Bug 15302

Summary: evince crashed with SIGSEGV in FT_Get_Char_Index()
Product: poppler Reporter: Sebastien Bacher <seb128>
Component: cairo backendAssignee: Adrian Johnson <ajohnson>
Status: RESOLVED FIXED QA Contact: cairo-bugs mailing list <cairo-bugs>
Severity: normal    
Priority: medium CC: danilopiazza
Version: unspecified   
Hardware: Other   
OS: All   
Whiteboard:
i915 platform: i915 features:
Attachments: Patch for 0.6.4

Description Sebastien Bacher 2008-04-01 07:51:34 UTC 
The bug has been opened on https://bugs.launchpad.net/bugs/208485

"attempting to print this pdf with evince in Hardy:
http://www.linux-magazine.com/w3/issue/86/Email_Suites_Review.pdf

#0  0xb6e24df1 in FT_Get_Char_Index (face=0xb54f0530, charcode=0)
    at /build/buildd/freetype-2.3.5/freetype-2.3.5/src/base/ftobjs.c:2794
	result = <value optimized out>
#1  0xb6e24ea2 in FT_Get_First_Char (face=0xb54f0530, agindex=0xb6a26e28)
    at /build/buildd/freetype-2.3.5/freetype-2.3.5/src/base/ftobjs.c:2812
	result = <value optimized out>
	gindex = 0
#2  0xb75e84d1 in _cairo_ft_map_glyphs_to_unicode (abstract_font=0xb54edcd8, font_subset=0xb6a26fbc)
    at /build/buildd/cairo-1.5.14/src/cairo-ft-font.c:2414
	unscaled = (cairo_ft_unscaled_font_t *) 0xb48676d8
	face = (FT_Face) 0xb54f0530
	glyph = <value optimized out>
	charcode = <value optimized out>
	i = <value optimized out>
	count = 50
#3  0xb75dd567 in _cairo_scaled_font_subset_create_glyph_names (subset=0xb6a26fbc)
    at /build/buildd/cairo-1.5.14/src/cairo-scaled-font-subsets.c:768
	i = <value optimized out>
	status = <value optimized out>
	names = (cairo_hash_table_t *) 0x3057
	key = {base = {hash = 3035627520}, 
  string = 0xb4f32fa8 "%!FontType1-1.1 f-50-0 1.0\n11 dict begin\n/FontName /f-50-0 def\n/PaintType 0 def\n/FontType 1 def\n/FontMatrix [0.001 0 0 0.001 0 0] readonly def\n/FontBBox {-24 -199 857 744", ' ' <repeats 30 times>...}
	entry = <value optimized out>
	buf = "\000\000 P_·\000o¢¶\000\000\000\000¨n¢¶\032¼]·¨/ó´¨/ó´"
#4  0xb75c61dd in _cairo_ps_surface_emit_unscaled_font_subset (font_subset=0xb6a26fbc, closure=0xb484b570)
    at /build/buildd/cairo-1.5.14/src/cairo-ps-surface.c:574
	status = <value optimized out>
	__PRETTY_FUNCTION__ = "_cairo_ps_surface_emit_unscaled_font_subset"
#5  0xb75ddaeb in _cairo_sub_font_collect (entry=0xb54fd4f0, closure=0xb6a2703c)
    at /build/buildd/cairo-1.5.14/src/cairo-scaled-font-subsets.c:425
	subset = {scaled_font = 0xb54edcd8, font_id = 2, subset_id = 0, glyphs = 0xb5c961e0, 
  to_unicode = 0xb5c05a50, glyph_names = 0x0, num_glyphs = 50, is_composite = 0}
	i = 0
	j = 50
	__PRETTY_FUNCTION__ = "_cairo_sub_font_collect"
#6  0xb75a6dac in _cairo_hash_table_foreach (hash_table=0xb54f5ed0, 
    hash_callback=0xb75dda00 <_cairo_sub_font_collect>, closure=0xb6a2703c)
    at /build/buildd/cairo-1.5.14/src/cairo-hash.c:565
	i = 121
	entry = (cairo_hash_entry_t *) 0x0
#7  0xb75dd931 in _cairo_scaled_font_subsets_foreach_internal (font_subsets=0xb5ce1290, 
    font_subset_callback=0xb75c61a0 <_cairo_ps_surface_emit_unscaled_font_subset>, closure=0xb484b570, 
    is_scaled=0) at /build/buildd/cairo-1.5.14/src/cairo-scaled-font-subsets.c:680
