Bug 4649

Summary: crash on click on input field in PDF
Product: poppler Reporter: Brent Smith <gnome>
Component: cairo backendAssignee: Jeff Muizelaar <jmuizelaar>
Status: RESOLVED FIXED QA Contact:
Severity: critical    
Priority: high CC: gnome, pterjan, rhamph, sproctor
Version: unspecified   
Hardware: x86 (IA32)   
OS: Linux (All)   
URL: http://bugs.gnome.org/show_bug.cgi?id=316907
Whiteboard:
i915 platform: i915 features:
Attachments: Noise
increment the refcount and be more robust
Properly RefCnt inside TextFontInfo

Description Brent Smith 2005-09-30 10:59:53 UTC 
= Transfering this bug from GNOME Bugzilla:
http://bugzilla.gnome.org/show_bug.cgi?id=316907 =

Distribution: Debian testing/unstable
Package: evince
Severity: critical
Version: GNOME2.10.2 0.4.x
Gnome-Distributor: Debian
Synopsis: Crashes when trying to fill in text
Bugzilla-Product: evince
Bugzilla-Component: general
Bugzilla-Version: 0.4.x
BugBuddy-GnomeVersion: 2.0 (2.10.1)
Description:
Description of the crash:
My credit card company sends me statements. There's a little text box
for me to fill in for how much I'm paying on my bill. When I tried to
click there, evince crashed. The PDF is from Chase, FYI.

Steps to reproduce the crash:
1. Open PDF from CC company
2. Try to fill in Amount Enclosed
3. Crash!

Expected Results:
CC company receives money and stops hounding me for more.

How often does this happen?
Very rarely; I'm poor.

Additional Information:
Even though they say I need Adobe Acrobat Reader 6.1, can I use this as
an excuse for not paying my bill and get some kind of deference? ;-)


Debugging Information:

Backtrace was generated from '/usr/bin/evince'

(no debugging symbols found)
Using host libthread_db library "/lib/tls/libthread_db.so.1".
(no debugging symbols found)
`system-supplied DSO at 0xffffe000' has disappeared; keeping its
symbols.
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
[Thread debugging using libthread_db enabled]
[New Thread -1227438400 (LWP 27407)]
[New Thread -1229841488 (LWP 27408)]
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
0xb7135b41 in waitpid () from /lib/tls/libc.so.6
#0  0xb7135b41 in waitpid () from /lib/tls/libc.so.6
#1  0xb7f57ee3 in libgnomeui_module_info_get ()
   from /usr/lib/libgnomeui-2.so.0
#2  <signal handler called>
#3  0xb754c634 in CairoFont::CairoFont () from /usr/lib/libpoppler.so.0
#4  0xb754ccf0 in CairoFontEngine::getFont () from
/usr/lib/libpoppler.so.0
#5  0xb754e93f in CairoOutputDev::updateFont () from
/usr/lib/libpoppler.so.0
#6  0xb75b9714 in TextSelectionPainter::visitWord ()
   from /usr/lib/libpoppler.so.0
#7  0xb75b9894 in TextWord::visitSelection () from
/usr/lib/libpoppler.so.0
#8  0xb75b9b3c in TextLine::visitSelection () from
/usr/lib/libpoppler.so.0
#9  0xb75bf55a in TextBlock::visitSelection () from
/usr/lib/libpoppler.so.0
#10 0xb75bf766 in TextPage::visitSelection () from
/usr/lib/libpoppler.so.0
#11 0xb75c0e28 in TextPage::drawSelection () from
/usr/lib/libpoppler.so.0
#12 0xb75c0e89 in TextOutputDev::drawSelection ()
   from /usr/lib/libpoppler.so.0
#13 0xb771334f in poppler_page_render_selection ()
   from /usr/lib/libpoppler-glib.so.0
#14 0x0808a2e7 in pdf_selection_render_selection ()
#15 0x08087e54 in ev_selection_render_selection ()
#16 0x08067694 in ev_pixbuf_cache_get_selection_pixbuf ()
#17 0x0806dec2 in ev_view_rotate_right ()
#18 0xb727c931 in g_child_watch_add () from /usr/lib/libglib-2.0.so.0
#19 0xb727a3f1 in g_main_context_dispatch () from
/usr/lib/libglib-2.0.so.0
#20 0xb727d647 in g_main_context_check () from
/usr/lib/libglib-2.0.so.0
#21 0xb727db98 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#22 0xb79de989 in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
#23 0x08079b32 in main ()

Thread 2 (Thread -1229841488 (LWP 27408)):
#0  0xb7084b61 in pthread_cond_wait@@GLIBC_2.3.2 ()
   from /lib/tls/libpthread.so.0
No symbol table info available.
#1  0xb7182a8d in pthread_cond_wait () from /lib/tls/libc.so.6
No symbol table info available.
#2  0x08060f94 in ev_document_types_add_filters ()
No symbol table info available.
#3  0xb7297b65 in g_static_private_free () from
/usr/lib/libglib-2.0.so.0
No symbol table info available.
#4  0xb7082ccd in start_thread () from /lib/tls/libpthread.so.0
No symbol table info available.
#5  0xb7175b0e in clone () from /lib/tls/libc.so.6
No symbol table info available.

