Bug 715048 – Segfault when evince creates the thumbnail of PDF (only when thumbnail pane is visible)

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 715048 - Segfault when evince creates the thumbnail of PDF (only when thumbnail pane is visible)


Summary:	Segfault when evince creates the thumbnail of PDF (only when thumbnail pane i...


Status:	RESOLVED NOTGNOME

Product:	evince
Classification:	Core
Component:	PDF
Version:	3.10.x
Hardware:	Other Linux

Importance:	Normal normal
Target Milestone:	---
Assigned To:	Evince Maintainers
QA Contact:	Evince Maintainers

URL:
Whiteboard:

Duplicates:	721756 725984 737836 745302 746074 (view as bug list)
Depends on:
Blocks:

Reported:	2013-11-23 01:17 UTC by Dominique Leuenberger
Modified:	2015-10-16 16:18 UTC

See Also:
GNOME target:	---
GNOME version:	---

Attachments
The PDF file managing to get the crash done. (1.17 MB, application/pdf) 2013-11-23 01:17 UTC, Dominique Leuenberger	Details

Description Dominique Leuenberger 2013-11-23 01:17:59 UTC

Created attachment 261280 [details]
The PDF file managing to get the crash done.

Out of a 30 page PDF document provided to me that reliably crashed evince, I managed to strip it down to one single page, with the same result (easier test)

The segfault happens when evince loads the file and prepares the thumbnail to be shown; the crash does not happen if the sidebar is disabled (no thumbnails shown); then the page renders perfect on the screen.

Environment:
* Evince 3.10.2
* Poppler 0.24.3
* Cairo 1.12.16

Comment 1 Dominique Leuenberger 2013-11-23 01:18:55 UTC

Addon: also just verified with Evince 3.10.3 => equal

Comment 2 Dominique Leuenberger 2013-11-23 01:24:41 UTC

And a stack trace looks like:

(gdb) bt

+ Trace 232820

#0 active_edges
at cairo-polygon-intersect.c line 1235
#1 intersection_sweep
at cairo-polygon-intersect.c line 1271
#2 _cairo_polygon_intersect
at cairo-polygon-intersect.c line 1466
#3 clip_and_composite_polygon
at cairo-spans-compositor.c line 937
#4 _cairo_spans_compositor_fill
at cairo-spans-compositor.c line 1165
#5 _cairo_compositor_fill
at cairo-compositor.c line 203
#6 _cairo_image_surface_fill
at cairo-image-surface.c line 982
#7 _cairo_surface_fill
at cairo-surface.c line 2255
#8 _cairo_gstate_fill
at cairo-gstate.c line 1308
#9 _cairo_default_context_fill
at cairo-default-context.c line 1058
#10 cairo_fill
at cairo.c line 2201
#11 CairoOutputDev::fill
at CairoOutputDev.cc line 805
#12 Gfx::opFill
at Gfx.cc line 1836
#13 Gfx::go
at Gfx.cc line 712
#14 Gfx::display
at Gfx.cc line 678
#15 Page::displaySlice
at Page.cc line 584
#16 _poppler_page_render
at poppler-page.cc line 362
#17 pdf_page_render
at ev-poppler.cc line 408
#18 make_thumbnail_for_page
at ev-poppler.cc line 454
#19 pdf_document_get_thumbnail
at ev-poppler.cc line 514
#20 ev_job_thumbnail_run
at ev-jobs.c line 853
#21 ev_job_thread
at ev-job-scheduler.c line 184
#22 ev_job_thread_proxy
at ev-job-scheduler.c line 217
#23 g_thread_proxy
at gthread.c line 798
#24 start_thread
at pthread_create.c line 309
#25 clone
at ../sysdeps/unix/sysv/linux/x86_64/clone.S line 111

Comment 3 Germán Poo-Caamaño 2013-11-23 06:34:47 UTC

Thanks for the report and the narrowed test case.

I can also get the same stacktrace with Evince/Poppler/Cairo master. 

I can't reproduce it with poppler-glib-cairo (likely for the lack of thumbnail view), so I keeping this bug here at this moment.

It seems there is some garbage in the text (encoding issue or something), not sure whether it is related with the bug, though.

Comment 4 Ori Avtalion 2015-01-18 22:21:48 UTC

Got a similar stack trace with <http://spacecowboys.fr/elysium/files/Rules_Elysium_US.pdf>.

Only crashes when the side pane with thumbnails is active. Probably crashes when trying to render the thumbnail for page 2.

