evince crashed with SIGFPE, trying to seek in KXTGA930.PDF

Bug #277294 reported by Garrett Derner
Affects              Status        Importance  Assigned to     Milestone
freetype (Debian)    Fix Released  Unknown
freetype (Ubuntu)    Fix Released  High        Steve Langasek
  Intrepid           Invalid       Undecided   Unassigned

Bug Description

Binary package hint: evince

I have one document, which always produces the floating point exception. You can dl and view it as follows:

  wget http://service.us.panasonic.com/OPERMANPDF/KXTGA930.PDF
  evince KXTGA930.PDF

As soon as I try to seek to page 2, or to any page past page 1, evince crashes and reports "Floating point exception (core dumped)"

I am using Evince 2.24.0 as automatically included with Xubuntu Intrepid Ibex (currently in Alpha).

Garrett Derner
<email address hidden>

ProblemType: Crash
Architecture: i386
CrashCounter: 1
Disassembly: 0xb77f9b57:
DistroRelease: Ubuntu 8.10
ExecutablePath: /usr/bin/evince
Package: evince 2.24.0-0ubuntu1
ProcAttrCurrent: unconfined
ProcCmdline: evince KXTGA930.PDF
ProcEnviron:
 SHELL=/bin/bash
 PATH=/home/username/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
 LANG=en_US.UTF-8
Signal: 8
SourcePackage: evince
Stacktrace: #0 0xb77f9b57 in ?? ()
StacktraceTop: ?? ()
ThreadStacktrace:

Title: evince crashed with SIGFPE
Uname: Linux 2.6.27-4-generic i686
UserGroups: adm admin cdrom dialout fuse lpadmin plugdev sambashare

Revision history for this message
Garrett Derner (etc-derner) wrote :
Revision history for this message
Apport retracing service (apport) wrote : Symbolic stack trace

StacktraceTop:?? ()

Revision history for this message
Mackenzie Morgan (maco.m) wrote : Re: [Regression] evince crashed with SIGFPE, trying to seek in KXTGA930.PDF

This bug is not present on Hardy (just tested it), so I've marked it a regression. Also setting Importance to Medium since it's a crasher on a default app.

Changed in evince:
importance: Undecided → Medium
Revision history for this message
Pedro Villavicencio (pedro) wrote :

Thanks for your bug report. Please try to obtain a backtrace http://wiki.ubuntu.com/DebuggingProgramCrash and attach the file to the bug report. This will greatly help us in tracking down your problem.

Changed in evince:
assignee: nobody → desktop-bugs
status: New → Incomplete
Revision history for this message
Garrett Derner (etc-derner) wrote : Re: [Bug 277294] Re: evince crashed with SIGFPE, trying to seek in KXTGA930.PDF

Pedro,

How do I obtain a backtrace in Intrepid?

The page

http://wiki.ubuntu.com/DebuggingProgramCrash

does not mention Intrepid. Nevertheless, I tried using:

deb http://ddebs.ubuntu.com intrepid main universe

deb http://ddebs.ubuntu.com intrepid-updates main universe

deb http://ddebs.ubuntu.com intrepid-proposed main universe

deb http://ddebs.ubuntu.com intrepid-security main universe

That does not work; it gives me 404s when I try to update.

Garrett

Pedro Villavicencio wrote:
> Thanks for your bug report. Please try to obtain a backtrace
> http://wiki.ubuntu.com/DebuggingProgramCrash and attach the file to the
> bug report. This will greatly help us in tracking down your problem.
>
> ** Summary changed:
>
> - [Regression] evince crashed with SIGFPE, trying to seek in KXTGA930.PDF
> + evince crashed with SIGFPE, trying to seek in KXTGA930.PDF
>
> ** Tags removed: regression
>
> ** Attachment removed: "CoreDump.gz"
>
> http://launchpadlibrarian.net/18142370/CoreDump.gz
>
> ** Changed in: evince (Ubuntu)
> Assignee: (unassigned) => Ubuntu Desktop Bugs (desktop-bugs)
> Status: New => Incomplete
>
> ** Visibility changed to: Public
>
>

Revision history for this message
Garrett Derner (etc-derner) wrote :

This may be the same as 267324
( https://bugs.launchpad.net/ubuntu/+source/evince/+bug/267324 )
supposed to be fixed upstream in libpoppler.
Garrett

Revision history for this message
Sebastien Bacher (seb128) wrote :

you just need the intrepid sources; updates etc. are not available while the distribution is not stable

Revision history for this message
Pedro Villavicencio (pedro) wrote :

We are closing this bug report because it lacks the information we need to investigate the problem, as described in the previous comments. Please reopen it if you can give us the missing information, and don't hesitate to submit bug reports in the future. To reopen the bug report you can click on the current status, under the Status column, and change the Status back to New. Thanks again!

Changed in evince:
status: Incomplete → Invalid
Revision history for this message
none (none12) wrote :

I get the same floating point exception when opening this document: http://www.focus-campus.de/download.html?f=FC_0849.pdf
Here's the backtrace with evince and libpoppler symbols installed. Let me know if you need more information.

Changed in evince:
status: Invalid → Confirmed
Revision history for this message
Taylor Braun-Jones (nocnokneo) wrote :

I get the same error. Running Ubuntu 8.10 with all latest updates.

evince:
  Installed: 2.24.1-0ubuntu1
  Candidate: 2.24.1-0ubuntu1
  Version table:
 *** 2.24.1-0ubuntu1 0
        500 http://us.archive.ubuntu.com intrepid/main Packages
        100 /var/lib/dpkg/status

Backtrace attached

Revision history for this message
Taylor Braun-Jones (nocnokneo) wrote :

Here is the pdf that produces the crash

Revision history for this message
Sebastien Bacher (seb128) wrote :

the crash is likely a poppler or cairo issue

Revision history for this message
Sebastien Bacher (seb128) wrote :

https://bugs.freedesktop.org/show_bug.cgi?id=17045 indicates that's a freetype or gcc issue

Changed in evince:
assignee: desktop-bugs → nobody
Revision history for this message
Sebastien Bacher (seb128) wrote :
Changed in freetype:
importance: Medium → High
Revision history for this message
Matthias Klose (doko) wrote :

If it is a miscompilation, the miscompiled file needs to be determined. If a freetype compiled with -O0 works, but not with -O2, build the library with half of the files built with -O0, the other half with -O2, and so on ... If you know the miscompiled file, add the -f options which are turned on for -O1/-O2 separately and find out which option triggers the miscompilation (or a coding error).

Trying to build with newer compiler versions (gcc-4.3, gcc-snapshot) and optimization turned on helps as well to diagnose the bug, if it is one.

Revision history for this message
GiuseppeVerde (launchpad-digitasaru) wrote :

I also see a floating point exception whenever I just open this file: http://scitation.aip.org/getabs/servlet/GetabsServlet?prog=normal&id=PRBMDO000076000004041301000001&idtype=cvips&gifs=yes

Acroread opens it just fine, though.

Revision history for this message
htmldeveloper@gmail.com (htmldeveloper) wrote : Re: [Bug 277294] Re: evince crashed with SIGFPE, trying to seek in KXTGA930.PDF

Yes, I reproduced it as well.....except that now this is a FC10, 64bit
- when I load in the KXTGA930.PDF.

(gdb) bt
#0 0x000000378682e36f in ?? () from /usr/lib64/libfreetype.so.6
#1 0x000000378682e4c0 in ?? () from /usr/lib64/libfreetype.so.6
#2 0x000000378682e73b in ?? () from /usr/lib64/libfreetype.so.6
#3 0x0000003786832a1d in ?? () from /usr/lib64/libfreetype.so.6
#4 0x0000003786832e0e in ?? () from /usr/lib64/libfreetype.so.6
#5 0x0000003786812930 in ?? () from /usr/lib64/libfreetype.so.6
#6 0x0000003786814da6 in FT_Open_Face () from /usr/lib64/libfreetype.so.6
#7 0x0000003786815b62 in FT_New_Face () from /usr/lib64/libfreetype.so.6
#8 0x000000378d61a72d in CairoFont::create ()
   from /usr/lib64/libpoppler-glib.so.3
#9 0x000000378d61ab10 in CairoFontEngine::getFont ()
   from /usr/lib64/libpoppler-glib.so.3
#10 0x000000378d61d9fa in CairoOutputDev::updateFont ()
   from /usr/lib64/libpoppler-glib.so.3
#11 0x000000378cab47e5 in Gfx::opShowText () from /usr/lib64/libpoppler.so.3
#12 0x000000378caabbdc in Gfx::go () from /usr/lib64/libpoppler.so.3
#13 0x000000378cab22c6 in Gfx::display () from /usr/lib64/libpoppler.so.3
#14 0x000000378caf7da0 in Page::displaySlice () from /usr/lib64/libpoppler.so.3
#15 0x000000378d615be5 in ?? () from /usr/lib64/libpoppler-glib.so.3
#16 0x000000378d616797 in poppler_page_render_to_pixbuf ()
   from /usr/lib64/libpoppler-glib.so.3
#17 0x00007ffff0b09b3e in ?? ()
   from /usr/lib64/evince/backends/libpdfdocument.so
---Type <return> to continue, or q <return> to quit---
#18 0x00000000004205f4 in gtk_icon_view_set_pixbuf_column ()
#19 0x000000000041e130 in gtk_icon_view_set_pixbuf_column ()
#20 0x0000003783460d44 in ?? () from /lib64/libglib-2.0.so.0
#21 0x00000037828073da in start_thread () from /lib64/libpthread.so.0
#22 0x0000003781ce62bd in clone () from /lib64/libc.so.6

Looking at the point where it crashed:

(gdb) x /20i $rip
0x378682e36f: idiv %rsi
0x378682e372: cmp $0x7fff,%rax
0x378682e378: jg 0x378682e0f3
0x378682e37e: mov %r8,%rdi
0x378682e381: callq 0x378680be90 <FT_DivFix@plt>
0x378682e386: mov %rax,%rcx
0x378682e389: jmpq 0x378682e28e
0x378682e38e: mov $0xa,%esi
0x378682e393: mov %r8,%rdi
0x378682e396: callq 0x378680be90 <FT_DivFix@plt>
0x378682e39b: mov %rax,%rcx
0x378682e39e: mov %ebp,%eax
0x378682e3a0: sub %ebx,%eax
0x378682e3a2: add $0x1,%eax
0x378682e3a5: mov %eax,(%r12)
0x378682e3a9: jmpq 0x378682e28e
0x378682e3ae: movslq %ebx,%rax
0x378682e3b1: mov %rbp,%rsi
0x378682e3b4: sub %rax,%rsi
0x378682e3b7: jmpq 0x378682e1e5
(gdb)

and the register for RSI:

(gdb) info registers rsi
rsi 0x0 0

So here we go....RSI is zero.

And the address range is for freetype shared library:

0x000000378680c560 0x0000003786874138 Yes /usr/lib64/libfreetype.so.6

And looking at the neighboring logic happening before the crash:

  378682e311: 89 c0 mov %eax,%eax
  378682e313: 41 83 c2 01 add $0x1,%r10d
  378682e317: 4c 8d 04 50 lea (%rax,%rdx,2),%r8
  378682e31b: e9 e0 fe ff ff jmpq 378682e200 <TT_RunIns+0xa3e0>
  378682e320: 4c 89 c7 mov %r8,%...


Revision history for this message
Sebastien Bacher (seb128) wrote :

cff.c has the issue when building -O1 or -O2 but not -O0

Revision history for this message
Sebastien Bacher (seb128) wrote :

cffparse.c l359:

      if ( fraction_length > 0 )
      {
        if ( ( number / power_tens[fraction_length] ) > 0x7FFFL )

adding a printf there shows that it enters the loop with fraction_length == 0 apparently when using -O1

Revision history for this message
Sebastien Bacher (seb128) wrote :

ignore the previous comment, that was an error; when crashing fraction_length == 10 and power_tens[fraction_length] == 0

Revision history for this message
Sebastien Bacher (seb128) wrote :

the issue seems to be a freetype one, fraction_length == 10 when it crashes and power_tens has only 10 items so power_tens[10] is out of scope

when adding some printf in the code:

printf("%li\n", power_tens[10]);
 -O0 -> 174681125
 -O1 -> 0

the gcc behaviour changes but that's still a code error to have an index over the table
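A simplified model of the defect described in the comments above, written for this page as an added example (it is not FreeType's cffparse.c): a 10-entry power_tens table indexed by an unbounded fraction_length, beside a hardened parser that keeps the index inside the table. The 16.16 scaling, the PARSE_* status codes and the function names are assumptions of this model.

```c
/* Added example, not FreeType's code: a simplified model of the cffparse.c
 * defect above. power_tens has 10 entries; with 10 fraction digits the index
 * is 10, one past the end. The thread saw that read give 174681125 at -O0 and
 * 0 at -O1, and a zero divisor then raised SIGFPE (idiv with rsi == 0). */
#include <limits.h>
#include <string.h>
#define POWER_TENS_COUNT 10
static const long long power_tens[POWER_TENS_COUNT] = {
    1LL, 10LL, 100LL, 1000LL, 10000LL, 100000LL,
    1000000LL, 10000000LL, 100000000LL, 1000000000LL };
enum { PARSE_OK = 0, PARSE_SYNTAX = 1, PARSE_RANGE = 2 };

/* Counts fraction digits the way the unfixed parser did: one per digit with
 * no upper bound, so the count (used as the index) can reach 10 and beyond. */
static int naive_fraction_length(const char *s)
{
    const char *p = strchr(s, '.');
    int n = 0;
    if (p == NULL) return 0;
    for (p++; *p >= '0' && *p <= '9'; p++) n++;
    return n;
}
static int index_in_bounds(int idx) { return idx >= 0 && idx < POWER_TENS_COUNT; }

/* Hardened parse of "[-]digits[.digits]" into 16.16 fixed point (a choice of
 * this model). Fraction digits beyond the 9 the table can scale are dropped,
 * so the index is always valid; the 0x7FFF check mirrors the one quoted above.
 * Returns a PARSE_* status and stores the value through out (may be NULL). */
static int parse_fixed_16_16(const char *s, long long *out)
{
    long long number = 0, v;
    int fraction_length = 0, in_fraction = 0, neg = 0;
    if (*s == '-') { neg = 1; s++; }
    if (*s < '0' || *s > '9') return PARSE_SYNTAX;
    for (; *s; s++) {
        if (*s == '.' && !in_fraction) { in_fraction = 1; continue; }
        if (*s < '0' || *s > '9') return PARSE_SYNTAX;
        if (in_fraction && fraction_length >= POWER_TENS_COUNT - 1) continue;
        if (number > (LLONG_MAX - 9) / 10) return PARSE_RANGE; /* accumulator */
        number = number * 10 + (*s - '0');
        if (in_fraction) fraction_length++;
    }
    if (number / power_tens[fraction_length] > 0x7FFFLL) return PARSE_RANGE;
    v = number * 65536 / power_tens[fraction_length];
    if (out) *out = neg ? -v : v;
    return PARSE_OK;
}
/* Convenience wrapper: value on success, 0 on any parse error. */
static long long fixed_value(const char *s)
{ long long v = 0; parse_fixed_16_16(s, &v); return v; }
```

For the constructed input "0.1234567890", naive_fraction_length returns 10, which index_in_bounds rejects, while parse_fixed_16_16 drops the tenth digit and returns the same value as for "0.123456789".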

Steve Langasek (vorlon)
Changed in freetype:
assignee: nobody → vorlon
Changed in freetype:
status: Unknown → Confirmed
Steve Langasek (vorlon)
Changed in freetype:
status: Confirmed → In Progress
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package freetype - 2.3.9-3

---------------
freetype (2.3.9-3) unstable; urgency=low

  * Drop spurious Suggests: on libfreetype6-dev. Closes: #363937.
  * debian/patches-freetype/enable-subpixel-rendering.patch: enable subpixel
    rendering features, used by libcairo and xft to provide LCD colour
    filtering. This is considered no more or less evil than the bytecode
    interpreter which we also enable.
  * Move debian/libfreetype6.copyright to debian/copyright, and selectively
    install it to the single binary package in debian/rules; the same
    copyright file is used for all the binaries anyway via symlinks, so
    there's no reason it shouldn't ship as debian/copyright.
    Closes: #381228.
  * Clip redundant LICENSE.TXT and GPL.TXT files from the
    libfreetype6-dev package. Closes: #459802.

freetype (2.3.9-2) unstable; urgency=low

  * debian/rules: bump the shlibs version, since 2.3.9 introduces a handful
    of new symbols
  * debian/libfreetype6.symbols: add a new symbols file, which should cause
    most packages to have relaxed dependencies of libfreetype6 now.

freetype (2.3.9-1) unstable; urgency=low

  * New upstream version; closes: #519168.
    * fixes a SIGFPE in evince when displaying some PDFs. Closes: #494350,
      LP: #277294.
    * fix a rendering issue with embedded Myriad_Pro fonts in some PDFs.
      LP: #330438.
    * fix a rendering issue with some glyphs not rendering in PDFs when
      an embedded font uses CID 0. LP: #252250.
    * drop patches-freetype/no-segfault-on-load_mac_face, included
      upstream.
    * patches-ft2demos/ft2demos-2.1.7-ftbench.patch: drop unused
      patch chunk
  * fix up the get-orig-source target to autodetect the upstream version
    using the changelog by default.

 -- Steve Langasek <email address hidden> Sat, 14 Mar 2009 18:54:19 +0000

Changed in freetype:
status: In Progress → Fix Released
Revision history for this message
DSHR (s-heuer) wrote :

The bug is fixed for me in jaunty. Thanks a lot!

Revision history for this message
Philipp Kern (pkern) wrote :

Could you please fix it for intrepid, too?

Revision history for this message
silviu (star2ro) wrote : Re: [Bug 277294] Re: evince crashed with SIGFPE, trying to seek in KXTGA930.PDF

I confirm... it crashes on my PC also and I use Ubuntu 8.10 desktop. What can I say? Until the bug is fixed try to use Adobe Reader 8 ..:) with this one is ok!

--- On Sun, 4/19/09, Daniel Silverstone <email address hidden> wrote:

From: Daniel Silverstone <email address hidden>
Subject: [Bug 277294] Re: evince crashed with SIGFPE, trying to seek in KXTGA930.PDF
To: <email address hidden>
Date: Sunday, April 19, 2009, 3:30 PM

** Also affects: freetype (Ubuntu Intrepid)
   Importance: Undecided
       Status: New


Revision history for this message
rordiales (ramon) wrote :

Synaptic has not option to upgrade Freetype in Ubuntu.
Where can I download the Fix for Evidence / Freetype Bug?

Revision history for this message
Alex Valavanis (valavanisalex) wrote :

Intrepid Ibex reached end-of-life on 30 April 2010 so I am closing the
report. The bug has been fixed in newer releases of Ubuntu.

Changed in freetype (Ubuntu Intrepid):
status: New → Invalid
Changed in freetype (Debian):
status: Confirmed → Fix Released