Thread 1 (Thread -1227438400 (LWP 27407)):
#0  0xb7135b41 in waitpid () from /lib/tls/libc.so.6
No symbol table info available.
#1  0xb7f57ee3 in libgnomeui_module_info_get ()
   from /usr/lib/libgnomeui-2.so.0
No symbol table info available.
#2  <signal handler called>
No symbol table info available.
#3  0xb754c634 in CairoFont::CairoFont () from /usr/lib/libpoppler.so.0
No symbol table info available.
#4  0xb754ccf0 in CairoFontEngine::getFont () from
/usr/lib/libpoppler.so.0
No symbol table info available.
#5  0xb754e93f in CairoOutputDev::updateFont () from
/usr/lib/libpoppler.so.0
No symbol table info available.
#6  0xb75b9714 in TextSelectionPainter::visitWord ()
   from /usr/lib/libpoppler.so.0
No symbol table info available.
#7  0xb75b9894 in TextWord::visitSelection () from
/usr/lib/libpoppler.so.0
No symbol table info available.
#8  0xb75b9b3c in TextLine::visitSelection () from
/usr/lib/libpoppler.so.0
No symbol table info available.
#9  0xb75bf55a in TextBlock::visitSelection () from
/usr/lib/libpoppler.so.0
No symbol table info available.
#10 0xb75bf766 in TextPage::visitSelection () from
/usr/lib/libpoppler.so.0
No symbol table info available.
#11 0xb75c0e28 in TextPage::drawSelection () from
/usr/lib/libpoppler.so.0
No symbol table info available.
#12 0xb75c0e89 in TextOutputDev::drawSelection ()
   from /usr/lib/libpoppler.so.0
No symbol table info available.
#13 0xb771334f in poppler_page_render_selection ()
   from /usr/lib/libpoppler-glib.so.0
No symbol table info available.
#14 0x0808a2e7 in pdf_selection_render_selection ()
No symbol table info available.
#15 0x08087e54 in ev_selection_render_selection ()
No symbol table info available.
#16 0x08067694 in ev_pixbuf_cache_get_selection_pixbuf ()
No symbol table info available.
#17 0x0806dec2 in ev_view_rotate_right ()
No symbol table info available.
#18 0xb727c931 in g_child_watch_add () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#19 0xb727a3f1 in g_main_context_dispatch () from
/usr/lib/libglib-2.0.so.0
No symbol table info available.
#20 0xb727d647 in g_main_context_check () from
/usr/lib/libglib-2.0.so.0
No symbol table info available.
#21 0xb727db98 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#22 0xb79de989 in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
No symbol table info available.
#23 0x08079b32 in main ()
No symbol table info available.
#0  0xb7135b41 in waitpid () from /lib/tls/libc.so.6
Comment 1 Kristian Høgsberg 2005-12-04 14:00:01 UTC 
Is it possible to provide the pdf that cause the crash?
Comment 2 Sean Proctor 2005-12-28 12:02:11 UTC 
Hello,

I'm still getting this with current statements. Before the issue was on Debian,
now it's on FC4. I've sent an inquiry to Chase asking for them to send me a
statement without my account information.

Sean
Comment 3 Adam Olsen 2006-01-27 23:09:10 UTC 
I reported a (presumably?) related bug against evince in the GNOME Bugzilla:
http://bugzilla.gnome.org/show_bug.cgi?id=328810
It is provoked by selecting text from a PDF attached to another report in the
GNOME Bugzilla:
http://bugzilla.gnome.org/show_bug.cgi?id=314847
http://bugzilla.gnome.org/attachment.cgi?id=51717

Hopefully that PDF will be enough to debug this.  (Again, assuming a crash from
selecting is the same as a crash from an input field.)
Comment 4 Sebastien Bacher 2006-08-06 05:20:34 UTC 
Ubuntu bug about that: https://launchpad.net/products/poppler/+bug/50697

'I am using the version of evince that comes with dapper, 0.5.2.

Open the attached PDF in evince and opt to select some of the text that is
rendered. Sometimes it seems to take a few tries to get it to crash (just keep
selecting different portions of text).

This could be a problem with libpoppler.

http://librarian.launchpad.net/3134680/can-crash-evince-0.5.2.pdf
PDF to Crash Evince

Just select some text, after opening this document in evince.

http://librarian.launchpad.net/3134694/evince-backtrace.txt
Backtrace

Here's the backtrace produced when evince crashes. I copied this from the "bug
buddy" window.
..."
Comment 5 Christian Kirbach 2006-08-11 06:09:42 UTC 
reproducable with latest cvs

steps to reproduce:
1. open http://librarian.launchpad.net/3134680/can-crash-evince-0.5.2.pdf
2. edit->select all


