Bug 692533 - Regression: seg fault with Bug690676.pdf and psdcmyk output
Status: RESOLVED FIXED
Alias: None
Product: Ghostscript
Classification: Unclassified
Component: General
Version: master
Hardware: PC All
Importance: P1 normal
Assignee: Alex Cherepanov
Reported: 2011-09-22 20:44 UTC by Marcos H. Woehrmann
Modified: 2011-10-29 03:25 UTC
Description Marcos H. Woehrmann 2011-09-22 20:44:06 UTC
The following command line seg faults with master (65092efad87):

  bin/gs -sDEVICE=psdcmyk -o test.psd ./Bug690676.pdf
Comment 1 Marcos H. Woehrmann 2011-09-22 20:48:48 UTC
Program received signal SIGSEGV, Segmentation fault.
0x0000000000595f58 in ialloc_validate_object (ptr=0x131700001b8b, cp=0x0, gcst=0x7fffffffc990) at ./psi/ilocate.c:523
523	    ulong size = pre_obj_contents_size(pre);
(gdb) where
#0  0x0000000000595f58 in ialloc_validate_object (ptr=0x131700001b8b, cp=0x0, gcst=0x7fffffffc990) at ./psi/ilocate.c:523
#1  0x00000000005958b4 in ialloc_validate_chunk (cp=0x2846a10, gcst=0x7fffffffc990) at ./psi/ilocate.c:335
#2  0x000000000059549f in ialloc_validate_memory (mem=0x17fe938, gcst=0x7fffffffc990) at ./psi/ilocate.c:248
#3  0x000000000058ecb2 in gc_validate_spaces (spaces=0x7fffffffca00, max_space=5, gcst=0x7fffffffc990) at ./psi/igc.c:145
#4  0x000000000058fffa in gs_gc_reclaim (pspaces=0x183d248, global=0) at ./psi/igc.c:551
#5  0x000000000065bc90 in context_reclaim (pspaces=0x183d248, global=0) at ./psi/zcontext.c:278
#6  0x0000000000544f86 in gs_vmreclaim (dmem=0x183d240, global=0) at ./psi/ireclaim.c:153
#7  0x0000000000544cd6 in ireclaim (dmem=0x183d240, space=-1) at ./psi/ireclaim.c:75
#8  0x000000000053e290 in interp_reclaim (pi_ctx_p=0x17fe3e8, space=-1) at ./psi/interp.c:421
#9  0x00000000005418a2 in interp (pi_ctx_p=0x17fe3e8, pref=0x7fffffffdb00, perror_object=0x7fffffffdd70) at ./psi/interp.c:1691
#10 0x000000000053e51c in gs_call_interp (pi_ctx_p=0x17fe3e8, pref=0x7fffffffdc70, user_errors=1, pexit_code=0x7fffffffdd8c, perror_object=0x7fffffffdd70) at ./psi/interp.c:490
#11 0x000000000053e338 in gs_interpret (pi_ctx_p=0x17fe3e8, pref=0x7fffffffdc70, user_errors=1, pexit_code=0x7fffffffdd8c, perror_object=0x7fffffffdd70) at ./psi/interp.c:448
#12 0x0000000000531681 in gs_main_interpret (minst=0x17fe350, pref=0x7fffffffdc70, user_errors=1, pexit_code=0x7fffffffdd8c, perror_object=0x7fffffffdd70) at ./psi/imain.c:239
#13 0x0000000000532460 in gs_main_run_string_end (minst=0x17fe350, user_errors=1, pexit_code=0x7fffffffdd8c, perror_object=0x7fffffffdd70) at ./psi/imain.c:591
#14 0x0000000000532311 in gs_main_run_string_with_length (minst=0x17fe350, str=0x2848820 "<2f686f6d652f6d6172636f732f617274696665782f72656772657373696f6e2f4275673639303637362e706466>.runfile", length=100, 
    user_errors=1, pexit_code=0x7fffffffdd8c, perror_object=0x7fffffffdd70) at ./psi/imain.c:549
#15 0x0000000000532276 in gs_main_run_string (minst=0x17fe350, str=0x2848820 "<2f686f6d652f6d6172636f732f617274696665782f72656772657373696f6e2f4275673639303637362e706466>.runfile", user_errors=1, 
    pexit_code=0x7fffffffdd8c, perror_object=0x7fffffffdd70) at ./psi/imain.c:531
#16 0x0000000000535570 in run_string (minst=0x17fe350, str=0x2848820 "<2f686f6d652f6d6172636f732f617274696665782f72656772657373696f6e2f4275673639303637362e706466>.runfile", options=3) at ./psi/imainarg.c:822
#17 0x0000000000535515 in runarg (minst=0x17fe350, pre=0xa505fb "", arg=0x1845020 "/home/marcos/artifex/regression/Bug690676.pdf", post=0xa506fd ".runfile", options=3) at ./psi/imainarg.c:813
#18 0x000000000053517a in argproc (minst=0x17fe350, arg=0x7fffffffec6e "/home/marcos/artifex/regression/Bug690676.pdf") at ./psi/imainarg.c:746
#19 0x0000000000533941 in gs_main_init_with_args (minst=0x17fe350, argc=5, argv=0x7fffffffe9a8) at ./psi/imainarg.c:221
#20 0x0000000000466d13 in main (argc=5, argv=0x7fffffffe9a8) at ./psi/gs.c:94
(gdb)
Comment 2 Marcos H. Woehrmann 2011-09-22 20:57:30 UTC
marcos@amd64:[14]% valgrind debugbin/gs -sDEVICE=psdcmyk -o test.psd ~/artifex/regression/Bug690676.pdf
==29771== Memcheck, a memory error detector
==29771== Copyright (C) 2002-2009, and GNU GPL'd, by Julian Seward et al.
==29771== Using Valgrind-3.6.0.SVN-Debian and LibVEX; rerun with -h for copyright info
==29771== Command: debugbin/gs -sDEVICE=psdcmyk -o test.psd /home/marcos/artifex/regression/Bug690676.pdf
==29771== 
GPL Ghostscript GIT PRERELEASE 9.05 (2011-03-30)
Copyright (C) 2010 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
==29771== Conditional jump or move depends on uninitialised value(s)
==29771==    at 0x5915D8: ptr_struct_mark (igc.c:1071)
==29771==    by 0x590DB0: gc_trace (igc.c:861)
==29771==    by 0x58F364: gs_gc_reclaim (igc.c:328)
==29771==    by 0x65BC8F: context_reclaim (zcontext.c:278)
==29771==    by 0x544F85: gs_vmreclaim (ireclaim.c:153)
==29771==    by 0x544CD5: ireclaim (ireclaim.c:75)
==29771==    by 0x53E28F: interp_reclaim (interp.c:421)
==29771==    by 0x5418A1: interp (interp.c:1691)
==29771==    by 0x53E51B: gs_call_interp (interp.c:490)
==29771==    by 0x53E337: gs_interpret (interp.c:448)
==29771==    by 0x531680: gs_main_interpret (imain.c:239)
==29771==    by 0x532209: gs_run_init_file (imain.c:522)
==29771== 
==29771== Conditional jump or move depends on uninitialised value(s)
==29771==    at 0x5915D8: ptr_struct_mark (igc.c:1071)
==29771==    by 0x590DB0: gc_trace (igc.c:861)
==29771==    by 0x5909CE: gc_trace_chunk (igc.c:757)
==29771==    by 0x58F3EF: gs_gc_reclaim (igc.c:337)
==29771==    by 0x65BC8F: context_reclaim (zcontext.c:278)
==29771==    by 0x544F85: gs_vmreclaim (ireclaim.c:153)
==29771==    by 0x544CD5: ireclaim (ireclaim.c:75)
==29771==    by 0x53E28F: interp_reclaim (interp.c:421)
==29771==    by 0x5418A1: interp (interp.c:1691)
==29771==    by 0x53E51B: gs_call_interp (interp.c:490)
==29771==    by 0x53E337: gs_interpret (interp.c:448)
==29771==    by 0x531680: gs_main_interpret (imain.c:239)
==29771== 
==29771== Conditional jump or move depends on uninitialised value(s)
==29771==    at 0x590935: gc_trace_chunk (igc.c:746)
==29771==    by 0x58F3EF: gs_gc_reclaim (igc.c:337)
==29771==    by 0x65BC8F: context_reclaim (zcontext.c:278)
==29771==    by 0x544F85: gs_vmreclaim (ireclaim.c:153)
==29771==    by 0x544CD5: ireclaim (ireclaim.c:75)
==29771==    by 0x53E28F: interp_reclaim (interp.c:421)
==29771==    by 0x5418A1: interp (interp.c:1691)
==29771==    by 0x53E51B: gs_call_interp (interp.c:490)
==29771==    by 0x53E337: gs_interpret (interp.c:448)
==29771==    by 0x531680: gs_main_interpret (imain.c:239)
==29771==    by 0x532209: gs_run_init_file (imain.c:522)
==29771==    by 0x53177C: gs_main_init2 (imain.c:274)
==29771== 
==29771== Conditional jump or move depends on uninitialised value(s)
==29771==    at 0x590947: gc_trace_chunk (igc.c:747)
==29771==    by 0x58F3EF: gs_gc_reclaim (igc.c:337)
==29771==    by 0x65BC8F: context_reclaim (zcontext.c:278)
==29771==    by 0x544F85: gs_vmreclaim (ireclaim.c:153)
==29771==    by 0x544CD5: ireclaim (ireclaim.c:75)
==29771==    by 0x53E28F: interp_reclaim (interp.c:421)
==29771==    by 0x5418A1: interp (interp.c:1691)
==29771==    by 0x53E51B: gs_call_interp (interp.c:490)
==29771==    by 0x53E337: gs_interpret (interp.c:448)
==29771==    by 0x531680: gs_main_interpret (imain.c:239)
==29771==    by 0x532209: gs_run_init_file (imain.c:522)
==29771==    by 0x53177C: gs_main_init2 (imain.c:274)
==29771== 
==29771== Conditional jump or move depends on uninitialised value(s)
==29771==    at 0x590E3E: gc_trace (igc.c:876)
==29771==    by 0x5909CE: gc_trace_chunk (igc.c:757)
==29771==    by 0x58F3EF: gs_gc_reclaim (igc.c:337)
==29771==    by 0x65BC8F: context_reclaim (zcontext.c:278)
==29771==    by 0x544F85: gs_vmreclaim (ireclaim.c:153)
==29771==    by 0x544CD5: ireclaim (ireclaim.c:75)
==29771==    by 0x53E28F: interp_reclaim (interp.c:421)
==29771==    by 0x5418A1: interp (interp.c:1691)
==29771==    by 0x53E51B: gs_call_interp (interp.c:490)
==29771==    by 0x53E337: gs_interpret (interp.c:448)
==29771==    by 0x531680: gs_main_interpret (imain.c:239)
==29771==    by 0x532209: gs_run_init_file (imain.c:522)
==29771== 
Processing pages 1 through 1.
Page 1
==29771== Syscall param write(buf) points to uninitialised byte(s)
==29771==    at 0x757151D: ??? (syscall-template.S:82)
==29771==    by 0x750C132: _IO_file_write@@GLIBC_2.2.5 (fileops.c:1276)
==29771==    by 0x750BFDC: _IO_file_xsputn@@GLIBC_2.2.5 (fileops.c:530)
==29771==    by 0x7501FBC: fwrite (iofwrite.c:45)
==29771==    by 0x78ABD9: clist_fwrite_chars (gxclfile.c:68)
==29771==    by 0x770FB2: cmd_write_band (gxclutil.c:165)
==29771==    by 0x771308: cmd_write_buffer (gxclutil.c:252)
==29771==    by 0x771961: cmd_put_range_op (gxclutil.c:375)
==29771==    by 0x77D40F: clist_create_compositor (gxclimag.c:1047)
==29771==    by 0x609ACA: pdf14_clist_update_params (gdevp14.c:6551)
==29771==    by 0x609374: pdf14_clist_create_compositor (gdevp14.c:6372)
==29771==    by 0x607345: send_pdf14trans (gdevp14.c:5496)
==29771==  Address 0xf445c12 is 646,098 bytes inside a block of size 4,000,048 alloc'd
==29771==    at 0x4C274A8: malloc (vg_replace_malloc.c:236)
==29771==    by 0x98E487: gs_heap_alloc_bytes (gsmalloc.c:181)
==29771==    by 0x7536DD: gdev_prn_setup_as_command_list (gdevprn.c:129)
==29771==    by 0x7540EE: gdev_prn_allocate (gdevprn.c:356)
==29771==    by 0x754542: gdev_prn_allocate_memory (gdevprn.c:442)
==29771==    by 0x753598: gdev_prn_open (gdevprn.c:76)
==29771==    by 0x86A596: psd_prn_open (gdevpsd.c:340)
==29771==    by 0x9719EB: gs_opendevice (gsdevice.c:373)
==29771==    by 0x971D5C: gs_setdevice_no_erase (gsdevice.c:489)
==29771==    by 0x586B7D: zputdeviceparams (zdevice.c:432)
==29771==    by 0x53DD70: do_call_operator (interp.c:84)
==29771==    by 0x541161: interp (interp.c:1539)
==29771== 
==29771== Syscall param write(buf) points to uninitialised byte(s)
==29771==    at 0x757151D: ??? (syscall-template.S:82)
==29771==    by 0x750C132: _IO_file_write@@GLIBC_2.2.5 (fileops.c:1276)
==29771==    by 0x750D784: _IO_do_write@@GLIBC_2.2.5 (fileops.c:530)
==29771==    by 0x750BD9D: _IO_file_xsputn@@GLIBC_2.2.5 (fileops.c:1358)
==29771==    by 0x7501FBC: fwrite (iofwrite.c:45)
==29771==    by 0x78ABD9: clist_fwrite_chars (gxclfile.c:68)
==29771==    by 0x770FB2: cmd_write_band (gxclutil.c:165)
==29771==    by 0x771308: cmd_write_buffer (gxclutil.c:252)
==29771==    by 0x771961: cmd_put_range_op (gxclutil.c:375)
==29771==    by 0x77D40F: clist_create_compositor (gxclimag.c:1047)
==29771==    by 0x609ACA: pdf14_clist_update_params (gdevp14.c:6551)
==29771==    by 0x609374: pdf14_clist_create_compositor (gdevp14.c:6372)
==29771==  Address 0x4024272 is not stack'd, malloc'd or (recently) free'd
==29771== 
==29771== Invalid read of size 1
==29771==    at 0x4C28B79: strncmp (mc_replace_strmem.c:398)
==29771==    by 0x60C480: check_pcm_and_separation_names (gdevdevn.c:180)
==29771==    by 0x60B55F: pdf14_cmykspot_get_color_comp_index (gdevp14.c:7240)
==29771==    by 0x5BC9C0: check_Separation_component_name (gscsepr.c:449)
==29771==    by 0x5BBE8F: gx_install_Separation (gscsepr.c:119)
==29771==    by 0x520DD2: gs_setcolorspace_only (gscolor2.c:44)
==29771==    by 0x520E85: gs_setcolorspace (gscolor2.c:62)
==29771==    by 0x57BAB6: setseparationspace (zcolor.c:3464)
==29771==    by 0x58387A: setcolorspace_cont (zcolor.c:6033)
==29771==    by 0x53DD70: do_call_operator (interp.c:84)
==29771==    by 0x5401F4: interp (interp.c:1163)
==29771==    by 0x53E51B: gs_call_interp (interp.c:490)
==29771==  Address 0xdb962d8 is 10,856 bytes inside a block of size 20,048 free'd
==29771==    at 0x4C270BD: free (vg_replace_malloc.c:366)
==29771==    by 0x98EB8D: gs_heap_free_object (gsmalloc.c:345)
==29771==    by 0x9637F5: alloc_free_chunk (gsalloc.c:1910)
==29771==    by 0x95FAD5: i_free_all (gsalloc.c:416)
==29771==    by 0x59988D: restore_free (isave.c:970)
==29771==    by 0x5993A3: restore_space (isave.c:834)
==29771==    by 0x5991D4: alloc_restore_step_in (isave.c:771)
==29771==    by 0x56BF53: zrestore (zvmem.c:155)
==29771==    by 0x51B7AB: z2restore (zdevice2.c:319)
==29771==    by 0x53DD70: do_call_operator (interp.c:84)
==29771==    by 0x541161: interp (interp.c:1539)
==29771==    by 0x53E51B: gs_call_interp (interp.c:490)
==29771== 
==29771== Invalid read of size 1
==29771==    at 0x4C28B95: strncmp (mc_replace_strmem.c:398)
==29771==    by 0x60C480: check_pcm_and_separation_names (gdevdevn.c:180)
==29771==    by 0x60B55F: pdf14_cmykspot_get_color_comp_index (gdevp14.c:7240)
==29771==    by 0x5BC9C0: check_Separation_component_name (gscsepr.c:449)
==29771==    by 0x5BBE8F: gx_install_Separation (gscsepr.c:119)
==29771==    by 0x520DD2: gs_setcolorspace_only (gscolor2.c:44)
==29771==    by 0x520E85: gs_setcolorspace (gscolor2.c:62)
==29771==    by 0x57BAB6: setseparationspace (zcolor.c:3464)
==29771==    by 0x58387A: setcolorspace_cont (zcolor.c:6033)
==29771==    by 0x53DD70: do_call_operator (interp.c:84)
==29771==    by 0x5401F4: interp (interp.c:1163)
==29771==    by 0x53E51B: gs_call_interp (interp.c:490)
==29771==  Address 0xdb962d8 is 10,856 bytes inside a block of size 20,048 free'd
==29771==    at 0x4C270BD: free (vg_replace_malloc.c:366)
==29771==    by 0x98EB8D: gs_heap_free_object (gsmalloc.c:345)
==29771==    by 0x9637F5: alloc_free_chunk (gsalloc.c:1910)
==29771==    by 0x95FAD5: i_free_all (gsalloc.c:416)
==29771==    by 0x59988D: restore_free (isave.c:970)
==29771==    by 0x5993A3: restore_space (isave.c:834)
==29771==    by 0x5991D4: alloc_restore_step_in (isave.c:771)
==29771==    by 0x56BF53: zrestore (zvmem.c:155)
==29771==    by 0x51B7AB: z2restore (zdevice2.c:319)
==29771==    by 0x53DD70: do_call_operator (interp.c:84)
==29771==    by 0x541161: interp (interp.c:1539)
==29771==    by 0x53E51B: gs_call_interp (interp.c:490)
==29771== 
==29771== Invalid read of size 1
==29771==    at 0x4C28BAD: strncmp (mc_replace_strmem.c:398)
==29771==    by 0x60C480: check_pcm_and_separation_names (gdevdevn.c:180)
==29771==    by 0x60B55F: pdf14_cmykspot_get_color_comp_index (gdevp14.c:7240)
==29771==    by 0x5BC9C0: check_Separation_component_name (gscsepr.c:449)
==29771==    by 0x5BBE8F: gx_install_Separation (gscsepr.c:119)
==29771==    by 0x520DD2: gs_setcolorspace_only (gscolor2.c:44)
==29771==    by 0x520E85: gs_setcolorspace (gscolor2.c:62)
==29771==    by 0x57BAB6: setseparationspace (zcolor.c:3464)
==29771==    by 0x58387A: setcolorspace_cont (zcolor.c:6033)
==29771==    by 0x53DD70: do_call_operator (interp.c:84)
==29771==    by 0x5401F4: interp (interp.c:1163)
==29771==    by 0x53E51B: gs_call_interp (interp.c:490)
==29771==  Address 0xdb962d9 is 10,857 bytes inside a block of size 20,048 free'd
==29771==    at 0x4C270BD: free (vg_replace_malloc.c:366)
==29771==    by 0x98EB8D: gs_heap_free_object (gsmalloc.c:345)
==29771==    by 0x9637F5: alloc_free_chunk (gsalloc.c:1910)
==29771==    by 0x95FAD5: i_free_all (gsalloc.c:416)
==29771==    by 0x59988D: restore_free (isave.c:970)
==29771==    by 0x5993A3: restore_space (isave.c:834)
==29771==    by 0x5991D4: alloc_restore_step_in (isave.c:771)
==29771==    by 0x56BF53: zrestore (zvmem.c:155)
==29771==    by 0x51B7AB: z2restore (zdevice2.c:319)
==29771==    by 0x53DD70: do_call_operator (interp.c:84)
==29771==    by 0x541161: interp (interp.c:1539)
==29771==    by 0x53E51B: gs_call_interp (interp.c:490)
==29771== 
==29771== Invalid read of size 1
==29771==    at 0x4C28BBB: strncmp (mc_replace_strmem.c:398)
==29771==    by 0x60C480: check_pcm_and_separation_names (gdevdevn.c:180)
==29771==    by 0x60B55F: pdf14_cmykspot_get_color_comp_index (gdevp14.c:7240)
==29771==    by 0x5BC9C0: check_Separation_component_name (gscsepr.c:449)
==29771==    by 0x5BBE8F: gx_install_Separation (gscsepr.c:119)
==29771==    by 0x520DD2: gs_setcolorspace_only (gscolor2.c:44)
==29771==    by 0x520E85: gs_setcolorspace (gscolor2.c:62)
==29771==    by 0x57BAB6: setseparationspace (zcolor.c:3464)
==29771==    by 0x58387A: setcolorspace_cont (zcolor.c:6033)
==29771==    by 0x53DD70: do_call_operator (interp.c:84)
==29771==    by 0x5401F4: interp (interp.c:1163)
==29771==    by 0x53E51B: gs_call_interp (interp.c:490)
==29771==  Address 0xdb962d9 is 10,857 bytes inside a block of size 20,048 free'd
==29771==    at 0x4C270BD: free (vg_replace_malloc.c:366)
==29771==    by 0x98EB8D: gs_heap_free_object (gsmalloc.c:345)
==29771==    by 0x9637F5: alloc_free_chunk (gsalloc.c:1910)
==29771==    by 0x95FAD5: i_free_all (gsalloc.c:416)
==29771==    by 0x59988D: restore_free (isave.c:970)
==29771==    by 0x5993A3: restore_space (isave.c:834)
==29771==    by 0x5991D4: alloc_restore_step_in (isave.c:771)
==29771==    by 0x56BF53: zrestore (zvmem.c:155)
==29771==    by 0x51B7AB: z2restore (zdevice2.c:319)
==29771==    by 0x53DD70: do_call_operator (interp.c:84)
==29771==    by 0x541161: interp (interp.c:1539)
==29771==    by 0x53E51B: gs_call_interp (interp.c:490)
==29771== 
=
Comment 3 Marcos H. Woehrmann 2011-09-22 21:04:31 UTC
Starting program: /home/marcos/artifex/ghostpdl/gs/debugbin/gs -sDEVICE=psdcmyk -o test.psd ~/artifex/regression/Bug690676.pdf
[Thread debugging using libthread_db enabled]
GPL Ghostscript GIT PRERELEASE 9.05 (2011-03-30)
Copyright (C) 2010 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
Attempt to free block 0x0x290a098(size=-1465341784,num=-1482184793) not on allocated list!

Breakpoint 1, Memento_breakpoint () at ./base/memento.c:130
130	}
(gdb) where
#0  Memento_breakpoint () at ./base/memento.c:130
#1  0x000000000098fc57 in checkBlock (memblk=0x290a098, action=0xca2b79 "free") at ./base/memento.c:651
#2  0x000000000098fd6e in Memento_free (blk=0x290a0c0) at ./base/memento.c:685
#3  0x0000000000467055 in gp_defaultpapersize (ptr=0x0, plen=0x7fffffffc81c) at ./base/gp_upapr.c:60
#4  0x0000000000565e47 in zdefaultpapersize (i_ctx_p=0x185e9f0) at ./psi/zmisc.c:249
#5  0x000000000053ded1 in do_call_operator (op_proc=0x565e13 <zdefaultpapersize>, i_ctx_p=0x185e9f0) at ./psi/interp.c:84
#6  0x0000000000540355 in interp (pi_ctx_p=0x18094f0, pref=0x7fffffffd640, perror_object=0x7fffffffdd70) at ./psi/interp.c:1163
#7  0x000000000053e67c in gs_call_interp (pi_ctx_p=0x18094f0, pref=0x7fffffffd7c0, user_errors=1, pexit_code=0x7fffffffdd94, perror_object=0x7fffffffdd70) at ./psi/interp.c:490
#8  0x000000000053e498 in gs_interpret (pi_ctx_p=0x18094f0, pref=0x7fffffffd7c0, user_errors=1, pexit_code=0x7fffffffdd94, perror_object=0x7fffffffdd70) at ./psi/interp.c:448
#9  0x00000000005317e1 in gs_main_interpret (minst=0x1809458, pref=0x7fffffffd7c0, user_errors=1, pexit_code=0x7fffffffdd94, perror_object=0x7fffffffdd70) at ./psi/imain.c:239
#10 0x000000000053236a in gs_run_init_file (minst=0x1809458, pexit_code=0x7fffffffdd94, perror_object=0x7fffffffdd70) at ./psi/imain.c:522
#11 0x00000000005318dd in gs_main_init2 (minst=0x1809458) at ./psi/imain.c:274
#12 0x0000000000535588 in runarg (minst=0x1809458, pre=0xa51d3b "", arg=0x184b698 "/home/marcos/artifex/regression/Bug690676.pdf", post=0xa51e3d ".runfile", options=3) at ./psi/imainarg.c:799
#13 0x00000000005352da in argproc (minst=0x1809458, arg=0x7fffffffec6e "/home/marcos/artifex/regression/Bug690676.pdf") at ./psi/imainarg.c:746
#14 0x0000000000533aa1 in gs_main_init_with_args (minst=0x1809458, argc=5, argv=0x7fffffffe9a8) at ./psi/imainarg.c:221
#15 0x0000000000466e73 in main (argc=5, argv=0x7fffffffe9a8) at ./psi/gs.c:94
(gdb)
Comment 4 Marcos H. Woehrmann 2011-09-23 02:59:04 UTC
This appears to have started with b3ee2cd07fc:

Bug 692352: excessive memory use by shading
Comment 5 Robin Watts 2011-09-23 14:45:57 UTC
The Memento-detected error appears to be that we are trying to free a buffer returned from systempapername(), and are being told that it's not a malloced buffer. This may well be unrelated to the real cause of the bug.

Anyone with libpaper knowledge know if this is a reasonable thing to do?
Comment 6 Chris Liddell (chrisl) 2011-09-23 14:51:22 UTC
That's correct. libpaper malloc's its own memory from the system malloc, but then relies on the calling application to free it - it's pretty poor, IMHO.

I'd like to get in touch with the libpaper devs about it, but so far haven't managed.
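
The allocator mismatch discussed in Comments 5 and 6, as an added example that is not part of the original thread and is not Ghostscript, Memento or libpaper code: a minimal tracking allocator rejects a pointer that came from the system malloc, next to the matched release. `tracked_malloc`, `tracked_free` and `lib_paper_name` are hypothetical names, and "a4" is a constructed sample value.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not Ghostscript/Memento/libpaper code): per-block header. */
typedef union blk_hdr { union blk_hdr *next; long double align; } blk_hdr;
static blk_hdr *allocated_list = NULL;

void *tracked_malloc(size_t size)
{
    blk_hdr *h = malloc(sizeof(*h) + size);
    if (h == NULL) return NULL;
    h->next = allocated_list;
    allocated_list = h;
    return h + 1;                 /* caller sees the bytes after the header */
}

/* 0 on success, -1 if ptr never came from tracked_malloc(); compares addresses only. */
int tracked_free(void *ptr)
{
    if (ptr == NULL) return 0;
    for (blk_hdr **pp = &allocated_list; *pp != NULL; pp = &(*pp)->next) {
        blk_hdr *h = *pp;
        if ((void *)(h + 1) != ptr) continue;
        *pp = h->next;            /* unlink, then hand the real block back */
        free(h);
        return 0;
    }
    fprintf(stderr, "attempt to free block %p not on allocated list\n", ptr);
    return -1;
}

/* Hypothetical library call: system-malloc'd string the caller must free (Comment 6). */
char *lib_paper_name(void)
{
    char *out = malloc(3);
    if (out != NULL) strcpy(out, "a4");   /* constructed sample value */
    return out;
}

/* Mismatched release: library buffer handed to the tracking allocator. */
int release_mismatched(void)
{
    char *name = lib_paper_name();
    int rc = (name == NULL) ? -2 : tracked_free(name);  /* -1: not our block */
    free(name);                                         /* matching release */
    return rc;
}

/* Matched release: copy into tracked memory, give the original to free(). */
int release_matched(void)
{
    char *name = lib_paper_name();
    char *copy = (name == NULL) ? NULL : tracked_malloc(strlen(name) + 1);
    int rc = -2;
    if (copy != NULL) rc = (strcmp(strcpy(copy, name), "a4") == 0) ? 0 : -1;
    free(name);                   /* system free for a system-malloc'd buffer */
    return (copy != NULL && tracked_free(copy) != 0) ? -1 : rc;
}

int main(void)
{
    return printf("mismatched=%d matched=%d\n", release_mismatched(), release_matched()) < 0;
}
```

The lookup walks the allocator's own list rather than reading a header in front of the foreign pointer; the implausible size and num values in the Comment 3 message are what an arbitrary pointer looks like when it is interpreted as a block header.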
Comment 7 Alex Cherepanov 2011-10-29 03:25:33 UTC
This bug seems to be fixed.
Current version works just fine.