The bug has been opened on https://bugs.launchpad.net/ubuntu/+source/evince/+bug/207341 "Binary package hint: evince Crash trying to print attached PDF, two pages per sheet, 600dpi. Btw, it takes quite a long time, CPU goes to 100%, and the crash happens after a couple of minutes on my machine. Trying to print again, even at 300dpi, always results in another crash, so I believe it's always reproducible. http://launchpadlibrarian.net/12907877/inferenza-fol.pdf # PDF that triggers the crash when printed 2 pages per sheet (421.4 KiB, application/pdf) #0 ft_glyphslot_free_bitmap (slot=0xb0948c82) at /build/buildd/freetype-2.3.5/freetype-2.3.5/src/base/ftobjs.c:247 No locals. #1 0x4ce73590 in FT_Load_Glyph (face=0x8f9bcd0, glyph_index=34, load_flags=522) at /build/buildd/freetype-2.3.5/freetype-2.3.5/src/base/ftobjs.c:298 error = <value optimized out> driver = <value optimized out> hinter = <value optimized out> #2 0x4acd5782 in _cairo_ft_scaled_glyph_init (abstract_font=0x90a4938, scaled_glyph=0x900f180, info=CAIRO_SCALED_GLYPH_INFO_METRICS) at /build/buildd/cairo-1.5.14/src/cairo-ft-font.c:2159 fs_metrics = {x_bearing = 7.334742848667577e-316, y_bearing = -0.084837376325584024, width = 1.8032359957465722e+61, height = 2.0371159593266614e-312, x_advance = 5.9287877500949585e-323, y_advance = 841.5968728374512} scaled_font = <value optimized out> unscaled = (cairo_ft_unscaled_font_t *) 0x8ee0ca8 glyph = <value optimized out> face = (FT_Face) 0x8f9bcd0 error = <value optimized out> load_flags = 522 x_factor = 0.084837376325584024 y_factor = 0 vertical_layout = 0 status = CAIRO_STATUS_SUCCESS #3 0x4ac9e2bc in _cairo_scaled_glyph_lookup (scaled_font=0x90a4938, index=34, info=CAIRO_SCALED_GLYPH_INFO_METRICS, scaled_glyph_ret=0xb7e45c6c) at /build/buildd/cairo-1.5.14/src/cairo-scaled-font.c:1809 status = <value optimized out> key = {hash = 34, size = 2943} scaled_glyph = (cairo_scaled_glyph_t *) 0x900f180 need_info = <value optimized out> #4 0x4ac9f6d5 in 
_cairo_scaled_font_glyph_device_extents (scaled_font=0x90a4938, glyphs=0x8e3e528, num_glyphs=14, extents=0xb7e45cb0) at /build/buildd/cairo-1.5.14/src/cairo-scaled-font.c:1208 scaled_glyph = (cairo_scaled_glyph_t *) 0x0 x = -1209770816 y = 132 i = 0 #5 0x4acaf06e in _cairo_analysis_surface_show_glyphs (abstract_surface=0x8d94590, op=CAIRO_OPERATOR_OVER, source=0x86370b8, glyphs=0x8e3e528, num_glyphs=14, scaled_font=0x90a4938) at /build/buildd/cairo-1.5.14/src/cairo-analysis-surface.c:569 surface = <value optimized out> status = 150584528 backend_status = CAIRO_STATUS_SUCCESS extents = {x = 0, y = 0, width = 595, height = 841} glyph_extents = {x = 143986516, y = 0, width = 41316, height = 136573} #6 0x4aca12af in _cairo_surface_show_glyphs (surface=0x8d94590, op=CAIRO_OPERATOR_OVER, source=0x909cb44, glyphs=0x8e3e528, num_glyphs=14, scaled_font=0x90a4938) at /build/buildd/cairo-1.5.14/src/cairo-surface.c:2139 font_options = <value optimized out> dev_ctm = {xx = 1.1310237566022765e-311, yx = 3.3951932656432488e-313, xy = 2.8980733117991295e-309, yy = 2.2542569966026837e+52, x0 = 4.898451237867254e-266, y0 = 1.9541221367460229e+52} status = CAIRO_STATUS_SUCCESS dev_scaled_font = (cairo_scaled_font_t *) 0x90a4938 dev_source = (cairo_pattern_t *) 0x86370b8 font_matrix = {xx = 0, yx = -11.9453, xy = -11.9453, yy = -0, x0 = 0, y0 = 0} __PRETTY_FUNCTION__ = "_cairo_surface_show_glyphs" #7 0x4acace6e in _cairo_meta_surface_replay_internal (surface=0x8d21828, target=0x8d94590, type=CAIRO_META_CREATE_REGIONS, region=CAIRO_META_REGION_ALL) at /build/buildd/cairo-1.5.14/src/cairo-meta-surface.c:827 dev_ctm = {xx = 9.8987976806159559e+60, yx = 9.7967002597499062e+60, xy = 1.5391213486033423e-267, yy = 1.5391145877440321e-267, x0 = 3.1848144221872288e-265, y0 = 9.7967028276834704e+60} dev_ctm_inverse = {xx = 0, yx = -11.787257495590826, xy = -11.787257495590826, yy = 0, x0 = 9920.1190476190459, y0 = 7016.6666666666661} tmp = {xx = 0, yx = -0.084837376325584024, xy = 
-0.084837376325584024, yy = 0, x0 = 595.27559055118115, y0 = 841.5968728374512} stroke_command = <value optimized out> command = (cairo_command_t *) 0x909cb38 elements = (cairo_command_t **) 0x8fdcc90 i = 632 num_elements = 869 status = <value optimized out> clip = {mode = CAIRO_CLIP_MODE_PATH, all_clipped = 0, surface = 0x0, surface_rect = {x = 0, y = 0, width = 0, height = 0}, serial = 0, region = {rgn = {extents = {x1 = 0, y1 = 0, x2 = 0, y2 = 0}, data = 0x4cfa2208}}, has_region = 0, path = 0x0} has_device_transform = 0 device_transform = (cairo_matrix_t *) 0x8d945bc path_copy = {last_move_point = {x = 24, y = 1285862368}, current_point = {x = 151288848, y = -1209770168}, has_current_point = 0, has_curve_to = 0, buf_tail = 0x4ca67140, buf_head = {base = { next = 0x4c9862d1, prev = 0x4ca67164, buf_size = 150514808, num_ops = 1285862268, num_points = 151288840, op = 0x0, points = 0x8e3e648}, op = "X_ä·Ñb\230LTq¦Lô_¦L|³¤L(åã\b\210_ä", points = {{x = 1285071840, y = 1285976384}, {x = 1285055185, y = 151288848}, {x = 96, y = 1285862368}, { x = 137696184, y = -1209770072}, {x = 1285071840, y = 1285976384}, {x = 150095776, y = 73}, {x = 48, y = 1285862368}, {x = 140734376, y = -1209770040}, {x = 144168952, y = 1285976384}, {x = 140734376, y = 0}, {x = 1285971956, y = 1285976384}, {x = 144168296, y = -1209770008}, {x = 150095888, y = 1285976384}, {x = 144168296, y = 140734376}, {x = 1285971956, y = 1285976384}, {x = 150095784, y = -1209769976}, {x = 1285071840, y = 1285976384}, {x = 150095784, y = 144168296}, {x = 150530088, y = -1209769992}, {x = 150095776, y = 144168296}, {x = 1261719436, y = -1209769960}, {x = 1250357236, y = 0}, {x = 150530088, y = 1286210865}, {x = 1250143537, y = 150095784}, {x = 1261719436, y = -1209769800}, {x = 15859, y = 150095784}, {x = 136573800, y = 1286210865}, {x = -1209769828, y = 0}, {x = 1286216204, y = 1285057665}, {x = 15859, y = 1}, {x = -1, y = -1}, {x = 15859, y = 1286217200}, {x = 144279440, y = 1285976784}, {x = 1285849557, y = 
