pwmt / zathura

Document viewer
https://pwmt.org/projects/zathura
zlib License

Segfault when quitting quickly after zooming. #395

Open sebastinas opened 1 year ago

sebastinas commented 1 year ago

On GitLab by @jdujava on May 3, 2023, 17:44


Trying to quit immediately after zooming sometimes leads to a segmentation fault.

Happens reproducibly on scans or highly annotated PDFs, in particular when focusing after the zoom takes a while.

For example, it leaves the following stack trace:

systemd-coredump[13801]: Process 13764 (zathura) of user 1000 dumped core.

      Stack trace of thread 13785:
      #0  0x00007fd9f4dbe170 n/a (n/a + 0x0)
      #1  0x00007fda0ab5f18f _ZN3Gfx2goEb (libpoppler.so.126 + 0x15f18f)
      #2  0x00007fda0ab5fc37 _ZN3Gfx7displayEP6Objectb (libpoppler.so.126 + 0x15fc37)
      #3  0x00007fda0ab70a0f _ZN3Gfx8drawFormEP6ObjectP4DictPKdS5_bbP13GfxColorSpacebbbP8FunctionP8GfxColor (libpoppler.so.126 + 0x170a0f)
      #4  0x00007fda0ab710da _ZN3Gfx6doFormEP6Object (libpoppler.so.126 + 0x1710da)
      #5  0x00007fda0ab743b8 _ZN3Gfx9opXObjectEP6Objecti (libpoppler.so.126 + 0x1743b8)
      #6  0x00007fda0ab5f18f _ZN3Gfx2goEb (libpoppler.so.126 + 0x15f18f)
      #7  0x00007fda0ab5fc37 _ZN3Gfx7displayEP6Objectb (libpoppler.so.126 + 0x15fc37)
      #8  0x00007fda0abced92 _ZN4Page12displaySliceEP9OutputDevddibbiiiibPFbPvES2_PFbP5AnnotS2_ES2_b (libpoppler.so.126 + 0x1ced92)
      #9  0x00007fda0c9671f2 n/a (libpoppler-glib.so.8 + 0x2d1f2)
      #10 0x00007fda0cd36996 n/a (libpdf-poppler.so + 0x2996)
      #11 0x00005575bba30902 n/a (zathura + 0x2e902)
      #12 0x00007fda103709a3 n/a (libglib-2.0.so.0 + 0x8c9a3)
      #13 0x00007fda1036b315 n/a (libglib-2.0.so.0 + 0x87315)
      #14 0x00007fda0ffccbb5 n/a (libc.so.6 + 0x85bb5)
      #15 0x00007fda1004ed90 n/a (libc.so.6 + 0x107d90)

      Stack trace of thread 13764:
      #0  0x00007fda0ffc993b __lll_lock_wait_private (libc.so.6 + 0x8293b)
      #1  0x00007fda0ffda850 n/a (libc.so.6 + 0x93850)
      #2  0x00007fda0ffdce63 __libc_free (libc.so.6 + 0x95e63)
      #3  0x00007fda0abc1e97 _ZN6Object4freeEv (libpoppler.so.126 + 0x1c1e97)
      #4  0x00007fda0abc1e5a _ZN6Object4freeEv (libpoppler.so.126 + 0x1c1e5a)
      #5  0x00007fda0abfddd8 n/a (libpoppler.so.126 + 0x1fddd8)
      #6  0x00007fda0abfe041 _ZN4XRefD1Ev (libpoppler.so.126 + 0x1fe041)
      #7  0x00007fda0abd1878 _ZN6PDFDocD1Ev (libpoppler.so.126 + 0x1d1878)
      #8  0x00007fda0c95b760 n/a (libpoppler-glib.so.8 + 0x21760)
      #9  0x00007fda104514a4 g_object_unref (libgobject-2.0.so.0 + 0x224a4)
      #10 0x00007fda0cd3645b n/a (libpdf-poppler.so + 0x245b)
      #11 0x00005575bba16d87 zathura_document_free (zathura + 0x14d87)
      #12 0x00005575bba1b38b n/a (zathura + 0x1938b)
      #13 0x00005575bba1b46f n/a (zathura + 0x1946f)
      #14 0x00005575bba0eebc main (zathura + 0xcebc)
      #15 0x00007fda0ff6a790 n/a (libc.so.6 + 0x23790)
      #16 0x00007fda0ff6a84a __libc_start_main (libc.so.6 + 0x2384a)
      #17 0x00005575bba0f615 _start (zathura + 0xd615)

      Stack trace of thread 13771:
      #0  0x00007fda100470dd syscall (libc.so.6 + 0x1000dd)
      #1  0x00007fda103947b5 g_cond_wait (libglib-2.0.so.0 + 0xb07b5)
      #2  0x00007fda10308fb4 n/a (libglib-2.0.so.0 + 0x24fb4)
      #3  0x00007fda1036ff9e n/a (libglib-2.0.so.0 + 0x8bf9e)
      #4  0x00007fda1036b315 n/a (libglib-2.0.so.0 + 0x87315)
      #5  0x00007fda0ffccbb5 n/a (libc.so.6 + 0x85bb5)
      #6  0x00007fda1004ed90 n/a (libc.so.6 + 0x107d90)

      Stack trace of thread 13770:
      #0  0x00007fda100419df __poll (libc.so.6 + 0xfa9df)
      #1  0x00007fda1039b17f n/a (libglib-2.0.so.0 + 0xb717f)
      #2  0x00007fda1033d1a2 g_main_context_iteration (libglib-2.0.so.0 + 0x591a2)
      #3  0x00007fda1033d1f2 n/a (libglib-2.0.so.0 + 0x591f2)
      #4  0x00007fda1036b315 n/a (libglib-2.0.so.0 + 0x87315)
      #5  0x00007fda0ffccbb5 n/a (libc.so.6 + 0x85bb5)
      #6  0x00007fda1004ed90 n/a (libc.so.6 + 0x107d90)

      Stack trace of thread 13772:
      #0  0x00007fda100470dd syscall (libc.so.6 + 0x1000dd)
      #1  0x00007fda10394d03 g_cond_wait_until (libglib-2.0.so.0 + 0xb0d03)
      #2  0x00007fda10308f83 n/a (libglib-2.0.so.0 + 0x24f83)
      #3  0x00007fda10309127 g_async_queue_timeout_pop (libglib-2.0.so.0 + 0x25127)
      #4  0x00007fda10370846 n/a (libglib-2.0.so.0 + 0x8c846)
      #5  0x00007fda1036b315 n/a (libglib-2.0.so.0 + 0x87315)
      #6  0x00007fda0ffccbb5 n/a (libc.so.6 + 0x85bb5)
      #7  0x00007fda1004ed90 n/a (libc.so.6 + 0x107d90)

      Stack trace of thread 13780:
      #0  0x00007fda100419df __poll (libc.so.6 + 0xfa9df)
      #1  0x00007fda1039b17f n/a (libglib-2.0.so.0 + 0xb717f)
      #2  0x00007fda1033dc7f g_main_loop_run (libglib-2.0.so.0 + 0x59c7f)
      #3  0x00007fda1059ed5c n/a (libgio-2.0.so.0 + 0x10ed5c)
      #4  0x00007fda1036b315 n/a (libglib-2.0.so.0 + 0x87315)
      #5  0x00007fda0ffccbb5 n/a (libc.so.6 + 0x85bb5)
      #6  0x00007fda1004ed90 n/a (libc.so.6 + 0x107d90)
      ELF object binary architecture: AMD x86-64
systemd[1]: Started Process Core Dump (PID 13800/UID 0).
kernel: Code: 00 00 80 f0 ff ff ff ff ff ff 40 1c 00 00 00 00 00 00 80 09 00 00 00 00 00 00 d0 a8 8d f6 d9 7f 00 00 a1 05 00 00 00 00 00 00 <00> 9d 84 f4 d9 7f 00 00 e0 59 7c f6 d9 7f 00 00 00 00 00 00 00 00
kernel: pool-org.pwmt.z[13785]: segfault at 7fd9f4dbe170 ip 00007fd9f4dbe170 sp 00007fda01dfcd48 error 15 likely on CPU 7 (core 3, socket 0)
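The two traces in this report are consistent with a teardown race: thread 13764 is inside `zathura_document_free` → `g_object_unref` → `PDFDoc::~PDFDoc` while the pool thread 13785 is still in `Gfx::go` rendering a page of that same document. The added C example below is not zathura's or poppler's code; it is a constructed, minimal model of a viewer with one render worker (hypothetical `document_t`, `render_job_t`, `run_viewer` names) that shows the ordering a quit path needs so the render thread can never touch a freed document: set a cancel flag the worker checks before each page, join the worker, and only then free the document.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdatomic.h>
#include <stdlib.h>
#include <time.h>

/* Constructed stand-ins for a viewer's document handle and a render job
 * running on a worker-pool thread; these are not zathura's own types. */
typedef struct {
    unsigned char *pages;   /* one byte of rasterised state per page */
    int page_count;
} document_t;

typedef struct {
    document_t *doc;        /* the worker dereferences this on every page */
    atomic_int cancel;      /* set by the UI thread when the user quits */
    atomic_int finished;    /* set by the worker as its last action */
    int rendered;           /* pages actually drawn before stopping */
} render_job_t;

static document_t *document_open(int page_count)
{
    document_t *doc = calloc(1, sizeof *doc);
    doc->pages = calloc((size_t)page_count, 1);
    doc->page_count = page_count;
    return doc;
}

static void document_free(document_t *doc)
{
    free(doc->pages);
    free(doc);
}

/* Worker: renders pages one by one and checks the cancel flag before each
 * page, so it stops using the document as soon as a quit is requested. */
static void *render_worker(void *arg)
{
    render_job_t *job = arg;
    struct timespec slow_page = { 0, 1000000L };  /* 1 ms: an expensive page, like a scan */
    for (int p = 0; p < job->doc->page_count; p++) {
        if (atomic_load(&job->cancel))
            break;
        job->doc->pages[p] = 1;   /* "draw" the page */
        job->rendered++;
        nanosleep(&slow_page, NULL);
    }
    atomic_store(&job->finished, 1);
    return NULL;
}

/* Teardown ordering that closes the race: request cancellation, wait for the
 * worker to exit, and only then free the document. Returns -1 if the
 * invariant "worker finished before free" does not hold. */
static int document_close(document_t *doc, pthread_t worker, render_job_t *job, int cancel)
{
    if (cancel)
        atomic_store(&job->cancel, 1);
    pthread_join(worker, NULL);
    if (!atomic_load(&job->finished))
        return -1;
    document_free(doc);   /* no other thread can hold doc at this point */
    return 0;
}

/* Opens a document, starts one render job and closes the document either
 * immediately (quit_immediately != 0, the scenario in the report) or after
 * rendering completed. Returns the number of pages drawn, or -1 on error. */
int run_viewer(int page_count, int quit_immediately)
{
    document_t *doc = document_open(page_count);
    render_job_t job = { .doc = doc };
    pthread_t worker;
    if (pthread_create(&worker, NULL, render_worker, &job) != 0) {
        document_free(doc);
        return -1;
    }
    if (document_close(doc, worker, &job, quit_immediately) != 0)
        return -1;
    return job.rendered;
}

int main(void)
{
    int quick = run_viewer(200, 1);   /* quit while rendering: some pages, no crash */
    int full = run_viewer(20, 0);     /* let the render finish: all 20 pages */
    return (quick < 0 || full != 20) ? 1 : 0;
}
```

The point of the model is where `document_free` sits: after the join, never in parallel with a worker that still holds the pointer. A real viewer with a thread pool needs the same two steps per outstanding job (cancel, then wait) before the `g_object_unref` that drops the last reference to the document.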

sebastinas commented 11 months ago

On GitLab by @iyzana on Oct 17, 2023, 12:37


I have found similar bugs:

If required, I can provide a large (8.8 MiB) PDF to reliably reproduce this.

castilma commented 3 months ago

I found another segfault trigger: scroll down with the mouse and then, while still scrolling, hold Ctrl to turn it into zooming out.

Thread 7 "pool-org.pwmt.z" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffd9bff6c0 (LWP 2044)]
0x0000000000000000 in ?? ()
(gdb) bt
#0  0x0000000000000000 in ??? ()
#1  0x00007fffdd104b01 in fz_find_item () at /usr/lib/libmupdf.so.24.2
#2  0x00007fffdd058b0f in fz_find_icc_link () at /usr/lib/libmupdf.so.24.2
#3  0x00007fffdd058e28 in ??? () at /usr/lib/libmupdf.so.24.2
#4  0x00007fffdd058fe9 in fz_convert_color () at /usr/lib/libmupdf.so.24.2
#5  0x00007fffdd0847f7 in ??? () at /usr/lib/libmupdf.so.24.2
#6  0x00007fffdd087d93 in ??? () at /usr/lib/libmupdf.so.24.2
#7  0x00007fffdd05fb41 in fz_fill_text () at /usr/lib/libmupdf.so.24.2
#8  0x00007fffdd0c2cd9 in fz_run_display_list () at /usr/lib/libmupdf.so.24.2
#9  0x00007ffff40ce8e1 in ??? () at /usr/lib/zathura/libpdf-mupdf.so
#10 0x000055555556c75f in ??? ()
#11 0x00007ffff714f2d3 in ??? () at /usr/lib/libglib-2.0.so.0
#12 0x00007ffff7149425 in ??? () at /usr/lib/libglib-2.0.so.0
#13 0x00007ffff6d5a55a in start_thread (arg=<optimized out>) at pthread_create.c:447
#14 0x00007ffff6dd7a5c in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
(gdb)