#3  <signal handler called>
No symbol table info available.
#4  0xb7d10775 in CairoFont::create (gfxFont=0x84441f8, xref=0x8487280, 
    lib=0x8317388, useCIDs=1) at Object.h:279
	cmap = <value optimized out>
	ctu = <value optimized out>
	cairo_font_face_key = {unused = 0}
	tmpFileName = (GooString *) 0x839a8d8
	dfp = <value optimized out>
	uBuf = {0, 0, 3076259048, 3220933992, 3075990618, 138965644, 
  3074958112, 3220934008}
	codeToGID = <value optimized out>
	strObj = {type = objNull, {booln = 138965632, intg = 138965632, 
    real = -7.0562016071739042e-44, string = 0x8487280, name = 0x8487280 "", 
    array = 0x8487280, dict = 0x8487280, stream = 0x8487280, ref = {
      num = 138965632, gen = -1225183896}, cmd = 0x8487280 ""}}
	fileName = <value optimized out>
	c = <value optimized out>
	ff1c = <value optimized out>
	codeToGIDLen = 0
	tmpFileName2 = <value optimized out>
	n = <value optimized out>
	code = <value optimized out>
	fontType = 1079655961
	enc = <value optimized out>
	name = <value optimized out>
	ff = <value optimized out>
	cairo_font_face = <value optimized out>
	refObj = {type = objNone, {booln = 1890821786, intg = 1890821786, 
    real = 114.96346681159994, string = 0x70b3a69a, 
    name = 0x70b3a69a <Address 0x70b3a69a out of bounds>, array = 0x70b3a69a, 
    dict = 0x70b3a69a, stream = 0x70b3a69a, ref = {num = 1890821786, 
      gen = 1079819689}, cmd = 0x70b3a69a <Address 0x70b3a69a out of bounds>}}
	tmpFile = <value optimized out>
	face = <value optimized out>
#5  0xb7d10fa1 in CairoFontEngine::getFont (this=0x831d0f0, 
    gfxFont=0x84441f8, xref=0x8487280) at CairoFontEngine.cc:353
	i = 64
	ref = {num = -1694248026, gen = 1079410369}
	font = (CairoFont *) 0x0
#6  0xb7d12d5e in CairoOutputDev::updateFont (this=0x830a780, state=0x8486fa8)
    at CairoOutputDev.cc:276
	font_face = <value optimized out>
	m11 = -1.722381591796875
	m22 = 1
	fontSize = 0
	m = <value optimized out>
	m12 = -3.919002195208072e-44
	m21 = 1
	matrix = {xx = 1, yx = 1, xy = -nan(0xfffffffffffff), 
  yy = 3.1524664462486777e-269, x0 = -7.8446562264848481e-40, y0 = 1}
#7  0xb6f0ec1d in TextSelectionPainter::visitWord (this=0xbffb90c4, 
    word=0x8443838, begin=0, end=6, selection=0xbffb8fb8)
    at TextOutputDev.cc:3383
	string = (GooString *) 0x80000000
#8  0xb6f0ee44 in TextWord::visitSelection (this=0x8443838, 
    visitor=0xbffb90c4, selection=0xbffb8fb8) at TextOutputDev.cc:3422
	i = 6
	begin = 0
	end = 6
	mid = 0
#9  0xb6f0f072 in TextLine::visitSelection (this=0x8442ea8, 
    visitor=0xbffb90c4, selection=0xbffb8fb8) at TextOutputDev.cc:3460
	begin = (TextWord *) 0x8443838
	end = (TextWord *) 0x0
	i = 6
	p = (TextWord *) 0x8443838
	edge_begin = <value optimized out>
	edge_end = 6
#10 0xb6f1491e in TextBlock::visitSelection (this=0x8443990, 
    visitor=0xbffb90c4, selection=0xbffb9050) at TextOutputDev.cc:3532
	begin = (TextLine *) 0x8442ea8
	end = (TextLine *) 0x0
	child_selection = {x1 = 0, y1 = 0, x2 = 595, y2 = 842}
	start_x = 0
	stop_y = 842
	p = (TextLine *) 0x8442ea8
	start_y = 0
	stop_x = 595
#11 0xb6f14b18 in TextPage::visitSelection (this=0x8440300, 
    visitor=0xbffb90c4, selection=0xbffb9268) at TextOutputDev.cc:3605
	i = -1074033300
	begin = <value optimized out>
	end = 2
	child_selection = {x1 = 0, y1 = 0, x2 = 595, y2 = 842}
	start_x = 0
	stop_y = 842
	start_y = 0
	stop_x = 0
	b = <value optimized out>
Comment 6 Pascal Terjan 2006-08-19 10:04:40 UTC 
Created attachment 6605 [details] [review]
Noise

This patch avoided the crash here. This is really not a fix and I don't ask for
inclusion as I think it hides several other bugs. I just put it here if someone
needs a temporary solution.
Comment 7 Pascal Terjan 2006-08-19 10:18:57 UTC 
Sorry for the noise, I don't understand why it started working repeatidly here
on the various crashing PDF with this patch but no longer does now...
Comment 8 Pascal Terjan 2006-08-19 12:32:17 UTC 
On this document there is a first crash in CairoFont::create :
strObj.getTypeName() giving "null" (create is entered about 20 times with the
same invalid ref on the given doc and each time fontType is also invalid).
A check on the type before using the stream might be nice.

For the real bug, valgrind is quite helpful :

