Graphviz Issue Tracker
Mantis Bug Tracker

Issue Details

ID: 0002002
Project: graphviz
Category: Dot
View Status: public
Date Submitted: 2010-12-08 17:08
Last Update: 2011-04-28 04:03
Reporter: Michael Bosch
Assigned To: ellson
Priority: normal
Severity: critical
Reproducibility: always
Status: closed
Resolution: fixed
OS: x86-Windows-7
Summary: 0002002: dot crashes with access violation on long tooltip containing ->

Description

When running
  dot -T svg -o test.svg test.dot
an access violation happens (test.dot attached below).

Other variations tested:
- using -T png (works)
- replacing all -> with -- (crashes)
- replacing all > with x (works)
- replacing the x with any other letter, space, digit or | (crashes)
- changing the number of x's (sometimes works, sometimes crashes)



The bug is not present in version 2.8 but is present in all versions since 2.12.
Steps To Reproduce

digraph g {
a -> b [tooltip="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx->xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx->xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx->xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx->xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx->xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx->xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx->xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx->xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx->xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx->xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx->xxxxxxxxxxxx"];
}
Additional Information

[ellson]
Can't reproduce on Linux with latest snapshot. Possibly a
Windows-specific bug, Arif?

[michael]
I have done some more tests, this time on Linux using dot version 2.20.2.
The example provided originally indeed works. However, if I replace the tooltip string with about 3755 minuses (see b2087.gv),
dot also crashes on Linux. The crashes sometimes already happen with 3754 minuses, so there is some nondeterminism involved.
Using the letter x instead of minus, nothing bad happens, even when adding 10000 more x.

I also had a look at the crashing dot on Windows using WinDbg (dot version 2.26.3 again, test.dot).
See b2087.txt for details.
Looks like the XML escaped version of the tooltip string is located on the stack.
Apparently both minus and greater than are being escaped, the minus resulting in 5 characters (&#45;), the greater than in 4 characters (&gt;).

[ellson]
2.20.2 is way too old. We have certainly had problems with string
buffers in the past. If you can reproduce the bug with a recent
graphviz-2.27 then I'm interested.

Still hoping Arif can try to reproduce this on Windows.

[north]
Hi, Michael. I wonder if you're using the cairopango driver for SVG
or the native SVG driver?

It's weird that the contents of the tooltip make any difference.

If the native driver, perhaps we have a buffer size problem.
The native driver is basically just code we wrote that uses
the equivalent of printf() to generate the SVG we want.
So I'd look at text buffers in the tooltip-generating code.

If cairopango, I wonder if they have code that is scanning
the contents of tooltips and has some logic that is based
on whether they contain comments. Actually, who knows
what lurks down there. One would probably have to try
to construct the minimal cairo test program to exercise the
tooltips and submit it as a bug report to their project.
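
The mechanism Michael describes above (the escaped tooltip lands in a buffer on the stack, with each "-" expanding to the 5-byte "&#45;" and each ">" to the 4-byte "&gt;") and the text-buffer problem north suggests looking for in the tooltip-generating code are illustrated by the following added example. It is not Graphviz code and not the fix that was committed; it shows the defensive pattern an escaper needs: compute the escaped length first, refuse output that would not fit a fixed buffer, or size a heap buffer from the input. The 16 KiB buffer size is an arbitrary stand-in for the demo, and escaping "&", "<" and the double quote is an assumption added because they are the other XML attribute metacharacters; the report itself names only "-" and ">".

```c
/* Added example (not Graphviz code): length-checked XML escaping for
 * attribute text such as SVG tooltips.  A ~3.7k-character run of '-'
 * grows to ~19 KB once escaped, which is why a fixed-size stack buffer
 * sized for the raw tooltip overruns.  Escape table: '-' and '>' as
 * observed in the report; '&', '<' and '"' are an assumption. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Replacement text for one input byte, or NULL if it passes through. */
static const char *xml_escape_for(unsigned char c)
{
    switch (c) {
    case '&':  return "&amp;";
    case '<':  return "&lt;";
    case '>':  return "&gt;";    /* 4 bytes, as observed in the report */
    case '"':  return "&quot;";
    case '-':  return "&#45;";   /* 5 bytes, as observed in the report */
    default:   return NULL;
    }
}

/* Bytes needed for the escaped form of s, excluding the terminating NUL. */
size_t xml_escaped_len(const char *s)
{
    size_t n = 0;
    for (; *s; s++) {
        const char *rep = xml_escape_for((unsigned char)*s);
        n += rep ? strlen(rep) : 1;
    }
    return n;
}

/* Escape `in` into `out` (capacity out_cap, including the NUL).  Returns 0
 * on success and -1 if the result would not fit; on -1 only out[0] is
 * written (a NUL), so the caller never sees a half-escaped, unterminated
 * buffer.  This is the check a fixed-size stack buffer is missing. */
int xml_escape_bounded(const char *in, char *out, size_t out_cap)
{
    if (out_cap == 0)
        return -1;
    if (xml_escaped_len(in) + 1 > out_cap) {
        out[0] = '\0';
        return -1;
    }
    char *p = out;
    for (; *in; in++) {
        const char *rep = xml_escape_for((unsigned char)*in);
        if (rep) {
            size_t l = strlen(rep);
            memcpy(p, rep, l);
            p += l;
        } else {
            *p++ = *in;
        }
    }
    *p = '\0';
    return 0;
}

/* Heap variant: sizes the buffer from the input instead of guessing.
 * Caller frees.  Returns NULL on allocation failure. */
char *xml_escape_alloc(const char *in)
{
    size_t need = xml_escaped_len(in) + 1;
    char *out = malloc(need);
    if (!out)
        return NULL;
    xml_escape_bounded(in, out, need);   /* cannot fail: sized exactly */
    return out;
}

/* Builds a tooltip of `count` minuses, like the reporter's b2087.gv
 * (constructed input).  Caller frees. */
char *make_minus_string(size_t count)
{
    char *s = malloc(count + 1);
    if (!s)
        return NULL;
    memset(s, '-', count);
    s[count] = '\0';
    return s;
}

int main(void)
{
    /* Fixed-size buffer standing in for the stack buffer in the report;
     * 16 KiB is an arbitrary demo size, not Graphviz's real size. */
    char fixed[16 * 1024];

    const char *small = "xxx->xxx";
    if (xml_escape_bounded(small, fixed, sizeof fixed) == 0)
        printf("%s escapes to %s\n", small, fixed);

    char *big = make_minus_string(3755);
    printf("3755 minuses need %zu bytes, fixed buffer holds %zu\n",
           xml_escaped_len(big) + 1, sizeof fixed);
    if (xml_escape_bounded(big, fixed, sizeof fixed) != 0)
        puts("bounded escape refused the oversized tooltip (no overflow)");

    char *heap = xml_escape_alloc(big);   /* right-sized instead of fixed */
    printf("heap escape produced %zu bytes\n", strlen(heap));
    free(heap);
    free(big);
    return 0;
}
```

The point of the two variants is the same: the output size of an escaper depends on the input content, not just its length, so either the writer checks the computed size against the buffer it was handed or the buffer is allocated from that size. A printf-style writer into a stack array has neither check.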

[ellson]
I believe this has to be the native SVG driver. In fact I don't believe
our cairopango driver supports tooltips, or anchors, at this time.

So, Michael, I'm assuming you're using "-Tsvg" and not "-Tsvg:cairo" ?

[ellson]
OK, thanks, found it.

Fixed in CVS. Should be in tomorrow's development snapshot.

John


On 12/11/2010 03:18 PM, [email protected] wrote:
> > Hi John, hi Stephen,
> >
> > For the original problem file I called dot using the exact command line
> > svg -T svg -o test.svg test.dot
> > So apparently I am using the native version. Using -T svg:cairo there is
> > no crash.
> > I will test if that option is a workable alternative for me.
> >
> > The test file test2.dot crashes also on the last stable version and the
> > current development snapshot on Linux
> > (graphviz_2.27.20101211.0545-1_i386.deb).
> >
> > So the pattern is like this:
> > - test.dot + Windows 7 + dot 2.8 -> works
> > - test.dot + Windows 7 + dot >=2.12 -> crashes
> > - test2.dot + Windows 7 + dot 2.26.3 -> crashes
> > - test.dot + ubuntu 10.04 + dot 2.20 -> works
> > - test2.dot + ubuntu 10.04 + dot >=2.20 -> crashes
> >
> > I have again attached the two test files in question as sent before.
> > As far as I can see they are already the minimal files for reproducing the
> > problem.
> >

Tags: No tags attached.
AUXILLARY-FILES: http://www.graphviz.org/bugs/b2087.gv http://www.graphviz.org/bugs/b2087.txt
FORMER-ID: 2087
STATUS-COMMENT: Fixed (12 Dec 2010)
VERSION: 2.26.3

Issue History
Date Modified     Username  Field        Change
2011-04-28 04:03  user1     New Issue
2011-04-28 04:03  user1     Assigned To  => user695


MantisBT 1.2.5
Copyright © 2000 - 2011 MantisBT Group
Powered by Mantis Bugtracker