Hide Forgot
# rpm -q evince poppler evince-3.28.4-11.el8.x86_64 poppler-20.11.0-2.el8.x86_64 Description of problem: When trying to open a PDF file evince dies. This happens ONLY to some PDF documents. Jul 11 15:50:46 s.localdomain systemd[2847]: Starting Evince document viewer... Jul 11 15:50:46 s.localdomain dbus-daemon[2887]: [session uid=1200 pid=2887] Successfully activated service 'org.gnome.evince.Daemon' Jul 11 15:50:46 s.localdomain systemd[2847]: Started Evince document viewer. Jul 11 15:50:46 s.localdomain kernel: EvJobScheduler[17050]: segfault at 10 ip 00007effd422cbb8 sp 00007effb6f367e0 error 4 in libglib-2.0.so.0.5600.4[7effd41f6000+116000] Jul 11 15:50:46 s.localdomain kernel: Code: 15 69 49 06 00 48 8d 35 16 4d 06 00 48 8d 3d cd 0d 06 00 e8 6a e8 01 00 66 0f ef c0 48 83 c4 08 c3 90 f3 0f 1e fa 53 48 89 fb <8b> 77 10 48 8b 7f 08 e8 2c 3b 04 00 48 63 4b 14 48 ba 00 60 d7 1d Jul 11 15:50:46 s.localdomain systemd[1]: Started Process Core Dump (PID 17051/UID 0). Jul 11 15:50:46 s.localdomain systemd[2847]: evince.service: Succeeded. Jul 11 15:50:47 s.localdomain systemd-coredump[17052]: Process 17039 (evince) of user 1200 dumped core. Stack trace of thread 17050: #0 0x00007effd422cbb8 g_date_time_to_unix (libglib-2.0.so.0) #1 0x00007effb62d3db9 _Z23_poppler_attachment_newP8FileSpec (libpoppler-glib.so.8) #2 0x00007effb62c940b poppler_document_get_attachments (libpoppler-glib.so.8) #3 0x00007effb652dd3e n/a (libpdfdocument.so) #4 0x00007effd71206fe ev_job_attachments_run (libevview3.so.3) #5 0x00007effd7122822 ev_job_thread_proxy (libevview3.so.3) #6 0x00007effd426be5a g_thread_proxy (libglib-2.0.so.0) #7 0x00007effd3a4514a start_thread (libpthread.so.0) #8 0x00007effd3774dc3 __clone (libc.so.6) Stack trace of thread 17039: #0 0x00007effd4249340 g_malloc0 (libglib-2.0.so.0) #1 0x00007effd49d8bb6 g_file_real_set_attributes_async (libgio-2.0.so.0) #2 0x000055e9bee3abe8 ev_metadata_set_string (evince) #3 0x000055e9bee4a9f5 ev_window_document_changed_cb (evince) #4 0x00007effd451f3bd g_closure_invoke (libgobject-2.0.so.0) #5 0x00007effd4532945 signal_emit_unlocked_R (libgobject-2.0.so.0) #6 0x00007effd453ba56 g_signal_emit_valist (libgobject-2.0.so.0) #7 0x00007effd453c093 g_signal_emit (libgobject-2.0.so.0) #8 0x00007effd4523df4 g_object_dispatch_properties_changed (libgobject-2.0.so.0) #9 0x00007effd45262d1 g_object_notify (libgobject-2.0.so.0) #10 0x000055e9bee4babb ev_window_load_job_cb (evince) #11 0x00007effd451f3bd g_closure_invoke (libgobject-2.0.so.0) #12 0x00007effd4532945 signal_emit_unlocked_R (libgobject-2.0.so.0) #13 0x00007effd453ba56 g_signal_emit_valist (libgobject-2.0.so.0) #14 0x00007effd453c093 g_signal_emit (libgobject-2.0.so.0) #15 0x00007effd711e86b emit_finished (libevview3.so.3) #16 0x00007effd424015b g_idle_dispatch (libglib-2.0.so.0) #17 0x00007effd42437ed g_main_context_dispatch (libglib-2.0.so.0) #18 0x00007effd4243ba8 g_main_context_iterate.isra.21 (libglib-2.0.so.0) #19 0x00007effd4243c40 g_main_context_iteration (libglib-2.0.so.0) #20 0x00007effd4a3513d g_application_run (libgio-2.0.so.0) #21 0x000055e9bee31f9c main (evince) #22 0x00007effd369b493 __libc_start_main (libc.so.6) #23 0x000055e9bee3207e _start (evince) Stack trace of thread 17042: #0 0x00007effd3769a41 __poll (libc.so.6) #1 0x00007effd4243b16 g_main_context_iterate.isra.21 (libglib-2.0.so.0) #2 0x00007effd4243c40 g_main_context_iteration (libglib-2.0.so.0) #3 0x00007effbd7f3e6d dconf_gdbus_worker_thread (libdconfsettings.so) #4 0x00007effd426be5a g_thread_proxy (libglib-2.0.so.0) #5 0x00007effd3a4514a start_thread (libpthread.so.0) #6 0x00007effd3774dc3 __clone (libc.so.6) Stack trace of thread 17045: #0 0x00007effd376f52d syscall (libc.so.6) #1 0x00007effd428acce g_cond_wait_until (libglib-2.0.so.0) #2 0x00007effd42160f1 g_async_queue_pop_intern_unlocked (libglib-2.0.so.0) #3 0x00007effd426c9a2 g_thread_pool_thread_proxy (libglib-2.0.so.0) #4 0x00007effd426be5a g_thread_proxy (libglib-2.0.so.0) #5 0x00007effd3a4514a start_thread (libpthread.so.0) #6 0x00007effd3774dc3 __clone (libc.so.6) Stack trace of thread 17043: #0 0x00007effd3769a41 __poll (libc.so.6) #1 0x00007effd4243b16 g_main_context_iterate.isra.21 (libglib-2.0.so.0) #2 0x00007effd4243c40 g_main_context_iteration (libglib-2.0.so.0) #3 0x00007effd4243c91 glib_worker_main (libglib-2.0.so.0) #4 0x00007effd426be5a g_thread_proxy (libglib-2.0.so.0) #5 0x00007effd3a4514a start_thread (libpthread.so.0) #6 0x00007effd3774dc3 __clone (libc.so.6) Stack trace of thread 17044: #0 0x00007effd3769a41 __poll (libc.so.6) #1 0x00007effd4243b16 g_main_context_iterate.isra.21 (libglib-2.0.so.0) #2 0x00007effd4243ed2 g_main_loop_run (libglib-2.0.so.0) #3 0x00007effd4a625da gdbus_shared_thread_func (libgio-2.0.so.0) #4 0x00007effd426be5a g_thread_proxy (libglib-2.0.so.0) #5 0x00007effd3a4514a start_thread (libpthread.so.0) #6 0x00007effd3774dc3 __clone (libc.so.6) Jul 11 15:50:47 s.localdomain systemd[1]: systemd-coredump: Succeeded. Unfortunately its a confidential document and therefore I can not provide it. $ hexdump -C '983911.pdf' |head 00000000 25 50 44 46 2d 31 2e 37 0a 25 b7 be ad aa 0a 31 |%PDF-1.7.%.....1| 00000010 20 30 20 6f 62 6a 0a 3c 3c 0a 2f 54 79 70 65 20 | 0 obj.<<./Type | 00000020 2f 43 61 74 61 6c 6f 67 0a 2f 50 61 67 65 73 20 |/Catalog./Pages | 00000030 32 20 30 20 52 0a 2f 4f 75 74 70 75 74 49 6e 74 |2 0 R./OutputInt| 00000040 65 6e 74 73 20 5b 20 38 20 30 20 52 20 5d 0a 2f |ents [ 8 0 R ]./| 00000050 4e 61 6d 65 73 20 31 31 20 30 20 52 0a 2f 41 46 |Names 11 0 R./AF| 00000060 20 31 36 20 30 20 52 0a 2f 4d 65 74 61 64 61 74 | 16 0 R./Metadat| 00000070 61 20 32 30 20 30 20 52 0a 3e 3e 0a 65 6e 64 6f |a 20 0 R.