Bug 2426 - Mono 2.10.7 beta crashes in gdi+/cairo on OSX
Summary: Mono 2.10.7 beta crashes in gdi+/cairo on OSX
Status: NEW
Alias: None
Product: Class Libraries
Classification: Mono
Component: libgdiplus
Version: 2.10.x
Hardware: PC Mac OS
Priority: ---
Severity: normal
Target Milestone: Untriaged
Assignee: Bugzilla
URL:
Depends on:
Blocks:
 
Reported: 2011-12-08 14:53 UTC by Brian Luczkiewicz
Modified: 2013-09-18 04:10 UTC
CC List: 3 users

Tags:
Is this bug a regression?: ---
Last known good build:


Attachments:
- Output from crash with mono 3.2.3 (28.90 KB, text/plain), 2013-09-16 09:02 UTC, Weeble
- Crash output during context creation instead of dispose (39.67 KB, text/plain), 2013-09-16 09:04 UTC, Weeble
- Crash output from shorter example (8.08 KB, text/plain), 2013-09-16 11:45 UTC, Weeble



Description Brian Luczkiewicz 2011-12-08 14:53:31 UTC
I've observed this crash on a mac running lion. I am using this mono beta build: http://download.mono-project.com/archive/2.10.7/MonoFramework-MDK-2.10.7_gtk-beta.macos10.xamarin.x86.dmg. mono 2.10.6 does not crash like this.

I've constructed an isolated test case to reproduce this. For me, this crashes within a few seconds of startup.

If I add locking around the code in the body of the while(true) loop, the crash disappears. This points to a race condition in libgdiplus or Cairo.

To compile:

$ dmcs /r:System.Drawing foo.cs

To run:

$ cp <any valid jpeg file> foo.jpg
$ mono foo.exe

foo.cs:

using System;
using System.IO;
using System.Threading;
using System.Drawing;
using System.Drawing.Imaging;

public class Foo {
    const string infile = "foo.jpg";

    public static void Main(string[] args) {
        // Ten background threads plus the main thread all run Hammer()
        // concurrently. There is deliberately no synchronisation: the
        // unsynchronised create/draw/dispose cycle is what triggers the crash.
        for (int i = 0; i < 10; i++)
            new Thread(Hammer).Start();
        Hammer();
    }

    static void Hammer() {
        while (true) {
            // Each iteration creates and disposes a Bitmap, a decoded JPEG and a
            // Graphics. Graphics.Dispose() calls GdipDeleteGraphics, which is
            // where the cairo assertion in the stack trace below fires.
            using (var outbmp = new Bitmap(100, 100, PixelFormat.Format24bppRgb))
            using (var stream = File.OpenRead(infile))
            using (var inbmp = Bitmap.FromStream(stream))
            using (var g = Graphics.FromImage(outbmp)) {
                g.DrawImage(inbmp, new Rectangle(0, 0, outbmp.Width, outbmp.Height));
            }
        }
    }
}


The crash:

Assertion failed: (!"reached"), function _cairo_hash_table_lookup_exact_key, file cairo-hash.c, line 471.
Stacktrace:

  at (wrapper managed-to-native) System.Drawing.GDIPlus.GdipDeleteGraphics (intptr) <0xffffffff>
  at System.Drawing.Graphics.Dispose () <0x00063>
  at Foo.Hammer () <0x00172>
  at System.Threading.Thread.StartInternal () <0x00059>
  at (wrapper runtime-invoke) object.runtime_invoke_void__this__ (object,intptr,intptr,intptr) <0xffffffff>

Native stacktrace:

	0   mono                                0x00094fcc mono_handle_native_sigsegv + 284
	1   mono                                0x000dad5d sigabrt_signal_handler + 109
	2   libsystem_c.dylib                   0x9afc459b _sigtramp + 43
	3   ???                                 0xffffffff 0x0 + 4294967295
	4   libsystem_c.dylib                   0x9af5fbdd abort + 167
	5   libsystem_c.dylib                   0x9af9420b __assert_rtn + 351
	6   libcairo.2.dylib                    0x03027f5e _cairo_hash_table_lookup_exact_key + 270
	7   libcairo.2.dylib                    0x03027f94 _cairo_hash_table_remove + 36
	8   libcairo.2.dylib                    0x030729ca _cairo_toy_font_face_destroy + 170
	9   libcairo.2.dylib                    0x0301f02a cairo_font_face_destroy + 170
	10  libcairo.2.dylib                    0x03022508 _cairo_gstate_fini + 40
	11  libcairo.2.dylib                    0x03014e89 cairo_destroy + 201
	12  libgdiplus.dylib                    0x01e0cbe2 GdipDeleteGraphics + 162
	13  ???                                 0x037f4bf4 0x0 + 58674164
	14  ???                                 0x037f39ec 0x0 + 58669548
	15  ???                                 0x004a8153 0x0 + 4882771
	16  ???                                 0x004a79fa 0x0 + 4880890
	17  ???                                 0x004a7879 0x0 + 4880505
	18  mono                                0x0000d352 mono_jit_runtime_invoke + 722
	19  mono                                0x001a43aa mono_runtime_invoke + 170
	20  mono                                0x001a5c47 mono_runtime_delegate_invoke + 135
	21  mono                                0x001e92f6 start_wrapper_internal + 726
	22  mono                                0x001e9357 start_wrapper + 23
	23  mono                                0x0022e6fe thread_start_routine + 206
	24  mono                                0x00268118 GC_start_routine + 120
	25  libsystem_c.dylib                   0x9af6ced9 _pthread_start + 335
	26  libsystem_c.dylib                   0x9af706de thread_start + 34
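Added example, not part of the original report: the reproducer above rewritten with the workaround the reporter describes, a single lock held around the body of the loop so that no two threads are inside libgdiplus at the same time. Serialising only Dispose() is not enough, because the second attachment on this bug shows the same crash during context creation rather than disposal, so every call that reaches libgdiplus (Bitmap, Image.FromStream, Graphics, DrawImage and the disposals) is taken under the same lock. The glibc message in comment 1 ("double free or corruption") shows that the unsynchronised version corrupts the heap rather than merely tripping an assertion, which matters for any service that decodes untrusted images on worker threads. The lock object name, the bounded iteration count, and reading the file into memory before taking the lock are assumptions of this example.

```csharp
using System;
using System.IO;
using System.Threading;
using System.Drawing;
using System.Drawing.Imaging;

// Example code, not from the bug report: the reporter's reproducer with
// one process-wide lock around all System.Drawing work.
public class FooSerialized {
    const string infile = "foo.jpg";

    // Assumed name. A single gate for every libgdiplus call in the process.
    // The crashes in this report come from two threads creating and tearing
    // down cairo state at the same time, so the gate must cover creation,
    // drawing and disposal, not just Dispose().
    static readonly object gdipGate = new object();

    public static void Main(string[] args) {
        // Bounded run (assumed default of 10000 iterations) so the program
        // finishes instead of looping forever like the original reproducer.
        int iterations = args.Length > 0 ? int.Parse(args[0]) : 10000;

        var threads = new Thread[10];
        for (int i = 0; i < threads.Length; i++) {
            threads[i] = new Thread(() => Hammer(iterations));
            threads[i].Start();
        }
        Hammer(iterations);
        foreach (var t in threads)
            t.Join();
        Console.WriteLine("finished {0} iterations on {1} threads without a crash",
                          iterations, threads.Length + 1);
    }

    static void Hammer(int iterations) {
        for (int n = 0; n < iterations; n++) {
            // File I/O does not touch libgdiplus, so it can stay outside the
            // lock and keep the critical section as short as possible.
            byte[] data = File.ReadAllBytes(infile);

            lock (gdipGate) {
                using (var outbmp = new Bitmap(100, 100, PixelFormat.Format24bppRgb))
                using (var stream = new MemoryStream(data))
                using (var inbmp = Image.FromStream(stream))
                using (var g = Graphics.FromImage(outbmp)) {
                    g.DrawImage(inbmp, new Rectangle(0, 0, outbmp.Width, outbmp.Height));
                }
                // All four Dispose() calls run here, still under the lock, so
                // GdipDeleteGraphics never overlaps another thread's cairo work.
            }
        }
    }
}
```

Compile and run it the same way as the original (dmcs /r:System.Drawing foo_serialized.cs; mono foo_serialized.exe [iterations]) with a valid foo.jpg in the working directory. The lock turns the image pipeline into a single-threaded bottleneck; it is a mitigation for the libgdiplus/cairo race described here, not a substitute for a fixed library.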
Comment 1 Gene 2012-01-26 11:44:55 UTC
This problem also occurs with mono 2.11 under Ubuntu 11.10 and CentOS 6. Is there any workaround or patch?

----

[root@pitiruoci ~]# mono foo.exe 
*** glibc detected *** mono: double free or corruption (fasttop): 0x00007f245400c620 ***
Stacktrace:


Native stacktrace:

mono: cairo.c:435: cairo_destroy: Assertion `((*&(&cr->ref_count)->ref_count) > 0)' failed.
Aborted (core dumped)
[root@pitiruoci ~]# mono foo.exe 
*** glibc detected *** mono: double free or corruption (fasttop): 0x00007f4ab000b660 ***
======= Backtrace: =========
/lib64/libc.so.6[0x351f8750c6]
/usr/lib64/libcairo.so.2[0x30dc0522b4]
/usr/lib64/libcairo.so.2(cairo_font_face_destroy+0x3f)[0x30dc01cdff]
/usr/lib64/libcairo.so.2[0x30dc022246]
/usr/lib64/libcairo.so.2(cairo_destroy+0x91)[0x30dc0191b1]
/usr/local/lib/libgdiplus.so(GdipDeleteGraphics+0x85)[0x7f4adb673605]
[0x40c8975b]
======= Memory map: ========
00400000-0070e000 r-xp 00000000 08:02 8529423                            /usr/local/bin/mono
0090e000-00918000 rw-p 0030e000 08:02 8529423                            /usr/local/bin/mono
00918000-00952000 rw-p 00000000 00:00 0 
00ffc000-01444000 rw-p 00000000 00:00 0                                  [heap]
40c7d000-40c8e000 rwxp 00000000 00:00 0 
412e4000-412f5000 rwxp 00000000 00:00 0 
4189c000-4189d000 ---p 00000000 00:00 0 
41952000-41953000 r--p 00000000 00:00 0 
30dc000000-30dc0a6000 r-xp 00000000 08:02 8529458                        /usr/lib64/libcairo.so.2.11000.2
30dc0a6000-30dc2a6000 ---p 000a6000 08:02 8529458                        /usr/lib64/libcairo.so.2.11000.2
30dc2a6000-30dc2a8000 rw-p 000a6000 08:02 8529458                        /usr/lib64/libcairo.so.2.11000.2
30dc2a8000-30dc2ab000 rw-p 00000000 00:00 0 
351f000000-351f020000 r-xp 00000000 08:02 8126747                        /lib64/ld-2.12.so
351f21f000-351f220000 r--p 0001f000 08:02 8126747                        /lib64/ld-2.12.so
351f220000-351f221000 rw-p 00020000 08:02 8126747                        /lib64/ld-2.12.so
351f221000-351f222000 rw-p 00000000 00:00 0 
351f400000-351f4e4000 r-xp 00000000 08:02 8126884                        /lib64/libglib-2.0.so.0.2200.5
351f4e4000-351f6e4000 ---p 000e4000 08:02 8126884                        /lib64/libglib-2.0.so.0.2200.5
351f6e4000-351f6e5000 rw-p 000e4000 08:02 8126884                        /lib64/libglib-2.0.so.0.2200.5
351f6e5000-351f6e6000 rw-p 00000000 00:00 0 
351f800000-351f997000 r-xp 00000000 08:02 8126768                        /lib64/libc-2.12.so
351f997000-351fb97000 ---p 00197000 08:02 8126768                        /lib64/libc-2.12.so
351fb97000-351fb9b000 r--p 00197000 08:02 8126768                        /lib64/libc-2.12.so
351fb9b000-351fb9c000 rw-p 0019b000 08:02 8126768                        /lib64/libc-2.12.so
351fb9c000-351fba1000 rw-p 00000000 00:00 0 
351fc00000-351fc17000 r-xp 00000000 08:02 8126816                        /lib64/libpthread-2.12.so
351fc17000-351fe16000 ---p 00017000 08:02 8126816                        /lib64/libpthread-2.12.so
351fe16000-351fe17000 r--p 00016000 08:02 8126816                        /lib64/libpthread-2.12.so
351fe17000-351fe18000 rw-p 00017000 08:02 8126816                        /lib64/libpthread-2.12.so
351fe18000-351fe1c000 rw-p 00000000 00:00 0 
3520000000-3520002000 r-xp 00000000 08:02 8126869                        /lib64/libdl-2.12.so
3520002000-3520202000 ---p 00002000 08:02 8126869                        /lib64/libdl-2.12.so
3520202000-3520203000 r--p 00002000 08:02 8126869                        /lib64/libdl-2.12.so
3520203000-3520204000 rw-p 00003000 08:02 8126869                        /lib64/libdl-2.12.so
3520400000-3520483000 r-xp 00000000 08:02 8126815                        /lib64/libm-2.12.so
3520483000-3520682000 ---p 00083000 08:02 8126815                        /lib64/libm-2.12.so
3520682000-3520683000 r--p 00082000 08:02 8126815                        /lib64/libm-2.12.so
3520683000-3520684000 rw-p 00083000 08:02 8126815                        /lib64/libm-2.12.so
3520800000-3520815000 r-xp 00000000 08:02 8126834                        /lib64/libz.so.1.2.3
3520815000-3520a14000 ---p 00015000 08:02 8126834                        /lib64/libz.so.1.2.3
3520a14000-3520a15000 r--p 00014000 08:02 8126834                        /lib64/libz.so.1.2.3
3520a15000-3520a16000 rw-p 00015000 08:02 8126834                        /lib64/libz.so.1.2.3
3520c00000-3520c07000 r-xp 00000000 08:02 8126931                        /lib64/librt-2.12.so
3520c07000-3520e06000 ---p 00007000 08:02 8126931                        /lib64/librt-2.12.so
3520e06000-3520e07000 r--p 00006000 08:02 8126931                        /lib64/librt-2.12.so
3520e07000-3520e08000 rw-p 00007000 08:02 8126931                        /lib64/librt-2.12.so
3521c00000-3521c16000 r-xp 00000000 08:02 8126863                        /lib64/libgcc_s-4.4.6-20110824.so.1
3521c16000-3521e15000 ---p 00016000 08:02 8126863                        /lib64/libgcc_s-4.4.6-20110824.so.1
3521e15000-3521e16000 rw-p 00015000 08:02 8126863                        /lib64/libgcc_s-4.4.6-20110824.so.1
3524400000-3524423000 r-xp 00000000 08:02 8531342                        /usr/lib64/libjpeg.so.62.0.0
3524423000-3524623000 ---p 00023000 08:02 8531342                        /usr/lib64/libjpeg.so.62.0.0
3524623000-3524624000 rw-p 00023000 08:02 8531342                        /usr/lib64/libjpeg.so.62.0.0
3524800000-3524862000 r-xp 00000000 08:02 8525284                        /usr/lib64/libtiff.so.3.9.4
3524862000-3524a61000 ---p 00062000 08:02 8525284                        /usr/lib64/libtiff.so.3.9.4
3524a61000-3524a64000 rw-p 00061000 08:02 8525284                        /usr/lib64/libtiff.so.3.9.4
3524c00000-3524c26000 r-xp 00000000 08:02 8126862                        /lib64/libexpat.so.1.5.2
3524c26000-3524e25000 ---p 00026000 08:02 8126862                        /lib64/libexpat.so.1.5.2
3524e25000-3524e28000 rw-p 00025000 08:02 8126862                        /lib64/libexpat.so.1.5.2
3525000000-3525097000 r-xp 00000000 08:02 8531597                        /usr/lib64/libfreetype.so.6.3.22
3525097000-3525297000 ---p 00097000 08:02 8531597                        /usr/lib64/libfreetype.so.6.3.22
3525297000-352529d000 rw-p 00097000 08:02 8531597                        /usr/lib64/libfreetype.so.6.3.22
3525400000-3525434000 r-xp 00000000 08:02 8532677                        /usr/lib64/libfontconfig.so.1.4.4
3525434000-3525634000 ---p 00034000 08:02 8532677                        /usr/lib64/libfontconfig.so.1.4.4
3525634000-3525636000 rw-p 00034000 08:02 8532677                        /usr/lib64/libfontconfig.so.1.4.4
3526000000-3526139000 r-xp 00000000 08:02 8532685                        /usr/lib64/libX11.so.6.3.0
3526139000-3526339000 ---p 00139000 08:02 8532685                        /usr/lib64/libX11.so.6.3.0
3526339000-352633f000 rw-p 00139000 08:02 8532685                        /usr/lib64/libX11.so.6.3.0
3526800000-3526802000 r-xp 00000000 08:02 8532683                        /usr/lib64/libXau.so.6.0.0
3526802000-3526a02000 ---p 00002000 08:02 8532683                        /usr/lib64/libXau.so.6.0.0

Stacktrace:

  at <unknown> <0xffffffff>
  at (wrapper managed-to-native) System.Drawing.GDIPlus.GdipDeleteGraphics (intptr) <0xffffffff>
  at System.Drawing.Graphics.Dispose () <0x00073>
  at Foo.Hammer () <0x0017b>
  at System.Threading.Thread.StartInternal () <0x000a8>
  at (wrapper runtime-invoke) object.runtime_invoke_void__this__ (object,intptr,intptr,intptr) <0xffffffff>

Native stacktrace:

	mono() [0x491c76]
	/lib64/libpthread.so.0() [0x351fc0f4a0]
	/lib64/libc.so.6(gsignal+0x35) [0x351f832885]
	/lib64/libc.so.6(abort+0x175) [0x351f834065]
	/lib64/libc.so.6() [0x351f86f7a7]
	/lib64/libc.so.6() [0x351f8750c6]
	/usr/lib64/libcairo.so.2() [0x30dc0522b4]
	/usr/lib64/libcairo.so.2(cairo_font_face_destroy+0x3f) [0x30dc01cdff]
	/usr/lib64/libcairo.so.2() [0x30dc022246]
	/usr/lib64/libcairo.so.2(cairo_destroy+0x91) [0x30dc0191b1]
	/usr/local/lib/libgdiplus.so(GdipDeleteGraphics+0x85) [0x7f4adb673605]
	[0x40c8975b]

Debug info from gdb:

Mono support loaded.
[Thread debugging using libthread_db enabled]
[New Thread 0x7f4ada43c700 (LWP 6896)]
[New Thread 0x7f4ada63d700 (LWP 6895)]
[New Thread 0x7f4ada842700 (LWP 6894)]
[New Thread 0x7f4adaa43700 (LWP 6893)]
[New Thread 0x7f4adac48700 (LWP 6892)]
[New Thread 0x7f4adae49700 (LWP 6891)]
[New Thread 0x7f4adb04e700 (LWP 6890)]
[New Thread 0x7f4adb24f700 (LWP 6889)]
[New Thread 0x7f4adbb3b700 (LWP 6888)]
[New Thread 0x7f4adbd40700 (LWP 6887)]
[New Thread 0x7f4adbf7d700 (LWP 6886)]
[New Thread 0x7f4add211700 (LWP 6885)]
0x000000352441b474 in ?? () from /usr/lib64/libjpeg.so.62
  13 Thread 0x7f4add211700 (LWP 6885)  0x000000351fc0b3dc in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
  12 Thread 0x7f4adbf7d700 (LWP 6886)  0x000000351f832c34 in sigsuspend () from /lib64/libc.so.6
  11 Thread 0x7f4adbd40700 (LWP 6887)  0x000000351f832c34 in sigsuspend () from /lib64/libc.so.6
  10 Thread 0x7f4adbb3b700 (LWP 6888)  0x000000351f832c34 in sigsuspend () from /lib64/libc.so.6
  9 Thread 0x7f4adb24f700 (LWP 6889)  0x000000351f832c34 in sigsuspend () from /lib64/libc.so.6
  8 Thread 0x7f4adb04e700 (LWP 6890)  0x000000351f832c34 in sigsuspend () from /lib64/libc.so.6
  7 Thread 0x7f4adae49700 (LWP 6891)  0x000000351f832c34 in sigsuspend () from /lib64/libc.so.6
  6 Thread 0x7f4adac48700 (LWP 6892)  0x000000351f832c34 in sigsuspend () from /lib64/libc.so.6
  5 Thread 0x7f4adaa43700 (LWP 6893)  0x000000351fc0d6c0 in sem_wait () from /lib64/libpthread.so.0
  4 Thread 0x7f4ada842700 (LWP 6894)  0x000000351f832c34 in sigsuspend () from /lib64/libc.so.6
  3 Thread 0x7f4ada63d700 (LWP 6895)  0x000000351f832c34 in sigsuspend () from /lib64/libc.so.6
  2 Thread 0x7f4ada43c700 (LWP 6896)  0x000000351f832c34 in sigsuspend () from /lib64/libc.so.6
* 1 Thread 0x7f4ae32bf740 (LWP 6884)  0x000000352441b474 in ?? () from /usr/lib64/libjpeg.so.62

Thread 13 (Thread 0x7f4add211700 (LWP 6885)):
#0  0x000000351fc0b3dc in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
#1  0x00000000005e304c in GC_wait_marker () at pthread_support.c:1868
#2  0x00000000005e9fec in GC_help_marker (my_mark_no=323) at mark.c:1116
#3  0x00000000005e1ddc in GC_mark_thread (id=0x0) at pthread_support.c:552
#4  0x000000351fc077f1 in start_thread () from /lib64/libpthread.so.0
#5  0x000000351f8e570d in clone () from /lib64/libc.so.6

Thread 12 (Thread 0x7f4adbf7d700 (LWP 6886)):
#0  0x000000351f832c34 in sigsuspend () from /lib64/libc.so.6
#1  0x00000000005edcfe in _GC_suspend_handler (sig=30) at pthread_stop_world.c:186
#2  0x00000000005edd3d in GC_suspend_handler (sig=30) at pthread_stop_world.c:211
#3  <signal handler called>
#4  0x000000351fc0d6be in sem_wait () from /lib64/libpthread.so.0
#5  0x00000000005cca08 in mono_sem_wait (sem=0x91a1a0, alertable=1) at mono-semaphore.c:113
#6  0x000000000059a04b in finalizer_thread (unused=<value optimized out>) at gc.c:1073

#7  0x000000000056d830 in start_wrapper_internal (data=0x1059ef0) at threads.c:571
#8  start_wrapper (data=0x1059ef0) at threads.c:619
#9  0x00000000005ae8d3 in thread_start_routine (args=0x1013c50) at wthreads.c:286
#10 0x00000000005d0359 in inner_start_thread (arg=0x105a240) at mono-threads-posix.c:49
#11 0x00000000005e2cb9 in GC_start_routine (arg=0x7f4adbffdfc0) at pthread_support.c:1473
#12 0x000000351fc077f1 in start_thread () from /lib64/libpthread.so.0
#13 0x000000351f8e570d in clone () from /lib64/libc.so.6

Thread 11 (Thread 0x7f4adbd40700 (LWP 6887)):
#0  0x000000351f832c34 in sigsuspend () from /lib64/libc.so.6
#1  0x00000000005edcfe in _GC_suspend_handler (sig=30) at pthread_stop_world.c:186
#2  0x00000000005edd3d in GC_suspend_handler (sig=30) at pthread_stop_world.c:211
#3  <signal handler called>
#4  0x000000352441b4bb in ?? () from /usr/lib64/libjpeg.so.62
#5  0x000000352441b7f5 in ?? () from /usr/lib64/libjpeg.so.62
#6  0x00000035244141f4 in ?? () from /usr/lib64/libjpeg.so.62
#7  0x000000352440e3f6 in jpeg_read_scanlines () from /usr/lib64/libjpeg.so.62
#8  0x00007f4adb69bdc3 in gdip_load_jpeg_image_internal (src=0x7f4acc032c60, image=0x7f4adbd3f820) at jpegcodec.c:428
#9  0x00007f4adb69c142 in gdip_load_jpeg_image_from_stream_delegate (loader=0x7f4acc0223e0, image=0x7f4adbd3f820) at jpegcodec.c:640
#10 0x00007f4adb6808d3 in GdipLoadImageFromDelegate_linux (getHeaderFunc=<value optimized out>, getBytesFunc=<value optimized out>, putBytesFunc=0, seekFunc=0x7f4ada042620, closeFunc=0x7f4ada042700, sizeFunc=0x7f4ada0427e0, image=0x7f4adbd3f970) at image.c:2267
#11 0x0000000040c86f0c in ?? ()
#12 0x00007f4adbd3f970 in ?? ()
#13 0x0000000000000068 in ?? ()
#14 0x00007f4ada042700 in ?? ()
#15 0x00007f4ada042460 in ?? ()
#16 0x00007f4ada042540 in ?? ()
#17 0x0000000000000000 in ?? ()

Thread 10 (Thread 0x7f4adbb3b700 (LWP 6888)):
#0  0x000000351f832c34 in sigsuspend () from /lib64/libc.so.6
#1  0x00000000005edcfe in _GC_suspend_handler (sig=30) at pthread_stop_world.c:186
#2  0x00000000005edd3d in GC_suspend_handler (sig=30) at pthread_stop_world.c:211
#3  <signal handler called>
#4  0x000000352ac3c885 in ?? () from /usr/lib64/libpixman-1.so.0
#5  0x000000352ac3088b in ?? () from /usr/lib64/libpixman-1.so.0
#6  0x000000352ac32a24 in pixman_image_composite32 () from /usr/lib64/libpixman-1.so.0
#7  0x00000030dc029ec3 in _composite_boxes (dst=0x7f4ad001ebc0, op=CAIRO_OPERATOR_OVER, src=0x7f4adbb3a6a0, boxes=0x7f4adbb3a170, antialias=CAIRO_ANTIALIAS_DEFAULT, extents=0x7f4adbb3a5c0, clip=0x0) at cairo-image-surface.c:3008
#8  _clip_and_composite_boxes (dst=0x7f4ad001ebc0, op=CAIRO_OPERATOR_OVER, src=0x7f4adbb3a6a0, boxes=0x7f4adbb3a170, antialias=CAIRO_ANTIALIAS_DEFAULT, extents=0x7f4adbb3a5c0, clip=0x0) at cairo-image-surface.c:3047
#9  0x00000030dc02ac3b in _cairo_image_surface_paint (abstract_surface=0x7f4ad001ebc0, op=CAIRO_OPERATOR_OVER, source=0x7f4adbb3a6a0, clip=0x0) at cairo-image-surface.c:3301
#10 0x00000030dc048857 in _cairo_surface_paint (surface=0x7f4ad001ebc0, op=CAIRO_OPERATOR_OVER, source=0x7f4adbb3a6a0, clip=0x0) at cairo-surface.c:2022
#11 0x00000030dc020612 in _cairo_gstate_paint (gstate=0x30dc2a8280) at cairo-gstate.c:1049
#12 0x00000030dc017964 in cairo_paint (cr=0x30dc2a8250) at cairo.c:2228
#13 0x00007f4adb683518 in GdipDrawImageRect (graphics=0x7f4ad001ed40, image=<value optimized out>, x=<value optimized out>, y=0, width=<value optimized out>, height=<value optimized out>) at image.c:472
#14 0x0000000040c895d9 in ?? ()
#15 0x00007f4ad0000e40 in ?? ()
#16 0x00007f4ada052e70 in ?? ()
#17 0x00007f4adbb3aaa0 in ?? ()
#18 0x00007f4acc088e00 in ?? ()
#19 0x00007f4adbd72598 in ?? ()
#20 0x00007f4adbb3aaa0 in ?? ()
#21 0x00007f4adbb3a8b0 in ?? ()
#22 0x00007f4adc7e5cc0 in ?? ()
#23 0x00007f4adbd72570 in ?? ()
#24 0x00007f4ada052e70 in ?? ()
#25 0x00007f4adbd72570 in ?? ()
#26 0x0000000040c894e4 in ?? ()
#27 0x00007f4acc000ed0 in ?? ()
#28 0x00007f4ada052e70 in ?? ()
#29 0x00007f4adbb3a8f0 in ?? ()
#30 0x00007f4ad001ed40 in ?? ()
#31 0x00007f4acc004f60 in ?? ()
#32 0x00007f4acc0073c8 in ?? ()
#33 0x0000000000000028 in ?? ()
#34 0x00007f4ada052e70 in ?? ()
#35 0x00007f4adbd72570 in ?? ()
#36 0x0000000000000000 in ?? ()

Thread 9 (Thread 0x7f4adb24f700 (LWP 6889)):
#0  0x000000351f832c34 in sigsuspend () from /lib64/libc.so.6
#1  0x00000000005edcfe in _GC_suspend_handler (sig=30) at pthread_stop_world.c:186
#2  0x00000000005edd3d in GC_suspend_handler (sig=30) at pthread_stop_world.c:211
#3  <signal handler called>
#4  0x0000003524412601 in ?? () from /usr/lib64/libjpeg.so.62
#5  0x0000003524415023 in ?? () from /usr/lib64/libjpeg.so.62
#6  0x00000035244141be in ?? () from /usr/lib64/libjpeg.so.62
#7  0x000000352440e3f6 in jpeg_read_scanlines () from /usr/lib64/libjpeg.so.62
#8  0x00007f4adb69bdc3 in gdip_load_jpeg_image_internal (src=0x7f4ac400c760, image=0x7f4adb24e820) at jpegcodec.c:428
#9  0x00007f4adb69c142 in gdip_load_jpeg_image_from_stream_delegate (loader=0x7f4ac400bcb0, image=0x7f4adb24e820) at jpegcodec.c:640
#10 0x00007f4adb6808d3 in GdipLoadImageFromDelegate_linux (getHeaderFunc=<value optimized out>, getBytesFunc=<value optimized out>, putBytesFunc=0, seekFunc=0x7f4ada041dc0, closeFunc=0x7f4ada041e80, sizeFunc=0x7f4ada041f40, image=0x7f4adb24e970) at image.c:2267
#11 0x0000000040c86f0c in ?? ()
#12 0x00007f4adb24e970 in ?? ()
#13 0x0000000000000068 in ?? ()
#14 0x00007f4ada041e80 in ?? ()
#15 0x00007f4ada041c00 in ?? ()
#16 0x00007f4ada041cc0 in ?? ()
#17 0x0000000000000000 in ?? ()

Thread 8 (Thread 0x7f4adb04e700 (LWP 6890)):
#0  0x000000351f832c34 in sigsuspend () from /lib64/libc.so.6
#1  0x00000000005edcfe in _GC_suspend_handler (sig=30) at pthread_stop_world.c:186
#2  0x00000000005edd3d in GC_suspend_handler (sig=30) at pthread_stop_world.c:211
#3  <signal handler called>
#4  0x000000352441b43c in ?? () from /usr/lib64/libjpeg.so.62
#5  0x000000352441b7f5 in ?? () from /usr/lib64/libjpeg.so.62
#6  0x00000035244141f4 in ?? () from /usr/lib64/libjpeg.so.62
#7  0x000000352440e3f6 in jpeg_read_scanlines () from /usr/lib64/libjpeg.so.62
#8  0x00007f4adb69bdc3 in gdip_load_jpeg_image_internal (src=0x7f4ac80128f0, image=0x7f4adb04d820) at jpegcodec.c:428
#9  0x00007f4adb69c142 in gdip_load_jpeg_image_from_stream_delegate (loader=0x7f4ac800e9b0, image=0x7f4adb04d820) at jpegcodec.c:640
#10 0x00007f4adb6808d3 in GdipLoadImageFromDelegate_linux (getHeaderFunc=<value optimized out>, getBytesFunc=<value optimized out>, putBytesFunc=0, seekFunc=0x7f4ada041960, closeFunc=0x7f4ada041a40, sizeFunc=0x7f4ada041b20, image=0x7f4adb04d970) at image.c:2267
#11 0x0000000040c86f0c in ?? ()
#12 0x00007f4adb04d970 in ?? ()
#13 0x0000000000000068 in ?? ()
#14 0x00007f4ada041a40 in ?? ()
#15 0x00007f4ada041760 in ?? ()
#16 0x00007f4ada041840 in ?? ()
#17 0x0000000000000000 in ?? ()

Thread 7 (Thread 0x7f4adae49700 (LWP 6891)):
#0  0x000000351f832c34 in sigsuspend () from /lib64/libc.so.6
#1  0x00000000005edcfe in _GC_suspend_handler (sig=30) at pthread_stop_world.c:186
#2  0x00000000005edd3d in GC_suspend_handler (sig=30) at pthread_stop_world.c:211
#3  <signal handler called>
#4  0x00000035244172c5 in jpeg_idct_islow () from /usr/lib64/libjpeg.so.62
#5  0x000000352441516f in ?? () from /usr/lib64/libjpeg.so.62
#6  0x00000035244141be in ?? () from /usr/lib64/libjpeg.so.62
#7  0x000000352440e3f6 in jpeg_read_scanlines () from /usr/lib64/libjpeg.so.62
#8  0x00007f4adb69bdc3 in gdip_load_jpeg_image_internal (src=0x7f4abc00bc40, image=0x7f4adae48820) at jpegcodec.c:428
#9  0x00007f4adb69c142 in gdip_load_jpeg_image_from_stream_delegate (loader=0x7f4abc00c3a0, image=0x7f4adae48820) at jpegcodec.c:640
#10 0x00007f4adb6808d3 in GdipLoadImageFromDelegate_linux (getHeaderFunc=<value optimized out>, getBytesFunc=<value optimized out>, putBytesFunc=0, seekFunc=0x7f4ada042220, closeFunc=0x7f4ada042320, sizeFunc=0x7f4ada0423c0, image=0x7f4adae48970) at image.c:2267
#11 0x0000000040c86f0c in ?? ()
#12 0x00007f4adae48970 in ?? ()
#13 0x0000000000000068 in ?? ()
#14 0x00007f4ada042320 in ?? ()
#15 0x00007f4ada042020 in ?? ()
#16 0x00007f4ada042120 in ?? ()
#17 0x0000000000000000 in ?? ()

Thread 6 (Thread 0x7f4adac48700 (LWP 6892)):
#0  0x000000351f832c34 in sigsuspend () from /lib64/libc.so.6
#1  0x00000000005edcfe in _GC_suspend_handler (sig=30) at pthread_stop_world.c:186
#2  0x00000000005edd3d in GC_suspend_handler (sig=30) at pthread_stop_world.c:211
#3  <signal handler called>
#4  0x000000352ac3c87b in ?? () from /usr/lib64/libpixman-1.so.0
#5  0x000000352ac3088b in ?? () from /usr/lib64/libpixman-1.so.0
#6  0x000000352ac32a24 in pixman_image_composite32 () from /usr/lib64/libpixman-1.so.0
#7  0x00000030dc029ec3 in _composite_boxes (dst=0x7f4ac000c230, op=CAIRO_OPERATOR_OVER, src=0x7f4adac476a0, boxes=0x7f4adac47170, antialias=CAIRO_ANTIALIAS_DEFAULT, extents=0x7f4adac475c0, clip=0x0) at cairo-image-surface.c:3008
#8  _clip_and_composite_boxes (dst=0x7f4ac000c230, op=CAIRO_OPERATOR_OVER, src=0x7f4adac476a0, boxes=0x7f4adac47170, antialias=CAIRO_ANTIALIAS_DEFAULT, extents=0x7f4adac475c0, clip=0x0) at cairo-image-surface.c:3047
#9  0x00000030dc02ac3b in _cairo_image_surface_paint (abstract_surface=0x7f4ac000c230, op=CAIRO_OPERATOR_OVER, source=0x7f4adac476a0, clip=0x0) at cairo-image-surface.c:3301
#10 0x00000030dc048857 in _cairo_surface_paint (surface=0x7f4ac000c230, op=CAIRO_OPERATOR_OVER, source=0x7f4adac476a0, clip=0x0) at cairo-surface.c:2022
#11 0x00000030dc020612 in _cairo_gstate_paint (gstate=0x30dc2a8da0) at cairo-gstate.c:1049
#12 0x00000030dc017964 in cairo_paint (cr=0x30dc2a8d70) at cairo.c:2228
#13 0x00007f4adb683518 in GdipDrawImageRect (graphics=0x7f4ac000c3b0, image=<value optimized out>, x=<value optimized out>, y=0, width=<value optimized out>, height=<value optimized out>) at image.c:472
#14 0x0000000040c895d9 in ?? ()
#15 0x00007f4ac0000e40 in ?? ()
#16 0x00007f4ada052540 in ?? ()
#17 0x00007f4adac47aa0 in ?? ()
#18 0x00007f4acc088e00 in ?? ()
#19 0x00007f4ada22fdd8 in ?? ()
#20 0x00007f4adac47aa0 in ?? ()
#21 0x00007f4adac478b0 in ?? ()
#22 0x00007f4adc7e5cc0 in ?? ()
#23 0x00007f4ada22fdb0 in ?? ()
#24 0x00007f4ada052540 in ?? ()
#25 0x00007f4ada22fdb0 in ?? ()
#26 0x0000000040c894e4 in ?? ()
#27 0x00007f4acc000ed0 in ?? ()
#28 0x00007f4ada052540 in ?? ()
#29 0x00007f4adac478f0 in ?? ()
#30 0x00007f4ac000c3b0 in ?? ()
#31 0x00007f4acc004f60 in ?? ()
#32 0x00007f4acc0073c8 in ?? ()
#33 0x0000000000000028 in ?? ()
#34 0x00007f4ada052540 in ?? ()
#35 0x00007f4ada22fdb0 in ?? ()
#36 0x0000000000000000 in ?? ()

Thread 5 (Thread 0x7f4adaa43700 (LWP 6893)):
#0  0x000000351fc0d6c0 in sem_wait () from /lib64/libpthread.so.0
#1  0x00000000005ee13e in pthread_stop_world () at pthread_stop_world.c:450
#2  0x00000000005ee19f in GC_stop_world () at pthread_stop_world.c:609
#3  0x00000000005e397f in GC_stopped_mark (stop_func=0x5e30af <GC_never_stop_func>) at alloc.c:503
#4  0x00000000005e36f4 in GC_try_to_collect_inner (stop_func=0x5e30af <GC_never_stop_func>) at alloc.c:382
#5  0x00000000005e4761 in GC_collect_or_expand (needed_blocks=2, ignore_off_page=0) at alloc.c:1045
#6  0x00000000005e6009 in GC_alloc_large (lw=516, k=0, flags=0) at malloc.c:60
#7  0x00000000005e63d0 in GC_generic_malloc (lb=4128, k=0) at malloc.c:204
#8  0x00000000005e6597 in GC_malloc_atomic (lb=4128) at malloc.c:270
#9  0x00000000005e19dd in GC_local_malloc_atomic (bytes=4128) at pthread_support.c:380
#10 0x000000000050cf92 in mono_object_allocate_ptrfree (vtable=vtable("System.Byte[]"), n=4096) at object.c:4252
#11 mono_array_new_specific (vtable=vtable("System.Byte[]"), n=4096) at object.c:4811
#12 0x0000000040c7ed0d in ?? ()
#13 0x00007f4ab4000e40 in ?? ()
#14 0x00007f4adbffdb40 in ?? ()
#15 0x00007f4adaa429a0 in ?? ()
#16 0x0000000040c7dcda in ?? ()
#17 0x00007f4acc000ed0 in ?? ()
#18 0x00007f4adaa429a0 in ?? ()
#19 0x00007f4adaa428a0 in ?? ()
#20 0x00007f4adc7e5cc0 in ?? ()
#21 0x00007f4adbffdb40 in ?? ()
#22 0x00007f4ada03ae88 in ?? ()
#23 0x0000000000000000 in ?? ()

Thread 4 (Thread 0x7f4ada842700 (LWP 6894)):
#0  0x000000351f832c34 in sigsuspend () from /lib64/libc.so.6
#1  0x00000000005edcfe in _GC_suspend_handler (sig=30) at pthread_stop_world.c:186
#2  0x00000000005edd3d in GC_suspend_handler (sig=30) at pthread_stop_world.c:211
#3  <signal handler called>
#4  0x000000352ac3c965 in ?? () from /usr/lib64/libpixman-1.so.0
#5  0x000000352ac3088b in ?? () from /usr/lib64/libpixman-1.so.0
#6  0x000000352ac32a24 in pixman_image_composite32 () from /usr/lib64/libpixman-1.so.0
#7  0x00000030dc029ec3 in _composite_boxes (dst=0x7f4ab800b320, op=CAIRO_OPERATOR_OVER, src=0x7f4ada8416a0, boxes=0x7f4ada841170, antialias=CAIRO_ANTIALIAS_DEFAULT, extents=0x7f4ada8415c0, clip=0x0) at cairo-image-surface.c:3008
#8  _clip_and_composite_boxes (dst=0x7f4ab800b320, op=CAIRO_OPERATOR_OVER, src=0x7f4ada8416a0, boxes=0x7f4ada841170, antialias=CAIRO_ANTIALIAS_DEFAULT, extents=0x7f4ada8415c0, clip=0x0) at cairo-image-surface.c:3047
#9  0x00000030dc02ac3b in _cairo_image_surface_paint (abstract_surface=0x7f4ab800b320, op=CAIRO_OPERATOR_OVER, source=0x7f4ada8416a0, clip=0x0) at cairo-image-surface.c:3301
#10 0x00000030dc048857 in _cairo_surface_paint (surface=0x7f4ab800b320, op=CAIRO_OPERATOR_OVER, source=0x7f4ada8416a0, clip=0x0) at cairo-surface.c:2022
#11 0x00000030dc020612 in _cairo_gstate_paint (gstate=0x30dc2a8810) at cairo-gstate.c:1049
#12 0x00000030dc017964 in cairo_paint (cr=0x30dc2a87e0) at cairo.c:2228
#13 0x00007f4adb683518 in GdipDrawImageRect (graphics=0x7f4ab800b4a0, image=<value optimized out>, x=<value optimized out>, y=0, width=<value optimized out>, height=<value optimized out>) at image.c:472
#14 0x0000000040c895d9 in ?? ()
#15 0x00007f4ab8000e40 in ?? ()
#16 0x00007f4ad98fbc78 in ?? ()
#17 0x00007f4ada841aa0 in ?? ()
#18 0x00007f4acc088e00 in ?? ()
#19 0x00007f4adbd72ec8 in ?? ()
#20 0x00007f4ada841aa0 in ?? ()
#21 0x00007f4ada8418b0 in ?? ()
#22 0x00007f4adc7e5cc0 in ?? ()
#23 0x00007f4adbd72ea0 in ?? ()
#24 0x00007f4ad98fbc78 in ?? ()
#25 0x00007f4adbd72ea0 in ?? ()
#26 0x0000000040c894e4 in ?? ()
#27 0x00007f4acc000ed0 in ?? ()
#28 0x00007f4ad98fbc78 in ?? ()
#29 0x00007f4ada8418f0 in ?? ()
#30 0x00007f4ab800b4a0 in ?? ()
#31 0x00007f4acc004f60 in ?? ()
#32 0x00007f4acc0073c8 in ?? ()
#33 0x0000000000000028 in ?? ()
#34 0x00007f4ad98fbc78 in ?? ()
#35 0x00007f4adbd72ea0 in ?? ()
#36 0x0000000000000000 in ?? ()

Thread 3 (Thread 0x7f4ada63d700 (LWP 6895)):
#0  0x000000351f832c34 in sigsuspend () from /lib64/libc.so.6
#1  0x00000000005edcfe in _GC_suspend_handler (sig=30) at pthread_stop_world.c:186
#2  0x00000000005edd3d in GC_suspend_handler (sig=30) at pthread_stop_world.c:211
#3  <signal handler called>
#4  0x000000351f8e2347 in madvise () from /lib64/libc.so.6
#5  0x000000351f877923 in _int_free () from /lib64/libc.so.6
#6  0x00007f4adb66bb3a in gdip_bitmapdata_dispose (bitmap=0x7f4aac00b030) at bitmap.c:474
#7  gdip_bitmap_dispose (bitmap=0x7f4aac00b030) at bitmap.c:722
#8  0x0000000040c899cb in ?? ()
#9  0x00007f4aac000e40 in ?? ()
#10 0x0000000040c897da in ?? ()
#11 0x00007f4aac000e40 in ?? ()
#12 0x0000000040c893a4 in ?? ()
#13 0x00007f4acc000ed0 in ?? ()
#14 0x00007f4ada63caa0 in ?? ()
#15 0x00007f4ada63c960 in ?? ()
#16 0x00007f4adc7e5cc0 in ?? ()
#17 0x00007f4adbff7700 in ?? ()
#18 0x00007f4adbff7700 in ?? ()
#19 0x00007f4ada05ac00 in ?? ()
#20 0x0000000040c89918 in ?? ()
#21 0x00007f4ada05ac00 in ?? ()
#22 0x0000000040c896c1 in ?? ()
#23 0x00007f4adbff5c30 in ?? ()
#24 0x0000000040c898a9 in ?? ()
#25 0x00007f4adbff5c30 in ?? ()
#26 0x0000000040c7e344 in ?? ()
#27 0x0000000040c7e31a in ?? ()
#28 0x0000000040c7e2d0 in ?? ()
#29 0x0000000000000064 in ?? ()
#30 0x00007f4ada05ac00 in ?? ()
#31 0x00007f4ada234658 in ?? ()
#32 0x00007f4ada234658 in ?? ()
#33 0x00007f4ada05ac00 in ?? ()
#34 0x00007f4adbfee870 in ?? ()
#35 0x00007f4ada05acf0 in ?? ()
#36 0x0000000000000000 in ?? ()

Thread 2 (Thread 0x7f4ada43c700 (LWP 6896)):
#0  0x000000351f832c34 in sigsuspend () from /lib64/libc.so.6
#1  0x00000000005edcfe in _GC_suspend_handler (sig=30) at pthread_stop_world.c:186
#2  0x00000000005edd3d in GC_suspend_handler (sig=30) at pthread_stop_world.c:211
#3  <signal handler called>
#4  0x000000351fc0f03b in waitpid () from /lib64/libpthread.so.0
#5  0x0000000000491d8e in mono_handle_native_sigsegv (signal=<value optimized out>, ctx=<value optimized out>) at mini-exceptions.c:2241
#6  <signal handler called>
#7  0x000000351f832885 in raise () from /lib64/libc.so.6
#8  0x000000351f834065 in abort () from /lib64/libc.so.6
#9  0x000000351f86f7a7 in __libc_message () from /lib64/libc.so.6
#10 0x000000351f8750c6 in malloc_printerr () from /lib64/libc.so.6
#11 0x00000030dc0522b4 in _cairo_toy_font_face_fini (font_face=0x7f4ab000b600) at cairo-toy-font-face.c:214
#12 0x00000030dc01cdff in cairo_font_face_destroy (font_face=0x7f4ab000b600) at cairo-font-face.c:150
#13 0x00000030dc022246 in _cairo_gstate_fini (gstate=0x30dc2a7cf0) at cairo-gstate.c:207
#14 0x00000030dc0191b1 in cairo_destroy (cr=0x30dc2a7cc0) at cairo.c:445
#15 0x00007f4adb673605 in GdipDeleteGraphics (graphics=0x7f4ab000b4f0) at graphics.c:369
#16 0x0000000040c8975b in ?? ()
#17 0x00007f4ab0000e40 in ?? ()
#18 0x0000000040c893a4 in ?? ()
#19 0x00007f4ada05a5d0 in ?? ()
#20 0x00007f4ada234ea8 in ?? ()
#21 0x00007f4acc000ed0 in ?? ()
#22 0x00007f4ada43baa0 in ?? ()
#23 0x00007f4ada43b970 in ?? ()
#24 0x00007f4adc7e5cc0 in ?? ()
#25 0x00007f4adbff7620 in ?? ()
#26 0x00007f4adbff7620 in ?? ()
#27 0x00007f4ada234ea8 in ?? ()
#28 0x0000000040c89694 in ?? ()
#29 0x00007f4adbff5be0 in ?? ()
#30 0x0000000000000000 in ?? ()

Thread 1 (Thread 0x7f4ae32bf740 (LWP 6884)):
#0  0x000000352441b474 in ?? () from /usr/lib64/libjpeg.so.62
#1  0x000000352441b7f5 in ?? () from /usr/lib64/libjpeg.so.62
#2  0x00000035244141f4 in ?? () from /usr/lib64/libjpeg.so.62
#3  0x000000352440e3f6 in jpeg_read_scanlines () from /usr/lib64/libjpeg.so.62
#4  0x00007f4adb69bdc3 in gdip_load_jpeg_image_internal (src=0x10624f0, image=0x7fff7ca76c00) at jpegcodec.c:428
#5  0x00007f4adb69c142 in gdip_load_jpeg_image_from_stream_delegate (loader=0x104a3b0, image=0x7fff7ca76c00) at jpegcodec.c:640
#6  0x00007f4adb6808d3 in GdipLoadImageFromDelegate_linux (getHeaderFunc=<value optimized out>, getBytesFunc=<value optimized out>, putBytesFunc=0, seekFunc=0x7f4ada03d980, closeFunc=0x7f4ada03da60, sizeFunc=0x7f4ada03db40, image=0x7fff7ca76d50) at image.c:2267
#7  0x0000000040c86f0c in ?? ()
#8  0x00007fff7ca76d50 in ?? ()
#9  0x0000000000000068 in ?? ()
#10 0x00007f4ada03da60 in ?? ()
#11 0x00007f4ada03d780 in ?? ()
#12 0x00007f4ada03d860 in ?? ()
#13 0x0000000000000000 in ?? ()

=================================================================
Got a SIGABRT while executing native code. This usually indicates
a fatal error in the mono runtime or one of the native libraries 
used by your application.
=================================================================



Aborted (core dumped)
------
Comment 2 Weeble 2013-09-16 09:02:21 UTC
Created attachment 4894 [details]
Output from crash with mono 3.2.3

I still see this bug. I built Mono 3.2.3 from the tag in github, and libgdiplus from master. I have libcairo 1.12.14. This is all running on a 32-bit Raring Ringtail VM running on top of 64-bit Windows 7. I've attached the crash output.

On this run, it asserted at:

#9  0xb4111b98 in _cairo_hash_table_lookup_exact_key (key=0xb560be20, hash_table=<optimised out>) at /build/buildd/cairo-1.12.14/src/cairo-hash.c:506

I've also seen it assert higher up the stack, complaining that the reference count is bad in cairo_destroy or cairo_font_face_destroy, although that seems to happen less often.
Comment 3 Weeble 2013-09-16 09:04:33 UTC
Created attachment 4895 [details]
Crash output during context creation instead of dispose

Attached is a different crash generated by the same test program. This time it crashed during Graphics.FromImage instead of Graphics.Dispose.
Comment 4 Weeble 2013-09-16 11:44:31 UTC
Here's a shorter test program that fails pretty much instantly for me, and only needs two concurrent threads:

---

using System;
using System.Threading;
using System.Drawing;
using System.Drawing.Imaging;

public class Foo {
    public static void Main(string[] args) {
        // Two threads only: one new thread plus the main thread, both running Hammer().
        new Thread(Hammer).Start();
        Hammer();
    }

    static void Hammer() {
        while (true) {
            // Create a bitmap and a Graphics over it, then dispose both straight away;
            // the crash happens inside Graphics.FromImage or Graphics.Dispose.
            using (var outbmp = new Bitmap(100, 100, PixelFormat.Format24bppRgb))
            using (var g = Graphics.FromImage(outbmp)) {
            }
        }
    }
}
Comment 5 Weeble 2013-09-16 11:45:53 UTC
Created attachment 4900 [details]
Crash output from shorter example

Here's the output from running this shorter test program.
Comment 6 Weeble 2013-09-18 04:10:53 UTC
It's a libcairo bug: https://bugs.freedesktop.org/show_bug.cgi?id=69470
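For readers following the traces above: thread 2 aborts in glibc's malloc_printerr underneath _cairo_toy_font_face_fini, reached from cairo_font_face_destroy, i.e. the last unreference of a cached toy font face, while comment 2 also reports asserts in _cairo_hash_table_lookup_exact_key and bad reference counts. That is the signature of a refcounted object in a shared cache whose lookup and unreference are not serialised against each other. The C program below is an added illustration of that general pattern and of its fix; it is not code from cairo, libgdiplus or this bug's attachments, and reading the cairo defect as an instance of this pattern is an assumption (the page itself only links the cairo bug). The cache layout, the key "sans-serif" and the names face_acquire, face_release and stress_safe are made up for the example.

```c
/* Added example (not cairo or libgdiplus code): a refcounted object kept in a
 * global cache, in the shape of the toy font-face cache seen in the traces. */
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CACHE_SLOTS 8

typedef struct face {
    char key[32];
    int refcount;   /* in the safe variant, only touched under cache_lock */
} face_t;

static face_t *cache[CACHE_SLOTS];
static pthread_mutex_t cache_lock = PTHREAD_MUTEX_INITIALIZER;
static long creates, frees;   /* consistency counters for the stress run */
static int acquire_failed;

static unsigned slot_for(const char *key) {
    unsigned h = 5381;                     /* djb2 over the font name */
    for (; *key; key++) h = h * 33 + (unsigned char)*key;
    return h % CACHE_SLOTS;
}

/* Racy pattern (never run by the test): the table lookup is locked, but the
 * reference is taken after the lock is dropped and the unref is unlocked.
 * Thread A fetches f, thread B unrefs it to zero and frees it, then A's ++
 * writes into freed memory and A's later release frees it a second time:
 * the kind of interleaving glibc reports through malloc_printerr. */
face_t *face_acquire_racy(const char *key) {
    unsigned s = slot_for(key);
    pthread_mutex_lock(&cache_lock);
    face_t *f = cache[s];
    if (f == NULL || strcmp(f->key, key) != 0) {
        f = calloc(1, sizeof *f);
        if (f != NULL) { snprintf(f->key, sizeof f->key, "%s", key); cache[s] = f; creates++; }
    }
    pthread_mutex_unlock(&cache_lock);
    if (f != NULL) f->refcount++;           /* BUG: outside the lock */
    return f;
}

void face_release_racy(face_t *f) {
    if (--f->refcount == 0) {               /* BUG: unsynchronised read-modify-write */
        unsigned s = slot_for(f->key);
        pthread_mutex_lock(&cache_lock);
        if (cache[s] == f) cache[s] = NULL;
        pthread_mutex_unlock(&cache_lock);
        frees++;
        free(f);
    }
}

/* Safe pattern: lookup and ref form one critical section, and the last unref
 * removes the entry from the table before any other thread can look it up. */
static face_t *face_acquire(const char *key) {
    unsigned s = slot_for(key);
    pthread_mutex_lock(&cache_lock);
    face_t *f = cache[s];
    if (f == NULL || strcmp(f->key, key) != 0) {   /* miss, or slot collision */
        f = calloc(1, sizeof *f);
        if (f != NULL) { snprintf(f->key, sizeof f->key, "%s", key); cache[s] = f; creates++; }
    }
    if (f != NULL) f->refcount++;
    pthread_mutex_unlock(&cache_lock);
    return f;
}

static void face_release(face_t *f) {
    pthread_mutex_lock(&cache_lock);
    if (--f->refcount == 0) {
        unsigned s = slot_for(f->key);
        if (cache[s] == f) cache[s] = NULL;
        frees++;
        free(f);
    }
    pthread_mutex_unlock(&cache_lock);
}

struct worker { const char *key; long iterations; };

static void *hammer(void *p) {             /* the Hammer() loop from the C# repro */
    struct worker *w = p;
    for (long i = 0; i < w->iterations; i++) {
        face_t *f = face_acquire(w->key);
        if (f == NULL) { acquire_failed = 1; break; }
        face_release(f);
    }
    return NULL;
}

/* Runs nthreads workers over one shared key. Returns 0 when the table is empty
 * afterwards and every created object was freed exactly once; -1 on a setup
 * error, 1 on a leaked entry, 2 on a create/free mismatch. */
int stress_safe(int nthreads, long iterations) {
    pthread_t tids[16];
    struct worker w = { "sans-serif", iterations };
    if (nthreads < 1 || nthreads > 16) return -1;
    creates = frees = 0; acquire_failed = 0;
    for (int i = 0; i < nthreads; i++)
        if (pthread_create(&tids[i], NULL, hammer, &w) != 0) return -1;
    for (int i = 0; i < nthreads; i++) pthread_join(tids[i], NULL);
    if (acquire_failed) return -1;
    for (int s = 0; s < CACHE_SLOTS; s++)
        if (cache[s] != NULL) return 1;
    return creates == frees ? 0 : 2;
}

int main(void) {
    int rc = stress_safe(2, 200000);
    printf("stress_safe rc=%d creates=%ld frees=%ld\n", rc, creates, frees);
    return rc;
}
```

Build with cc -pthread. face_acquire_racy and face_release_racy are the broken shape and are left unexecuted on purpose, since their failure is undefined behaviour that shows up nondeterministically; stress_safe drives the locked pair from several threads, mirroring the two-thread C# program in comment 4, and checks that the table ends empty with exactly one free per create. To watch the racy pair fault instead, swap the calls in hammer() and run with MALLOC_CHECK_=3 so glibc aborts on the first corrupted chunk rather than later.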