Segfault when resizing and rendering SVG canvas

[Tharit]

We recently upgraded from 1.x to 2.x; now with the new version, the node process terminates with the following error when rendering SVG:

node(45011,0x10d46d5c0) malloc: *** error for object 0x102332710: pointer being freed was not allocated
node(45011,0x10d46d5c0) malloc: *** set a breakpoint in malloc_error_break to debug

Other formats (PNG, PDF) work perfectly fine. I can also render an empty canvas as SVG; the error seems to related to the contents / issues rendering commands.

I did what the error message suggested, and came up with the following stacktrace. The last relevant frame here seems to be #15 Closure::writeVec [...] at closure.h:29; then the actual crash happens somewhere inside some stdlib routines for string processing.

Stacktrace: https://gist.github.com/Tharit/670228ebc114c97231ff6f71368d5696

It was created locally on OSX Mojave using node v8.9.4 and a debug build of node-canvas v2.3.1
I also tried node v10.15.3 in combination with node-canvas v2.3.1 and v2.0.0, to make sure the error was not related to the node version, or see if it was introduced recently. I could reproduce the crash with ALL versions.

The same crash is observed on our debian based live systems.

We were using a really old version of node-canvas before (v1.3.0), so at the moment I can only say that the issue appeared between v1.3.0 and v2.0.0, which is probably not super helpful.

I will try to see if I can isolate the issue down to a specific drawing command, but that could take some time. In the meantime, if there is some other information that I could provide please let me know.

[zbjornson]

Thanks for all the details. Were you changing the width/height of your canvas after you create it? Sorta confused by the stack trace; the code that crashed should only kick in when you use toBuffer() on an SVG canvas, but there are frames referencing the width setter.

[Tharit]

@zbjornson yes, sometimes we are changing the size a few times after creating the context.

Sidenote: That's not very efficient of course, but unavoidable due to the way the we serialize/deserialize data. The rendered data is used by an interactive component in browsers where users can add/remove things that affect the size.

Turns out it is indeed the resizing that is causing the crash. I can reproduce it with this simple example:

const createCanvas = require('canvas').createCanvas;
const myCanvas = createCanvas(100, 100, 'svg')
myCanvas.width = 120;
myCanvas.toBuffer('image/svg+xml');

[zbjornson]

Thanks for confirming. That relates to one of the oldest open bugs then, #63 -- resizing a canvas is not a nice codepath right now, and I don't think its behavior conforms to spec either.

[Tharit]

@zbjornson Can confirm that the issue is fixed, thank you. Would it be possible to provide this fix in a new tagged version?

[zbjornson]

@Tharit thanks for confirming! @LinusU and @chearon are in charge of releases, so I defer to them. It's probably a good time to do one, we've had a lot of bug fixes go in.

[LinusU]

Let's release 🚀

[LinusU]

Released 2.6.0 🚀

[chearon]

Seems the MSYS2 issue from #1351 is back, so no Windows builds. I'll try to look into it soon