>>.endo| 00000080 62 6a 0a 32 20 30 20 6f 62 6a 0a 3c 3c 0a 2f 54 |bj.2 0 obj.<<./T| 00000090 79 70 65 20 2f 50 61 67 65 73 0a 2f 4b 69 64 73 |ype /Pages./Kids| I can convert the document with gs -q -dPDFSETTINGS=/ebook -dNOPAUSE -dBATCH -sDEVICE=pdfwrite -sOutputFile=output.pdf 983911.pdf and that produces a working copy (evince opens it) $ hexdump -C output.pdf |head -1 00000000 25 50 44 46 2d 31 2e 35 0a 25 c7 ec 8f a2 0a 35 |%PDF-1.5.%.....5|
Hi, it is hard to debug this without a PDF which triggers the issue so I'll ask you to show me backtrace from valgrind. First, you'll need to install debug packages. I hope that you can do that this way: "dnf debuginfo-install evince gtk3 glib2 poppler" Then install valgrind package please "dnf install valgrind" Then run evince inside valgrind (replacing the the-document.pdf with actual document name): "valgrind --track-origins=yes --num-callers=80 --malloc-fill=0xfa --free-fill=0xfb --trace-children=yes --read-var-info=yes --error-limit=no evince the-document.pdf &> ./valgrind.log" It will be very slow but it will give us better view of what is going on. Also, could you have a look at "Title" and "Author" of the PDF? Evince probably crashes when saving this info as metadata. So I would need to know whether there is something unusual (as some non-standard characters etc.). "pdfinfo the-document.pdf | grep -e Author -e Title" pdfinfo is part of poppler-utils package.
(In reply to Marek Kašík from comment #1) > Also, could you have a look at "Title" and "Author" of the PDF? Evince > probably crashes when saving this info as metadata. So I would need to know > whether there is something unusual (as some non-standard characters etc.). > > "pdfinfo the-document.pdf | grep -e Author -e Title" > > pdfinfo is part of poppler-utils package. It seems to be plain ASCII: $ pdfinfo nonpublic_test.pdf |egrep 'Author|Title|Subject|Keywords|Producer|CreationDate' > pdfinfos.txt $ file pdfinfos.txt pdfinfos.txt: ASCII text $ cat pdfinfos.txt |tr -d [A-Z][a-z][0-9] : // . : : ,//,,. , : : : :: I also deleted this content without any change to the coredumps $ cp nonpublic_test.pdf nonpublic_test_deltitle.pdf $ /usr/bin/exiftool -all= --ICC_Profile:all nonpublic_test_deltitle.pdf $ pdfinfo nonpublic_test_deltitle.pdf |egrep 'Author|Title|Subject|Keywords|Producer|CreationDate' (manually annotated: empty output) $ evince nonpublic_test_deltitle.pdf (manually annotated: dumped core here again) YFI: The ExifTool PDF edits are reversible. So the data may be still in the file.
