Bug 695822

Summary: Regression: errors with --saved-pages-test and -dJOBSERVER starting with 9108db24fef88855199038a257bf935a698af2f4
Product: Ghostscript
Reporter: Marcos H. Woehrmann <marcos.woehrmann>
Component: Regression
Assignee: Ray Johnston <ray.johnston>
Status: RESOLVED FIXED
Severity: normal
CC: robin.watts
Priority: P2
Version: master
Hardware: PC
OS: All
Customer:
Word Size: ---

Description Marcos H. Woehrmann 2015-02-06 11:20:14 UTC
Starting with 9108db24fef88855199038a257bf935a698af2f4 all of the ps3cet test files fail with an exit code 255 when run with the --saved-pages-test and -dJOBSERVER options.

Sample command line:

  ./bin/gs -o test.ppm -sDEVICE=ppmraw --saved-pages-test \
    -dJOBSERVER %rom%Resource/Init/gs_cet.ps \
    - <  ../tests_private/ps/ps3cet/27-04.PS
Comment 1 Ray Johnston 2015-02-07 09:13:26 UTC
I was the last person to touch this area, and Paul is busy elsewhere.
Comment 2 Marcos H. Woehrmann 2015-06-05 12:30:57 UTC
As requested here is the valgrind output:

valgrind head/debugbin/gs -o test.ppm -sDEVICE=ppmraw --saved-pages-test \
  -dJOBSERVER %rom%Resource/Init/gs_cet.ps - < ./27-04.PS

==1433== Memcheck, a memory error detector
==1433== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==1433== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==1433== Command: head/debugbin/gs -o test.ppm -sDEVICE=ppmraw --saved-pages-test -dJOBSERVER %rom%Resource/Init/gs_cet.ps -
==1433== 
GPL Ghostscript GIT PRERELEASE 9.18 (2015-04-07)
Copyright (C) 2015 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
==1433== Source and destination overlap in memcpy(0xa5d53b0, 0xa5d53b0, 48)
==1433==    at 0x4C306DD: memcpy@@GLIBC_2.14 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==1433==    by 0x753978: cl_cache_load_slot (gxclfile.c:214)
==1433==    by 0x754088: clist_fread_chars (gxclfile.c:397)
==1433==    by 0x72C622: clist_find_pseudoband (gxclread.c:410)
==1433==    by 0x72C88E: clist_read_color_usage_array (gxclread.c:457)
==1433==    by 0x72C3DE: clist_close_writer_and_init_reader (gxclread.c:355)
==1433==    by 0x72FCE4: clist_fillpage (gxclrect.c:313)
==1433==    by 0x9B81E3: gs_fillpage (gspaint.c:94)
==1433==    by 0x9B80AA: gs_erasepage (gspaint.c:66)
==1433==    by 0x538565: gs_main_init2 (imain.c:347)
==1433==    by 0x53CB14: runarg (imainarg.c:955)
==1433==    by 0x53C874: argproc (imainarg.c:902)
==1433== 
==1433== Source and destination overlap in memcpy(0xa5dd420, 0xa5dd420, 33)
==1433==    at 0x4C306DD: memcpy@@GLIBC_2.14 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==1433==    by 0x753978: cl_cache_load_slot (gxclfile.c:214)
==1433==    by 0x754088: clist_fread_chars (gxclfile.c:397)
==1433==    by 0x72C786: clist_read_chunk (gxclread.c:436)
==1433==    by 0x72C8BA: clist_read_color_usage_array (gxclread.c:461)
==1433==    by 0x72C3DE: clist_close_writer_and_init_reader (gxclread.c:355)
==1433==    by 0x72FCE4: clist_fillpage (gxclrect.c:313)
==1433==    by 0x9B81E3: gs_fillpage (gspaint.c:94)
==1433==    by 0x9B80AA: gs_erasepage (gspaint.c:66)
==1433==    by 0x538565: gs_main_init2 (imain.c:347)
==1433==    by 0x53CB14: runarg (imainarg.c:955)
==1433==    by 0x53C874: argproc (imainarg.c:902)
==1433== 
Loading NimbusSan-Bol font from %rom%Resource/Font/NimbusSan-Bol... 4400116 2796496 7095192 5757902 1 done.
% _Pg checksums collected from PhotoPRINT SE 5.0v2 version 3017.102 
27-4 DEFAULT1 
Loading NimbusRom-Reg font from %rom%Resource/Font/NimbusRom-Reg... 4433444 2907957 7135576 5783738 1 done.
27-4 DEFAULT1 = 4682 Text DevDep 170 ms 
27-4 DEFAULT2 
27-4 DEFAULT2 = 1092 Text DevDep 180 ms 
/27-4___Pg01 5774 def %NOT matching 36931 
27-4 GLOBINT 
Loading NimbusSan-Reg font from %rom%Resource/Font/NimbusSan-Reg... 4466772 3000357 7216344 5859946 2 done.
Querying operating system for font files...

GS>( PS)
TOP
BOTTOM

27-4 GLOBINT = 0 Graphic 6190 ms 
==1433== Syscall param pwrite64(buf) points to uninitialised byte(s)
==1433==    at 0x5D786C3: ??? (syscall-template.S:81)
==1433==    by 0x46355B: gp_fpwrite (gp_unifs.c:209)
==1433==    by 0x753E93: clist_fwrite_chars (gxclfile.c:356)
==1433==    by 0x73643E: cmd_write_band (gxclutil.c:198)
==1433==    by 0x7367CA: cmd_write_buffer (gxclutil.c:277)
==1433==    by 0x718C83: clist_end_page (gxclist.c:827)
==1433==    by 0x71D37A: gdev_prn_save_page (gxclpage.c:39)
==1433==    by 0x71DA67: gx_saved_pages_list_add (gxclpage.c:201)
==1433==    by 0x70EF8C: gdev_prn_output_page_aux (gdevprn.c:995)
==1433==    by 0x70F689: gdev_prn_bg_output_page (gdevprn.c:1151)
==1433==    by 0x855D13: ppm_output_page (gdevpbm.c:311)
==1433==    by 0x992D5B: gs_output_page (gsdevice.c:162)
==1433==  Address 0xa8873c9 is 611,209 bytes inside a block of size 4,000,048 alloc'd
==1433==    at 0x4C2BBA0: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==1433==    by 0x9B63CE: gs_realloc (gsmisc.c:512)
==1433==    by 0x9B078B: gs_heap_resize_object (gsmalloc.c:274)
==1433==    by 0x70CA3B: gdev_prn_setup_as_command_list (gdevprn.c:215)
==1433==    by 0x70D8D4: gdev_prn_allocate (gdevprn.c:473)
==1433==    by 0x70DE39: gdev_prn_reallocate_memory (gdevprn.c:568)
==1433==    by 0x71F118: gx_saved_pages_param_process (gxclpage.c:768)
==1433==    by 0x538534: gs_main_init2 (imain.c:344)
==1433==    by 0x53CB14: runarg (imainarg.c:955)
==1433==    by 0x53C874: argproc (imainarg.c:902)
==1433==    by 0x53AA34: gs_main_init_with_args (imainarg.c:239)
==1433==    by 0x462C54: main (gs.c:96)
==1433== 
/27-4___Pg02 0 def %matching 0 

Final backchannel utterance: Test Done.
==1433== Conditional jump or move depends on uninitialised value(s)
==1433==    at 0x72C62D: clist_find_pseudoband (gxclread.c:411)
==1433==    by 0x72C88E: clist_read_color_usage_array (gxclread.c:457)
==1433==    by 0x71E1EA: gx_output_saved_page (gxclpage.c:420)
==1433==    by 0x71ECE1: gx_saved_pages_list_print (gxclpage.c:678)
==1433==    by 0x71F435: gx_saved_pages_param_process (gxclpage.c:830)
==1433==    by 0x53AE5A: swproc (imainarg.c:340)
==1433==    by 0x53A910: gs_main_init_with_args (imainarg.c:223)
==1433==    by 0x462C54: main (gs.c:96)
==1433== 
==1433== 
==1433== HEAP SUMMARY:
==1433==     in use at exit: 1,104 bytes in 2 blocks
==1433==   total heap usage: 14,964 allocs, 14,962 frees, 90,178,929 bytes allocated
==1433== 
==1433== LEAK SUMMARY:
==1433==    definitely lost: 0 bytes in 0 blocks
==1433==    indirectly lost: 0 bytes in 0 blocks
==1433==      possibly lost: 0 bytes in 0 blocks
==1433==    still reachable: 1,104 bytes in 2 blocks
==1433==         suppressed: 0 bytes in 0 blocks
==1433== Rerun with --leak-check=full to see details of leaked memory
==1433== 
==1433== For counts of detected and suppressed errors, rerun with: -v
==1433== Use --track-origins=yes to see where uninitialised values come from
==1433== ERROR SUMMARY: 19 errors from 4 contexts (suppressed: 0 from 0)
Comment 3 Marcos H. Woehrmann 2015-12-29 00:35:31 UTC
Starting with 59c818b145474f6e8a8dc315adaaa308f8e53aac this issue changed from happening with every ps3cet test to only happening occasionally (from ~5000 errors per run to ~150 errors, so 3% of the time).

The error is now dependent on the command line and which files fail varies from commit to commit.  

With commit 34ccb87a69ed6e632468e495a54ecb69bf9f5719 this command fails with an error 255:


  ./bin/gs -o tests.pbm -sDEVICE=pbmraw --saved-pages-test -r72 \
    %rom%Resource/Init/gs_cet.ps - < ./tests_private/ps/ps3cet/12-07B.PS
Comment 4 Marcos H. Woehrmann 2015-12-29 00:41:47 UTC
Valgrind output (I suspect the image_simple_expand and clip_runs_enumerate errors are unrelated to the problem):
==5760== Memcheck, a memory error detector
==5760== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==5760== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==5760== Command: ./head/debugbin/gs -o tests.pbm -sDEVICE=pbmraw --saved-pages-test -r72 %rom%Resource/Init/gs_cet.ps -
==5760==
GPL Ghostscript GIT PRERELEASE 9.19 (2015-09-23)
Copyright (C) 2015 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
*** Warning: CET startup is not in server default
Loading NimbusSanL-Bol font from %rom%Resource/Font/NimbusSanL-Bol... 4164540 2808271 3842568 2518396 1 done.
% _Pg checksums collected from PhotoPRINT SE 5.0v2 version 3017.102 ^M
12-7b Special Test C ^M
Loading NimbusRomNo9L-Reg font from %rom%Resource/Font/NimbusRomNo9L-Reg... 4370780 3044062 4101976 2746908 1 done.
==5760== Syscall param pwrite64(buf) points to uninitialised byte(s)
==5760==    at 0x5D786C3: ??? (syscall-template.S:81)
==5760==    by 0x464330: gp_fpwrite (gp_unifs.c:218)
==5760==    by 0x6A4D3A: clist_fwrite_chars (gxclfile.c:363)
==5760==    by 0x6843A8: cmd_write_band (gxclutil.c:198)
==5760==    by 0x684734: cmd_write_buffer (gxclutil.c:277)
==5760==    by 0x684DDF: cmd_put_range_op (gxclutil.c:401)
==5760==    by 0x694565: cmd_put_halftone (gxclimag.c:1505)
==5760==    by 0x694A31: cmd_put_color_mapping (gxclimag.c:1592)
==5760==    by 0x692F43: clist_image_plane_data (gxclimag.c:1095)
==5760==    by 0x9ECA2C: gx_image_plane_data_rows (gximage.c:183)
==5760==    by 0x8E37CB: gs_image_next_planes (gsimage.c:605)
==5760==    by 0xAD9FC5: image_string_continue (zimage.c:609)
==5760==  Address 0xa4b6da9 is 802,153 bytes inside a block of size 4,000,048 alloc'd
==5760==    at 0x4C2BBA0: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==5760==    by 0x8F1333: gs_realloc (gsmisc.c:512)
==5760==    by 0x8EB6F0: gs_heap_resize_object (gsmalloc.c:274)
==5760==    by 0x654387: gdev_prn_setup_as_command_list (gdevprn.c:243)
==5760==    by 0x65511C: gdev_prn_allocate (gdevprn.c:491)
==5760==    by 0x655681: gdev_prn_reallocate_memory (gdevprn.c:586)
==5760==    by 0x66CF7C: gx_saved_pages_param_process (gxclpage.c:771)
==5760==    by 0xA7BDBC: gs_main_init2 (imain.c:343)
==5760==    by 0xA804BC: runarg (imainarg.c:955)
==5760==    by 0xA8021C: argproc (imainarg.c:902)
==5760==    by 0xA7E3DC: gs_main_init_with_args (imainarg.c:239)
==5760==    by 0x463A04: main (gs.c:96)
==5760==
12-7b Special Test C = 0 Graphic 380 ms ^M
/12-7b__Pg01 0 def %matching 0 ^M
12-7b Special Test D1 ^M
12-7b Special Test D1 = 0 Graphic 260 ms ^M
/12-7b__Pg02 0 def %matching 0 ^M
12-7b Special Test D2 ^M
12-7b Special Test D2 = 0 Graphic 1460 ms ^M
/12-7b__Pg03 0 def %matching 0 ^M
12-7b Special Test D3 ^M
12-7b Special Test D3 = 0 Graphic 240 ms ^M
/12-7b__Pg04 0 def %matching 0 ^M
12-7b Special Test E1 ^M
12-7b Special Test E1 = 0 Graphic 430 ms ^M
/12-7b__Pg05 0 def %matching 0 ^M
12-7b Special Test E2 ^M
12-7b Special Test E2 = 0 Graphic 210 ms ^M
/12-7b__Pg06 0 def %matching 0 ^M
12-7b Special Test F ^M
12-7b Special Test F = 0 Graphic 110 ms ^M
/12-7b__Pg07 0 def %matching 0 ^M
12-7b Special Test G ^M
12-7b Special Test G = 0 Graphic 280 ms ^M
/12-7b__Pg08 0 def %matching 0 ^M
12-7b Special Test H ^M
12-7b Special Test H = 0 Graphic 16850 ms ^M
/12-7b__Pg09 0 def %matching 0 ^M
12-7b Special Test I ^M
12-7b Special Test I = 0 Graphic 2770 ms ^M
/12-7b__Pg10 0 def %matching 0 ^M
12-7b Special Test J ^M
12-7b Special Test J = 0 Graphic 160 ms ^M
/12-7b__Pg11 0 def %matching 0 ^M
12-7b Special Test K ^M
12-7b Special Test K = 0 Graphic 880 ms ^M
/12-7b__Pg12 0 def %matching 0 ^M
12-7b Special Test L1 ^M
==5760== Conditional jump or move depends on uninitialised value(s)
==5760==    at 0x9EB2A0: image_simple_expand (gxifast.c:370)
==5760==    by 0x9EC03F: image_render_simple (gxifast.c:629)
==5760==    by 0x9E9681: gx_image1_plane_data (gxidata.c:211)
==5760==    by 0x9ECA2C: gx_image_plane_data_rows (gximage.c:183)
==5760==    by 0x46F7B6: gx_image3_plane_data (gximage3.c:626)
==5760==    by 0x46F01D: gx_image3_plane_data (gximage3.c:530)
==5760==    by 0x9ECA2C: gx_image_plane_data_rows (gximage.c:183)
==5760==    by 0x8E37CB: gs_image_next_planes (gsimage.c:605)
==5760==    by 0xAD97AE: image_proc_continue (zimage.c:452)
==5760==    by 0xA89E4C: do_call_operator (interp.c:86)
==5760==    by 0xA8C557: interp (interp.c:1185)
==5760==    by 0xA8A70E: gs_call_interp (interp.c:510)
==5760==
==5760== Conditional jump or move depends on uninitialised value(s)
==5760==    at 0x9EB432: image_simple_expand (gxifast.c:391)
==5760==    by 0x9EC03F: image_render_simple (gxifast.c:629)
==5760==    by 0x9E9681: gx_image1_plane_data (gxidata.c:211)
==5760==    by 0x9ECA2C: gx_image_plane_data_rows (gximage.c:183)
==5760==    by 0x46F7B6: gx_image3_plane_data (gximage3.c:626)
==5760==    by 0x46F01D: gx_image3_plane_data (gximage3.c:530)
==5760==    by 0x9ECA2C: gx_image_plane_data_rows (gximage.c:183)
==5760==    by 0x8E37CB: gs_image_next_planes (gsimage.c:605)
==5760==    by 0xAD97AE: image_proc_continue (zimage.c:452)
==5760==    by 0xA89E4C: do_call_operator (interp.c:86)
==5760==    by 0xA8C557: interp (interp.c:1185)
==5760==    by 0xA8A70E: gs_call_interp (interp.c:510)
==5760==
==5760== Conditional jump or move depends on uninitialised value(s)
==5760==    at 0x46CCAF: clip_runs_enumerate (gxclipm.c:312)
==5760==    by 0x46D2C3: mask_clip_strip_tile_rectangle (gxclipm.c:431)
==5760==    by 0x9E2C40: gx_dc_ht_binary_fill_rectangle (gxht.c:291)
==5760==    by 0x9F1657: image_render_mono (gximono.c:776)
==5760==    by 0x9E9681: gx_image1_plane_data (gxidata.c:211)
==5760==    by 0x9ECA2C: gx_image_plane_data_rows (gximage.c:183)
==5760==    by 0x46F853: gx_image3_plane_data (gximage3.c:641)
==5760==    by 0x46F01D: gx_image3_plane_data (gximage3.c:530)
==5760==    by 0x9ECA2C: gx_image_plane_data_rows (gximage.c:183)
==5760==    by 0x8E37CB: gs_image_next_planes (gsimage.c:605)
==5760==    by 0xAD97AE: image_proc_continue (zimage.c:452)
==5760==    by 0xA89E4C: do_call_operator (interp.c:86)
==5760==
==5760== Conditional jump or move depends on uninitialised value(s)
==5760==    at 0x9EB5EF: image_simple_expand (gxifast.c:422)
==5760==    by 0x9EC03F: image_render_simple (gxifast.c:629)
==5760==    by 0x9E9681: gx_image1_plane_data (gxidata.c:211)
==5760==    by 0x9ECA2C: gx_image_plane_data_rows (gximage.c:183)
==5760==    by 0x46F7B6: gx_image3_plane_data (gximage3.c:626)
==5760==    by 0x46F01D: gx_image3_plane_data (gximage3.c:530)
==5760==    by 0x9ECA2C: gx_image_plane_data_rows (gximage.c:183)
==5760==    by 0x8E37CB: gs_image_next_planes (gsimage.c:605)
==5760==    by 0xAD97AE: image_proc_continue (zimage.c:452)
==5760==    by 0xA89E4C: do_call_operator (interp.c:86)
==5760==    by 0xA8C557: interp (interp.c:1185)
==5760==    by 0xA8A70E: gs_call_interp (interp.c:510)
==5760==
==5760== Conditional jump or move depends on uninitialised value(s)
==5760==    at 0x9EB5F8: image_simple_expand (gxifast.c:426)
==5760==    by 0x9EC03F: image_render_simple (gxifast.c:629)
==5760==    by 0x9E9681: gx_image1_plane_data (gxidata.c:211)
==5760==    by 0x9ECA2C: gx_image_plane_data_rows (gximage.c:183)
==5760==    by 0x46F7B6: gx_image3_plane_data (gximage3.c:626)
==5760==    by 0x46F01D: gx_image3_plane_data (gximage3.c:530)
==5760==    by 0x9ECA2C: gx_image_plane_data_rows (gximage.c:183)
==5760==    by 0x8E37CB: gs_image_next_planes (gsimage.c:605)
==5760==    by 0xAD97AE: image_proc_continue (zimage.c:452)
==5760==    by 0xA89E4C: do_call_operator (interp.c:86)
==5760==    by 0xA8C557: interp (interp.c:1185)
==5760==    by 0xA8A70E: gs_call_interp (interp.c:510)
==5760==
==5760== Conditional jump or move depends on uninitialised value(s)
==5760==    at 0x46CD66: clip_runs_enumerate (gxclipm.c:330)
==5760==    by 0x46D2C3: mask_clip_strip_tile_rectangle (gxclipm.c:431)
==5760==    by 0x9E2C40: gx_dc_ht_binary_fill_rectangle (gxht.c:291)
==5760==    by 0x9F1657: image_render_mono (gximono.c:776)
==5760==    by 0x9E9681: gx_image1_plane_data (gxidata.c:211)
==5760==    by 0x9ECA2C: gx_image_plane_data_rows (gximage.c:183)
==5760==    by 0x46F853: gx_image3_plane_data (gximage3.c:641)
==5760==    by 0x46F01D: gx_image3_plane_data (gximage3.c:530)
==5760==    by 0x9ECA2C: gx_image_plane_data_rows (gximage.c:183)
==5760==    by 0x8E37CB: gs_image_next_planes (gsimage.c:605)
==5760==    by 0xAD97AE: image_proc_continue (zimage.c:452)
==5760==    by 0xA89E4C: do_call_operator (interp.c:86)
==5760==
==5760== Use of uninitialised value of size 8
==5760==    at 0x46CD84: clip_runs_enumerate (gxclipm.c:335)
==5760==    by 0x46D2C3: mask_clip_strip_tile_rectangle (gxclipm.c:431)
==5760==    by 0x9E2C40: gx_dc_ht_binary_fill_rectangle (gxht.c:291)
==5760==    by 0x9F1657: image_render_mono (gximono.c:776)
==5760==    by 0x9E9681: gx_image1_plane_data (gxidata.c:211)
==5760==    by 0x9ECA2C: gx_image_plane_data_rows (gximage.c:183)
==5760==    by 0x46F853: gx_image3_plane_data (gximage3.c:641)
==5760==    by 0x46F01D: gx_image3_plane_data (gximage3.c:530)
==5760==    by 0x9ECA2C: gx_image_plane_data_rows (gximage.c:183)
==5760==    by 0x8E37CB: gs_image_next_planes (gsimage.c:605)
==5760==    by 0xAD97AE: image_proc_continue (zimage.c:452)
==5760==    by 0xA89E4C: do_call_operator (interp.c:86)
==5760==
==5760== Use of uninitialised value of size 8
==5760==    at 0x46CCCC: clip_runs_enumerate (gxclipm.c:316)
==5760==    by 0x46D2C3: mask_clip_strip_tile_rectangle (gxclipm.c:431)
==5760==    by 0x9E2C40: gx_dc_ht_binary_fill_rectangle (gxht.c:291)
==5760==    by 0x9F1657: image_render_mono (gximono.c:776)
==5760==    by 0x9E9681: gx_image1_plane_data (gxidata.c:211)
==5760==    by 0x9ECA2C: gx_image_plane_data_rows (gximage.c:183)
==5760==    by 0x46F853: gx_image3_plane_data (gximage3.c:641)
==5760==    by 0x46F01D: gx_image3_plane_data (gximage3.c:530)
==5760==    by 0x9ECA2C: gx_image_plane_data_rows (gximage.c:183)
==5760==    by 0x8E37CB: gs_image_next_planes (gsimage.c:605)
==5760==    by 0xAD97AE: image_proc_continue (zimage.c:452)
==5760==    by 0xA89E4C: do_call_operator (interp.c:86)
==5760==
==5760== Conditional jump or move depends on uninitialised value(s)
==5760==    at 0x46CCAF: clip_runs_enumerate (gxclipm.c:312)
==5760==    by 0x46D2C3: mask_clip_strip_tile_rectangle (gxclipm.c:431)
==5760==    by 0x9E2C40: gx_dc_ht_binary_fill_rectangle (gxht.c:291)
==5760==    by 0x4AE4F5: image_render_color_icc (gxicolor.c:1035)
==5760==    by 0x9E9681: gx_image1_plane_data (gxidata.c:211)
==5760==    by 0x9ECA2C: gx_image_plane_data_rows (gximage.c:183)
==5760==    by 0x46F853: gx_image3_plane_data (gximage3.c:641)
==5760==    by 0x46F01D: gx_image3_plane_data (gximage3.c:530)
==5760==    by 0x9ECA2C: gx_image_plane_data_rows (gximage.c:183)
==5760==    by 0x8E37CB: gs_image_next_planes (gsimage.c:605)
==5760==    by 0xAD97AE: image_proc_continue (zimage.c:452)
==5760==    by 0xA89E4C: do_call_operator (interp.c:86)
==5760==
==5760== Use of uninitialised value of size 8
==5760==    at 0x46CCCC: clip_runs_enumerate (gxclipm.c:316)
==5760==    by 0x46D2C3: mask_clip_strip_tile_rectangle (gxclipm.c:431)
==5760==    by 0x9E2C40: gx_dc_ht_binary_fill_rectangle (gxht.c:291)
==5760==    by 0x4AE4F5: image_render_color_icc (gxicolor.c:1035)
==5760==    by 0x9E9681: gx_image1_plane_data (gxidata.c:211)
==5760==    by 0x9ECA2C: gx_image_plane_data_rows (gximage.c:183)
==5760==    by 0x46F853: gx_image3_plane_data (gximage3.c:641)
==5760==    by 0x46F01D: gx_image3_plane_data (gximage3.c:530)
==5760==    by 0x9ECA2C: gx_image_plane_data_rows (gximage.c:183)
==5760==    by 0x8E37CB: gs_image_next_planes (gsimage.c:605)
==5760==    by 0xAD97AE: image_proc_continue (zimage.c:452)
==5760==    by 0xA89E4C: do_call_operator (interp.c:86)
==5760==
==5760== Conditional jump or move depends on uninitialised value(s)
==5760==    at 0x46CD66: clip_runs_enumerate (gxclipm.c:330)
==5760==    by 0x46D2C3: mask_clip_strip_tile_rectangle (gxclipm.c:431)
==5760==    by 0x9E2C40: gx_dc_ht_binary_fill_rectangle (gxht.c:291)
==5760==    by 0x4AE4F5: image_render_color_icc (gxicolor.c:1035)
==5760==    by 0x9E9681: gx_image1_plane_data (gxidata.c:211)
==5760==    by 0x9ECA2C: gx_image_plane_data_rows (gximage.c:183)
==5760==    by 0x46F853: gx_image3_plane_data (gximage3.c:641)
==5760==    by 0x9ECA2C: gx_image_plane_data_rows (gximage.c:183)
==5760==    by 0x8E37CB: gs_image_next_planes (gsimage.c:605)
==5760==    by 0xAD97AE: image_proc_continue (zimage.c:452)
==5760==    by 0xA89E4C: do_call_operator (interp.c:86)
==5760==    by 0xA8C557: interp (interp.c:1185)
==5760==
==5760== Use of uninitialised value of size 8
==5760==    at 0x46CD84: clip_runs_enumerate (gxclipm.c:335)
==5760==    by 0x46D2C3: mask_clip_strip_tile_rectangle (gxclipm.c:431)
==5760==    by 0x9E2C40: gx_dc_ht_binary_fill_rectangle (gxht.c:291)
==5760==    by 0x4AE4F5: image_render_color_icc (gxicolor.c:1035)
==5760==    by 0x9E9681: gx_image1_plane_data (gxidata.c:211)
==5760==    by 0x9ECA2C: gx_image_plane_data_rows (gximage.c:183)
==5760==    by 0x46F853: gx_image3_plane_data (gximage3.c:641)
==5760==    by 0x9ECA2C: gx_image_plane_data_rows (gximage.c:183)
==5760==    by 0x8E37CB: gs_image_next_planes (gsimage.c:605)
==5760==    by 0xAD97AE: image_proc_continue (zimage.c:452)
==5760==    by 0xA89E4C: do_call_operator (interp.c:86)
==5760==    by 0xA8C557: interp (interp.c:1185)
==5760==
12-7b Special Test L1 = 0 Graphic 310 ms ^M
/12-7b__Pg13 0 def %matching 0 ^M
12-7b Special Test L2 ^M
12-7b Special Test L2 = 0 Graphic 250 ms ^M
/12-7b__Pg14 0 def %matching 0 ^M
12-7b Special Test L3 ^M
12-7b Special Test L3 = 0 Graphic 240 ms ^M
/12-7b__Pg15 0 def %matching 0 ^M
^M
Final backchannel utterance: Test Done.^M
==5760== Conditional jump or move depends on uninitialised value(s)
==5760==    at 0x67A4AD: clist_find_pseudoband (gxclread.c:411)
==5760==    by 0x67A70E: clist_read_color_usage_array (gxclread.c:457)
==5760==    by 0x66C033: gx_output_saved_page (gxclpage.c:420)
==5760==    by 0x66CB2A: gx_saved_pages_list_print (gxclpage.c:678)
==5760==    by 0x66D299: gx_saved_pages_param_process (gxclpage.c:833)
==5760==    by 0xA7E802: swproc (imainarg.c:340)
==5760==    by 0xA7E2B8: gs_main_init_with_args (imainarg.c:223)
==5760==    by 0x463A04: main (gs.c:96)
==5760==
==5760==
==5760== HEAP SUMMARY:
==5760==     in use at exit: 1,104 bytes in 2 blocks
==5760==   total heap usage: 7,521 allocs, 7,519 frees, 113,355,654 bytes allocated
==5760==
==5760== LEAK SUMMARY:
==5760==    definitely lost: 0 bytes in 0 blocks
==5760==    indirectly lost: 0 bytes in 0 blocks
==5760==      possibly lost: 0 bytes in 0 blocks
==5760==    still reachable: 1,104 bytes in 2 blocks
==5760==         suppressed: 0 bytes in 0 blocks
==5760== Rerun with --leak-check=full to see details of leaked memory
==5760==
==5760== For counts of detected and suppressed errors, rerun with: -v
==5760== Use --track-origins=yes to see where uninitialised values come from
==5760== ERROR SUMMARY: 1871 errors from 14 contexts (suppressed: 0 from 0)
Comment 5 Robin Watts 2015-12-29 02:49:20 UTC
I find that this goes wrong on peeves in a repeatable fashion.

With HEAD = 834afc2, make debug. Then:

valgrind --track-origins=yes debugbin/gs -I./lib -sOutputFile=ass -dMaxBitmap=400000000 -sDEVICE=pbmraw --saved-pages-test -r72 -Z: -sDEFAULTPAPERSIZE=letter -dNOPAUSE -K1000000 -dJOBSERVER %rom%Resource/Init/gs_cet.ps - < /home/marcos/cluster/tests_private/ps/ps3cet/23-12W.PS

The problem occurs when clist_fread_chars is called with a len=16.

We enter the if (gp_can_share_fdesc()) clause, then the if (CL_CACHE_NEEDS_INIT(icf->cache)) clause.

cl_cache_read_init is then called with an icf->filesize of 64.

We then enter the if (icf->cache != NULL) clause. The first call to n = cl_cache_read()  (len=16, nread = 0) returns n = 0.

We therefore enter the if (n == 0) clause, where: block_pos = 0, block_size = 32768, fill_len = 0, len = 16, nread = 0.

cl_cache_load_slot is then called (with no data, as fill_len == 0). Accordingly, nothing is written to slot->base.

nread and dp have 0 added to them, and we loop because nread < len (0 < 16).

Next time around the loop, cl_cache_read returns n = 16, and we exit the loop.

The net effect of this is that clist_find_pseudoband is left with cb not being initialised. In particular cb.band_min and cb.band_max have no defined values.
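
The sequence described in Comment 5, as an added example that is neither Ghostscript code nor part of the bug report: a simplified one-slot cache model in which a zero-length slot load is followed by a "successful" 16-byte read of bytes that were never filled. The names `model_cache`, `cache_read`, `cache_load_slot`, `model_fread`, `run_model`, the `POISON` fill and the `hardened` switch are assumptions made for illustration; the hardened path (serve only bytes actually loaded and return a short count) is one defensive pattern, not the change made in the commit that closed this bug.

```c
#include <stdio.h>
#include <string.h>

#define BLOCK_SIZE 32768  /* block_size quoted in Comment 5 */
#define POISON     0xAA   /* constructed stand-in for uninitialised heap */

/* Hypothetical one-slot cache over block 0 only; not Ghostscript's structures. */
typedef struct {
    unsigned char base[BLOCK_SIZE];
    int    have_block;  /* slot has been "loaded" */
    size_t loaded;      /* bytes actually copied into base */
    size_t filesize;    /* size the cache was initialised with */
    int    hardened;    /* 0: serve up to filesize, 1: serve up to loaded */
} model_cache;

/* Copy up to len bytes at offset pos from the slot; 0 means a cache miss. */
static size_t cache_read(const model_cache *c, unsigned char *dst, size_t len, size_t pos)
{
    size_t limit = c->hardened ? c->loaded : c->filesize;
    if (!c->have_block || pos >= limit)
        return 0;
    if (len > limit - pos)
        len = limit - pos;
    memcpy(dst, c->base + pos, len);
    return len;
}

/* Marks the slot valid even when fill_len == 0, as the comment describes. */
static void cache_load_slot(model_cache *c, const unsigned char *data, size_t fill_len)
{
    if (fill_len > 0)
        memcpy(c->base, data, fill_len);
    c->have_block = 1;
    c->loaded = fill_len;
}

/* Read loop; the backing file can supply only `avail` bytes. */
static size_t model_fread(model_cache *c, unsigned char *dst, size_t len,
                          const unsigned char *file, size_t avail)
{
    size_t nread = 0;
    while (nread < len) {
        size_t n = cache_read(c, dst + nread, len - nread, nread);
        nread += n;
        if (n > 0)
            continue;
        if (c->have_block || (c->hardened && avail == 0))
            break;                      /* short read: let the caller see it */
        cache_load_slot(c, file, avail); /* then loop again, as in the comment */
    }
    return nread;
}

/* Reads a 16-byte record; *poisoned counts bytes that never came from the file. */
size_t run_model(int hardened, size_t avail, size_t *poisoned)
{
    static model_cache c;
    static const unsigned char file[64] = "constructed sample clist bytes";
    unsigned char cb[16] = {0};
    size_t i, got;
    if (avail > sizeof file) avail = sizeof file;
    memset(&c, 0, sizeof c);
    memset(c.base, POISON, sizeof c.base);
    c.filesize = sizeof file;
    c.hardened = hardened;
    got = model_fread(&c, cb, sizeof cb, file, avail);
    for (*poisoned = 0, i = 0; i < got; i++)
        *poisoned += (cb[i] == POISON);
    return got;
}

int main(void)
{
    size_t bad, got = run_model(0, 0, &bad);
    printf("unchecked: %zu read, %zu never filled\n", got, bad);
    got = run_model(1, 0, &bad);
    printf("hardened:  %zu read, %zu never filled\n", got, bad);
    return 0;
}
```

With the unchecked path the caller is told 16 bytes arrived and has no way to notice that its record (the `cb` of the comment) was never populated; with the hardened path the short count is the signal to fail the read.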
Comment 6 Robin Watts 2017-02-27 10:17:09 UTC
Bisection shows that this stopped going wrong on commit:

robin@peeves:~/sauce/ghostpdl.git$ git log -1
commit 27ab71451562b815d04e71903c1feb223069c0a2
Author: Robin Watts <Robin.Watts@artifex.com>
Date:   Thu Dec 31 02:40:39 2015 -0800

    Bug 697822: clist fix

    When saving/restoring the clist state around the saved pages
    processing, ensure that the file handling is correct. Leaving
    the old filenames in play in particular is a bad thing, as the
    shared fdesc stuff gets confused by this.

    This commit reworks that so that clist files aren't closed/reopened
    as much.

I can't see why this would have affected it, but the weekly tests (of --saved-pages-test) now NEVER show an exit code of 255. I suspect that 255 may mean -1, and the ps3cet tests (from the same weekly jobs) NEVER show an exit code of -1.

I am therefore closing the bug.