Created attachment 77209
pdf which crashes poppler

Attached PDF crashes poppler. It crashes because fillToStrokePathClip() tries to call cairo_set_dash() with non-zero "num_dashes" but with NULL "dashes".

The code of fillToStrokePathClip() relies on consistency of cairo's dash pattern with the dash pattern stored in strokePathClip->dashes and length of cairo's dash pattern with strokePathClip->dash_count. But the attached PDF breaks this consistency: it makes poppler call fillToStrokePathClip() after a change of cairo's dash pattern but without an update of strokePathClip->dashes.

There are 2 possible solutions for this:
1) don't update strokePathClip->dash_count just before cairo_set_dash() in fillToStrokePathClip() - honour what we already have in strokePathClip->dash*
2) don't set dash pattern by cairo_set_dash() in fillToStrokePathClip() at all - honour what we already have in cairo

The PDF doesn't have correct xref and lengths of streams because it was edited manually but this doesn't cause the crash.

This was originally reported here: https://bugzilla.redhat.com/show_bug.cgi?id=928231 (contains link to the original PDF)
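The state mismatch described in the report above, reduced to a stand-alone C model with both proposed fixes beside the reported behaviour. This is an added example, not poppler's or cairo's code: every type and function name is hypothetical, the save/change/restore sequence is constructed from the report's description, and the model returns an error where the trace shows cairo dereferencing the NULL pointer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef enum { DASH_OK = 0, DASH_NULL_WITH_COUNT = 1, DASH_NOMEM = 2 } dash_status;

/* Dash part of a drawing context (stands in for cairo_t; hypothetical). */
typedef struct { double *dashes; int num_dashes; } model_ctx;

/* Saved stroke state (stands in for strokePathClip->dashes / dash_count). */
typedef struct { double *dashes; int dash_count; } model_clip;

/* Copy n dashes; *out is NULL when n <= 0. */
static dash_status dup_dashes(const double *src, int n, double **out)
{
    *out = NULL;
    if (n <= 0)
        return DASH_OK;
    *out = malloc((size_t)n * sizeof **out);
    if (*out == NULL)
        return DASH_NOMEM;
    memcpy(*out, src, (size_t)n * sizeof **out);
    return DASH_OK;
}

/* Models cairo_set_dash(): the pointer/length pair must agree. The trace
 * shows cairo reading dash[i] with dash=0x0, num_dashes=1; the model
 * reports that case instead of crashing. */
static dash_status model_set_dash(model_ctx *cr, const double *dashes, int n)
{
    double *copy;
    dash_status st;

    if (n > 0 && dashes == NULL)
        return DASH_NULL_WITH_COUNT;
    st = dup_dashes(dashes, n, &copy);
    if (st != DASH_OK)
        return st;
    free(cr->dashes);
    cr->dashes = copy;
    cr->num_dashes = n > 0 ? n : 0;
    return DASH_OK;
}

/* Snapshot the context's dash pattern into the clip (pointer AND length). */
static dash_status clip_save(model_clip *clip, const model_ctx *cr)
{
    double *copy;
    dash_status st = dup_dashes(cr->dashes, cr->num_dashes, &copy);

    if (st != DASH_OK)
        return st;
    free(clip->dashes);
    clip->dashes = copy;
    clip->dash_count = cr->num_dashes;
    return DASH_OK;
}

enum { RESTORE_AS_REPORTED, RESTORE_FROM_CLIP, RESTORE_NONE };

static dash_status clip_restore(model_ctx *cr, model_clip *clip, int variant)
{
    switch (variant) {
    case RESTORE_AS_REPORTED:
        /* Length refreshed from the context, pointer taken from the stale
         * snapshot: the two halves of the pair come from different moments. */
        clip->dash_count = cr->num_dashes;
        return model_set_dash(cr, clip->dashes, clip->dash_count);
    case RESTORE_FROM_CLIP:
        /* Solution 1: use the snapshot's own pointer and length. */
        return model_set_dash(cr, clip->dashes, clip->dash_count);
    default:
        /* Solution 2: leave the context's current dash pattern alone. */
        return DASH_OK;
    }
}

/* Constructed sequence: snapshot with no dash set, dash changed afterwards,
 * then the fill path restores. Reports the context's dash count afterwards. */
dash_status run_scenario(int variant, int *count_after)
{
    model_ctx cr = { NULL, 0 };
    model_clip clip = { NULL, 0 };
    const double later_pattern[1] = { 3.0 };   /* constructed sample value */
    dash_status st;

    clip_save(&clip, &cr);
    model_set_dash(&cr, later_pattern, 1);
    st = clip_restore(&cr, &clip, variant);
    *count_after = cr.num_dashes;
    free(cr.dashes);
    free(clip.dashes);
    return st;
}

int main(void)
{
    static const char *names[] = { "as reported", "solution 1", "solution 2" };
    for (int v = RESTORE_AS_REPORTED; v <= RESTORE_NONE; v++) {
        int n = -1;
        dash_status st = run_scenario(v, &n);
        printf("%-11s status=%d dash_count_after=%d\n", names[v], (int)st, n);
    }
    return 0;
}
```

The two solutions differ in the pattern left on the context after the fill: solution 1 ends with the snapshot's (empty) pattern, solution 2 with the later one.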
I can confirm this crash, and also have found what I think is the same crash in another PDF in Evince bug here (w/ stacktrace): https://bugzilla.gnome.org/show_bug.cgi?id=697471 Please do let me know if you think I am mistaken about them being the same bug.
Here is a backtrace full, info registers and info stack from poppler-glib-demo.

I am using the branch 1.12 from cairo. Although, I just realized that the branch 1.12 seems to be isolated from any 1.12.x release :-/

poppler c7e28e3d (March 25).

Starting program: /home/gpoo/code/evince/install/bin/poppler-glib-demo ~/test.pdf
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
_cairo_gstate_set_dash (offset=0, num_dashes=1, dash=0x0, gstate=0x8431c58) at cairo-gstate.c:542
542 if (dash[i] < 0)
> > bt full
#0 _cairo_gstate_set_dash (offset=0, num_dashes=1, dash=0x0, gstate=0x8431c58) at cairo-gstate.c:542
        on_total = 0
        i = 0
        dash_total = 0
        off_total = 0
        j = 0
#1 _cairo_gstate_set_dash (gstate=0x8431c58, dash=0x0, num_dashes=1, offset=0) at cairo-gstate.c:519
        No locals.
#2 0xb77b0ca0 in cairo_set_dash (cr=0x8157000, dashes=0x0, num_dashes=1, offset=0) at cairo.c:1076
        status = <optimized out>
#3 0xb7fc3239 in CairoOutputDev::fillToStrokePathClip (this=0x8160000, state=0x8431920) at CairoOutputDev.cc:1163
        No locals.
#4 0xb7fc3906 in CairoOutputDev::fill (this=0x8160000, state=0x8431920) at CairoOutputDev.cc:803
        No locals.
#5 0xb72b1b2d in opFill (this=0x83bdf08, args=<optimized out>, numArgs=<optimized out>) at Gfx.cc:1841
        No locals.
#6 Gfx::opFill (this=0x83bdf08, args=0xbfffd924, numArgs=0) at Gfx.cc:1831
        No locals.
Similar stacktrace with cairo master (a64ce0) and poppler master (fcc146).

Using 'thread apply all bt':

Starting program: /home/gpoo/code/evince/install/bin/poppler-glib-demo ~/test.pdf
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
_cairo_gstate_set_dash (offset=0, num_dashes=1, dash=0x0, gstate=0x843b960) at cairo-gstate.c:542
542 if (dash[i] < 0)

Thread 1 (Thread 0xb56beac0 (LWP 9701)):
#0 _cairo_gstate_set_dash (offset=0, num_dashes=1, dash=0x0, gstate=0x843b960) at cairo-gstate.c:542
#1 _cairo_gstate_set_dash (gstate=0x843b960, dash=0x0, num_dashes=1, offset=0) at cairo-gstate.c:519
#2 0xb77a35e0 in cairo_set_dash (cr=0x8155a00, dashes=0x0, num_dashes=1, offset=0) at cairo.c:1076
#3 0xb7fc3339 in CairoOutputDev::fillToStrokePathClip (this=0x815ec00, state=0x843b628) at CairoOutputDev.cc:1163
#4 0xb7fc3a06 in CairoOutputDev::fill (this=0x815ec00, state=0x843b628) at CairoOutputDev.cc:803
#5 0xb72a2abd in opFill (this=0x83cc6f0, args=<optimized out>, numArgs=<optimized out>) at Gfx.cc:1841
#6 Gfx::opFill (this=0x83cc6f0, args=0xbfffd924, numArgs=0) at Gfx.cc:1831
#7 0xb72960a9 in Gfx::execOp (this=0x83cc6f0, cmd=0xbfffdac4, args=0xbfffd924, numArgs=0) at Gfx.cc:858
#8 0xb729d760 in Gfx::go (this=0x83cc6f0, topLevel=true) at Gfx.cc:717
#9 0xb729dc5e in Gfx::display (this=0x83cc6f0, obj=0xbfffdbb4, topLevel=true) at Gfx.cc:683
#10 0xb72e6d43 in Page::displaySlice (this=0x8228268, out=0x815ec00, hDPI=72, vDPI=72, rotate=0, useMediaBox=false, crop=true, sliceX=-1, sliceY=-1, sliceW=-1, sliceH=-1, printing=false, abortCheckCbk=0, abortCheckCbkData=0x0, annotDisplayDecideCbk=0, annotDisplayDecideCbkData=0x0, copyXRef=false) at Page.cc:580
#11 0xb7fb409a in _poppler_page_render (page=0x83e0120, cairo=0x8155a00, printing=false, print_flags=POPPLER_PRINT_DOCUMENT) at poppler-page.cc:362
#12 0x0805c5cd in pgd_render_start (button=0x80863a8, demo=0x81ad6b0) at render.c:143
#13 0xb7725ef3 in g_cclosure_marshal_VOID__VOIDv (closure=0x82288d0, return_value=0x0, instance=0x80863a8, args=0xbfffdf6c "t\337\377\277", marshal_data=0x0, n_params=0, param_types=0x0) at gmarshal.c:115
#14 0xb77243d7 in _g_closure_invoke_va (closure=0x82288d0, return_value=0x0, instance=0x80863a8, args=0xbfffdf6c "t\337\377\277", n_params=0, param_types=0x0) at gclosure.c:840
#15 0xb773de53 in g_signal_emit_valist (instance=0x80863a8, signal_id=187, detail=0, var_args=0xbfffdf6c "t\337\377\277") at gsignal.c:3234
#16 0xb773ea53 in g_signal_emit (instance=0x80863a8, signal_id=187, detail=0) at gsignal.c:3384
#17 0xb7b426fa in gtk_button_clicked (button=0x80863a8) at gtkbutton.c:1308
#18 0xb7b43500 in gtk_real_button_released (button=0x80863a8) at gtkbutton.c:1967
#19 0xb7725ef3 in g_cclosure_marshal_VOID__VOIDv (closure=0x817ec80, return_value=0x0, instance=0x80863a8, args=0xbfffe27c "\f㢷\030\362\t\b8\344\377\277\364?\371\267\001*÷\250c\b\b\310P5\bpl\a\b\241\067\356\266x\356\b\b*", marshal_data=0xb7b43400, n_params=0, param_types=0x0) at gmarshal.c:115
#20 0xb7722a67 in g_type_class_meta_marshalv (closure=0x817ec80, return_value=0x0, instance=0x80863a8, args=0xbfffe27c "\f㢷\030\362\t\b8\344\377\277\364?\371\267\001*÷\250c\b\b\310P5\bpl\a\b\241\067\356\266x\356\b\b*", marshal_data=0x1fc, n_params=0, param_types=0x0) at gclosure.c:997
#21 0xb77243d7 in _g_closure_invoke_va (closure=0x817ec80, return_value=0x0, instance=0x80863a8, args=0xbfffe27c "\f㢷\030\362\t\b8\344\377\277\364?\371\267\001*÷\250c\b\b\310P5\bpl\a\b\241\067\356\266x\356\b\b*", n_params=0, param_types=0x0) at gclosure.c:840
#22 0xb773de53 in g_signal_emit_valist (instance=0x80863a8, signal_id=186, detail=0, var_args=0xbfffe27c "\f㢷\030\362\t\b8\344\377\277\364?\371\267\001*÷\250c\b\b\310P5\bpl\a\b\241\067\356\266x\356\b\b*") at gsignal.c:3234
#23 0xb773ea53 in g_signal_emit (instance=0x80863a8, signal_id=186, detail=0) at gsignal.c:3384
#24 0xb7b42036 in gtk_button_button_release (widget=0x80863a8, event=<optimized out>) at gtkbutton.c:1802
#25 gtk_button_button_release (widget=0x80863a8, event=0x83550c8) at gtkbutton.c:1794
#26 0xb7c32a01 in _gtk_marshal_BOOLEAN__BOXEDv (closure=0x8079c70, return_value=0xbfffe4c0, instance=0x80863a8, args=0xbfffe55c "\310P5\b\214\345\377\277\310P5\b\310P5\b\223\364\327\267\250c\b\bpl\a\b\004", marshal_data=0xb7b41ff0, n_params=1, param_types=0x8079c88) at gtkmarshalers.c:130
#27 0xb7722a67 in g_type_class_meta_marshalv (closure=0x8079c70, return_value=0xbfffe4c0, instance=0x80863a8, args=0xbfffe55c "\310P5\b\214\345\377\277\310P5\b\310P5\b\223\364\327\267\250c\b\bpl\a\b\004", marshal_data=0xc4, n_params=1, param_types=0x8079c88) at gclosure.c:997
#28 0xb77243d7 in _g_closure_invoke_va (closure=0x8079c70, return_value=0xbfffe4c0, instance=0x80863a8, args=0xbfffe55c "\310P5\b\214\345\377\277\310P5\b\310P5\b\223\364\327\267\250c\b\bpl\a\b\004", n_params=1, param_types=0x8079c88) at gclosure.c:840
#29 0xb773de53 in g_signal_emit_valist (instance=0x80863a8, signal_id=29, detail=0, var_args=0xbfffe55c "\310P5\b\214\345\377\277\310P5\b\310P5\b\223\364\327\267\250c\b\bpl\a\b\004") at gsignal.c:3234
#30 0xb773ea53 in g_signal_emit (instance=0x80863a8, signal_id=29, detail=0) at gsignal.c:3384
#31 0xb7d7f64b in gtk_widget_event_internal (widget=0x80863a8, event=0x83550c8) at gtkwidget.c:6714
#32 0xb7c302ef in propagate_event_up (topmost=<optimized out>, event=<optimized out>, widget=0x80863a8) at gtkmain.c:2393
#33 propagate_event (widget=<optimized out>, event=0x83550c8, captured=0, topmost=0x0) at gtkmain.c:2501
#34 0xb7c325b8 in gtk_main_do_event (event=0x83550c8) at gtkmain.c:1716
#35 0xb7a24c8c in _gdk_event_emit (event=0x83550c8) at gdkevents.c:69
#36 0xb7a528a8 in gdk_event_source_dispatch (source=0x80a52b8, callback=0, user_data=0x0) at gdkeventsource.c:364
#37 0xb7632ce6 in g_main_dispatch (context=0x808b8b0) at gmain.c:3054
#38 g_main_context_dispatch (context=0x808b8b0) at gmain.c:3630
#39 0xb7633085 in g_main_context_iterate (dispatch=1, block=-1218179600, context=0x808b8b0, self=<optimized out>) at gmain.c:3701
#40 g_main_context_iterate (context=0x808b8b0, block=-1218179600, dispatch=1, self=<optimized out>) at gmain.c:3638
#41 0xb763355b in g_main_loop_run (loop=0x83388f8) at gmain.c:3895
#42 0xb7c3175d in gtk_main () at gtkmain.c:1156
#43 0x08050a92 in main (argc=2, argv=0xbfffe8f4) at main.c:380
*** Bug 94233 has been marked as a duplicate of this bug. ***
fillToStrokePathClip() should probably not be getting the dash count. It's also a problem that the strokePathClip struct is sometimes not being destroyed when it should be. I was tempted to write a replacement clipToStrokePath function based on the one in splash, one that really did clipping instead of just faking it, but I found there was some work on a cairo_stroke_to_path function a few years ago which was much more advanced than anything I would have done. For some reason it never made it into cairo. Anyone know the status of cairo_stroke_to_path?
(In reply to Jason Crain from comment #5) > Anyone know the status of cairo_stroke_to_path? Last I heard Andrea Canciani had been working on it. His branch is still available here: https://cgit.freedesktop.org/~ranma42/cairo/log/?h=wip/stroke-to-path His last mention of the status of it was in: https://lists.freedesktop.org/archives/cairo/2010-October/020957.html
Created attachment 122051 [details] [review] fix fillToStrokePathClip crash and rendering This patch fixes this crash and fixes the rendering for this document and the various dupes. Removes the call to cairo_get_dash_count in CairoOutputDev::fillToStrokePathClip. It makes strokePathClip reference counted because when drawing tiling patterns it may need to be kept around for more than one drawing operation and uses fillToStrokePathClip in a few more places.
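The inconsistency this report describes (a dash count re-read from the drawing context while the saved dash array stays stale) and the "honour the saved pair" fix, as an added example that is not poppler's or cairo's code. `Ctx`, `StrokeClip`, `ctx_set_dash`, `clip_save`, `replay` and `demo` are hypothetical stand-ins; only the `dashes` / `dash_count` field names come from the report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
enum { DASH_OK, DASH_NULL_WITH_COUNT, DASH_BAD_LENGTH, DASH_NEGATIVE, MAX_DASH = 8 };

/* Constructed stand-ins: Ctx = context dash state, StrokeClip = saved copy. */
typedef struct { double dashes[MAX_DASH]; int count; } Ctx;
typedef struct { double *dashes; int dash_count; } StrokeClip;

/* Checked setter: refuses the (NULL, n > 0) pair seen in the backtrace. */
static int ctx_set_dash(Ctx *ctx, const double *dashes, int n) {
    if (n < 0 || n > MAX_DASH) return DASH_BAD_LENGTH;
    if (n > 0 && dashes == NULL) return DASH_NULL_WITH_COUNT;
    for (int i = 0; i < n; i++)
        if (dashes[i] < 0) return DASH_NEGATIVE;
    if (n > 0) memcpy(ctx->dashes, dashes, (size_t)n * sizeof(double));
    ctx->count = n;
    return DASH_OK;
}

/* Save pointer and count together, from the same source, or not at all. */
static void clip_save(StrokeClip *c, const Ctx *ctx) {
    free(c->dashes);
    c->dashes = NULL; c->dash_count = 0;
    if (ctx->count > 0 && (c->dashes = malloc((size_t)ctx->count * sizeof(double)))) {
        memcpy(c->dashes, ctx->dashes, (size_t)ctx->count * sizeof(double));
        c->dash_count = ctx->count;
    }
}

/* refresh=1: count re-read from the context; refresh=0: saved pair only. */
static int replay(StrokeClip *c, Ctx *ctx, int refresh) {
    if (refresh) c->dash_count = ctx->count;
    return ctx_set_dash(ctx, c->dashes, c->dash_count);
}

static int demo(int refresh) {
    Ctx ctx = { {0}, 0 };
    StrokeClip clip = { NULL, 0 };
    double later[] = { 3.0 };
    clip_save(&clip, &ctx);        /* solid stroke saved: NULL, 0 */
    ctx_set_dash(&ctx, later, 1);  /* context dash changes afterwards */
    int rc = replay(&clip, &ctx, refresh);
    free(clip.dashes);
    return rc;
}

int main(void) {
    return printf("refresh count: %d, saved pair: %d\n", demo(1), demo(0)) < 0;
}
```

With the count refreshed, the replay hands the setter a NULL array with a count of 1, the same argument pair as frame #2 of the backtrace; replaying only the saved pair keeps pointer and count in agreement.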
Still not working March 2016, using Ubuntu LTS 15.04. Can't open US Census maps in evince (https://bugzilla.gnome.org/show_bug.cgi?id=697471). I'm looking for suggestions for an immediate work-around; can't wait years for this to get into Debian/Ubuntu stable.
Comment on attachment 122051: fix fillToStrokePathClip crash and rendering. Pushed, thank you!
*** Bug 94351 has been marked as a duplicate of this bug. ***
*** Bug 91487 has been marked as a duplicate of this bug. ***
*** Bug 91160 has been marked as a duplicate of this bug. ***