(In reply to Marek Kašík from comment #1) > Then run evince inside valgrind (replacing the the-document.pdf with actual > document name): > > "valgrind --track-origins=yes --num-callers=80 --malloc-fill=0xfa > --free-fill=0xfb --trace-children=yes --read-var-info=yes --error-limit=no > evince the-document.pdf &> ./valgrind.log" > I added --show-error-list=yes $ cat valgrind.log ==3908== Memcheck, a memory error detector ==3908== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. ==3908== Using Valgrind-3.16.0 and LibVEX; rerun with -h for copyright info ==3908== Command: evince nonpublic_test.pdf ==3908== ==3908== Thread 6 EvJobScheduler: ==3908== Invalid read of size 4 ==3908== at 0x7F02BB8: g_date_time_to_instant (gdatetime.c:734) ==3908== by 0x7F02BB8: g_date_time_to_unix (gdatetime.c:2502) ==3908== by 0x19656DB8: ??? (in /usr/lib64/libpoppler-glib.so.8.19.0) ==3908== by 0x1964C40A: poppler_document_get_attachments (in /usr/lib64/libpoppler-glib.so.8.19.0) ==3908== by 0x19420D3D: ??? (in /usr/lib64/evince/4/backends/libpdfdocument.so) ==3908== by 0x50A36FD: ??? (in /usr/lib64/libevview3.so.3.0.0) ==3908== by 0x50A5821: ??? (in /usr/lib64/libevview3.so.3.0.0) ==3908== by 0x7F41E59: g_thread_proxy (gthread.c:784) ==3908== by 0x8786149: start_thread (in /usr/lib64/libpthread-2.28.so) ==3908== by 0x8A9ADC2: clone (in /usr/lib64/libc-2.28.so) ==3908== Address 0x10 is not stack'd, malloc'd or (recently) free'd ==3908== ==3908== ==3908== Process terminating with default action of signal 11 (SIGSEGV): dumping core ==3908== Access not within mapped region at address 0x10 ==3908== at 0x7F02BB8: g_date_time_to_instant (gdatetime.c:734) ==3908== by 0x7F02BB8: g_date_time_to_unix (gdatetime.c:2502) ==3908== by 0x19656DB8: ??? (in /usr/lib64/libpoppler-glib.so.8.19.0) ==3908== by 0x1964C40A: poppler_document_get_attachments (in /usr/lib64/libpoppler-glib.so.8.19.0) ==3908== by 0x19420D3D: ??? (in /usr/lib64/evince/4/backends/libpdfdocument.so) ==3908== by 0x50A36FD: ??? (in /usr/lib64/libevview3.so.3.0.0) ==3908== by 0x50A5821: ??? (in /usr/lib64/libevview3.so.3.0.0) ==3908== by 0x7F41E59: g_thread_proxy (gthread.c:784) ==3908== by 0x8786149: start_thread (in /usr/lib64/libpthread-2.28.so) ==3908== by 0x8A9ADC2: clone (in /usr/lib64/libc-2.28.so) ==3908== If you believe this happened as a result of a stack ==3908== overflow in your program's main thread (unlikely but ==3908== possible), you can try to increase the size of the ==3908== main thread stack using the --main-stacksize= flag. ==3908== The main thread stack size used in this run was 8388608. ==3908== ==3908== HEAP SUMMARY: ==3908== in use at exit: 7,411,381 bytes in 83,157 blocks ==3908== total heap usage: 435,452 allocs, 352,295 frees, 33,521,745 bytes allocated ==3908== ==3908== LEAK SUMMARY: ==3908== definitely lost: 20,829 bytes in 41 blocks ==3908== indirectly lost: 21,935 bytes in 931 blocks ==3908== possibly lost: 13,680 bytes in 131 blocks ==3908== still reachable: 6,078,609 bytes in 73,676 blocks ==3908== of which reachable via heuristic: ==3908== length64 : 16,792 bytes in 211 blocks ==3908== newarray : 2,672 bytes in 87 blocks ==3908== suppressed: 32 bytes in 1 blocks ==3908== Rerun with --leak-check=full to see details of leaked memory ==3908== ==3908== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0) ==3908== ==3908== 1 errors in context 1 of 1: ==3908== Invalid read of size 4 ==3908== at 0x7F02BB8: g_date_time_to_instant (gdatetime.c:734) ==3908== by 0x7F02BB8: g_date_time_to_unix (gdatetime.c:2502) ==3908== by 0x19656DB8: ??? (in /usr/lib64/libpoppler-glib.so.8.19.0) ==3908== by 0x1964C40A: poppler_document_get_attachments (in /usr/lib64/libpoppler-glib.so.8.19.0) ==3908== by 