Comment 17 for bug 277294

htmldeveloper@gmail.com (htmldeveloper) wrote : Re: [Bug 277294] Re: evince crashed with SIGFPE, trying to seek in KXTGA930.PDF

Yes, I reproduced it as well, except that now this is on FC10, 64-bit,
when I load the KXTGA930.PDF.

(gdb) bt
#0 0x000000378682e36f in ?? () from /usr/lib64/libfreetype.so.6
#1 0x000000378682e4c0 in ?? () from /usr/lib64/libfreetype.so.6
#2 0x000000378682e73b in ?? () from /usr/lib64/libfreetype.so.6
#3 0x0000003786832a1d in ?? () from /usr/lib64/libfreetype.so.6
#4 0x0000003786832e0e in ?? () from /usr/lib64/libfreetype.so.6
#5 0x0000003786812930 in ?? () from /usr/lib64/libfreetype.so.6
#6 0x0000003786814da6 in FT_Open_Face () from /usr/lib64/libfreetype.so.6
#7 0x0000003786815b62 in FT_New_Face () from /usr/lib64/libfreetype.so.6
#8 0x000000378d61a72d in CairoFont::create ()
   from /usr/lib64/libpoppler-glib.so.3
#9 0x000000378d61ab10 in CairoFontEngine::getFont ()
   from /usr/lib64/libpoppler-glib.so.3
#10 0x000000378d61d9fa in CairoOutputDev::updateFont ()
   from /usr/lib64/libpoppler-glib.so.3
#11 0x000000378cab47e5 in Gfx::opShowText () from /usr/lib64/libpoppler.so.3
#12 0x000000378caabbdc in Gfx::go () from /usr/lib64/libpoppler.so.3
#13 0x000000378cab22c6 in Gfx::display () from /usr/lib64/libpoppler.so.3
#14 0x000000378caf7da0 in Page::displaySlice () from /usr/lib64/libpoppler.so.3
#15 0x000000378d615be5 in ?? () from /usr/lib64/libpoppler-glib.so.3
#16 0x000000378d616797 in poppler_page_render_to_pixbuf ()
   from /usr/lib64/libpoppler-glib.so.3
#17 0x00007ffff0b09b3e in ?? ()
   from /usr/lib64/evince/backends/libpdfdocument.so
---Type <return> to continue, or q <return> to quit---
#18 0x00000000004205f4 in gtk_icon_view_set_pixbuf_column ()
#19 0x000000000041e130 in gtk_icon_view_set_pixbuf_column ()
#20 0x0000003783460d44 in ?? () from /lib64/libglib-2.0.so.0
#21 0x00000037828073da in start_thread () from /lib64/libpthread.so.0
#22 0x0000003781ce62bd in clone () from /lib64/libc.so.6

Looking at the point where it crashed:

(gdb) x /20i $rip
0x378682e36f: idiv %rsi
0x378682e372: cmp $0x7fff,%rax
0x378682e378: jg 0x378682e0f3
0x378682e37e: mov %r8,%rdi
0x378682e381: callq 0x378680be90 <FT_DivFix@plt>
0x378682e386: mov %rax,%rcx
0x378682e389: jmpq 0x378682e28e
0x378682e38e: mov $0xa,%esi
0x378682e393: mov %r8,%rdi
0x378682e396: callq 0x378680be90 <FT_DivFix@plt>
0x378682e39b: mov %rax,%rcx
0x378682e39e: mov %ebp,%eax
0x378682e3a0: sub %ebx,%eax
0x378682e3a2: add $0x1,%eax
0x378682e3a5: mov %eax,(%r12)
0x378682e3a9: jmpq 0x378682e28e
0x378682e3ae: movslq %ebx,%rax
0x378682e3b1: mov %rbp,%rsi
0x378682e3b4: sub %rax,%rsi
0x378682e3b7: jmpq 0x378682e1e5
(gdb)

and the register for RSI:

(gdb) info registers rsi
rsi 0x0 0

So here we go: RSI is zero.

And the address range is for the freetype shared library:

0x000000378680c560 0x0000003786874138 Yes /usr/lib64/libfreetype.so.6

And looking at the neighboring logic happening before the crash:

