Bug 689723 - Ghostscript crashes reading PDF file (valgrind reports problems)
Status: NOTIFIED FIXED
Alias: None
Product: Ghostscript
Classification: Unclassified
Component: General
Version: master
Hardware: PC Linux
Importance: P2 normal
Assignee: Ray Johnston
Reported: 2008-02-26 16:22 UTC by Marcos H. Woehrmann
Modified: 2008-12-19 08:31 UTC
Customer: 661
Word Size: ---


Description Marcos H. Woehrmann 2008-02-26 16:22:17 UTC
The customer reports the attached PDF file causes Ghostscript to crash; I'm able
to duplicate this issue with gs8.61, but not reliably (i.e. changing the DEVICE
or resolution makes the problem go away).  Running the file with gshead (r8548)
and valgrind shows some issues:

==28860== Memcheck, a memory error detector.
==28860== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==28860== Using LibVEX rev 1732, a library for dynamic binary translation.
==28860== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==28860== Using valgrind-3.2.3-Debian, a dynamic binary instrumentation framework.
==28860== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==28860== For more details, rerun with: -v
==28860==
GPL Ghostscript SVN PRE-RELEASE 8.62 (2007-11-22)
Copyright (C) 2007 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
Processing pages 1 through 2.
Page 1
==28860== Conditional jump or move depends on uninitialised value(s)
==28860==    at 0x4A17B1: ptr_struct_mark (in
/home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x4A1C6A: gc_trace (in /home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x4A22F2: gs_gc_reclaim (in
/home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x517171: context_reclaim (in
/home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x47F913: ireclaim (in /home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x47B63E: interp_reclaim (in
/home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x47D11B: gs_interpret (in
/home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x472B6D: gs_main_run_string_end (in
/home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x473B1F: run_string (in
/home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x474205: runarg (in /home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x4743BB: argproc (in /home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x4758EB: gs_main_init_with_args (in
/home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==
==28860== Conditional jump or move depends on uninitialised value(s)
==28860==    at 0x4A23C7: gs_gc_reclaim (in
/home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x517171: context_reclaim (in
/home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x47F913: ireclaim (in /home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x47B63E: interp_reclaim (in
/home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x47D11B: gs_interpret (in
/home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x472B6D: gs_main_run_string_end (in
/home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x473B1F: run_string (in
/home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x474205: runarg (in /home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x4743BB: argproc (in /home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x4758EB: gs_main_init_with_args (in
/home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x40A030: main (in /home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==
==28860== Conditional jump or move depends on uninitialised value(s)
==28860==    at 0x4A23CC: gs_gc_reclaim (in
/home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x517171: context_reclaim (in
/home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x47F913: ireclaim (in /home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x47B63E: interp_reclaim (in
/home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x47D11B: gs_interpret (in
/home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x472B6D: gs_main_run_string_end (in
/home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x473B1F: run_string (in
/home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x474205: runarg (in /home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x4743BB: argproc (in /home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x4758EB: gs_main_init_with_args (in
/home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x40A030: main (in /home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==
==28860== Conditional jump or move depends on uninitialised value(s)
==28860==    at 0x4A17B1: ptr_struct_mark (in
/home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x4A1C6A: gc_trace (in /home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x4A242F: gs_gc_reclaim (in
/home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x517171: context_reclaim (in
/home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x47F913: ireclaim (in /home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x47B63E: interp_reclaim (in
/home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x47D11B: gs_interpret (in
/home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x472B6D: gs_main_run_string_end (in
/home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x473B1F: run_string (in
/home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x474205: runarg (in /home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x4743BB: argproc (in /home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x4758EB: gs_main_init_with_args (in
/home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==
==28860== Conditional jump or move depends on uninitialised value(s)
==28860==    at 0x6C0AE3: memflip8x8 (in
/home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x6E53DD: copy_landscape (in
/home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x6E604E: image_render_landscape (in
/home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x6E4A3F: gx_image1_plane_data (in
/home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x6B37CF: gs_image_next_planes (in
/home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x49F726: image_file_continue (in
/home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x47C3E7: gs_interpret (in
/home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x472B6D: gs_main_run_string_end (in
/home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x473B1F: run_string (in
/home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x474205: runarg (in /home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x4743BB: argproc (in /home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x4758EB: gs_main_init_with_args (in
/home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==
==28860== Conditional jump or move depends on uninitialised value(s)
==28860==    at 0x70CF27: mem_true24_copy_mono (in
/home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x6E5058: copy_portrait (in
/home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x6E543E: copy_landscape (in
/home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x6E604E: image_render_landscape (in
/home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x6E4A3F: gx_image1_plane_data (in
/home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x6B37CF: gs_image_next_planes (in
/home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x49F726: image_file_continue (in
/home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x47C3E7: gs_interpret (in
/home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x472B6D: gs_main_run_string_end (in
/home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x473B1F: run_string (in
/home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x474205: runarg (in /home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x4743BB: argproc (in /home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==
==28860== Conditional jump or move depends on uninitialised value(s)
==28860==    at 0x6C0BB2: memflip8x8 (in
/home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x6E53DD: copy_landscape (in
/home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x6E604E: image_render_landscape (in
/home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x6E4A3F: gx_image1_plane_data (in
/home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x6B37CF: gs_image_next_planes (in
/home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x49F726: image_file_continue (in
/home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x47C3E7: gs_interpret (in
/home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x472B6D: gs_main_run_string_end (in
/home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x473B1F: run_string (in
/home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x474205: runarg (in /home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x4743BB: argproc (in /home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x4758EB: gs_main_init_with_args (in
/home/marcos/Desktop/artifex/gs.8548/bin/gs)
Page 2
==28860==
==28860== Conditional jump or move depends on uninitialised value(s)
==28860==    at 0x6C0BC5: memflip8x8 (in
/home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x6E53DD: copy_landscape (in
/home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x6E604E: image_render_landscape (in
/home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x6E4A3F: gx_image1_plane_data (in
/home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x6B37CF: gs_image_next_planes (in
/home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x49F726: image_file_continue (in
/home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x47C3E7: gs_interpret (in
/home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x472B6D: gs_main_run_string_end (in
/home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x473B1F: run_string (in
/home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x474205: runarg (in /home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x4743BB: argproc (in /home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==    by 0x4758EB: gs_main_init_with_args (in
/home/marcos/Desktop/artifex/gs.8548/bin/gs)
==28860==
==28860== ERROR SUMMARY: 2649 errors from 8 contexts (suppressed: 8 from 1)
==28860== malloc/free: in use at exit: 1,584 bytes in 66 blocks.
==28860== malloc/free: 29,205 allocs, 29,139 frees, 88,691,192 bytes allocated.
==28860== For counts of detected errors, rerun with: -v
==28860== searching for pointers to 66 not-freed blocks.
==28860== checked 9,517,432 bytes.
==28860==
==28860== LEAK SUMMARY:
==28860==    definitely lost: 1,584 bytes in 66 blocks.
==28860==      possibly lost: 0 bytes in 0 blocks.
==28860==    still reachable: 0 bytes in 0 blocks.
==28860==         suppressed: 0 bytes in 0 blocks.
==28860== Rerun with --leak-check=full to see details of leaked memory.

The command line I'm using:

valgrind bin/gs -I./lib:/Users/marcos/Desktop/artifex/fonts -sDEVICE=ppmraw
-sOutputFile=test.ppm -dNOPAUSE -dBATCH ../Invoices001.PDF
Comment 1 Marcos H. Woehrmann 2008-02-26 16:22:59 UTC
Created attachment 3820 [details]
Invoices001.PDF
Comment 2 Marcos H. Woehrmann 2008-02-28 11:56:48 UTC
*** Bug 688845 has been marked as a duplicate of this bug. ***
Comment 3 leonardo 2008-03-31 11:57:37 UTC
I think the most informative issue here is this one:

==28860== Conditional jump or move depends on uninitialised value(s)
==28860==    at 0x70CF27: mem_true24_copy_mono (in

Assigning to its owner.
Comment 4 Ray Johnston 2008-04-18 12:43:52 UTC
While I do see a 'Segmentation Violation' on Windows with 8.61, 8.62 and
head do not crash.

I looked at this with a debugger, and it crashed in 'jbig2_find_segment'.
I don't know, but suspect that this was fixed by Ken's r8456 patch (12/21/2007).

Closing as "FIXED" since 8.62 works and has been released.
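
The Memcheck log in the description repeats the same few call chains at different addresses, and Comment 3 picks one context out by eye. The script below is an added example, not part of the original report or of Ghostscript's tooling: it groups error records by top-of-stack function and tolerates frames wrapped after "(in", as in the log above. `triage` and `SAMPLE` are hypothetical names, and `SAMPLE` is a constructed, shortened excerpt with a placeholder binary path.

```python
import re

PREFIX = re.compile(r"^==\d+==\s?")
FRAME = re.compile(r"^\s*(?:at|by) 0x[0-9A-Fa-f]+: (\S+)")
SUMMARY = re.compile(r"ERROR SUMMARY: ([\d,]+) errors from ([\d,]+) contexts")

def triage(log):
    """Group Memcheck records by top frame; returns (groups, (errors, contexts))."""
    groups, summary, chain = {}, None, []
    def flush():
        if chain:
            chains = groups.setdefault(chain[0], [])
            if tuple(chain) not in chains:
                chains.append(tuple(chain))
            chain.clear()

    for raw in log.splitlines():
        if not PREFIX.match(raw):
            continue  # program output ("Page 2") or the wrapped tail of a frame
        line = PREFIX.sub("", raw)
        frame, total = FRAME.match(line), SUMMARY.search(line)
        if frame:
            chain.append(frame.group(1))
        else:
            flush()  # a bare "==pid==" line or a new header ends the record
            if total:
                summary = tuple(int(n.replace(",", "")) for n in total.groups())
    flush()
    return groups, summary

# Constructed sample: three records in the report's format, placeholder path.
SAMPLE = """\
==28860== Conditional jump or move depends on uninitialised value(s)
==28860==    at 0x70CF27: mem_true24_copy_mono (in
/path/to/gs)
==28860==    by 0x6E5058: copy_portrait (in /path/to/gs)
==28860==
==28860== Conditional jump or move depends on uninitialised value(s)
==28860==    at 0x6C0AE3: memflip8x8 (in
/path/to/gs)
==28860==    by 0x6E53DD: copy_landscape (in /path/to/gs)
Page 2
==28860==
==28860== Conditional jump or move depends on uninitialised value(s)
==28860==    at 0x6C0BB2: memflip8x8 (in /path/to/gs)
==28860==    by 0x6E53DD: copy_landscape (in /path/to/gs)
==28860==
==28860== ERROR SUMMARY: 2649 errors from 8 contexts (suppressed: 8 from 1)
"""
```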