
#2448 segfault on certain binary files (pango)

Bug
Status: open
Owner: nobody
Priority: 5
Updated: 2024-11-01
Created: 2024-10-01
Creator: fenugrec
Private: No

I'm having a reliable segfault when trying to open certain files with binary data. It's somewhere deep inside Pango code. Unclear if it's a Pango or Scintilla bug; see backtrace below. This is with SciTE 5.5.2 on Arch Linux.

****** BT

Pango:ERROR:../pango/pango/pango-layout.c:4611:get_items_log_attrs: assertion failed: (item->offset <= start + length) Bail out!
Pango:ERROR:../pango/pango/pango-layout.c:4611:get_items_log_attrs: assertion failed: (item->offset <= start + length)

Thread 61 "scite" received signal SIGSEGV, Segmentation fault.
 [Switching to Thread 0x7fff8fe006c0 (LWP 199694)]
 _cairo_ft_scaled_glyph_load_glyph (scaled_font=scaled_font@entry=0x555555bfb1c0,
     scaled_glyph=scaled_glyph@entry=0x7fffc01752f0, face=face@entry=0x7fffc013d680, load_flags=load_flags@entry=0x21200,
     use_em_size=use_em_size@entry=0x0, vertical_layout=vertical_layout@entry=0x0) at ../cairo/src/cairo-ft-font.c:2449
 2449            _cairo_ft_scaled_glyph_vertical_layout_bearing_fix (scaled_font, face->glyph);


> bt

#0  _cairo_ft_scaled_glyph_load_glyph (scaled_font=scaled_font@entry=0x555555bfb1c0, scaled_glyph=scaled_glyph@entry=0x7fffc01752f0, face=face@entry=0x7fffc013d680, load_flags=load_flags@entry=0x21200, use_em_size=use_em_size@entry=0x0, vertical_layout=vertical_layout@entry=0x0) at ../cairo/src/cairo-ft-font.c:2449
        error = <optimized out>
        status = CAIRO_STATUS_SUCCESS
        glyph_priv = <optimized out>
        __PRETTY_FUNCTION__ = "_cairo_ft_scaled_glyph_load_glyph"
#1  0x00007ffff756be69 in _cairo_ft_scaled_glyph_init_metrics (scaled_font=<optimized out>, scaled_glyph=0x7fffc01752f0, face=0x7fffc013d680, vertical_layout=0x0, load_flags=0x21200, foreground_color=0x7ffff75d9c40 <cairo_color_black.lto_priv>) at ../cairo/src/cairo-ft-font.c:3240
        status = CAIRO_INT_STATUS_SUCCESS
        glyph_priv = 0x7fff1c148510
        color_flag = 0x0
        is_svg_format = <optimized out>
        fs_metrics = {
          x_bearing = 0,
          y_bearing = 6.9531668687281756e-310,
          width = 6.9532628666041009e-310,
          height = 6.9533481607777473e-310,
          x_advance = 6.9531668205297004e-310,
          y_advance = 6.9531668687289661e-310
        }
        hint_metrics = 0x1
        status = <optimized out>
        fs_metrics = <optimized out>
        glyph_priv = <optimized out>
        hint_metrics = <optimized out>
        color_flag = <optimized out>
        is_svg_format = <optimized out>
#2  _cairo_ft_scaled_glyph_init (abstract_font=<optimized out>, scaled_glyph=0x7fffc01752f0, info=CAIRO_SCALED_GLYPH_INFO_METRICS, foreground_color=0x7ffff75d9c40 <cairo_color_black.lto_priv>) at ../cairo/src/cairo-ft-font.c:3381
        scaled_font = <optimized out>
        unscaled = <optimized out>
        face = 0x7fffc013d680
        load_flags = 0x21200
        vertical_layout = 0x0
        status = CAIRO_STATUS_SUCCESS
        glyph_priv = <optimized out>
        __PRETTY_FUNCTION__ = "_cairo_ft_scaled_glyph_init"
#3  0x00007ffff751d9ad in _cairo_scaled_glyph_lookup (scaled_font=scaled_font@entry=0x555555bfb1c0, index=<optimized out>, info=info@entry=CAIRO_SCALED_GLYPH_INFO_METRICS, foreground_color=0x7ffff75d9c40 <cairo_color_black.lto_priv>, foreground_color@entry=0x0, scaled_glyph_ret=scaled_glyph_ret@entry=0x7fff8fdfe910) at ../cairo/src/cairo-scaled-font.c:2913
        status = CAIRO_INT_STATUS_SUCCESS
        scaled_glyph = 0x7fffc01752f0
        need_info = <optimized out>
        key = {
          hash = 0x28a
        }
        __PRETTY_FUNCTION__ = "_cairo_scaled_glyph_lookup"
#4  0x00007ffff751dc83 in cairo_scaled_font_glyph_extents (scaled_font=0x555555bfb1c0, glyphs=0x7fff8fdfe960, num_glyphs=0x1, extents=0x7fff8fdfe980) at ../cairo/src/cairo-scaled-font.c:1643
        left = <optimized out>
        top = <optimized out>
        right = <optimized out>
        bottom = <optimized out>
        status = <optimized out>
        i = 0x0
        min_x = 0
        min_y = 0
        max_x = 0
        max_y = 0
        visible = 0x0
        scaled_glyph = 0x0
        status__ = <optimized out>
        status__ = <optimized out>
#5  0x00007ffff7e8d242 in compute_glyph_extents (cf_priv=0x7fff1c009818, glyph=0x28a, entry=0x7fff1c0126b0) at ../pango/pango/pangocairo-font.c:807
        extents = {
          x_bearing = 0,
          y_bearing = 0,
          width = 0,
          height = 0,
          x_advance = 0,
          y_advance = 0
        }
        cairo_glyph = {
          index = 0x28a,
          x = 0,
          y = 0
        }
        extents = <optimized out>
        cairo_glyph = <optimized out>
#6  _pango_cairo_font_private_get_glyph_extents_cache_entry (cf_priv=0x7fff1c009818, glyph=0x28a) at ../pango/pango/pangocairo-font.c:833
        entry = 0x7fff1c0126b0
        idx = 0x8a
        entry = <optimized out>
        idx = <optimized out>
#7  _pango_cairo_font_private_get_glyph_extents (cf_priv=0x7fff1c009818, glyph=0x28a, ink_rect=0x7fff8fdfea30, logical_rect=0x7fff8fdfea40) at ../pango/pango/pangocairo-font.c:870
        entry = <optimized out>
        entry = <optimized out>
        __func__ = <optimized out>
#8  pango_cairo_fc_font_get_glyph_extents (font=0x7fff1c0097a0, glyph=0x28a, ink_rect=0x7fff8fdfea30, logical_rect=0x7fff8fdfea40) at ../pango/pango/pangocairo-fcfont.c:130
        cffont = 0x7fff1c0097a0
#9  0x00007ffff7e31779 in pango_glyph_string_extents_range (glyphs=0x7fff1c147d70, start=0x0, end=0x1, font=0x7fff1c0097a0, ink_rect=<optimized out>, logical_rect=0x7fff8fdfeaf0) at ../pango/pango/glyphstring.c:210
        glyph_ink = {
          x = 0x0,
          y = 0xffffd000,
          width = 0x1c009818,
          height = 0x7fff
        }
        glyph_logical = {
          x = 0x0,
          y = 0xffffcc00,
          width = 0x2000,
          height = 0x3c00
        }
        geometry = 0x7fff1c14c374
        x_pos = 0x0
        i = 0x0
        x_pos = <optimized out>
        i = <optimized out>
        __func__ = <optimized out>
        _g_boolean_var_16 = <optimized out>
        _g_boolean_var_17 = <optimized out>
        glyph_ink = <optimized out>
        glyph_logical = <optimized out>
        geometry = <optimized out>
        new_x = <optimized out>
        new_y = <optimized out>
        new_y = <optimized out>
#10 pango_glyph_string_extents_range (glyphs=0x7fff1c147d70, start=0x0, end=0x1, font=0x7fff1c0097a0, ink_rect=<optimized out>, logical_rect=0x7fff8fdfeaf0) at ../pango/pango/glyphstring.c:164
        x_pos = 0x0
        i = <optimized out>
        __func__ = "pango_glyph_string_extents_range"
        glyph_ink = <optimized out>
        glyph_logical = <optimized out>
        geometry = <optimized out>
        new_x = <optimized out>
        new_y = <optimized out>
        new_y = <optimized out>
#11 0x00007ffff7e4a01a in pango_layout_run_get_extents_and_height (run=0x7fff1c146d90, run_ink=run_ink@entry=0x7fff8fdfebd0, run_logical=0x7fff8fdfeaf0, run_logical@entry=0x0, line_logical=line_logical@entry=0x7fff8fdfebc0, height=height@entry=0x7fff8fdfebbc) at ../pango/pango/pango-layout.c:5640
        logical = {
          x = 0x0,
          y = 0x0,
          width = 0x0,
          height = 0x0
        }
        properties = {
          uline_single = 0x0,
          uline_double = 0x0,
          uline_low = 0x0,
          uline_error = 0x0,
          strikethrough = 0x0,
          oline_single = 0x0,
          showing_space = 0x0,
          letter_spacing = 0x0,
          shape_set = 0x0,
          shape_ink_rect = 0x0,
          shape_logical_rect = 0x0,
          line_height = 0,
          absolute_line_height = 0x0
        }
        metrics = <optimized out>
        has_underline = <optimized out>
        has_overline = <optimized out>
        y_offset = <optimized out>
#12 0x00007ffff7e4b253 in pango_layout_line_get_extents_and_height.part.0.lto_priv.0 (line=0x7fff1c0ebb00, ink_rect=<optimized out>, logical_rect=<optimized out>, height=<optimized out>) at ../pango/pango/pango-layout.c:5836
        run = <optimized out>
        new_pos = <optimized out>
        run_logical = <optimized out>
        run_ink = {
          x = 0x0,
          y = 0x0,
          width = 0x0,
          height = 0x0
        }
        run_height = 0x7fff
        private = <optimized out>
        tmp_list = 0x7fff1c14c5b0
        x_pos = 0x0
        caching = <optimized out>
        __func__ = <optimized out>
        _g_boolean_var_114 = <optimized out>
        _g_boolean_var_115 = <optimized out>
#13 0x00007ffff7e3fb46 in pango_layout_line_get_extents_and_height (line=0x7fff1c0ebb00, ink_rect=0x0, logical_rect=0x7fff8fdfec50, height=0x7fff8fdfec48) at ../pango/pango/pango-layout.c:5779
        private = 0x7fff1c0ebb00
        tmp_list = <optimized out>
        x_pos = 0x0
        caching = 0x0
        private = <optimized out>
        tmp_list = <optimized out>
        x_pos = <optimized out>
        caching = <optimized out>
        __func__ = <optimized out>
        _g_boolean_var_114 = <optimized out>
        _g_boolean_var_115 = <optimized out>
        run = <optimized out>
        new_pos = <optimized out>
        run_ink = <optimized out>
        run_logical = <optimized out>
        run_height = <optimized out>
        r = <optimized out>
        rect = <optimized out>
#14 get_line_extents_layout_coords (layout=layout@entry=0x7fff1c0fd890, line=0x7fff1c0ebb00, layout_width=layout_width@entry=0xffffffff, y_offset=0x0, baseline=baseline@entry=0x7fff8fdfed0c, line_ink_layout=line_ink_layout@entry=0x0, line_logical_layout=0x7fff8fdfed10) at ../pango/pango/pango-layout.c:2877
        x_offset = 0x0
        line_ink = {
          x = 0x1c000bf0,
          y = 0x7fff,
          width = 0x55a91540,
          height = 0x5555
        }
        line_logical = {
          x = 0x0,
          y = 0x0,
          width = 0x0,
          height = 0x0
        }
        first_line = <optimized out>
        new_baseline = <optimized out>
        height = 0x0
#15 0x00007ffff7e3ff6c in pango_layout_get_extents_internal (layout=0x7fff1c0fd890, ink_rect=<optimized out>, logical_rect=<optimized out>, line_extents=0x0) at ../pango/pango/pango-layout.c:3001
        line = <optimized out>
        line_ink_layout = {
          x = 0x8fdfed60,
          y = 0x7fff,
          width = 0xf6c645ce,
          height = 0x7fff
        }
        line_logical_layout = <optimized out>
        new_pos = <optimized out>
        line_list = 0x7fff1c15c2c0
        y_offset = <optimized out>
        width = <optimized out>
        need_width = <optimized out>
        line_index = 0x0
        baseline = 0x0
        __func__ = "pango_layout_get_extents_internal"
#16 0x00007ffff7e4026e in pango_layout_get_size (layout=<optimized out>, width=0x7fff8fdff070, height=0x7fff8fdfef90) at ../pango/pango/pango-layout.c:3166
        logical_rect = {
          x = 0x0,
          y = 0x0,
          width = 0x0,
          height = 0x0
        }
#17 0x00007ffff7e4e827 in pango_layout_check_lines.part.0.lto_priv.0 (layout=layout@entry=0x7fff1c0fd890) at ../pango/pango/pango-layout.c:4983
        start = <optimized out>
        done = <optimized out>
        start_offset = <optimized out>
        attrs = <optimized out>
        itemize_attrs = <optimized out>
        shape_attrs = <optimized out>
        iter = {
          attrs = 0x7fff1c15f940,
          n_attrs = 0x1,
          attribute_stack = 0x7fff1c1582e0,
          attr_index = 0x1,
          start_index = 0x0,
          end_index = 0xffffffff
        }
        prev_base_dir = <optimized out>
        base_dir = <optimized out>
        state = <optimized out>
        need_log_attrs = <optimized out>
        w = 0x0
        h = 0x3c00
        __func__ = <optimized out>
        _g_boolean_var_98 = <optimized out>
#18 0x00007ffff7e4f5b9 in pango_layout_check_lines (layout=0x7fff1c0fd890) at ../pango/pango/pango-layout.c:4792
        attrs = <optimized out>
        itemize_attrs = <optimized out>
        shape_attrs = <optimized out>
        iter = <optimized out>
        prev_base_dir = PANGO_DIRECTION_NEUTRAL
        need_log_attrs = <optimized out>
        w = <optimized out>
        done = 0x0
        start_offset = <optimized out>
        state = <optimized out>
        h = <optimized out>
        start = <optimized out>
        base_dir = PANGO_DIRECTION_NEUTRAL
        start = <optimized out>
        done = <optimized out>
        start_offset = <optimized out>
        attrs = <optimized out>
        itemize_attrs = <optimized out>
        shape_attrs = <optimized out>
        iter = <optimized out>
        prev_base_dir = <optimized out>
        base_dir = <optimized out>
        state = <optimized out>
        need_log_attrs = <optimized out>
        __func__ = <optimized out>
        w = <optimized out>
        h = <optimized out>
        _g_boolean_var_98 = <optimized out>
        _g_boolean_var_99 = <optimized out>
        __n = <optimized out>
        __s = <optimized out>
        __p = <optimized out>
        logical = <optimized out>
        height = <optimized out>
        delim_len = <optimized out>
        end = <optimized out>
        delimiter_index = <optimized out>
        next_para_index = <optimized out>
        _g_boolean_var_100 = <optimized out>
        _g_boolean_var_101 = <optimized out>
        _g_boolean_var_102 = <optimized out>
        _g_boolean_var_103 = <optimized out>
        _g_boolean_var_104 = <optimized out>
        empty_line = <optimized out>
#19 _pango_layout_get_iter (layout=0x7fff1c0fd890, iter=0x7fff1c144a50) at ../pango/pango/pango-layout.c:7221
        run_start_index = <optimized out>
        run_start_index = <optimized out>
        __func__ = <optimized out>
        _g_boolean_var_121 = <optimized out>
        __inst = <optimized out>
        __t = <optimized out>
        __r = <optimized out>
        logical_rect = <optimized out>
#20 _pango_layout_get_iter (layout=0x7fff1c0fd890, iter=0x7fff1c144a50) at ../pango/pango/pango-layout.c:7212
        run_start_index = <optimized out>
        __func__ = "_pango_layout_get_iter"
        logical_rect = <optimized out>
#21 0x00007ffff7e4f68f in pango_layout_get_iter (layout=0x7fff1c0fd890) at ../pango/pango/pango-layout.c:7206
        iter = 0x7fff1c144a50
        __func__ = "pango_layout_get_iter"
#22 0x00007ffff6fa2715 in (anonymous namespace)::ClusterIterator::ClusterIterator (this=0x7fff8fdff240, layout=0x7fff1c0fd890, text="Ӹ") at /usr/src/debug/scite/scintilla/gtk/PlatGTK.cxx:841
No locals.
#23 Scintilla::SurfaceImpl::MeasureWidthsUTF8 (this=0x555555bac250, font_=0x555555c7ee60, text="Ӹ", positions=0x7ffff005ddc0) at /usr/src/debug/scite/scintilla/gtk/PlatGTK.cxx:1082
        contextMeasure = std::unique_ptr<_PangoContext> = {
          get() = 0x7fff1c0fd820
        }
        layoutMeasure = <optimized out>
        iti = {
          iter = std::unique_ptr<_PangoLayoutIter> = {
            get() = 0x0
          },
          pos = {
            x = 0x0,
            y = 0x0,
            width = 0x0,
            height = 0x0
          },
          lenPositions = 0x2,
          finished = 0x0,
          positionStart = 0,
          position = 0,
          distance = 0,
          curIndex = 0x0
        }
        i = <optimized out>
#24 0x00007ffff6f84036 in PositionCache::MeasureWidths (this=0x555555a76d30, surface=<optimized out>, vstyle=..., styleNumber=0x0, unicode=0x1, sv="Ӹ", positions=<optimized out>, needsLocking=0x1) at ./../src/PositionCache.cxx:1168
        style = @0x555555a6d480: {
          <Scintilla::Internal::FontSpecification> = {
            fontName = 0x555555bf1f30 "Terminus",
            size = 0x3e8,
            weight = Scintilla::FontWeight::Normal,
            stretch = Scintilla::FontStretch::Normal,
            italic = 0x0,
            characterSet = Scintilla::CharacterSet::Default,
            extraFontFlag = Scintilla::FontQuality::QualityDefault,
            checkMonospaced = 0x0
          }, 
          <Scintilla::Internal::FontMeasurements> = {
            ascent = 13,
            descent = 2,
            capitalHeight = 13,
            aveCharWidth = 7.998046875,
            monospaceCharacterWidth = 7.998046875,
            spaceWidth = 7.998046875,
            monospaceASCII = 0x0,
            sizeZoomed = 0x3e8
          }, 
          members of Scintilla::Internal::Style:
          fore = {
            static rgbMask = 0xffffff,
            co = 0xff000000
          },
          back = {
            static rgbMask = 0xffffff,
            co = 0xffffffff
          },
          eolFilled = 0x0,
          underline = 0x0,
          caseForce = Scintilla::Internal::Style::CaseForce::mixed,
          visible = 0x1,
          changeable = 0x1,
          hotspot = 0x0,
          invisibleRepresentation = "\000\000\000\000",
          font = std::shared_ptr<Scintilla::Internal::Font> (use count 255, weak count 0) = {
            get() = 0x555555c7ee60
          }
        }
        probe = <optimized out>
        fontStyle = <optimized out>
#25 0x00007ffff6f6144e in (anonymous namespace)::LayoutSegments (pCache=<optimized out>, surface=0x555555bac250, vstyle=..., ll=0x555555ca29b0, segments=std::vector of length 24858, capacity 32768 = {...}, nextIndex=std::atomic<unsigned int> = { 0x2540 }, textUnicode=0x1, multiThreaded=0x1) at /usr/include/c++/14.2.1/string_view:146
        i = <optimized out>
        ts = <optimized out>
        styleSegment = <optimized out>
        positions = 0x7ffff005ddc0
#26 0x00007ffff6f6c1d3 in operator() (__closure=<optimized out>) at ./../src/EditView.cxx:513
        multiThreadedContext = <optimized out>
        textUnicode = <optimized out>
        nextIndex = <optimized out>
        segments = <optimized out>
        ll = <optimized out>
        vstyle = <optimized out>
        surface = <optimized out>
        pCache = <optimized out>
#27 std::__invoke_impl<void, Scintilla::Internal::EditView::LayoutLine(const Scintilla::Internal::EditModel&, Scintilla::Internal::Surface*, const Scintilla::Internal::ViewStyle&, Scintilla::Internal::LineLayout*, int, bool)::<lambda()> > (__f=...) at /usr/include/c++/14.2.1/bits/invoke.h:61
No locals.
#28 std::__invoke<Scintilla::Internal::EditView::LayoutLine(const Scintilla::Internal::EditModel&, Scintilla::Internal::Surface*, const Scintilla::Internal::ViewStyle&, Scintilla::Internal::LineLayout*, int, bool)::<lambda()> > (__fn=...) at /usr/include/c++/14.2.1/bits/invoke.h:96
No locals.
#29 std::thread::_Invoker<std::tuple<Scintilla::Internal::EditView::LayoutLine(const Scintilla::Internal::EditModel&, Scintilla::Internal::Surface*, const Scintilla::Internal::ViewStyle&, Scintilla::Internal::LineLayout*, int, bool)::<lambda()> > >::_M_invoke<0> (this=<optimized out>) at /usr/include/c++/14.2.1/bits/std_thread.h:301
No locals.
#30 std::thread::_Invoker<std::tuple<Scintilla::Internal::EditView::LayoutLine(const Scintilla::Internal::EditModel&, Scintilla::Internal::Surface*, const Scintilla::Internal::ViewStyle&, Scintilla::Internal::LineLayout*, int, bool)::<lambda()> > >::operator() (this=<optimized out>) at /usr/include/c++/14.2.1/bits/std_thread.h:308
No locals.
#31 std::__future_base::_Task_setter<std::unique_ptr<std::__future_base::_Result<void>, std::__future_base::_Result_base::_Deleter>, std::thread::_Invoker<std::tuple<Scintilla::Internal::EditView::LayoutLine(const Scintilla::Internal::EditModel&, Scintilla::Internal::Surface*, const Scintilla::Internal::ViewStyle&, Scintilla::Internal::LineLayout*, int, bool)::<lambda()> > >, void>::operator() (this=0x7fff8fdffbc0) at /usr/include/c++/14.2.1/future:1439
No locals.
#32 std::__invoke_impl<std::unique_ptr<std::__future_base::_Result<void>, std::__future_base::_Result_base::_Deleter>, std::__future_base::_Task_setter<std::unique_ptr<std::__future_base::_Result<void>, std::__future_base::_Result_base::_Deleter>, std::thread::_Invoker<std::tuple<Scintilla::Internal::EditView::LayoutLine(const Scintilla::Internal::EditModel&, Scintilla::Internal::Surface*, const Scintilla::Internal::ViewStyle&, Scintilla::Internal::LineLayout*, int, bool)::<lambda()> > >, void>&> (__f=...) at /usr/include/c++/14.2.1/bits/invoke.h:61
No locals.
#33 std::__invoke_r<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter>, std::__future_base::_Task_setter<std::unique_ptr<std::__future_base::_Result<void>, std::__future_base::_Result_base::_Deleter>, std::thread::_Invoker<std::tuple<Scintilla::Internal::EditView::LayoutLine(const Scintilla::Internal::EditModel&, Scintilla::Internal::Surface*, const Scintilla::Internal::ViewStyle&, Scintilla::Internal::LineLayout*, int, bool)::<lambda()> > >, void>&> (__fn=...) at /usr/include/c++/14.2.1/bits/invoke.h:114
No locals.
#34 std::_Function_handler<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter>(), std::__future_base::_Task_setter<std::unique_ptr<std::__future_base::_Result<void>, std::__future_base::_Result_base::_Deleter>, std::thread::_Invoker<std::tuple<Scintilla::Internal::EditView::LayoutLine(const Scintilla::Internal::EditModel&, Scintilla::Internal::Surface*, const Scintilla::Internal::ViewStyle&, Scintilla::Internal::LineLayout*, int, bool)::<lambda()> > >, void> >::_M_invoke(const std::_Any_data &) (__functor=...) at /usr/include/c++/14.2.1/bits/std_function.h:291
No locals.
#35 0x00007ffff6f3a2d6 in std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter>()>::operator() (this=<optimized out>) at /usr/include/c++/14.2.1/bits/std_function.h:591
No locals.
#36 std::__future_base::_State_baseV2::_M_do_set (this=0x555555ccec30, __f=<optimized out>, __did_set=0x7fff8fdffb77) at /usr/include/c++/14.2.1/future:596
        __res = std::unique_ptr<std::__future_base::_Result_base> = {
          get() = 0x0
        }
#37 0x00007ffff6c588fb in ?? () from /usr/lib/libc.so.6
No symbol table info available.
#38 0x00007ffff6c58979 in pthread_once () from /usr/lib/libc.so.6
No symbol table info available.
#39 0x00007ffff6f6c876 in __gthread_once (__once=0x555555ccec48, __func=<optimized out>) at /usr/include/c++/14.2.1/x86_64-pc-linux-gnu/bits/gthr-default.h:713
No locals.
#40 std::call_once<void (std::__future_base::_State_baseV2::*)(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter>()>*, bool*), std::__future_base::_State_baseV2*, std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter>()>*, bool*> (__once=..., __f=@0x7fff8fdffb90: (void (std::__future_base::_State_baseV2::*)(std::__future_base::_State_baseV2 * const, std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter>()> *, bool *)) 0x7ffff6f3a2a0 <std::__future_base::_State_baseV2::_M_do_set(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*)>) at /usr/include/c++/14.2.1/mutex:916
        __e = <optimized out>
        __callable = {
          ____f = @0x7fff8fdffb90,
          ____args#0 = @0x7fff8fdffb78,
          ____args#1 = @0x7fff8fdffb80,
          ____args#2 = @0x7fff8fdffb88
        }
        __exec = <optimized out>
        __callable = <optimized out>
        __exec = <optimized out>
        __e = <optimized out>
#41 std::__future_base::_State_baseV2::_M_set_result (this=0x555555ccec30, __res=..., __ignore_failure=0x0) at /usr/include/c++/14.2.1/future:435
        __did_set = 0x0
        __did_set = <optimized out>
#42 std::__future_base::_Async_state_impl<std::thread::_Invoker<std::tuple<Scintilla::Internal::EditView::LayoutLine(const Scintilla::Internal::EditModel&, Scintilla::Internal::Surface*, const Scintilla::Internal::ViewStyle&, Scintilla::Internal::LineLayout*, int, bool)::<lambda()> > >, void>::_M_run(void) (this=0x555555ccec30) at /usr/include/c++/14.2.1/future:1781
No locals.
#43 0x00007ffff70e1c34 in std::execute_native_thread_routine (__p=0x555555ccecd0) at /usr/src/debug/gcc/gcc/libstdc++-v3/src/c++11/thread.cc:104
        __t = <optimized out>
#44 0x00007ffff6c5339d in ?? () from /usr/lib/libc.so.6
No symbol table info available.
#45 0x00007ffff6cd849c in ?? () from /usr/lib/libc.so.6
No symbol table info available.
Continuing.
Couldn't get registers: No such process.
Couldn't read debug register: No such process.
Not confirmed.

Program terminated with signal SIGSEGV, Segmentation fault.
1 Attachments

Discussion

  • Neil Hodgson

    Neil Hodgson - 2024-10-01

    The example file doesn't crash for me on Ubuntu 24.04 64-bit.

    There have been similar problems when there is an unusual locale set that overrides Pango.

    The file appears to be text in the Big5 Chinese encoding which can be seen with these settings:

    code.page=950
    character.set=136
    

    The file text as Big5 is:

    L法建立目錄 '[2]'。同名的檔案已經存在,請更名或移除此檔案,然後重試,或按 "取消" 結束。目前無使用磁碟機 [2],請選取別的磁碟機。指定的路徑 '[2]' 無法使用。指定的資料夾 [2] 無法寫入。嘗試從檔案讀取時發生網路錯誤: [2]嘗試建立目錄時發生錯誤: [2]嘗試建立目錄時發生網路錯誤: [2]嘗試開啟來源檔案時發生網路錯誤: [2]指定的路徑太長: [2]Installer 的權限不足以修改這個檔案: [2]。資料夾路徑 '[2]' 的部份超過系統允許的長度或參雜系統不允許的字元。資料夾路徑 '[2]' 含有無效資料夾路徑字元。資料夾路徑 '[2]' 含有無效字元。'[2]' 不是有效的短檔名。取得檔案安全性時發生錯誤: [3] GetLastError: [2]無效的磁碟機: [2]套用修正至檔案 [2] 發生錯誤。可能已被其他方法更新過,並且無法被此修正更改。請接洽此修正程式的廠商以取得更多訊息。{{系統錯誤: [3]}}無法安裝所需的檔案,因為 CAB 檔案 [2] 並未以數位方式簽名。這可能表示 CAB 檔案已毀壞。無法安裝所需的檔案,因為 CAB 檔案 [2] 具有無效的數位簽名。這可能表示 CAB 檔案已毀壞。{WinVerifyTrust 傳回錯誤 [3]。}無法正確複製 [2] 檔案:CRC 錯誤。無法正確修補 [2] 檔案:CRC 錯誤。由於無法在 CAB 檔案'[3]' 中找到檔案 '[2]',因此無法安裝該檔案。這可能表示發生網路錯誤、從 CD-ROM 讀取時發生錯誤,或是此套裝軟體有問題。此安裝所需的 CAB 檔案 '[2]' 已毀壞,因此無法使用。這可能表示發生網路錯誤、從 CD-ROM 讀取時發生錯誤,或是此套裝軟體有問題。建立完成此安裝所需的暫存檔時發生錯誤。資料夾:[3]。系統錯誤代碼: [2]無法建立機碼: [2]。{{ 系統錯誤 [3]。}} 檢查您是有足夠的權限存取該機碼,或是連絡您的支援人員。無法開啟機碼: [2]。{{ 系統錯誤 [3]。}} 檢查您是有足夠的權限存取該機碼,或是連絡您的支援人員。無法刪除值: [2] 從機碼 [3]。{{ 系統錯誤 [4]。}} 檢查您是有足夠的權限存取該機碼,或是連絡您的支援人員。無法刪除機碼: [2]。{{ 系統錯誤 [3]。}} 檢查您是有足夠的權限存取該機碼,或是連絡您的支援人員。無法從機碼 [3] 讀取值 [2]。{{ 系統錯誤 [4]。}} 檢查您是有足夠的權限存取該機碼,或是連絡您的支援人員。無法寫入值 [2] 至機碼 [3]。{{ 系統錯誤 [4]。}} 檢查您是有足夠的權限存取該機碼,或是連絡您的支援人員。無法取機碼 [2] 的值名稱。{{ 系統錯誤 [3]。}} 檢查您是有足夠的權限存取該機碼,或是連絡您的支援人員。無法取子機碼 [2] 的值名稱。{{ 系統錯誤 [3

     
  • fenugrec

    fenugrec - 2024-10-02

    Thanks for testing. Do you think it has something to do with a particular font (which may not have glyphs for everything, too) ?
    As for locale, I have en_US and en_CA and that's it, nothing terribly unusual

     
  • Neil Hodgson

    Neil Hodgson - 2024-10-02

    The assertion that failed is item->offset <= start + length which could indicate a failure to correctly break the text into pieces. There have previously been problems with right to left modes (like Hebrew) which can be unexpectedly activated and that disturb item order. If the text is incorrectly itemized then subsequent code is more likely to fail.

    The mention of _cairo_ft_scaled_glyph_vertical_layout_bearing_fix is weird as vertical_layout = 0x0 earlier and I would only expect horizontal layout as Scintilla doesn't support vertical layout (like older Japanese books). I'm reading a copy of the Cairo source from Mozilla as the sourcegraph.com source code searcher didn't find anything that looked more authoritative.

    Potential contributions from Scintilla to a failure here include breaking the text in a bad place. Scintilla breaks text up into segments of 100-300 bytes and it tries to do so in 'safe' positions to only measure/draw ranges of whole characters. This should only matter if you are using a multi-byte encoding like UTF-8 or Big5.

    Another potential problem is multi-threading since the called libraries may have threading issues. SciTE is distributed with multi-threaded layout enabled for speed. This can be disabled with threads.layout=1.

    There could be problems with the "Terminus" font so another font could be tried. I wasn't able to install "Terminus" well to try it myself.

     
  • Neil Hodgson

    Neil Hodgson - 2024-10-03

    The text being measured is, as bytes, D3 B8. This is being interpreted as UTF-8 Ӹ which is Cyrillic Capital Letter Yeru With Diaeresis (U+04F8).

    Cairo may be constructing this glyph by combining Ы capital Yeru with a ◌̈ diaeresis and something has failed such as not finding one part in the font.

     
  • fenugrec

    fenugrec - 2024-10-03

    I see, interesting.

    Tried :

    • with threads.layout=1,2 or 8: no more crash
    • threads.layout=12 or 16 : crash

    I noticed that at threads=12, sometimes the crash is not on the assert() I saw earlier, but a SIGSEGV inside pango get_alignment() , where it's trying to access line->layout->auto_dir but the 'layout' pointer is corrupt:

    0x00007ffff7e3f91f in get_alignment (layout=layout@entry=0x555555c18960, line=line@entry=0x7fffcc0b00e0)
        at ../pango/pango/pango-layout.c:2780
    2780      if (alignment != PANGO_ALIGN_CENTER && line->layout->auto_dir &&
    
    (gdb) p *line
    $3 = {
      layout = 0x3fa6fec66,
      start_index = 0x4b231808,
      length = 0x1d4071e0,
      runs = 0x3,
      is_paragraph_start = 0x1,
      resolved_dir = 0x7
    }
    
    (gdb) p line->layout
    $4 = (PangoLayout *) 0x3fa6fec66
    
    (gdb) p *line->layout
    Cannot access memory at address 0x3fa6fec66
    

    I might try running under valgrind next. Is pango meant to be thread-safe ?

     
    • Neil Hodgson

      Neil Hodgson - 2024-10-03

      Pango on Linux is supposed to be thread safe in the sense that you can use separate objects (like PangoLayouts) from separate threads but an object should not be shared between multiple threads as the calls don't lock the objects.

      Pango was made thread-safe in 2013 with this item at https://github.com/GNOME/pango/blob/main/NEWS

      Overview of changes between 1.32.5 and 1.32.6

      • Make pango threadsafe
       
    • Neil Hodgson

      Neil Hodgson - 2024-10-03

      Interesting elements here are:

      1. Does the failure occur with a different font?
      2. What text is being processed on each failure? The MeasureWidthsUTF8 call arguments line reveals the text.
      3. The backtrace doesn't appear to match the file which makes it more difficult to reproduce. The file is only 2K but the backtrace says that there are 24858 segments (at least 1 byte per segment) of text and it is failing near segment 0x2450.

      segments=std::vector of length 24858, capacity 32768 = {...}, nextIndex=std::atomic<unsigned int> = { 0x2540 }

      The MeasureWidthsUTF8 arguments line with the text looks like this in the backtrace:

      #23 Scintilla::SurfaceImpl::MeasureWidthsUTF8 (this=0x555555bac250, font_=0x555555c7ee60, text="Ӹ", positions=0x7ffff005ddc0) at /usr/src/debug/scite/scintilla/gtk/PlatGTK.cxx:1082

      Where I mentioned vertical layout earlier, I think that is just that the Ы and ◌̈ are being stacked together vertically within a horizontal context.

       
      • fenugrec

        fenugrec - 2024-10-05
        1. with a different font (DejaVu Sans), crash is less frequent under gdb, but pretty reliable when running directly. A sample of corruption causing the crash :
        Thread 8 "scite" received signal SIGSEGV, Segmentation fault.
        [Switching to Thread 0x7fffeb4006c0 (LWP 517153)]
        0x00007ffff7e4a4e2 in pango_font_get_scale_factors (font=0x7fffc8076fe0, x_scale=0x7fffeb3fea88, y_scale=0x7fffeb3fea80)
            at ../pango/pango/fonts.c:2979
        2979      PANGO_FONT_GET_CLASS_PRIVATE (font)->get_scale_factors (font, x_scale, y_scale);
        
        (gdb) p *(PangoFontClassPrivate *)font
        $15 = {
          get_languages = 0x7fffc8085340,
          is_hinted = 0x0,
          get_scale_factors = 0x20,
          has_char = 0x25,
          get_face = 0x6b61646f6f4b,
          get_matrix = 0x0,
          get_absolute_size = 0x20,
          get_variant = 0x25
        }
        

        (notice the get_scale_factors pointer is set to 0x20, and get_face looks a lot like ASCII...)

        2:

        #12 0x00007ffff6f84036 in PositionCache::MeasureWidths (this=0x555555a75ab0, surface=<optimized out>, vstyle=...,
            styleNumber=0x0, unicode=0x1, sv="իإߥؿ", positions=<optimized out>, needsLocking=0x1)
        

        3: hmm, it's possible the backtrace I posted was while I was in the process of shortening the file to the minimum repeatable case. Now with the attached file the vector length is more realistic, e.g.

        #15 0x00007ffff6f6144e in (anonymous namespace)::LayoutSegments (pCache=<optimized out>, surface=0x555555b7cdb0, vstyle=...,
            ll=0x555555b7df90, segments=std::vector of length 1368, capacity 2048 = {...}
        
         

        Last edit: fenugrec 2024-10-05
  • Zufu Liu

    Zufu Liu - 2024-10-03
    • labels: --> Scintilla, GTK, layout
     
  • Neil Hodgson

    Neil Hodgson - 2024-10-06

    իإߥؿ is a complex string that has a good chance of triggering interesting behaviour since it is bidirectional with 2 Arabic characters and each Arabic character may be further decomposed with a diacritic above or below. The NKo letter ߥ is also right-to-left like Arabic. There was a thread safety fix mentioned in Pango's changelog "Make Thai and Arabic support thread-safe" so it wouldn't be surprising if there were more similar issues.

    Character Codepoint Name
    ի U+056B ARMENIAN SMALL LETTER INI
    إ U+0625 ARABIC LETTER ALEF WITH HAMZA BELOW
    ߥ U+07E5 NKO LETTER WA
    ؿ U+063F ARABIC LETTER FARSI YEH WITH THREE DOTS ABOVE

    Reviewing Scintilla's code, the PangoFontDescription objects aren't recreated for each thread. However, they are used in const contexts and are quite simple structs with no pointers to other structs. They contain 2 strings which are commonly set at creation with code equivalent to strdup. It is possible there is ancillary thread-local data that is somehow keyed off the font description but I couldn't find any trace of this in the implementation file pango/fonts.c.

    If the font descriptions need to be isolated per-thread then they could be recreated in every measurement call from the font properties (which would need to be remembered) at the cost of more allocations and performance or there could be a cached thread-id -> font description map in Scintilla's FontHandle class.

     

    Last edit: Neil Hodgson 2024-10-06
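    An added example of the per-thread cache idea in the comment above; it is not Scintilla's or Pango's code. `FontDescription` is a hypothetical stand-in for a library-owned object such as PangoFontDescription, `FontSpec` holds the remembered properties it is rebuilt from, and `FontHandle` keeps one copy per thread id behind a mutex so that no library object is ever used by two threads at once.

```cpp
#include <condition_variable>
#include <cstddef>
#include <cstdio>
#include <map>
#include <memory>
#include <mutex>
#include <string>
#include <thread>
#include <utility>
#include <vector>

// Hypothetical stand-in for a library-owned font object (e.g. Pango's
// PangoFontDescription) that must not be touched by two threads at once.
struct FontDescription {
    std::string family;
    int sizePoints;
    std::thread::id owner;  // thread that created it; checked below
};

// The immutable properties from which a FontDescription can be rebuilt.
struct FontSpec {
    std::string family;
    int sizePoints;
};

// Owns one FontDescription per thread that has asked for one. The map is
// guarded by a mutex; each FontDescription is only ever used by the thread
// it was created for, so the library object itself is never shared.
class FontHandle {
public:
    explicit FontHandle(FontSpec spec) : spec_(std::move(spec)) {}

    FontDescription &ForCurrentThread() {
        const std::thread::id me = std::this_thread::get_id();
        std::lock_guard<std::mutex> lock(mutex_);
        auto it = perThread_.find(me);
        if (it == perThread_.end()) {
            auto fd = std::make_unique<FontDescription>(
                FontDescription{spec_.family, spec_.sizePoints, me});
            it = perThread_.emplace(me, std::move(fd)).first;
        }
        return *it->second;
    }

    // Entries for finished threads are never evicted: the cost is bounded by
    // the number of layout threads, and an id recycled by a later thread gets
    // the old object, which is still valid and no longer used by anyone else.
    size_t CachedCount() {
        std::lock_guard<std::mutex> lock(mutex_);
        return perThread_.size();
    }

private:
    FontSpec spec_;
    std::mutex mutex_;
    std::map<std::thread::id, std::unique_ptr<FontDescription>> perThread_;
};

struct CacheResult {
    size_t distinct;          // FontDescription objects created
    bool stableWithinThread;  // each thread got the same object both times
    bool ownedByCaller;       // each object carries its caller's thread id
};

// Starts `threads` workers that each fetch the handle twice. Workers wait for
// each other before exiting so that no thread id can be recycled mid-run.
CacheResult ExerciseCache(FontHandle &handle, unsigned threads) {
    std::mutex gateMutex;
    std::condition_variable gate;
    unsigned arrived = 0;
    std::vector<int> stable(threads, 0), owned(threads, 0);
    std::vector<std::thread> workers;
    for (unsigned i = 0; i < threads; ++i) {
        workers.emplace_back([&, i] {
            FontDescription &a = handle.ForCurrentThread();
            FontDescription &b = handle.ForCurrentThread();
            stable[i] = (&a == &b) ? 1 : 0;
            owned[i] = (a.owner == std::this_thread::get_id()) ? 1 : 0;
            std::unique_lock<std::mutex> lk(gateMutex);
            ++arrived;
            gate.notify_all();
            gate.wait(lk, [&] { return arrived == threads; });
        });
    }
    for (auto &w : workers) w.join();
    CacheResult r{handle.CachedCount(), true, true};
    for (unsigned i = 0; i < threads; ++i) {
        if (!stable[i]) r.stableWithinThread = false;
        if (!owned[i]) r.ownedByCaller = false;
    }
    return r;
}

int main() {
    FontHandle handle(FontSpec{"Terminus", 10});
    const CacheResult r = ExerciseCache(handle, 4);
    std::printf("distinct=%zu stable=%d owned=%d\n",
                r.distinct, r.stableWithinThread ? 1 : 0, r.ownedByCaller ? 1 : 0);
    return 0;
}
```

    The trade-off is the one the comment names: one extra allocation per thread per handle instead of one per measurement call, and the map lookup under a short lock on every call. A `thread_local` member would avoid the lock but cannot be scoped per FontHandle instance, which is why a keyed map is used here.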
  • Neil Hodgson

    Neil Hodgson - 2024-11-01

    Since I haven't been able to reproduce this crash, it's unlikely I will work on it further.

     