	collection = {glyphs = 0xb5c961e0, glyphs_size = 65, max_glyph = 49, num_glyphs = 50, subset_id = 0, 
  status = CAIRO_STATUS_SUCCESS, 
  font_subset_callback = 0xb75c61a0 <_cairo_ps_surface_emit_unscaled_font_subset>, 
  font_subset_callback_closure = 0xb484b570}
#8  0xb75c69eb in _cairo_ps_surface_finish (abstract_surface=0xb484b570)
    at /build/buildd/cairo-1.5.14/src/cairo-ps-surface.c:625
	status = <value optimized out>
	status2 = <value optimized out>
	i = <value optimized out>
	num_comments = <value optimized out>
#9  0xb75b6623 in *INT_cairo_surface_finish (surface=0xb484b570)
    at /build/buildd/cairo-1.5.14/src/cairo-surface.c:516
	status = <value optimized out>
#10 0xb75c164c in _cairo_paginated_surface_finish (abstract_surface=0xb5417888)
    at /build/buildd/cairo-1.5.14/src/cairo-paginated-surface.c:171
	status = 3040966792
#11 0xb75b6623 in *INT_cairo_surface_finish (surface=0xb5417888)
    at /build/buildd/cairo-1.5.14/src/cairo-surface.c:516
	status = <value optimized out>
#12 0xb75b66df in *INT_cairo_surface_destroy (surface=0xb5417888)
    at /build/buildd/cairo-1.5.14/src/cairo-surface.c:411
	__PRETTY_FUNCTION__ = "cairo_surface_destroy"
#13 0xb75a6315 in _cairo_gstate_fini (gstate=0xb54fd8b0) at /build/buildd/cairo-1.5.14/src/cairo-gstate.c:199
No locals.
#14 0xb759ef7f in *INT_cairo_destroy (cr=0xb54fd890) at /build/buildd/cairo-1.5.14/src/cairo.c:267
	__PRETTY_FUNCTION__ = "cairo_destroy"
#15 0xb5e5454c in pdf_print_context_free (ctx=0xb54e7550)
    at /build/buildd/evince-2.22.0/./backend/pdf/ev-poppler.cc:1541
No locals.
#16 0xb5e545a5 in pdf_document_file_exporter_end (exporter=0x8402450)
    at /build/buildd/evince-2.22.0/./backend/pdf/ev-poppler.cc:1794
No locals.
#17 0xb7f50693 in ev_file_exporter_end (exporter=0x8402450)
    at /build/buildd/evince-2.22.0/./libdocument/ev-file-exporter.c:88
No locals.
#18 0x08060739 in ev_job_print_run (job=0x872fe80) at /build/buildd/evince-2.22.0/./shell/ev-jobs.c:955
	page = 7
	step = 1
	n_copies = <value optimized out>
	document = (EvDocument *) 0x8402450
	fc = {format = EV_FILE_FORMAT_PS, filename = 0xb483d720 "/tmp/evince_print.ps.ZDVG8T", 
  first_page = 0, last_page = 6, paper_width = 611.99998269869593, paper_height = 791.99998269869593, 
  duplex = 0, pages_per_sheet = 1}
	rc = (EvRenderContext *) 0x8402790
	fd = 19
	n_pages = 7
	last_page = <value optimized out>
	first_page = 1
	i = 1
	j = 1
	__PRETTY_FUNCTION__ = "ev_job_print_run"
#19 0x0805f584 in handle_job (job=0x872fe80) at /build/buildd/evince-2.22.0/./shell/ev-job-queue.c:141
	__PRETTY_FUNCTION__ = "handle_job"
#20 0x0805fa4c in ev_render_thread (data=0x0) at /build/buildd/evince-2.22.0/./shell/ev-job-queue.c:264
	job = (EvJob *) 0x872fe80
#21 0xb75059ef in g_thread_create_proxy (data=0x80ee848) at /build/buildd/glib2.0-2.16.1/glib/gthread.c:635
	__PRETTY_FUNCTION__ = "g_thread_create_proxy"
#22 0xb72ab4fb in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
#23 0xb722dd4e in clone () from /lib/tls/i686/cmov/libc.so.6"
Comment 1 Sebastien Bacher 2008-04-01 08:04:51 UTC 
Valgrind lists those errors on the example