0x19420D3D: ??? (in /usr/lib64/evince/4/backends/libpdfdocument.so) ==3908== by 0x50A36FD: ??? (in /usr/lib64/libevview3.so.3.0.0) ==3908== by 0x50A5821: ??? (in /usr/lib64/libevview3.so.3.0.0) ==3908== by 0x7F41E59: g_thread_proxy (gthread.c:784) ==3908== by 0x8786149: start_thread (in /usr/lib64/libpthread-2.28.so) ==3908== by 0x8A9ADC2: clone (in /usr/lib64/libc-2.28.so) ==3908== Address 0x10 is not stack'd, malloc'd or (recently) free'd ==3908== --3908-- --3908-- used_suppression: 1 dtv-addr-tail /usr/libexec/valgrind/default.supp:1450 suppressed: 32 bytes in 1 blocks ==3908== ==3908== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
BTW: The pdf document can be opened in Fedora 34's evince ...
I am able to reproduce the issue now. I've attached a file inside a PDF and modified its ModDate and CreationDate to contain non-existing dates. This causes passing NULL to "g_date_time_to_unix()" and the crash at RHEL 8, it does not crash at Fedora 34 since it placed assert in the function so it just shows a warning. Could you check values of ModDate and CreationDate in your PDF? If they are not readable there you maybe need to uncompress streams in the PDF by "qpdf --stream-data=uncompress input.pdf output.pdf".
Created attachment 1805938 [details] reproducer
Great that you can reproduce it. Indeed my PDF file (both original and uncompressed) does not have any ModDate entry !
(In reply to Leon Fauster from comment #7) > Great that you can reproduce it. Indeed my PDF file (both original and > uncompressed) does not have any ModDate entry ! Is there any CreationDate? The backtrace I get is the same as yours.
Hi, I've prepared a COPR repository with a fix for the issue I see. Could you try to update poppler from it and test whether it fixes the crash? You can enable it by running: dnf copr enable mkasik/poppler-test-build and then run the update: dnf update poppler The COPR repository comes from here: https://copr.fedorainfracloud.org/coprs/mkasik/poppler-test-build/
(In reply to Marek Kašík from comment #8) > (In reply to Leon Fauster from comment #7) > > Great that you can reproduce it. Indeed my PDF file (both original and > > uncompressed) does not have any ModDate entry ! > > Is there any CreationDate? > > The backtrace I get is the same as yours. It has only the CreationDate: $ pdfinfo Q1.pdf|grep -i date CreationDate: Mon Apr 19 23:55:54 2021 CEST
(In reply to Marek Kašík from comment #10) > I've prepared a COPR repository with a fix for the issue I see. Could you > try to update poppler from it and test whether it fixes the crash? > > You can enable it by running: > > dnf copr enable mkasik/poppler-test-build > > and then run the update: > > dnf update poppler > > The COPR repository comes from here: > https://copr.fedorainfracloud.org/coprs/mkasik/poppler-test-build/ Hey Marek, this worked! Evince does not crash anymore and displays the PDF document. JFI: When looking into the "properties" of the document in Evince the "ModDate" field (that is missing in the PDF file) has the epoch time as value displayed. So, it seems that the patch addresses this issue. Thanks!
Great! Thank you for testing it. You'll need to downgrade the poppler and remove the COPR repository before updating to official release once ready though (it will take some time yet). You can do it this way: dnf downgrade poppler dnf copr remove mkasik/poppler-test-build
I reproduced evince crash with attached pdf file (poppler-20.11.0-2.el8.x86_64) Then I installed poppler-20.11.0-3.el8.x86_64 and file was successfully opened by evince.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (evince bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:4155