==32431== 
==32431== Invalid read of size 4
==32431==    at 0x408D4D6: GfxFont::incRefCnt() (GfxFont.cc:172)
==32431==    by 0x40F1205: TextSelectionPainter::visitWord(TextWord*, int, int,
PDFRectangle*) (TextOutputDev.cc:3381)
==32431==    by 0x40E9E27: TextWord::visitSelection(TextSelectionVisitor*,
PDFRectangle*) (TextOutputDev.cc:3422)
==32431==    by 0x40EA062: TextLine::visitSelection(TextSelectionVisitor*,
PDFRectangle*) (TextOutputDev.cc:3460)
==32431==    by 0x40EA242: TextBlock::visitSelection(TextSelectionVisitor*,
PDFRectangle*) (TextOutputDev.cc:3532)
==32431==    by 0x40F1600: TextPage::visitSelection(TextSelectionVisitor*,
PDFRectangle*) (TextOutputDev.cc:3605)
==32431==    by 0x40F2C71: TextPage::drawSelection(OutputDev*, double, int,
PDFRectangle*, GfxColor*, GfxColor*) (TextOutputDev.cc:3618)
==32431==    by 0x40F2CE9: TextOutputDev::drawSelection(OutputDev*, double, int,
PDFRectangle*, GfxColor*, GfxColor*) (TextOutputDev.cc:4202)
==32431==    by 0x402D1EA: poppler_page_render_selection (poppler-page.cc:560)
==32431==    by 0x8095194: pdf_selection_render_selection(_EvSelection*,
_EvRenderContext*, _GdkPixbuf**, EvRectangle*, EvRectangle*, _GdkColor*,
_GdkColor*) (in /usr/bin/evince)
==32431==    by 0x809454C: ev_selection_render_selection (in /usr/bin/evince)
==32431==    by 0x806B2D4: ev_pixbuf_cache_get_selection_pixbuf (in /usr/bin/evince)
==32431==  Address 0x564AE64 is 164 bytes inside a block of size 3,536 free'd
==32431==    at 0x401EBFA: operator delete(void*) (in
/usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==32431==    by 0x408E16F: Gfx8BitFont::~Gfx8BitFont() (GfxFont.cc:939)
==32431==    by 0x408D507: GfxFont::decRefCnt() (GfxFont.cc:177)
==32431==    by 0x408D600: GfxFontDict::~GfxFontDict() (GfxFont.cc:1635)
==32431==    by 0x4080C1A: GfxResources::~GfxResources() (Gfx.cc:304)
==32431==    by 0x4080C9A: Gfx::popResources() (Gfx.cc:3649)
==32431==    by 0x40872BC: Gfx::doForm1(Object*, Dict*, double*, double*)
(Gfx.cc:3479)
==32431==    by 0x4087C19: Gfx::doForm(Object*) (Gfx.cc:3305)
==32431==    by 0x4087F3D: Gfx::opXObject(Object*, int) (Gfx.cc:2907)
==32431==    by 0x4082DEC: Gfx::execOp(Object*, Object*, int) (Gfx.cc:713)
==32431==    by 0x4082FC3: Gfx::go(int) (Gfx.cc:581)
==32431==    by 0x408352E: Gfx::display(Object*, int) (Gfx.cc:544)
==32431== 
==32431== Invalid read of size 4
==32431==    at 0x4031490: CairoOutputDev::updateFont(GfxState*)
(CairoOutputDev.cc:273)
==32431==    by 0x40F123B: TextSelectionPainter::visitWord(TextWord*, int, int,
PDFRectangle*) (TextOutputDev.cc:3383)
==32431==    by 0x40E9E27: TextWord::visitSelection(TextSelectionVisitor*,
PDFRectangle*) (TextOutputDev.cc:3422)
==32431==    by 0x40EA062: TextLine::visitSelection(TextSelectionVisitor*,
PDFRectangle*) (TextOutputDev.cc:3460)
==32431==    by 0x40EA242: TextBlock::visitSelection(TextSelectionVisitor*,
PDFRectangle*) (TextOutputDev.cc:3532)
==32431==    by 0x40F1600: TextPage::visitSelection(TextSelectionVisitor*,
PDFRectangle*) (TextOutputDev.cc:3605)
==32431==    by 0x40F2C71: TextPage::drawSelection(OutputDev*, double, int,
PDFRectangle*, GfxColor*, GfxColor*) (TextOutputDev.cc:3618)
==32431==    by 0x40F2CE9: TextOutputDev::drawSelection(OutputDev*, double, int,
PDFRectangle*, GfxColor*, GfxColor*) (TextOutputDev.cc:4202)
==32431==    by 0x402D1EA: poppler_page_render_selection (poppler-page.cc:560)
==32431==    by 0x8095194: pdf_selection_render_selection(_EvSelection*,
_EvRenderContext*, _GdkPixbuf**, EvRectangle*, EvRectangle*, _GdkColor*,
_GdkColor*) (in /usr/bin/evince)
==32431==    by 0x809454C: ev_selection_render_selection (in /usr/bin/evince)
==32431==    by 0x806B2D4: ev_pixbuf_cache_get_selection_pixbuf (in /usr/bin/evince)
==32431==  Address 0x564ADE4 is 36 bytes inside a block of size 3,536 free'd
==32431==    at 0x401EBFA: operator delete(void*) (in
/usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==32431==    by 0x408E16F: Gfx8BitFont::~Gfx8BitFont() (GfxFont.cc:939)
==32431==    by 0x408D507: GfxFont::decRefCnt() (GfxFont.cc:177)
==32431==    by 0x408D600: GfxFontDict::~GfxFontDict() (GfxFont.cc:1635)
==32431==    by 0x4080C1A: GfxResources::~GfxResources() (Gfx.cc:304)
==32431==    by 0x4080C9A: Gfx::popResources() (Gfx.cc:3649)
==32431==    by 0x40872BC: Gfx::doForm1(Object*, Dict*, double*, double*)
(Gfx.cc:3479)
==32431==    by 0x4087C19: Gfx::doForm(Object*) (Gfx.cc:3305)
==32431==    by 0x4087F3D: Gfx::opXObject(Object*, int) (Gfx.cc:2907)
==32431==    by 0x4082DEC: Gfx::execOp(Object*, Object*, int) (Gfx.cc:713)
==32431==    by 0x4082FC3: Gfx::go(int) (Gfx.cc:581)
==32431==    by 0x408352E: Gfx::display(Object*, int) (Gfx.cc:544)
==32431== 
==32431== Invalid read of size 4
==32431==    at 0x402F5A9: CairoFontEngine::getFont(GfxFont*, XRef*)
(CairoFontEngine.cc:346)
