= Transferring this bug from GNOME Bugzilla: http://bugzilla.gnome.org/show_bug.cgi?id=316907 =

Distribution: Debian testing/unstable
Package: evince
Severity: critical
Version: GNOME2.10.2 0.4.x
Gnome-Distributor: Debian
Synopsis: Crashes when trying to fill in text
Bugzilla-Product: evince
Bugzilla-Component: general
Bugzilla-Version: 0.4.x
BugBuddy-GnomeVersion: 2.0 (2.10.1)

Description:
Description of the crash:
My credit card company sends me statements. There's a little text box for me to fill in for how much I'm paying on my bill. When I tried to click there, evince crashed. The PDF is from Chase, FYI.

Steps to reproduce the crash:
1. Open PDF from CC company
2. Try to fill in Amount Enclosed
3. Crash!

Expected Results:
CC company receives money and stops hounding me for more.

How often does this happen?
Very rarely; I'm poor.

Additional Information:
Even though they say I need Adobe Acrobat Reader 6.1, can I use this as an excuse for not paying my bill and get some kind of deference? ;-)

Debugging Information:

Backtrace was generated from '/usr/bin/evince'

(no debugging symbols found)
Using host libthread_db library "/lib/tls/libthread_db.so.1".
(no debugging symbols found)
`system-supplied DSO at 0xffffe000' has disappeared; keeping its symbols.
(no debugging symbols found)
[Thread debugging using libthread_db enabled]
[New Thread -1227438400 (LWP 27407)]
[New Thread -1229841488 (LWP 27408)]
(no debugging symbols found)
0xb7135b41 in waitpid () from /lib/tls/libc.so.6
#0  0xb7135b41 in waitpid () from /lib/tls/libc.so.6
#1  0xb7f57ee3 in libgnomeui_module_info_get () from /usr/lib/libgnomeui-2.so.0
#2  <signal handler called>
#3  0xb754c634 in CairoFont::CairoFont () from /usr/lib/libpoppler.so.0
#4  0xb754ccf0 in CairoFontEngine::getFont () from /usr/lib/libpoppler.so.0
#5  0xb754e93f in CairoOutputDev::updateFont () from /usr/lib/libpoppler.so.0
#6  0xb75b9714 in TextSelectionPainter::visitWord () from /usr/lib/libpoppler.so.0
#7  0xb75b9894 in TextWord::visitSelection () from /usr/lib/libpoppler.so.0
#8  0xb75b9b3c in TextLine::visitSelection () from /usr/lib/libpoppler.so.0
#9  0xb75bf55a in TextBlock::visitSelection () from /usr/lib/libpoppler.so.0
#10 0xb75bf766 in TextPage::visitSelection () from /usr/lib/libpoppler.so.0
#11 0xb75c0e28 in TextPage::drawSelection () from /usr/lib/libpoppler.so.0
#12 0xb75c0e89 in TextOutputDev::drawSelection () from /usr/lib/libpoppler.so.0
#13 0xb771334f in poppler_page_render_selection () from /usr/lib/libpoppler-glib.so.0
#14 0x0808a2e7 in pdf_selection_render_selection ()
#15 0x08087e54 in ev_selection_render_selection ()
#16 0x08067694 in ev_pixbuf_cache_get_selection_pixbuf ()
#17 0x0806dec2 in ev_view_rotate_right ()
#18 0xb727c931 in g_child_watch_add () from /usr/lib/libglib-2.0.so.0
#19 0xb727a3f1 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#20 0xb727d647 in g_main_context_check () from /usr/lib/libglib-2.0.so.0
#21 0xb727db98 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#22 0xb79de989 in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
#23 0x08079b32 in main ()

Thread 2 (Thread -1229841488 (LWP 27408)):
#0  0xb7084b61 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib/tls/libpthread.so.0
No symbol table info available.
#1  0xb7182a8d in pthread_cond_wait () from /lib/tls/libc.so.6
No symbol table info available.
#2  0x08060f94 in ev_document_types_add_filters ()
No symbol table info available.
#3  0xb7297b65 in g_static_private_free () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#4  0xb7082ccd in start_thread () from /lib/tls/libpthread.so.0
No symbol table info available.
#5  0xb7175b0e in clone () from /lib/tls/libc.so.6
No symbol table info available.

Thread 1 (Thread -1227438400 (LWP 27407)):
#0  0xb7135b41 in waitpid () from /lib/tls/libc.so.6
No symbol table info available.
#1  0xb7f57ee3 in libgnomeui_module_info_get () from /usr/lib/libgnomeui-2.so.0
No symbol table info available.
#2  <signal handler called>
No symbol table info available.
#3  0xb754c634 in CairoFont::CairoFont () from /usr/lib/libpoppler.so.0
No symbol table info available.
#4  0xb754ccf0 in CairoFontEngine::getFont () from /usr/lib/libpoppler.so.0
No symbol table info available.
#5  0xb754e93f in CairoOutputDev::updateFont () from /usr/lib/libpoppler.so.0
No symbol table info available.
#6  0xb75b9714 in TextSelectionPainter::visitWord () from /usr/lib/libpoppler.so.0
No symbol table info available.
#7  0xb75b9894 in TextWord::visitSelection () from /usr/lib/libpoppler.so.0
No symbol table info available.
#8  0xb75b9b3c in TextLine::visitSelection () from /usr/lib/libpoppler.so.0
No symbol table info available.
#9  0xb75bf55a in TextBlock::visitSelection () from /usr/lib/libpoppler.so.0
No symbol table info available.
#10 0xb75bf766 in TextPage::visitSelection () from /usr/lib/libpoppler.so.0
No symbol table info available.
#11 0xb75c0e28 in TextPage::drawSelection () from /usr/lib/libpoppler.so.0
No symbol table info available.
#12 0xb75c0e89 in TextOutputDev::drawSelection () from /usr/lib/libpoppler.so.0
No symbol table info available.
#13 0xb771334f in poppler_page_render_selection () from /usr/lib/libpoppler-glib.so.0
No symbol table info available.
#14 0x0808a2e7 in pdf_selection_render_selection ()
No symbol table info available.
#15 0x08087e54 in ev_selection_render_selection ()
No symbol table info available.
#16 0x08067694 in ev_pixbuf_cache_get_selection_pixbuf ()
No symbol table info available.
#17 0x0806dec2 in ev_view_rotate_right ()
No symbol table info available.
#18 0xb727c931 in g_child_watch_add () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#19 0xb727a3f1 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#20 0xb727d647 in g_main_context_check () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#21 0xb727db98 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#22 0xb79de989 in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
No symbol table info available.
#23 0x08079b32 in main ()
No symbol table info available.
#0  0xb7135b41 in waitpid () from /lib/tls/libc.so.6
Is it possible to provide the PDF that causes the crash?
Hello, I'm still getting this with current statements. Before, the issue was on Debian; now it's on FC4. I've sent an inquiry to Chase asking for them to send me a statement without my account information.

Sean
I reported a (presumably?) related bug against evince in the GNOME Bugzilla:
http://bugzilla.gnome.org/show_bug.cgi?id=328810

It is provoked by selecting text from a PDF attached to another report in the GNOME Bugzilla:
http://bugzilla.gnome.org/show_bug.cgi?id=314847
http://bugzilla.gnome.org/attachment.cgi?id=51717

Hopefully that PDF will be enough to debug this. (Again, assuming a crash from selecting is the same as a crash from an input field.)
Ubuntu bug about that: https://launchpad.net/products/poppler/+bug/50697

'I am using the version of evince that comes with dapper, 0.5.2. Open the attached PDF in evince and opt to select some of the text that is rendered. Sometimes it seems to take a few tries to get it to crash (just keep selecting different portions of text). This could be a problem with libpoppler.

http://librarian.launchpad.net/3134680/can-crash-evince-0.5.2.pdf
PDF to Crash Evince
Just select some text, after opening this document in evince.

http://librarian.launchpad.net/3134694/evince-backtrace.txt
Backtrace
Here's the backtrace produced when evince crashes. I copied this from the "bug buddy" window. ...'
Reproducible with latest CVS.

Steps to reproduce:
1. open http://librarian.launchpad.net/3134680/can-crash-evince-0.5.2.pdf
2. edit->select all

#3  <signal handler called>
No symbol table info available.
#4  0xb7d10775 in CairoFont::create (gfxFont=0x84441f8, xref=0x8487280, lib=0x8317388, useCIDs=1) at Object.h:279
        cmap = <value optimized out>
        ctu = <value optimized out>
        cairo_font_face_key = {unused = 0}
        tmpFileName = (GooString *) 0x839a8d8
        dfp = <value optimized out>
        uBuf = {0, 0, 3076259048, 3220933992, 3075990618, 138965644, 3074958112, 3220934008}
        codeToGID = <value optimized out>
        strObj = {type = objNull, {booln = 138965632, intg = 138965632, real = -7.0562016071739042e-44, string = 0x8487280, name = 0x8487280 "", array = 0x8487280, dict = 0x8487280, stream = 0x8487280, ref = {num = 138965632, gen = -1225183896}, cmd = 0x8487280 ""}}
        fileName = <value optimized out>
        c = <value optimized out>
        ff1c = <value optimized out>
        codeToGIDLen = 0
        tmpFileName2 = <value optimized out>
        n = <value optimized out>
        code = <value optimized out>
        fontType = 1079655961
        enc = <value optimized out>
        name = <value optimized out>
        ff = <value optimized out>
        cairo_font_face = <value optimized out>
        refObj = {type = objNone, {booln = 1890821786, intg = 1890821786, real = 114.96346681159994, string = 0x70b3a69a, name = 0x70b3a69a <Address 0x70b3a69a out of bounds>, array = 0x70b3a69a, dict = 0x70b3a69a, stream = 0x70b3a69a, ref = {num = 1890821786, gen = 1079819689}, cmd = 0x70b3a69a <Address 0x70b3a69a out of bounds>}}
        tmpFile = <value optimized out>
        face = <value optimized out>
#5  0xb7d10fa1 in CairoFontEngine::getFont (this=0x831d0f0, gfxFont=0x84441f8, xref=0x8487280) at CairoFontEngine.cc:353
        i = 64
        ref = {num = -1694248026, gen = 1079410369}
        font = (CairoFont *) 0x0
#6  0xb7d12d5e in CairoOutputDev::updateFont (this=0x830a780, state=0x8486fa8) at CairoOutputDev.cc:276
        font_face = <value optimized out>
        m11 = -1.722381591796875
        m22 = 1
        fontSize = 0
        m = <value optimized out>
        m12 = -3.919002195208072e-44
        m21 = 1
        matrix = {xx = 1, yx = 1, xy = -nan(0xfffffffffffff), yy = 3.1524664462486777e-269, x0 = -7.8446562264848481e-40, y0 = 1}
#7  0xb6f0ec1d in TextSelectionPainter::visitWord (this=0xbffb90c4, word=0x8443838, begin=0, end=6, selection=0xbffb8fb8) at TextOutputDev.cc:3383
        string = (GooString *) 0x80000000
#8  0xb6f0ee44 in TextWord::visitSelection (this=0x8443838, visitor=0xbffb90c4, selection=0xbffb8fb8) at TextOutputDev.cc:3422
        i = 6
        begin = 0
        end = 6
        mid = 0
#9  0xb6f0f072 in TextLine::visitSelection (this=0x8442ea8, visitor=0xbffb90c4, selection=0xbffb8fb8) at TextOutputDev.cc:3460
        begin = (TextWord *) 0x8443838
        end = (TextWord *) 0x0
        i = 6
        p = (TextWord *) 0x8443838
        edge_begin = <value optimized out>
        edge_end = 6
#10 0xb6f1491e in TextBlock::visitSelection (this=0x8443990, visitor=0xbffb90c4, selection=0xbffb9050) at TextOutputDev.cc:3532
        begin = (TextLine *) 0x8442ea8
        end = (TextLine *) 0x0
        child_selection = {x1 = 0, y1 = 0, x2 = 595, y2 = 842}
        start_x = 0
        stop_y = 842
        p = (TextLine *) 0x8442ea8
        start_y = 0
        stop_x = 595
#11 0xb6f14b18 in TextPage::visitSelection (this=0x8440300, visitor=0xbffb90c4, selection=0xbffb9268) at TextOutputDev.cc:3605
        i = -1074033300
        begin = <value optimized out>
        end = 2
        child_selection = {x1 = 0, y1 = 0, x2 = 595, y2 = 842}
        start_x = 0
        stop_y = 842
        start_y = 0
        stop_x = 0
        b = <value optimized out>
Created attachment 6605 [details] [review]
Noise

This patch avoided the crash here. This is really not a fix and I don't ask for inclusion as I think it hides several other bugs. I just put it here if someone needs a temporary solution.
Sorry for the noise, I don't understand why it started working repeatedly here on the various crashing PDFs with this patch but no longer does now...
On this document there is a first crash in CairoFont::create: strObj.getTypeName() giving "null" (create is entered about 20 times with the same invalid ref on the given doc and each time fontType is also invalid). A check on the type before using the stream might be nice.

For the real bug, valgrind is quite helpful:

==32431==
==32431== Invalid read of size 4
==32431==    at 0x408D4D6: GfxFont::incRefCnt() (GfxFont.cc:172)
==32431==    by 0x40F1205: TextSelectionPainter::visitWord(TextWord*, int, int, PDFRectangle*) (TextOutputDev.cc:3381)
==32431==    by 0x40E9E27: TextWord::visitSelection(TextSelectionVisitor*, PDFRectangle*) (TextOutputDev.cc:3422)
==32431==    by 0x40EA062: TextLine::visitSelection(TextSelectionVisitor*, PDFRectangle*) (TextOutputDev.cc:3460)
==32431==    by 0x40EA242: TextBlock::visitSelection(TextSelectionVisitor*, PDFRectangle*) (TextOutputDev.cc:3532)
==32431==    by 0x40F1600: TextPage::visitSelection(TextSelectionVisitor*, PDFRectangle*) (TextOutputDev.cc:3605)
==32431==    by 0x40F2C71: TextPage::drawSelection(OutputDev*, double, int, PDFRectangle*, GfxColor*, GfxColor*) (TextOutputDev.cc:3618)
==32431==    by 0x40F2CE9: TextOutputDev::drawSelection(OutputDev*, double, int, PDFRectangle*, GfxColor*, GfxColor*) (TextOutputDev.cc:4202)
==32431==    by 0x402D1EA: poppler_page_render_selection (poppler-page.cc:560)
==32431==    by 0x8095194: pdf_selection_render_selection(_EvSelection*, _EvRenderContext*, _GdkPixbuf**, EvRectangle*, EvRectangle*, _GdkColor*, _GdkColor*) (in /usr/bin/evince)
==32431==    by 0x809454C: ev_selection_render_selection (in /usr/bin/evince)
==32431==    by 0x806B2D4: ev_pixbuf_cache_get_selection_pixbuf (in /usr/bin/evince)
==32431==  Address 0x564AE64 is 164 bytes inside a block of size 3,536 free'd
==32431==    at 0x401EBFA: operator delete(void*) (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==32431==    by 0x408E16F: Gfx8BitFont::~Gfx8BitFont() (GfxFont.cc:939)
==32431==    by 0x408D507: GfxFont::decRefCnt() (GfxFont.cc:177)
==32431==    by 0x408D600: GfxFontDict::~GfxFontDict() (GfxFont.cc:1635)
==32431==    by 0x4080C1A: GfxResources::~GfxResources() (Gfx.cc:304)
==32431==    by 0x4080C9A: Gfx::popResources() (Gfx.cc:3649)
==32431==    by 0x40872BC: Gfx::doForm1(Object*, Dict*, double*, double*) (Gfx.cc:3479)
==32431==    by 0x4087C19: Gfx::doForm(Object*) (Gfx.cc:3305)
==32431==    by 0x4087F3D: Gfx::opXObject(Object*, int) (Gfx.cc:2907)
==32431==    by 0x4082DEC: Gfx::execOp(Object*, Object*, int) (Gfx.cc:713)
==32431==    by 0x4082FC3: Gfx::go(int) (Gfx.cc:581)
==32431==    by 0x408352E: Gfx::display(Object*, int) (Gfx.cc:544)
==32431==
==32431== Invalid read of size 4
==32431==    at 0x4031490: CairoOutputDev::updateFont(GfxState*) (CairoOutputDev.cc:273)
==32431==    by 0x40F123B: TextSelectionPainter::visitWord(TextWord*, int, int, PDFRectangle*) (TextOutputDev.cc:3383)
==32431==    by 0x40E9E27: TextWord::visitSelection(TextSelectionVisitor*, PDFRectangle*) (TextOutputDev.cc:3422)
==32431==    by 0x40EA062: TextLine::visitSelection(TextSelectionVisitor*, PDFRectangle*) (TextOutputDev.cc:3460)
==32431==    by 0x40EA242: TextBlock::visitSelection(TextSelectionVisitor*, PDFRectangle*) (TextOutputDev.cc:3532)
==32431==    by 0x40F1600: TextPage::visitSelection(TextSelectionVisitor*, PDFRectangle*) (TextOutputDev.cc:3605)
==32431==    by 0x40F2C71: TextPage::drawSelection(OutputDev*, double, int, PDFRectangle*, GfxColor*, GfxColor*) (TextOutputDev.cc:3618)
==32431==    by 0x40F2CE9: TextOutputDev::drawSelection(OutputDev*, double, int, PDFRectangle*, GfxColor*, GfxColor*) (TextOutputDev.cc:4202)
==32431==    by 0x402D1EA: poppler_page_render_selection (poppler-page.cc:560)
==32431==    by 0x8095194: pdf_selection_render_selection(_EvSelection*, _EvRenderContext*, _GdkPixbuf**, EvRectangle*, EvRectangle*, _GdkColor*, _GdkColor*) (in /usr/bin/evince)
==32431==    by 0x809454C: ev_selection_render_selection (in /usr/bin/evince)
==32431==    by 0x806B2D4: ev_pixbuf_cache_get_selection_pixbuf (in /usr/bin/evince)
==32431==  Address 0x564ADE4 is 36 bytes inside a block of size 3,536 free'd
==32431==    at 0x401EBFA: operator delete(void*) (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==32431==    by 0x408E16F: Gfx8BitFont::~Gfx8BitFont() (GfxFont.cc:939)
==32431==    by 0x408D507: GfxFont::decRefCnt() (GfxFont.cc:177)
==32431==    by 0x408D600: GfxFontDict::~GfxFontDict() (GfxFont.cc:1635)
==32431==    by 0x4080C1A: GfxResources::~GfxResources() (Gfx.cc:304)
==32431==    by 0x4080C9A: Gfx::popResources() (Gfx.cc:3649)
==32431==    by 0x40872BC: Gfx::doForm1(Object*, Dict*, double*, double*) (Gfx.cc:3479)
==32431==    by 0x4087C19: Gfx::doForm(Object*) (Gfx.cc:3305)
==32431==    by 0x4087F3D: Gfx::opXObject(Object*, int) (Gfx.cc:2907)
==32431==    by 0x4082DEC: Gfx::execOp(Object*, Object*, int) (Gfx.cc:713)
==32431==    by 0x4082FC3: Gfx::go(int) (Gfx.cc:581)
==32431==    by 0x408352E: Gfx::display(Object*, int) (Gfx.cc:544)
==32431==
==32431== Invalid read of size 4
==32431==    at 0x402F5A9: CairoFontEngine::getFont(GfxFont*, XRef*) (CairoFontEngine.cc:346)
==32431==    by 0x40314B5: CairoOutputDev::updateFont(GfxState*) (CairoOutputDev.cc:276)
==32431==    by 0x40F123B: TextSelectionPainter::visitWord(TextWord*, int, int, PDFRectangle*) (TextOutputDev.cc:3383)
==32431==    by 0x40E9E27: TextWord::visitSelection(TextSelectionVisitor*, PDFRectangle*) (TextOutputDev.cc:3422)
==32431==    by 0x40EA062: TextLine::visitSelection(TextSelectionVisitor*, PDFRectangle*) (TextOutputDev.cc:3460)
==32431==    by 0x40EA242: TextBlock::visitSelection(TextSelectionVisitor*, PDFRectangle*) (TextOutputDev.cc:3532)
==32431==    by 0x40F1600: TextPage::visitSelection(TextSelectionVisitor*, PDFRectangle*) (TextOutputDev.cc:3605)
==32431==    by 0x40F2C71: TextPage::drawSelection(OutputDev*, double, int, PDFRectangle*, GfxColor*, GfxColor*) (TextOutputDev.cc:3618)
==32431==    by 0x40F2CE9: TextOutputDev::drawSelection(OutputDev*, double, int, PDFRectangle*, GfxColor*, GfxColor*) (TextOutputDev.cc:4202)
==32431==    by 0x402D1EA: poppler_page_render_selection (poppler-page.cc:560)
==32431==    by 0x8095194: pdf_selection_render_selection(_EvSelection*, _EvRenderContext*, _GdkPixbuf**, EvRectangle*, EvRectangle*, _GdkColor*, _GdkColor*) (in /usr/bin/evince)
==32431==    by 0x809454C: ev_selection_render_selection (in /usr/bin/evince)
==32431==  Address 0x564ADC8 is 8 bytes inside a block of size 3,536 free'd
==32431==    at 0x401EBFA: operator delete(void*) (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==32431==    by 0x408E16F: Gfx8BitFont::~Gfx8BitFont() (GfxFont.cc:939)
==32431==    by 0x408D507: GfxFont::decRefCnt() (GfxFont.cc:177)
==32431==    by 0x408D600: GfxFontDict::~GfxFontDict() (GfxFont.cc:1635)
==32431==    by 0x4080C1A: GfxResources::~GfxResources() (Gfx.cc:304)
==32431==    by 0x4080C9A: Gfx::popResources() (Gfx.cc:3649)
==32431==    by 0x40872BC: Gfx::doForm1(Object*, Dict*, double*, double*) (Gfx.cc:3479)
==32431==    by 0x4087C19: Gfx::doForm(Object*) (Gfx.cc:3305)
==32431==    by 0x4087F3D: Gfx::opXObject(Object*, int) (Gfx.cc:2907)
==32431==    by 0x4082DEC: Gfx::execOp(Object*, Object*, int) (Gfx.cc:713)
==32431==    by 0x4082FC3: Gfx::go(int) (Gfx.cc:581)
==32431==    by 0x408352E: Gfx::display(Object*, int) (Gfx.cc:544)
==32431==
==32431== Invalid read of size 4
==32431==    at 0x402F5AC: CairoFontEngine::getFont(GfxFont*, XRef*) (CairoFontEngine.cc:346)
==32431==    by 0x40314B5: CairoOutputDev::updateFont(GfxState*) (CairoOutputDev.cc:276)
==32431==    by 0x40F123B: TextSelectionPainter::visitWord(TextWord*, int, int, PDFRectangle*) (TextOutputDev.cc:3383)
==32431==    by 0x40E9E27: TextWord::visitSelection(TextSelectionVisitor*, PDFRectangle*) (TextOutputDev.cc:3422)
==32431==    by 0x40EA062: TextLine::visitSelection(TextSelectionVisitor*, PDFRectangle*) (TextOutputDev.cc:3460)
==32431==    by 0x40EA242: TextBlock::visitSelection(TextSelectionVisitor*, PDFRectangle*) (TextOutputDev.cc:3532)
==32431==    by 0x40F1600: TextPage::visitSelection(TextSelectionVisitor*, PDFRectangle*) (TextOutputDev.cc:3605)
==32431==    by 0x40F2C71: TextPage::drawSelection(OutputDev*, double, int, PDFRectangle*, GfxColor*, GfxColor*) (TextOutputDev.cc:3618)
==32431==    by 0x40F2CE9: TextOutputDev::drawSelection(OutputDev*, double, int, PDFRectangle*, GfxColor*, GfxColor*) (TextOutputDev.cc:4202)
==32431==    by 0x402D1EA: poppler_page_render_selection (poppler-page.cc:560)
==32431==    by 0x8095194: pdf_selection_render_selection(_EvSelection*, _EvRenderContext*, _GdkPixbuf**, EvRectangle*, EvRectangle*, _GdkColor*, _GdkColor*) (in /usr/bin/evince)
==32431==    by 0x809454C: ev_selection_render_selection (in /usr/bin/evince)
==32431==  Address 0x564ADCC is 12 bytes inside a block of size 3,536 free'd
==32431==    at 0x401EBFA: operator delete(void*) (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==32431==    by 0x408E16F: Gfx8BitFont::~Gfx8BitFont() (GfxFont.cc:939)
==32431==    by 0x408D507: GfxFont::decRefCnt() (GfxFont.cc:177)
==32431==    by 0x408D600: GfxFontDict::~GfxFontDict() (GfxFont.cc:1635)
==32431==    by 0x4080C1A: GfxResources::~GfxResources() (Gfx.cc:304)
==32431==    by 0x4080C9A: Gfx::popResources() (Gfx.cc:3649)
==32431==    by 0x40872BC: Gfx::doForm1(Object*, Dict*, double*, double*) (Gfx.cc:3479)
==32431==    by 0x4087C19: Gfx::doForm(Object*) (Gfx.cc:3305)
==32431==    by 0x4087F3D: Gfx::opXObject(Object*, int) (Gfx.cc:2907)
==32431==    by 0x4082DEC: Gfx::execOp(Object*, Object*, int) (Gfx.cc:713)
==32431==    by 0x4082FC3: Gfx::go(int) (Gfx.cc:581)
==32431==    by 0x408352E: Gfx::display(Object*, int) (Gfx.cc:544)
==32431==
==32431== Invalid read of size 4
==32431==    at 0x408D4E9: GfxFont::decRefCnt() (GfxFont.cc:176)
==32431==    by 0x4099031: GfxState::setFont(GfxFont*, double) (GfxState.cc:4057)
==32431==    by 0x40F1223: TextSelectionPainter::visitWord(TextWord*, int, int, PDFRectangle*) (TextOutputDev.cc:3382)
==32431==    by 0x40E9E27: TextWord::visitSelection(TextSelectionVisitor*, PDFRectangle*) (TextOutputDev.cc:3422)
==32431==    by 0x40EA062: TextLine::visitSelection(TextSelectionVisitor*, PDFRectangle*) (TextOutputDev.cc:3460)
==32431==    by 0x40EA242: TextBlock::visitSelection(TextSelectionVisitor*, PDFRectangle*) (TextOutputDev.cc:3532)
==32431==    by 0x40F1600: TextPage::visitSelection(TextSelectionVisitor*, PDFRectangle*) (TextOutputDev.cc:3605)
==32431==    by 0x40F2C71: TextPage::drawSelection(OutputDev*, double, int, PDFRectangle*, GfxColor*, GfxColor*) (TextOutputDev.cc:3618)
==32431==    by 0x40F2CE9: TextOutputDev::drawSelection(OutputDev*, double, int, PDFRectangle*, GfxColor*, GfxColor*) (TextOutputDev.cc:4202)
==32431==    by 0x402D1EA: poppler_page_render_selection (poppler-page.cc:560)
==32431==    by 0x8095194: pdf_selection_render_selection(_EvSelection*, _EvRenderContext*, _GdkPixbuf**, EvRectangle*, EvRectangle*, _GdkColor*, _GdkColor*) (in /usr/bin/evince)
==32431==    by 0x809454C: ev_selection_render_selection (in /usr/bin/evince)
==32431==  Address 0x564AE64 is 164 bytes inside a block of size 3,536 free'd
==32431==    at 0x401EBFA: operator delete(void*) (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==32431==    by 0x408E16F: Gfx8BitFont::~Gfx8BitFont() (GfxFont.cc:939)
==32431==    by 0x408D507: GfxFont::decRefCnt() (GfxFont.cc:177)
==32431==    by 0x408D600: GfxFontDict::~GfxFontDict() (GfxFont.cc:1635)
==32431==    by 0x4080C1A: GfxResources::~GfxResources() (Gfx.cc:304)
==32431==    by 0x4080C9A: Gfx::popResources() (Gfx.cc:3649)
==32431==    by 0x40872BC: Gfx::doForm1(Object*, Dict*, double*, double*) (Gfx.cc:3479)
==32431==    by 0x4087C19: Gfx::doForm(Object*) (Gfx.cc:3305)
==32431==    by 0x4087F3D: Gfx::opXObject(Object*, int) (Gfx.cc:2907)
==32431==    by 0x4082DEC: Gfx::execOp(Object*, Object*, int) (Gfx.cc:713)
==32431==    by 0x4082FC3: Gfx::go(int) (Gfx.cc:581)
==32431==    by 0x408352E: Gfx::display(Object*, int) (Gfx.cc:544)
==32431==
==32431== Invalid write of size 4
==32431==    at 0x408D4F4: GfxFont::decRefCnt() (GfxFont.cc:176)
==32431==    by 0x4099031: GfxState::setFont(GfxFont*, double) (GfxState.cc:4057)
==32431==    by 0x40F1223: TextSelectionPainter::visitWord(TextWord*, int, int, PDFRectangle*) (TextOutputDev.cc:3382)
==32431==    by 0x40E9E27: TextWord::visitSelection(TextSelectionVisitor*, PDFRectangle*) (TextOutputDev.cc:3422)
==32431==    by 0x40EA062: TextLine::visitSelection(TextSelectionVisitor*, PDFRectangle*) (TextOutputDev.cc:3460)
==32431==    by 0x40EA242: TextBlock::visitSelection(TextSelectionVisitor*, PDFRectangle*) (TextOutputDev.cc:3532)
==32431==    by 0x40F1600: TextPage::visitSelection(TextSelectionVisitor*, PDFRectangle*) (TextOutputDev.cc:3605)
==32431==    by 0x40F2C71: TextPage::drawSelection(OutputDev*, double, int, PDFRectangle*, GfxColor*, GfxColor*) (TextOutputDev.cc:3618)
==32431==    by 0x40F2CE9: TextOutputDev::drawSelection(OutputDev*, double, int, PDFRectangle*, GfxColor*, GfxColor*) (TextOutputDev.cc:4202)
==32431==    by 0x402D1EA: poppler_page_render_selection (poppler-page.cc:560)
==32431==    by 0x8095194: pdf_selection_render_selection(_EvSelection*, _EvRenderContext*, _GdkPixbuf**, EvRectangle*, EvRectangle*, _GdkColor*, _GdkColor*) (in /usr/bin/evince)
==32431==    by 0x809454C: ev_selection_render_selection (in /usr/bin/evince)
==32431==  Address 0x564AE64 is 164 bytes inside a block of size 3,536 free'd
==32431==    at 0x401EBFA: operator delete(void*) (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==32431==    by 0x408E16F: Gfx8BitFont::~Gfx8BitFont() (GfxFont.cc:939)
==32431==    by 0x408D507: GfxFont::decRefCnt() (GfxFont.cc:177)
==32431==    by 0x408D600: GfxFontDict::~GfxFontDict() (GfxFont.cc:1635)
==32431==    by 0x4080C1A: GfxResources::~GfxResources() (Gfx.cc:304)
==32431==    by 0x4080C9A: Gfx::popResources() (Gfx.cc:3649)
==32431==    by 0x40872BC: Gfx::doForm1(Object*, Dict*, double*, double*) (Gfx.cc:3479)
==32431==    by 0x4087C19: Gfx::doForm(Object*) (Gfx.cc:3305)
==32431==    by 0x4087F3D: Gfx::opXObject(Object*, int) (Gfx.cc:2907)
==32431==    by 0x4082DEC: Gfx::execOp(Object*, Object*, int) (Gfx.cc:713)
==32431==    by 0x4082FC3: Gfx::go(int) (Gfx.cc:581)
==32431==    by 0x408352E: Gfx::display(Object*, int) (Gfx.cc:544)
==32431==
==32431== Invalid read of size 4
==32431==    at 0x402ED40: CairoFont::create(GfxFont*, XRef*, FT_LibraryRec_*, int) (CairoFontEngine.cc:68)
==32431==    by 0x402F634: CairoFontEngine::getFont(GfxFont*, XRef*) (CairoFontEngine.cc:359)
==32431==    by 0x40314B5: CairoOutputDev::updateFont(GfxState*) (CairoOutputDev.cc:276)
==32431==    by 0x40F123B: TextSelectionPainter::visitWord(TextWord*, int, int, PDFRectangle*) (TextOutputDev.cc:3383)
==32431==    by 0x40E9E27: TextWord::visitSelection(TextSelectionVisitor*, PDFRectangle*) (TextOutputDev.cc:3422)
==32431==    by 0x40EA062: TextLine::visitSelection(TextSelectionVisitor*, PDFRectangle*) (TextOutputDev.cc:3460)
==32431==    by 0x40EA242: TextBlock::visitSelection(TextSelectionVisitor*, PDFRectangle*) (TextOutputDev.cc:3532)
==32431==    by 0x40F1600: TextPage::visitSelection(TextSelectionVisitor*, PDFRectangle*) (TextOutputDev.cc:3605)
==32431==    by 0x40F2C71: TextPage::drawSelection(OutputDev*, double, int, PDFRectangle*, GfxColor*, GfxColor*) (TextOutputDev.cc:3618)
==32431==    by 0x40F2CE9: TextOutputDev::drawSelection(OutputDev*, double, int, PDFRectangle*, GfxColor*, GfxColor*) (TextOutputDev.cc:4202)
==32431==    by 0x402D1EA: poppler_page_render_selection (poppler-page.cc:560)
==32431==    by 0x8095194: pdf_selection_render_selection(_EvSelection*, _EvRenderContext*, _GdkPixbuf**, EvRectangle*, EvRectangle*, _GdkColor*, _GdkColor*) (in /usr/bin/evince)
==32431==  Address 0x564ADCC is 12 bytes inside a block of size 1,280 free'd
==32431==    at 0x401EEBB: free (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==32431==    by 0x4E27D2A: _cairo_traps_fini (cairo-traps.c:84)
==32431==    by 0x0: ???
==32431==
==32431== Invalid read of size 4
==32431==    at 0x402ED43: CairoFont::create(GfxFont*, XRef*, FT_LibraryRec_*, int) (CairoFontEngine.cc:68)
==32431==    by 0x402F634: CairoFontEngine::getFont(GfxFont*, XRef*) (CairoFontEngine.cc:359)
==32431==    by 0x40314B5: CairoOutputDev::updateFont(GfxState*) (CairoOutputDev.cc:276)
==32431==    by 0x40F123B: TextSelectionPainter::visitWord(TextWord*, int, int, PDFRectangle*) (TextOutputDev.cc:3383)
==32431==    by 0x40E9E27: TextWord::visitSelection(TextSelectionVisitor*, PDFRectangle*) (TextOutputDev.cc:3422)
==32431==    by 0x40EA062: TextLine::visitSelection(TextSelectionVisitor*, PDFRectangle*) (TextOutputDev.cc:3460)
==32431==    by 0x40EA242: TextBlock::visitSelection(TextSelectionVisitor*, PDFRectangle*) (TextOutputDev.cc:3532)
==32431==    by 0x40F1600: TextPage::visitSelection(TextSelectionVisitor*, PDFRectangle*) (TextOutputDev.cc:3605)
==32431==    by 0x40F2C71: TextPage::drawSelection(OutputDev*, double, int, PDFRectangle*, GfxColor*, GfxColor*) (TextOutputDev.cc:3618)
==32431==    by 0x40F2CE9: TextOutputDev::drawSelection(OutputDev*, double, int, PDFRectangle*, GfxColor*, GfxColor*) (TextOutputDev.cc:4202)
==32431==    by 0x402D1EA: poppler_page_render_selection (poppler-page.cc:560)
==32431==    by 0x8095194: pdf_selection_render_selection(_EvSelection*, _EvRenderContext*, _GdkPixbuf**, EvRectangle*, EvRectangle*, _GdkColor*, _GdkColor*) (in /usr/bin/evince)
==32431==  Address 0x564ADC8 is 8 bytes inside a block of size 1,280 free'd
==32431==    at 0x401EEBB: free (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==32431==    by 0x4E27D2A: _cairo_traps_fini (cairo-traps.c:84)
==32431==    by 0x0: ???
==32431==
==32431== Invalid read of size 4
==32431==    at 0x402ED46: CairoFont::create(GfxFont*, XRef*, FT_LibraryRec_*, int) (GfxFont.h:147)
==32431==    by 0x402F634: CairoFontEngine::getFont(GfxFont*, XRef*) (CairoFontEngine.cc:359)
==32431==    by 0x40314B5: CairoOutputDev::updateFont(GfxState*) (CairoOutputDev.cc:276)
==32431==    by 0x40F123B: TextSelectionPainter::visitWord(TextWord*, int, int, PDFRectangle*) (TextOutputDev.cc:3383)
==32431==    by 0x40E9E27: TextWord::visitSelection(TextSelectionVisitor*, PDFRectangle*) (TextOutputDev.cc:3422)
==32431==    by 0x40EA062: TextLine::visitSelection(TextSelectionVisitor*, PDFRectangle*) (TextOutputDev.cc:3460)
==32431==    by 0x40EA242: TextBlock::visitSelection(TextSelectionVisitor*, PDFRectangle*) (TextOutputDev.cc:3532)
==32431==    by 0x40F1600: TextPage::visitSelection(TextSelectionVisitor*, PDFRectangle*) (TextOutputDev.cc:3605)
==32431==    by 0x40F2C71: TextPage::drawSelection(OutputDev*, double, int, PDFRectangle*, GfxColor*, GfxColor*) (TextOutputDev.cc:3618)
==32431==    by 0x40F2CE9: TextOutputDev::drawSelection(OutputDev*, double, int, PDFRectangle*, GfxColor*, GfxColor*) (TextOutputDev.cc:4202)
==32431==    by 0x402D1EA: poppler_page_render_selection (poppler-page.cc:560)
==32431==    by 0x8095194: pdf_selection_render_selection(_EvSelection*, _EvRenderContext*, _GdkPixbuf**, EvRectangle*, EvRectangle*, _GdkColor*, _GdkColor*) (in /usr/bin/evince)
==32431==  Address 0x564ADE4 is 36 bytes inside a block of size 1,280 free'd
==32431==    at 0x401EEBB: free (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==32431==    by 0x4E27D2A: _cairo_traps_fini (cairo-traps.c:84)
==32431==    by 0x0: ???
==32431==
==32431== Invalid read of size 4
==32431==    at 0x402ED71: CairoFont::create(GfxFont*, XRef*, FT_LibraryRec_*, int) (GfxFont.h:153)
==32431==    by 0x402F634: CairoFontEngine::getFont(GfxFont*, XRef*) (CairoFontEngine.cc:359)
==32431==    by 0x40314B5: CairoOutputDev::updateFont(GfxState*) (CairoOutputDev.cc:276)
==32431==    by 0x40F123B: TextSelectionPainter::visitWord(TextWord*, int, int, PDFRectangle*) (TextOutputDev.cc:3383)
==32431==    by 0x40E9E27: TextWord::visitSelection(TextSelectionVisitor*, PDFRectangle*) (TextOutputDev.cc:3422)
==32431==    by 0x40EA062: TextLine::visitSelection(TextSelectionVisitor*, PDFRectangle*) (TextOutputDev.cc:3460)
==32431==    by 0x40EA242: TextBlock::visitSelection(TextSelectionVisitor*, PDFRectangle*) (TextOutputDev.cc:3532)
==32431==    by 0x40F1600: TextPage::visitSelection(TextSelectionVisitor*, PDFRectangle*) (TextOutputDev.cc:3605)
==32431==    by 0x40F2C71: TextPage::drawSelection(OutputDev*, double, int, PDFRectangle*, GfxColor*, GfxColor*) (TextOutputDev.cc:3618)
==32431==    by 0x40F2CE9: TextOutputDev::drawSelection(OutputDev*, double, int, PDFRectangle*, GfxColor*, GfxColor*) (TextOutputDev.cc:4202)
==32431==    by 0x402D1EA: poppler_page_render_selection (poppler-page.cc:560)
==32431==    by 0x8095194: pdf_selection_render_selection(_EvSelection*, _EvRenderContext*, _GdkPixbuf**, EvRectangle*, EvRectangle*, _GdkColor*, _GdkColor*) (in /usr/bin/evince)
==32431==  Address 0x564ADF0 is 48 bytes inside a block of size 1,280 free'd
==32431==    at 0x401EEBB: free (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==32431==    by 0x4E27D2A: _cairo_traps_fini (cairo-traps.c:84)
==32431==    by 0x0: ???
==32431==
==32431== Invalid read of size 4
==32431==    at 0x402ED7B: CairoFont::create(GfxFont*, XRef*, FT_LibraryRec_*, int) (GfxFont.h:153)
==32431==    by 0x402F634: CairoFontEngine::getFont(GfxFont*, XRef*) (CairoFontEngine.cc:359)
==32431==    by 0x40314B5: CairoOutputDev::updateFont(GfxState*) (CairoOutputDev.cc:276)
==32431==    by 0x40F123B: TextSelectionPainter::visitWord(TextWord*, int, int, PDFRectangle*) (TextOutputDev.cc:3383)
==32431==    by 0x40E9E27: TextWord::visitSelection(TextSelectionVisitor*, PDFRectangle*) (TextOutputDev.cc:3422)
==32431==    by 0x40EA062: TextLine::visitSelection(TextSelectionVisitor*, PDFRectangle*) (TextOutputDev.cc:3460)
==32431==    by 0x40EA242: TextBlock::visitSelection(TextSelectionVisitor*, PDFRectangle*) (TextOutputDev.cc:3532)
==32431==    by 0x40F1600: TextPage::visitSelection(TextSelectionVisitor*, PDFRectangle*) (TextOutputDev.cc:3605)
==32431==    by 0x40F2C71: TextPage::drawSelection(OutputDev*, double, int, PDFRectangle*, GfxColor*, GfxColor*) (TextOutputDev.cc:3618)
==32431==    by 0x40F2CE9: TextOutputDev::drawSelection(OutputDev*, double, int, PDFRectangle*, GfxColor*, GfxColor*) (TextOutputDev.cc:4202)
==32431==    by 0x402D1EA: poppler_page_render_selection (poppler-page.cc:560)
==32431==    by 0x8095194: pdf_selection_render_selection(_EvSelection*, _EvRenderContext*, _GdkPixbuf**, EvRectangle*, EvRectangle*, _GdkColor*, _GdkColor*) (in /usr/bin/evince)
==32431==  Address 0x564ADF4 is 52 bytes inside a block of size 1,280 free'd
==32431==    at 0x401EEBB: free (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==32431==    by 0x4E27D2A: _cairo_traps_fini (cairo-traps.c:84)
==32431==    by 0x0: ???
I think I got it this time! GfxFontDict::~GfxFontDict calls decRefCnt on all fonts, but GfxFontDict::GfxFontDict does not call incRefCnt, so fonts get freed.
Created attachment 6611 [details] [review] increment the refcount and be more robust
Patch fixes the crash for me!
GfxFontDict makes the fonts, which start off with a refCount of 1. So incrementing them looks wrong.
OK, I'll try to have another look at the counters to find if there is unmatched dec somewhere else, but I don't remember seeing another one.
Created attachment 7091 [details] [review] Properly RefCnt inside TextFontInfo The attached patch should fix things. TextFontInfo takes a reference to a GfxFont but doesn't do an incRefCnt(). This patch fixes that.
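The refcount contract the comments above describe, as an added example (this is not poppler's or evince's code; `Font`, `FontDict`, `FontInfo` and the `g_liveFonts` tracker are hypothetical stand-ins, named after the incRefCnt/decRefCnt convention in the thread). A font starts at count 1 owned by the dictionary that created it, so the dictionary must not increment in its constructor; every other holder that keeps a pointer past its own scope must take a reference and release it, otherwise the dictionary's teardown frees the font under the holder, which is the dangling pointer the valgrind trace reports:

```cpp
#include <cstddef>
#include <cstdint>
#include <set>
#include <vector>

// Constructed bookkeeping: records which Font objects are still allocated so a
// dangling pointer can be observed without dereferencing it.
static std::set<std::uintptr_t> g_liveFonts;
static std::uintptr_t key(const void* p) { return reinterpret_cast<std::uintptr_t>(p); }

// Hypothetical intrusively refcounted font. A new font starts at 1, owned by
// its creator; the last decRefCnt deletes it.
class Font {
public:
    Font() : refCnt(1) { g_liveFonts.insert(key(this)); }
    void incRefCnt() { ++refCnt; }
    void decRefCnt() { if (--refCnt == 0) delete this; }
    int refCount() const { return refCnt; }
private:
    ~Font() { g_liveFonts.erase(key(this)); }
    int refCnt;
};

static bool fontAlive(const Font* f) { return g_liveFonts.count(key(f)) != 0; }

// Stand-in for the dictionary: creates its fonts (count 1 is the dict's own
// reference) and releases exactly that reference in its destructor. No
// incRefCnt in the constructor, as the comments above point out.
class FontDict {
public:
    explicit FontDict(int n) { for (int i = 0; i < n; ++i) fonts.push_back(new Font()); }
    ~FontDict() { for (Font* f : fonts) f->decRefCnt(); }
    Font* lookup(int i) const { return fonts.at(i); }
private:
    std::vector<Font*> fonts;
};

// Stand-in for a holder such as TextFontInfo. With takeRef == false it keeps a
// raw pointer without bumping the count (the bug); with takeRef == true it
// holds a real reference and releases it when destroyed (the fix).
class FontInfo {
public:
    FontInfo(Font* f, bool takeRef) : font(f), owns(takeRef) { if (owns) font->incRefCnt(); }
    ~FontInfo() { if (owns) font->decRefCnt(); }
    Font* get() const { return font; }
private:
    Font* font;
    bool owns;
};

// Models the crash scenario: the dictionary is torn down while a FontInfo still
// points at one of its fonts. Returns true if the font is still allocated then.
bool fontAliveAfterDictTeardown(bool takeRef) {
    g_liveFonts.clear();
    FontInfo* info;
    {
        FontDict dict(2);
        info = new FontInfo(dict.lookup(0), takeRef);
    }   // ~FontDict drops the dict's reference on both fonts
    bool alive = fontAlive(info->get());  // pointer compared, never dereferenced
    delete info;                          // releases the holder's reference, if it took one
    return alive;
}

// After every holder is gone the fixed variant must leave nothing allocated:
// no leak and no double free.
std::size_t liveFontsAfterAll(bool takeRef) {
    fontAliveAfterDictTeardown(takeRef);
    return g_liveFonts.size();
}
```

With `takeRef == false` the font is already gone when the holder is still in use, which is what valgrind flags as a read inside a free'd block; with `takeRef == true` the font survives the dictionary and is released once the holder lets go, so the count ends at zero on both paths.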
Pascal, are the robustness enhancements needed? I.e., is there a PDF that shows a problem that the robustness enhancements fix?
It's not really needed, as fixing the real issue to have a valid stream there is better. I just prefer avoiding crashes when something goes wrong elsewhere in the code, and I actually added this before finding the refcount issue, to hide it.
Fixed in cvs.