Bug 4481

Summary: Crash selecting text with splash backend
Product: poppler
Component: general
Version: unspecified
Hardware: x86 (IA32)
OS: Linux (All)
Status: RESOLVED FIXED
Severity: normal
Priority: high
Reporter: Nickolay V. Shmyrev <nshmyrev>
Assignee: Kristian Høgsberg <krh>
CC: daniel.holbach, mitch, seb128
Attachments: Test document; Fix by Gary Coady

Description Nickolay V. Shmyrev 2005-09-17 04:44:38 UTC
It may be related to bug 4402 or 4386, but the backtrace seems a bit different.

#0  0x009e4f0d in SplashOutputDev::updateFont (this=0xa27a678, state=0xa3b73e8)
    at Object.h:278
278       { stream->reset(); }
(gdb) p stream
$1 = 0
#0  0x009e4f0d in SplashOutputDev::updateFont (this=0xa27a678, state=0xa3b73e8)
    at Object.h:278
#1  0x00a4ba9a in TextSelectionPainter::visitWord (this=0xbf81ec74,
    word=0xa3e0030, begin=0, end=4, selection=0xbf81eb78)
    at TextOutputDev.cc:3302
#2  0x00a4bbf2 in TextWord::visitSelection (this=0xa3e0030,
    visitor=0xbf81ec74, selection=0xbf81eb78) at TextOutputDev.cc:3339
#3  0x00a4be4f in TextLine::visitSelection (this=0xa39cbe8,
    visitor=0xbf81ec74, selection=0xbf81eb78) at TextOutputDev.cc:3377
#4  0x00a51352 in TextBlock::visitSelection (this=0xa2f04d0,
    visitor=0xbf81ec74, selection=0xbf81ec10) at TextOutputDev.cc:3449
#5  0x00a51514 in TextPage::visitSelection (this=0xa2f2448,
    visitor=0xbf81ec74, selection=0xbf81ef20) at TextOutputDev.cc:3522
#6  0x00a52a69 in TextPage::drawSelection (this=0xa2f2448, out=0xa27a678,
    scale=0.68235296010971069, rotation=0, selection=0xbf81ef20,
    glyph_color=0xbf81ed20, box_color=0xbf81ee20) at TextOutputDev.cc:3535
#7  0x00a52ac1 in TextOutputDev::drawSelection (this=0x8d10c483,
    out=0xa27a678, scale=0.68235296010971069, rotation=0,
    selection=0xbf81ef20, glyph_color=0xbf81ed20, box_color=0xbf81ee20)
    at TextOutputDev.cc:4104
#8  0x00276321 in poppler_page_render_selection (page=0xa2f0ac8,
    scale=0.68235296010971069, rotation=0, pixbuf=0xa3639b8,
    selection=0xa29cb5c, old_selection=0xa29cb34, glyph_color=0xa161144,
    background_color=0xa161180) at poppler-page.cc:478
#9  0x0809c5fe in pdf_selection_render_selection (selection=0xa26d020,
    rc=0xa2d6aa0, pixbuf=0xa29cb54, points=0xa29cb5c, old_points=0xa29cb34,
    text=0xa161144, base=0xa161180) at ev-poppler.cc:1269
#10 0x08093d30 in ev_selection_render_selection ()
#11 0x0806c20b in ev_pixbuf_cache_get_selection_pixbuf ()
#12 0x08075d85 in merge_selection_region ()
#13 0x08076027 in compute_selections ()
#14 0x08071cce in selection_update_idle_cb ()
#15 0x003c5650 in g_child_watch_add () from /usr/lib/libglib-2.0.so.0
#16 0x003c33ee in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#17 0x003c63f6 in g_main_context_check () from /usr/lib/libglib-2.0.so.0
#18 0x003c66e3 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#19 0x00efb1b5 in IA__gtk_main () at gtkmain.c:963
#20 0x08083276 in main ()
Comment 1 Nickolay V. Shmyrev 2005-09-17 04:45:27 UTC
Created attachment 3308 [details]
Test document

To get a crash, select three lines at the top of the document.
Comment 2 Sebastien Bacher 2005-11-09 09:55:16 UTC
The Ubuntu Bugzilla has a bug about that too:
http://bugzilla.ubuntu.com/show_bug.cgi?id=18848
Comment 3 Kristian Høgsberg 2005-12-04 13:37:20 UTC
This is still reproducible with the patch from #4402.  It's definitely a
different bug.
Comment 4 Nickolay V. Shmyrev 2005-12-05 09:03:02 UTC
I've investigated this question a bit: the reason is that TextPage, on word
creation, copies the GfxFont from the context, but then this GfxFont is destroyed. After
that, usage of TextPage functions may crash the app. We need to copy GfxFont in
TextPage::updateFont or ref it somehow. I am not sure how to fix it properly; it
seems there is no way to dup or ref GfxFont.
Comment 5 Daniel Holbach 2006-04-27 18:03:17 UTC
Gary Coady came up with a fix, which seems to fix
https://launchpad.net/bugs/41661, https://launchpad.net/bugs/36747 and
https://launchpad.net/bugs/24970 as well:
http://librarian.launchpad.net/2382580/poppler_fixmem.patch *attaching it in a bit*
Comment 6 Daniel Holbach 2006-04-27 18:03:51 UTC
Created attachment 5495 [details] [review]
Fix by Gary Coady
Comment 7 Kristian Høgsberg 2006-05-02 14:39:47 UTC
Thanks, that was just the patch I was looking for :)  Committed to CVS head,
closing this bug.
Comment 8 Kristian Høgsberg 2006-05-20 08:48:44 UTC
*** Bug 6007 has been marked as a duplicate of this bug. ***
Comment 9 Dan Winship 2006-06-12 09:07:06 UTC
After this patch (and the subsequent 05-13 leak fix), the convention is that you
have to call font->incRefCnt() before calling GfxState::setFont, but setFont
will deal with calling font->decRefCnt() on the old font for you. That's just
awful. The incRefCnt()s in Gfx::opSetFont and TextSelectionPainter::visitWord
should be removed, and GfxState::setFont should inc the font itself.
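The lifetime problem from Comment 4 and the refcount convention from Comment 9, as an added example that is not poppler's code: the `GfxFont`, `GfxState` and `TextPage*` types below are hypothetical stand-ins named like poppler's, with `setFont` written the way Comment 9 proposes (the setter takes its own reference), beside a page cache that holds a raw pointer and one that holds a reference.

```cpp
// Added example, not poppler code: a hypothetical model of the GfxFont
// refcount convention from comments 4 and 9 (names mirror poppler's).
struct GfxFont {
    static int liveCount;            // GfxFont objects not yet freed
    int refCnt = 1;                  // creator holds the first reference
    GfxFont() { ++liveCount; }
    ~GfxFont() { --liveCount; }
    void incRefCnt() { ++refCnt; }
    void decRefCnt() { if (--refCnt == 0) delete this; }
};
int GfxFont::liveCount = 0;
// GfxState::setFont as comment 9 proposes: it takes its own reference and
// releases the previous font, so callers never touch the refcount.
struct GfxState {
    GfxFont *font = nullptr;
    void setFont(GfxFont *f) {
        if (f) f->incRefCnt();       // inc before dec: setFont(font) is safe
        if (font) font->decRefCnt();
        font = f;
    }
    ~GfxState() { setFont(nullptr); }
};

// Buggy TextPage copies the raw pointer (comment 4); the fixed one holds a
// reference for as long as it caches the font.
struct TextPageBuggy {
    GfxFont *curFont = nullptr;
    void updateFont(GfxState *s) { curFont = s->font; }
};
struct TextPageFixed {
    GfxFont *curFont = nullptr;
    void updateFont(GfxState *s) {
        if (s->font) s->font->incRefCnt();
        if (curFont) curFont->decRefCnt();
        curFont = s->font;
    }
    ~TextPageFixed() { if (curFont) curFont->decRefCnt(); }
};

// True if the cached font is still alive once the GfxState that set it is
// gone, i.e. a later selection render could safely use page.curFont.
template <class Page> bool fontSurvivesStateChange() {
    Page page;
    {
        GfxState state;
        GfxFont *f = new GfxFont();
        state.setFont(f);
        f->decRefCnt();              // drop creator's ref; state owns it now
        page.updateFont(&state);
    }                                // state torn down after rendering
    return GfxFont::liveCount == 1;  // 1: page holds it; 0: dangling
}
```

With the buggy page the font is freed while `curFont` still points at it, which is the dangling `GfxFont` the crash in `SplashOutputDev::updateFont` dereferenced; the fixed page keeps it alive until its own destructor releases it.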