==32431==    by 0x40314B5: CairoOutputDev::updateFont(GfxState*)
(CairoOutputDev.cc:276)
==32431==    by 0x40F123B: TextSelectionPainter::visitWord(TextWord*, int, int,
PDFRectangle*) (TextOutputDev.cc:3383)
==32431==    by 0x40E9E27: TextWord::visitSelection(TextSelectionVisitor*,
PDFRectangle*) (TextOutputDev.cc:3422)
==32431==    by 0x40EA062: TextLine::visitSelection(TextSelectionVisitor*,
PDFRectangle*) (TextOutputDev.cc:3460)
==32431==    by 0x40EA242: TextBlock::visitSelection(TextSelectionVisitor*,
PDFRectangle*) (TextOutputDev.cc:3532)
==32431==    by 0x40F1600: TextPage::visitSelection(TextSelectionVisitor*,
PDFRectangle*) (TextOutputDev.cc:3605)
==32431==    by 0x40F2C71: TextPage::drawSelection(OutputDev*, double, int,
PDFRectangle*, GfxColor*, GfxColor*) (TextOutputDev.cc:3618)
==32431==    by 0x40F2CE9: TextOutputDev::drawSelection(OutputDev*, double, int,
PDFRectangle*, GfxColor*, GfxColor*) (TextOutputDev.cc:4202)
==32431==    by 0x402D1EA: poppler_page_render_selection (poppler-page.cc:560)
==32431==    by 0x8095194: pdf_selection_render_selection(_EvSelection*,
_EvRenderContext*, _GdkPixbuf**, EvRectangle*, EvRectangle*, _GdkColor*,
_GdkColor*) (in /usr/bin/evince)
==32431==    by 0x809454C: ev_selection_render_selection (in /usr/bin/evince)
==32431==  Address 0x564ADC8 is 8 bytes inside a block of size 3,536 free'd
==32431==    at 0x401EBFA: operator delete(void*) (in
/usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==32431==    by 0x408E16F: Gfx8BitFont::~Gfx8BitFont() (GfxFont.cc:939)
==32431==    by 0x408D507: GfxFont::decRefCnt() (GfxFont.cc:177)
==32431==    by 0x408D600: GfxFontDict::~GfxFontDict() (GfxFont.cc:1635)
==32431==    by 0x4080C1A: GfxResources::~GfxResources() (Gfx.cc:304)
==32431==    by 0x4080C9A: Gfx::popResources() (Gfx.cc:3649)
==32431==    by 0x40872BC: Gfx::doForm1(Object*, Dict*, double*, double*)
(Gfx.cc:3479)
==32431==    by 0x4087C19: Gfx::doForm(Object*) (Gfx.cc:3305)
==32431==    by 0x4087F3D: Gfx::opXObject(Object*, int) (Gfx.cc:2907)
==32431==    by 0x4082DEC: Gfx::execOp(Object*, Object*, int) (Gfx.cc:713)
==32431==    by 0x4082FC3: Gfx::go(int) (Gfx.cc:581)
==32431==    by 0x408352E: Gfx::display(Object*, int) (Gfx.cc:544)
==32431== 
==32431== Invalid read of size 4
==32431==    at 0x402F5AC: CairoFontEngine::getFont(GfxFont*, XRef*)
(CairoFontEngine.cc:346)
==32431==    by 0x40314B5: CairoOutputDev::updateFont(GfxState*)
(CairoOutputDev.cc:276)
==32431==    by 0x40F123B: TextSelectionPainter::visitWord(TextWord*, int, int,
PDFRectangle*) (TextOutputDev.cc:3383)
==32431==    by 0x40E9E27: TextWord::visitSelection(TextSelectionVisitor*,
PDFRectangle*) (TextOutputDev.cc:3422)
==32431==    by 0x40EA062: TextLine::visitSelection(TextSelectionVisitor*,
PDFRectangle*) (TextOutputDev.cc:3460)
==32431==    by 0x40EA242: TextBlock::visitSelection(TextSelectionVisitor*,
PDFRectangle*) (TextOutputDev.cc:3532)
==32431==    by 0x40F1600: TextPage::visitSelection(TextSelectionVisitor*,
PDFRectangle*) (TextOutputDev.cc:3605)
==32431==    by 0x40F2C71: TextPage::drawSelection(OutputDev*, double, int,
PDFRectangle*, GfxColor*, GfxColor*) (TextOutputDev.cc:3618)
==32431==    by 0x40F2CE9: TextOutputDev::drawSelection(OutputDev*, double, int,
PDFRectangle*, GfxColor*, GfxColor*) (TextOutputDev.cc:4202)
==32431==    by 0x402D1EA: poppler_page_render_selection (poppler-page.cc:560)
==32431==    by 0x8095194: pdf_selection_render_selection(_EvSelection*,
_EvRenderContext*, _GdkPixbuf**, EvRectangle*, EvRectangle*, _GdkColor*,
_GdkColor*) (in /usr/bin/evince)
==32431==    by 0x809454C: ev_selection_render_selection (in /usr/bin/evince)
==32431==  Address 0x564ADCC is 12 bytes inside a block of size 3,536 free'd
==32431==    at 0x401EBFA: operator delete(void*) (in
/usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==32431==    by 0x408E16F: Gfx8BitFont::~Gfx8BitFont() (GfxFont.cc:939)
==32431==    by 0x408D507: GfxFont::decRefCnt() (GfxFont.cc:177)
==32431==    by 0x408D600: GfxFontDict::~GfxFontDict() (GfxFont.cc:1635)
==32431==    by 0x4080C1A: GfxResources::~GfxResources() (Gfx.cc:304)
==32431==    by 0x4080C9A: Gfx::popResources() (Gfx.cc:3649)
==32431==    by 0x40872BC: Gfx::doForm1(Object*, Dict*, double*, double*)
(Gfx.cc:3479)
==32431==    by 0x4087C19: Gfx::doForm(Object*) (Gfx.cc:3305)
==32431==    by 0x4087F3D: Gfx::opXObject(Object*, int) (Gfx.cc:2907)
==32431==    by 0x4082DEC: Gfx::execOp(Object*, Object*, int) (Gfx.cc:713)
==32431==    by 0x4082FC3: Gfx::go(int) (Gfx.cc:581)
==32431==    by 0x408352E: Gfx::display(Object*, int) (Gfx.cc:544)
==32431== 
==32431== Invalid read of size 4
==32431==    at 0x408D4E9: GfxFont::decRefCnt() (GfxFont.cc:176)
==32431==    by 0x4099031: GfxState::setFont(GfxFont*, double) (GfxState.cc:4057)
==32431==    by 0x40F1223: TextSelectionPainter::visitWord(TextWord*, int, int,