==2516== Conditional jump or move depends on uninitialised value(s)
==2516==    at 0x4B5E062: (within /usr/lib/libz.so.1.2.3.3)
==2516==    by 0x4B5CBE6: deflate (in /usr/lib/libz.so.1.2.3.3)
==2516==    by 0x49DAFDE: cairo_deflate_stream_deflate (cairo-deflate-stream.c:57)
==2516==    by 0x49DB0A5: _cairo_deflate_stream_close (cairo-deflate-stream.c:108)
==2516==    by 0x49C7180: _cairo_output_stream_close (cairo-output-stream.c:192)
==2516==    by 0x49C7FFC: _cairo_output_stream_destroy (cairo-output-stream.c:216)
==2516==    by 0x49D2D9D: _cairo_pdf_surface_close_stream (cairo-pdf-surface.c:879)
==2516==    by 0x49D64E8: _cairo_pdf_surface_emit_pattern (cairo-pdf-surface.c:1453)
==2516==    by 0x49D7208: _cairo_pdf_surface_show_page (cairo-pdf-surface.c:3929)
==2516==    by 0x49BE9DF: cairo_surface_show_page (cairo-surface.c:1746)
==2516==    by 0x49CB492: _cairo_paginated_surface_show_page (cairo-paginated-surface.c:468)
==2516==    by 0x49BE9DF: cairo_surface_show_page (cairo-surface.c:1746)
==2516==    by 0x49AF187: _cairo_gstate_show_page (cairo-gstate.c:1082)
==2516==    by 0x49A7991: cairo_show_page (cairo.c:2207)
==2516==    by 0x7FA9F37: (within /usr/lib/evince/backends/libpdfdocument.so)
==2516==    by 0x404D6D8: ev_file_exporter_end_page (in /usr/lib/libevbackend.so.0.0.0)
==2516==    by 0x80606DC: (within /usr/bin/evince)
==2516==    by 0x805F583: (within /usr/bin/evince)
==2516==    by 0x805FA4B: (within /usr/bin/evince)
==2516==    by 0x4AA09EE: g_thread_create_proxy (gthread.c:635)
==2516==    by 0x4CDCFD9: start_thread (pthread_create.c:297)
==2516==    by 0x4DB483D: clone (in /usr/lib/debug/libc-2.7.so)
==2516== 
==2516== Use of uninitialised value of size 4
==2516==    at 0x4B5F655: (within /usr/lib/libz.so.1.2.3.3)
==2516==    by 0x4B61491: (within /usr/lib/libz.so.1.2.3.3)
==2516==    by 0x4B5E0A2: (within /usr/lib/libz.so.1.2.3.3)
==2516==    by 0x4B5CBE6: deflate (in /usr/lib/libz.so.1.2.3.3)
==2516==    by 0x49DAFDE: cairo_deflate_stream_deflate (cairo-deflate-stream.c:57)
==2516==    by 0x49DB0A5: _cairo_deflate_stream_close (cairo-deflate-stream.c:108)
==2516==    by 0x49C7180: _cairo_output_stream_close (cairo-output-stream.c:192)
==2516==    by 0x49C7FFC: _cairo_output_stream_destroy (cairo-output-stream.c:216)
==2516==    by 0x49D2D9D: _cairo_pdf_surface_close_stream (cairo-pdf-surface.c:879)
==2516==    by 0x49D64E8: _cairo_pdf_surface_emit_pattern (cairo-pdf-surface.c:1453)
==2516==    by 0x49D7208: _cairo_pdf_surface_show_page (cairo-pdf-surface.c:3929)
==2516==    by 0x49BE9DF: cairo_surface_show_page (cairo-surface.c:1746)
==2516==    by 0x49CB492: _cairo_paginated_surface_show_page (cairo-paginated-surface.c:468)
==2516==    by 0x49BE9DF: cairo_surface_show_page (cairo-surface.c:1746)
==2516==    by 0x49AF187: _cairo_gstate_show_page (cairo-gstate.c:1082)
==2516==    by 0x49A7991: cairo_show_page (cairo.c:2207)
==2516==    by 0x7FA9F37: (within /usr/lib/evince/backends/libpdfdocument.so)
==2516==    by 0x404D6D8: ev_file_exporter_end_page (in /usr/lib/libevbackend.so.0.0.0)
==2516==    by 0x80606DC: (within /usr/bin/evince)
==2516==    by 0x805F583: (within /usr/bin/evince)
==2516==    by 0x805FA4B: (within /usr/bin/evince)
==2516==    by 0x4AA09EE: g_thread_create_proxy (gthread.c:635)
==2516==    by 0x4CDCFD9: start_thread (pthread_create.c:297)
==2516==    by 0x4DB483D: clone (in /usr/lib/debug/libc-2.7.so)
Comment 2 Adrian Johnson 2008-05-30 18:18:59 UTC 
Does this bug still occur after updating poppler to include the following bug fix?

