Bug 15216

Summary: evince crashed with SIGSEGV in ft_glyphslot_free_bitmap()
Product: poppler    Reporter: Sebastien Bacher <seb128>
Component: cairo backend    Assignee: poppler-bugs <poppler-bugs>
Status: RESOLVED FIXED    QA Contact: cairo-bugs mailing list <cairo-bugs>
Severity: normal
Priority: medium
Version: unspecified
Hardware: Other
OS: All
Whiteboard:
Attachments: Do not call FT_Done_Face on a live cairo_font_t.

Description Sebastien Bacher 2008-03-26 16:01:06 UTC
The bug has been opened on https://bugs.launchpad.net/ubuntu/+source/evince/+bug/207341

"Binary package hint: evince

Crash trying to print attached PDF, two pages per sheet, 600dpi.
Btw, it takes quite a long time, CPU goes to 100%, and the crash happens after a couple of minutes on my machine.
Trying to print again, even at 300dpi, always results in another crash, so I believe it's always reproducible.

http://launchpadlibrarian.net/12907877/inferenza-fol.pdf
#  PDF that triggers the crash when printed 2 pages per sheet  (421.4 KiB, application/pdf) 

#0  ft_glyphslot_free_bitmap (slot=0xb0948c82)
    at /build/buildd/freetype-2.3.5/freetype-2.3.5/src/base/ftobjs.c:247
No locals.
#1  0x4ce73590 in FT_Load_Glyph (face=0x8f9bcd0, glyph_index=34, load_flags=522)
    at /build/buildd/freetype-2.3.5/freetype-2.3.5/src/base/ftobjs.c:298
	error = <value optimized out>
	driver = <value optimized out>
	hinter = <value optimized out>
#2  0x4acd5782 in _cairo_ft_scaled_glyph_init (abstract_font=0x90a4938, scaled_glyph=0x900f180, 
    info=CAIRO_SCALED_GLYPH_INFO_METRICS) at /build/buildd/cairo-1.5.14/src/cairo-ft-font.c:2159
	fs_metrics = {x_bearing = 7.334742848667577e-316, y_bearing = -0.084837376325584024, 
  width = 1.8032359957465722e+61, height = 2.0371159593266614e-312, x_advance = 5.9287877500949585e-323, 
  y_advance = 841.5968728374512}
	scaled_font = <value optimized out>
	unscaled = (cairo_ft_unscaled_font_t *) 0x8ee0ca8
	glyph = <value optimized out>
	face = (FT_Face) 0x8f9bcd0
	error = <value optimized out>
	load_flags = 522
	x_factor = 0.084837376325584024
	y_factor = 0
	vertical_layout = 0
	status = CAIRO_STATUS_SUCCESS
#3  0x4ac9e2bc in _cairo_scaled_glyph_lookup (scaled_font=0x90a4938, index=34, 
    info=CAIRO_SCALED_GLYPH_INFO_METRICS, scaled_glyph_ret=0xb7e45c6c)
    at /build/buildd/cairo-1.5.14/src/cairo-scaled-font.c:1809
	status = <value optimized out>
	key = {hash = 34, size = 2943}
	scaled_glyph = (cairo_scaled_glyph_t *) 0x900f180
	need_info = <value optimized out>
#4  0x4ac9f6d5 in _cairo_scaled_font_glyph_device_extents (scaled_font=0x90a4938, glyphs=0x8e3e528, 
    num_glyphs=14, extents=0xb7e45cb0) at /build/buildd/cairo-1.5.14/src/cairo-scaled-font.c:1208
	scaled_glyph = (cairo_scaled_glyph_t *) 0x0
	x = -1209770816
	y = 132
	i = 0
#5  0x4acaf06e in _cairo_analysis_surface_show_glyphs (abstract_surface=0x8d94590, op=CAIRO_OPERATOR_OVER, 
    source=0x86370b8, glyphs=0x8e3e528, num_glyphs=14, scaled_font=0x90a4938)
    at /build/buildd/cairo-1.5.14/src/cairo-analysis-surface.c:569
	surface = <value optimized out>
