Bug 191794 - Evince crasher
Status: CLOSED INSUFFICIENT_DATA
Product: Fedora
Classification: Fedora
Component: evince
Version: 5
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Kristian Høgsberg
Reported: 2006-05-15 16:37 EDT by Jon Orris
Modified: 2008-03-09 03:45 EDT (History)
Doc Type: Bug Fix
Last Closed: 2008-03-09 03:45:57 EDT


Attachments
Zero out the glyph count (441 bytes, text/x-patch)
2006-05-16 11:40 EDT, Jon Orris

Description Jon Orris 2006-05-15 16:37:38 EDT
Description of problem:

I have a couple of PDFs that can consistently crash evince. This seems to occur
when moving between certain pages, though not always the same page transition. 
 

evince-0.5.1-3
poppler-0.5.1-2

Backtrace was generated from '/usr/bin/evince'

Using host libthread_db library "/lib/libthread_db.so.1".
`shared object read from target memory' has disappeared; keeping its symbols.
[Thread debugging using libthread_db enabled]
[New Thread -1209128064 (LWP 6726)]
[New Thread -1211233376 (LWP 6727)]
0x00134402 in __kernel_vsyscall ()
#0  0x00134402 in __kernel_vsyscall ()
#1  0x00234550 in poll () from /lib/libc.so.6
#2  0x0044c669 in _XWaitForReadable (dpy=0x92cb478) at XlibInt.c:498
#3  0x0044ca4f in _XRead (dpy=0x92cb478, 
    data=0xbfe00140 "p\002\021\230Û\217©9", size=32) at XlibInt.c:1080
#4  0x0044d484 in _XReply (dpy=0x92cb478, rep=0xbfe00140, extra=0, discard=1)
    at XlibInt.c:1712
#5  0x0043e2e0 in XQueryPointer (dpy=0x92cb478, w=56623922, root=0xbfe001cc, 
    child=0xbfe001c8, root_x=0xbfe001c4, root_y=0xbfe001c0, win_x=0xbfe001bc, 
    win_y=0xbfe001b8, mask=0xbfe001b4) at QuPntr.c:46
#6  0x03ada0d1 in _gdk_windowing_window_get_pointer (display=0x92d30e8, 
    window=0x9429518, x=0xbfe00208, y=0xbfe00204, mask=0xbfe00200)
    at gdkwindow-x11.c:3425
#7  0x03aae327 in IA__gdk_window_get_pointer (window=0x9429518, x=0xbfe00318, 
    y=0xbfe00314, mask=0x0) at gdkwindow.c:2916
#8  0x03d15d0c in gtk_tree_view_expose (widget=0x931b678, event=0xbfe008b4)
    at gtktreeview.c:3812
#9  0x03c3e52e in _gtk_marshal_BOOLEAN__BOXED (closure=0x92e5eb0, 
    return_value=0xbfe004e0, n_param_values=2, param_values=0xbfe005bc, 
    invocation_hint=0xbfe004cc, marshal_data=0x3d14a70) at gtkmarshalers.c:83
#10 0x0033c7a9 in g_value_set_static_boxed ()
   from /usr/lib/libgobject-2.0.so.0
#11 0x0033df6d in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
#12 0x0034f083 in g_signal_override_class_closure ()
   from /usr/lib/libgobject-2.0.so.0
#13 0x0034fd0f in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0
#14 0x00350109 in g_signal_emit () from /usr/lib/libgobject-2.0.so.0
#15 0x03d297e8 in gtk_widget_event_internal (widget=0x931b678, 
    event=0xbfe008b4) at gtkwidget.c:3751
#16 0x03c39374 in IA__gtk_main_do_event (event=0xbfe008b4) at gtkmain.c:1382
#17 0x03aaf53f in gdk_window_process_updates_internal (window=0x9429518)
    at gdkwindow.c:2292
#18 0x03aaf6f7 in IA__gdk_window_process_all_updates () at gdkwindow.c:2345
#19 0x03aaf775 in gdk_window_update_idle (data=0x0) at gdkwindow.c:2213
#20 0x00d6c7a1 in g_list_remove_link () from /usr/lib/libglib-2.0.so.0
#21 0x00d6e15d in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#22 0x00d713ef in g_main_context_check () from /usr/lib/libglib-2.0.so.0
#23 0x00d71799 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#24 0x03c395d4 in IA__gtk_main () at gtkmain.c:1003
#25 0x08078cf0 in main (argc=) at main.c:295
#26 0x0018a724 in __libc_start_main () from /lib/libc.so.6
#27 0x08058761 in _start ()

Thread 2 (Thread -1211233376 (LWP 6727)):
#0  0x00134402 in __kernel_vsyscall ()
No symbol table info available.
#1  0x0011cc0b in __waitpid_nocancel () from /lib/libpthread.so.0
No symbol table info available.
#2  0x00b56e26 in libgnomeui_segv_handle (signum=11) at gnome-ui-init.c:820
	estatus = 2768884
	sa = {__sigaction_handler = {sa_handler = 0, sa_sigaction = 0}, 
  sa_mask = {__val = {0, 154134368, 161238464, 3083729368, 2992223, 61176100, 
      1372120, 1935139, 3083729588, 3083729608, 1304137, 3083729588, 1374224, 
      56, 0, 1935139, 0, 40, 161238464, 2685864, 2992487, 3083729504, 
      161238064, 12, 3101016, 32, 0, 2685864, 3101016, 0, 161238464, 
      1935139}}, sa_flags = 2998294, sa_restorer = 0x99c4dc0}
	pid = 
Thread 1 (Thread -1209128064 (LWP 6726)):
#0  0x00134402 in __kernel_vsyscall ()
No symbol table info available.
#1  0x00234550 in poll () from /lib/libc.so.6
No symbol table info available.
#2  0x0044c669 in _XWaitForReadable (dpy=0x92cb478) at XlibInt.c:498
	result = 3
	fd = 3
	ilist =
Comment 1 Jon Orris 2006-05-15 16:41:13 EDT
Running in gdb, I'm seeing:

Starting program: /usr/bin/evince
Reading symbols from shared object read from target memory...done.
Loaded system supplied DSO at 0x2ad000
[Thread debugging using libthread_db enabled]
[New Thread -1208525952 (LWP 6950)]
[New Thread -1210631264 (LWP 6955)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1210631264 (LWP 6955)]
_cairo_gstate_show_glyphs (gstate=0x9598380, glyphs=0x0, num_glyphs=1) at
cairo-gstate.c:2101
2101            transformed_glyphs[i] = glyphs[i];


(gdb) backtrace
#0  _cairo_gstate_show_glyphs (gstate=0x9598380, glyphs=0x0, num_glyphs=1) at
cairo-gstate.c:2101
#1  0x03a190c4 in cairo_show_glyphs (cr=0x9796290, glyphs=0x0, num_glyphs=1) at
cairo.c:2161
#2  0x007a8ebf in CairoOutputDev::endString (this=0x967d978, state=0x97d4ee0) at
CairoOutputDev.cc:406
#3  0x0426ccff in Gfx::doShowText (this=0x9795f10, s=0x9503ca0) at Gfx.cc:2866
#4  0x0426d89e in Gfx::opShowText (this=0x9795f10, args=0xb7d73130, numArgs=1)
at Gfx.cc:2612
#5  0x042693dd in Gfx::execOp (this=0x9795f10, cmd=0xb7d73190, args=0xb7d73130,
numArgs=Variable "numArgs" is not available.
) at Gfx.cc:712
#6  0x042695b4 in Gfx::go (this=0x9795f10, topLevel=1) at Gfx.cc:580
#7  0x0426a18f in Gfx::display (this=0x9795f10, obj=0xb7d73250, topLevel=1) at
Gfx.cc:543
#8  0x042b08b4 in Page::displaySlice (this=0x95ec020, out=0x967d978,
hDPI=94.777773857116699, vDPI=94.777773857116699, rotate=0, useMediaBox=0, crop=1,
    sliceX=0, sliceY=0, sliceW=711, sliceH=853, links=0x0, catalog=0x95cdf08,
abortCheckCbk=0, abortCheckCbkData=0x0, annotDisplayDecideCbk=0,
    annotDisplayDecideCbkData=0x0) at Page.cc:375
#9  0x007a6a69 in poppler_page_render_to_pixbuf (page=0x951ef80, src_x=0,
src_y=0, src_width=711, src_height=853, scale=1.3163579702377319, rotation=0,
    pixbuf=0x95c19a0) at poppler-page.cc:324
#10 0x0808967e in pdf_document_render_pixbuf (document=0x9564aa0, rc=0x9564790)
at ev-poppler.cc:350
#11 0x0808db00 in ev_document_render_pixbuf (document=0x9564aa0, rc=0x9564790)
at ev-document.c:215
#12 0x0805c4bf in ev_job_render_run (job=0x9483768) at ev-jobs.c:298
#13 0x0805b672 in handle_job (job=0x9483768) at ev-job-queue.c:104
#14 0x0805bb6c in ev_render_thread (data=0x0) at ev-job-queue.c:187
#15 0x00d8ba1f in g_thread_create_full () from /usr/lib/libglib-2.0.so.0
#16 0x00fe140b in start_thread () from /lib/libpthread.so.0
#17 0x00202b7e in clone () from /lib/libc.so.6




(gdb) list cairo-gstate.c:2101
2096        if (transformed_glyphs == NULL)
2097            return CAIRO_STATUS_NO_MEMORY;
2098
2099        for (i = 0; i < num_glyphs; ++i)
2100        {
2101            transformed_glyphs[i] = glyphs[i];
2102            _cairo_gstate_user_to_backend (gstate,
2103                                           &transformed_glyphs[i].x,
2104                                           &transformed_glyphs[i].y);
2105        }
(gdb) print num_glyphs
$1 = 1
(gdb) print glyphs
$2 = (cairo_glyph_t *) 0x0



#2  0x007a8ebf in CairoOutputDev::endString (this=0x967d978, state=0x97d4ee0) at
CairoOutputDev.cc:406
406         cairo_show_glyphs (cairo, glyphs, glyphCount);
Current language:  auto; currently c++
(gdb) p
$4 = 0
(gdb) list
401       }
402
403       if (!(render & 1)) {
404         LOG (printf ("fill string\n"));
405         cairo_set_source (cairo, fill_pattern);
406         cairo_show_glyphs (cairo, glyphs, glyphCount);
407       }
408
409       // stroke
410       if ((render & 3) == 1 || (render & 3) == 2) {
(gdb) print glyphs
$5 = (._7 *) 0x0
(gdb) print glyphCount
$6 = 1
Comment 2 Jon Orris 2006-05-16 11:40:24 EDT
Created attachment 129208 [details]
Zero out the glyph count

Zeroing out the glyphCount when glyphs is reset eliminates the crashes.
Comment 3 Kristian Høgsberg 2006-05-16 12:40:36 EDT
Thanks for debugging this, but I'm pretty sure this isn't the right fix though.
outputdev->beginString() is always called before outputting text, and this
function resets the glyph count to zero so doing this in endString shouldn't
matter.  Can you attach the pdf that gives the crash, or alternatively email it
to me?

Thanks
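The gdb session in comment 1 shows the two halves of the crash: glyphs is NULL while glyphCount is still 1, and the loop at cairo-gstate.c:2101 copies glyphs[i] without checking the pointer. The following is an added example, not code from poppler, cairo or attachment 129208: a simplified C model of a glyph buffer in which a reset that frees the buffer but leaves the count stale is placed beside the reset comment 2 describes (pointer and count cleared together), plus a consumer-side guard of the kind the listed cairo loop did not perform. All type and function names (glyph_t, text_state_t, show_glyphs_checked, and so on) are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>

/* Added example, not poppler's or cairo's code: a simplified model of the
 * glyph buffer an output device keeps between beginString() and endString().
 * All names here are hypothetical. */

typedef struct {
    double x, y;
    unsigned long index;
} glyph_t;

typedef struct {
    glyph_t *glyphs;   /* heap buffer; NULL when no glyphs are held */
    int glyph_count;   /* number of valid entries in glyphs */
} text_state_t;

enum { STATUS_OK = 0, STATUS_NULL_GLYPHS = 1, STATUS_NO_MEMORY = 2 };

/* Consumer-side guard. The crash in the backtrace came from a loop that copied
 * glyphs[i] for i < num_glyphs while glyphs == NULL and num_glyphs == 1; here
 * the (NULL, count > 0) combination is rejected before anything is read. */
int show_glyphs_checked(const glyph_t *glyphs, int num_glyphs, double *out_x_sum)
{
    if (num_glyphs > 0 && glyphs == NULL)
        return STATUS_NULL_GLYPHS;
    double sum = 0.0;
    for (int i = 0; i < num_glyphs; ++i)
        sum += glyphs[i].x;   /* safe: glyphs is non-NULL whenever i < num_glyphs */
    if (out_x_sum)
        *out_x_sum = sum;
    return STATUS_OK;
}

/* Appends one glyph, growing the buffer; count and pointer change together. */
int add_glyph(text_state_t *st, double x, double y, unsigned long index)
{
    glyph_t *grown = realloc(st->glyphs, (size_t)(st->glyph_count + 1) * sizeof *grown);
    if (grown == NULL)
        return STATUS_NO_MEMORY;
    st->glyphs = grown;
    st->glyphs[st->glyph_count].x = x;
    st->glyphs[st->glyph_count].y = y;
    st->glyphs[st->glyph_count].index = index;
    st->glyph_count++;
    return STATUS_OK;
}

/* The hazardous pattern: the buffer is released but the count is left stale,
 * so the next endString() sees (NULL, 1), exactly the state gdb printed. */
void reset_glyphs_stale_count(text_state_t *st)
{
    free(st->glyphs);
    st->glyphs = NULL;
}

/* The reset comment 2 describes: pointer and count are cleared together. */
void reset_glyphs(text_state_t *st)
{
    free(st->glyphs);
    st->glyphs = NULL;
    st->glyph_count = 0;
}

/* Stand-in for endString(): hands whatever is buffered to the renderer. */
int end_string(const text_state_t *st)
{
    return show_glyphs_checked(st->glyphs, st->glyph_count, NULL);
}

/* Exercises the stale-count path; returns the status end_string() reports. */
int demo_stale_count(void)
{
    text_state_t st = { NULL, 0 };
    if (add_glyph(&st, 12.0, 700.0, 36) != STATUS_OK)
        return STATUS_NO_MEMORY;
    reset_glyphs_stale_count(&st);   /* glyphs == NULL, glyph_count == 1 */
    return end_string(&st);          /* reported as STATUS_NULL_GLYPHS, not a SIGSEGV */
}

/* Exercises the corrected path. */
int demo_fixed(void)
{
    text_state_t st = { NULL, 0 };
    if (add_glyph(&st, 12.0, 700.0, 36) != STATUS_OK)
        return STATUS_NO_MEMORY;
    reset_glyphs(&st);               /* glyphs == NULL, glyph_count == 0 */
    return end_string(&st);          /* STATUS_OK: nothing to draw */
}

int main(void)
{
    printf("stale count: status %d\n", demo_stale_count());
    printf("fixed reset: status %d\n", demo_fixed());
    return 0;
}
```

Whichever reset site is the culprit in a real output device (comment 3 points at beginString(), comment 2 at endString()), the invariant to maintain is that the pointer and the count are updated at every site together; the guard in the consumer then turns a missed site into a reported error and a skipped draw rather than a read of address 0 on the render thread.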
Comment 4 Kristian Høgsberg 2006-09-22 17:27:06 EDT
I can't reproduce this crasher with poppler 0.5.4 and evince 0.6.  Please update
and give it a try, thanks.
Comment 5 petrosyan 2008-03-09 03:45:57 EDT
The information we've requested above is required in order
to review this problem report further and diagnose/fix the
issue if it is still present.  Since there have not been any
updates to the report for thirty (30) days or more since we
requested additional information, we're assuming the problem
is either no longer present in the current Fedora release, or
that there is no longer any interest in tracking the problem.

Setting status to "INSUFFICIENT_DATA".  If you still
experience this problem after updating to our latest Fedora
release and can provide the information previously requested, 
please feel free to reopen the bug report.

Thank you in advance.
