Bug 7798

Summary: Crash in StreamPredictor::getChar
Product: poppler Reporter: Nickolay V. Shmyrev <nshmyrev>
Component: general Assignee: poppler-bugs <poppler-bugs>
Status: RESOLVED DUPLICATE QA Contact:
Severity: normal    
Priority: high CC: m_kretzschmar, slomo
Version: unspecified   
Hardware: x86 (IA32)   
OS: Linux (All)   
Whiteboard:

Description Nickolay V. Shmyrev 2006-08-07 08:37:00 UTC
We have a lot of crash reports in evince with recent poppler, for example this one:

http://bugzilla.gnome.org/show_bug.cgi?id=349364

---------------------------------------------------------------
What were you doing when the application crashed?
openup a pdf file which was in a zip file
Evince crashed
it did see that the document has 12 pages.
extracting the pdf to the deskop and than viewing it with evince
gave same result.
xpdf showed just fine


Distribution: Ubuntu 6.10 (edgy)
Gnome Release: 2.15.90 2006-07-24 (Ubuntu)
BugBuddy Version: 2.15.90

Memory status: size: 58761216 vsize: 0 resident: 58761216 share: 0 rss:
25272320 rss_rlim: 0
CPU usage: start_time: 1154303935 rtime: 0 utime: 93 stime: 0 cutime:87 cstime:
0 timeout: 6 it_real_value: 0 frequency: 0

Backtrace was generated from '/usr/bin/evince'

(no debugging symbols found)
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
(no debugging symbols found)
[Thread debugging using libthread_db enabled]
[New Thread -1230014272 (LWP 13374)]
[New Thread -1231578208 (LWP 13376)]
(no debugging symbols found)
0xffffe410 in __kernel_vsyscall ()
#0  0xffffe410 in __kernel_vsyscall ()
#1  0xb70ac6a3 in poll () from /lib/tls/i686/cmov/libc.so.6
#2  0xb7335e95 in g_main_context_check () from /usr/lib/libglib-2.0.so.0
#3  0xb733620c in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#4  0xb7776072 in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
#5  0x0808310c in main ()

Thread 2 (Thread -1231578208 (LWP 13376)):
#0  0xffffe410 in __kernel_vsyscall ()
No symbol table info available.
#1  0xb712b35b in __waitpid_nocancel ()
   from /lib/tls/i686/cmov/libpthread.so.0
No symbol table info available.
#2  0xb7eac558 in gnome_gtk_module_info_get () from /usr/lib/libgnomeui-2.so.0
No symbol table info available.
#3  <signal handler called>
No symbol table info available.
#4  0xb6d8ed39 in StreamPredictor::getChar () from /usr/lib/libpoppler.so.1
No symbol table info available.
#5  0xb6d30114 in FlateStream::getChar () from /usr/lib/libpoppler.so.1
No symbol table info available.
#6  0xb6d873cf in OutputDev::drawImage () from /usr/lib/libpoppler.so.1
No symbol table info available.
#7  0xb6d45689 in Gfx::doImage () from /usr/lib/libpoppler.so.1
No symbol table info available.
#8  0xb6d45e97 in Gfx::opBeginImage () from /usr/lib/libpoppler.so.1
No symbol table info available.
#9  0xb6d431ae in Gfx::execOp () from /usr/lib/libpoppler.so.1
No symbol table info available.
#10 0xb6d43376 in Gfx::go () from /usr/lib/libpoppler.so.1
No symbol table info available.
#11 0xb6d438d3 in Gfx::display () from /usr/lib/libpoppler.so.1
No symbol table info available.
#12 0xb6d87823 in Page::display () from /usr/lib/libpoppler.so.1
No symbol table info available.
#13 0xb7c5e9b1 in poppler_page_free_link_mapping ()
   from /usr/lib/libpoppler-glib.so.1
No symbol table info available.
#14 0xb7c5ee76 in poppler_page_get_selection_region ()
   from /usr/lib/libpoppler-glib.so.1
No symbol table info available.
#15 0x080973d2 in pdf_selection_get_selection_map ()
No symbol table info available.
#16 0x08096947 in ev_selection_get_selection_map ()
No symbol table info available.
#17 0x08066848 in ev_job_render_run ()
No symbol table info available.
#18 0x0806572c in ev_job_queue_update_job ()
No symbol table info available.
#19 0x08065bd1 in ev_job_queue_init ()
No symbol table info available.
#20 0xb734f545 in g_thread_create_full () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#21 0xb7124534 in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
No symbol table info available.
#22 0xb70b621e in clone () from /lib/tls/i686/cmov/libc.so.6
No symbol table info available.

Thread 1 (Thread -1230014272 (LWP 13374)):
#0  0xffffe410 in __kernel_vsyscall ()
No symbol table info available.
#1  0xb70ac6a3 in poll () from /lib/tls/i686/cmov/libc.so.6
No symbol table info available.
#2  0xb7335e95 in g_main_context_check () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#3  0xb733620c in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#4  0xb7776072 in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
No symbol table info available.
#5  0x0808310c in main ()
No symbol table info available.
#0  0xffffe410 in __kernel_vsyscall ()
Comment 1 Albert Astals Cid 2006-08-07 08:45:44 UTC
And the PDF files?

Without them it's so much more difficult to debug...
Comment 2 Nickolay V. Shmyrev 2006-08-07 09:14:40 UTC
No files attached to reports. I'll ask the reporters, probably someone will help.
Comment 3 Nickolay V. Shmyrev 2006-08-08 13:52:21 UTC
The link to the document that causes the crash:

http://www.uni-rostock.de/internationale_studenten/32/F_Nantes_UniversitaireNantes_03_hecht.pdf
Comment 4 Albert Astals Cid 2006-08-10 08:35:22 UTC
Works fine here, can you make it crash using cvs version?
Comment 5 Martin Kretzschmar 2006-08-15 10:32:59 UTC
Another enable-zlib bug? Ubuntu switched that on in its last development release's
poppler package, and all dupes of the GNOME bug use a very recent Ubuntu.
Comment 6 Sebastian Dröge (slomo) 2006-08-15 10:45:08 UTC
Works fine here too with a zlib-enabled poppler on Ubuntu edgy
Comment 7 Martin Kretzschmar 2006-08-15 11:28:37 UTC
Okay, that file doesn't seem to match the stacktrace anyway. I can't see any
image in there which is strange, considering the Gfx::doImage in the stack trace.

I got (random, unfortunately) crashes in StreamPredictor::getChar and
occasionally image garbage with this file on Ubuntu edgy:

http://actes.sstic.org/SSTIC06/Rump_sessions/SSTIC06-rump-Filiol-Risque_viral_sous_OpenOffice.pdf
Comment 8 Martin Kretzschmar 2006-08-15 11:30:31 UTC
Better ignore the image garbage comment, doesn't belong here.
Comment 9 Sebastian Dröge (slomo) 2006-08-15 11:57:36 UTC
Ok, with this pdf I got three different crashes when scrolling through the
pdf... backtraces with debug symbols everywhere. The first two are probably the
same.

===== first one =======

Starting program: /usr/bin/evince
SSTIC06-rump-Filiol-Risque_viral_sous_OpenOffice.pdf
[Thread debugging using libthread_db enabled]
[New Thread -1229805904 (LWP 7534)]
[New Thread -1231332448 (LWP 7538)]
*** stack smashing detected ***: /usr/bin/evince terminated

Program received signal SIGABRT, Aborted.
[Switching to Thread -1231332448 (LWP 7538)]
0xffffe410 in __kernel_vsyscall ()

(gdb) thread apply all bt

Thread 2 (Thread -1231332448 (LWP 7538)):
#0  0xffffe410 in __kernel_vsyscall ()
#1  0xb7053861 in *__GI_raise () from /lib/tls/i686/cmov/libc.so.6
#2  0xb7055009 in *__GI_abort () from /lib/tls/i686/cmov/libc.so.6
#3  0xb70895bb in __libc_message () from /lib/tls/i686/cmov/libc.so.6
#4  0xb710e871 in __stack_chk_fail () from /lib/tls/i686/cmov/libc.so.6
#5  0xb6e10184 in __stack_chk_fail_local () at stack_chk_fail_local.c:29
#6  0xb6dc623d in StreamPredictor::getNextLine (this=0x8453048)
    at Stream.cc:589
#7  0x00000000 in ?? ()

Thread 1 (Thread -1229805904 (LWP 7534)):
#0  0xffffe410 in __kernel_vsyscall ()
#1  0xb70eec53 in *__GI___poll () from /lib/tls/i686/cmov/libc.so.6
#2  0xb74525a2 in XProcessInternalConnection () from /usr/lib/libX11.so.6
#3  0xb745296f in _XRead () from /usr/lib/libX11.so.6
#4  0xb74532f5 in _XReply () from /usr/lib/libX11.so.6
#5  0xb744a85e in XSync () from /usr/lib/libX11.so.6
#6  0xb7649676 in IA__gdk_flush () at gdkevents-x11.c:2501
#7  0xb7626d33 in alloc_scratch_image (image_info=0x1) at gdkimage.c:319
#8  0xb762701f in _gdk_image_get_scratch (screen=0x80ea0e0, width=256, 
    height=64, depth=24, x=0xbfeb7178, y=0xbfeb7174) at gdkimage.c:376
#9  0xb7631f3e in gdk_draw_rgb_image_core (image_info=0x841d030, 
    drawable=0xb4c00ac8, gc=0x82b0038, x=8, y=302, width=1245, height=579, 
    buf=0xb4849008 '�' <repeats 200 times>..., pixstride=3, rowstride=3736, 
    conv=0xb762e8b1 <gdk_rgb_convert_0888>, cmap=0x0, xdith=0, ydith=0)
    at gdkrgb.c:3288
#10 0xb762302a in gdk_drawable_real_draw_pixbuf (drawable=0xb4c00ac8, 
    gc=0x82b0038, pixbuf=0x82ef188, src_x=0, src_y=0, dest_x=8, dest_y=302, 
    width=1245, height=579, dither=GDK_RGB_DITHER_NORMAL, x_dither=0, 
    y_dither=0) at gdkdraw.c:1640
#11 0xb764769c in gdk_x11_draw_pixbuf (drawable=0x82c3860, gc=0x82b0038, 
    pixbuf=0x82ef188, src_x=0, src_y=0, dest_x=8, dest_y=302, width=1245, 
    height=579, dither=GDK_RGB_DITHER_NORMAL, x_dither=0, y_dither=0)
    at gdkdrawable-x11.c:1395
#12 0xb76219b7 in IA__gdk_draw_pixbuf (drawable=0x82c3860, gc=0x82b0038, 
    pixbuf=0x82ef188, src_x=0, src_y=0, dest_x=8, dest_y=302, width=1245, 
    height=579, dither=GDK_RGB_DITHER_NORMAL, x_dither=0, y_dither=0)
    at gdkdraw.c:759
#13 0xb762bb0c in gdk_pixmap_draw_pixbuf (drawable=0xb4c00ac8, gc=0x82b0038, 
    pixbuf=0x82ef188, src_x=0, src_y=0, dest_x=8, dest_y=302, width=1245, 
    height=579, dither=GDK_RGB_DITHER_NORMAL, x_dither=0, y_dither=0)
    at gdkpixmap.c:427
#14 0xb76219b7 in IA__gdk_draw_pixbuf (drawable=0xb4c00ac8, gc=0x82b0038, 
    pixbuf=0x82ef188, src_x=0, src_y=0, dest_x=8, dest_y=302, width=1245, 
    height=579, dither=GDK_RGB_DITHER_NORMAL, x_dither=0, y_dither=0)
    at gdkdraw.c:759
---Type <return> to continue, or q <return> to quit---
#15 0xb7638dbc in gdk_window_draw_pixbuf (drawable=0x831b8c8, gc=0x82b0038, 
    pixbuf=0x82ef188, src_x=0, src_y=0, dest_x=8, dest_y=302, width=1245, 
    height=579, dither=GDK_RGB_DITHER_NORMAL, x_dither=0, y_dither=0)
    at gdkwindow.c:2046
#16 0xb76219b7 in IA__gdk_draw_pixbuf (drawable=0x831b8c8, gc=0x82b0038, 
    pixbuf=0x82ef188, src_x=0, src_y=0, dest_x=8, dest_y=302, width=1245, 
    height=579, dither=GDK_RGB_DITHER_NORMAL, x_dither=0, y_dither=0)
    at gdkdraw.c:759
#17 0x08073a1a in ev_view_expose_event (widget=0x80e81f8, event=0xbfeb7bd4)
    at ev-view.c:2344
#18 0xb77bcbc6 in _gtk_marshal_BOOLEAN__BOXED (closure=0x8100658, 
    return_value=0xbfeb7800, n_param_values=2, param_values=0xbfeb78dc, 
    invocation_hint=0xbfeb77ec, marshal_data=0x8073320) at gtkmarshalers.c:83
#19 0xb73e7f05 in g_type_class_meta_marshal (closure=0x8100658, 
    return_value=0xbfeb7800, n_param_values=2, param_values=0xbfeb78dc, 
    invocation_hint=0xbfeb77ec, marshal_data=0xc8) at gclosure.c:567
#20 0xb73e965f in IA__g_closure_invoke (closure=0x8100658, 
    return_value=0xbfeb7800, n_param_values=2, param_values=0xbfeb78dc, 
    invocation_hint=0xbfeb77ec) at gclosure.c:490
#21 0xb73f8f61 in signal_emit_unlocked_R (node=0x80f9e78, detail=0, 
    instance=0x80e81f8, emission_return=0xbfeb7a9c, 
    instance_and_params=0xbfeb78dc) at gsignal.c:2476
#22 0xb73f9c10 in IA__g_signal_emit_valist (instance=0x80e81f8, signal_id=57, 
    detail=0, var_args=<value optimized out>) at gsignal.c:2207
#23 0xb73fa000 in IA__g_signal_emit (instance=0x80e81f8, signal_id=57, 
    detail=0) at gsignal.c:2241
#24 0xb78bfc90 in gtk_widget_event_internal (widget=0x80e81f8, 
    event=0xbfeb7bd4) at gtkwidget.c:3901
#25 0xb77b7e18 in IA__gtk_main_do_event (event=0xbfeb7bd4) at gtkmain.c:1402
#26 0xb763758b in gdk_window_process_updates_internal (window=0x831b8c8)
    at gdkwindow.c:2324
#27 0xb76377b1 in IA__gdk_window_process_all_updates () at gdkwindow.c:2387
#28 0xb77302af in gtk_container_idle_sizer (data=0x0) at gtkcontainer.c:1113
#29 0xb737356f in g_idle_dispatch (source=0x843e9d8, callback=0xffffffff, 
    user_data=0x0) at gmain.c:3924
#30 0xb73750c8 in IA__g_main_context_dispatch (context=0x80ee638)
    at gmain.c:2043
#31 0xb7377e62 in g_main_context_iterate (context=0x80ee638, block=1, 
    dispatch=1, self=0x80d2df0) at gmain.c:2675
#32 0xb737820c in IA__g_main_loop_run (loop=0x831e2a8) at gmain.c:2879
#33 0xb77b8052 in IA__gtk_main () at gtkmain.c:1023
#34 0x08080f91 in main (argc=2, argv=Cannot access memory at address 0x5
) at main.c:344
#0  0xffffe410 in __kernel_vsyscall ()
======= second one =========

Starting program: /usr/bin/evince
SSTIC06-rump-Filiol-Risque_viral_sous_OpenOffice.pdf
[Thread debugging using libthread_db enabled]
[New Thread -1229715792 (LWP 7557)]
[New Thread -1231242336 (LWP 7561)]
*** stack smashing detected ***: /usr/bin/evince terminated

Program received signal SIGABRT, Aborted.
[Switching to Thread -1231242336 (LWP 7561)]
0xffffe410 in __kernel_vsyscall ()
(gdb) thread apply all bt

Thread 2 (Thread -1231242336 (LWP 7561)):
#0  0xffffe410 in __kernel_vsyscall ()
#1  0xb7069861 in *__GI_raise () from /lib/tls/i686/cmov/libc.so.6
#2  0xb706b009 in *__GI_abort () from /lib/tls/i686/cmov/libc.so.6
#3  0xb709f5bb in __libc_message () from /lib/tls/i686/cmov/libc.so.6
#4  0xb7124871 in __stack_chk_fail () from /lib/tls/i686/cmov/libc.so.6
#5  0xb6e26184 in __stack_chk_fail_local () at stack_chk_fail_local.c:29
#6  0xb6ddc23d in StreamPredictor::getNextLine (this=0x8435e88)
    at Stream.cc:589
#7  0x00000000 in ?? ()

Thread 1 (Thread -1229715792 (LWP 7557)):
#0  0xffffe410 in __kernel_vsyscall ()
#1  0xb7104c53 in *__GI___poll () from /lib/tls/i686/cmov/libc.so.6
#2  0xb738de95 in g_main_context_iterate (context=0x80ee638, block=1, 
    dispatch=1, self=0x80d2df0) at gmain.c:2977
#3  0xb738e20c in IA__g_main_loop_run (loop=0x82d9cb8) at gmain.c:2879
#4  0xb77ce052 in IA__gtk_main () at gtkmain.c:1023
#5  0x08080f91 in main (argc=2, argv=Cannot access memory at address 0xc
) at main.c:344
#0  0xffffe410 in __kernel_vsyscall ()


===== third one ======

Starting program: /usr/bin/evince
SSTIC06-rump-Filiol-Risque_viral_sous_OpenOffice.pdf
[Thread debugging using libthread_db enabled]
[New Thread -1229838672 (LWP 7587)]
[New Thread -1231365216 (LWP 7592)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1231365216 (LWP 7592)]
0xb6dbe261 in StreamPredictor::getChar (this=0x8195870) at Stream.cc:468
468       return predLine[predIdx++];
Current language:  auto; currently c++
(gdb) thread apply all bt

Thread 2 (Thread -1231365216 (LWP 7592)):
#0  0xb6dbe261 in StreamPredictor::getChar (this=0x8195870) at Stream.cc:468
#1  0xb6d5c796 in FlateStream::getChar (this=0xffffffff) at FlateStream.cc:48
#2  0xb6dbacb1 in ImageStream::getLine (this=0x8407150) at Stream.cc:381
#3  0xb7c9b578 in CairoOutputDev::drawImage (this=0x8308cc8, state=0x8195238, 
    ref=0xb69ad0f4, str=0x8438af8, width=60, height=60, colorMap=0x8392d50, 
    maskColors=0x0, inlineImg=0) at CairoOutputDev.cc:855
#4  0xb6d72238 in Gfx::doImage (this=0x83ee118, ref=0xb69ad0f4, str=0x8438af8, 
    inlineImg=0) at Gfx.cc:3224
#5  0xb6d74d41 in Gfx::opXObject (this=0x83ee118, args=0xb69ad1b0, numArgs=1)
    at Gfx.cc:2903
#6  0xb6d6fcf0 in Gfx::execOp (this=0x83ee118, cmd=0xb69ad210, 
    args=0xb69ad1b0, numArgs=<value optimized out>) at Gfx.cc:713
#7  0xb6d6fe8d in Gfx::go (this=0x83ee118, topLevel=1) at Gfx.cc:581
#8  0xb6d703db in Gfx::display (this=0x83ee118, obj=0xb69ad290, topLevel=1)
    at Gfx.cc:544
#9  0xb6db77e8 in Page::displaySlice (this=0x8307ad0, out=0x8308cc8, 
    hDPI=114.92307758331299, vDPI=114.92307758331299, rotate=0, useMediaBox=0, 
    crop=1, sliceX=0, sliceY=0, sliceW=1245, sliceH=932, links=0x0, 
    catalog=0x82f6aa8, abortCheckCbk=0, abortCheckCbkData=0x0, 
    annotDisplayDecideCbk=0, annotDisplayDecideCbkData=0x0) at Page.cc:375
#10 0xb7c9836f in poppler_page_render_to_pixbuf (page=0x82d1340, src_x=0, 
    src_y=0, src_width=1245, src_height=932, scale=1.5961538553237915, 
    rotation=0, pixbuf=0x82ea8c0) at poppler-page.cc:363
#11 0x0808fb4f in pdf_document_render_pixbuf (document=0x82be740, rc=0x8343140)
    at ev-poppler.cc:430
#12 0x0808d239 in ev_document_render_pixbuf (document=0x82be740, rc=0x8343140)
    at ev-document.c:223
#13 0x08065331 in ev_job_render_run (job=0x8167258) at ev-jobs.c:319
#14 0x08064005 in handle_job (job=0x8167258) at ev-job-queue.c:102
#15 0x08064558 in ev_render_thread (data=0x0) at ev-job-queue.c:187
#16 0xb7389545 in g_thread_create_proxy (data=0x8103260) at gthread.c:553
#17 0xb715d534 in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
#18 0xb70f0a6e in clone () from /lib/tls/i686/cmov/libc.so.6

Thread 1 (Thread -1229838672 (LWP 7587)):
#0  0xffffe410 in __kernel_vsyscall ()
#1  0xb70e6c53 in *__GI___poll () from /lib/tls/i686/cmov/libc.so.6
#2  0xb736fe95 in g_main_context_iterate (context=0x80ee638, block=1, 
    dispatch=1, self=0x80d2df0) at gmain.c:2977
#3  0xb737020c in IA__g_main_loop_run (loop=0x831e2a8) at gmain.c:2879
#4  0xb77b0052 in IA__gtk_main () at gtkmain.c:1023
#5  0x08080f91 in main (argc=2, argv=Cannot access memory at address 0xc
) at main.c:344
0xb6dbe261      468       return predLine[predIdx++];
Comment 10 Sebastian Dröge (slomo) 2006-08-15 12:02:03 UTC
This is obviously with everything compiled with SSP (which is the default in
Ubuntu).

For the third crash, some additional information:
Starting program: /usr/bin/evince
SSTIC06-rump-Filiol-Risque_viral_sous_OpenOffice.pdf
[Thread debugging using libthread_db enabled]
[New Thread -1229986128 (LWP 7646)]
[New Thread -1231512672 (LWP 7650)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1231512672 (LWP 7650)]
0xb6d9a261 in StreamPredictor::getChar (this=0x8400b08) at Stream.cc:468
468       return predLine[predIdx++];
Current language:  auto; currently c++
(gdb) print predLine 
$1 = (Guchar *) 0x0
(gdb) print predIdx 
$2 = 0
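The gdb output above shows getChar() indexing a line buffer that was never allocated (predLine is NULL, predIdx is 0), and the earlier backtraces show SSP aborting inside getNextLine(). Both failures come from trusting the stream's declared dimensions before the line buffer is sized. The reader below is an added, hypothetical PNG-predictor decoder, not poppler's StreamPredictor; it validates width, component count and bits-per-component up front, so an invalid stream yields EOF from getChar() rather than a null dereference, and every row copy is bounded by the validated row size.

```cpp
#include <cstdint>
#include <cstring>
#include <vector>

// Hypothetical PNG-predictor stream reader; an added example, not poppler's
// StreamPredictor. Rows arrive as <filter byte><rowBytes data>; filters
// None (0), Sub (1) and Up (2) are supported.
class PredictorReader {
public:
    PredictorReader(const std::vector<uint8_t>& in, int width, int nComps, int bpc)
        : in_(in) {
        // Validate the dimensions before any buffer is sized. A reader that
        // fails here keeps an empty line buffer and getChar() reports EOF,
        // instead of dereferencing a null line as in the crash on this page.
        if (width <= 0 || nComps <= 0 || nComps > 4 ||
            !(bpc == 1 || bpc == 2 || bpc == 4 || bpc == 8 || bpc == 16)) return;
        uint64_t bits = (uint64_t)width * nComps * bpc;
        if (bits > (1u << 28)) return;        // sanity cap for this example
        rowBytes_ = (size_t)((bits + 7) / 8);
        pixBytes_ = (size_t)((nComps * bpc + 7) / 8);
        line_.assign(rowBytes_, 0);
        prev_.assign(rowBytes_, 0);
        idx_ = rowBytes_;                      // first getChar() fetches a row
        ok_ = true;
    }
    // Next unfiltered byte, or -1 at end of data or after a decode error.
    int getChar() {
        if (!ok_ || (idx_ >= rowBytes_ && !getNextLine())) return -1;
        return line_[idx_++];
    }
private:
    bool getNextLine() {
        if (pos_ + 1 + rowBytes_ > in_.size()) return false;  // truncated row
        uint8_t filter = in_[pos_++];
        if (filter > 2) return false;
        prev_.swap(line_);                    // prev_ now holds the last row
        std::memcpy(line_.data(), &in_[pos_], rowBytes_);
        pos_ += rowBytes_;
        for (size_t i = 0; i < rowBytes_; ++i) {
            uint8_t left = i >= pixBytes_ ? line_[i - pixBytes_] : 0;
            if (filter == 1) line_[i] += left;
            else if (filter == 2) line_[i] += prev_[i];
        }
        idx_ = 0;
        return true;
    }
    std::vector<uint8_t> in_, line_, prev_;
    size_t pos_ = 0, rowBytes_ = 0, pixBytes_ = 0, idx_ = 0;
    bool ok_ = false;
};

// Decode a whole constructed buffer; returns the unfiltered bytes.
std::vector<int> decodeAll(const std::vector<uint8_t>& in, int width, int nComps, int bpc) {
    PredictorReader r(in, width, nComps, bpc);
    std::vector<int> out;
    for (int c; (c = r.getChar()) >= 0;) out.push_back(c);
    return out;
}
```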
Comment 11 Jeff Muizelaar 2006-09-04 18:34:08 UTC
My guess is that this is a dup of 7646. If anyone can reproduce with current CVS
reopen.

*** This bug has been marked as a duplicate of 7646 ***