http://bugs.freedesktop.org/show_bug.cgi?id=15216
Comment 3 Sebastien Bacher 2008-06-11 10:09:25 UTC 
yes that's still an issue using the current poppler tarball which has this change
Comment 4 Adrian Johnson 2008-06-15 05:09:40 UTC 
I installed Hardy and could reproduce the bug. I then installed poppler 0.8.3. However due to some poppler API changes the evince in Hardy does not link with the updated poppler I installed:

$ LD_LIBRARY_PATH=/home/ajohnson/lib ldd /usr/bin/evince | grep poppler
        libpoppler-glib.so.2 => /usr/lib/libpoppler-glib.so.2 (0xb7736000)
        libpoppler.so.2 => /usr/lib/libpoppler.so.2 (0xb6ee7000)

Evince still reproduces the bug since it is still using the system installed poppler.

So I applied the patch in bug 15216 to poppler 0.6.4, installed it and evince printed the test case without crashing.

This is the same problem that was reported and fixed in bug 15216.

I am attaching an updated patch for poppler 0.6.4 since the original patch does not apply cleanly to this old version of poppler that Hardy is using.
Comment 5 Adrian Johnson 2008-06-15 05:10:30 UTC 
Created attachment 17119 [details] [review]
Patch for 0.6.4
Comment 6 Sebastien Bacher 2008-06-16 04:16:35 UTC 
thanks Adrian the change indeed fix the issue, I tried previously on ubuntu intrepid which has poppler 0.8.2 and the bug was still there but maybe the change was not available yet in this version, sorry for the extra work there
Comment 7 Sebastien Bacher 2008-06-25 03:32:44 UTC 
the change has been backported to hardy but creates a regression, now evince is crashing when reloading documents

