evince crashed with SIGSEGV in FcConfigSubstituteWithPat()

Bug #286175 reported by Greg Grossmeier
This bug affects 36 people
Affects | Status | Importance | Assigned to | Milestone
cairo (Ubuntu) | Invalid | High | Unassigned |
  Nominated for Jaunty by Phil M
  Nominated for Karmic by Phil M
  Intrepid | Won't Fix | Undecided | Unassigned |
fontconfig (Ubuntu) | Incomplete | High | Unassigned |
  Nominated for Jaunty by Phil M
  Nominated for Karmic by Phil M
  Intrepid | Won't Fix | High | Unassigned |

Bug Description

Binary package hint: evince

Opening a pdf document from the web.

Crashed before it was able to render anything.

Link: http://www.copyright.gov/history/1790act.pdf

STEPS TO REPRODUCE:
1. Make sure GNOME is running, evince gets fontconfig info from another library (it doesn't access FC directly)
2. Open evince on any file, then close it.
3. Install or remove a font (try msttcorefonts)
4. Open evince with a document (i.e., try the link provided above). It SHOULD crash.

ProblemType: Crash
Architecture: amd64
DistroRelease: Ubuntu 8.10
ExecutablePath: /usr/bin/evince
NonfreeKernelModules: nvidia
Package: evince 2.24.0-0ubuntu2
ProcAttrCurrent: unconfined
ProcCmdline: evince file:///home/username/Documents/Grad_School/SI-519/SI519%20-%20SyllabusF2008.%20Aug.%2026.pdf
ProcEnviron:
 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
 LANG=en_US.UTF-8
 SHELL=/bin/bash
Signal: 11
SourcePackage: evince
StacktraceTop:
 FcConfigSubstituteWithPat ()
 GlobalParams::getDisplayFont (this=0x2989190,
 CairoFont::create (gfxFont=0x7fc1eeb14f70,
 CairoFontEngine::getFont (this=0x7fc1eea017e0,
 CairoOutputDev::updateFont (this=0x7fc1eea020a0,
Title: evince crashed with SIGSEGV in FcConfigSubstituteWithPat()
Uname: Linux 2.6.27-7-generic x86_64
UserGroups: adm admin audio cdrom dialout dip floppy fuse lpadmin plugdev sambashare video

Greg Grossmeier (greg.grossmeier) wrote :
Apport retracing service (apport) wrote : Symbolic stack trace

StacktraceTop:
 IA__FcConfigSubstituteWithPat (config=0x27940b0, p=0x7fc1eea99290, p_pat=0x0,
 GlobalParams::getDisplayFont (this=0x2989190, font=0x7fc1eeb14f70) at GlobalParams.cc:1097
 CairoFont::create (gfxFont=0x7fc1eeb14f70, xref=0x7fc1eeaa1740, lib=0x29735f0, useCIDs=1)
 CairoFontEngine::getFont (this=0x7fc1eea017e0, gfxFont=0x7fc1eeb14f70, xref=0x7fc1eeaa1740)
 CairoOutputDev::updateFont (this=0x7fc1eea020a0, state=0x7fc1eea033c0)

Apport retracing service (apport) wrote : Symbolic threaded stack trace
Changed in evince:
importance: Undecided → Medium
Pedro Villavicencio (pedro) wrote :

looks like a fontconfig issue, reassigning.

Changed in fontconfig:
status: New → Confirmed
Chris Cheney (ccheney) wrote :

I think this also affects OpenOffice.org, bug 254359. It crashes any time a font is added/removed and fc-cache is rerun.

Changed in fontconfig:
importance: Medium → High
milestone: none → ubuntu-8.10
Chris Cheney (ccheney) wrote :

Greg,

When the crash happened were you also doing a system update and/or installing any fonts? I see a similar crash with OpenOffice.org due to adding/removing fonts from fontconfig.

Thanks,

Chris Cheney

Greg Grossmeier (greg.grossmeier) wrote :

Chris,

I don't believe so, but I could be wrong.

Any other people from the duplicates remember if they were updating and/or installing any fonts when this crash happened?

Best,

Greg

rasmus nielsen (rasmusnielsen91) wrote : Re: [Bug 286175] Re: evince crashed with SIGSEGV in FcConfigSubstituteWithPat()

... As far as I remember I had just done a system update, when it crashed,
think I minimized the windows and used compiz... but I'm not sure at all...

:)

2008/10/28 Greg Grossmeier <email address hidden>

> Chris,
> this system had just done an update
> I don't believe so, but I could be wrong.
>
> Any other people from the duplicates remember if they were updating
> and/or installing any fonts when this crash happened?
>
> Best,
>
> Greg

pcollaog (pcollaog) wrote :

This crash happens when I installed msttcorefonts.