	status = 150584528
	backend_status = CAIRO_STATUS_SUCCESS
	extents = {x = 0, y = 0, width = 595, height = 841}
	glyph_extents = {x = 143986516, y = 0, width = 41316, height = 136573}
#6  0x4aca12af in _cairo_surface_show_glyphs (surface=0x8d94590, op=CAIRO_OPERATOR_OVER, source=0x909cb44, 
    glyphs=0x8e3e528, num_glyphs=14, scaled_font=0x90a4938)
    at /build/buildd/cairo-1.5.14/src/cairo-surface.c:2139
	font_options = <value optimized out>
	dev_ctm = {xx = 1.1310237566022765e-311, yx = 3.3951932656432488e-313, xy = 2.8980733117991295e-309, 
  yy = 2.2542569966026837e+52, x0 = 4.898451237867254e-266, y0 = 1.9541221367460229e+52}
	status = CAIRO_STATUS_SUCCESS
	dev_scaled_font = (cairo_scaled_font_t *) 0x90a4938
	dev_source = (cairo_pattern_t *) 0x86370b8
	font_matrix = {xx = 0, yx = -11.9453, xy = -11.9453, yy = -0, x0 = 0, y0 = 0}
	__PRETTY_FUNCTION__ = "_cairo_surface_show_glyphs"
#7  0x4acace6e in _cairo_meta_surface_replay_internal (surface=0x8d21828, target=0x8d94590, 
    type=CAIRO_META_CREATE_REGIONS, region=CAIRO_META_REGION_ALL)
    at /build/buildd/cairo-1.5.14/src/cairo-meta-surface.c:827
	dev_ctm = {xx = 9.8987976806159559e+60, yx = 9.7967002597499062e+60, xy = 1.5391213486033423e-267, 
  yy = 1.5391145877440321e-267, x0 = 3.1848144221872288e-265, y0 = 9.7967028276834704e+60}
	dev_ctm_inverse = {xx = 0, yx = -11.787257495590826, xy = -11.787257495590826, yy = 0, 
  x0 = 9920.1190476190459, y0 = 7016.6666666666661}
	tmp = {xx = 0, yx = -0.084837376325584024, xy = -0.084837376325584024, yy = 0, 
  x0 = 595.27559055118115, y0 = 841.5968728374512}
	stroke_command = <value optimized out>
	command = (cairo_command_t *) 0x909cb38
	elements = (cairo_command_t **) 0x8fdcc90
	i = 632
	num_elements = 869
	status = <value optimized out>
	clip = {mode = CAIRO_CLIP_MODE_PATH, all_clipped = 0, surface = 0x0, surface_rect = {x = 0, y = 0, 
    width = 0, height = 0}, serial = 0, region = {rgn = {extents = {x1 = 0, y1 = 0, x2 = 0, y2 = 0}, 
      data = 0x4cfa2208}}, has_region = 0, path = 0x0}
	has_device_transform = 0
	device_transform = (cairo_matrix_t *) 0x8d945bc
	path_copy = {last_move_point = {x = 24, y = 1285862368}, current_point = {x = 151288848, 
    y = -1209770168}, has_current_point = 0, has_curve_to = 0, buf_tail = 0x4ca67140, buf_head = {base = {
      next = 0x4c9862d1, prev = 0x4ca67164, buf_size = 150514808, num_ops = 1285862268, 
      num_points = 151288840, op = 0x0, points = 0x8e3e648}, op = "X_ä·Ñb\230LTq¦Lô_¦L|³¤L(åã\b\210_ä", 
    points = {{x = 1285071840, y = 1285976384}, {x = 1285055185, y = 151288848}, {x = 96, y = 1285862368}, {
        x = 137696184, y = -1209770072}, {x = 1285071840, y = 1285976384}, {x = 150095776, y = 73}, {x = 48, 
        y = 1285862368}, {x = 140734376, y = -1209770040}, {x = 144168952, y = 1285976384}, {x = 140734376, 
        y = 0}, {x = 1285971956, y = 1285976384}, {x = 144168296, y = -1209770008}, {x = 150095888, 
        y = 1285976384}, {x = 144168296, y = 140734376}, {x = 1285971956, y = 1285976384}, {x = 150095784, 
