Summary: | Crash in StreamPredictor::getChar | ||
---|---|---|---|
Product: | poppler | Reporter: | Nickolay V. Shmyrev <nshmyrev> |
Component: | general | Assignee: | poppler-bugs <poppler-bugs> |
Status: | RESOLVED DUPLICATE | QA Contact: | |
Severity: | normal | ||
Priority: | high | CC: | m_kretzschmar, slomo |
Version: | unspecified | ||
Hardware: | x86 (IA32) | ||
OS: | Linux (All) | ||
Whiteboard: | |||
i915 platform: | i915 features: |
Description
Nickolay V. Shmyrev
2006-08-07 08:37:00 UTC
and the pdf files? Whitout it's so much more difficult to debug... No files attached to reports. I'll ask the reporters, probably someone will help. The link on document that cause crash http://www.uni-rostock.de/internationale_studenten/32/F_Nantes_UniversitaireNantes_03_hecht.pdf Works fine here, can you make it crash using cvs version? Another enable-zlib bug? Ubuntu switched that on in its last development release poppler package and all dupes of the GNOME bug use a very recent Ubuntu. Works fine here too with a zlib-enabled poppler on Ubuntu edgy Okay, that file doesn't seem to match the stacktrace anyway. I can't see any image in there which is strange, considering the Gfx::doImage in the stack trace. I got (random, unfortunately) crashes in StreamPredictor::getChar and occasionally image garbage with this file on Ubuntu edgy: http://actes.sstic.org/SSTIC06/Rump_sessions/SSTIC06-rump-Filiol-Risque_viral_sous_OpenOffice.pdf Better ignore the image garbage comment, doesn't belong here. Ok, with this pdf I got three different crashes when scrolling through the pdf... backtraces with debug symbols everywhere. The first two are probably the same. ===== first one ======= Starting program: /usr/bin/evince SSTIC06-rump-Filiol-Risque_viral_sous_OpenOffice.pdf [Thread debugging using libthread_db enabled] [New Thread -1229805904 (LWP 7534)] [New Thread -1231332448 (LWP 7538)] *** stack smashing detected ***: /usr/bin/evince terminated Program received signal SIGABRT, Aborted. [Switching to Thread -1231332448 (LWP 7538)] 0xffffe410 in __kernel_vsyscall () (gdb) thread apply all bt Thread 2 (Thread -1231332448 (LWP 7538)): #0 0xffffe410 in __kernel_vsyscall () #1 0xb7053861 in *__GI_raise () from /lib/tls/i686/cmov/libc.so.6 #2 0xb7055009 in *__GI_abort () from /lib/tls/i686/cmov/libc.so.6 #3 0xb70895bb in __libc_message () from /lib/tls/i686/cmov/libc.so.6 #4 0xb710e871 in __stack_chk_fail () from /lib/tls/i686/cmov/libc.so.6 #5 0xb6e10184 in __stack_chk_fail_local () at stack_chk_fail_local.c:29 #6 0xb6dc623d in StreamPredictor::getNextLine (this=0x8453048) at Stream.cc:589 #7 0x00000000 in ?? () Thread 1 (Thread -1229805904 (LWP 7534)): #0 0xffffe410 in __kernel_vsyscall () #1 0xb70eec53 in *__GI___poll () from /lib/tls/i686/cmov/libc.so.6 #2 0xb74525a2 in XProcessInternalConnection () from /usr/lib/libX11.so.6 #3 0xb745296f in _XRead () from /usr/lib/libX11.so.6 #4 0xb74532f5 in _XReply () from /usr/lib/libX11.so.6 #5 0xb744a85e in XSync () from /usr/lib/libX11.so.6 #6 0xb7649676 in IA__gdk_flush () at gdkevents-x11.c:2501 #7 0xb7626d33 in alloc_scratch_image (image_info=0x1) at gdkimage.c:319 #8 0xb762701f in _gdk_image_get_scratch (screen=0x80ea0e0, width=256, height=64, depth=24, x=0xbfeb7178, y=0xbfeb7174) at gdkimage.c:376 #9 0xb7631f3e in gdk_draw_rgb_image_core (image_info=0x841d030, drawable=0xb4c00ac8, gc=0x82b0038, x=8, y=302, width=1245, height=579, buf=0xb4849008 '�' <repeats 200 times>..., pixstride=3, rowstride=3736, conv=0xb762e8b1 <gdk_rgb_convert_0888>, cmap=0x0, xdith=0, ydith=0) at gdkrgb.c:3288 #10 0xb762302a in gdk_drawable_real_draw_pixbuf (drawable=0xb4c00ac8, gc=0x82b0038, pixbuf=0x82ef188, src_x=0, src_y=0, dest_x=8, dest_y=302, width=1245, height=579, dither=GDK_RGB_DITHER_NORMAL, x_dither=0, y_dither=0) at gdkdraw.c:1640 #11 0xb764769c in gdk_x11_draw_pixbuf (drawable=0x82c3860, gc=0x82b0038, pixbuf=0x82ef188, src_x=0, src_y=0, dest_x=8, dest_y=302, width=1245, height=579, dither=GDK_RGB_DITHER_NORMAL, x_dither=0, y_dither=0) at gdkdrawable-x11.c:1395 #12 0xb76219b7 in IA__gdk_draw_pixbuf (drawable=0x82c3860, gc=0x82b0038, pixbuf=0x82ef188, src_x=0, src_y=0, dest_x=8, dest_y=302, width=1245, height=579, dither=GDK_RGB_DITHER_NORMAL, x_dither=0, y_dither=0) at gdkdraw.c:759 #13 0xb762bb0c in gdk_pixmap_draw_pixbuf (drawable=0xb4c00ac8, gc=0x82b0038, pixbuf=0x82ef188, src_x=0, src_y=0, dest_x=8, dest_y=302, width=1245, height=579, dither=GDK_RGB_DITHER_NORMAL, x_dither=0, y_dither=0) at gdkpixmap.c:427 #14 0xb76219b7 in IA__gdk_draw_pixbuf (drawable=0xb4c00ac8, gc=0x82b0038, pixbuf=0x82ef188, src_x=0, src_y=0, dest_x=8, dest_y=302, width=1245, height=579, dither=GDK_RGB_DITHER_NORMAL, x_dither=0, y_dither=0) at gdkdraw.c:759 ---Type <return> to continue, or q <return> to quit--- #15 0xb7638dbc in gdk_window_draw_pixbuf (drawable=0x831b8c8, gc=0x82b0038, pixbuf=0x82ef188, src_x=0, src_y=0, dest_x=8, dest_y=302, width=1245, height=579, dither=GDK_RGB_DITHER_NORMAL, x_dither=0, y_dither=0) at gdkwindow.c:2046 #16 0xb76219b7 in IA__gdk_draw_pixbuf (drawable=0x831b8c8, gc=0x82b0038, pixbuf=0x82ef188, src_x=0, src_y=0, dest_x=8, dest_y=302, width=1245, height=579, dither=GDK_RGB_DITHER_NORMAL, x_dither=0, y_dither=0) at gdkdraw.c:759 #17 0x08073a1a in ev_view_expose_event (widget=0x80e81f8, event=0xbfeb7bd4) at ev-view.c:2344 #18 0xb77bcbc6 in _gtk_marshal_BOOLEAN__BOXED (closure=0x8100658, return_value=0xbfeb7800, n_param_values=2, param_values=0xbfeb78dc, invocation_hint=0xbfeb77ec, marshal_data=0x8073320) at gtkmarshalers.c:83 #19 0xb73e7f05 in g_type_class_meta_marshal (closure=0x8100658, return_value=0xbfeb7800, n_param_values=2, param_values=0xbfeb78dc, invocation_hint=0xbfeb77ec, marshal_data=0xc8) at gclosure.c:567 #20 0xb73e965f in IA__g_closure_invoke (closure=0x8100658, return_value=0xbfeb7800, n_param_values=2, param_values=0xbfeb78dc, invocation_hint=0xbfeb77ec) at gclosure.c:490 #21 0xb73f8f61 in signal_emit_unlocked_R (node=0x80f9e78, detail=0, instance=0x80e81f8, emission_return=0xbfeb7a9c, instance_and_params=0xbfeb78dc) at gsignal.c:2476 #22 0xb73f9c10 in IA__g_signal_emit_valist (instance=0x80e81f8, signal_id=57, detail=0, var_args=<value optimized out>) at gsignal.c:2207 #23 0xb73fa000 in IA__g_signal_emit (instance=0x80e81f8, signal_id=57, detail=0) at gsignal.c:2241 #24 0xb78bfc90 in gtk_widget_event_internal (widget=0x80e81f8, event=0xbfeb7bd4) at gtkwidget.c:3901 #25 0xb77b7e18 in IA__gtk_main_do_event (event=0xbfeb7bd4) at gtkmain.c:1402 #26 0xb763758b in gdk_window_process_updates_internal (window=0x831b8c8) at gdkwindow.c:2324 #27 0xb76377b1 in IA__gdk_window_process_all_updates () at gdkwindow.c:2387 #28 0xb77302af in gtk_container_idle_sizer (data=0x0) at gtkcontainer.c:1113 #29 0xb737356f in g_idle_dispatch (source=0x843e9d8, callback=0xffffffff, user_data=0x0) at gmain.c:3924 #30 0xb73750c8 in IA__g_main_context_dispatch (context=0x80ee638) at gmain.c:2043 #31 0xb7377e62 in g_main_context_iterate (context=0x80ee638, block=1, dispatch=1, self=0x80d2df0) at gmain.c:2675 #32 0xb737820c in IA__g_main_loop_run (loop=0x831e2a8) at gmain.c:2879 #33 0xb77b8052 in IA__gtk_main () at gtkmain.c:1023 #34 0x08080f91 in main (argc=2, argv=Cannot access memory at address 0x5 ) at main.c:344 #0 0xffffe410 in __kernel_vsyscall () ======= second one ========= Starting program: /usr/bin/evince SSTIC06-rump-Filiol-Risque_viral_sous_OpenOffice.pdf [Thread debugging using libthread_db enabled] [New Thread -1229715792 (LWP 7557)] [New Thread -1231242336 (LWP 7561)] *** stack smashing detected ***: /usr/bin/evince terminated Program received signal SIGABRT, Aborted. [Switching to Thread -1231242336 (LWP 7561)] 0xffffe410 in __kernel_vsyscall () (gdb) thread apply all bt Thread 2 (Thread -1231242336 (LWP 7561)): #0 0xffffe410 in __kernel_vsyscall () #1 0xb7069861 in *__GI_raise () from /lib/tls/i686/cmov/libc.so.6 #2 0xb706b009 in *__GI_abort () from /lib/tls/i686/cmov/libc.so.6 #3 0xb709f5bb in __libc_message () from /lib/tls/i686/cmov/libc.so.6 #4 0xb7124871 in __stack_chk_fail () from /lib/tls/i686/cmov/libc.so.6 #5 0xb6e26184 in __stack_chk_fail_local () at stack_chk_fail_local.c:29 #6 0xb6ddc23d in StreamPredictor::getNextLine (this=0x8435e88) at Stream.cc:589 #7 0x00000000 in ?? () Thread 1 (Thread -1229715792 (LWP 7557)): #0 0xffffe410 in __kernel_vsyscall () #1 0xb7104c53 in *__GI___poll () from /lib/tls/i686/cmov/libc.so.6 #2 0xb738de95 in g_main_context_iterate (context=0x80ee638, block=1, dispatch=1, self=0x80d2df0) at gmain.c:2977 #3 0xb738e20c in IA__g_main_loop_run (loop=0x82d9cb8) at gmain.c:2879 #4 0xb77ce052 in IA__gtk_main () at gtkmain.c:1023 #5 0x08080f91 in main (argc=2, argv=Cannot access memory at address 0xc ) at main.c:344 #0 0xffffe410 in __kernel_vsyscall () ===== third one ====== Starting program: /usr/bin/evince SSTIC06-rump-Filiol-Risque_viral_sous_OpenOffice.pdf [Thread debugging using libthread_db enabled] [New Thread -1229838672 (LWP 7587)] [New Thread -1231365216 (LWP 7592)] Program received signal SIGSEGV, Segmentation fault. [Switching to Thread -1231365216 (LWP 7592)] 0xb6dbe261 in StreamPredictor::getChar (this=0x8195870) at Stream.cc:468 468 return predLine[predIdx++]; Current language: auto; currently c++ (gdb) thread apply all bt Thread 2 (Thread -1231365216 (LWP 7592)): #0 0xb6dbe261 in StreamPredictor::getChar (this=0x8195870) at Stream.cc:468 #1 0xb6d5c796 in FlateStream::getChar (this=0xffffffff) at FlateStream.cc:48 #2 0xb6dbacb1 in ImageStream::getLine (this=0x8407150) at Stream.cc:381 #3 