Bug 100164

Summary: evince segfault when opening this pdf (calling cairo_set_dash())
Product: poppler
Component: cairo backend
Reporter: Wim Lewis <wiml>
Assignee: poppler-bugs <poppler-bugs>
Status: RESOLVED MOVED
Severity: normal
Priority: medium
Version: unspecified
Hardware: x86-64 (AMD64)
OS: Linux (All)

Description Wim Lewis 2017-03-11 23:15:39 UTC
evince crashes while rendering this PDF. The window appears, it chews CPU for a few seconds, then segfaults before displaying anything from the file.

I'm using Debian's version, which is old, but this may be useful information anyway.

http://www2.census.gov/geo/maps/blk2000/st02_Alaska/Place/0218675_Deltana/CBP0218675_001.pdf


versions:
  evince 3.14.1-2+deb8u1
  poppler 0.26.5-2+deb8u1
  cairo  1.14.0-2.1+deb8u2


(gdb) run /tmp/mozilla_wiml0/CBP0218675_001.pdf 
Starting program: /usr/bin/evince /tmp/mozilla_wiml0/CBP0218675_001.pdf
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7fffee0aa700 (LWP 9970)]
[New Thread 0x7fffed8a9700 (LWP 9971)]
[New Thread 0x7fffed0a8700 (LWP 9975)]
[New Thread 0x7fffdffff700 (LWP 9976)]
[New Thread 0x7fffdf7fe700 (LWP 9977)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffdf7fe700 (LWP 9977)]
0x00007ffff5efd789 in _cairo_gstate_set_dash (gstate=0x7fffd00a3870, dash=0x0, num_dashes=8, offset=4.7430302000759668e-322)
    at ../../../../src/cairo-gstate.c:542
542	../../../../src/cairo-gstate.c: No such file or directory.
(gdb) bt
#0  0x00007ffff5efd789 in _cairo_gstate_set_dash (gstate=0x7fffd00a3870, dash=0x0, num_dashes=8, offset=4.7430302000759668e-322)
    at ../../../../src/cairo-gstate.c:542
#1  0x00007ffff5ef0f82 in cairo_set_dash (cr=0x7fffd04b2c40, dashes=0x7fffd0000038, num_dashes=-800379904, offset=4.7430302000759668e-322)
    at ../../../../src/cairo.c:1080
#2  0x00007fffdeddd4bc in CairoOutputDev::fillToStrokePathClip (this=this@entry=0x7fffd0042da0, state=state@entry=0x7fffd04b3a50)
    at CairoOutputDev.cc:1163
#3  0x00007fffdedddaf7 in CairoOutputDev::tilingPatternFill (this=0x7fffd0042da0, state=0x7fffd04b3a50, gfxA=<optimized out>, cat=<optimized out>, 
    str=<optimized out>, pmat=<optimized out>, paintType=2, resDict=0x7fffd05ff7a0, mat=0x7fffdf7fd640, bbox=0x7fffd05fd438, x0=316, y0=224, x1=329, 
    y1=228, xStep=<optimized out>, yStep=<optimized out>) at CairoOutputDev.cc:896
#4  0x00007fffde504156 in Gfx::doTilingPatternFill (this=0x7fffd00d2900, tPat=0x7fffd05fd420, stroke=<optimized out>, eoFill=<optimized out>, 
    text=<optimized out>) at Gfx.cc:2279
#5  0x00007fffde504e0d in Gfx::opCloseEOFillStroke (this=0x7fffd00d2900, args=<optimized out>, numArgs=<optimized out>) at Gfx.cc:1987
#6  0x00007fffde500e78 in Gfx::go (this=this@entry=0x7fffd00d2900, topLevel=topLevel@entry=true) at Gfx.cc:762
#7  0x00007fffde501378 in Gfx::display (this=this@entry=0x7fffd00d2900, obj=obj@entry=0x7fffdf7fdad0, topLevel=topLevel@entry=true) at Gfx.cc:728
#8  0x00007fffde549375 in Page::displaySlice (this=0x7fffd005b200, out=out@entry=0x7fffd0042da0, hDPI=hDPI@entry=72, vDPI=vDPI@entry=72, 
    rotate=rotate@entry=0, useMediaBox=useMediaBox@entry=false, crop=crop@entry=true, sliceX=sliceX@entry=-1, sliceY=-1, sliceW=-1, sliceH=-1, 
    printing=false, abortCheckCbk=0x0, abortCheckCbkData=0x0, annotDisplayDecideCbk=0x0, annotDisplayDecideCbkData=0x0, copyXRef=false) at Page.cc:585
#9  0x00007fffdedc9e52 in _poppler_page_render (page=0xb98e80, cairo=0xb6c9a0, printing=<optimized out>, print_flags=<optimized out>)
    at poppler-page.cc:362
#10 0x00007fffec05cb93 in pdf_page_render (page=page@entry=0xb98e80, width=2355, height=2157, rc=rc@entry=0xb98ec0)
    at /build/evince-3.14.1/./backend/pdf/ev-poppler.cc:415
#11 0x00007fffec05cdd1 in pdf_document_render (document=<optimized out>, rc=0xb98ec0) at /build/evince-3.14.1/./backend/pdf/ev-poppler.cc:442
#12 0x00007ffff7969342 in ev_job_render_run (job=0x7fffd000be00) at /build/evince-3.14.1/./libview/ev-jobs.c:638
#13 0x00007ffff796b19a in ev_job_thread (job=0x7fffd000be00) at /build/evince-3.14.1/./libview/ev-job-scheduler.c:184
#14 ev_job_thread_proxy (data=<optimized out>) at /build/evince-3.14.1/./libview/ev-job-scheduler.c:217
#15 0x00007ffff4de9845 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#16 0x00007ffff4648064 in start_thread (arg=0x7fffdf7fe700) at pthread_create.c:309
#17 0x00007ffff437d62d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
(gdb) x/10i $pc
=> 0x7ffff5efd789 <_cairo_gstate_set_dash+89>:	movsd  (%rbx),%xmm0
   0x7ffff5efd78d <_cairo_gstate_set_dash+93>:	ucomisd %xmm0,%xmm2
   0x7ffff5efd791 <_cairo_gstate_set_dash+97>:	ja     0x7ffff5efd960 <_cairo_gstate_set_dash+560>
   0x7ffff5efd797 <_cairo_gstate_set_dash+103>:	movapd %xmm2,%xmm5
   0x7ffff5efd79b <_cairo_gstate_set_dash+107>:	movapd %xmm2,%xmm1
   0x7ffff5efd79f <_cairo_gstate_set_dash+111>:	movapd %xmm2,%xmm4
   0x7ffff5efd7a3 <_cairo_gstate_set_dash+115>:	xor    %ecx,%ecx
   0x7ffff5efd7a5 <_cairo_gstate_set_dash+117>:	xor    %eax,%eax
   0x7ffff5efd7a7 <_cairo_gstate_set_dash+119>:	movapd %xmm2,%xmm3
   0x7ffff5efd7ab <_cairo_gstate_set_dash+123>:	xor    %r9d,%r9d
(gdb) inf reg
rax            0x7fffd04b2c00	140736687975424
rbx            0x0	0
rcx            0x7fffd0000020	140736683048992
rdx            0x7fffd04b2c00	140736687975424
rsi            0x7fffd0000038	140736683049016
rdi            0x7fffd04b2c40	140736687975488
rbp            0x7fffd00a3870	0x7fffd00a3870
rsp            0x7fffdf7fd3f0	0x7fffdf7fd3f0
r8             0x3	3
r9             0x7fffd04b2c00	140736687975424
r10            0x0	0
r11            0x7ffff4401f90	140737291231120
r12            0x8	8
r13            0x7fffdf7fd640	140736943085120
r14            0x7fffd04b3a50	140736687979088
r15            0xb6cf40	11980608
rip            0x7ffff5efd789	0x7ffff5efd789 <_cairo_gstate_set_dash+89>
eflags         0x10202	[ IF RF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0
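The backtrace above shows cairo_set_dash() reached with an inconsistent dash description: frame #0 reports dash=0x0 with num_dashes=8, rbx is 0, and the faulting instruction is movsd (%rbx),%xmm0, i.e. the first read of the dash array through a NULL pointer. The following is an added example, not poppler's or cairo's code, of the boundary check a rendering backend can apply to a (pattern, length, phase) triple before handing it to a set-dash call, falling back to a solid line instead of passing the bad triple on. The line_dash_t struct, the function names and the sample patterns are hypothetical and constructed for this example; they are not poppler's GfxState or the pattern from the PDF in the report. The value rules (negative or all-zero entries) match what cairo documents as CAIRO_STATUS_INVALID_DASH for cairo_set_dash(); the pointer/count and finiteness rules are the caller-side checks that keep a NULL array from ever being dereferenced.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <math.h>   /* HUGE_VAL only; no libm call is made */

/* Result of checking a dash description before it reaches a
 * cairo_set_dash()-style call. */
typedef enum {
    DASH_OK = 0,
    DASH_ERR_NEGATIVE_COUNT,  /* num_dashes < 0 */
    DASH_ERR_NULL_WITH_COUNT, /* dash == NULL but num_dashes > 0: the crash above */
    DASH_ERR_NOT_FINITE,      /* NaN or infinity in an entry or the offset */
    DASH_ERR_NEGATIVE_ENTRY,  /* an entry below zero (cairo: CAIRO_STATUS_INVALID_DASH) */
    DASH_ERR_ALL_ZERO,        /* every entry zero (cairo: CAIRO_STATUS_INVALID_DASH) */
    DASH_ERR_NO_MEMORY        /* copy could not be allocated */
} dash_status_t;

/* Hypothetical stand-in for the dash fields of a PDF graphics state:
 * the /D array, its length and its phase. Not poppler's GfxState. */
typedef struct {
    const double *pattern;
    int length;
    double phase;
} line_dash_t;

/* Finite check without libm: NaN fails x == x, +/-inf fails x - x == 0. */
static int is_finite(double x)
{
    return x == x && (x - x) == 0.0;
}

/* Validate (dash, num_dashes, offset) before calling into the rasterizer.
 * Pointer/count consistency is checked before any entry is read, so a
 * NULL array is never dereferenced. */
dash_status_t validate_dash(const double *dash, int num_dashes, double offset)
{
    if (num_dashes < 0)
        return DASH_ERR_NEGATIVE_COUNT;
    if (num_dashes > 0 && dash == NULL)
        return DASH_ERR_NULL_WITH_COUNT;
    if (!is_finite(offset))
        return DASH_ERR_NOT_FINITE;

    double total = 0.0;
    for (int i = 0; i < num_dashes; i++) {
        if (!is_finite(dash[i]))
            return DASH_ERR_NOT_FINITE;
        if (dash[i] < 0.0)
            return DASH_ERR_NEGATIVE_ENTRY;
        total += dash[i];
    }
    if (num_dashes > 0 && total == 0.0)
        return DASH_ERR_ALL_ZERO;
    return DASH_OK;
}

/* Copy a graphics-state dash into a freshly allocated array the caller
 * owns (free() it). On any failure the output is a solid line (NULL
 * array, length 0, phase 0) rather than the bad triple. Returns the
 * status so the caller can log the fallback. */
dash_status_t sanitize_line_dash(const line_dash_t *in,
                                 double **out_dash, int *out_len, double *out_phase)
{
    *out_dash = NULL;
    *out_len = 0;
    *out_phase = 0.0;

    dash_status_t st = validate_dash(in->pattern, in->length, in->phase);
    if (st != DASH_OK || in->length == 0)
        return st;

    double *copy = malloc((size_t)in->length * sizeof *copy);
    if (copy == NULL)
        return DASH_ERR_NO_MEMORY;
    memcpy(copy, in->pattern, (size_t)in->length * sizeof *copy);
    *out_dash = copy;
    *out_len = in->length;
    *out_phase = in->phase;
    return DASH_OK;
}

/* Constructed sample patterns (not taken from the PDF in the report). */
const double sample_dash_on_off[2]   = { 3.0, 2.0 };
const double sample_dash_negative[2] = { 3.0, -2.0 };
const double sample_dash_all_zero[2] = { 0.0, 0.0 };

/* The arguments frame #0 of the backtrace shows reaching cairo:
 * dash=0x0, num_dashes=8, a denormal offset. With the check in place
 * this reports DASH_ERR_NULL_WITH_COUNT instead of faulting. */
dash_status_t crash_case_status(void)
{
    return validate_dash(NULL, 8, 4.7430302000759668e-322);
}

/* Length actually handed on after sanitizing; 0 means forced to solid. */
int sanitized_length(const double *pattern, int length, double phase)
{
    line_dash_t in = { pattern, length, phase };
    double *dash; int len; double ph;
    sanitize_line_dash(&in, &dash, &len, &ph);
    free(dash);
    return len;
}
```

The pointer/count check comes first on purpose: num_dashes is what the loop trusts, so it is the one value that must be reconciled with the pointer before anything is read. A backend that had the same inconsistency in its own copy of the graphics state (a non-zero dash length alongside a NULL array, as frame #0 shows) would still be protected by running the triple through validate_dash() at the point it is converted for the rasterizer.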
Comment 1 GitLab Migration User 2018-08-21 10:32:38 UTC
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/poppler/poppler/issues/250.