I tried to open a pdf made with docbook

Colin Watson (cjwatson)
Changed in fontconfig:
milestone: ubuntu-8.10 → intrepid-updates
Chris Cheney (ccheney) wrote :

This *might* be an OOo and Evince issue not related to fontconfig but it needs more investigation. It didn't seem to start happening until Intrepid in any case and OOo didn't change that much between Hardy and Intrepid.

This bug might be related:

https://bugzilla.novell.com/show_bug.cgi?id=436441

Gabriel Bauman (gabrielbauman) wrote :

Patch for the OpenOffice version of the crash available here: http://qa.openoffice.org/issues/show_bug.cgi?id=94069 .

"Installing a font while OOo is running runs the risk of referencing stuff in psprint's m_pDefConfig which is now invalid... It looks like a safer bet to use FcConfigGetCurrent()..."

Michael Casadevall (mcasadevall) wrote :

I can confirm this bug.

Steps to reproduce added to the summary.

As an additional note, it seems firefox is also partially affected. Once doing the steps to reproduce, if firefox is open, the render on some pages gets completely screwed up.

I don't think the issue is with fontconfig itself, but some programs using fontconfig in a way that is not supported (there is an API, but at least in OpenOffice, it accesses a direct pointer which becomes void if a font is added or removed).

description: updated
Changed in cairo:
assignee: nobody → sonicmctails
importance: Undecided → High
milestone: none → intrepid-updates
status: New → Confirmed
Michael Casadevall (mcasadevall) wrote :

It seems my method to reproduce is not 100% foolproof, as I can not make evince crash reliably (at least when I have GDB or valgrind attached). However, I've noticed if the fc-cache is run and forces an update of system caches, it seems rendering bugs on my hardware appear (i.e., xchat and firefox seem to screw up from time to time, possibly from accessing the old cache or the old fonts).

John Dong (jdong) wrote :

I just got this crash in an up-to-date Jaunty, no updates done on this bootup; Have 5 Firefox windows and HAD 8 or 9 Evince PDF's open. Opened one more and BOOM.

I've been unable to reproduce it though, much to my annoyance.

Sebastien Bacher (seb128) wrote :

could you try if that's still an issue in jaunty?

Changed in cairo (Ubuntu):
assignee: Michael Casadevall (mcasadevall) → nobody
milestone: intrepid-updates → none
John McCabe-Dansted (gmatht) wrote :

I get this crash in Karmic-i386 as well.

hexa- (mweinelt-deactivatedaccount) wrote :

Issue there in Karmic x64 as well.

Alexander Sack (asac) wrote :

any hints how to reproduce? maybe this happens for a specific .pdf/font?

Alexander Sack (asac) wrote :

oh sorry. failed to read the summary :)

Miguel Martinez (el-quark) wrote :

I'd like to add that I've seen this happening after installing the Adobe Minion Pro fonts into $HOME/.fonts/ and then opening a Nature research paper (they use the Minion Pro font family).

Miguel Martinez (el-quark) wrote :

Sorry, last post refers to a crash I've seen in evince in fully up-to-date Karmic.

tags: added: iso-testing
Morris Cavestro (fly82) wrote :

10.4 lucid beta1 bug

Sergio Zanchetta (primes2h) wrote :

Thank you for reporting this bug to Ubuntu. Intrepid Ibex 8.10 reached EOL on 30 March 2010.
Please see this document for currently supported Ubuntu releases:
https://wiki.ubuntu.com/Releases

Please feel free to report any other bugs you may find.
Thank you.

Changed in cairo (Ubuntu Intrepid):
status: New → Won't Fix
Changed in fontconfig (Ubuntu Intrepid):
status: Confirmed → Won't Fix
Sergio Zanchetta (primes2h) wrote :

I realized I had made a mistake.
Intrepid Ibex 8.10 "will reach" EOL on 30 "APRIL" 2010.

Sorry for this.

Anyway, I think that one month doesn't make any difference now.