        y = -1209769976}, {x = 1285071840, y = 1285976384}, {x = 150095784, y = 144168296}, {x = 150530088, 
        y = -1209769992}, {x = 150095776, y = 144168296}, {x = 1261719436, y = -1209769960}, {x = 1250357236, 
        y = 0}, {x = 150530088, y = 1286210865}, {x = 1250143537, y = 150095784}, {x = 1261719436, 
        y = -1209769800}, {x = 15859, y = 150095784}, {x = 136573800, y = 1286210865}, {x = -1209769828, 
        y = 0}, {x = 1286216204, y = 1285057665}, {x = 15859, y = 1}, {x = -1, y = -1}, {x = 15859, 
        y = 1286217200}, {x = 144279440, y = 1285976784}, {x = 1285849557, y = 1}, {x = 1285976432, 
        y = 1286210865}, {x = 352, y = 44}, {x = 1286210848, y = 1312}, {x = 15859, y = 1265811928}, {x = 1, 
        y = -1209769784}, {x = 1254714176, y = 148456940}, {x = 0, y = 1072693248}, {x = 0, y = 0}, {x = 0, 
        y = -1209769752}, {x = 1254714176, y = 148457144}, {x = 0, y = 1072693248}, {x = 0, y = 0}, {x = 0, 
        y = 1291287553}, {x = 1255022624, y = 148456848}, {x = 138232768, y = -1209769752}, {x = 1254739629, 
        y = 148457096}, {x = 1255022624, y = -1209769704}, {x = 1254811955, y = 148457096}, {x = 1255018848, 
        y = 12288}, {x = 0, y = -1227660236}}}}
	dev_path = (cairo_path_fixed_t *) 0x0
	__PRETTY_FUNCTION__ = "_cairo_meta_surface_replay_internal"
#8  0x4acae1db in _paint_page (surface=0x826dd10)
    at /build/buildd/cairo-1.5.14/src/cairo-paginated-surface.c:303
	analysis = (cairo_surface_t *) 0x8d94590
	status = <value optimized out>
	has_supported = <value optimized out>
	has_finegrained_fallback = <value optimized out>
	__PRETTY_FUNCTION__ = "_paint_page"
#9  0x4acae47f in _cairo_paginated_surface_show_page (abstract_surface=0x826dd10)
    at /build/buildd/cairo-1.5.14/src/cairo-paginated-surface.c:464
	status = <value optimized out>
	surface = (cairo_paginated_surface_t *) 0x8f9bcd0
#10 0x4aca19e0 in *INT_cairo_surface_show_page (surface=0x826dd10)
    at /build/buildd/cairo-1.5.14/src/cairo-surface.c:1746
	__PRETTY_FUNCTION__ = "cairo_surface_show_page"
#11 0x4ac92188 in _cairo_gstate_show_page (gstate=0x8498920)
    at /build/buildd/cairo-1.5.14/src/cairo-gstate.c:1082
No locals.
#12 0x4ac8a992 in cairo_show_page (cr=0x8498900) at /build/buildd/cairo-1.5.14/src/cairo.c:2207
	status = <value optimized out>
#13 0xb6d30f38 in pdf_document_file_exporter_end_page (exporter=0x822acf0)
    at /build/buildd/evince-2.22.0/./backend/pdf/ev-poppler.cc:1785
	ctx = <value optimized out>
	__PRETTY_FUNCTION__ = "void pdf_document_file_exporter_end_page(EvFileExporter*)"
#14 0x4ad126d9 in ev_file_exporter_end_page (exporter=0x822acf0)
    at /build/buildd/evince-2.22.0/./libdocument/ev-file-exporter.c:80
No locals.
#15 0x080606dd in ev_job_print_run (job=0x83b8b90) at /build/buildd/evince-2.22.0/./shell/ev-jobs.c:946
	k = <value optimized out>
	page = 46
	step = 2
	n_copies = 1
	document = (EvDocument *) 0x822acf0
	fc = {format = EV_FILE_FORMAT_PS, filename = 0x8498f18 "/tmp/evince_print.ps.2K0R8T", first_page = 0, 
  last_page = 52, paper_width = 595.27559055118115, paper_height = 841.88976377952758, duplex = 0, 