PDFRectangle*) (TextOutputDev.cc:3382)
==32431==    by 0x40E9E27: TextWord::visitSelection(TextSelectionVisitor*,
PDFRectangle*) (TextOutputDev.cc:3422)
==32431==    by 0x40EA062: TextLine::visitSelection(TextSelectionVisitor*,
PDFRectangle*) (TextOutputDev.cc:3460)
==32431==    by 0x40EA242: TextBlock::visitSelection(TextSelectionVisitor*,
PDFRectangle*) (TextOutputDev.cc:3532)
==32431==    by 0x40F1600: TextPage::visitSelection(TextSelectionVisitor*,
PDFRectangle*) (TextOutputDev.cc:3605)
==32431==    by 0x40F2C71: TextPage::drawSelection(OutputDev*, double, int,
PDFRectangle*, GfxColor*, GfxColor*) (TextOutputDev.cc:3618)
==32431==    by 0x40F2CE9: TextOutputDev::drawSelection(OutputDev*, double, int,
PDFRectangle*, GfxColor*, GfxColor*) (TextOutputDev.cc:4202)
==32431==    by 0x402D1EA: poppler_page_render_selection (poppler-page.cc:560)
==32431==    by 0x8095194: pdf_selection_render_selection(_EvSelection*,
_EvRenderContext*, _GdkPixbuf**, EvRectangle*, EvRectangle*, _GdkColor*,
_GdkColor*) (in /usr/bin/evince)
==32431==    by 0x809454C: ev_selection_render_selection (in /usr/bin/evince)
==32431==  Address 0x564AE64 is 164 bytes inside a block of size 3,536 free'd
==32431==    at 0x401EBFA: operator delete(void*) (in
/usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==32431==    by 0x408E16F: Gfx8BitFont::~Gfx8BitFont() (GfxFont.cc:939)
==32431==    by 0x408D507: GfxFont::decRefCnt() (GfxFont.cc:177)
==32431==    by 0x408D600: GfxFontDict::~GfxFontDict() (GfxFont.cc:1635)
==32431==    by 0x4080C1A: GfxResources::~GfxResources() (Gfx.cc:304)
==32431==    by 0x4080C9A: Gfx::popResources() (Gfx.cc:3649)
==32431==    by 0x40872BC: Gfx::doForm1(Object*, Dict*, double*, double*)
(Gfx.cc:3479)
==32431==    by 0x4087C19: Gfx::doForm(Object*) (Gfx.cc:3305)
==32431==    by 0x4087F3D: Gfx::opXObject(Object*, int) (Gfx.cc:2907)
==32431==    by 0x4082DEC: Gfx::execOp(Object*, Object*, int) (Gfx.cc:713)
==32431==    by 0x4082FC3: Gfx::go(int) (Gfx.cc:581)
==32431==    by 0x408352E: Gfx::display(Object*, int) (Gfx.cc:544)
==32431== 
==32431== Invalid write of size 4
==32431==    at 0x408D4F4: GfxFont::decRefCnt() (GfxFont.cc:176)
==32431==    by 0x4099031: GfxState::setFont(GfxFont*, double) (GfxState.cc:4057)
==32431==    by 0x40F1223: TextSelectionPainter::visitWord(TextWord*, int, int,
PDFRectangle*) (TextOutputDev.cc:3382)
==32431==    by 0x40E9E27: TextWord::visitSelection(TextSelectionVisitor*,
PDFRectangle*) (TextOutputDev.cc:3422)
==32431==    by 0x40EA062: TextLine::visitSelection(TextSelectionVisitor*,
PDFRectangle*) (TextOutputDev.cc:3460)
==32431==    by 0x40EA242: TextBlock::visitSelection(TextSelectionVisitor*,
PDFRectangle*) (TextOutputDev.cc:3532)
==32431==    by 0x40F1600: TextPage::visitSelection(TextSelectionVisitor*,
PDFRectangle*) (TextOutputDev.cc:3605)
==32431==    by 0x40F2C71: TextPage::drawSelection(OutputDev*, double, int,
PDFRectangle*, GfxColor*, GfxColor*) (TextOutputDev.cc:3618)
==32431==    by 0x40F2CE9: TextOutputDev::drawSelection(OutputDev*, double, int,
PDFRectangle*, GfxColor*, GfxColor*) (TextOutputDev.cc:4202)
==32431==    by 0x402D1EA: poppler_page_render_selection (poppler-page.cc:560)
==32431==    by 0x8095194: pdf_selection_render_selection(_EvSelection*,
_EvRenderContext*, _GdkPixbuf**, EvRectangle*, EvRectangle*, _GdkColor*,
_GdkColor*) (in /usr/bin/evince)
==32431==    by 0x809454C: ev_selection_render_selection (in /usr/bin/evince)
==32431==  Address 0x564AE64 is 164 bytes inside a block of size 3,536 free'd
==32431==    at 0x401EBFA: operator delete(void*) (in
/usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==32431==    by 0x408E16F: Gfx8BitFont::~Gfx8BitFont() (GfxFont.cc:939)
==32431==    by 0x408D507: GfxFont::decRefCnt() (GfxFont.cc:177)
==32431==    by 0x408D600: GfxFontDict::~GfxFontDict() (GfxFont.cc:1635)
==32431==    by 0x4080C1A: GfxResources::~GfxResources() (Gfx.cc:304)
==32431==    by 0x4080C9A: Gfx::popResources() (Gfx.cc:3649)
==32431==    by 0x40872BC: Gfx::doForm1(Object*, Dict*, double*, double*)
(Gfx.cc:3479)
==32431==    by 0x4087C19: Gfx::doForm(Object*) (Gfx.cc:3305)
==32431==    by 0x4087F3D: Gfx::opXObject(Object*, int) (Gfx.cc:2907)
==32431==    by 0x4082DEC: Gfx::execOp(Object*, Object*, int) (Gfx.cc:713)
==32431==    by 0x4082FC3: Gfx::go(int) (Gfx.cc:581)
==32431==    by 0x408352E: Gfx::display(Object*, int) (Gfx.cc:544)
==32431== 
==32431== Invalid read of size 4
==32431==    at 0x402ED40: CairoFont::create(GfxFont*, XRef*, FT_LibraryRec_*,
int) (CairoFontEngine.cc:68)
==32431==    by 0x402F634: CairoFontEngine::getFont(GfxFont*, XRef*)
(CairoFontEngine.cc:359)
==32431==    by 0x40314B5: CairoOutputDev::updateFont(GfxState*)
(CairoOutputDev.cc:276)
==32431==    by 0x40F123B: TextSelectionPainter::visitWord(TextWord*, int, int,
PDFRectangle*) (TextOutputDev.cc:3383)
