Bug#533759: evince: Segfault when opening dvi files

Emilio Pozuelo Monfort pochu27 at gmail.com
Tue Aug 4 10:05:58 UTC 2009


reassign 533759 libgs8 8.70~dfsg-1
thanks

Alessio Botta wrote:
> Creating the example I realized that this happens only if the dvi
> contains a picture. 
> 
> I am attaching to this mail a latex file, the included picture in eps
> format, the produced dvi (the one causing the segfault), and the
> postscript created from that with dvips, which opens perfectly in
> evince.

Thanks. After rebuilding ghostscript with debugging symbols, I managed to get a
backtrace with useful output:

(gdb) r temp_report.dvi
Starting program: /usr/bin/evince temp_report.dvi
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
[Thread debugging using libthread_db enabled]
[New Thread 0xb5f29b90 (LWP 6063)]
[New Thread 0xb490db90 (LWP 6064)]
GPL Ghostscript 8.70: ./psi/iinit.c(98): initial_enter failed (-7), entering
/MaxBitmap in -dict:10/1123-
GPL Ghostscript 8.70: Initialization file gs_init.ps does not begin with an integer.
fatal internal error -100
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb5f29b90 (LWP 6063)]
0xb50c7e92 in i_unregister_root (mem=0xb56d5f0c, rp=0xb56d5f0c, cname=0x0) at
./base/gsalloc.c:1574
1574		rpp = &(*rpp)->next;
(gdb) bt
#0  0xb50c7e92 in i_unregister_root (mem=0xb56d5f0c, rp=0xb56d5f0c, cname=0x0)
at ./base/gsalloc.c:1574
#1  0xb4e9204c in interp (pi_ctx_p=0xb56b465c, pref=0xb5f28ca8,
perror_object=0xb5f28d70) at ./psi/interp.c:843
#2  0xb4e94311 in gs_call_interp (pi_ctx_p=0xb56b465c, pref=0xb5f28ca8,
user_errors=0, pexit_code=0xb5f28d88, perror_object=0xb5f28d70) at
./psi/interp.c:496
#3  gs_interpret (pi_ctx_p=0xb56b465c, pref=0xb5f28ca8, user_errors=0,
pexit_code=0xb5f28d88, perror_object=0xb5f28d70) at ./psi/interp.c:454
#4  0xb4e88579 in gs_main_interpret (minst=0xb56b4608, user_errors=0,
pexit_code=0xb5f28d88, perror_object=0xb5f28d70) at ./psi/imain.c:214
#5  gs_main_run_string_begin (minst=0xb56b4608, user_errors=0,
pexit_code=0xb5f28d88, perror_object=0xb5f28d70) at ./psi/imain.c:500
#6  0xb4e885ea in gs_main_run_string_with_length (minst=0xb56b4608,
str=0xb5159968 ".uninstallpagedevice serverdict /.jobsavelevel get 0 eq {/quit}
{/stop} ifelse .systemvar exec", length=94, user_errors=0,
    pexit_code=0xb5f28d88, perror_object=0xb5f28d70) at ./psi/imain.c:476
#7  0xb4e8869a in gs_main_run_string (minst=0xb56b4608, str=0xb5159968
".uninstallpagedevice serverdict /.jobsavelevel get 0 eq {/quit} {/stop} ifelse
.systemvar exec", user_errors=0, pexit_code=0xb5f28d88,
    perror_object=0xb5f28d70) at ./psi/imain.c:466
#8  0xb4e88782 in gs_main_finit (minst=0xb56b4608, exit_status=0, code=0) at
./psi/imain.c:765
#9  0xb4e88be3 in gs_to_exit_with_code (mem=0xb56b11c8, exit_status=0, code=0)
at ./psi/imain.c:827
#10 0xb4e88c1c in gs_to_exit (mem=0xb56b11c8, exit_status=0) at ./psi/imain.c:832
#11 0xb4e8c680 in gsapi_exit (lib=0x30b56bb4) at ./psi/iapi.c:262
#12 0xb55b8620 in spectre_gs_cleanup (gs=0xb56b2a18, flag=3) at spectre-gs.c:297
#13 0xb55b866e in spectre_gs_free (gs=0xb56b2a18) at spectre-gs.c:311
#14 0xb55b9709 in spectre_device_render (device=0xb56af950, page=0,
rc=0xb56b2a88, x=0, y=0, width=504, height=504, page_data=0xb5f28f78,
row_length=0xb5f28f74) at spectre-device.c:280
#15 0xb55b9e54 in spectre_page_render (page=0xb56b79b0, rc=0xb56b2a88,
page_data=0xb5f28f78, row_length=0xb5f28f74) at spectre-page.c:164
#16 0xb55b8155 in spectre_document_render_full (document=0xb56af140,
rc=0xb56b2a88, page_data=0xb5f28f78, row_length=0xb5f28f74) at
spectre-document.c:337
#17 0xb55e4c6f in dvi_cairo_draw_ps (dvi=0x82e6168, filename=0xb56b3ad0
"/home/emilio/Desktop/exampleReport/someFigure.eps", x=176, y=181,
width=817195956, height=817195956)
    at /tmp/buildd/evince-2.26.2/./backend/dvi/cairo-device.c:159
#18 0xb55f3d45 in epsf_special (dvi=0x82e6168, prefix=0xb56b51f0 "PSfile",
arg=0xb56b51f8 "someFigure.eps") at
/tmp/buildd/evince-2.26.2/./backend/dvi/mdvi-lib/sp-epsf.c:284
#19 0xb55f2fb6 in mdvi_do_special (dvi=0x82e6168, string=0xb56b51f0 "PSfile") at
/tmp/buildd/evince-2.26.2/./backend/dvi/mdvi-lib/special.c:208
#20 0xb55e8d0e in special (dvi=0x82e6168, opcode=239) at
/tmp/buildd/evince-2.26.2/./backend/dvi/mdvi-lib/dviread.c:1543
#21 0xb55ea80d in mdvi_dopage (dvi=0x82e6168, pageno=1) at
/tmp/buildd/evince-2.26.2/./backend/dvi/mdvi-lib/dviread.c:1091
#22 0xb55e4aee in mdvi_cairo_device_render (dvi=0x82e6168) at
/tmp/buildd/evince-2.26.2/./backend/dvi/cairo-device.c:346
#23 0xb55e3a8e in dvi_document_render (document=0x83198c0, rc=0x830a140) at
/tmp/buildd/evince-2.26.2/./backend/dvi/dvi-document.c:193
#24 0xb7fb7920 in ev_document_render (document=0x83198c0, rc=0x830a140) at
/tmp/buildd/evince-2.26.2/./libdocument/ev-document.c:257
#25 0xb7f920c7 in ev_job_render_run (job=0x819d2a0) at
/tmp/buildd/evince-2.26.2/./libview/ev-jobs.c:516
#26 0xb7f8f7b1 in ev_job_run (job=0x819d2a0) at
/tmp/buildd/evince-2.26.2/./libview/ev-jobs.c:207
#27 0xb7f92e90 in ev_job_thread (data=0x0) at
/tmp/buildd/evince-2.26.2/./libview/ev-job-scheduler.c:183
#28 ev_job_thread_proxy (data=0x0) at
/tmp/buildd/evince-2.26.2/./libview/ev-job-scheduler.c:213
#29 0xb762854f in g_thread_create_proxy (data=0x81324a0) at
/build/buildd-glib2.0_2.20.4-1-i386-6KfM1O/glib2.0-2.20.4/glib/gthread.c:635
#30 0xb794d4b5 in start_thread () from /lib/i686/cmov/libpthread.so.0
#31 0xb7546a5e in clone () from /lib/i686/cmov/libc.so.6
(gdb) l
1569	    gs_gc_root_t **rpp = &imem->roots;
1570	
1571	    if_debug2('8', "[8]unregister root(%s) 0x%lx\n",
1572		      client_name_string(cname), (ulong) rp);
1573	    while (*rpp != rp)
1574		rpp = &(*rpp)->next;
1575	    *rpp = (*rpp)->next;
1576	    if (rp->free_on_unregister)
1577		gs_free_object(imem->non_gc_memory, rp, "i_unregister_root");
1578	}
(gdb)


This code:

1573	    while (*rpp != rp)
1574		rpp = &(*rpp)->next;

is where it crashes. It seems rp is not in the rpp list (whatever rp and rpp
are), and so it goes to the end and then crashes.

I'm reassigning to ghostscript, if that's wrong please reassign as appropriate
(or reassign back).

Best,
Emilio
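
Added example (not part of the original message, and not Ghostscript's code): a minimal C sketch of the failure mode described above, where the pointer-to-pointer walk at gsalloc.c:1573-1574 has no end-of-list test, next to a checked variant that reports a missing root instead of faulting. The types root_t and mem_t and the functions register_root and unregister_root_checked are hypothetical stand-ins for the real allocator structures.

```c
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical stand-ins for the allocator's root record and state. */
typedef struct root_s {
    struct root_s *next;
    int free_on_unregister;
} root_t;

typedef struct {
    root_t *roots;              /* head of the registered-roots list */
} mem_t;

static void register_root(mem_t *mem, root_t *rp) {
    rp->next = mem->roots;
    mem->roots = rp;
}

/* Same walk as the listing above, plus an end-of-list test.
 * Returns 0 on success, -1 if rp is not in the list (never
 * registered, already removed, or the list was torn down). */
static int unregister_root_checked(mem_t *mem, root_t *rp) {
    root_t **rpp = &mem->roots;

    while (*rpp != NULL && *rpp != rp)
        rpp = &(*rpp)->next;
    if (*rpp == NULL)
        return -1;              /* the unchecked loop dereferences NULL here */
    *rpp = rp->next;
    rp->next = NULL;
    if (rp->free_on_unregister)
        free(rp);
    return 0;
}

/* Constructed scenario: a stray root and a double unregister must both
 * be reported as errors and leave the list intact. Returns 0 if so. */
static int demo(void) {
    mem_t mem = { NULL };
    root_t a = { NULL, 0 }, b = { NULL, 0 }, stray = { NULL, 0 };

    register_root(&mem, &a);
    register_root(&mem, &b);
    if (unregister_root_checked(&mem, &stray) != -1) return 1;
    if (unregister_root_checked(&mem, &a) != 0) return 2;
    if (unregister_root_checked(&mem, &a) != -1) return 3;
    if (mem.roots != &b || b.next != NULL) return 4;
    if (unregister_root_checked(&mem, &b) != 0 || mem.roots != NULL) return 5;
    return 0;
}

int main(void) { return demo(); }
```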
