Bug 30106

Summary: evince crashed with SIGSEGV in OptionalContentGroup::getRef()
Product: poppler
Reporter: Pedro Villavicencio <pvillavi>
Component: glib frontend
Assignee: poppler-bugs <poppler-bugs>
Status: RESOLVED FIXED
Severity: normal
Priority: medium
Version: unspecified
Hardware: Other
OS: All

Description Pedro Villavicencio 2010-09-09 13:03:23 UTC
this report has been filed here:

https://bugs.edge.launchpad.net/ubuntu/+source/poppler/+bug/633574

"Reproduces when scrolling down to page 4 of http://www.ctan.org/tex-archive/macros/latex/contrib/microtype/microtype.pdf on at least x86-64 architecture."

"Hilo 5 (Thread 0xb2f12b70 (LWP 22406)):
#0  OptionalContentGroup::getRef (this=0x0) at OptionalContent.cc:314
No locales.
#1  0x051c58ca in get_layer_for_ref (document=<value optimized out>, 
    layers=<value optimized out>, ref=0xb245abe0, preserve_rb=1)
    at poppler-action.cc:533
        layer = <value optimized out>
        ocgRef = <value optimized out>
        l = 0x225017b0
#2  0x051c61b7 in build_ocg_state (document=0x22678320, link=0xb2395830, 
    title=0x0) at poppler-action.cc:586
        layer = <value optimized out>
        list = 0xb23e3e78
        preserve_rb = 1
        i = 0
        layer_state = 0x0
        st_list = 0xb24c33e8
        j = 1
#3  _poppler_action_new (document=0x22678320, link=0xb2395830, title=0x0)
    at poppler-action.cc:645
No locales.
#4  0x051ccf1f in poppler_page_get_link_mapping (page=0x226e7ee0)
    at poppler-page.cc:1261
        link_action = <value optimized out>
        link = 0xb239b160
        i = 0
        obj = {type = objNone, {booln = -1303332392, intg = -1303332392, 
            uintg = 2991634904, real = 1.4780640309659756e-314, 
            string = 0xb250b9d8, name = 0xb250b9d8 "Ȗn\"\360\271P\262\b", 
            array = 0xb250b9d8, dict = 0xb250b9d8, stream = 0xb250b9d8, ref = {
              num = -1303332392, gen = 0}, 
            cmd = 0xb250b9d8 "Ȗn\"\360\271P\262\b"}}
        __PRETTY_FUNCTION__ = "GList* poppler_page_get_link_mapping(PopplerPage*)"
        map_list = <value optimized out>
        width = 595.27600000000007
        height = 841.88999999999999
#5  0x00c68e7c in pdf_document_links_get_links (document_links=0x224e3ec8, 
    page=0xb23a0e00)
    at /build/buildd/evince-2.31.90/./backend/pdf/ev-poppler.cc:1268
        pdf_document = 0x224e3ec8
        retval = 0x226ec2e8
        list = <value optimized out>
        mapping_list = 0x0
        height = <value optimized out>
#6  0x00df467a in ev_document_links_get_links (document_links=0x224e3ec8, 
    page=0xb23a0e00)
    at /build/buildd/evince-2.31.90/./libdocument/ev-document-links.c:63
No locales.
#7  0x00599363 in ev_job_page_data_run (job=0x224a05a8)
    at /build/buildd/evince-2.31.90/./libview/ev-jobs.c:692
        job_pd = 0x224a05a8
        ev_page = 0xb23a0e00
#8  0x00596361 in ev_job_run (job=0x224a05a8)
    at /build/buildd/evince-2.31.90/./libview/ev-jobs.c:214
No locales.
#9  0x0059a358 in ev_job_thread (data=0x0)
    at /build/buildd/evince-2.31.90/./libview/ev-job-scheduler.c:183
        result = <value optimized out>
#10 ev_job_thread_proxy (data=0x0)
    at /build/buildd/evince-2.31.90/./libview/ev-job-scheduler.c:213
        job = 0x2273af28
#11 0x00642eef in g_thread_create_proxy (data=0x2265f3d8)
    at /build/buildd/glib2.0-2.25.15/glib/gthread.c:1897
        __PRETTY_FUNCTION__ = "g_thread_create_proxy"
#12 0x006d3cc9 in start_thread (arg=0xb2f12b70) at pthread_create.c:304
        __res = <value optimized out>
        __ignore1 = <value optimized out>
        __ignore2 = <value optimized out>
        pd = 0xb2f12b70
        now = <value optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {7229428, 0, 4001536, 
                -1292819704, -2019742684, -1080008895}, mask_was_saved = 0}}, 
          priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, 
              cleanup = 0x0, canceltype = 0}}}
        not_first_call = <value optimized out>
        robust = <value optimized out>
        freesize = <value optimized out>
        __PRETTY_FUNCTION__ = "start_thread"
#13 0x008706ae in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:130
No locales.

Hilo 4 (Thread 0xb63e2b70 (LWP 22401)):
#0  0x00995416 in __kernel_vsyscall ()
No symbol table info available.
#1  0x006d8884 in pthread_cond_timedwait@@GLIBC_2.3.2 ()
    at ../nptl/sysdeps/unix/sysv/linux/i386/i686/../i486/pthread_cond_timedwait.S:236
No locales.
#2  0x002e6ede in g_cond_timed_wait_posix_impl (cond=0xfffffdfc, 
    entered_mutex=0x1, abs_time=0xb63e2198)
    at /build/buildd/glib2.0-2.25.15/gthread/gthread-posix.c:242
        result = <value optimized out>
        end_time = {tv_sec = 1284062473, tv_nsec = 449946000}
        timed_out = <value optimized out>
        __PRETTY_FUNCTION__ = "g_cond_timed_wait_posix_impl"
#3  0x005ed22c in g_async_queue_pop_intern_unlocked (queue=0x224ec720, 
    try=<value optimized out>, end_time=0xb63e2198)
    at /build/buildd/glib2.0-2.25.15/glib/gasyncqueue.c:423
        retval = <value optimized out>
        __PRETTY_FUNCTION__ = "g_async_queue_pop_intern_unlocked"
#4  0x005ed35d in g_async_queue_timed_pop (queue=0x224ec720, 
    end_time=0xb63e2198)
    at /build/buildd/glib2.0-2.25.15/glib/gasyncqueue.c:549
        retval = <value optimized out>
        __PRETTY_FUNCTION__ = "g_async_queue_timed_pop"
#5  0x00644d97 in g_thread_pool_wait_for_new_pool (data=0x224ee2f0)
    at /build/buildd/glib2.0-2.25.15/glib/gthreadpool.c:170
        end_time = {tv_sec = 1284062473, tv_usec = 449946}
        local_max_idle_time = 15000
        local_max_unused_threads = 2
        last_wakeup_thread_serial = <value optimized out>
        have_relayed_thread_marker = 0
#6  g_thread_pool_thread_proxy (data=0x224ee2f0)
    at /build/buildd/glib2.0-2.25.15/glib/gthreadpool.c:373
        task = <value optimized out>
        pool = <value optimized out>
#7  0x00642eef in g_thread_create_proxy (data=0x224ee758)
    at /build/buildd/glib2.0-2.25.15/glib/gthread.c:1897
        __PRETTY_FUNCTION__ = "g_thread_create_proxy"
#8  0x006d3cc9 in start_thread (arg=0xb63e2b70) at pthread_create.c:304
        __res = <value optimized out>
        __ignore1 = <value optimized out>
        __ignore2 = <value optimized out>
        pd = 0xb63e2b70
        now = <value optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {7229428, 0, 4001536, 
                -1237441784, 429730861, -1080008895}, mask_was_saved = 0}}, 
          priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, 
              cleanup = 0x0, canceltype = 0}}}
        not_first_call = <value optimized out>
        robust = <value optimized out>
        freesize = <value optimized out>
        __PRETTY_FUNCTION__ = "start_thread"
#9  0x008706ae in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:130
No locales.

Hilo 2 (Thread 0xb73e4b70 (LWP 22399)):
#0  0x00995416 in __kernel_vsyscall ()
No symbol table info available.
#1  0x00861de6 in __poll (fds=0x8f9ff4, nfds=3, timeout=-1)
    at ../sysdeps/unix/sysv/linux/poll.c:87
        resultvar = <value optimized out>
        oldtype = 0
        result = <value optimized out>
#2  0x0062925b in g_poll (fds=0x224eb890, nfds=3, timeout=-1)
    at /build/buildd/glib2.0-2.25.15/glib/gpoll.c:126
No locales.
#3  0x0061bbfc in g_main_context_poll (context=0x224e9098, 
    block=<value optimized out>, dispatch=1, self=0x224cd420)
    at /build/buildd/glib2.0-2.25.15/glib/gmain.c:3063
        poll_func = 0x629230 <g_poll>
#4  g_main_context_iterate (context=0x224e9098, block=<value optimized out>, 
    dispatch=1, self=0x224cd420)
    at /build/buildd/glib2.0-2.25.15/glib/gmain.c:2745
        max_priority = 2147483647
        timeout = -1
        some_ready = <value optimized out>
        nfds = 3
        allocated_nfds = <value optimized out>
        fds = <value optimized out>
        __PRETTY_FUNCTION__ = "g_main_context_iterate"
#5  0x0061c367 in g_main_loop_run (loop=0x224cd3d0)
    at /build/buildd/glib2.0-2.25.15/glib/gmain.c:2958
        self = 0x224cd420
        __PRETTY_FUNCTION__ = "g_main_loop_run"
#6  0x004eea64 in shared_thread_func (data=0x0)
    at /build/buildd/glib2.0-2.25.15/gio/gdbusprivate.c:248
No locales.
#7  0x00642eef in g_thread_create_proxy (data=0x224cd420)
    at /build/buildd/glib2.0-2.25.15/glib/gthread.c:1897
        __PRETTY_FUNCTION__ = "g_thread_create_proxy"
#8  0x006d3cc9 in start_thread (arg=0xb73e4b70) at pthread_create.c:304
        __res = <value optimized out>
        __ignore1 = <value optimized out>
        __ignore2 = <value optimized out>
        pd = 0xb73e4b70
        now = <value optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {7229428, 0, 4001536, 
                -1220656376, 425536559, -1080008895}, mask_was_saved = 0}}, 
          priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, 
              cleanup = 0x0, canceltype = 0}}}
        not_first_call = <value optimized out>
        robust = <value optimized out>
        freesize = <value optimized out>
        __PRETTY_FUNCTION__ = "start_thread"
#9  0x008706ae in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:130
No locales.

Hilo 1 (Thread 0xb7781850 (LWP 22396)):
#0  0x00995416 in __kernel_vsyscall ()
No symbol table info available.
#1  0x00861de6 in __poll (fds=0x8f9ff4, nfds=5, timeout=216)
    at ../sysdeps/unix/sysv/linux/poll.c:87
        resultvar = <value optimized out>
        oldtype = 0
        result = <value optimized out>
#2  0x0062925b in g_poll (fds=0x224f58d0, nfds=5, timeout=216)
    at /build/buildd/glib2.0-2.25.15/glib/gpoll.c:126
No locales.
#3  0x0061bbfc in g_main_context_poll (context=0x224898c8, 
    block=<value optimized out>, dispatch=1, self=0x22472028)
    at /build/buildd/glib2.0-2.25.15/glib/gmain.c:3063
        poll_func = 0x629230 <g_poll>
#4  g_main_context_iterate (context=0x224898c8, block=<value optimized out>, 
    dispatch=1, self=0x22472028)
    at /build/buildd/glib2.0-2.25.15/glib/gmain.c:2745
        max_priority = 2147483647
        timeout = 216
        some_ready = <value optimized out>
        nfds = 5
        allocated_nfds = <value optimized out>
        fds = <value optimized out>
        __PRETTY_FUNCTION__ = "g_main_context_iterate"
#5  0x0061c367 in g_main_loop_run (loop=0x224f5b90)
    at /build/buildd/glib2.0-2.25.15/glib/gmain.c:2958
        self = 0x22472028
        __PRETTY_FUNCTION__ = "g_main_loop_run"
#6  0x0100e749 in IA__gtk_main ()
    at /build/buildd/gtk+2.0-2.21.7/gtk/gtkmain.c:1237
        tmp_list = 0x0
        functions = 0x0
        init = 0x0
        loop = 0x224f5b90
#7  0x00b05282 in main ()"
Comment 1 Dennis Sheil 2010-09-09 17:47:34 UTC
I reproduced this bug with the poppler-glib-demo included with poppler with the same PDF file.

What I do to reproduce the crash is I run the poppler-glib-demo included with poppler in poppler/glib/demo, go to Links, go to page 4, click "Get Links" and get a segmentation fault with the same backtrace. This is with poppler-0.14.2, which is 4 commits back.

Here is the backtrace, which is like the other one attached:


poppler-0.14.2.real/glib/demo/.libs/poppler-glib-demo ../../../microtype.pdf
[Thread debugging using libthread_db enabled]
Document successfully loaded in 0.0066 seconds

Program received signal SIGSEGV, Segmentation fault.
OptionalContentGroup::getRef (this=0x0) at OptionalContent.cc:314
314     OptionalContent.cc: No such file or directory.
        in OptionalContent.cc
(gdb) backtrace full
#0  OptionalContentGroup::getRef (this=0x0) at OptionalContent.cc:314
No locals.
#1  0x00007ffff7bb9f20 in get_layer_for_ref (document=0x6a31c0, layers=0x84a840, ref=0x8a8ef0, preserve_rb=1) at poppler-action.cc:533
        layer = 0x847080
        ocgRef = {num = 9337824, gen = 0}
        l = 0x84a840
#2  0x00007ffff7bba77e in build_ocg_state (document=0x6a31c0, link=<value optimized out>, title=<value optimized out>) at poppler-action.cc:586
        layer = <value optimized out>
        list = 0x8a8f10
        preserve_rb = 1
        i = 0
        layer_state = 0x0
        st_list = 0x8a8ed0
        j = 1
#3  _poppler_action_new (document=0x6a31c0, link=<value optimized out>, title=<value optimized out>) at poppler-action.cc:645
No locals.
#4  0x00007ffff7bc0ab3 in poppler_page_get_link_mapping (page=0x8d2b80) at poppler-page.cc:1261
        link_action = <value optimized out>
        link = 0x75ccc0
        i = 0
        obj = {type = objNone, {booln = 7119280, intg = 7119280, uintg = 7119280, real = 3.5173916711246697e-317, string = 0x6ca1b0, name = 0x6ca1b0 "\340>l", array = 0x6ca1b0, 
            dict = 0x6ca1b0, stream = 0x6ca1b0, ref = {num = 7119280, gen = 0}, cmd = 0x6ca1b0 "\340>l"}}
        __PRETTY_FUNCTION__ = "GList* poppler_page_get_link_mapping(PopplerPage*)"
        map_list = <value optimized out>
        width = 595.27600000000007
        height = 841.88999999999999
#5  0x000000000040fc73 in pgd_links_get_links (button=<value optimized out>, demo=0x81f6c0) at links.c:80
        page = 0x8d2b80
        mapping = 0x8db2c0
        l = <value optimized out>
        timer = 0x8e7ac0
#6  0x00007ffff56e7afe in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
No symbol table info available.
[...]
Comment 2 Carlos Garcia Campos 2010-09-12 02:47:00 UTC
There were actually two problems with the layers in this document. The layers tree was not correctly built, and of course the crash with the action layer. I've just fixed both issues in master and the poppler-0.14 branch. Thanks for reporting.
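Both backtraces end with `OptionalContentGroup::getRef (this=0x0)` called from `get_layer_for_ref`, i.e. a member call through a null group pointer while walking the layer list. The following is an added illustration of that failure mode and a guarded walk; it is not poppler's code or the committed fix, the types are simplified stand-ins named after the backtrace, and the idea that a layer node can exist without a group is an assumption.

```cpp
#include <vector>

// Simplified stand-ins: names follow the backtrace, bodies are assumptions.
struct Ref { int num; int gen; };

class OptionalContentGroup {
public:
    explicit OptionalContentGroup(Ref r) : ref(r) {}
    // Dereferences this; with this == 0x0 this read is the frame #0 crash.
    Ref getRef() const { return ref; }
private:
    Ref ref;
};

// Layer-tree node. Assumption: a node can exist without an OCG behind it.
struct Layer {
    const OptionalContentGroup *oc = nullptr;
    std::vector<Layer> kids;
};

// Guarded walk: nodes without a group are skipped, their children still searched.
const Layer *get_layer_for_ref(const std::vector<Layer> &layers, Ref ref) {
    for (const Layer &layer : layers) {
        if (layer.oc != nullptr) {               // the check the crashing path lacked
            Ref r = layer.oc->getRef();
            if (r.num == ref.num && r.gen == ref.gen)
                return &layer;
        }
        if (const Layer *hit = get_layer_for_ref(layer.kids, ref))
            return hit;
    }
    return nullptr;                              // "not found" is a valid outcome
}

// Constructed sample: a group-less node holding one real layer (object 12 0).
const OptionalContentGroup kSampleGroup(Ref{12, 0});

std::vector<Layer> sample_layers() {
    Layer child;
    child.oc = &kSampleGroup;
    Layer label;                                 // oc stays nullptr
    label.kids.push_back(child);
    return {label};
}

bool lookup_finds(Ref ref) {
    std::vector<Layer> layers = sample_layers();
    return get_layer_for_ref(layers, ref) != nullptr;
}
```

Callers also have to handle the `nullptr` return: in the backtrace the lookup result feeds `build_ocg_state`, so an unresolved reference from the PDF must be dropped rather than dereferenced.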