==32431==    by 0x40E9E27: TextWord::visitSelection(TextSelectionVisitor*,
PDFRectangle*) (TextOutputDev.cc:3422)
==32431==    by 0x40EA062: TextLine::visitSelection(TextSelectionVisitor*,
PDFRectangle*) (TextOutputDev.cc:3460)
==32431==    by 0x40EA242: TextBlock::visitSelection(TextSelectionVisitor*,
PDFRectangle*) (TextOutputDev.cc:3532)
==32431==    by 0x40F1600: TextPage::visitSelection(TextSelectionVisitor*,
PDFRectangle*) (TextOutputDev.cc:3605)
==32431==    by 0x40F2C71: TextPage::drawSelection(OutputDev*, double, int,
PDFRectangle*, GfxColor*, GfxColor*) (TextOutputDev.cc:3618)
==32431==    by 0x40F2CE9: TextOutputDev::drawSelection(OutputDev*, double, int,
PDFRectangle*, GfxColor*, GfxColor*) (TextOutputDev.cc:4202)
==32431==    by 0x402D1EA: poppler_page_render_selection (poppler-page.cc:560)
==32431==    by 0x8095194: pdf_selection_render_selection(_EvSelection*,
_EvRenderContext*, _GdkPixbuf**, EvRectangle*, EvRectangle*, _GdkColor*,
_GdkColor*) (in /usr/bin/evince)
==32431==  Address 0x564ADCC is 12 bytes inside a block of size 1,280 free'd
==32431==    at 0x401EEBB: free (in
/usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==32431==    by 0x4E27D2A: _cairo_traps_fini (cairo-traps.c:84)
==32431==    by 0x0: ???
==32431== 
==32431== Invalid read of size 4
==32431==    at 0x402ED43: CairoFont::create(GfxFont*, XRef*, FT_LibraryRec_*,
int) (CairoFontEngine.cc:68)
==32431==    by 0x402F634: CairoFontEngine::getFont(GfxFont*, XRef*)
(CairoFontEngine.cc:359)
==32431==    by 0x40314B5: CairoOutputDev::updateFont(GfxState*)
(CairoOutputDev.cc:276)
==32431==    by 0x40F123B: TextSelectionPainter::visitWord(TextWord*, int, int,
PDFRectangle*) (TextOutputDev.cc:3383)
==32431==    by 0x40E9E27: TextWord::visitSelection(TextSelectionVisitor*,
PDFRectangle*) (TextOutputDev.cc:3422)
==32431==    by 0x40EA062: TextLine::visitSelection(TextSelectionVisitor*,
PDFRectangle*) (TextOutputDev.cc:3460)
==32431==    by 0x40EA242: TextBlock::visitSelection(TextSelectionVisitor*,
PDFRectangle*) (TextOutputDev.cc:3532)
==32431==    by 0x40F1600: TextPage::visitSelection(TextSelectionVisitor*,
PDFRectangle*) (TextOutputDev.cc:3605)
==32431==    by 0x40F2C71: TextPage::drawSelection(OutputDev*, double, int,
PDFRectangle*, GfxColor*, GfxColor*) (TextOutputDev.cc:3618)
==32431==    by 0x40F2CE9: TextOutputDev::drawSelection(OutputDev*, double, int,
PDFRectangle*, GfxColor*, GfxColor*) (TextOutputDev.cc:4202)
==32431==    by 0x402D1EA: poppler_page_render_selection (poppler-page.cc:560)
==32431==    by 0x8095194: pdf_selection_render_selection(_EvSelection*,
_EvRenderContext*, _GdkPixbuf**, EvRectangle*, EvRectangle*, _GdkColor*,
_GdkColor*) (in /usr/bin/evince)
==32431==  Address 0x564ADC8 is 8 bytes inside a block of size 1,280 free'd
==32431==    at 0x401EEBB: free (in
/usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==32431==    by 0x4E27D2A: _cairo_traps_fini (cairo-traps.c:84)
==32431==    by 0x0: ???
==32431== 
==32431== Invalid read of size 4
==32431==    at 0x402ED46: CairoFont::create(GfxFont*, XRef*, FT_LibraryRec_*,
int) (GfxFont.h:147)
==32431==    by 0x402F634: CairoFontEngine::getFont(GfxFont*, XRef*)
(CairoFontEngine.cc:359)
==32431==    by 0x40314B5: CairoOutputDev::updateFont(GfxState*)
(CairoOutputDev.cc:276)
==32431==    by 0x40F123B: TextSelectionPainter::visitWord(TextWord*, int, int,
PDFRectangle*) (TextOutputDev.cc:3383)
==32431==    by 0x40E9E27: TextWord::visitSelection(TextSelectionVisitor*,
PDFRectangle*) (TextOutputDev.cc:3422)
==32431==    by 0x40EA062: TextLine::visitSelection(TextSelectionVisitor*,
PDFRectangle*) (TextOutputDev.cc:3460)
==32431==    by 0x40EA242: TextBlock::visitSelection(TextSelectionVisitor*,
PDFRectangle*) (TextOutputDev.cc:3532)
==32431==    by 0x40F1600: TextPage::visitSelection(TextSelectionVisitor*,
PDFRectangle*) (TextOutputDev.cc:3605)
==32431==    by 0x40F2C71: TextPage::drawSelection(OutputDev*, double, int,
PDFRectangle*, GfxColor*, GfxColor*) (TextOutputDev.cc:3618)
==32431==    by 0x40F2CE9: TextOutputDev::drawSelection(OutputDev*, double, int,
PDFRectangle*, GfxColor*, GfxColor*) (TextOutputDev.cc:4202)
==32431==    by 0x402D1EA: poppler_page_render_selection (poppler-page.cc:560)
==32431==    by 0x8095194: pdf_selection_render_selection(_EvSelection*,
_EvRenderContext*, _GdkPixbuf**, EvRectangle*, EvRectangle*, _GdkColor*,
_GdkColor*) (in /usr/bin/evince)
==32431==  Address 0x564ADE4 is 36 bytes inside a block of size 1,280 free'd
==32431==    at 0x401EEBB: free (in
/usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==32431==    by 0x4E27D2A: _cairo_traps_fini (cairo-traps.c:84)
==32431==    by 0x0: ???
==32431== 
==32431== Invalid read of size 4
==32431==    at 0x402ED71: CairoFont::create(GfxFont*, XRef*, FT_LibraryRec_*,
int) (GfxFont.h:153)
