Bug#974937: Re : Bug#974937: evince: crashes then runs

2020-12-26 Thread nicolas . patrois
On 25/12/2020 20:33:14, Bernhard Übelacker wrote:

> But still a proper backtrace would be helpful.

Hi,

I did not see this bug for a while but when evince crashes again, I’ll try
to send the backtrace.

Yours,
nicolas patrois : pts noir asocial
-- 
REALISM

M: What would it take for us to be considered human?
A bigger brain?
P: No... A bank card would be enough...



Bug#974937: evince: crashes then runs

2020-12-25 Thread Bernhard Übelacker

Dear Maintainer,
I am sorry but I missed the offset of 42 in the kernel output,
which shows 42 bytes before the crashing instruction marked with "< >".
The location where the crash happened would therefore
not be in line 351, instead it would be in 355.

   0x00438186 <+102>:   push   0x14(%ebp)

That matches also the last three digits in ip value in the kernel output.

Then, based on the 0x14, the assumption would be that the priv
pointer might have contained an invalid value.
The segfaulting address is at 0xfdd4 kind of near 0.
Therefore, might the private pointer here be "below" the ev_recent_view pointer
by 0x240, and ev_recent_view be a null pointer in this crash?

But still a proper backtrace would be helpful.

Kind regards,
Bernhard


https://gitlab.gnome.org/GNOME/evince/-/blob/master/shell/ev-recent-view.c#L355

355     gnome_desktop_thumbnail_factory_save_thumbnail (priv->thumbnail_factory,
356                                                     thumbnail, data->uri, data->mtime);

(gdb) print &((EvRecentViewPrivate *)0)->thumbnail_factory
$2 = (GnomeDesktopThumbnailFactory **) 0x14



Bug#974937: evince: crashes then runs

2020-12-18 Thread Bernhard Übelacker

Dear Maintainer,
from the dmesg line from the submitter I think the crash happens in
save_thumbnail_in_cache_thread in [1], between the calls to
cairo_image_surface_get_height and -width.

Tried to reach that function just showing some random PDF
but did not get there.

@Nicolas: I assume Simon asked for a backtrace of the crash.
There are several ways described in the link in his last mail.
The easiest might be to install systemd-coredump and when
the next crash happens look at the end of the output
of 'journalctl --no-pager'.

Kind regards,
Bernhard

[1] https://gitlab.gnome.org/GNOME/evince/-/blob/master/shell/ev-recent-view.c#L351


# Bullseye/testing i386 qemu VM 2020-12-18


apt update
apt dist-upgrade


apt install systemd-coredump gnome gdb evince libgdk-pixbuf2.0-0


systemctl stop sddm
systemctl start sddm


wget https://snapshot.debian.org/archive/debian/20201013T145646Z/pool/main/e/evince/evince_3.38.0-2_i386.deb
wget https://snapshot.debian.org/archive/debian/20201013T145646Z/pool/main/e/evince/evince-common_3.38.0-2_all.deb
wget https://snapshot.debian.org/archive/debian/20201013T145646Z/pool/main/e/evince/libevdocument3-4_3.38.0-2_i386.deb
wget https://snapshot.debian.org/archive/debian/20201013T145646Z/pool/main/e/evince/libevview3-3_3.38.0-2_i386.deb
wget https://snapshot.debian.org/archive/debian-debug/20201013T145001Z/pool/main/e/evince/evince-dbgsym_3.38.0-2_i386.deb
wget https://snapshot.debian.org/archive/debian/20201013T145646Z/pool/main/e/evince/gir1.2-evince-3.0_3.38.0-2_i386.deb
dpkg -i *.deb

cd Dokumente/
wget https://www.debian.org/doc/manuals/debian-faq/debian-faq.de.pdf



https://wiki.debian.org/InterpretingKernelOutputAtProcessCrash



nov. 16 20:33:38 nicolas.home kernel: pool-evince[16278]: segfault at fdd4 ip 004de186 sp afbfa034 error 5 in evince[4cd000+3a000]
nov. 16 20:33:38 nicolas.home kernel: Code: 89 34 24 89 44 24 1c e8 b8 08 ff ff 8b 54 24 1c 89 14 24 50 6a 00 6a 00 56 e8 06 19 ff ff 83 c4 20 ff 77 08 ff 77 04 89 c6 50 <ff> 75 14 e8 52 06 ff ff 89 34 24 e8 b2 3f ff ff 58 5a 6a 01 ff 74

"error 5" == 0b0101 == 
 *   bit 0 ==1: protection fault
 *   bit 1 ==0: read access
 *   bit 2 ==1: user-mode access


benutzer@debian:~$  echo -n "find /b ..., ..., 0x" && \
echo "89 34 24 89 44 24 1c e8 b8 08 ff ff 8b 54 24 1c 89 14 24 50 6a 00 6a 00 56 e8 06 19 ff ff 83 c4 20 ff 77 08 ff 77 04 89 c6 50 <ff> 75 14 e8 52 06 ff ff 89 34 24 e8 b2 3f ff ff 58 5a 6a 01 ff 74" \
 | sed 's/[<>]//g' | sed 's/ /, 0x/g'
find /b ..., ..., 0x89, 0x34, 0x24, 0x89, 0x44, 0x24, 0x1c, 0xe8, 0xb8, 0x08, 
0xff, 0xff, 0x8b, 0x54, 0x24, 0x1c, 0x89, 0x14, 0x24, 0x50, 0x6a, 0x00, 0x6a, 
0x00, 0x56, 0xe8, 0x06, 0x19, 0xff, 0xff, 0x83, 0xc4, 0x20, 0xff, 0x77, 0x08, 
0xff, 0x77, 0x04, 0x89, 0xc6, 0x50, 0xff, 0x75, 0x14, 0xe8, 0x52, 0x06, 0xff, 
0xff, 0x89, 0x34, 0x24, 0xe8, 0xb2, 0x3f, 0xff, 0xff, 0x58, 0x5a, 0x6a, 0x01, 
0xff, 0x74


gdb -q
set width 0
set pagination off
set environment DISPLAY=:0
file /usr/bin/evince
tb main
run
info target
...
0x0042c150 - 0x00460924 is .text
...

(gdb) find /b 0x0042c150, 0x00460924, 0x89, 0x34, 0x24, 0x89, 0x44, 0x24, 0x1c, 
0xe8, 0xb8, 0x08, 0xff, 0xff, 0x8b, 0x54, 0x24, 0x1c, 0x89, 0x14, 0x24, 0x50, 
0x6a, 0x00, 0x6a, 0x00, 0x56, 0xe8, 0x06, 0x19, 0xff, 0xff, 0x83, 0xc4, 0x20, 
0xff, 0x77, 0x08, 0xff, 0x77, 0x04, 0x89, 0xc6, 0x50, 0xff, 0x75, 0x14, 0xe8, 
0x52, 0x06, 0xff, 0xff, 0x89, 0x34, 0x24, 0xe8, 0xb2, 0x3f, 0xff, 0xff, 0x58, 
0x5a, 0x6a, 0x01, 0xff, 0x74
0x43815c 
1 pattern found.

(gdb) b *0x43815c
Breakpoint 2 at 0x43815c: file ../shell/ev-recent-view.c, line 351.
(gdb) info b
Num     Type           Disp Enb Address    What
2       breakpoint     keep y   0x0043815c in save_thumbnail_in_cache_thread at ../shell/ev-recent-view.c:351


(gdb) disassemble save_thumbnail_in_cache_thread
Dump of assembler code for function save_thumbnail_in_cache_thread:
   0x00438120 <+0>:     push   %ebp
   0x00438121 <+1>:     push   %edi
   0x00438122 <+2>:     push   %esi
   0x00438123 <+3>:     push   %ebx
   0x00438124 <+4>:     call   0x42c780 <__x86.get_pc_thunk.bx>
   0x00438129 <+9>:     add    $0x57a2f,%ebx
   0x0043812f <+15>:    sub    $0x1c,%esp
   0x00438132 <+18>:    mov    0x38(%esp),%edi
   0x00438136 <+22>:    call   0x42af10
   0x0043813b <+27>:    mov    0x181c(%ebx),%ebp
   0x00438141 <+33>:    sub    $0x8,%esp
   0x00438144 <+36>:    add    0x3c(%esp),%ebp
   0x00438148 <+40>:    push   %eax
   0x00438149 <+41>:    push   0x14(%edi)
   0x0043814c <+44>:    call   0x427df0
   0x00438151 <+49>:    mov    0x4c(%eax),%esi
   0x00438154 <+52>:    mov    %esi,(%esp)
   0x00438157 <+55>:    call   0x42aa00
   0x0043815c <+60>:    mov    %esi,(%esp)
   0x0043815f <+63>:    mov    %eax,0x1c(%esp)
   0x00438163 <+67>:    call   0x428a20
   0x00438168 <+72>:    mov    0x1c(%esp),%edx
   0x0043816c <+76>:    mov    %edx,(%esp)
   0x0043816f <+79>:    push   %eax
   0x00438170 
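
Added example (not part of the original thread, and not code from evince or Debian): the triage steps from the two mails above, that is decoding the "segfault at" line, locating the byte marked with "<>" in the Code dump, building the gdb find command, and adding the marker offset to the find hit. All function names are hypothetical; the sample lines are constructed from the report, with the "<ff>" marker written out.

```python
import re

# Constructed input: the two kernel lines from this report, with the "<ff>"
# marker on the faulting byte written out as the kernel prints it.
SEGV = ("pool-evince[16278]: segfault at fdd4 ip 004de186 sp afbfa034 "
        "error 5 in evince[4cd000+3a000]")
CODE = ("Code: 89 34 24 89 44 24 1c e8 b8 08 ff ff 8b 54 24 1c 89 14 24 50 "
        "6a 00 6a 00 56 e8 06 19 ff ff 83 c4 20 ff 77 08 ff 77 04 89 c6 50 "
        "<ff> 75 14 e8 52 06 ff ff 89 34 24 e8 b2 3f ff ff 58 5a 6a 01 ff 74")

SEGV_RE = re.compile(
    r"segfault at (?P<addr>[0-9a-f]+) ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+)"
    r" error (?P<err>[0-9a-f]+) in (?P<obj>[^\[\s]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]")

def parse_segfault(line):
    """Return the hex fields of a 'segfault at' line plus ip's offset in the mapping."""
    m = SEGV_RE.search(line)
    if m is None:
        raise ValueError("not a kernel segfault line")
    f = {k: int(v, 16) for k, v in m.groupdict().items() if k != "obj"}
    f["obj"], f["ip_offset"] = m["obj"], f["ip"] - f["base"]
    return f

def decode_error(err):
    """Decode the low three x86 page-fault error bits, as done in the mail above."""
    return ["protection fault" if err & 1 else "page not present",
            "write access" if err & 2 else "read access",
            "user-mode access" if err & 4 else "kernel-mode access"]

def parse_code(line):
    """Return (opcode bytes, index of the <..> byte counted from the dump start)."""
    tokens = line.split("Code:", 1)[1].split()
    marked = [i for i, t in enumerate(tokens) if t.startswith("<")]
    if len(marked) != 1:          # e.g. "Bad EIP value" or a stripped marker
        raise ValueError("need exactly one <..> marked byte")
    return bytes(int(t.strip("<>"), 16) for t in tokens), marked[0]

def gdb_find(data, start, end):
    """Build the gdb 'find /b' command that searches .text for the dumped bytes."""
    return "find /b 0x%x, 0x%x, %s" % (start, end, ", ".join("0x%02x" % b for b in data))

def crash_address(hit, marker, ip):
    """Address of the faulting instruction in the gdb session, given the find hit."""
    addr = hit + marker
    if (addr ^ ip) & 0xfff:       # mappings are page-aligned: low 12 bits must agree
        raise ValueError("find hit does not line up with the logged ip")
    return addr

if __name__ == "__main__":
    info, (data, marker) = parse_segfault(SEGV), parse_code(CODE)
    print(decode_error(info["err"]), hex(info["ip_offset"]), marker)
    print(gdb_find(data, 0x0042c150, 0x00460924))
    print(hex(crash_address(0x43815c, marker, info["ip"])))
```
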

Bug#974937: Re : Bug#974937: evince: crashes then runs

2020-11-17 Thread nicolas . patrois
On 17/11/2020 11:20:59, Simon McVittie wrote:

> Control: tags -1 + moreinfo

> Does this happen for *all* files, or only for specific files?

> Sorry, we can't do anything with this amount of information. If you
> can get a backtrace from the crash, that might provide enough information
> to find the bug: please see .

It’s for all files.
Do you want the end of strace’s output?

nicolas patrois : pts noir asocial
-- 
REALISM

M: What would it take for us to be considered human?
A bigger brain?
P: No... A bank card would be enough...



Bug#974937: evince: crashes then runs

2020-11-17 Thread Simon McVittie
Control: tags -1 + moreinfo

On Mon, 16 Nov 2020 at 20:38:22 +0100, Nicolas Patrois wrote:
> When I open a file in evince, evince crashes.

Does this happen for *all* files, or only for specific files?

If it happens for specific files, is there a file you can share that
reproduces the crash and does not contain any private information?

> I read this in the logs:
> nov. 16 20:33:38 nicolas.home kernel: pool-evince[16278]: segfault at fdd4
> ip 004de186 sp afbfa034 error 5 in evince[4cd000+3a000]
> nov. 16 20:33:38 nicolas.home kernel: Code: 89 34 24 89 44 24 1c e8 b8 08 ff ff
> 8b 54 24 1c 89 14 24 50 6a 00 6a 00 56 e8 06 19 ff ff 83 c4 20 ff 77 08 ff 77
> 04 89 c6 50 <ff> 75 14 e8 52 06 ff ff 89 34 24 e8 b2 3f ff ff 58 5a 6a 01 ff 74

Sorry, we can't do anything with this amount of information. If you can
get a backtrace from the crash, that might provide enough information to
find the bug: please see .

smcv



Bug#974937: evince: crashes then runs

2020-11-16 Thread Nicolas Patrois
Package: evince
Version: 3.38.0-2
Severity: normal

Dear Maintainer,

When I open a file in evince, evince crashes. I read this in the logs:
nov. 16 20:33:38 nicolas.home kernel: pool-evince[16278]: segfault at fdd4
ip 004de186 sp afbfa034 error 5 in evince[4cd000+3a000]
nov. 16 20:33:38 nicolas.home kernel: Code: 89 34 24 89 44 24 1c e8 b8 08 ff ff
8b 54 24 1c 89 14 24 50 6a 00 6a 00 56 e8 06 19 ff ff 83 c4 20 ff 77 08 ff 77
04 89 c6 50 <ff> 75 14 e8 52 06 ff ff 89 34 24 e8 b2 3f ff ff 58 5a 6a 01 ff 74

Then, I can re-open evince and read the file without crash.

Yours,



-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 5.7.0-1-686-pae (SMP w/3 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr_FR:fr:en_GB:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages evince depends on:
ii  dconf-gsettings-backend [gsettings-backend]  0.38.0-1
ii  evince-common                                3.38.0-2
ii  gconf-gsettings-backend [gsettings-backend]  3.2.6-6
ii  gsettings-desktop-schemas                    3.38.0-2
ii  libatk1.0-0                                  2.36.0-2
ii  libc6                                        2.31-4
ii  libcairo-gobject2                            1.16.0-4
ii  libcairo2                                    1.16.0-4
ii  libevdocument3-4                             3.38.0-2
ii  libevview3-3                                 3.38.0-2
ii  libgdk-pixbuf2.0-0                           2.40.0+dfsg-5
ii  libglib2.0-0                                 2.66.2-1
ii  libgnome-desktop-3-19                        3.38.1-2
ii  libgtk-3-0                                   3.24.23-2
ii  libnautilus-extension1a                      3.38.1-1
ii  libpango-1.0-0                               1.46.2-3
ii  libpangocairo-1.0-0                          1.46.2-3
ii  libsecret-1-0                                0.20.3-1
ii  shared-mime-info                             2.0-1

Versions of packages evince recommends:
ii  dbus-user-session [default-dbus-session-bus]  1.12.20-1
ii  dbus-x11 [dbus-session-bus]   1.12.20-1

Versions of packages evince suggests:
ii  gvfs                   1.46.1-1
ii  nautilus-sendto        3.8.6-3
ii  poppler-data           0.4.10-1
ii  unrar-nonfree [unrar]  3.3.6-2

-- no debconf information