1}, {x = 1285976432, y = 1286210865}, {x = 352, y = 44}, {x = 1286210848, y = 1312}, {x = 15859, y = 1265811928}, {x = 1, y = -1209769784}, {x = 1254714176, y = 148456940}, {x = 0, y = 1072693248}, {x = 0, y = 0}, {x = 0, y = -1209769752}, {x = 1254714176, y = 148457144}, {x = 0, y = 1072693248}, {x = 0, y = 0}, {x = 0, y = 1291287553}, {x = 1255022624, y = 148456848}, {x = 138232768, y = -1209769752}, {x = 1254739629, y = 148457096}, {x = 1255022624, y = -1209769704}, {x = 1254811955, y = 148457096}, {x = 1255018848, y = 12288}, {x = 0, y = -1227660236}}}} dev_path = (cairo_path_fixed_t *) 0x0 __PRETTY_FUNCTION__ = "_cairo_meta_surface_replay_internal" #8 0x4acae1db in _paint_page (surface=0x826dd10) at /build/buildd/cairo-1.5.14/src/cairo-paginated-surface.c:303 analysis = (cairo_surface_t *) 0x8d94590 status = <value optimized out> has_supported = <value optimized out> has_finegrained_fallback = <value optimized out> __PRETTY_FUNCTION__ = "_paint_page" #9 0x4acae47f in _cairo_paginated_surface_show_page (abstract_surface=0x826dd10) at /build/buildd/cairo-1.5.14/src/cairo-paginated-surface.c:464 status = <value optimized out> surface = (cairo_paginated_surface_t *) 0x8f9bcd0 #10 0x4aca19e0 in *INT_cairo_surface_show_page (surface=0x826dd10) at /build/buildd/cairo-1.5.14/src/cairo-surface.c:1746 __PRETTY_FUNCTION__ = "cairo_surface_show_page" #11 0x4ac92188 in _cairo_gstate_show_page (gstate=0x8498920) at /build/buildd/cairo-1.5.14/src/cairo-gstate.c:1082 No locals. 
#12 0x4ac8a992 in cairo_show_page (cr=0x8498900) at /build/buildd/cairo-1.5.14/src/cairo.c:2207 status = <value optimized out> #13 0xb6d30f38 in pdf_document_file_exporter_end_page (exporter=0x822acf0) at /build/buildd/evince-2.22.0/./backend/pdf/ev-poppler.cc:1785 ctx = <value optimized out> __PRETTY_FUNCTION__ = "void pdf_document_file_exporter_end_page(EvFileExporter*)" #14 0x4ad126d9 in ev_file_exporter_end_page (exporter=0x822acf0) at /build/buildd/evince-2.22.0/./libdocument/ev-file-exporter.c:80 No locals. #15 0x080606dd in ev_job_print_run (job=0x83b8b90) at /build/buildd/evince-2.22.0/./shell/ev-jobs.c:946 k = <value optimized out> page = 46 step = 2 n_copies = 1 document = (EvDocument *) 0x822acf0 fc = {format = EV_FILE_FORMAT_PS, filename = 0x8498f18 "/tmp/evince_print.ps.2K0R8T", first_page = 0, last_page = 52, paper_width = 595.27559055118115, paper_height = 841.88976377952758, duplex = 0, pages_per_sheet = 2} rc = (EvRenderContext *) 0x8230e00 fd = 19 n_pages = 53 last_page = <value optimized out> first_page = 2 i = 0 j = 2 __PRETTY_FUNCTION__ = "ev_job_print_run" #16 