
evince crashed with SIGSEGV in clear_job_selection()

Reported by Wim on 2010-09-30
This bug affects 22 people
Affects            Status        Importance  Assigned to  Milestone
Evince             Fix Released  Critical
evince (Ubuntu)                  Medium      Unassigned
  Natty                          Undecided   Unassigned
  Oneiric                        Medium      Unassigned

Bug Description

Evince crashes when clicking on the blank document area during the short interval between Evince's window opening, and before the document has been loaded.

Steps to reproduce:
1. Find a PDF file (the larger the better, so that there's a greater time window)
2. Double click it to open the document in Evince.
3. When Evince's window appears, click on the blank document area immediately. This has to be done before the document loads in the window.
4. Observe Evince segfault.

SegvAnalysis:
 Segfault happened at: 0x9c1964 <ev_pixbuf_cache_set_selection_list+436>: mov 0x58(%eax),%edx
 PC (0x009c1964) ok
 source "0x58(%eax)" (0x00000058) not located in a known VMA region (needed readable region)!
 destination "%edx" ok
SegvReason: reading NULL VMA
Signal: 11
SourcePackage: evince
StacktraceTop:
 clear_job_selection (pixbuf_cache=0x21de3f18, selection_list=0x0) at /build/buildd/evince-2.32.0/./libview/ev-pixbuf-cache.c:1014
 ev_pixbuf_cache_set_selection_list (pixbuf_cache=0x21de3f18, selection_list=0x0) at /build/buildd/evince-2.32.0/./libview/ev-pixbuf-cache.c:1078
 clear_selection (view=0x21de2018) at /build/buildd/evince-2.32.0/./libview/ev-view.c:5998
 start_selection_for_event (view=0x0, event=0x0) at /build/buildd/evince-2.32.0/./libview/ev-view.c:3492
 ev_view_button_press_event (widget=0x21de2018, event=0x21de75e0) at /build/buildd/evince-2.32.0/./libview/ev-view.c:3596
Title: evince crashed with SIGSEGV in clear_job_selection()
UserGroups: adm admin audio cdrom davfs2 dialout dip floppy fuse lpadmin netdev plugdev powerdev sambashare scanner video
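Added example, not code from evince or from this report: a minimal C model of the failure path above and of the kind of check the backported patch's title ("Make sure we have a valid page range") describes. The type and function names, the struct layout, the -1 sentinel for "no page range yet" and the exact shape of the guard are assumptions; the real EvPixbufCache and CacheJobInfo layouts are not on this page. It illustrates the SegvAnalysis: `mov 0x58(%eax),%edx` with the faulting address 0x00000058 means %eax was 0, i.e. a struct field at offset 0x58 was read through a NULL pointer, which is what walking a page range that does not exist yet produces.

```c
/* Added illustration of LP #651931, not evince's own code. All names, the
 * -1 sentinel and the struct layout are assumptions for this example. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define NO_PAGE (-1)          /* assumed sentinel: no page range set yet */

/* Stand-in for one cached render job (CacheJobInfo in evince). */
typedef struct {
    int   page;
    void *selection;          /* non-NULL while a selection surface exists */
} JobInfo;

/* Stand-in for EvPixbufCache. Before the document finishes loading, the
 * view has not set a page range, so start/end are NO_PAGE and job_list
 * is still NULL (assumed initial state). */
typedef struct {
    int      start_page;
    int      end_page;
    JobInfo *job_list;
} PixbufCache;

static void pixbuf_cache_init(PixbufCache *c) {
    c->start_page = NO_PAGE;
    c->end_page   = NO_PAGE;
    c->job_list   = NULL;
}

/* Called once the document is loaded and pages start..end are laid out.
 * Each job gets a fake selection so that clearing has something to do. */
static int pixbuf_cache_set_page_range(PixbufCache *c, int start, int end) {
    if (start < 0 || end < start) return -1;
    int n = end - start + 1;
    JobInfo *jobs = calloc((size_t)n, sizeof *jobs);
    if (!jobs) return -1;
    for (int i = 0; i < n; i++) {
        jobs[i].page = start + i;
        jobs[i].selection = &jobs[i];     /* constructed, non-NULL marker */
    }
    free(c->job_list);
    c->job_list = jobs;
    c->start_page = start;
    c->end_page = end;
    return 0;
}

static void pixbuf_cache_free(PixbufCache *c) {
    free(c->job_list);
    pixbuf_cache_init(c);
}

/* Pre-fix logic: walks the page range without checking that one exists.
 * With start_page == end_page == NO_PAGE the loop bound is 1 and job_list
 * is NULL, so job_list[0].selection is a read through a NULL base pointer,
 * the "reading NULL VMA" in the SegvAnalysis. Never call this on an
 * unloaded cache; it is kept only to show the defect. */
static int clear_selection_unchecked(PixbufCache *c) {
    int cleared = 0;
    int n = c->end_page - c->start_page + 1;
    for (int i = 0; i < n; i++) {
        if (c->job_list[i].selection) {
            c->job_list[i].selection = NULL;
            cleared++;
        }
    }
    return cleared;
}

/* Post-fix logic: bail out until a valid page range exists. Returns -1
 * when there is nothing to clear yet, otherwise the number cleared. */
static int clear_selection_checked(PixbufCache *c) {
    if (c->start_page == NO_PAGE || c->end_page == NO_PAGE || !c->job_list)
        return -1;
    return clear_selection_unchecked(c);
}

/* Scenario from the report: button press arrives before the document loads. */
static int click_before_load(void) {
    PixbufCache c;
    pixbuf_cache_init(&c);
    int r = clear_selection_checked(&c);  /* -1: guarded, no dereference */
    pixbuf_cache_free(&c);
    return r;
}

/* Normal case: pages 0..2 are visible, a click clears three selections. */
static int click_after_load(void) {
    PixbufCache c;
    int r = -2;
    pixbuf_cache_init(&c);
    if (pixbuf_cache_set_page_range(&c, 0, 2) == 0)
        r = clear_selection_checked(&c);
    pixbuf_cache_free(&c);
    return r;
}

int main(void) {
    printf("click before load -> %d (refused)\n", click_before_load());
    printf("click after load  -> %d selections cleared\n", click_after_load());
    return 0;
}
```

The guard costs one comparison per button press and turns a race between the GTK button-press handler and the document loader into a no-op; `clear_selection_unchecked` is the shape of code that needs the check, not something to call on an unloaded cache.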

Wim (wim-yedema) wrote :
visibility: private → public

StacktraceTop:
 ev_pixbuf_cache_set_selection_list (pixbuf_cache=0x21de3f18,
 clear_selection (view=0x21de2018)
 start_selection_for_event (view=0x0, event=0x0)
 ev_view_button_press_event (widget=0x21de2018,
 _gtk_marshal_BOOLEAN__BOXED (closure=0x21c8b6f0,

Changed in evince (Ubuntu):
importance: Undecided → Medium
tags: removed: need-i386-retrace
Pedro Villavicencio (pedro) wrote :

Thank you for your bug report. This bug has been reported to the developers of the software. You can track it and make comments at:
 https://bugzilla.gnome.org/show_bug.cgi?id=630999

Changed in evince (Ubuntu):
status: New → Triaged
Changed in evince:
importance: Unknown → Critical
status: Unknown → New

Wim: can you attach the document?

Wim (wim-yedema) wrote :

I'm afraid not. The content of the document is confidential to the company I work for.

Pedro Villavicencio (pedro) wrote :

steubens , could you attach the pdf to the report? thanks.

Milan Bouchet-Valat (nalimilan) wrote :

I bumped on the same crash, but sadly it doesn't seem to be reproducible. I'm not sure it has anything to do with the document itself, maybe with the fact that it was opened from the Web browser, or something completely random...

steubens (steubens) wrote :

it's any given pdf, i was able to reproduce it with several; you just need to click before the document area is redrawn/resized

here's a handful:
http://delivery.acm.org/10.1145/1070000/1066954/p1231-mcpherson.pdf?key1=1066954&key2=7358983711&coll=GUIDE&dl=GUIDE&CFID=15151515&CFTOKEN=6184618
http://vis.cs.ucdavis.edu/~ogawa/apvis07ogawa.pdf
http://vis.cs.ucdavis.edu/~shearer/papers/pixelplexing.pdf
http://www.firstamendmentcenter.org/pdf/SOFA.Sept.2010data.pdf

essentially every pdf in my download history; because that's what i verified it with once i realized what did it, i'd had it happen long before that but never figured it was clicking in the client area that did it.

the timing in the bug i posted, that was marked duplicate here; that is the key to at least the bug i posted, remains to be seen if it's an actual duplicate i guess

Changed in evince:
status: New → Confirmed
Linus Hoppe (linus-hoppe) wrote :

can confirm, evince crashed the first time, the second time it works.

steubens: Are you still able to reproduce the bug on demand? Could you give us precise instructions to reproduce it? Upstream developers would need more information to fix the bug.

steubens (steubens) wrote :

in the bug i posted; it had instructions to reproduce it, unfortunately it was marked as a duplicate of this one instead of the other way around (or not at all)

https://bugs.launchpad.net/ubuntu/+source/evince/+bug/661732

and by my own instructions, i can still do it on demand, every time.

Linus Hoppe (linus-hoppe) wrote :

i can still reproduce, too

Indeed, thanks for these valuable details. When your bug is marked as duplicate and you think you provided more information than the duplicate report already has, please post them as a comment!

I've been able to reproduce the crash again, and I've let upstream developers know how to do so, thus they're likely to be able to do something about it.

steubens (steubens) wrote :

i'll try and remember that next time; i figured the people marking bugs would have actually read them, since report quality isn't uniform

Changed in evince:
status: Confirmed → Fix Released
Pedro Villavicencio (pedro) wrote :

this is fixed upstream now, thanks for reporting.

Changed in evince (Ubuntu):
status: Triaged → Fix Committed
Linus Hoppe (linus-hoppe) wrote :

Will the update for ubuntu only be available for natty? or can we hope to see a fix in maverick?

Roy Jamison (xteejx) wrote :

To have this fixed in another Ubuntu release, you will need to complete the Stable Release Update procedure. Full instructions on how to do this can be found at https://wiki.ubuntu.com/StableReleaseUpdates?action=show&redirect=MOTU%2FSRU#Procedure Thank you.

steubens (steubens) wrote :

this is still happening in natty b2, did it not get updated?

On Friday 15,April,2011 05:43 AM, steubens wrote:
> this is still happening in natty b2, did it not get updated?
>

No, it was just fixed upstream, but not actually brought into Ubuntu. The patch
can be backported to Ubuntu without too much trouble though, I reckon.

--
Kind regards,
Loong Jin

Chow Loong Jin (hyperair) wrote :

Attached is a debdiff targeted for Oneiric. I understand that this bug will probably eventually be fixed by the upload of Evince 3.0, but I'd like to get this patch into natty-proposed as well.

description: updated
Roy Jamison (xteejx) wrote :

Do we not need to subscribe the sponsors to this so that they are made aware?

tags: added: patch
Chow Loong Jin (hyperair) wrote :

On 08/05/2011 22:55, Teej wrote:
> Do we not need to subscribe the sponsors to this so that they are made
> aware?

Er, right. I forgot.

  subscribe ubuntu-sponsors

--
Kind regards,
Loong Jin

Dave Walker (davewalker) on 2011-05-16
Changed in evince (Ubuntu Natty):
status: New → Triaged
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package evince - 2.32.0-0ubuntu13

---------------
evince (2.32.0-0ubuntu13) oneiric; urgency=low

  * debian/patches/0001-libview-Make-sure-we-have-a-valid-page-range*:
    - Backport patch from upstream commit, fixing segfault in
      clear_job_selection(). (LP: #651931)
 -- Chow Loong Jin <email address hidden> Sun, 08 May 2011 19:18:04 +0800

Changed in evince (Ubuntu Oneiric):
status: Fix Committed → Fix Released
Chow Loong Jin (hyperair) wrote :

On 16/05/2011 21:14, Launchpad Bug Tracker wrote:
> ** Branch linked: lp:ubuntu/evince
>

Here's a debdiff for an SRU to natty.

--
Kind regards,
Loong Jin

Marc Deslauriers (mdeslaur) wrote :

@Chow Loong Jin:

The Natty debdiff is incomplete. Could you please make a minimal debdiff against Natty's 2.32.0-0ubuntu12.1, including setting the version number to something more appropriate, such as 2.32.0-0ubuntu12.2? Thanks.

Chris Coulson (chrisccoulson) wrote :

Unsubscribing sponsors for now

Chow Loong Jin (hyperair) wrote :

Here's a new debdiff against -0ubuntu12.1.

Marc Deslauriers (mdeslaur) wrote :

Debdiff looks good, thanks!

SRU request:

Evince crashes when clicking on the blank document area during the short interval between Evince's window opening, and before the document has been loaded.

Steps to reproduce:
1. Find a PDF file (the larger the better, so that there's a greater time window)
2. Double click it to open the document in Evince.
3. When Evince's window appears, click on the blank document area immediately. This has to be done before the document loads in the window.
4. Observe Evince segfault.

See the attached debdiff for a minimal patch that fixes the issue. Thanks!

Marc Deslauriers (mdeslaur) wrote :

Accepted evince into natty-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Changed in evince (Ubuntu Natty):
status: Triaged → Fix Committed
tags: added: verification-needed
steubens (steubens) wrote :

this fix works for the set of steps i was using to reproduce the bug, thanks

tags: removed: verification-needed
Martin Pitt (pitti) on 2011-06-18
tags: added: verification-done
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package evince - 2.32.0-0ubuntu12.2

---------------
evince (2.32.0-0ubuntu12.2) natty-proposed; urgency=low

  * debian/patches/0001-libview-Make-sure-we-have-a-valid-page-range*:
    - Backport patch from upstream commit, fixing segfault in
      clear_job_selection(). (LP: #651931)
 -- Chow Loong Jin <email address hidden> Sun, 08 May 2011 19:18:04 +0800

Changed in evince (Ubuntu Natty):
status: Fix Committed → Fix Released