GNOME Bugzilla – Bug 706048
Segmentation fault when using "Open a copy" on any document with comments/annotations
Last modified: 2016-07-19 15:36:52 UTC
Hi, I have a PDF with comments/annotations. Evince displays it fine. However, when I click on File > Open a copy, I get a segmentation fault. I have tried to find out the specific page that causes the issue by extracting each page alone with Ghostscript. Every page in isolation worked fine. However, I noticed that the comments/annotations were converted by Ghostscript. Hence, it seems like the comments/annotations could be responsible for the issue.

System details:
Linux 3.9-1-amd64 #1 SMP Debian 3.9.8-1 x86_64 GNU/Linux
Evince 3.4.0
libpoppler5 0.12.4
libpoppler13 0.16.7
libgtk-3-0 3.8.2-3

The PDF used and a full stack trace are attached. Let me know if you need any more details to address the issue.

Cheers,
Florent
Created attachment 251679 [details] Stack trace
Created attachment 251680 [details] Simple example PDF to reproduce the crash
Created attachment 251681 [details] Stack trace
I have managed to create a simple PDF that exhibits the issue. The key (to cause the crash) was to add an annotation.
Created attachment 251683 [details] Stacktrace with evince/poppler master (~3.9.5/~0.24)
Attached an updated stack trace with Evince and Poppler master (see Thread 1, after show_annotation_windows() and ev_view_window_child_move_with_parent() in ev_view.c).
I can confirm that it happens for documents having annotations for which popup windows are generated in the EvView, like notes. The good news is, I think I have figured out why it is happening. However, I don't have a solution in my mind yet.

Now, say we have such a document open in evince window A. When we use 'Open a copy', Evince starts up a new window, say B. The evil thing is that A and B share the same EvDocument object. As a result, the annotation objects are also shared. For annotations with popups, the pointer to their respective popup windows is stored using

> g_object_set_data (G_OBJECT (annot), "popup", window);

in function ev_view_create_annotation_window () at around line no. 2847 in ev-view.c.

Now, note that in B, a new popup window is not created for this annotation because in function show_annotation_window () in ev-view.c, the annotation object is checked for the pointer to its popup (around line no. 2836):

> window = g_object_get_data (G_OBJECT (annot), "popup");

Since this annotation object is the same one which was used by A, the data for "popup" is there. Also, for the EvView in window A, this popup window is in the list of its children. However, for the EvView in window B, it is not. So, in window B, we come to

> child = ev_view_get_window_child (view, window);

in function ev_view_window_child_move_with_parent () in ev-view.c, and child stays NULL. As a result, in the condition check

> if (root_x != child->parent_x || root_y != child->parent_y)

a few lines later, there is an illegal memory access. I think this is what is causing the problem. If anyone can confirm this and propose a solution, I would be happy to work on it. Thanks!
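The shared-state pattern described in the comment above, as an added illustration that is not evince code and not part of this bug report: a stand-alone C model in which two Views share one Document, the popup handle is stored on the shared annotation (the role of g_object_set_data(annot, "popup", ...)), and only the creating View registers it as a child. The type and function names are hypothetical stand-ins for the EvView/EvDocument code. The unchecked move function mirrors the dereference the comment points at; the guarded variant is a hypothetical mitigation for the illustration only, not the fix evince actually applied.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>

/* Stand-ins for the GObject/GTK types named in the report (hypothetical names,
 * not evince's own). Annot.popup plays the role of the "popup" slot set with
 * g_object_set_data(); Document is the EvDocument both windows share. */
typedef struct { int id; void *popup; } Annot;
typedef struct { Annot *annots; size_t n_annots; } Document;
typedef struct { void *window; int parent_x, parent_y; } ViewChild;
typedef struct { const char *name; Document *doc; ViewChild children[4]; size_t n_children; } View;

/* ev_view_create_annotation_window() analogue: creates the popup, records it
 * on the *shared* annotation, and registers it as a child of *this* view only. */
static void *create_annotation_window(View *view, Annot *annot, int x, int y) {
    void *window = malloc(1);                /* opaque handle standing in for a GtkWindow */
    annot->popup = window;                   /* visible from every View of this Document */
    view->children[view->n_children++] = (ViewChild){ window, x, y };
    return window;
}

/* ev_view_get_window_child() analogue: NULL if this view never registered the window. */
static ViewChild *view_get_window_child(View *view, void *window) {
    for (size_t i = 0; i < view->n_children; i++)
        if (view->children[i].window == window)
            return &view->children[i];
    return NULL;
}

/* ev_view_window_child_move_with_parent() as the comment describes it: the
 * lookup result is dereferenced without a NULL check. Returns 1 if the child
 * position was updated, 0 if it was already current. Crashes when child == NULL. */
static int move_with_parent_unchecked(View *view, void *window, int root_x, int root_y) {
    ViewChild *child = view_get_window_child(view, window);
    if (root_x != child->parent_x || root_y != child->parent_y) {   /* NULL deref in window B */
        child->parent_x = root_x;
        child->parent_y = root_y;
        return 1;
    }
    return 0;
}

/* Hypothetical guarded variant: refuse to touch a window this view does not own.
 * Returns -1 in that case; this is an illustration, not the fix evince applied. */
static int move_with_parent_checked(View *view, void *window, int root_x, int root_y) {
    ViewChild *child = view_get_window_child(view, window);
    if (child == NULL)
        return -1;
    if (root_x != child->parent_x || root_y != child->parent_y) {
        child->parent_x = root_x;
        child->parent_y = root_y;
        return 1;
    }
    return 0;
}

/* show_annotation_window() analogue: reuse whatever popup the annotation already
 * carries, even if another view created it. */
static int show_annotation_window(View *view, Annot *annot, int x, int y, int checked) {
    void *window = annot->popup;
    if (window == NULL) {
        create_annotation_window(view, annot, x, y);
        return 1;
    }
    return checked ? move_with_parent_checked(view, window, x, y)
                   : move_with_parent_unchecked(view, window, x, y);
}

/* The scenario from the comment: window A opens the document, "Open a copy"
 * gives window B a View on the same Document. Returns B's move result. */
int open_a_copy(int checked) {
    Annot annots[1] = { { 1, NULL } };      /* constructed: one note annotation on page 1 */
    Document doc = { annots, 1 };
    View a = { "A", &doc, {{0}}, 0 };
    View b = { "B", &doc, {{0}}, 0 };
    show_annotation_window(&a, &annots[0], 10, 10, checked);              /* A creates and owns the popup */
    int result = show_annotation_window(&b, &annots[0], 20, 20, checked); /* B finds it, but it is not B's child */
    free(annots[0].popup);
    return result;
}

/* Control: a single window moving its own popup works with or without the guard. */
int single_window_move(int checked) {
    Annot annots[1] = { { 1, NULL } };
    Document doc = { annots, 1 };
    View a = { "A", &doc, {{0}}, 0 };
    show_annotation_window(&a, &annots[0], 10, 10, checked);
    int result = show_annotation_window(&a, &annots[0], 30, 30, checked);
    free(annots[0].popup);
    return result;
}

int main(void) {
    printf("single window move: %d\n", single_window_move(0));
    printf("open a copy, guarded: %d\n", open_a_copy(1));
    /* open_a_copy(0) reproduces the report: child == NULL is dereferenced and the process segfaults. */
    return 0;
}
```

Calling open_a_copy(0) is the crash path from the backtrace (NULL child dereferenced in the move function); open_a_copy(1) shows that the lookup failing in B is the root of the problem, not the move itself. A guard alone only hides the fact that B never got its own popup for the annotation; the per-view ownership of popup windows is what actually needs sorting out.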
"Open a copy" works for me with this document.

evince-3.10.0-18.3.x86_64
libpoppler-glib8-0.24.3-1.1.x86_64
libpoppler43-0.24.3-1.1.x86_64

This bug should be changed to works-for-me.
(In reply to comment #7)
> "Open a copy" works for me with this document.
> evince-3.10.0-18.3.x86_64
> libpoppler-glib8-0.24.3-1.1.x86_64
> libpoppler43-0.24.3-1.1.x86_64
>
> this bug should be changed to works-for-me

In GNOME bugzilla there is no such thing as works-for-me, and it has been reproduced by 2 other people (with a backtrace included). That said, I can still reproduce the issue with evince/poppler master.
I wonder if this is a duplicate of Bug 760299
Indeed, I think it is a duplicate... The only difference is that here the annotations are in page 1. Thus, it crashes as soon as you open the copy. *** This bug has been marked as a duplicate of bug 760299 ***