0x0805f584 in handle_job (job=0x83b8b90) at /build/buildd/evince-2.22.0/./shell/ev-job-queue.c:141 __PRETTY_FUNCTION__ = "handle_job" #17 0x0805fa4c in ev_render_thread (data=0x0) at /build/buildd/evince-2.22.0/./shell/ev-job-queue.c:264 job = (EvJob *) 0x83b8b90 #18 0x4b6929ef in g_thread_create_proxy (data=0x8102ea8) at /build/buildd/glib2.0-2.16.1/glib/gthread.c:635 __PRETTY_FUNCTION__ = "g_thread_create_proxy" #19 0x4ca9e4fb in start_thread () from /lib/tls/i686/cmov/libpthread.so.0 #20 0x4c9f1d4e in clone () from /lib/tls/i686/cmov/libc.so.6"
valgrind reports: ==13745== Invalid read of size 4 ==13745== at 0x51BE572: FT_Load_Glyph (ftobjs.c:549) ==13745== by 0x4A24921: _cairo_ft_scaled_glyph_init (cairo-ft-font.c:1922) ==13745== by 0x4A117AB: _cairo_scaled_glyph_lookup (cairo-scaled-font.c:1674) ==13745== by 0x4A12A5A: _cairo_scaled_font_glyph_device_extents (cairo-scaled-font.c:1124) ==13745== by 0x4A21ECD: _cairo_analysis_surface_show_glyphs (cairo-analysis-surface.c:516) ==13745== by 0x4A144DC: _cairo_surface_show_glyphs (cairo-surface.c:2086) ==13745== by 0x4A1FCC8: _cairo_meta_surface_replay_internal (cairo-meta-surface.c:816) ==13745== by 0x4A214B1: _paint_page (cairo-paginated-surface.c:299) ==13745== by 0x4A2171E: _cairo_paginated_surface_show_page (cairo-paginated-surface.c:445) ==13745== by 0x4A14BDF: cairo_surface_show_page (cairo-surface.c:1702) ==13745== by 0x49FF661: cairo_show_page (cairo.c:2155) ==13745== by 0xA267D97: pdf_document_file_exporter_end_page(_EvFileExporter*) (ev-poppler.cc:1753) ==13745== Address 0x55c5630 is 88 bytes inside a block of size 552 free'd ==13745== at 0x402269C: free (vg_replace_malloc.c:326) ==13745== by 0x51B7ABC: ft_free (ftsystem.c:158) ==13745== by 0x51BB319: ft_mem_free (ftutil.c:171) ==13745== by 0x51BC318: destroy_face (ftobjs.c:856) ==13745== by 0x51BC3B2: FT_Done_Face (ftobjs.c:1972) ==13745== by 0x4363704: CairoFont::~CairoFont() (CairoFontEngine.cc:251) ==13745== by 0x436401D: CairoFontEngine::getFont(GfxFont*, XRef*) (CairoFontEngine.cc:335) ==13745== by 0x4366915: CairoOutputDev::updateFont(GfxState*) (CairoOutputDev.cc:318) ==13745== by 0x5093BF1: Gfx::opShowText(Object*, int) (Gfx.cc:3073) ==13745== by 0x508F901: Gfx::execOp(Object*, Object*, int) (Gfx.cc:726) ==13745== by 0x50906FF: Gfx::go(int) (Gfx.cc:594) ==13745== by 0x5090C96: Gfx::display(Object*, int) (Gfx.cc:557) ==13745== which is a use-after-free: the FT_Face is freed by FT_Done_Face from CairoFont::~CairoFont() (poppler's font cache), but a live cairo_font_face_t still references it and reads it later in FT_Load_Glyph. In other words, it looks like poppler has called FT_Done_Face on an FT_Face that a live cairo_font_face_t still uses.
Created attachment 15501 [details] [review] Do not call FT_Done_Face on a live cairo_font_t.
Pushed to both master and poppler-0.8 branch. Thanks!