==32431==    by 0x402F634: CairoFontEngine::getFont(GfxFont*, XRef*)
(CairoFontEngine.cc:359)
==32431==    by 0x40314B5: CairoOutputDev::updateFont(GfxState*)
(CairoOutputDev.cc:276)
==32431==    by 0x40F123B: TextSelectionPainter::visitWord(TextWord*, int, int,
PDFRectangle*) (TextOutputDev.cc:3383)
==32431==    by 0x40E9E27: TextWord::visitSelection(TextSelectionVisitor*,
PDFRectangle*) (TextOutputDev.cc:3422)
==32431==    by 0x40EA062: TextLine::visitSelection(TextSelectionVisitor*,
PDFRectangle*) (TextOutputDev.cc:3460)
==32431==    by 0x40EA242: TextBlock::visitSelection(TextSelectionVisitor*,
PDFRectangle*) (TextOutputDev.cc:3532)
==32431==    by 0x40F1600: TextPage::visitSelection(TextSelectionVisitor*,
PDFRectangle*) (TextOutputDev.cc:3605)
==32431==    by 0x40F2C71: TextPage::drawSelection(OutputDev*, double, int,
PDFRectangle*, GfxColor*, GfxColor*) (TextOutputDev.cc:3618)
==32431==    by 0x40F2CE9: TextOutputDev::drawSelection(OutputDev*, double, int,
PDFRectangle*, GfxColor*, GfxColor*) (TextOutputDev.cc:4202)
==32431==    by 0x402D1EA: poppler_page_render_selection (poppler-page.cc:560)
==32431==    by 0x8095194: pdf_selection_render_selection(_EvSelection*,
_EvRenderContext*, _GdkPixbuf**, EvRectangle*, EvRectangle*, _GdkColor*,
_GdkColor*) (in /usr/bin/evince)
==32431==  Address 0x564ADF0 is 48 bytes inside a block of size 1,280 free'd
==32431==    at 0x401EEBB: free (in
/usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==32431==    by 0x4E27D2A: _cairo_traps_fini (cairo-traps.c:84)
==32431==    by 0x0: ???
==32431== 
==32431== Invalid read of size 4
==32431==    at 0x402ED7B: CairoFont::create(GfxFont*, XRef*, FT_LibraryRec_*,
int) (GfxFont.h:153)
==32431==    by 0x402F634: CairoFontEngine::getFont(GfxFont*, XRef*)
(CairoFontEngine.cc:359)
==32431==    by 0x40314B5: CairoOutputDev::updateFont(GfxState*)
(CairoOutputDev.cc:276)
==32431==    by 0x40F123B: TextSelectionPainter::visitWord(TextWord*, int, int,
PDFRectangle*) (TextOutputDev.cc:3383)
==32431==    by 0x40E9E27: TextWord::visitSelection(TextSelectionVisitor*,
PDFRectangle*) (TextOutputDev.cc:3422)
==32431==    by 0x40EA062: TextLine::visitSelection(TextSelectionVisitor*,
PDFRectangle*) (TextOutputDev.cc:3460)
==32431==    by 0x40EA242: TextBlock::visitSelection(TextSelectionVisitor*,
PDFRectangle*) (TextOutputDev.cc:3532)
==32431==    by 0x40F1600: TextPage::visitSelection(TextSelectionVisitor*,
PDFRectangle*) (TextOutputDev.cc:3605)
==32431==    by 0x40F2C71: TextPage::drawSelection(OutputDev*, double, int,
PDFRectangle*, GfxColor*, GfxColor*) (TextOutputDev.cc:3618)
==32431==    by 0x40F2CE9: TextOutputDev::drawSelection(OutputDev*, double, int,
PDFRectangle*, GfxColor*, GfxColor*) (TextOutputDev.cc:4202)
==32431==    by 0x402D1EA: poppler_page_render_selection (poppler-page.cc:560)
==32431==    by 0x8095194: pdf_selection_render_selection(_EvSelection*,
_EvRenderContext*, _GdkPixbuf**, EvRectangle*, EvRectangle*, _GdkColor*,
_GdkColor*) (in /usr/bin/evince)
==32431==  Address 0x564ADF4 is 52 bytes inside a block of size 1,280 free'd
==32431==    at 0x401EEBB: free (in
/usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==32431==    by 0x4E27D2A: _cairo_traps_fini (cairo-traps.c:84)
==32431==    by 0x0: ???
Comment 9 Pascal Terjan 2006-08-19 13:25:40 UTC 
I think I got it this time !
GfxFontDict::~GfxFontDict calls decRefCnt on all fonts, but
GfxFontDict::GfxFontDict does not call incRefCnt, so fonts get freed.
Comment 10 Pascal Terjan 2006-08-19 13:41:43 UTC 
Created attachment 6611 [details] [review]
increment the refcount and be more robust
Comment 11 Christian Kirbach 2006-09-08 15:54:33 UTC 
patch fixes the crash for me!
Comment 12 Jeff Muizelaar 2006-09-13 13:26:13 UTC 
GfxFontDict makes the fonts which start of with a refCount of 1. So inc them 
looks wrong.
Comment 13 Pascal Terjan 2006-09-14 02:25:07 UTC 
OK, I'll try to have another look at the counters to find if there is unmatched
dec somewhere else, but I don't remember seeing another one.
Comment 14 Jeff Muizelaar 2006-09-19 19:57:30 UTC 
Created attachment 7091 [details] [review]
Properly RefCnt inside TextFontInfo

The attached patch should fix things.

TextFontInfo takes a reference to a GfxFont but doesn't do a incRefCnt(). This
patch fixes that.
Comment 15 Jeff Muizelaar 2006-09-19 19:58:56 UTC 
Pascal,

Are the robustness enhancements needed? i.e. is there a pdf that shows a problem
that the robustness enhancements fix?
Comment 16 Pascal Terjan 2006-09-19 22:28:54 UTC 
It's not really needed as fixing the real issue to have a valid stream there is
better.
I just prefer avoiding crashes when something goes wrong elsewhere in the code
and actually added this before finding the refcount issue to hide it.
Comment 17 Jeff Muizelaar 2006-09-20 13:22:53 UTC 
Fixed in cvs.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.