () at ../sysdeps/unix/sysv/linux/x86_64/syscall.S:38
22 Thread 0x7f56f52a3700 (LWP 3617) "paint" syscall () at ../sysdeps/unix/sysv/linux/x86_64/syscall.S:38
23 Thread 0x7f565a409700 (LWP 7664) "pool-gimp-2.99" syscall () at ../sysdeps/unix/sysv/linux/x86_64/syscall.S:38
#0 __libc_read (nbytes=255, buf=0x7ffc094eea30, fd=19) at ../sysdeps/unix/sysv/linux/read.c:26
resultvar = 18446744073709551104
sc_cancel_oldtype = 0
__arg3 = <optimized out>
_a2 = <optimized out>
sc_ret = <optimized out>
__value = <optimized out>
__arg1 = <optimized out>
_a3 = <optimized out>
resultvar = <optimized out>
resultvar = <optimized out>
__arg2 = <optimized out>
_a1 = <optimized out>
#1 __libc_read (fd=19, buf=buf@entry=0x7ffc094eea30, nbytes=nbytes@entry=255) at ../sysdeps/unix/sysv/linux/read.c:24
No locals.
#2 0x00007f570f1c24ec in gimp_stack_trace_print (prog_name=0x7ffc094eea30 "\002", stream=stream@entry=0x5573f74c7140, trace=trace@entry=0x0) at ../../../../../../../dev/src/gimp/libgimpbase/gimputils.c:1394
status = 0
stack_printed = 0
gtrace = 0x0
gimp_pid = "2284\000U\000\000\001\000\000\000\000\000\000"
buffer = "\002\000\000\000\000\000\000\000\240\366N\t\374\177\000\000\300\336[\367sU\000\000#\306\036\017W\177\000\000\005", '\000' <repeats 15 times>, "\005\000\000\000\000\000\000\000\310\317\032\017W\177\000\000p\356N\t\374\177\000\000\212\066\037\017W\177\000\000@qL\367sU\000\000\t", '\000' <repeats 15 times>, "@qL\367sU\000\000\300\266\027\360sU\000\000\000\000\000\000\000\000\000\000\001\000\000\000\000\000\000\000\200\221 \017W\177\000\000\377\377\377\377", '\000' <repeats 12 times>, "\070\241`\rW\177\000\000\200\037\000\000\377\377\000\000\350\224 \017W\177\000\000\000\000\000\000\000\000\000\000PB\350\357sU\000\000"...
read_n = <optimized out>
sync_fd = {16, 17}
out_fd = {19, 20}
fork_pid = <optimized out>
pid = 2284
eintr_count = 0
tid = <optimized out>
#3 0x00005573ef42bf40 in gimp_eek (reason=reason@entry=0x5573ef706b99 "fatal error", message=0x7ffc094eeed0 "0", use_handler=use_handler@entry=1) at ../../../../../../../dev/src/gimp/app/errors.c:355
fd = 0x5573f74c7140
has_backtrace = 1
pid = "2284\000\000\000\000\000\000\000\000\005\000\000"
gimpdebug = 0x5573ef706bb0 "/home/jehan/.local/share/crossroad/roads/native/gimp/libexec/gimp-debug-tool-2.99"
args = {0x5573ef706bb0 "/home/jehan/.local/share/crossroad/roads/native/gimp/libexec/gimp-debug-tool-2.99", 0x5573f017b6c0 "app/gimp-2.99", 0x7ffc094eeec0 "2284", 0x5573ef706b99 "fatal error", 0x5573f7399544 "Segmentation fault", 0x5573f017a420 "/home/jehan/.config/GIMP/2.99/CrashLog/gimp-crash-1690475204.txt", 0x0, 0x7ffc094eeed0 "0", 0x0}
timestamp = "0\000\000\000\374\177\000\000\021\000\000\000\000\000\000"
config = <optimized out>
eek_handled = 0
debug_policy = GIMP_DEBUG_POLICY_WARNING
iter = <optimized out>
num_idx = <optimized out>
i = 0
#4 0x00005573ef42c368 in gimp_fatal_error (message=<optimized out>) at ../../../../../../../dev/src/gimp/app/errors.c:206
No locals.
#5 0x00005573ef42ec99 in gimp_sigfatal_handler (sig_num=11) at ../../../../../../../dev/src/gimp/app/signals.c:196
No locals.
#6 <signal handler called>
No locals.
#7 0x00007f570ed938b0 in INT_cairo_region_get_rectangle (region=0x0, nth=1, rectangle=0x7ffc094ef6a0) at ../../../../../../../dev/src/cairo/src/cairo-region.c:477
pbox = 0x7ffc094ef6a0
#8 0x00005573ef2c384d in gimp_projection_flush_whenever (direct=1, now=1, proj=0x5573f5940e10) at ../../../../../../../dev/src/gimp/app/core/gimpprojection.c:667
rect = {x = 1504, y = 864, width = 160, height = 64}
n_rects = 2
i = 1
#9 gimp_projection_flush_whenever (direct=1, now=1, proj=0x5573f5940e10) at ../../../../../../../dev/src/gimp/app/core/gimpprojection.c:649
n_rects = <optimized out>
i = <optimized out>
rect = {x = <optimized out>, y = <optimized out>, width = <optimized out>, height = <optimized out>}
_pp = <optimized out>
_ptr = <optimized out>
#10 gimp_projection_flush_now (proj=0x5573f5940e10, direct=direct@entry=1) at ../../../../../../../dev/src/gimp/app/core/gimpprojection.c:546
__func__ = "gimp_projection_flush_now"
#11 0x00005573ef4a1081 in gimp_paint_tool_paint_timeout (paint_tool=0x5573f4f7f560, paint_tool@entry=<error reading variable: value has been optimized out>) at ../../../../../../../dev/src/gimp/app/tools/gimppainttool-paint.c:197
draw_tool = 0x5573f4f7f560
display = 0x5573f0077750
image = 0x5573f65b38a0
core = <optimized out>
update = <optimized out>
#12 0x00007f570eb814bb in g_timeout_dispatch (user_data=<optimized out>, callback=<optimized out>, source=0x5573f75bdec0) at ../../../../../../../dev/src/glib/glib/gmain.c:5123
timeout_source = <optimized out>
again = <optimized out>
timeout_source = <optimized out>
again = <optimized out>
once_callback = <optimized out>
#13 g_timeout_dispatch (source=0x5573f75bdec0, callback=<optimized out>, user_data=<optimized out>) at ../../../../../../../dev/src/glib/glib/gmain.c:5101
timeout_source = 0x5573f75bdec0
again = <optimized out>
#14 0x00007f570eb7d7d8 in g_main_dispatch (context=context@entry=0x5573efe50ce0) at ../../../../../../../dev/src/glib/glib/gmain.c:3476
dispatch = 0x7f570eb814a0 <g_timeout_dispatch>
prev_source = 0x0
begin_time_nsec = 0
was_in_call = 0
user_data = 0x5573f4f7f560
callback = 0x5573ef4a0fa0 <gimp_paint_tool_paint_timeout>
cb_funcs = <optimized out>
cb_data = 0x5573f5e70be0
need_destroy = <optimized out>
source = 0x5573f75bdec0
current = 0x5573f0021020
i = 0
__func__ = "g_main_dispatch"
#15 0x00007f570eb806d7 in g_main_context_dispatch_unlocked (context=0x5573efe50ce0) at ../../../../../../../dev/src/glib/glib/gmain.c:4286
No locals.
#16 g_main_context_iterate_unlocked (context=context@entry=0x5573efe50ce0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../../../../../../../dev/src/glib/glib/gmain.c:4351
max_priority = 100
timeout = 0
some_ready = 1
nfds = <optimized out>
allocated_nfds = <optimized out>
fds = 0x5573f5b192a0
begin_time_nsec = 0
#17 0x00007f570eb80dcf in g_main_context_iteration (context=context@entry=0x5573efe50ce0, may_block=may_block@entry=1) at ../../../../../../../dev/src/glib/glib/gmain.c:4416
retval = <optimized out>
#18 0x00007f570e8e0d25 in g_application_run (application=application@entry=0x5573f0088a50, argc=156170284, argc@entry=0, argv=argv@entry=0x0) at ../../../../../../../dev/src/glib/gio/gapplication.c:2573
arguments = 0x5573f024e8f0
status = 0
context = 0x5573efe50ce0
acquired_context = <optimized out>
__func__ = "g_application_run"
#19 0x00005573ef42b8f6 in app_run (full_prog_name=0x5573efe4dd60 "app/gimp-2.99", filenames=<optimized out>, alternate_system_gimprc=alternate_system_gimprc@entry=0x0, alternate_gimprc=alternate_gimprc@entry=0x0, session_name=<optimized out>, batch_interpreter=<optimized out>, batch_commands=0x0, quit=0, as_new=0, no_interface=0, no_data=0, no_fonts=0, no_splash=0, be_verbose=0, use_shm=1, use_cpu_accel=1, console_messages=0, use_debug_handler=0, show_playground=1, show_debug_menu=1, stack_trace_mode=GIMP_STACK_TRACE_QUERY, pdb_compat_mode=GIMP_PDB_COMPAT_WARN, backtrace_file=0x5573efe43320 "/home/jehan/.config/GIMP/2.99/CrashLog/gimp-crash-1690475204.txt") at ../../../../../../../dev/src/gimp/app/app.c:317
gimp = 0x5573effe6290
app = 0x5573f0088a50
default_folder = 0x0
gimpdir = 0x5573f01b0b40
abort_message = <optimized out>
retval = 0
__func__ = "app_run"
#20 0x00005573ef2769d6 in main (argc=<optimized out>, argv=<optimized out>) at ../../../../../../../dev/src/gimp/app/main.c:796
context = 0x5573efe4dda0
error = 0x0
abort_message = <optimized out>
basename = <optimized out>
system_gimprc_file = 0x0
user_gimprc_file = 0x0
gimp_group = <optimized out>
backtrace_file = 0x5573efe43320 "/home/jehan/.config/GIMP/2.99/CrashLog/gimp-crash-1690475204.txt"
retval = <optimized out>
i = <optimized out>
[Inferior 1 (process 2284) detached]
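
The check-then-use pattern suspected in the report, as an added example (not GIMP's code and not a proposed patch). `Region`, `Projection`, `flush_racy`, `flush_safe` and the `other` callback are hypothetical names; the callback stands in for the second thread so the interleaving is deterministic, and the constructed input mirrors `n_rects = 2`, `i = 1` from frame #8.

```c
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for illustration; not GIMP's types or functions. */
typedef struct { int n_rects; } Region;
typedef struct { pthread_mutex_t lock; Region *update_region; } Projection;
typedef void (*Interleave)(Projection *);  /* models another thread getting to run */

static void clear_region(Projection *p) {  /* the competing writer */
    pthread_mutex_lock(&p->lock);
    free(p->update_region);
    p->update_region = NULL;
    pthread_mutex_unlock(&p->lock);
}

/* Racy shape: test the shared pointer once, then re-read it for every rectangle.
 * Returns rectangles handled, or -1 at the point real code would dereference NULL. */
static int flush_racy(Projection *p, Interleave other) {
    if (!p->update_region) return 0;
    int n = p->update_region->n_rects, done = 0;
    for (int i = 0; i < n; i++, done++) {
        if (i == 1) other(p);              /* writer runs mid-loop */
        if (!p->update_region) return -1;  /* NULL despite the earlier test */
    }
    return done;
}

/* Hardened shape: take ownership under the lock, then use only the private pointer. */
static int flush_safe(Projection *p, Interleave other) {
    pthread_mutex_lock(&p->lock);
    Region *mine = p->update_region;
    p->update_region = NULL;
    pthread_mutex_unlock(&p->lock);
    int done = 0;
    for (int i = 0; mine && i < mine->n_rects; i++, done++)
        if (i == 1) other(p);              /* writer finds nothing to free */
    free(mine);
    return done;
}

static int demo(int safe) {                /* constructed input: 2 rectangles */
    Projection p = { .update_region = malloc(sizeof(Region)) };
    pthread_mutex_init(&p.lock, NULL);
    p.update_region->n_rects = 2;
    return safe ? flush_safe(&p, clear_region) : flush_racy(&p, clear_region);
}

int main(void) { printf("racy=%d safe=%d\n", demo(0), demo(1)); return 0; }
```

Holding a lock only around the initial test does not help if the pointer is read again after the unlock; the hardened shape works because the shared field is never read outside the critical section.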