0xb7c9b578 in CairoOutputDev::drawImage (this=0x8308cc8, state=0x8195238, ref=0xb69ad0f4, str=0x8438af8, width=60, height=60, colorMap=0x8392d50, maskColors=0x0, inlineImg=0) at CairoOutputDev.cc:855 #4 0xb6d72238 in Gfx::doImage (this=0x83ee118, ref=0xb69ad0f4, str=0x8438af8, inlineImg=0) at Gfx.cc:3224 #5 0xb6d74d41 in Gfx::opXObject (this=0x83ee118, args=0xb69ad1b0, numArgs=1) at Gfx.cc:2903 #6 0xb6d6fcf0 in Gfx::execOp (this=0x83ee118, cmd=0xb69ad210, args=0xb69ad1b0, numArgs=<value optimized out>) at Gfx.cc:713 #7 0xb6d6fe8d in Gfx::go (this=0x83ee118, topLevel=1) at Gfx.cc:581 #8 0xb6d703db in Gfx::display (this=0x83ee118, obj=0xb69ad290, topLevel=1) at Gfx.cc:544 #9 0xb6db77e8 in Page::displaySlice (this=0x8307ad0, out=0x8308cc8, hDPI=114.92307758331299, vDPI=114.92307758331299, rotate=0, useMediaBox=0, crop=1, sliceX=0, sliceY=0, sliceW=1245, sliceH=932, links=0x0, catalog=0x82f6aa8, abortCheckCbk=0, abortCheckCbkData=0x0, annotDisplayDecideCbk=0, annotDisplayDecideCbkData=0x0) at Page.cc:375 #10 0xb7c9836f in poppler_page_render_to_pixbuf (page=0x82d1340, src_x=0, src_y=0, src_width=1245, src_height=932, scale=1.5961538553237915, rotation=0, pixbuf=0x82ea8c0) at poppler-page.cc:363 #11 0x0808fb4f in pdf_document_render_pixbuf (document=0x82be740, rc=0x8343140) at ev-poppler.cc:430 #12 0x0808d239 in ev_document_render_pixbuf (document=0x82be740, rc=0x8343140) at ev-document.c:223 #13 0x08065331 in ev_job_render_run (job=0x8167258) at ev-jobs.c:319 #14 0x08064005 in handle_job (job=0x8167258) at ev-job-queue.c:102 #15 0x08064558 in ev_render_thread (data=0x0) at ev-job-queue.c:187 #16 0xb7389545 in g_thread_create_proxy (data=0x8103260) at gthread.c:553 #17 0xb715d534 in start_thread () from /lib/tls/i686/cmov/libpthread.so.0 #18 0xb70f0a6e in clone () from /lib/tls/i686/cmov/libc.so.6 Thread 1 (Thread -1229838672 (LWP 7587)): #0 0xffffe410 in __kernel_vsyscall () #1 0xb70e6c53 in *__GI___poll () from /lib/tls/i686/cmov/libc.so.6 #2 0xb736fe95 in g_main_context_iterate (context=0x80ee638, block=1, dispatch=1, self=0x80d2df0) at gmain.c:2977 #3 0xb737020c in IA__g_main_loop_run (loop=0x831e2a8) at gmain.c:2879 #4 0xb77b0052 in IA__gtk_main () at gtkmain.c:1023 #5 0x08080f91 in main (argc=2, argv=Cannot access memory at address 0xc ) at main.c:344 0xb6dbe261 468 return predLine[predIdx++]; This is obviously with everything compiled with SSP (which is the default in Ubuntu). For the third crash an additional information: Starting program: /usr/bin/evince SSTIC06-rump-Filiol-Risque_viral_sous_OpenOffice.pdf [Thread debugging using libthread_db enabled] [New Thread -1229986128 (LWP 7646)] [New Thread -1231512672 (LWP 7650)] Program received signal SIGSEGV, Segmentation fault. [Switching to Thread -1231512672 (LWP 7650)] 0xb6d9a261 in StreamPredictor::getChar (this=0x8400b08) at Stream.cc:468 468 return predLine[predIdx++]; Current language: auto; currently c++ (gdb) print predLine $1 = (Guchar *) 0x0 (gdb) print predIdx $2 = 0 My guess is that this is a dup of 7646. If anyone can reproduce with current CVS reopen. *** This bug has been marked as a duplicate of 7646 *** |
Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.