Bug 452816 - evince crashes with SIGSEGV
Summary: evince crashes with SIGSEGV
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: evince
Version: 9
Hardware: x86_64
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Kristian Høgsberg
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2008-06-25 09:39 UTC by Jiri Slaby
Modified: 2009-07-14 15:56 UTC
CC List: 0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-07-14 15:56:05 UTC
Type: ---
Embargoed:


Attachments
/proc/PID/maps of evince (34.38 KB, text/plain), 2008-06-25 09:59 UTC, Jiri Slaby

Description Jiri Slaby 2008-06-25 09:39:57 UTC
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x42085950 (LWP 17945)]
0x0000003846a10620 in FT_List_Find (list=0x7f8430e70d10, data=0x7f8430e71380)
    at /usr/src/debug/freetype-2.3.5/src/base/ftutil.c:250
250           if ( cur->data == data )
(gdb) info registers 
rax            0x4e00000000     335007449088
rbx            0x7f8431345670   140205737924208
rcx            0x0      0
rdx            0x7f8431345670   140205737924208
rsi            0x7f8430e71380   140205732860800
rdi            0x7f8430e70d10   140205732859152
rbp            0x7f8430e70ce0   0x7f8430e70ce0
rsp            0x42084998       0x42084998
r8             0x32ec930        53397808
r9             0x3dd2f660e0     265532367072
r10            0x0      0
r11            0x0      0
r12            0x7f8430e71380   140205732860800
r13            0x7f8430e70d10   140205732859152
r14            0x0      0
r15            0x42084b70       1107839856
rip            0x3846a10620     0x3846a10620 <FT_List_Find+16>
eflags         0x10206  [ PF IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x63     99
gs             0x0      0
fctrl          0x37f    895
fstat          0x0      0
ftag           0xffff   65535
fiseg          0x0      0
fioff          0x0      0
foseg          0x0      0
fooff          0x0      0
fop            0x0      0
mxcsr          0x1fa0   [ PE IM DM ZM OM UM PM ]
(gdb) where
#0  0x0000003846a10620 in FT_List_Find (list=0x7f8430e70d10, 
    data=0x7f8430e71380) at /usr/src/debug/freetype-2.3.5/src/base/ftutil.c:250
#1  0x0000003846a10ef4 in FT_Done_Face (face=<value optimized out>)
    at /usr/src/debug/freetype-2.3.5/src/base/ftobjs.c:1964
#2  0x000000316a00c4ac in _cairo_user_data_array_fini (
    array=<value optimized out>) at cairo-array.c:378
#3  0x000000316a00faeb in cairo_font_face_destroy (
    font_face=<value optimized out>) at cairo-font-face.c:144
#4  0x000000316a050e85 in _cairo_ft_unscaled_font_destroy (
    abstract_font=<value optimized out>) at cairo-ft-font.c:493
#5  0x000000316a00f952 in _cairo_unscaled_font_destroy (
    unscaled_font=<value optimized out>) at cairo-font-face.c:531
#6  0x000000316a01c2a9 in _cairo_scaled_font_fini (
    scaled_font=<value optimized out>) at cairo-scaled-font.c:587
#7  0x000000316a01c387 in cairo_scaled_font_destroy (
    scaled_font=<value optimized out>) at cairo-scaled-font.c:843
#8  0x000000316a010d22 in _cairo_gstate_unset_scaled_font (
    gstate=<value optimized out>) at cairo-gstate.c:1219
#9  0x000000316a010d72 in _cairo_gstate_set_font_face (
    gstate=<value optimized out>, font_face=<value optimized out>)
    at cairo-gstate.c:1492
#10 0x000000316a009ea9 in cairo_set_font_face (cr=<value optimized out>, 
    font_face=<value optimized out>) at cairo.c:2688
#11 0x00007f8444fae9c1 in CairoOutputDev::updateFont ()
   from /usr/lib64/libpoppler-glib.so.3
#12 0x000000331f2b42ad in Gfx::opShowSpaceText ()
   from /usr/lib64/libpoppler.so.3
#13 0x000000331f2ab9ec in Gfx::go () from /usr/lib64/libpoppler.so.3
#14 0x000000331f2b20d6 in Gfx::display () from /usr/lib64/libpoppler.so.3
#15 0x000000331f2f7c10 in Page::displaySlice () from /usr/lib64/libpoppler.so.3
#16 0x00007f8444fa794f in ?? () from /usr/lib64/libpoppler-glib.so.3
#17 0x00007f843e85b506 in pdf_document_render (document=<value optimized out>, 
    rc=0x26d5c80) at ev-poppler.cc:488
#18 0x000000000041d83b in ev_job_render_run (job=0x2934990) at ev-jobs.c:372
#19 0x000000000041bbb3 in handle_job (job=0x2934990) at ev-job-queue.c:137
#20 0x000000000041c10a in ev_render_thread (data=<value optimized out>)
    at ev-job-queue.c:264
#21 0x000000331a660434 in ?? () from /lib64/libglib-2.0.so.0
#22 0x0000003dd380729a in start_thread () from /lib64/libpthread.so.0
#23 0x0000003dd2ce42cd in clone () from /lib64/libc.so.6
(gdb) disassemble 
Dump of assembler code for function FT_List_Find:
0x0000003846a10610 <FT_List_Find+0>:    mov    (%rdi),%rax
0x0000003846a10613 <FT_List_Find+3>:    test   %rax,%rax
0x0000003846a10616 <FT_List_Find+6>:    je     0x3846a1063a <FT_List_Find+42>
0x0000003846a10618 <FT_List_Find+8>:    cmp    %rsi,0x10(%rax)
0x0000003846a1061c <FT_List_Find+12>:   jne    0x3846a1062a <FT_List_Find+26>
0x0000003846a1061e <FT_List_Find+14>:   jmp    0x3846a1063c <FT_List_Find+44>
0x0000003846a10620 <FT_List_Find+16>:   cmp    %rsi,0x10(%rax)
0x0000003846a10624 <FT_List_Find+20>:   nopl   0x0(%rax)
0x0000003846a10628 <FT_List_Find+24>:   je     0x3846a1063a <FT_List_Find+42>
0x0000003846a1062a <FT_List_Find+26>:   mov    0x8(%rax),%rax
0x0000003846a1062e <FT_List_Find+30>:   test   %rax,%rax
0x0000003846a10631 <FT_List_Find+33>:   nopl   0x0(%rax)
0x0000003846a10638 <FT_List_Find+40>:   jne    0x3846a10620 <FT_List_Find+16>
0x0000003846a1063a <FT_List_Find+42>:   repz retq 
0x0000003846a1063c <FT_List_Find+44>:   repz retq 
End of assembler dump.
(gdb) l 250
245
246
247         cur = list->head;
248         while ( cur )
249         {
250           if ( cur->data == data )
251             return cur;
252
253           cur = cur->next;
254         }

$ rpm -q freetype evince
freetype-2.3.5-6.fc9.x86_64
freetype-2.3.5-6.fc9.i386
evince-2.22.2-1.fc9.x86_64

Comment 1 Jiri Slaby 2008-06-25 09:45:41 UTC
Not 100% reproducible. Run 2 instances of evince and then resize the top one to
see the other one underneath. After a while, with luck, this occurs.

Comment 2 Jiri Slaby 2008-06-25 09:57:59 UTC
This one is even more interesting. See FT_Done_Face+49 and the crashing FT_Done_Face+56.

Program received signal SIGBUS, Bus error.
[Switching to Thread 0x40cd7950 (LWP 18064)]
FT_Done_Face (face=<value optimized out>)
    at /usr/src/debug/freetype-2.3.5/src/base/ftobjs.c:1961
1961          memory = driver->root.memory;
(gdb) where
#0  FT_Done_Face (face=<value optimized out>)
    at /usr/src/debug/freetype-2.3.5/src/base/ftobjs.c:1961
#1  0x000000316a00c4ac in _cairo_user_data_array_fini (
    array=<value optimized out>) at cairo-array.c:378
#2  0x000000316a00faeb in cairo_font_face_destroy (
    font_face=<value optimized out>) at cairo-font-face.c:144
#3  0x000000316a050e85 in _cairo_ft_unscaled_font_destroy (
    abstract_font=<value optimized out>) at cairo-ft-font.c:493
#4  0x000000316a00f952 in _cairo_unscaled_font_destroy (
    unscaled_font=<value optimized out>) at cairo-font-face.c:531
#5  0x000000316a01c2a9 in _cairo_scaled_font_fini (
    scaled_font=<value optimized out>) at cairo-scaled-font.c:587
#6  0x000000316a01c387 in cairo_scaled_font_destroy (
    scaled_font=<value optimized out>) at cairo-scaled-font.c:843
#7  0x000000316a010d22 in _cairo_gstate_unset_scaled_font (
    gstate=<value optimized out>) at cairo-gstate.c:1219
#8  0x000000316a010d72 in _cairo_gstate_set_font_face (
    gstate=<value optimized out>, font_face=<value optimized out>)
    at cairo-gstate.c:1492
#9  0x000000316a009ea9 in cairo_set_font_face (cr=<value optimized out>, 
    font_face=<value optimized out>) at cairo.c:2688
#10 0x00007fae7e6cd9c1 in CairoOutputDev::updateFont ()
   from /usr/lib64/libpoppler-glib.so.3
#11 0x000000331f2b42ad in Gfx::opShowSpaceText ()
   from /usr/lib64/libpoppler.so.3
#12 0x000000331f2ab9ec in Gfx::go () from /usr/lib64/libpoppler.so.3
#13 0x000000331f2b20d6 in Gfx::display () from /usr/lib64/libpoppler.so.3
#14 0x000000331f2f7c10 in Page::displaySlice () from /usr/lib64/libpoppler.so.3
#15 0x00007fae7e6c694f in ?? () from /usr/lib64/libpoppler-glib.so.3
#16 0x00007fae73dfd506 in pdf_document_render (document=<value optimized out>, 
    rc=0x1c59e40) at ev-poppler.cc:488
#17 0x000000000041d83b in ev_job_render_run (job=0x7fae69f9e020)
    at ev-jobs.c:372
#18 0x000000000041bbb3 in handle_job (job=0x7fae69f9e020) at ev-job-queue.c:137
#19 0x000000000041c10a in ev_render_thread (data=<value optimized out>)
    at ev-job-queue.c:264
#20 0x000000331a660434 in ?? () from /lib64/libglib-2.0.so.0
#21 0x0000003dd380729a in start_thread () from /lib64/libpthread.so.0
#22 0x0000003dd2ce42cd in clone () from /lib64/libc.so.6
(gdb) l
1956
1957        error = FT_Err_Invalid_Face_Handle;
1958        if ( face && face->driver )
1959        {
1960          driver = face->driver;
1961          memory = driver->root.memory;
1962
1963          /* find face in driver's list */
1964          node = FT_List_Find( &driver->faces_list, face );
1965          if ( node )
(gdb) disassemble 
Dump of assembler code for function FT_Done_Face:
0x0000003846a10eb0 <FT_Done_Face+0>:    mov    %r12,-0x18(%rsp)
0x0000003846a10eb5 <FT_Done_Face+5>:    mov    %rbx,-0x28(%rsp)
0x0000003846a10eba <FT_Done_Face+10>:   mov    %rdi,%r12
0x0000003846a10ebd <FT_Done_Face+13>:   mov    %rbp,-0x20(%rsp)
0x0000003846a10ec2 <FT_Done_Face+18>:   mov    %r13,-0x10(%rsp)
0x0000003846a10ec7 <FT_Done_Face+23>:   mov    %r14,-0x8(%rsp)
0x0000003846a10ecc <FT_Done_Face+28>:   sub    $0x28,%rsp
0x0000003846a10ed0 <FT_Done_Face+32>:   test   %rdi,%rdi
0x0000003846a10ed3 <FT_Done_Face+35>:   je     0x3846a10f40 <FT_Done_Face+144>
0x0000003846a10ed5 <FT_Done_Face+37>:   mov    0xb0(%rdi),%rbp
0x0000003846a10edc <FT_Done_Face+44>:   test   %rbp,%rbp
0x0000003846a10edf <FT_Done_Face+47>:   je     0x3846a10f40 <FT_Done_Face+144>
0x0000003846a10ee1 <FT_Done_Face+49>:   lea    0x30(%rbp),%r13
0x0000003846a10ee5 <FT_Done_Face+53>:   mov    %rdi,%rsi
0x0000003846a10ee8 <FT_Done_Face+56>:   mov    0x10(%rbp),%r14
0x0000003846a10eec <FT_Done_Face+60>:   mov    %r13,%rdi
0x0000003846a10eef <FT_Done_Face+63>:   callq  0x3846a0c088 <FT_List_Find@plt>
0x0000003846a10ef4 <FT_Done_Face+68>:   test   %rax,%rax
0x0000003846a10ef7 <FT_Done_Face+71>:   mov    %rax,%rbx
0x0000003846a10efa <FT_Done_Face+74>:   je     0x3846a10f40 <FT_Done_Face+144>
0x0000003846a10efc <FT_Done_Face+76>:   mov    %rax,%rsi
0x0000003846a10eff <FT_Done_Face+79>:   mov    %r13,%rdi
0x0000003846a10f02 <FT_Done_Face+82>:   callq  0x3846a0b968 <FT_List_Remove@plt>
0x0000003846a10f07 <FT_Done_Face+87>:   mov    %rbx,%rsi
0x0000003846a10f0a <FT_Done_Face+90>:   mov    %r14,%rdi
0x0000003846a10f0d <FT_Done_Face+93>:   callq  0x3846a0b5c8 <ft_mem_free@plt>
0x0000003846a10f12 <FT_Done_Face+98>:   mov    %rbp,%rdx
0x0000003846a10f15 <FT_Done_Face+101>:  mov    %r12,%rsi
0x0000003846a10f18 <FT_Done_Face+104>:  mov    %r14,%rdi
0x0000003846a10f1b <FT_Done_Face+107>:  callq  0x3846a10dc0 <destroy_face>
0x0000003846a10f20 <FT_Done_Face+112>:  xor    %eax,%eax
0x0000003846a10f22 <FT_Done_Face+114>:  mov    (%rsp),%rbx
0x0000003846a10f26 <FT_Done_Face+118>:  mov    0x8(%rsp),%rbp
0x0000003846a10f2b <FT_Done_Face+123>:  mov    0x10(%rsp),%r12
0x0000003846a10f30 <FT_Done_Face+128>:  mov    0x18(%rsp),%r13
0x0000003846a10f35 <FT_Done_Face+133>:  mov    0x20(%rsp),%r14
0x0000003846a10f3a <FT_Done_Face+138>:  add    $0x28,%rsp
0x0000003846a10f3e <FT_Done_Face+142>:  retq   
0x0000003846a10f3f <FT_Done_Face+143>:  nop    
0x0000003846a10f40 <FT_Done_Face+144>:  mov    $0x23,%eax
0x0000003846a10f45 <FT_Done_Face+149>:  jmp    0x3846a10f22 <FT_Done_Face+114>
End of assembler dump.
(gdb) info registers 
rax            0x7fae7e6cab10   140387422087952
rbx            0x7fae74a6e3d0   140387258131408
rcx            0x0      0
rdx            0x7fae74a6e3d0   140387258131408
rsi            0x7fae74a72320   140387258147616
rdi            0x7fae74a72320   140387258147616
rbp            0x4072c00000000000       0x4072c00000000000
rsp            0x40cd69a0       0x40cd69a0
r8             0x7fae6c5fe5f0   140387119261168
r9             0x3dd2f660e0     265532367072
r10            0x0      0
r11            0x0      0
r12            0x7fae74a72320   140387258147616
r13            0x4072c00000000030       4643985272004935728
r14            0x1      1
r15            0x40cd6b70       1087204208
rip            0x3846a10ee8     0x3846a10ee8 <FT_Done_Face+56>
eflags         0x10206  [ PF IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x63     99
gs             0x0      0
fctrl          0x37f    895
fstat          0x0      0
ftag           0xffff   65535
fiseg          0x0      0
fioff          0x0      0
foseg          0x0      0
fooff          0x0      0
fop            0x0      0
mxcsr          0x1fa0   [ PE IM DM ZM OM UM PM ]


Comment 3 Jiri Slaby 2008-06-25 09:59:44 UTC
Created attachment 310245
/proc/PID/maps of evince

Comment 4 Jiri Slaby 2008-06-25 10:23:49 UTC
Well, the sequence is: open evince, open the next document, X: open yet another
document, close it, do the resize. If not successful, go to step X.

The rbp and rip are always the same:
rbp            0x4072c00000000000       0x4072c00000000000
...
rip            0x3846a10ee8     0x3846a10ee8 <FT_Done_Face+56>
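
The two register dumps in this report are worth reading side by side. In the second crash, rbp holds face->driver (loaded at FT_Done_Face+37 from 0xb0(%rdi)) and contains 0x4072c00000000000, which is not a canonical x86_64 user-space address at all but is exactly the IEEE-754 double 300.0; r13 is that same bogus base plus 0x30 (the lea at FT_Done_Face+49, i.e. &driver->faces_list), and the fault at +56 is the dereference of it. In the first crash, the list node in rax (0x4e00000000) lies far from the 0x7f84... region that every other pointer in the dump points into. A pointer field that reads as a floating-point value at crash time is consistent with the face having been freed and its memory reused while the render thread still held a reference, which fits the "only after a while" reproduction. The script below, added here as an example and not part of the report or of evince, cairo or freetype, does that triage mechanically: it checks whether a register value can be a pointer, decodes non-canonical values as doubles, and looks pointer-like values up in /proc/PID/maps. The maps lines it carries are constructed for illustration (the report's real maps file is the attachment and is not reproduced here); the register values are the ones from the dumps above.

```python
"""Triage helper for x86_64 crash register dumps (example, not project code).

Decodes register values the way one does by hand when reading the dumps
above: is the value a canonical user-space address, does it fall inside a
mapping from /proc/PID/maps, and, if it cannot be a pointer, what does it
look like when read as an IEEE-754 double?
"""
import re
import struct


def is_canonical(value):
    """x86_64 with 48-bit virtual addresses: bits 63..47 must all equal bit 47."""
    top = value >> 47
    return top == 0 or top == 0x1FFFF


def as_double(value):
    """Reinterpret the 64-bit register contents as a little-endian double."""
    return struct.unpack("<d", struct.pack("<Q", value & 0xFFFFFFFFFFFFFFFF))[0]


# start-end perms offset dev inode [path]  (path may be absent for anonymous maps)
_MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\S+\s*(.*)$")


def parse_maps(text):
    """Parse /proc/PID/maps lines into (start, end, perms, path) tuples."""
    mappings = []
    for line in text.splitlines():
        m = _MAPS_LINE.match(line.strip())
        if m:
            start, end, perms, path = m.groups()
            mappings.append((int(start, 16), int(end, 16), perms, path))
    return mappings


def find_mapping(mappings, addr):
    """Return the mapping containing addr, or None if it is unmapped."""
    for start, end, perms, path in mappings:
        if start <= addr < end:
            return (start, end, perms, path)
    return None


def classify(value, mappings):
    """Describe one register value: into a mapping, unmapped, or not a pointer."""
    if not is_canonical(value):
        return "non-canonical (cannot be a pointer); as double = %r" % as_double(value)
    if not mappings:
        return "canonical (no maps supplied)"
    hit = find_mapping(mappings, value)
    if hit is None:
        return "canonical but unmapped"
    start, end, perms, path = hit
    return "mapped %s %s" % (perms, path or "[anon]")


def triage(registers, mappings):
    """Classify every register in a {name: value} dict."""
    return {name: classify(value, mappings) for name, value in registers.items()}


# Constructed sample maps (NOT the attachment from the report); the ranges are
# chosen to contain the code and data addresses visible in the first backtrace.
SAMPLE_MAPS = """\
00400000-00456000 r-xp 00000000 08:02 12345 /usr/bin/evince
02f00000-03400000 rw-p 00000000 00:00 0 [heap]
3846a00000-3846a70000 r-xp 00000000 08:02 23456 /usr/lib64/libfreetype.so.6
316a000000-316a0a0000 r-xp 00000000 08:02 34567 /usr/lib64/libcairo.so.2
7f8430000000-7f8434000000 rw-p 00000000 00:00 0
"""

# Register values copied from the two dumps in the report.
CRASH1_REGS = {"rax": 0x4E00000000, "rdi": 0x7F8430E70D10,
               "rsi": 0x7F8430E71380, "rip": 0x3846A10620}
CRASH2_REGS = {"rbp": 0x4072C00000000000, "r13": 0x4072C00000000030,
               "rdi": 0x7FAE74A72320, "rip": 0x3846A10EE8}

if __name__ == "__main__":
    maps = parse_maps(SAMPLE_MAPS)
    for name, desc in triage(CRASH1_REGS, maps).items():
        print("crash 1 %-3s 0x%016x  %s" % (name, CRASH1_REGS[name], desc))
    # The second crash is a different process, so the sample maps do not apply.
    for name, desc in triage(CRASH2_REGS, []).items():
        print("crash 2 %-3s 0x%016x  %s" % (name, CRASH2_REGS[name], desc))
```

Run against a real dump, the useful signal is the combination: a value that fails the canonical check is not a corrupted-but-nearby pointer, it is foreign data (here a double) written over the pointer slot, which is why the reporter's observation that rbp is identical on every occurrence matters; a canonical value that falls in no mapping (crash 1's rax) says the list was already walked into freed or never-valid memory before the faulting compare.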

Comment 5 Bug Zapper 2009-06-10 01:46:41 UTC
This message is a reminder that Fedora 9 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 9.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '9'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 9's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 9 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 6 Bug Zapper 2009-07-14 15:56:05 UTC
Fedora 9 changed to end-of-life (EOL) status on 2009-07-10. Fedora 9 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.
