Bug#974937: evince: crashes then runs

Bernhard Übelacker bernhardu at mailbox.org
Fri Dec 18 15:23:00 GMT 2020


Dear Maintainer,
from the dmesg line from the submitter I think the crash happens
in save_thumbnail_in_cache_thread in [1], between the calls to
cairo_image_surface_get_height and -width.

Tried to reach that function just showing some random PDF
but did not get there.

@Nicolas: I assume Simon asked for a backtrace of the crash.
There are several ways described in the link in his last mail.
The easiest might be to install systemd-coredump and when
the next crash happens look at the end of the output
of 'journalctl --no-pager'.

Kind regards,
Bernhard

[1] https://gitlab.gnome.org/GNOME/evince/-/blob/master/shell/ev-recent-view.c#L351
-------------- next part --------------


# Bullseye/testing i386 qemu VM 2020-12-18


apt update
apt dist-upgrade


apt install systemd-coredump gnome gdb evince libgdk-pixbuf2.0-0


systemctl stop sddm
systemctl start sddm


wget https://snapshot.debian.org/archive/debian/20201013T145646Z/pool/main/e/evince/evince_3.38.0-2_i386.deb
wget https://snapshot.debian.org/archive/debian/20201013T145646Z/pool/main/e/evince/evince-common_3.38.0-2_all.deb
wget https://snapshot.debian.org/archive/debian/20201013T145646Z/pool/main/e/evince/libevdocument3-4_3.38.0-2_i386.deb
wget https://snapshot.debian.org/archive/debian/20201013T145646Z/pool/main/e/evince/libevview3-3_3.38.0-2_i386.deb
wget https://snapshot.debian.org/archive/debian-debug/20201013T145001Z/pool/main/e/evince/evince-dbgsym_3.38.0-2_i386.deb
wget https://snapshot.debian.org/archive/debian/20201013T145646Z/pool/main/e/evince/gir1.2-evince-3.0_3.38.0-2_i386.deb
dpkg -i *.deb

cd Dokumente/
wget https://www.debian.org/doc/manuals/debian-faq/debian-faq.de.pdf



https://wiki.debian.org/InterpretingKernelOutputAtProcessCrash



nov. 16 20:33:38 nicolas.home kernel: pool-evince[16278]: segfault at fffffdd4 ip 004de186 sp afbfa034 error 5 in evince[4cd000+3a000]
nov. 16 20:33:38 nicolas.home kernel: Code: 89 34 24 89 44 24 1c e8 b8 08 ff ff 8b 54 24 1c 89 14 24 50 6a 00 6a 00 56 e8 06 19 ff ff 83 c4 20 ff 77 08 ff 77 04 89 c6 50 <ff> 75 14 e8 52 06 ff ff 89 34 24 e8 b2 3f ff ff 58 5a 6a 01 ff 74

"error 5" == 0b00000101 == 
 *   bit 0 ==    1: protection fault
 *   bit 1 ==    0: read access
 *   bit 2 ==    1: user-mode access


benutzer@debian:~$  echo -n "find /b ..., ..., 0x" && \
echo "89 34 24 89 44 24 1c e8 b8 08 ff ff 8b 54 24 1c 89 14 24 50 6a 00 6a 00 56 e8 06 19 ff ff 83 c4 20 ff 77 08 ff 77 04 89 c6 50 <ff> 75 14 e8 52 06 ff ff 89 34 24 e8 b2 3f ff ff 58 5a 6a 01 ff 74" \
 | sed 's/[<>]//g' | sed 's/ /, 0x/g'
find /b ..., ..., 0x89, 0x34, 0x24, 0x89, 0x44, 0x24, 0x1c, 0xe8, 0xb8, 0x08, 0xff, 0xff, 0x8b, 0x54, 0x24, 0x1c, 0x89, 0x14, 0x24, 0x50, 0x6a, 0x00, 0x6a, 0x00, 0x56, 0xe8, 0x06, 0x19, 0xff, 0xff, 0x83, 0xc4, 0x20, 0xff, 0x77, 0x08, 0xff, 0x77, 0x04, 0x89, 0xc6, 0x50, 0xff, 0x75, 0x14, 0xe8, 0x52, 0x06, 0xff, 0xff, 0x89, 0x34, 0x24, 0xe8, 0xb2, 0x3f, 0xff, 0xff, 0x58, 0x5a, 0x6a, 0x01, 0xff, 0x74


gdb -q
set width 0
set pagination off
set environment DISPLAY=:0
file /usr/bin/evince
tb main
run
info target
...
        0x0042c150 - 0x00460924 is .text
...

(gdb) find /b 0x0042c150, 0x00460924, 0x89, 0x34, 0x24, 0x89, 0x44, 0x24, 0x1c, 0xe8, 0xb8, 0x08, 0xff, 0xff, 0x8b, 0x54, 0x24, 0x1c, 0x89, 0x14, 0x24, 0x50, 0x6a, 0x00, 0x6a, 0x00, 0x56, 0xe8, 0x06, 0x19, 0xff, 0xff, 0x83, 0xc4, 0x20, 0xff, 0x77, 0x08, 0xff, 0x77, 0x04, 0x89, 0xc6, 0x50, 0xff, 0x75, 0x14, 0xe8, 0x52, 0x06, 0xff, 0xff, 0x89, 0x34, 0x24, 0xe8, 0xb2, 0x3f, 0xff, 0xff, 0x58, 0x5a, 0x6a, 0x01, 0xff, 0x74
0x43815c <save_thumbnail_in_cache_thread+60>
1 pattern found.

(gdb) b *0x43815c
Breakpoint 2 at 0x43815c: file ../shell/ev-recent-view.c, line 351.
(gdb) info b
Num     Type           Disp Enb Address    What
2       breakpoint     keep y   0x0043815c in save_thumbnail_in_cache_thread at ../shell/ev-recent-view.c:351


(gdb) disassemble save_thumbnail_in_cache_thread
Dump of assembler code for function save_thumbnail_in_cache_thread:
   0x00438120 <+0>:     push   %ebp
   0x00438121 <+1>:     push   %edi
   0x00438122 <+2>:     push   %esi
   0x00438123 <+3>:     push   %ebx
   0x00438124 <+4>:     call   0x42c780 <__x86.get_pc_thunk.bx>
   0x00438129 <+9>:     add    $0x57a2f,%ebx
   0x0043812f <+15>:    sub    $0x1c,%esp
   0x00438132 <+18>:    mov    0x38(%esp),%edi
   0x00438136 <+22>:    call   0x42af10 <ev_job_thumbnail_get_type@plt>
   0x0043813b <+27>:    mov    0x181c(%ebx),%ebp
   0x00438141 <+33>:    sub    $0x8,%esp
   0x00438144 <+36>:    add    0x3c(%esp),%ebp
   0x00438148 <+40>:    push   %eax
   0x00438149 <+41>:    push   0x14(%edi)
   0x0043814c <+44>:    call   0x427df0 <g_type_check_instance_cast@plt>
   0x00438151 <+49>:    mov    0x4c(%eax),%esi
   0x00438154 <+52>:    mov    %esi,(%esp)
   0x00438157 <+55>:    call   0x42aa00 <cairo_image_surface_get_height@plt>
   0x0043815c <+60>:    mov    %esi,(%esp)                                    <<<<<<<<<<<<
   0x0043815f <+63>:    mov    %eax,0x1c(%esp)
   0x00438163 <+67>:    call   0x428a20 <cairo_image_surface_get_width@plt>
   0x00438168 <+72>:    mov    0x1c(%esp),%edx
   0x0043816c <+76>:    mov    %edx,(%esp)
   0x0043816f <+79>:    push   %eax
   0x00438170 <+80>:    push   $0x0
   0x00438172 <+82>:    push   $0x0
   0x00438174 <+84>:    push   %esi
   0x00438175 <+85>:    call   0x429a80 <gdk_pixbuf_get_from_surface@plt>
   0x0043817a <+90>:    add    $0x20,%esp
   0x0043817d <+93>:    push   0x8(%edi)
   0x00438180 <+96>:    push   0x4(%edi)
   0x00438183 <+99>:    mov    %eax,%esi
   0x00438185 <+101>:   push   %eax
   0x00438186 <+102>:   push   0x14(%ebp)
   0x00438189 <+105>:   call   0x4287e0 <gnome_desktop_thumbnail_factory_save_thumbnail@plt>
   0x0043818e <+110>:   mov    %esi,(%esp)
   0x00438191 <+113>:   call   0x42c148 <g_object_unref@plt>
   0x00438196 <+118>:   pop    %eax
   0x00438197 <+119>:   pop    %edx
   0x00438198 <+120>:   push   $0x1
   0x0043819a <+122>:   push   0x3c(%esp)
   0x0043819e <+126>:   call   0x4296d0 <g_task_return_boolean@plt>
   0x004381a3 <+131>:   add    $0x2c,%esp
   0x004381a6 <+134>:   pop    %ebx
   0x004381a7 <+135>:   pop    %esi
   0x004381a8 <+136>:   pop    %edi
   0x004381a9 <+137>:   pop    %ebp
   0x004381aa <+138>:   ret    
End of assembler dump.


(gdb) b save_thumbnail_in_cache_thread
Breakpoint 3 at 0x438120: file ../shell/ev-recent-view.c, line 348.


https://sources.debian.org/src/evince/3.38.0-3/shell/ev-recent-view.c/#L351
https://gitlab.gnome.org/GNOME/evince/-/blob/master/shell/ev-recent-view.c#L351

https://buildd.debian.org/status/fetch.php?pkg=evince&arch=i386&ver=3.38.0-2&stamp=1602587776&raw=0
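As an added example (not part of the bug report, of evince, or of the Debian wiki page linked above), the following Python script does what the attachment does by hand with sed and the error-code table: it parses the kernel's segfault line, decodes the page-fault error bits, turns the "Code:" dump into a gdb `find /b` command, and adds the check a practitioner wants afterwards. The kernel brackets the byte at ip as `<ff>`, 42 bytes into the dump, so the address gdb reports for the pattern plus that offset is the faulting instruction's address in the gdb session, and subtracting ip's offset inside the kernel-reported mapping `evince[4cd000+3a000]` from it gives where gdb must have mapped the executable segment, which `info proc mappings` in the same session can confirm. The two log lines and the gdb hit address 0x43815c are the ones quoted in the report; the .text bounds are the ones from `info target` above.

```python
#!/usr/bin/env python3
"""Decode an x86 segfault line from dmesg and map its "Code:" dump back to a
gdb session.  Input lines below are copied from the bug report; everything
else is this script's own (constructed) logic."""
import re

# Constructed from the two kernel lines quoted in the report.
SEGFAULT_LINE = ("nov. 16 20:33:38 nicolas.home kernel: pool-evince[16278]: "
                 "segfault at fffffdd4 ip 004de186 sp afbfa034 error 5 "
                 "in evince[4cd000+3a000]")
CODE_LINE = ("nov. 16 20:33:38 nicolas.home kernel: Code: 89 34 24 89 44 24 "
             "1c e8 b8 08 ff ff 8b 54 24 1c 89 14 24 50 6a 00 6a 00 56 e8 06 "
             "19 ff ff 83 c4 20 ff 77 08 ff 77 04 89 c6 50 <ff> 75 14 e8 52 "
             "06 ff ff 89 34 24 e8 b2 3f ff ff 58 5a 6a 01 ff 74")

SEGFAULT_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+) "
    r"in (?P<obj>[^\[]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]")


def decode_error(err):
    """x86 page-fault error code bits as printed by the kernel."""
    return {
        "protection_violation": bool(err & 1),   # 0: page not present
        "write": bool(err & 2),                  # 0: read access
        "user_mode": bool(err & 4),              # 0: kernel-mode access
        "reserved_bit": bool(err & 8),           # reserved PTE bit set
        "instruction_fetch": bool(err & 16),     # NX violation
    }


def parse_segfault(line):
    """Return the fields of a 'segfault at ... in obj[base+size]' line."""
    m = SEGFAULT_RE.search(line)
    if not m:
        raise ValueError("not a segfault line: %r" % line)
    d = {k: int(m.group(k), 16) for k in ("addr", "ip", "sp", "base", "size")}
    d["comm"], d["pid"], d["obj"] = m.group("comm"), int(m.group("pid")), m.group("obj")
    d["error"] = decode_error(int(m.group("err")))
    # Offset of ip inside the mapping [base, base+size) the kernel reported.
    d["ip_offset"] = d["ip"] - d["base"]
    return d


def parse_code(line):
    """Return (bytes, marker_index); the kernel brackets the byte at ip as <xx>."""
    m = re.search(r"Code: (.*)$", line)
    if not m:
        raise ValueError("no Code: dump in %r" % line)
    toks = m.group(1).split()
    marker = next(i for i, t in enumerate(toks) if t.startswith("<"))
    return bytes(int(t.strip("<>"), 16) for t in toks), marker


def gdb_find_command(code, start, end):
    """The `find /b` line the attachment builds with sed."""
    return "find /b 0x%x, 0x%x, %s" % (
        start, end, ", ".join("0x%02x" % b for b in code))


def faulting_pc(hit_addr, marker):
    """Address of the faulting instruction once gdb has found the pattern."""
    return hit_addr + marker


def gdb_segment_base(hit_addr, marker, ip_offset):
    """Where the executable mapping must start in the gdb session for the hit
    to agree with the kernel's ip; compare with `info proc mappings`."""
    return faulting_pc(hit_addr, marker) - ip_offset


if __name__ == "__main__":
    seg = parse_segfault(SEGFAULT_LINE)
    code, marker = parse_code(CODE_LINE)
    print("fault addr 0x%x ip 0x%x, ip offset in mapping 0x%x" %
          (seg["addr"], seg["ip"], seg["ip_offset"]))
    print("error bits:", seg["error"])
    print(gdb_find_command(code, 0x42c150, 0x460924))   # .text from `info target`
    hit = 0x43815c                                        # address gdb printed
    print("faulting instruction in gdb: 0x%x" % faulting_pc(hit, marker))
    print("expected r-x mapping start in gdb: 0x%x" %
          gdb_segment_base(hit, marker, seg["ip_offset"]))
```

With the report's values this yields ip offset 0x11186, a 64-byte pattern with the marker at index 42, the faulting instruction at 0x438186 (which `x/i 0x438186` in the same gdb session should disassemble to the `ff 75 14` bytes that follow the marker), and an expected mapping start of 0x427000; that range, 0x427000 plus 0x3a000, contains both the PLT stubs and the .text bounds printed by `info target`, which is the consistency check that the pattern hit is not a false positive.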