Damjan Jovanovic (damjan-jov) wrote :

As of Natty (and not earlier versions), FcConfigSubstituteWithPat() reproducibly crashes in some Windows applications running under Wine. Example backtrace:

Unhandled exception: denormal float operand in 32-bit code (0x7e9d9310).
Register dump:
 CS:0023 SS:002b DS:002b ES:002b FS:0063 GS:006b
 EIP:7e9d9310 ESP:00d6de60 EBP:00d6dec8 EFLAGS:00010202( R- -- I - - - )
 EAX:00000003 EBX:7e9ffff4 ECX:00000012 EDX:00000003
 ESI:00000003 EDI:00000003
Backtrace:
=>0 0x7e9d9310 in libfontconfig.so.1 (+0x7310) (0x00d6dec8)
  1 0x7e9da382 FcConfigSubstituteWithPat+0x191() in libfontconfig.so.1 (0x00d6df48)
  2 0x7e9da8e7 FcConfigSubstitute+0x26() in libfontconfig.so.1 (0x00d6df68)
  3 0x7e96ef72 X11DRV_XRender_SelectFont+0xc41(physDev=0x1535d8, hfont=0xe98) [/home/user/wine/dlls/winex11.drv/xrender.c:935] in winex11 (0x00d6e108)
  4 0x7e965e05 X11DRV_SelectFont+0xee4(physDev=0x1535d8, hfont=0xe98, gdiFont=0x189c88) [/home/user/wine/dlls/winex11.drv/xfont.c:3241] in winex11 (0x00d6e558)
  5 0x7ec0c19f FONT_SelectObject+0x9e(handle=0xe98, hdc=0x660) [/home/user/wine/dlls/gdi32/font.c:546] in gdi32 (0x00d6e5c8)
  6 0x7ec22eeb SelectObject+0xba(hdc=0x660, hObj=0xe98) [/home/user/wine/dlls/gdi32/gdiobj.c:1112] in gdi32 (0x00d6e618)
  7 0x7e6d45fa SelectObject16+0x19(hdc=0x660, handle=0xe98) [/home/user/wine/dlls/gdi.exe16/gdi.c:1101] in gdi.exe16 (0x00d6e638)
  8 0x7e6d05da __i686.get_pc_thunk.bx+0xc82() in gdi.exe16 (0x00d6e648)
  9 0x7eadac9e __wine_call_from_16+0x75() in krnl386.exe16 (0x00d6e678)
  10 0x1227:0x213e (0x124f:0x4b6e)
  11 0x1227:0x20a9 (0x124f:0x4c7a)
  12 0x1227:0x1dde (0x124f:0x4c8c)
  13 0x1237:0x2af8 (0x124f:0x4c9c)
  14 0x1237:0x29a2 (0x124f:0x4cb0)
  15 0x123f:0x3aa9 (0x124f:0x4dd4)
  16 0x123f:0x2305 (0x124f:0x4df2)
  17 0x123f:0x0b32 (0x124f:0x4f64)
  18 0x1237:0x2533 (0x124f:0x507a)
  19 0x1237:0x6e26 (0x124f:0x5096)
  20 0x11df:0x0072 (0x124f:0x50a8)
  21 0x11df:0x0000 (0x124f:0x0000)
0x7e9d9310: fstpl 0xffffffe0(%ebp)

Yes, it happens for more than one application, and no, none of them are freely available.

Sagawa (sagawa-aki+lp) wrote :

The Wine failure above seems to be reproduced with a 16-bit Windows application.

I ran Emi Clock ( http://www003.upp.so-net.ne.jp/motosoft/ ) Windows 3.1 version, and a similar failure occurred, because the code also crashes with the fstpl opcode.

I'll attach wine-emiclock16-dump.txt, which was produced with libfontconfig1-dbg (2.8.0-2.1ubuntu3) and wine1.2-dbg (1.2.2-0ubuntu6) on my x86 PC.

Sagawa (sagawa-aki+lp) wrote :

I guess unmasking the FPU's denormal exception flag is a trigger of this bug.

I made a small source code, bug.c, to demonstrate it.

Please compile it with the following instruction:
| % gcc -o bug bug.c -lfontconfig
Then run it.
| % ./bug
| zsh: floating point exception ./bug
The code crashed with SIGFPE.

But the following:
| % gcc -DBUG_OFF -o bug bug.c -lfontconfig
| % ./bug
It works fine.

Bryce Harrington (bryce) wrote :

Not reproducing on precise. Both the test case in the description, and the bug.c test case (thanks!) seem to be working fine.

Further, in the backtraces while there are mentions of cairo, those calls aren't from cairo's source code (the calls are C++, but cairo is all C).

Changed in cairo (Ubuntu):
status: Confirmed → Invalid
madbiologist (me-again)
tags: added: intrepid jaunty karmic lucid natty
madbiologist (me-again) wrote :

Official support for Ubuntu 11.04 "Natty Narwhal" and earlier releases has ended. Is this still occurring on Ubuntu 17.10 "Artful Aardvark"?

Changed in fontconfig (Ubuntu):
status: Confirmed → Incomplete