(gdb) bt
#0  FT_Done_Face (face=0xb455dd48) at /build/buildd/freetype-2.3.6/freetype-2.3.6/src/base/ftobjs.c:2020
#1  0xb75ceb0d in _ft_done_face (data=0xb455dd48) at CairoFontEngine.cc:37
#2  0xb74601b0 in _cairo_user_data_array_fini (array=0xb455dc7c) at /build/buildd/cairo-1.6.4/src/cairo-array.c:378
#3  0xb74640b3 in *INT_cairo_font_face_destroy (font_face=0xb455dc70) at /build/buildd/cairo-1.6.4/src/cairo-font-face.c:144
#4  0xb74aa8b0 in _cairo_ft_unscaled_font_destroy (abstract_font=0xb455e010) at /build/buildd/cairo-1.6.4/src/cairo-ft-font.c:495
#5  0xb7463e98 in _cairo_unscaled_font_destroy (unscaled_font=0xb455e010) at /build/buildd/cairo-1.6.4/src/cairo-font-face.c:531
#6  0xb74717e7 in _cairo_scaled_font_fini (scaled_font=0xb4560210) at /build/buildd/cairo-1.6.4/src/cairo-scaled-font.c:587
#7  0xb74718ac in *INT_cairo_scaled_font_destroy (scaled_font=0xb455e0e8) at /build/buildd/cairo-1.6.4/src/cairo-scaled-font.c:843
#8  0xb75ce0ff in CairoFont::getSubstitutionCorrection (this=0xb44046a0, gfxFont=0x83f0870) at CairoFontEngine.cc:307
#9  0xb75d1f4f in CairoOutputDev::updateFont (this=0x8411a60, state=0x84405f8) at CairoOutputDev.cc:390
#10 0xb6d0d0c2 in Gfx::opShowSpaceText () from /usr/lib/libpoppler.so.3
#11 0xb6d08e02 in Gfx::execOp () from /usr/lib/libpoppler.so.3
#12 0xb6d0905f in Gfx::go () from /usr/lib/libpoppler.so.3
#13 0xb6d0c1bf in Gfx::display () from /usr/lib/libpoppler.so.3
#14 0xb6d551cd in Page::displaySlice () from /usr/lib/libpoppler.so.3
#15 0xb75ca01a in _poppler_page_render (page=0x83bd518, cairo=0x83edda0, printing=0) at poppler-page.cc:529
#16 0xb75ca157 in poppler_page_render (page=0x83bd518, cairo=0x83edda0) at poppler-page.cc:550
Comment 8 Sebastien Bacher 2008-06-25 03:35:00 UTC 
corresponding valgrind log