Tested with evince 3.10.3 and libcairo2 1.13.0.
Also confirmed with evince 3.14.1.

Backtrace:

+ Trace 234569

#0 active_edges
at /build/buildd/cairo-1.13.0~20140204/src/cairo-polygon-intersect.c line 1235
#1 intersection_sweep
at /build/buildd/cairo-1.13.0~20140204/src/cairo-polygon-intersect.c line 1271
#2 _cairo_polygon_intersect
at /build/buildd/cairo-1.13.0~20140204/src/cairo-polygon-intersect.c line 1466
#3 clip_and_composite_polygon
at /build/buildd/cairo-1.13.0~20140204/src/cairo-spans-compositor.c line 946
#4 _cairo_spans_compositor_fill
at /build/buildd/cairo-1.13.0~20140204/src/cairo-spans-compositor.c line 1174
#5 _cairo_compositor_fill
at /build/buildd/cairo-1.13.0~20140204/src/cairo-compositor.c line 203
#6 _cairo_image_surface_fill
at /build/buildd/cairo-1.13.0~20140204/src/cairo-image-surface.c line 985
#7 _cairo_surface_fill
at /build/buildd/cairo-1.13.0~20140204/src/cairo-surface.c line 2305
#8 _cairo_gstate_fill
at /build/buildd/cairo-1.13.0~20140204/src/cairo-gstate.c line 1317
#9 _cairo_default_context_fill
at /build/buildd/cairo-1.13.0~20140204/src/cairo-default-context.c line 1055
#10 cairo_fill
at /build/buildd/cairo-1.13.0~20140204/src/cairo.c line 2205
#11 CairoOutputDev::fill(GfxState*)
from /usr/lib/x86_64-linux-gnu/libpoppler-glib.so.8
#12 Gfx::opFill(Object*, int)
from /usr/lib/x86_64-linux-gnu/libpoppler.so.44
#13 Gfx::go(bool)
from /usr/lib/x86_64-linux-gnu/libpoppler.so.44
#14 Gfx::display(Object*, bool)
from /usr/lib/x86_64-linux-gnu/libpoppler.so.44
#15 Gfx::drawForm(Object*, Dict*, double*, double*, bool, bool, GfxColorSpace*, bool, bool, bool, Function*, GfxColor*)
from /usr/lib/x86_64-linux-gnu/libpoppler.so.44
#16 Gfx::doForm(Object*)
from /usr/lib/x86_64-linux-gnu/libpoppler.so.44
#17 Gfx::opXObject(Object*, int)
from /usr/lib/x86_64-linux-gnu/libpoppler.so.44
#18 Gfx::go(bool)
from /usr/lib/x86_64-linux-gnu/libpoppler.so.44
#19 Gfx::display(Object*, bool)
from /usr/lib/x86_64-linux-gnu/libpoppler.so.44
#20 Gfx::drawForm(Object*, Dict*, double*, double*, bool, bool, GfxColorSpace*, bool, bool, bool, Function*, GfxColor*)
from /usr/lib/x86_64-linux-gnu/libpoppler.so.44
#21 Gfx::doForm(Object*)
from /usr/lib/x86_64-linux-gnu/libpoppler.so.44
#22 Gfx::opXObject(Object*, int)
from /usr/lib/x86_64-linux-gnu/libpoppler.so.44
#23 Gfx::go(bool)
from /usr/lib/x86_64-linux-gnu/libpoppler.so.44
#24 Gfx::display(Object*, bool)
from /usr/lib/x86_64-linux-gnu/libpoppler.so.44
#25 Gfx::drawForm(Object*, Dict*, double*, double*, bool, bool, GfxColorSpace*, bool, bool, bool, Function*, GfxColor*)
from /usr/lib/x86_64-linux-gnu/libpoppler.so.44
#26 Gfx::doForm(Object*)
from /usr/lib/x86_64-linux-gnu/libpoppler.so.44
#27 Gfx::opXObject(Object*, int)
from /usr/lib/x86_64-linux-gnu/libpoppler.so.44
#28 Gfx::go(bool)
from /usr/lib/x86_64-linux-gnu/libpoppler.so.44
#29 Gfx::display(Object*, bool)
from /usr/lib/x86_64-linux-gnu/libpoppler.so.44
#30 Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool)
from /usr/lib/x86_64-linux-gnu/libpoppler.so.44
#31 ??
from /usr/lib/x86_64-linux-gnu/libpoppler-glib.so.8
#32 ??
from /usr/lib/evince/4/backends/libpdfdocument.so
#33 ??
from /usr/lib/evince/4/backends/libpdfdocument.so
#34 ??
from /usr/lib/libevview3.so.3
#35 ??
from /usr/lib/libevview3.so.3
#36 ??
from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#37 start_thread
at pthread_create.c line 312
#38 clone
at ../sysdeps/unix/sysv/linux/x86_64/clone.S line 111

Comment 5 Germán Poo-Caamaño 2015-01-18 22:40:37 UTC

Thaknks, now I can reproduce it with master.