  pages_per_sheet = 2}
	rc = (EvRenderContext *) 0x8230e00
	fd = 19
	n_pages = 53
	last_page = <value optimized out>
	first_page = 2
	i = 0
	j = 2
	__PRETTY_FUNCTION__ = "ev_job_print_run"
#16 0x0805f584 in handle_job (job=0x83b8b90) at /build/buildd/evince-2.22.0/./shell/ev-job-queue.c:141
	__PRETTY_FUNCTION__ = "handle_job"
#17 0x0805fa4c in ev_render_thread (data=0x0) at /build/buildd/evince-2.22.0/./shell/ev-job-queue.c:264
	job = (EvJob *) 0x83b8b90
#18 0x4b6929ef in g_thread_create_proxy (data=0x8102ea8) at /build/buildd/glib2.0-2.16.1/glib/gthread.c:635
	__PRETTY_FUNCTION__ = "g_thread_create_proxy"
#19 0x4ca9e4fb in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
#20 0x4c9f1d4e in clone () from /lib/tls/i686/cmov/libc.so.6"
Comment 1 Chris Wilson 2008-03-27 03:51:54 UTC
valgrind reports:
==13745== Invalid read of size 4
==13745==    at 0x51BE572: FT_Load_Glyph (ftobjs.c:549)
==13745==    by 0x4A24921: _cairo_ft_scaled_glyph_init (cairo-ft-font.c:1922)
==13745==    by 0x4A117AB: _cairo_scaled_glyph_lookup (cairo-scaled-font.c:1674)
==13745==    by 0x4A12A5A: _cairo_scaled_font_glyph_device_extents (cairo-scaled-font.c:1124)
==13745==    by 0x4A21ECD: _cairo_analysis_surface_show_glyphs (cairo-analysis-surface.c:516)
==13745==    by 0x4A144DC: _cairo_surface_show_glyphs (cairo-surface.c:2086)
==13745==    by 0x4A1FCC8: _cairo_meta_surface_replay_internal (cairo-meta-surface.c:816)
==13745==    by 0x4A214B1: _paint_page (cairo-paginated-surface.c:299)
==13745==    by 0x4A2171E: _cairo_paginated_surface_show_page (cairo-paginated-surface.c:445)
==13745==    by 0x4A14BDF: cairo_surface_show_page (cairo-surface.c:1702)
==13745==    by 0x49FF661: cairo_show_page (cairo.c:2155)
==13745==    by 0xA267D97: pdf_document_file_exporter_end_page(_EvFileExporter*) (ev-poppler.cc:1753)
==13745==  Address 0x55c5630 is 88 bytes inside a block of size 552 free'd
==13745==    at 0x402269C: free (vg_replace_malloc.c:326)
==13745==    by 0x51B7ABC: ft_free (ftsystem.c:158)
==13745==    by 0x51BB319: ft_mem_free (ftutil.c:171)
==13745==    by 0x51BC318: destroy_face (ftobjs.c:856)
==13745==    by 0x51BC3B2: FT_Done_Face (ftobjs.c:1972)
==13745==    by 0x4363704: CairoFont::~CairoFont() (CairoFontEngine.cc:251)
==13745==    by 0x436401D: CairoFontEngine::getFont(GfxFont*, XRef*) (CairoFontEngine.cc:335)
==13745==    by 0x4366915: CairoOutputDev::updateFont(GfxState*) (CairoOutputDev.cc:318)
==13745==    by 0x5093BF1: Gfx::opShowText(Object*, int) (Gfx.cc:3073)
==13745==    by 0x508F901: Gfx::execOp(Object*, Object*, int) (Gfx.cc:726)
==13745==    by 0x50906FF: Gfx::go(int) (Gfx.cc:594)
==13745==    by 0x5090C96: Gfx::display(Object*, int) (Gfx.cc:557)
==13745==

which looks like poppler has called FT_Done_Face on a live cairo_font_face_t.
Comment 2 Chris Wilson 2008-03-27 03:57:29 UTC
Created attachment 15501
Do not call FT_Done_Face on a live cairo_font_t.
Comment 3 Carlos Garcia Campos 2008-04-09 11:12:49 UTC
Pushed to both master and poppler-0.8 branch. Thanks!