  378682e311: 89 c0 mov %eax,%eax
  378682e313: 41 83 c2 01 add $0x1,%r10d
  378682e317: 4c 8d 04 50 lea (%rax,%rdx,2),%r8
  378682e31b: e9 e0 fe ff ff jmpq 378682e200 <TT_RunIns+0xa3e0>
  378682e320: 4c 89 c7 mov %r8,%rdi
  378682e323: e8 68 db fd ff callq 378680be90 <FT_DivFix@plt>
  378682e328: 48 89 c1 mov %rax,%rcx
  378682e32b: 8d 45 fb lea -0x5(%rbp),%eax
  378682e32e: 41 89 04 24 mov %eax,(%r12)
  378682e332: e9 57 ff ff ff jmpq 378682e28e <TT_RunIns+0xa46e>
  378682e337: 89 d1 mov %edx,%ecx
  378682e339: 42 8d 04 19 lea (%rcx,%r11,1),%eax
  378682e33d: 89 c2 mov %eax,%edx
  378682e33f: c1 fa 1f sar $0x1f,%edx
  378682e342: 31 d0 xor %edx,%eax
  378682e344: 29 d0 sub %edx,%eax
  378682e346: 83 f8 05 cmp $0x5,%eax
  378682e349: 0f 8f a4 fd ff ff jg 378682e0f3 <TT_RunIns+0xa2d3>
  378682e34f: 44 89 d0 mov %r10d,%eax
  378682e352: 29 c8 sub %ecx,%eax
  378682e354: 85 c0 test %eax,%eax
  378682e356: 7e 75 jle 378682e3cd <TT_RunIns+0xa5ad>
  378682e358: 48 8d 15 81 6d 04 00 lea 0x46d81(%rip),%rdx
  # 37868750e0 <tt_default_graphics_state+0xa00>
  378682e35f: 48 98 cltq
  378682e361: 48 8b 34 c2 mov (%rdx,%rax,8),%rsi
  378682e365: 4c 89 c2 mov %r8,%rdx
  378682e368: 4c 89 c0 mov %r8,%rax
  378682e36b: 48 c1 fa 3f sar $0x3f,%rdx
------------------------------>>>>>>>>>>>>>crashed here.
  378682e36f: 48 f7 fe idiv %rsi
  378682e372: 48 3d ff 7f 00 00 cmp $0x7fff,%rax
  378682e378: 0f 8f 75 fd ff ff jg 378682e0f3 <TT_RunIns+0xa2d3>
  378682e37e: 4c 89 c7 mov %r8,%rdi
  378682e381: e8 0a db fd ff callq 378680be90 <FT_DivFix@plt>
  378682e386: 48 89 c1 mov %rax,%rcx
  378682e389: e9 00 ff ff ff jmpq 378682e28e <TT_RunIns+0xa46e>
  378682e38e: be 0a 00 00 00 mov $0xa,%esi
  378682e393: 4c 89 c7 mov %r8,%rdi
  378682e396: e8 f5 da fd ff callq 378680be90 <FT_DivFix@plt>
  378682e39b: 48 89 c1 mov %rax,%rcx
  378682e39e: 89 e8 mov %ebp,%eax
  378682e3a0: 29 d8 sub %ebx,%eax
  378682e3a2: 83 c0 01 add $0x1,%eax
  378682e3a5: 41 89 04 24 mov %eax,(%r12)
  378682e3a9: e9 e0 fe ff ff jmpq 378682e28e <TT_RunIns+0xa46e>
  378682e3ae: 48 63 c3 movslq %ebx,%rax
  378682e3b1: 48 89 ee mov %rbp,%rsi
  378682e3b4: 48 29 c6 sub %rax,%rsi
  378682e3b7: e9 29 fe ff ff jmpq 378682e1e5 <TT_RunIns+0xa3c5>
  378682e3bc: 48 89 d0 mov %rdx,%rax
  378682e3bf: 48 f7 d8 neg %rax
  378682e3c2: 85 ed test %ebp,%ebp
  378682e3c4: 48 0f 45 d0 cmovne %rax,%rdx
  378682e3c8: e9 88 fd ff ff jmpq 378682e155 <TT_RunIns+0xa335>
  378682e3cd: f7 d8 neg %eax
  378682e3cf: 48 63 d0 movslq %eax,%rdx
  378682e3d2: 48 8d 05 07 6d 04 00 lea 0x46d07(%rip),%rax
  # 37868750e0 <tt_default_graphics_state+0xa00>
  378682e3d9: 4c 0f af 04 d0 imul (%rax,%rdx,8),%r8
  378682e3de: 49 81 f8 ff 7f 00 00 cmp $0x7fff,%r8

Not sure how you are going to debug this; no symbols are available from the
freetype library, but it is definitely an application-specific
problem. I am doing all this from FC10 x86_64, not Ubuntu.

On Thu, Feb 12, 2009 at 3:15 AM, GiuseppeVerde <email address hidden> wrote:
> I also see a floating point exception whenever I just open this file:
> http://scitation.aip.org/getabs/servlet/GetabsServlet?prog=normal&id=PRBMDO000076000004041301000001&idtype=cvips&gifs=yes
>
> Acroread opens it just fine, though.
>
> --
> evince crashed with SIGFPE, trying to seek in KXTGA930.PDF
> https://bugs.launchpad.net/bugs/277294
> You received this bug notification because you are a direct subscriber
> of a duplicate bug.
>
> Status in "freetype" source package in Ubuntu: Confirmed
>
> Bug description:
> Binary package hint: evince
>
> I have one document, which always produces the floating point exception. You can dl and view it as follows:
>
> wget http://service.us.panasonic.com/OPERMANPDF/KXTGA930.PDF
> evince KXTGA930.PDF
>
> As soon as I try to seek to page 2, or to any page past page 1, evince crashes and reports "Floating point exception (core dumped)"
>
> I am using Evince 2.24.0 as automatically included with Xubuntu Intrepid Ibex (currently in Alpha).
>
> Garrett Derner
> <email address hidden>
>
> ProblemType: Crash
> Architecture: i386
> CrashCounter: 1
> Disassembly: 0xb77f9b57:
> DistroRelease: Ubuntu 8.10
> ExecutablePath: /usr/bin/evince
> Package: evince 2.24.0-0ubuntu1
> ProcAttrCurrent: unconfined
> ProcCmdline: evince KXTGA930.PDF
> ProcEnviron:
> SHELL=/bin/bash
> PATH=/home/username/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
> LANG=en_US.UTF-8
> Signal: 8
> SourcePackage: evince
> Stacktrace: #0 0xb77f9b57 in ?? ()
> StacktraceTop: ?? ()
> ThreadStacktrace:
>
> Title: evince crashed with SIGFPE
> Uname: Linux 2.6.27-4-generic i686
> UserGroups: adm admin cdrom dialout fuse lpadmin plugdev sambashare
>

--
Regards,
Peter Teoh