Can be related to bug 4402 or 4386, but the backtrace seems to be a bit different.

#0  0x009e4f0d in SplashOutputDev::updateFont (this=0xa27a678, state=0xa3b73e8) at Object.h:278
278	    { stream->reset(); }
(gdb) p stream
$1 = 0

#0  0x009e4f0d in SplashOutputDev::updateFont (this=0xa27a678, state=0xa3b73e8) at Object.h:278
#1  0x00a4ba9a in TextSelectionPainter::visitWord (this=0xbf81ec74, word=0xa3e0030, begin=0, end=4, selection=0xbf81eb78) at TextOutputDev.cc:3302
#2  0x00a4bbf2 in TextWord::visitSelection (this=0xa3e0030, visitor=0xbf81ec74, selection=0xbf81eb78) at TextOutputDev.cc:3339
#3  0x00a4be4f in TextLine::visitSelection (this=0xa39cbe8, visitor=0xbf81ec74, selection=0xbf81eb78) at TextOutputDev.cc:3377
#4  0x00a51352 in TextBlock::visitSelection (this=0xa2f04d0, visitor=0xbf81ec74, selection=0xbf81ec10) at TextOutputDev.cc:3449
#5  0x00a51514 in TextPage::visitSelection (this=0xa2f2448, visitor=0xbf81ec74, selection=0xbf81ef20) at TextOutputDev.cc:3522
#6  0x00a52a69 in TextPage::drawSelection (this=0xa2f2448, out=0xa27a678, scale=0.68235296010971069, rotation=0, selection=0xbf81ef20, glyph_color=0xbf81ed20, box_color=0xbf81ee20) at TextOutputDev.cc:3535
#7  0x00a52ac1 in TextOutputDev::drawSelection (this=0x8d10c483, out=0xa27a678, scale=0.68235296010971069, rotation=0, selection=0xbf81ef20, glyph_color=0xbf81ed20, box_color=0xbf81ee20) at TextOutputDev.cc:4104
#8  0x00276321 in poppler_page_render_selection (page=0xa2f0ac8, scale=0.68235296010971069, rotation=0, pixbuf=0xa3639b8, selection=0xa29cb5c, old_selection=0xa29cb34, glyph_color=0xa161144, background_color=0xa161180) at poppler-page.cc:478
#9  0x0809c5fe in pdf_selection_render_selection (selection=0xa26d020, rc=0xa2d6aa0, pixbuf=0xa29cb54, points=0xa29cb5c, old_points=0xa29cb34, text=0xa161144, base=0xa161180) at ev-poppler.cc:1269
#10 0x08093d30 in ev_selection_render_selection ()
#11 0x0806c20b in ev_pixbuf_cache_get_selection_pixbuf ()
#12 0x08075d85 in merge_selection_region ()
#13 0x08076027 in compute_selections ()
#14 0x08071cce in selection_update_idle_cb ()
#15 0x003c5650 in g_child_watch_add () from /usr/lib/libglib-2.0.so.0
#16 0x003c33ee in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#17 0x003c63f6 in g_main_context_check () from /usr/lib/libglib-2.0.so.0
#18 0x003c66e3 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#19 0x00efb1b5 in IA__gtk_main () at gtkmain.c:963
#20 0x08083276 in main ()
Created attachment 3308 [details]
Test document

To get a crash, select three lines at the document top.
The Ubuntu Bugzilla has a bug about that too: http://bugzilla.ubuntu.com/show_bug.cgi?id=18848
This is still reproducible with the patch from #4402. It's definitely a different bug.
I've investigated this question a bit: the reason is that TextPage, on word creation, copies the GfxFont from the context, but this GfxFont is then destroyed. After that, use of TextPage functions may crash the app. We need to copy the GfxFont in TextPage::updateFont or ref it somehow. I am not sure how to fix it properly; it seems there is no way to dup or ref a GfxFont.
Gary Coady came up with a fix, which seems to fix https://launchpad.net/bugs/41661 https://launchpad.net/bugs/36747 and https://launchpad.net/bugs/24970 as well: http://librarian.launchpad.net/2382580/poppler_fixmem.patch *attaching it in a bit*
Created attachment 5495 [details] [review]
Fix by Gary Coady
Thanks, that was just the patch I was looking for :) Committed to CVS head, closing this bug.
*** Bug 6007 has been marked as a duplicate of this bug. ***
After this patch (and the subsequent 05-13 leak fix), the convention is that you have to call font->incRefCnt() before calling GfxState::setFont, but setFont will deal with calling font->decRefCnt() on the old font for you. That's just awful. The incRefCnt()s in Gfx::opSetFont and TextSelectionPainter::visitWord should be removed, and GfxState::setFont should inc the font itself.
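An added example, not poppler's code and not part of this bug thread, modelling the two ownership problems discussed above: the use-after-free from the earlier comment, where TextPage kept a copied GfxFont pointer without holding a reference to it, and the two GfxState::setFont conventions contrasted in the comment just above (caller must incRefCnt() first versus setFont taking its own reference). FontModel, StateModel, WordModel and setFontCallerRefs are stand-in names invented for this example; only incRefCnt()/decRefCnt() mirror the names used in the thread.

```cpp
// Stand-in for GfxFont with the intrusive refcount the thread describes.
// Assumption: incRefCnt()/decRefCnt() follow the names used in the bug
// comments; everything else here is a model, not poppler's class.
struct FontModel {
    static int live;        // FontModel objects currently allocated
    int refCnt = 1;         // the creator starts with one reference
    FontModel() { ++live; }
    ~FontModel() { --live; }
    void incRefCnt() { ++refCnt; }
    void decRefCnt() { if (--refCnt == 0) delete this; }
};
int FontModel::live = 0;

// Stand-in for GfxState: holds one reference to the current font.
struct StateModel {
    FontModel* font = nullptr;
    ~StateModel() { if (font) font->decRefCnt(); }

    // Convention the comment above calls awful: the caller must have called
    // incRefCnt() already; setFont only releases the previous font.
    void setFontCallerRefs(FontModel* f) {
        if (font) font->decRefCnt();
        font = f;
    }
    // Convention the comment asks for: setFont takes its own reference, so
    // callers never touch the refcount. Ref first, then release, so that
    // setFont(state.font) with the same pointer cannot free it mid-call.
    void setFont(FontModel* f) {
        if (f) f->incRefCnt();
        if (font) font->decRefCnt();
        font = f;
    }
};

// Stand-in for TextWord: keeps a reference to the font it was created with,
// which is what lets it outlive the state it was copied from.
struct WordModel {
    FontModel* font;
    explicit WordModel(FontModel* f) : font(f) { font->incRefCnt(); }
    ~WordModel() { font->decRefCnt(); }
};

// Returns the live-font count while the word still exists (expected 1) and
// stores the count after the word is destroyed into *after (expected 0).
int proposedConventionLifetime(int* after) {
    FontModel* f = new FontModel();               // refCnt 1
    StateModel state;
    state.setFont(f);                             // refCnt 2
    f->decRefCnt();                               // creator drops its ref: 1
    WordModel* word = new WordModel(state.font);  // refCnt 2
    state.setFont(nullptr);                       // state releases: refCnt 1
    int during = FontModel::live;                 // font still alive for the word
    delete word;                                  // refCnt 0, font freed
    *after = FontModel::live;
    return during;
}

// Same flow under the caller-refs convention. It only works because the
// creator hands its single reference straight to the state and never
// touches the font again; forgetting that rule leaks or double-frees.
int callerRefsConventionLifetime(int* after) {
    FontModel* f = new FontModel();               // refCnt 1, owned by state after the next line
    StateModel state;
    state.setFontCallerRefs(f);                   // no inc: state takes the creator's ref
    WordModel* word = new WordModel(state.font);  // refCnt 2
    state.setFontCallerRefs(nullptr);             // refCnt 1
    int during = FontModel::live;
    delete word;                                  // refCnt 0, font freed
    *after = FontModel::live;
    return during;
}

// Shape of the original bug: the "word" copies the pointer without taking a
// reference, so the font is freed as soon as the state moves on. We stop
// before dereferencing the stale pointer and only report that it dangles.
bool wordOutlivesFontWithoutRef() {
    FontModel* f = new FontModel();
    StateModel state;
    state.setFont(f);
    f->decRefCnt();                               // only the state holds it now
    FontModel* copiedWithoutRef = state.font;     // what TextPage did before the fix
    state.setFont(nullptr);                       // font freed here
    (void)copiedWithoutRef;                       // any use from here on is a use-after-free
    return FontModel::live == 0;                  // true: the copied pointer is dangling
}
```

The ordering inside setFont (take the new reference before dropping the old one) is the detail to check when reviewing the real GfxState::setFont: with the opposite order, setting the font a state already holds would drop its refcount to zero and free it before the new reference is taken.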