Indeed, it is only reproducible with the thumbnails pane opened. However, Evince can render every page if the pane is closed.

Comment 6 Germán Poo-Caamaño 2015-01-19 01:48:42 UTC

Steps to reproduce it:

1. Open the document.
2. Press F9 to show the sidebar
3. It renders the thumbnail for the first page, then it crashes.

Here a traceback that includes poppler-glib and evince:

+ Trace 234571

#0 active_edges
at cairo-polygon-intersect.c line 1235
#1 intersection_sweep
at cairo-polygon-intersect.c line 1271
#2 _cairo_polygon_intersect
at cairo-polygon-intersect.c line 1466
#3 clip_and_composite_polygon
at cairo-spans-compositor.c line 946
#4 _cairo_spans_compositor_fill
at cairo-spans-compositor.c line 1174
#5 _cairo_compositor_fill
at cairo-compositor.c line 203
#6 _cairo_image_surface_fill
at cairo-image-surface.c line 985
#7 _cairo_surface_fill
#8 _cairo_gstate_fill
at cairo-gstate.c line 1317
#9 _cairo_default_context_fill
at cairo-default-context.c line 1055
#10 cairo_fill
at cairo.c line 2205
#11 CairoOutputDev::fill
at CairoOutputDev.cc line 810
#12 Gfx::opFill
at Gfx.cc line 1891
#13 Gfx::go
at Gfx.cc line 763
#14 Gfx::display
at Gfx.cc line 729
#15 Gfx::drawForm
at Gfx.cc line 4931
#16 Gfx::doForm
at Gfx.cc line 4854
#17 Gfx::opXObject
at Gfx.cc line 4208
#18 Gfx::go
at Gfx.cc line 763
#19 Gfx::display
at Gfx.cc line 729
#20 Gfx::drawForm
at Gfx.cc line 4931
#21 Gfx::doForm
at Gfx.cc line 4854
#22 Gfx::opXObject
at Gfx.cc line 4208
#23 Gfx::go
at Gfx.cc line 763
#24 Gfx::display
at Gfx.cc line 729
#25 Gfx::drawForm
at Gfx.cc line 4931
#26 Gfx::doForm
at Gfx.cc line 4854
#27 Gfx::opXObject
at Gfx.cc line 4208
#28 Gfx::go
at Gfx.cc line 763
#29 Gfx::display
at Gfx.cc line 729
#30 Page::displaySlice
at Page.cc line 585
#31 _poppler_page_render
at poppler-page.cc line 362
#32 pdf_page_render
at ev-poppler.cc line 415
#33 pdf_document_get_thumbnail_surface
at ev-poppler.cc line 551
#34 ev_job_thumbnail_run
at ev-jobs.c line 860
#35 ev_job_thread
at ev-job-scheduler.c line 184
#36 ev_job_thread_proxy
at ev-job-scheduler.c line 217
#37 g_thread_proxy
at gthread.c line 764
#38 start_thread
at pthread_create.c line 309
#39 clone
at ../sysdeps/unix/sysv/linux/x86_64/clone.S line 111

Comment 7 Germán Poo-Caamaño 2015-03-12 17:58:09 UTC

*** Bug 746074 has been marked as a duplicate of this bug. ***

Comment 8 Germán Poo-Caamaño 2015-10-16 14:58:22 UTC

*** Bug 725984 has been marked as a duplicate of this bug. ***

Comment 9 Germán Poo-Caamaño 2015-10-16 16:14:50 UTC

*** Bug 721756 has been marked as a duplicate of this bug. ***

Comment 10 Germán Poo-Caamaño 2015-10-16 16:14:58 UTC

*** Bug 737836 has been marked as a duplicate of this bug. ***

Comment 11 Germán Poo-Caamaño 2015-10-16 16:15:06 UTC

*** Bug 745302 has been marked as a duplicate of this bug. ***

Comment 12 Germán Poo-Caamaño 2015-10-16 16:18:21 UTC

This seems an issue in Cairo, which was fixed.

https://bugs.freedesktop.org/show_bug.cgi?id=74779