Hello! I found this strange bug, which only occurs with a certain EPS. On executing this command:

gs -q -dNOPAUSE -dBATCH -sDEVICE=pdfwrite -dPDFSETTINGS=/prepress -dEPSCrop -dProcessColorModel=/DeviceCMYK -dCompatibilityLevel=1.3 -sOutputFile=test.pdf /srv/www/htdocs/testbbb/test.eps

This error occurs:

Error: /undefined in Start
Operand stack:

Execution stack:
   %interp_exit .runexec2 --nostringval-- --nostringval-- --nostringval-- 2 %stopped_push --nostringval-- --nostringval-- --nostringval-- false 1 %stopped_push 1 3 %oparray_pop 1 3 %oparray_pop --nostringval-- 1 3 %oparray_pop 1 3 %oparray_pop .runexec2 --nostringval-- --nostringval-- --nostringval-- 2 %stopped_push --nostringval-- --nostringval--
Dictionary stack:
   --dict:1124/1686(ro)(G)-- --dict:0/20(G)-- --dict:82/200(L)-- --dict:38/60(L)-- --dict:181/205(L)-- --dict:40/60(L)-- --dict:43/65(L)-- --dict:159/190(L)-- --dict:11/17(L)--
Current allocation mode is local
Last OS error: 2
Current file position is 283675
AFPL Ghostscript 8.54: Unrecoverable error, exit code 1
Segmentation fault

It seems that the length of the source path affects the outcome as well. If it is shorter than the one with testbbb, it works. There is obviously some problem with the boundary checking of some variables. Get the file at: http://app.toolpark.com/testbbb/test.eps

Thanks for any help.
Lars
Created attachment 2427 [details] test file
I've tried duplicating this problem using Ghostscript 8.54 under Windows XP Home SP2 but can't find any problem. I used the directory name given in the report, "C:\srv\www\htdocs\testbbb", and also tried longer directory names.
Hello! Thanks for taking the time to reply! ;) I guess it might depend on the compiler used... because it affects the layout of the memory usage... My platform is not Windows but Linux running Suse.

Linux 2.6.5-7.257-smp #1 SMP Mon May 15 14:14:14 UTC 2006 x86_64 x86_64 x86_64 GNU/Linux
AFPL Ghostscript 8.54 (2006-05-17)

If you need any further info... just tell me.
Lars
Sorry for the confusion, the Platform/OS indication in the bug report was PC with Windows XP; I'll change it to Linux and see what I can find.
There was a crash that depended on the length of the path name - bug 688574 but it is fixed in gs 8.54. Since this crash can be caused by compiler errors, please provide some information about your compiler and compiler options, including the options taken from the environment variables.
don't have a problem with 8.15.2 as shipped by fc5 or 8.54 mine patched on Linux 2.6.17-1.2174_FC5 x86_64 GNU/Linux using "/home/hin-tak/private-dev/app.toolpark.com/testbbb/test.eps" as path, with the options in the initial report.
I did not compile it myself... how can I check the parameters?...
I don't know any way to get compiler options from the executable created by GCC. Perhaps, in the future, Ghostscript build process can save the options in a static string. Regarding the problem, you can try to build Ghostscript from sources. If the problem clears you can blame the vendor. Otherwise, we will get a known build, which can be debugged.
I do not know if this is a reliable way nor why it does what it does, but gcc 3.x seems to write its version into some section of the elf binary and it can be grep'ed as, on mine:

$ strings /usr/bin/gs |grep 'GCC' |sort |uniq
GCC: (GNU) 3.3.6

gcc 4.x compiled binaries do not show this behavior, and I have no idea about 2.9x - however, it is highly unlikely that some Suse box running a fairly recent 2.6.5-x has gcc 2.9x though (the bug noted in comment 5). It is most likely gcc 3.x or 4.x. I would also suggest using the as-Suse-shipped gs.
Actually we fixed it by opening that particular file in Photoshop and saving it anew. This time it worked! And a binary comparison shows lots of differences... (as was to be expected...) Perhaps it's possible to extract some info as to what caused the error. We only had the problem with the posted image... so it probably had an error or something. But I guess gs shouldn't quit with a segmentation fault either... no? Thanks for having a look at it!
Created attachment 2432 [details] this works This file works. It's the same file, opened and saved anew in photoshop.
I'm glad that you have found how to work around the problem but the bug in Ghostscript remains unfixed and may re-surface again. Please try to get the GCC version as suggested by Hin-Tak, comment #9, or re-compile Ghostscript locally. If, for some reason, recompiling Ghostscript is difficult for you, we can help. You can create a user account on a computer where this problem can be reproduced and offer ssh access to one of the Ghostscript developers. My public ssh key can be downloaded from http://www.ghostscript.com/~alexcher/alexcher.pub
Created attachment 2433 [details] Makefile This is the makefile used to compile the faulty version...any good?
My Compiler:

/configure --enable-threads=posix --prefix=/usr --with-local-prefix=/usr/local --infodir=/usr/share/info --mandir=/usr/share/man --enable-languages=c,c++,f77,objc,java,ada --disable-checking --libdir=/usr/lib64 --enable-libgcj --with-gxx-include-dir=/usr/include/g++ --with-slibdir=/lib64 --with-system-zlib --enable-shared --enable-__cxa_atexit x86_64-suse-linux
Thread model: posix
gcc version 3.3.3 (SuSE Linux)
Reproduced the bug with stock 8.54 on fc5, x86_64, gcc 4.x, building for 64-bit (32-bit does not have this problem, nor 64-bit ESP 8.15.2), and also on 64-bit gs 8.54 patched for (gs688720 gs688721, gs688724, gs688725, gs688532, gs688736, gs688741, gs688764). However, 64-bit trunk (rev 7009) does not seem to be affected. So it looks as if the bug may have already been fixed. FWIW, the segmentation fault happens in the garbage collector:

===============
igc_reloc_struct_ptr (obj=0xe970e8, gcst=0x7fff9e3d2500) at ./src/igc.c:1280
1280                (pfree->o_back << obj_back_shift));
(gdb) bt
#0  igc_reloc_struct_ptr (obj=0xe970e8, gcst=0x7fff9e3d2500) at ./src/igc.c:1280
#1  0x0000000000602d8c in basic_reloc_ptrs (vptr=0xe96120, size=Variable "size" is not available.
) at ./src/gsmemory.c:346
#2  0x0000000000494697 in gc_do_reloc (cp=0xe970e8, mem=0x7fff9e3d2500, pstate=0x7fff9e3d2500) at ./src/igc.c:1222
#3  0x0000000000495b95 in gs_gc_reclaim (pspaces=Variable "pspaces" is not available.
) at ./src/igc.c:441
#4  0x000000000050a3d4 in context_reclaim (pspaces=0x909210, global=1) at ./src/zcontext.c:283
#5  0x0000000000473532 in ireclaim (dmem=0x909208, space=8) at ./src/ireclaim.c:153
#6  0x000000000046f74f in interp_reclaim (pi_ctx_p=0x8d66b8, space=8) at ./src/interp.c:416
#7  0x000000000046786a in gs_main_finit (minst=0x8d64a0, exit_status=1, code=-100) at ./src/imain.c:840
#8  0x0000000000404644 in main (argc=11, argv=0x7fff9e3d2988) at ./src/gs.c:117
#9  0x000000324841ce54 in __libc_start_main () from /lib64/libc.so.6
#10 0x0000000000404509 in _start ()
#11 0x00007fff9e3d2978 in ?? ()
#12 0x0000000000000000 in ?? ()
================

But this is probably bogus as a side effect of the earlier "Error: /undefined in Start". At this point there are 3 alternatives:
(1) build 8.54 for 32-bit (adding -m32 to CFLAGS and LDFLAGS)
(2) wait for the next version, 8.55.
(3) look through what changes between 8.54 and rev 7009 fixes the problem, and back-port the change.
I think as far as the initial reporter is concerned, (1) and (2) is the way forward. (3) is really for the developers among us to look at.
Appears to be a compiler issue for which there is a work around. I'm closing this as per our support meeting discussion.
It isn't really a compiler issue - rather it appears to be a 64-bit versus 32-bit issue.
My hard-working Multia has solved the mystery. This is a duplicate of the bug 688721 fixed long ago in revision 6818. *** This bug has been marked as a duplicate of 688721 ***
Just correcting comment 15: 64-bit gs 8.54 patched for (gs688720 gs688721, gs688724, gs688725, gs688532, gs688736, gs688741, gs688764) does not segfault.
Please disregard my comment #18. It belongs to a different bug. The comment #19 is also incorrect - I've reproduced the bug in the given configuration. I've also reproduced the bug in the svn versions 6788, 6800, 6850, 6900, 6950, 5960 with the following command line

alexcher@amd64-linux1:~/gs-linux-x86_64$ bin/gs -dBATCH -sDEVICE=pdfwrite -dPDFSETTINGS=/prepress -dEPSCrop -dProcessColorModel=/DeviceCMYK -dCompatibilityLevel=1.3 -sOutputFile=test.pdf -daaaaaaaaaaaaaaaaa ../test.eps

As it was reported earlier, the bug depends on the length of the command line and becomes increasingly difficult to reproduce in more advanced revisions, but I have not found yet a revision that clearly fixes the problem, if any. The file doesn't fail on 32-bit x86 platform but Valgrind reports rather nasty errors in the current revision - 7021. The bug is reopened.

==21439== Memcheck, a memory error detector for x86-linux.
==21439== Copyright (C) 2002-2005, and GNU GPL'd, by Julian Seward et al.
==21439== Using valgrind-2.4.0, a program supervision framework for x86-linux.
==21439== Copyright (C) 2000-2005, and GNU GPL'd, by Julian Seward et al.
==21439== For more details, rerun with: -v
==21439==
AFPL Ghostscript SVN PRE-RELEASE 8.55 (2006-05-20)
Copyright (C) 2006 artofcode LLC, Benicia, CA. All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
==21439== Conditional jump or move depends on uninitialised value(s)
==21439==    at 0x80C5430: count_to_stopped (./src/zcontrol.c:1013)
==21439==    by 0x80C4858: zstop (./src/zcontrol.c:595)
==21439==    by 0x80B644F: call_operator (./src/interp.c:104)
==21439==    by 0x80B7DF7: interp (./src/interp.c:1146)
==21439==    by 0x80B68C3: gs_call_interp (./src/interp.c:488)
==21439==    by 0x80B67B5: gs_interpret (./src/interp.c:446)
==21439==    by 0x80AE5AC: gs_main_interpret (./src/imain.c:214)
==21439==    by 0x80AEBC6: gs_run_init_file (./src/imain.c:462)
==21439==    by 0x80AE65C: gs_main_init2 (./src/imain.c:249)
==21439==    by 0x80B0F71: runarg (./src/imainarg.c:779)
==21439==    by 0x80B0DE5: argproc (./src/imainarg.c:728)
==21439==    by 0x80AFC3D: gs_main_init_with_args (./src/imainarg.c:211)
==21439==
==21439== Conditional jump or move depends on uninitialised value(s)
==21439==    at 0x80C5430: count_to_stopped (./src/zcontrol.c:1013)
==21439==    by 0x80C4D37: zinstopped (./src/zcontrol.c:698)
==21439==    by 0x80B644F: call_operator (./src/interp.c:104)
==21439==    by 0x80B8A5B: interp (./src/interp.c:1518)
==21439==    by 0x80B68C3: gs_call_interp (./src/interp.c:488)
==21439==    by 0x80B67B5: gs_interpret (./src/interp.c:446)
==21439==    by 0x80AE5AC: gs_main_interpret (./src/imain.c:214)
==21439==    by 0x80AEBC6: gs_run_init_file (./src/imain.c:462)
==21439==    by 0x80AE65C: gs_main_init2 (./src/imain.c:249)
==21439==    by 0x80B0F71: runarg (./src/imainarg.c:779)
==21439==    by 0x80B0DE5: argproc (./src/imainarg.c:728)
==21439==    by 0x80AFC3D: gs_main_init_with_args (./src/imainarg.c:211)
==21439==
==21439== Conditional jump or move depends on uninitialised value(s)
==21439==    at 0x80C5430: count_to_stopped (./src/zcontrol.c:1013)
==21439==    by 0x80C4858: zstop (./src/zcontrol.c:595)
==21439==    by 0x80B644F: call_operator (./src/interp.c:104)
==21439==    by 0x80B8A5B: interp (./src/interp.c:1518)
==21439==    by 0x80B68C3: gs_call_interp (./src/interp.c:488)
==21439==    by 0x80B67B5: gs_interpret (./src/interp.c:446)
==21439==    by 0x80AE5AC: gs_main_interpret (./src/imain.c:214)
==21439==    by 0x80AEBC6: gs_run_init_file (./src/imain.c:462)
==21439==    by 0x80AE65C: gs_main_init2 (./src/imain.c:249)
==21439==    by 0x80B0F71: runarg (./src/imainarg.c:779)
==21439==    by 0x80B0DE5: argproc (./src/imainarg.c:728)
==21439==    by 0x80AFC3D: gs_main_init_with_args (./src/imainarg.c:211)
==21439==
==21439== Invalid write of size 4
==21439==    at 0x80DE7EC: gcst_get_memory_ptr (./src/igc.c:1365)
==21439==    by 0x80E04BD: ialloc_validate_chunk (./src/ilocate.c:330)
==21439==    by 0x80E01C7: ialloc_validate_memory (./src/ilocate.c:248)
==21439==    by 0x80DC283: gc_validate_spaces (./src/igc.c:146)
==21439==    by 0x80DC427: gs_gc_reclaim (./src/igc.c:247)
==21439==    by 0x80BB216: gs_vmreclaim (./src/ireclaim.c:153)
==21439==    by 0x80BB091: ireclaim (./src/ireclaim.c:75)
==21439==    by 0x80B6758: interp_reclaim (./src/interp.c:419)
==21439==    by 0x80B69D0: gs_call_interp (./src/interp.c:517)
==21439==    by 0x80B67B5: gs_interpret (./src/interp.c:446)
==21439==    by 0x80AE5AC: gs_main_interpret (./src/imain.c:214)
==21439==    by 0x80AEBC6: gs_run_init_file (./src/imain.c:462)
==21439==  Address 0x52BFD660 is just below %esp. Possibly a bug in GCC/G++
==21439==   v 2.96 or 3.0.X. To suppress, use: --workaround-gcc296-bugs=yes
==21439==
==21439== Invalid read of size 4
==21439==    at 0x80DE7EE: gcst_get_memory_ptr (./src/igc.c:1366)
==21439==    by 0x80E04BD: ialloc_validate_chunk (./src/ilocate.c:330)
==21439==    by 0x80E01C7: ialloc_validate_memory (./src/ilocate.c:248)
==21439==    by 0x80DC283: gc_validate_spaces (./src/igc.c:146)
==21439==    by 0x80DC427: gs_gc_reclaim (./src/igc.c:247)
==21439==    by 0x80BB216: gs_vmreclaim (./src/ireclaim.c:153)
==21439==    by 0x80BB091: ireclaim (./src/ireclaim.c:75)
==21439==    by 0x80B6758: interp_reclaim (./src/interp.c:419)
==21439==    by 0x80B69D0: gs_call_interp (./src/interp.c:517)
==21439==    by 0x80B67B5: gs_interpret (./src/interp.c:446)
==21439==    by 0x80AE5AC: gs_main_interpret (./src/imain.c:214)
==21439==    by 0x80AEBC6: gs_run_init_file (./src/imain.c:462)
==21439==  Address 0x52BFD668 is just below %esp. Possibly a bug in GCC/G++
==21439==   v 2.96 or 3.0.X. To suppress, use: --workaround-gcc296-bugs=yes
==21439==
==21439== Conditional jump or move depends on uninitialised value(s)
==21439==    at 0x80C0E60: stream_enum_ptrs (./src/stream.c:35)
==21439==    by 0x80E04C2: ialloc_validate_chunk (./src/ilocate.c:330)
==21439==    by 0x80E01C7: ialloc_validate_memory (./src/ilocate.c:248)
==21439==    by 0x80DC283: gc_validate_spaces (./src/igc.c:146)
==21439==    by 0x80DC427: gs_gc_reclaim (./src/igc.c:247)
==21439==    by 0x80BB216: gs_vmreclaim (./src/ireclaim.c:153)
==21439==    by 0x80BB091: ireclaim (./src/ireclaim.c:75)
==21439==    by 0x80B6758: interp_reclaim (./src/interp.c:419)
==21439==    by 0x80B69D0: gs_call_interp (./src/interp.c:517)
==21439==    by 0x80B67B5: gs_interpret (./src/interp.c:446)
==21439==    by 0x80AE5AC: gs_main_interpret (./src/imain.c:214)
==21439==    by 0x80AEBC6: gs_run_init_file (./src/imain.c:462)
==21439==
==21439== Invalid write of size 4
==21439==    at 0x80DE7EC: gcst_get_memory_ptr (./src/igc.c:1365)
==21439==    by 0x80DD999: gc_trace (./src/igc.c:839)
==21439==    by 0x80DC774: gs_gc_reclaim (./src/igc.c:326)
==21439==    by 0x80BB216: gs_vmreclaim (./src/ireclaim.c:153)
==21439==    by 0x80BB091: ireclaim (./src/ireclaim.c:75)
==21439==    by 0x80B6758: interp_reclaim (./src/interp.c:419)
==21439==    by 0x80B69D0: gs_call_interp (./src/interp.c:517)
==21439==    by 0x80B67B5: gs_interpret (./src/interp.c:446)
==21439==    by 0x80AE5AC: gs_main_interpret (./src/imain.c:214)
==21439==    by 0x80AEBC6: gs_run_init_file (./src/imain.c:462)
==21439==    by 0x80AE65C: gs_main_init2 (./src/imain.c:249)
==21439==    by 0x80B0F71: runarg (./src/imainarg.c:779)
==21439==  Address 0x52BFD6B0 is just below %esp. Possibly a bug in GCC/G++
==21439==   v 2.96 or 3.0.X. To suppress, use: --workaround-gcc296-bugs=yes
==21439==
==21439== Invalid read of size 4
==21439==    at 0x80DE7EE: gcst_get_memory_ptr (./src/igc.c:1366)
==21439==    by 0x80DD999: gc_trace (./src/igc.c:839)
==21439==    by 0x80DC774: gs_gc_reclaim (./src/igc.c:326)
==21439==    by 0x80BB216: gs_vmreclaim (./src/ireclaim.c:153)
==21439==    by 0x80BB091: ireclaim (./src/ireclaim.c:75)
==21439==    by 0x80B6758: interp_reclaim (./src/interp.c:419)
==21439==    by 0x80B69D0: gs_call_interp (./src/interp.c:517)
==21439==    by 0x80B67B5: gs_interpret (./src/interp.c:446)
==21439==    by 0x80AE5AC: gs_main_interpret (./src/imain.c:214)
==21439==    by 0x80AEBC6: gs_run_init_file (./src/imain.c:462)
==21439==    by 0x80AE65C: gs_main_init2 (./src/imain.c:249)
==21439==    by 0x80B0F71: runarg (./src/imainarg.c:779)
==21439==  Address 0x52BFD6B8 is just below %esp. Possibly a bug in GCC/G++
==21439==   v 2.96 or 3.0.X. To suppress, use: --workaround-gcc296-bugs=yes
==21439==
==21439== More than 30000 total errors detected. I'm not reporting any more.
==21439== Final error counts will be inaccurate. Go fix your program!
==21439== Rerun with --error-limit=no to disable this cutoff. Note
==21439== that errors may occur in your program without prior warning from
==21439== Valgrind, because errors are no longer being displayed.
==21439==
==21439==
==21439== ERROR SUMMARY: 30000 errors from 8 contexts (suppressed: 40 from 2)
==21439== malloc/free: in use at exit: 0 bytes in 0 blocks.
==21439== malloc/free: 7879 allocs, 7879 frees, 43699208 bytes allocated.
==21439== For counts of detected errors, rerun with: -v
==21439== No malloc'd blocks -- no leaks are possible.
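As an added example (not part of the original thread and not Ghostscript code): a small Python triage script for Memcheck logs like the one in the comment above. It collapses repeated error contexts by their top frame and separates the "just below %esp" reports, which Memcheck itself attributes to a possible compiler bug, from the ones left to investigate; the sample is an abridged excerpt of that log, and the names `parse_memcheck`, `triage` and the bucket labels are this example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Abridged excerpt of the Memcheck log quoted in the comment above
# (each context trimmed to its first two frames).
SAMPLE_LOG = """\
==21439== Conditional jump or move depends on uninitialised value(s)
==21439==    at 0x80C5430: count_to_stopped (./src/zcontrol.c:1013)
==21439==    by 0x80C4858: zstop (./src/zcontrol.c:595)
==21439==
==21439== Conditional jump or move depends on uninitialised value(s)
==21439==    at 0x80C5430: count_to_stopped (./src/zcontrol.c:1013)
==21439==    by 0x80C4D37: zinstopped (./src/zcontrol.c:698)
==21439==
==21439== Invalid write of size 4
==21439==    at 0x80DE7EC: gcst_get_memory_ptr (./src/igc.c:1365)
==21439==    by 0x80E04BD: ialloc_validate_chunk (./src/ilocate.c:330)
==21439==  Address 0x52BFD660 is just below %esp. Possibly a bug in GCC/G++
==21439==   v 2.96 or 3.0.X. To suppress, use: --workaround-gcc296-bugs=yes
==21439==
==21439== Invalid read of size 4
==21439==    at 0x80DE7EE: gcst_get_memory_ptr (./src/igc.c:1366)
==21439==    by 0x80E04BD: ialloc_validate_chunk (./src/ilocate.c:330)
==21439==  Address 0x52BFD668 is just below %esp. Possibly a bug in GCC/G++
==21439==   v 2.96 or 3.0.X. To suppress, use: --workaround-gcc296-bugs=yes
==21439==
==21439== ERROR SUMMARY: 30000 errors from 8 contexts (suppressed: 40 from 2)
"""

MARKER = re.compile(r"==\d+==")  # Memcheck's per-line "==PID==" prefix
FRAME = re.compile(r"^(at|by) 0x[0-9A-Fa-f]+: (\S+) \((.+)\)$")


@dataclass
class Report:
    kind: str                                    # e.g. "Invalid write of size 4"
    frames: list = field(default_factory=list)   # [(function, location), ...]
    notes: list = field(default_factory=list)    # "Address ..." detail lines

    @property
    def below_esp(self):
        return any("just below %esp" in note for note in self.notes)


def parse_memcheck(text):
    """Parse Memcheck error reports from a log.

    Splitting on the ==PID== marker instead of on newlines means a log
    that lost its line breaks when pasted into a bug tracker parses the
    same way as the original output.
    """
    reports, current, last_text = [], None, ""
    for raw in MARKER.split(text):
        seg = " ".join(raw.split())
        if not seg:                      # bare marker: end of a report
            current = None
            continue
        m = FRAME.match(seg)
        if m is None:                    # heading, detail line or program output
            if current is not None:
                current.notes.append(seg)
            last_text = seg
        elif m.group(1) == "at":         # innermost frame opens a report
            current = Report(kind=last_text)
            current.frames.append((m.group(2), m.group(3)))
            reports.append(current)
        elif current is not None:        # caller frame of the open report
            current.frames.append((m.group(2), m.group(3)))
    return reports


def triage(reports):
    """Count reports per (bucket, kind, top function, top location).

    Reports carrying Memcheck's "just below %esp" hint go to the
    "below-esp" bucket; everything else is listed first as "investigate".
    """
    counts = Counter()
    for r in reports:
        func, loc = r.frames[0]
        bucket = "below-esp" if r.below_esp else "investigate"
        counts[(bucket, r.kind, func, loc)] += 1
    return sorted(counts.items(),
                  key=lambda kv: (kv[0][0] != "investigate", -kv[1], kv[0]))


if __name__ == "__main__":
    for (bucket, kind, func, loc), n in triage(parse_memcheck(SAMPLE_LOG)):
        print(f"{n:3d}  {bucket:<11}  {func} ({loc}): {kind}")
```
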
Is this valgrind output trustworthy? The gcst_get_memory_ptr function only 'writes' to local automatic (stack based) variables. In particular line 1365 does: vm_spaces spaces = gcst->spaces; Also the 'conditional depends on uninitialized' in count_to_stopped seems suspicious since the ref macros used that reference the execution stack seem solid. Are we possibly seeing a faulty compiler ?
Sorry, yes, comment 19 seems to be incorrect (just got rather confused by 18 - seem that my comment 15 was more correct...) - got both the "Error: /undefined in Start" and segfault with 64-bit patched gs. rev 7021 seems to only have the "Error: /undefined in Start" error, and not the segfault, with "/home/hin-tak/private-dev/app.toolpark.com/testbbb/test.eps".
Created attachment 2454 [details] patch Pacify Valgrind. Fix an uninitialized variable and out-of-order evaluation of a logical expression. The latter may not be a bug but the fix won't degrade the performance too much. The fixes don't address the main problem - a suspected memory corruption.
Valgrind log with the compiler error suppressed and trivial error fixed.

==22377== Memcheck, a memory error detector for x86-linux.
==22377== Copyright (C) 2002-2005, and GNU GPL'd, by Julian Seward et al.
==22377== Using valgrind-2.4.0, a program supervision framework for x86-linux.
==22377== Copyright (C) 2000-2005, and GNU GPL'd, by Julian Seward et al.
==22377== For more details, rerun with: -v
==22377==
AFPL Ghostscript SVN PRE-RELEASE 8.55 (2006-05-20)
Copyright (C) 2006 artofcode LLC, Benicia, CA. All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
==22377== Conditional jump or move depends on uninitialised value(s)
==22377==    at 0x80DDEC0: ptr_struct_mark (./src/igc.c:1070)
==22377==    by 0x80DDA50: gc_trace (./src/igc.c:860)
==22377==    by 0x80DC778: gs_gc_reclaim (./src/igc.c:326)
==22377==    by 0x80BB216: gs_vmreclaim (./src/ireclaim.c:153)
==22377==    by 0x80BB091: ireclaim (./src/ireclaim.c:75)
==22377==    by 0x80B6758: interp_reclaim (./src/interp.c:419)
==22377==    by 0x80B9092: interp (./src/interp.c:1670)
==22377==    by 0x80B68C3: gs_call_interp (./src/interp.c:488)
==22377==    by 0x80B67B5: gs_interpret (./src/interp.c:446)
==22377==    by 0x80AE5AC: gs_main_interpret (./src/imain.c:214)
==22377==    by 0x80AED2F: gs_main_run_string_end (./src/imain.c:531)
==22377==    by 0x80AEC4E: gs_main_run_string_with_length (./src/imain.c:489)
==22377==
==22377== Conditional jump or move depends on uninitialised value(s)
==22377==    at 0x80DD786: gc_trace_chunk (./src/igc.c:745)
==22377==    by 0x80DC802: gs_gc_reclaim (./src/igc.c:335)
==22377==    by 0x80BB216: gs_vmreclaim (./src/ireclaim.c:153)
==22377==    by 0x80BB091: ireclaim (./src/ireclaim.c:75)
==22377==    by 0x80B6758: interp_reclaim (./src/interp.c:419)
==22377==    by 0x80B9092: interp (./src/interp.c:1670)
==22377==    by 0x80B68C3: gs_call_interp (./src/interp.c:488)
==22377==    by 0x80B67B5: gs_interpret (./src/interp.c:446)
==22377==    by 0x80AE5AC: gs_main_interpret (./src/imain.c:214)
==22377==    by 0x80AED2F: gs_main_run_string_end (./src/imain.c:531)
==22377==    by 0x80AEC4E: gs_main_run_string_with_length (./src/imain.c:489)
==22377==    by 0x80AEBFA: gs_main_run_string (./src/imain.c:472)
==22377==
==22377== Conditional jump or move depends on uninitialised value(s)
==22377==    at 0x80DD78B: gc_trace_chunk (./src/igc.c:746)
==22377==    by 0x80DC802: gs_gc_reclaim (./src/igc.c:335)
==22377==    by 0x80BB216: gs_vmreclaim (./src/ireclaim.c:153)
==22377==    by 0x80BB091: ireclaim (./src/ireclaim.c:75)
==22377==    by 0x80B6758: interp_reclaim (./src/interp.c:419)
==22377==    by 0x80B9092: interp (./src/interp.c:1670)
==22377==    by 0x80B68C3: gs_call_interp (./src/interp.c:488)
==22377==    by 0x80B67B5: gs_interpret (./src/interp.c:446)
==22377==    by 0x80AE5AC: gs_main_interpret (./src/imain.c:214)
==22377==    by 0x80AED2F: gs_main_run_string_end (./src/imain.c:531)
==22377==    by 0x80AEC4E: gs_main_run_string_with_length (./src/imain.c:489)
==22377==    by 0x80AEBFA: gs_main_run_string (./src/imain.c:472)
==22377==
==22377== Conditional jump or move depends on uninitialised value(s)
==22377==    at 0x80DDEC0: ptr_struct_mark (./src/igc.c:1070)
==22377==    by 0x80DDA50: gc_trace (./src/igc.c:860)
==22377==    by 0x80DD7D2: gc_trace_chunk (./src/igc.c:756)
==22377==    by 0x80DC802: gs_gc_reclaim (./src/igc.c:335)
==22377==    by 0x80BB216: gs_vmreclaim (./src/ireclaim.c:153)
==22377==    by 0x80BB091: ireclaim (./src/ireclaim.c:75)
==22377==    by 0x80B6758: interp_reclaim (./src/interp.c:419)
==22377==    by 0x80B9092: interp (./src/interp.c:1670)
==22377==    by 0x80B68C3: gs_call_interp (./src/interp.c:488)
==22377==    by 0x80B67B5: gs_interpret (./src/interp.c:446)
==22377==    by 0x80AE5AC: gs_main_interpret (./src/imain.c:214)
==22377==    by 0x80AED2F: gs_main_run_string_end (./src/imain.c:531)
==22377==
==22377== Conditional jump or move depends on uninitialised value(s)
==22377==    at 0x82666C4: gx_general_fill_path (./src/gxfill.c:173)
==22377==    by 0x8266F5F: gx_default_fill_path (./src/gxfill.c:622)
==22377==    by 0x825398F: gx_cpath_intersect_path_slow (./src/gxacpath.c:190)
==22377==    by 0x8264189: gx_cpath_intersect_with_params (./src/gxcpath.c:651)
==22377==    by 0x8264228: gx_cpath_intersect (./src/gxcpath.c:673)
==22377==    by 0x8263B9A: gx_cpath_clip (./src/gxcpath.c:546)
==22377==    by 0x824F8FD: common_clip (./src/gspath.c:442)
==22377==    by 0x824F8C7: gs_clip (./src/gspath.c:430)
==22377==    by 0x80DB8E3: zclip (./src/zpath.c:147)
==22377==    by 0x80B644F: call_operator (./src/interp.c:104)
==22377==    by 0x80B8A5B: interp (./src/interp.c:1518)
==22377==    by 0x80B68C3: gs_call_interp (./src/interp.c:488)
==22377==
==22377== ERROR SUMMARY: 188 errors from 5 contexts (suppressed: 5375 from 4)
==22377== malloc/free: in use at exit: 0 bytes in 0 blocks.
==22377== malloc/free: 7879 allocs, 7879 frees, 43699208 bytes allocated.
==22377== For counts of detected errors, rerun with: -v
==22377== No malloc'd blocks -- no leaks are possible.
The same sample file crashes GS in a different place with the following command line:

[alexcher@bufo gs_svn]$ gs/debugobj/gs -Z5 -dNOPAUSE -dBATCH -sDEVICE=pdfwrite -dPDFSETTINGS=/prepress -dEPSCrop -dProcessColorModel=/DeviceCMYK -dCompatibilityLevel=1.3 -sOutputFile=test.pdf test.eps >txt.log 2>&1
The patch from the comment #23 is committed as revision 7029. Regression test shows no differences.
Hello again ;) I came across another file which couldn't be converted into a PDF, running into a segmentation fault. Reading your discussion about the bug I couldn't quite figure out whether someone actually solved the problem, but since there is no new release available for download it seems like there was no fix? I don't know if this helps, but the same file can be converted using: AFPL Ghostscript 8.11 (2003-08-16) on an otherwise similar setup. Also, with this file, the given filepath length does not seem to affect the error this time. I am not sure if this is in fact the same error or another one?
Created attachment 2818 [details] Troublesome EPS
Created attachment 2819 [details] Mangled Resulting PDF, not openable
The suspected memory corruption has not been fixed. An unrelated problem has been identified and fixed during the work on this bug report. Bugs are marked as fixed when the update is committed to the source repository. It may take up to a year before the fix appears in the next release. The current development version in source form is always available for download from the repository. I cannot reproduce the crash with the new file on Win32 platform. Please provide more information about your environment. It would be great to re-submit this file as a new bug.
Bumping the priority for crashes.
Please try 8.60 release. Since many things have been changed, possibly the bug has gone.
Returning to Support. Please clarify whether the user is satisfied or not with the last release, and how to reproduce the crash for sure.
Please re-test ...
This is still in gshead (r8556); with the simplified command line:

bin/gs -sDEVICE=ppmraw -o test.ppm ./test.eps

I see the following valgrind errors:

==17773== Conditional jump or move depends on uninitialised value(s)
==17773==    at 0x4A18A1: ptr_struct_mark (in /home/marcos/Desktop/artifex/ghostscript/trunk/gs/bin/gs)
==17773==    by 0x4A1D5A: gc_trace (in /home/marcos/Desktop/artifex/ghostscript/trunk/gs/bin/gs)
==17773==    by 0x4A23E2: gs_gc_reclaim (in /home/marcos/Desktop/artifex/ghostscript/trunk/gs/bin/gs)
==17773==    by 0x5170F1: context_reclaim (in /home/marcos/Desktop/artifex/ghostscript/trunk/gs/bin/gs)
==17773==    by 0x47FA03: ireclaim (in /home/marcos/Desktop/artifex/ghostscript/trunk/gs/bin/gs)
==17773==    by 0x47B72E: interp_reclaim (in /home/marcos/Desktop/artifex/ghostscript/trunk/gs/bin/gs)
==17773==    by 0x47D20B: gs_interpret (in /home/marcos/Desktop/artifex/ghostscript/trunk/gs/bin/gs)
==17773==    by 0x472C5D: gs_main_run_string_end (in /home/marcos/Desktop/artifex/ghostscript/trunk/gs/bin/gs)
==17773==    by 0x473C0F: run_string (in /home/marcos/Desktop/artifex/ghostscript/trunk/gs/bin/gs)
==17773==    by 0x4742F5: runarg (in /home/marcos/Desktop/artifex/ghostscript/trunk/gs/bin/gs)
==17773==    by 0x4744AB: argproc (in /home/marcos/Desktop/artifex/ghostscript/trunk/gs/bin/gs)
==17773==    by 0x4759DB: gs_main_init_with_args (in /home/marcos/Desktop/artifex/ghostscript/trunk/gs/bin/gs)
==17773==
==17773== Conditional jump or move depends on uninitialised value(s)
==17773==    at 0x4A24B7: gs_gc_reclaim (in /home/marcos/Desktop/artifex/ghostscript/trunk/gs/bin/gs)
==17773==    by 0x5170F1: context_reclaim (in /home/marcos/Desktop/artifex/ghostscript/trunk/gs/bin/gs)
==17773==    by 0x47FA03: ireclaim (in /home/marcos/Desktop/artifex/ghostscript/trunk/gs/bin/gs)
==17773==    by 0x47B72E: interp_reclaim (in /home/marcos/Desktop/artifex/ghostscript/trunk/gs/bin/gs)
==17773==    by 0x47D20B: gs_interpret (in /home/marcos/Desktop/artifex/ghostscript/trunk/gs/bin/gs)
==17773==    by 0x472C5D: gs_main_run_string_end (in /home/marcos/Desktop/artifex/ghostscript/trunk/gs/bin/gs)
==17773==    by 0x473C0F: run_string (in /home/marcos/Desktop/artifex/ghostscript/trunk/gs/bin/gs)
==17773==    by 0x4742F5: runarg (in /home/marcos/Desktop/artifex/ghostscript/trunk/gs/bin/gs)
==17773==    by 0x4744AB: argproc (in /home/marcos/Desktop/artifex/ghostscript/trunk/gs/bin/gs)
==17773==    by 0x4759DB: gs_main_init_with_args (in /home/marcos/Desktop/artifex/ghostscript/trunk/gs/bin/gs)
==17773==    by 0x40A030: main (in /home/marcos/Desktop/artifex/ghostscript/trunk/gs/bin/gs)
. . .

Since these are the same as bug 689723, a customer bug, I'm marking this one a duplicate of that one. *** This bug has been marked as a duplicate of 689723 ***
I reopen this bug because I believe I observe a problem with the PostScript interpreter. It creates an image enumerator, then executes 'save', then frees the image enumerator at another save level than it was created. Due to that the enumerator is left in memory and garbager reports a problem when running with -Z?@$? : "Reference to free object". The reference happens in pdf_image_enum::writer.data. To prove this observation, run the C debugger with

gswin32c.exe -IF:/AFPL/gs-hd/lib;f:\afpl\fonts -Z?@$? -dNOPAUSE -dBATCH -sDEVICE=pdfwrite -dPDFSETTINGS=/prepress -dEPSCrop -dProcessColorModel=/DeviceCMYK -dCompatibilityLevel=1.3 -sOutputFile=cur.pdf attachment.ps

Set a breakpoint at $Id: gdevpdfi.c 8565 ln 538 and ln 1109 - both with hit count = 15. When the 1st breakpoint is reached, set 2 more breakpoints at zvmem.c ln 71 and ln 112. See 'save' happens with no 'restore' when the enumerator is not freed. For a while I assign it to myself to know whether it is a PS document bug or something else.
The first image enumerator demonstrates same problem.
Created attachment 3866 [details] attachment-.ps An instrumented test file simplifies the analysis. An image DataSource procedure performs 'save' and 'imageormask' executes 'restore' after 'image' is completed. The document has %%Creator: Adobe Illustrator(R) X %%AI8_CreatorVersion: 10.0 . Thus the document believes that DataSource may have side effects. PLRM does not. How can I know that the document is really created by Adobe software ???
We would like to fill the enumerator with zeros before freeing it (to prevent pending pointers if gs_free_object appears at another save level). Searching through gs/src for 'end_image' (not a full word) got a lot of functions which apply gs_free_object to the image enumerator, and a lot of ones which do not. So it's not so simple. Need to think what to do next.
Patch to HEAD : http://ghostscript.com/pipermail/gs-cvs/2008-June/008387.html closes Comment #38, 39.
open for review, the fix appears to be a mask or workaround for a problem not completely analyzed.
In particular, we'd like a cleaner fix than that suggested in comment #39, and documented in gx_image_free_enum() at the end of gximage1.c.
shark profile running pcl6 with args -sDEVICE=ppmraw -sOutputFile=/dev/null -r600 /Users/henrys/problem_files/39002wts.pcl demonstrates "zeroing" out the enum is a performance bottleneck.
sread_string 0.0% 0.0% pcl6 s_band_read_process 0.0% 0.0% pcl6 image_init_clues 0.0% 0.0% mach_kernel hw_atomic_sub 0.0% 0.0% mach_kernel hw_atomic_add 0.0% 0.0% pcl6 gx_image_plane_data_rows 0.0% 0.0% pcl6 gx_forward_encode_color 0.0% 0.0% pcl6 gx_device_raster 0.0% 0.0% pcl6 gx_device_fill_in_procs 0.0% 0.0% pcl6 gx_cpath_reset 0.0% 0.0% pcl6 gs_cspace_new_DeviceRGB 0.0% 0.0% pcl6 fwd_map_rgb_cs 0.0% 0.0% mach_kernel copyin_kern 0.0% 0.0% pcl6 clist_rasterize_lines 0.0% 0.0% mach_kernel adjust_vm_object_cache 0.0% 0.0% libSystem.B.dylib _sysenter_trap 0.0% 0.0% mach_kernel vm_map_create 0.0% 0.0% pcl6 top_up_cbuf 0.0% 0.0% pcl6 swrite_string 0.0% 0.0% pcl6 setup_image_device 0.0% 0.0% pcl6 remove_range_from_freelist 0.0% 0.0% mach_kernel pmap_disconnect 0.0% 0.0% mach_kernel munge_wwwwwl 0.0% 0.0% pcl6 memfile_fseek 0.0% 0.0% mach_kernel lock_done 0.0% 0.0% pcl6 gx_device_forward_finalize 0.0% 0.0% pcl6 gx_default_get_clipping_box 0.0% 0.0% pcl6 gx_default_begin_typed_image 0.0% 0.0% pcl6 gx_cpath_free 0.0% 0.0% pcl6 gs_point_transform 0.0% 0.0% pcl6 gp_monitor_enter 0.0% 0.0% mach_kernel get_bsdtask_info 0.0% 0.0% pcl6 dyld_stub_floor 0.0% 0.0% mach_kernel copyin 0.0% 0.0% pcl6 cmd_put_w 0.0% 0.0% libSystem.B.dylib write$NOCANCEL$UNIX2003 0.0% 0.0% mach_kernel vm_page_free 0.0% 0.0% pcl6 stell 0.0% 0.0% pcl6 sputs 0.0% 0.0% pcl6 sample_unpack_copy 0.0% 0.0% pcl6 rc_free_struct_only 0.0% 0.0% mach_kernel munge_ww 0.0% 0.0% libSystem.B.dylib mmap$UNIX2003 0.0% 0.0% libSystem.B.dylib memmove 0.0% 0.0% pcl6 memfile_fread_chars 0.0% 0.0% pcl6 gx_path_free 0.0% 0.0% pcl6 gx_default_setup_buf_device 0.0% 0.0% pcl6 gx_default_get_initial_matrix 0.0% 0.0% pcl6 gx_cpath_init_local_shared 0.0% 0.0% pcl6 gx_concretize_Indexed 0.0% 0.0% pcl6 cmd_read_matrix 0.0% 0.0% pcl6 clist_get_band_complexity 0.0% 0.0% pcl6 bbox_transform_either 0.0% 0.0% mach_kernel thread_bootstrap_return 0.0% 0.0% pcl6 sreadbuf 0.0% 0.0% libSystem.B.dylib read 0.0% 0.0% mach_kernel OSCompareAndSwap 
0.0% 0.0% mach_kernel lock_read_to_write 0.0% 0.0% mach_kernel lck_rw_try_lock_exclusive 0.0% 0.0% mach_kernel lck_rw_destroy 0.0% 0.0% mach_kernel lck_mtx_lock_spin 0.0% 0.0% mach_kernel lck_grp_lckcnt_incr 0.0% 0.0% pcl6 i_object_size 0.0% 0.0% pcl6 gx_same_concrete_space 0.0% 0.0% pcl6 gx_path_init_local_shared 0.0% 0.0% pcl6 gx_cpath_accum_set_cbox 0.0% 0.0% pcl6 gs_points_bbox 0.0% 0.0% pcl6 gs_make_mem_device 0.0% 0.0% pcl6 gs_cspace_alloc 0.0% 0.0% pcl6 get_uu32 0.0% 0.0% pcl6 gdev_mem_set_line_ptrs 0.0% 0.0% mach_kernel fo_write 0.0% 0.0% pcl6 dyld_stub_memmove 0.0% 0.0% libSystem.B.dylib dyld_stub__spin_lock 0.0% 0.0% mach_kernel cpu_number 0.0% 0.0% pcl6 cpath_set_rectangle 0.0% 0.0% pcl6 consolidate_chunk_free 0.0% 0.0% pcl6 cmd_write_rect_cmd 0.0% 0.0% pcl6 clist_get_bits_rectangle 0.0% 0.0% libSystem.B.dylib __sfvwrite 0.0% 0.0% mach_kernel vnode_put_locked 0.0% 0.0% mach_kernel vm_object_lock_try 0.0% 0.0% mach_kernel vm_map_enter_cpm 0.0% 0.0% libSystem.B.dylib spin_unlock 0.0% 0.0% pcl6 put_uu32 0.0% 0.0% pcl6 process_row 0.0% 0.0% pcl6 pcl_process 0.0% 0.0% pcl6 pcl_cmap_create_remap_ary 0.0% 0.0% pcl6 pbm_print_page_loop 0.0% 0.0% pcl6 mem_get_bits_rectangle 0.0% 0.0% mach_kernel lck_rw_lock_shared_to_exclusive 0.0% 0.0% mach_kernel lck_rw_init 0.0% 0.0% mach_kernel lck_grp_reference 0.0% 0.0% pcl6 gx_image_flush 0.0% 0.0% pcl6 gx_default_create_buf_device 0.0% 0.0% pcl6 gx_dc_no_get_dev_halftone 0.0% 0.0% pcl6 gx_cpath_list 0.0% 0.0% pcl6 gx_cpath_from_rectangle 0.0% 0.0% pcl6 gs_raw_alloc_struct_immovable 0.0% 0.0% pcl6 gs_image_next_planes 0.0% 0.0% pcl6 gs_image_begin_typed 0.0% 0.0% pcl6 gs_device_is_memory 0.0% 0.0% pcl6 gs_closedevice 0.0% 0.0% pcl6 gdev_prn_colors_used 0.0% 0.0% libSystem.B.dylib flockfile 0.0% 0.0% mach_kernel copyin_user 0.0% 0.0% pcl6 cmd_put_drawing_color 0.0% 0.0% pcl6 bbox_transform_either_only 0.0% 0.0% pcl6 accum_open_device 0.0% 0.0% mach_kernel zalloc 0.0% 0.0% mach_kernel vm_object_lock_shared 0.0% 0.0% 
mach_kernel vm_external_destroy 0.0% 0.0% pcl6 trim_obj 0.0% 0.0% pcl6 stream_compact 0.0% 0.0% pcl6 spgetcc 0.0% 0.0% pcl6 ppgm_print_row 0.0% 0.0% pcl6 pcl_get_command_definition 0.0% 0.0% pcl6 pcl_enter_graphics_mode 0.0% 0.0% mach_kernel mac_policy_list_conditional_busy 0.0% 0.0% mach_kernel IS_64BIT_PROCESS 0.0% 0.0% pcl6 i_alloc_byte_array 0.0% 0.0% pcl6 gx_image_end 0.0% 0.0% pcl6 gx_device_forward_color_procs 0.0% 0.0% pcl6 gx_device_finalize 0.0% 0.0% pcl6 gs_struct_type_size 0.0% 0.0% pcl6 gs_setmatrix 0.0% 0.0% pcl6 gs_setcolorspace 0.0% 0.0% pcl6 gs_gsave 0.0% 0.0% pcl6 gs_currentdevice 0.0% 0.0% pcl6 gs_bbox_transform_inverse 0.0% 0.0% pcl6 gdev_prn_get_bits 0.0% 0.0% pcl6 gdev_create_buf_device 0.0% 0.0% libSystem.B.dylib fwrite$UNIX2003 0.0% 0.0% mach_kernel fp_lookup 0.0% 0.0% libSystem.B.dylib dyld_stub__spin_unlock 0.0% 0.0% pcl6 cmd_write_ctm_return_length 0.0% 0.0% pcl6 cmd_update_lop 0.0% 0.0% pcl6 cmd_put_set_data_x 0.0% 0.0% pcl6 clist_select_render_plane 0.0% 0.0% mach_kernel _rtc_nanotime_read 0.0% 0.0% mach_kernel write_nocancel 0.0% 0.0% mach_kernel VNOP_WRITE 0.0% 0.0% mach_kernel VNOP_READ 0.0% 0.0% mach_kernel vnode_getwithref 0.0% 0.0% mach_kernel vnode_getattr 0.0% 0.0% mach_kernel vn_rdwr 0.0% 0.0% mach_kernel vn_pathconf 0.0% 0.0% mach_kernel vm_page_lru 0.0% 0.0% mach_kernel vfs_context_ucred 0.0% 0.0% mach_kernel vfs_context_proc 0.0% 0.0% mach_kernel vfs_context_current 0.0% 0.0% mach_kernel uio_resid 0.0% 0.0% pcl6 uint_value 0.0% 0.0% libSystem.B.dylib tiny_malloc_from_free_list 0.0% 0.0% libSystem.B.dylib strcpy 0.0% 0.0% mach_kernel spec_strategy 0.0% 0.0% mach_kernel read_nocancel 0.0% 0.0% pcl6 rc_free_cpath_list_local 0.0% 0.0% libSystem.B.dylib pthread_mutex_lock 0.0% 0.0% pcl6 ppm_print_row 0.0% 0.0% pcl6 pcl_start_raster 0.0% 0.0% pcl6 pcl_set_drawing_color 0.0% 0.0% pcl6 pcl_palette_check_complete 0.0% 0.0% pcl6 pcl_ht_set_halftone 0.0% 0.0% pcl6 pcl_horiz_rect_size_units 0.0% 0.0% pcl6 pcl_grestore 0.0% 0.0% pcl6 
pcl_fill_rect_area 0.0% 0.0% pcl6 pcl_end_graphics_mode 0.0% 0.0% pcl6 pcl_complete_raster 0.0% 0.0% pcl6 pattern_set_frgrnd 0.0% 0.0% mach_kernel munge_www 0.0% 0.0% mach_kernel mmwrite 0.0% 0.0% pcl6 memfile_get_pdata 0.0% 0.0% pcl6 memfile_free_mem 0.0% 0.0% mach_kernel mac_file_check_change_offset 0.0% 0.0% mach_kernel lck_rw_lock_exclusive_to_shared 0.0% 0.0% mach_kernel IOGeneralMemoryDescriptor::initWithOptions(void*, unsigned long, unsigned long, task*, unsigned long, IOMapper*) 0.0% 0.0% dyld ImageLoaderMachO::hasCoalescedExports() const 0.0% 0.0% pcl6 i_alloc_struct_immovable 0.0% 0.0% mach_kernel hfs_vnop_read 0.0% 0.0% pcl6 gx_set_identity_transfer 0.0% 0.0% pcl6 gx_remap_color 0.0% 0.0% pcl6 gx_pixel_image_sput 0.0% 0.0% pcl6 gx_image_planes_wanted 0.0% 0.0% pcl6 gx_image_matrix_is_default 0.0% 0.0% pcl6 gx_get_bits_return_pointer 0.0% 0.0% pcl6 gx_default_get_bits 0.0% 0.0% pcl6 gx_default_destroy_buf_device 0.0% 0.0% pcl6 gx_dc_pure_read 0.0% 0.0% pcl6 gx_cpath_assign_free 0.0% 0.0% pcl6 gstate_copy_client_data 0.0% 0.0% pcl6 gs_type42_font_init 0.0% 0.0% pcl6 gs_matrix_translate 0.0% 0.0% pcl6 gs_matrix_multiply 0.0% 0.0% pcl6 gs_imager_state_release 0.0% 0.0% pcl6 gs_grestore_only 0.0% 0.0% pcl6 gs_deviceinitialmatrix 0.0% 0.0% pcl6 gs_color_space_get_index 0.0% 0.0% pcl6 gdev_mem_device_for_bits 0.0% 0.0% libSystem.B.dylib funlockfile 0.0% 0.0% mach_kernel fo_read 0.0% 0.0% pcl6 find_first_white 0.0% 0.0% libSystem.B.dylib fabs$fenv_access_off 0.0% 0.0% pcl6 dyld_stub_pthread_self 0.0% 0.0% pcl6 dyld_stub_pthread_mutex_unlock 0.0% 0.0% pcl6 dyld_stub_pthread_mutex_trylock 0.0% 0.0% libSystem.B.dylib dyld_stub_malloc_zone_free 0.0% 0.0% pcl6 dyld_stub_ceil 0.0% 0.0% pcl6 create_image_enumerator 0.0% 0.0% mach_kernel copypv 0.0% 0.0% pcl6 convert_color_to_paint 0.0% 0.0% pcl6 cmd_put_color_mapping 0.0% 0.0% pcl6 cmd_put_color_map 0.0% 0.0% pcl6 cmd_clear_known 0.0% 0.0% mach_kernel cluster_read 0.0% 0.0% mach_kernel cluster_pageout 0.0% 0.0% pcl6 
clist_image_unknowns 0.0% 0.0% pcl6 clist_get_bits_rect_mt 0.0% 0.0% pcl6 clist_fill_rectangle 0.0% 0.0% pcl6 clist_close_writer_and_init_reader 0.0% 0.0% pcl6 clip_stack_rc_adjust 0.0% 0.0% pcl6 clip_open 0.0% 0.0% pcl6 build_remap_array 0.0% 0.0% pcl6 allocateWithReserve 0.0% 0.0% pcl6 alloc_init_free_strings 0.0% 0.0% pcl6 add_raster_plane 0.0% 0.0% libSystem.B.dylib _swrite 0.0% 0.0% libSystem.B.dylib __vfprintf 0.0% 0.0% libSystem.B.dylib __srefill 0.0% 0.0% libgcc_s.1.dylib __moddi3
This bug is soooo confusing that I am closing it. The crash was probably due to stale pointers in the 'clues' structure (partly) fixed by Igor. This fix (rev 8803) did impact performance because the clearing of the (rather large) clues area now happens twice. Note that there was still a hard-to-reproduce segfault related to this that I just fixed, since the GC enum for the clues didn't check for zeroes. The preferred solution is to eliminate the clues altogether, which will be done as part of the image color handling improvements of the ICC_work branch. Closing this messy bug and trusting that the clues will go away.
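A simplified model of the failure class the closing comment describes, added here as an example and not taken from Ghostscript's source. It shows a recycled cache table that keeps a pointer to a freed object unless it is cleared, and a collector walk that has to skip zeroed slots. All names (`clue_t`, `image_enum_t`, `enum_begin`, `gc_trace`) and the table size are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

#define N_CLUES 256     /* constructed size, not Ghostscript's */
#define HEAP_OBJS 8

/* Toy collector-managed heap: each slot is either live or freed. */
typedef struct { int live; int marked; } obj_t;
static obj_t heap[HEAP_OBJS];
static size_t next_obj;

static obj_t *obj_alloc(void) {
    obj_t *o = &heap[next_obj++];
    o->live = 1;
    o->marked = 0;
    return o;
}
static void obj_free(obj_t *o) { o->live = 0; }

/* Hypothetical cache slot: a key plus a pointer the collector must trace. */
typedef struct { int key; obj_t *dev_color; } clue_t;
typedef struct { clue_t clues[N_CLUES]; } image_enum_t;

/* Start a new image on a recycled enumerator. Clearing costs a memset of
   the whole table per image, but leaves no pointer from the previous one. */
static void enum_begin(image_enum_t *e, int clear) {
    if (clear) memset(e->clues, 0, sizeof e->clues);
}

/* Pointer enumeration for the collector. Zeroed slots are skipped, since a
   cleared table is mostly NULL. Returns how many freed objects were reached. */
static int gc_trace(const image_enum_t *e) {
    int stale = 0;
    for (size_t i = 0; i < N_CLUES; i++) {
        obj_t *p = e->clues[i].dev_color;
        if (p == NULL) continue;
        if (p->live) p->marked = 1; else stale++;
    }
    return stale;
}

/* One image fills slot 3 and ends; a second image reuses the enumerator. */
int stale_after_reuse(int clear) {
    static image_enum_t e;
    memset(heap, 0, sizeof heap);
    next_obj = 0;
    memset(&e, 0, sizeof e);
    e.clues[3].dev_color = obj_alloc();
    obj_free(e.clues[3].dev_color);      /* first image released its color */
    enum_begin(&e, clear);
    e.clues[5].dev_color = obj_alloc();  /* second image caches a new one */
    return gc_trace(&e);
}
```

In the toy heap a freed object is only flagged, so the stale pointer can be counted safely; with a real allocator the same walk would touch released memory.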