==30405== Invalid read of size 4
==30405==    at 0x507AF64: FT_Done_Face (ftobjs.c:2017)
==30405==    by 0x494EB0C: _ZL13_ft_done_facePv (CairoFontEngine.cc:37)
==30405==    by 0x4A661AF: _cairo_user_data_array_fini (cairo-array.c:378)
==30405==    by 0x4A6A0B2: cairo_font_face_destroy (cairo-font-face.c:144)
==30405==    by 0x4AB08AF: _cairo_ft_unscaled_font_destroy (cairo-ft-font.c:495)
==30405==    by 0x4A69E97: _cairo_unscaled_font_destroy (cairo-font-face.c:531)
==30405==    by 0x4A777E6: _cairo_scaled_font_fini (cairo-scaled-font.c:587)
==30405==    by 0x4A778AB: cairo_scaled_font_destroy (cairo-scaled-font.c:843)
==30405==    by 0x4A6B4E7: _cairo_gstate_unset_scaled_font (cairo-gstate.c:1219)
==30405==    by 0x4A6B53D: _cairo_gstate_set_font_face (cairo-gstate.c:1492)
==30405==    by 0x4A634CE: cairo_set_font_face (cairo.c:2688)
==30405==    by 0x4951F2D: CairoOutputDev::updateFont(GfxState*) (CairoOutputDev.cc:383)
==30405==  Address 0x70758d8 is 16 bytes inside a block of size 84 free'd
==30405==    at 0x4023B4A: free (vg_replace_malloc.c:323)
==30405==    by 0x4B455B5: g_free (gmem.c:190)
==30405==    by 0x4A3CFB9: pango_parse_markup (in /usr/lib/libpango-1.0.so.0.2101.2)
==30405==    by 0x458C796: (within /usr/lib/libgtk-x11-2.0.so.0.1303.0)
==30405==    by 0x4AD34CE: g_object_set_property (gobject.c:697)
==30405==    by 0x460A784: (within /usr/lib/libgtk-x11-2.0.so.0.1303.0)
==30405==    by 0x4610904: (within /usr/lib/libgtk-x11-2.0.so.0.1303.0)
==30405==    by 0x4610F04: (within /usr/lib/libgtk-x11-2.0.so.0.1303.0)
==30405==    by 0x49735DA: (within /usr/lib/libgdk-x11-2.0.so.0.1303.0)
==30405==    by 0x4B3B540: g_idle_dispatch (gmain.c:4168)
==30405==    by 0x4B3D437: g_main_context_dispatch (gmain.c:2063)
==30405==    by 0x4B4099A: g_main_context_iterate (gmain.c:2696)
==30405== 
==30405== Invalid read of size 4
==30405==    at 0x507A68F: FT_List_Find (ftutil.c:250)
==30405==    by 0x507AF88: FT_Done_Face (ftobjs.c:2023)
==30405==    by 0x494EB0C: _ZL13_ft_done_facePv (CairoFontEngine.cc:37)
==30405==    by 0x4A661AF: _cairo_user_data_array_fini (cairo-array.c:378)
==30405==    by 0x4A6A0B2: cairo_font_face_destroy (cairo-font-face.c:144)
==30405==    by 0x4AB08AF: _cairo_ft_unscaled_font_destroy (cairo-ft-font.c:495)
==30405==    by 0x4A69E97: _cairo_unscaled_font_destroy (cairo-font-face.c:531)
==30405==    by 0x4A777E6: _cairo_scaled_font_fini (cairo-scaled-font.c:587)
==30405==    by 0x4A778AB: cairo_scaled_font_destroy (cairo-scaled-font.c:843)
==30405==    by 0x4A6B4E7: _cairo_gstate_unset_scaled_font (cairo-gstate.c:1219)
==30405==    by 0x4A6B53D: _cairo_gstate_set_font_face (cairo-gstate.c:1492)
==30405==    by 0x4A634CE: cairo_set_font_face (cairo.c:2688)
==30405==  Address 0x5d8928f4 is not stack'd, malloc'd or (recently) free'd
==30405== 
==30405== Process terminating with default action of signal 11 (SIGSEGV)
==30405==  Access not within mapped region at address 0x5D8928F4
==30405==    at 0x507A68F: FT_List_Find (ftutil.c:250)
==30405==    by 0x507AF88: FT_Done_Face (ftobjs.c:2023)
==30405==    by 0x494EB0C: _ZL13_ft_done_facePv (CairoFontEngine.cc:37)
==30405==    by 0x4A661AF: _cairo_user_data_array_fini (cairo-array.c:378)
==30405==    by 0x4A6A0B2: cairo_font_face_destroy (cairo-font-face.c:144)
==30405==    by 0x4AB08AF: _cairo_ft_unscaled_font_destroy (cairo-ft-font.c:495)
==30405==    by 0x4A69E97: _cairo_unscaled_font_destroy (cairo-font-face.c:531)
==30405==    by 0x4A777E6: _cairo_scaled_font_fini (cairo-scaled-font.c:587)
==30405==    by 0x4A778AB: cairo_scaled_font_destroy (cairo-scaled-font.c:843)
==30405==    by 0x4A6B4E7: _cairo_gstate_unset_scaled_font (cairo-gstate.c:1219)
==30405==    by 0x4A6B53D: _cairo_gstate_set_font_face (cairo-gstate.c:1492)
==30405==    by 0x4A634CE: cairo_set_font_face (cairo.c:2688)
Comment 9 Sebastien Bacher 2008-06-25 03:36:09 UTC 
the 0.8.2 version has been used to get the stacktrace and valgrind log
Comment 10 Adrian Johnson 2008-06-25 05:53:46 UTC 
There was a recent bug report and patch for this problem posted to the poppler mailing list:

http://lists.freedesktop.org/archives/poppler/2008-June/003900.html
Comment 11 Sebastien Bacher 2008-06-25 07:38:03 UTC 
there is no reply on the list, should I open a new bug about the issue?
Comment 12 Adrian Johnson 2008-06-25 16:56:36 UTC 
(In reply to comment #11)
> there is no reply on the list, should I open a new bug about the issue?
> 

As it is a different bug to this one, yes open a new bug.
Comment 13 Sebastien Bacher 2008-06-26 01:50:04 UTC 
bug #16529 opened about the issue

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.