evince crashed with SIGFPE

Bug #263742 reported by Daniel J Blueman
Affects: freetype (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned
Nominated for Intrepid by Daniel J Blueman

Bug Description

Binary package hint: evince

We see evince hit with SIGFPE when viewing:

http://www.scottishpower.co.uk/mediaassets/doc/Safonau_Gwasanaeth.pdf
or
http://www.casio-europe.com/it/downloads/manuals/calc/fx570MS_991MS_I.pdf

Note: LP#27189 is marked as invalid, so I'm reporting this with a fresh coredump

ProblemType: Crash
Architecture: amd64
DistroRelease: Ubuntu 8.10
ExecutablePath: /usr/bin/evince
Package: evince 2.23.6-0ubuntu1
ProcAttrCurrent: unconfined
ProcCmdline: evince file:///tmp/Safonau_Gwasanaeth-2.pdf
ProcEnviron:
 PATH=/store/users/username/.bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
 LANG=en_GB.UTF-8
 SHELL=/bin/bash
Signal: 8
SourcePackage: evince
StacktraceTop:
 ?? () from /usr/lib/libfreetype.so.6
 ?? () from /usr/lib/libfreetype.so.6
 ?? () from /usr/lib/libfreetype.so.6
 ?? () from /usr/lib/libfreetype.so.6
 ?? () from /usr/lib/libfreetype.so.6
Title: evince crashed with SIGFPE
Uname: Linux 2.6.27-2-generic x86_64
UserGroups: adm admin audio cdrom dialout dip floppy kvm lpadmin mythtv plugdev scanner video

Tags: apport-crash
Daniel J Blueman (danielblueman) wrote :

We get the same crash signature for both PDFs, but alas I can't find libfreetype-dbg packages, so have to rely on apport-retrace:

$ valgrind --trace-children=yes evince fx570MS_991MS_I.pdf
==20374== Memcheck, a memory error detector.
==20374== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==20374== Using LibVEX rev 1854, a library for dynamic binary translation.
==20374== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==20374== Using valgrind-3.3.1-Debian, a dynamic binary instrumentation framework.
==20374== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==20374== For more details, rerun with: -v
==20374==
==20374== Syscall param write(buf) points to uninitialised byte(s)
==20374== at 0xBA47E90: __write_nocancel (in /usr/lib/debug/libpthread-2.8.90.so)
==20374== by 0x60C8EFE: _IceTransSocketWrite (Xtranssock.c:2171)
==20374== by 0x60CC787: _IceWrite (misc.c:369)
==20374== by 0x60CC863: IceFlush (misc.c:82)
==20374== by 0x5C49DFB: client_set_string (gnome-client.c:264)
==20374== by 0x5C4BBC2: gnome_real_client_connect (gnome-client.c:2442)
==20374== by 0xB33628C: g_closure_invoke (gclosure.c:767)
==20374== by 0xB34C91D: signal_emit_unlocked_R (gsignal.c:3174)
==20374== by 0xB34E718: g_signal_emit_valist (gsignal.c:2977)
==20374== by 0xB34EC82: g_signal_emit (gsignal.c:3034)
==20374== by 0x5C4B92E: gnome_client_connect (gnome-client.c:1627)
==20374== by 0x5C4CC8E: gnome_client_post_args_parse (gnome-client.c:1210)
==20374== Address 0x10b3343c is 12 bytes inside a block of size 1,024 alloc'd
==20374== at 0x4C24384: calloc (vg_replace_malloc.c:397)
==20374== by 0x60C5373: IceOpenConnection (connect.c:211)
==20374== by 0x5EB8CB0: SmcOpenConnection (sm_client.c:135)
==20374== by 0x5C4B8AC: gnome_client_connect (gnome-client.c:1595)
==20374== by 0x5C4CC8E: gnome_client_post_args_parse (gnome-client.c:1210)
==20374== by 0x69F6DBD: gnome_program_postinit (in /usr/lib/libgnome-2.so.0.2303.2)
==20374== by 0x69F718A: (within /usr/lib/libgnome-2.so.0.2303.2)
==20374== by 0x69F740C: gnome_program_initv (in /usr/lib/libgnome-2.so.0.2303.2)
==20374== by 0x69F7503: gnome_program_init (in /usr/lib/libgnome-2.so.0.2303.2)
==20374== by 0x44B5CC: main (main.c:346)
==20374==
==20374== Process terminating with default action of signal 8 (SIGFPE)
==20374== Integer divide by zero at address 0x40940F1C3
==20374== at 0x9A5DED1: (within /usr/lib/libfreetype.so.6.3.18)
==20374== by 0x9A5E02F: (within /usr/lib/libfreetype.so.6.3.18)
==20374== by 0x9A5E2AA: (within /usr/lib/libfreetype.so.6.3.18)
==20374== by 0x9A6259C: (within /usr/lib/libfreetype.so.6.3.18)
==20374== by 0x9A6298D: (within /usr/lib/libfreetype.so.6.3.18)
==20374== by 0x9A428AF: (within /usr/lib/libfreetype.so.6.3.18)
==20374== by 0x9A44D3D: FT_Open_Face (in /usr/lib/libfreetype.so.6.3.18)
==20374== by 0x9A45B21: FT_New_Face (in /usr/lib/libfreetype.so.6.3.18)
==20374== by 0x8A15F1C: CairoFont::create(GfxFont*, XRef*, FT_LibraryRec_*, int) (in /usr/lib/libpoppler-glib.so.3.0.0)
==20374== by 0x8A162FF: CairoFontEngine::getFont(GfxFont*, XRef*) (in /usr/lib/libpo...

Daniel J Blueman (danielblueman) wrote :

Correction - LP#27189 is not a dup. I got the bug report number wrong, but can't find the other one I was looking at.
