Bug 693612 - Indeterministic seg fault with 32 bit build
Summary: Indeterministic seg fault with 32 bit build
Status: RESOLVED FIXED
Alias: None
Product: Ghostscript
Classification: Unclassified
Component: General
Version: master
Hardware: PC All
Importance: P1 normal
Assignee: Chris Liddell (chrisl)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-02-04 04:11 UTC by Marcos H. Woehrmann
Modified: 2013-03-19 10:03 UTC

See Also:
Customer:
Word Size: 32


Attachments

Description Marcos H. Woehrmann 2013-02-04 04:11:00 UTC
With the 32 bit build of Ghostscript the following command seg faults:

  bin/gs -o test.pgm -dMaxBitmap=400000000 -sDEVICE=pgmraw -r300 ./Bug692368.pdf

This appears to be indeterministic: looking through the logs, the segfault has come and gone with various commits.

Bisecting shows the last time the seg fault didn't happen was with the commit before:

commit 2740bef445c51680d831ec40753436291f01760a
Author: Alex Cherepanov <alex.cherepanov@artifex.com>
Date:   Thu Aug 23 02:10:20 2012 -0400

    Bug 693268: reinstate big references.
    
    To make big references compatible with 8-byte alignment on 32-bit Windows
    force ref structure to take 16 bytes by adding a dummy uint64_t member
    to the union.
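The commit message above describes widening the PostScript `ref` by adding a dummy `uint64_t` to its value union. The following is an added illustration, not Ghostscript code, of what that does to a 32-bit-style struct layout and why the result depends on the platform ABI: the type names (`ref_narrow`, `ref_wide`) and the helper `refs_in_object` are invented for the example, and pointers are modelled as `uint32_t` so the layout is the 32-bit one on any host. The size check in `refs_in_object` is the kind of consistency test a collector that walks an object ref-by-ref wants before trusting the contents size; it is not the check Ghostscript's `do_validate_object` performs.

```c
/* Added example (not Ghostscript code): a simplified model of the
 * "big reference" change.  A 32-bit style ref holds a 4-byte tag word and a
 * 4-byte value union; adding a dummy uint64_t widens the union to 8 bytes
 * and, on ABIs that align 64-bit integers to 8 bytes (Win32, x86-64), pads
 * the struct out to 16 bytes.  On the i386 System V ABI a uint64_t inside a
 * struct is only 4-byte aligned, so the same source gives a 12-byte struct.
 * All names here are invented for the illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* "Before": 4-byte tag + 4-byte union -> 8 bytes, 4-byte aligned. */
typedef struct ref_narrow_s {
    uint32_t tag;               /* type, attributes, size packed together */
    union {
        uint32_t ptr;           /* stand-in for a 32-bit pointer */
        int32_t  intval;
        float    realval;
    } value;
} ref_narrow;

/* "After": the dummy member forces the union to 8 bytes and to the ABI's
 * alignment for 64-bit integers. */
typedef struct ref_wide_s {
    uint32_t tag;
    union {
        uint32_t ptr;
        int32_t  intval;
        float    realval;
        uint64_t dummy;         /* only here to change size and alignment */
    } value;
} ref_wide;

size_t narrow_ref_size(void)    { return sizeof(ref_narrow); }
size_t wide_ref_size(void)      { return sizeof(ref_wide); }
size_t wide_value_offset(void)  { return offsetof(ref_wide, value); }

/* Number of refs in an object whose contents occupy contents_bytes, given
 * that each ref is ref_bytes wide.  Returns -1 when the size is not a whole
 * number of refs: a walker that steps through such an object ref-by-ref
 * would read past its end or start its last element in the wrong place. */
long refs_in_object(size_t contents_bytes, size_t ref_bytes)
{
    if (ref_bytes == 0 || contents_bytes % ref_bytes != 0)
        return -1;
    return (long)(contents_bytes / ref_bytes);
}

int main(void)
{
    printf("narrow ref: %zu bytes\n", narrow_ref_size());
    printf("wide ref:   %zu bytes (value union at offset %zu)\n",
           wide_ref_size(), wide_value_offset());
    /* 48 bytes of contents is 3 wide refs or 4 narrow-ish 12-byte refs;
     * 40 bytes is not a whole number of 16-byte refs at all. */
    printf("48 bytes / 16-byte refs: %ld\n", refs_in_object(48, 16));
    printf("48 bytes / 12-byte refs: %ld\n", refs_in_object(48, 12));
    printf("40 bytes / 16-byte refs: %ld\n", refs_in_object(40, 16));
    return 0;
}
```

Compiling this with `-m32` on Linux and on MSVC gives different answers for `wide_ref_size()` (12 versus 16) because the ABI alignment of `uint64_t` inside a struct differs; that is the sense in which a layout change like this can behave differently on two 32-bit platforms.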
Comment 1 Marcos H. Woehrmann 2013-02-04 04:11:26 UTC
gdb says:

Program received signal SIGSEGV, Segmentation fault.
0x081b3a68 in do_validate_object (ptr=0x80808, cp=0x0, gcst=0xffffbfa4) at ./psi/ilocate.c:578
578	    ulong size = pre_obj_contents_size(pre);
(gdb) where
#0  0x081b3a68 in do_validate_object (ptr=0x80808, cp=0x0, gcst=0xffffbfa4) at ./psi/ilocate.c:578
#1  0x081b32ec in do_validate_chunk (cp=0x93a1cb8, gcst=0xffffbfa4) at ./psi/ilocate.c:359
#2  0x081b2ca9 in ialloc_validate_memory (mem=0x9074654, gcst=0xffffbfa4) at ./psi/ilocate.c:255
#3  0x081acdfd in gc_validate_spaces (spaces=0xffffbfdc, max_space=5, gcst=0xffffbfa4) at ./psi/igc.c:151
#4  0x081ad048 in gs_gc_reclaim (pspaces=0x90bc0c4, global=1) at ./psi/igc.c:252
#5  0x08284b8e in context_reclaim (pspaces=0x90bc0c4, global=1) at ./psi/zcontext.c:280
#6  0x08166d66 in gs_vmreclaim (dmem=0x90bc0c0, global=1) at ./psi/ireclaim.c:155
#7  0x08166b55 in ireclaim (dmem=0x90bc0c0, space=-1) at ./psi/ireclaim.c:77
#8  0x08160483 in interp_reclaim (pi_ctx_p=0x9074234, space=-1) at ./psi/interp.c:432
#9  0x08163b39 in interp (pi_ctx_p=0x9074234, pref=0xffffce84, perror_object=0xffffd038) at ./psi/interp.c:1704
#10 0x08160697 in gs_call_interp (pi_ctx_p=0x9074234, pref=0xffffcf80, user_errors=1, pexit_code=0xffffd04c, 
    perror_object=0xffffd038) at ./psi/interp.c:501
#11 0x0816050f in gs_interpret (pi_ctx_p=0x9074234, pref=0xffffcf80, user_errors=1, pexit_code=0xffffd04c, 
    perror_object=0xffffd038) at ./psi/interp.c:459
#12 0x081542e2 in gs_main_interpret (minst=0x90741c8, pref=0xffffcf80, user_errors=1, pexit_code=0xffffd04c, 
    perror_object=0xffffd038) at ./psi/imain.c:235
#13 0x08154fe4 in gs_main_run_string_end (minst=0x90741c8, user_errors=1, pexit_code=0xffffd04c, 
    perror_object=0xffffd038) at ./psi/imain.c:609
#14 0x08154ed8 in gs_main_run_string_with_length (minst=0x90741c8, 
    str=0x91f9130 "<2f686f6d652f6d6172636f732f636c75737465722f74657374735f707269766174652f636f6d7061726566696c65732f4275673639323336382e706466>.runfile", length=132, user_errors=1, pexit_code=0xffffd04c, perror_object=0xffffd038)
    at ./psi/imain.c:567
#15 0x08154e46 in gs_main_run_string (minst=0x90741c8, 
    str=0x91f9130 "<2f686f6d652f6d6172636f732f636c75737465722f74657374735f707269766174652f636f6d7061726566696c65732f4275673639323336382e706466>.runfile", user_errors=1, pexit_code=0xffffd04c, perror_object=0xffffd038) at ./psi/imain.c:549
#16 0x081581be in run_string (minst=0x90741c8, 
    str=0x91f9130 "<2f686f6d652f6d6172636f732f636c75737465722f74657374735f707269766174652f636f6d7061726566696c65732f4275673639323336382e706466>.runfile", options=3) at ./psi/imainarg.c:865
#17 0x08158151 in runarg (minst=0x90741c8, pre=0x86398a3 "", 
    arg=0xffffdcb7 "/home/marcos/cluster/tests_private/comparefiles/Bug692368.pdf", post=0x86399a5 ".runfile", options=3)
    at ./psi/imainarg.c:855
#18 0x08157dbe in argproc (minst=0x90741c8, 
    arg=0xffffdcb7 "/home/marcos/cluster/tests_private/comparefiles/Bug692368.pdf") at ./psi/imainarg.c:788
#19 0x081563f9 in gs_main_init_with_args (minst=0x90741c8, argc=7, argv=0xffffdb04) at ./psi/imainarg.c:226
#20 0x080a065a in main (argc=7, argv=0xffffdb04) at ./psi/gs.c:96
(gdb)
Comment 2 Marcos H. Woehrmann 2013-02-04 04:15:03 UTC
And valgrind output:
marcos@i7:[8]% valgrind bin/gs -o test.ppm -dMaxBitmap=400000000 -sDEVICE=pgmraw -r300 ~/cluster/tests_private/comparefiles/Bug692368.pdf
==27775== Memcheck, a memory error detector
==27775== Copyright (C) 2002-2009, and GNU GPL'd, by Julian Seward et al.
==27775== Using Valgrind-3.6.0.SVN-Debian and LibVEX; rerun with -h for copyright info
==27775== Command: bin/gs -o test.ppm -dMaxBitmap=400000000 -sDEVICE=pgmraw -r300 /home/marcos/cluster/tests_private/comparefiles/Bug692368.pdf
==27775== 
GPL Ghostscript GIT PRERELEASE 9.08 (2013-01-29)
Copyright (C) 2012 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
Processing pages 1 through 1.
Page 1
==27775== Conditional jump or move depends on uninitialised value(s)
==27775==    at 0x81676F2: gs_gc_reclaim (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775==    by 0x8218485: context_reclaim (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775==    by 0x813599E: ireclaim (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775==    by 0x8131241: interp_reclaim (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775==    by 0x813281E: interp (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775==    by 0x813342D: gs_interpret (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775==    by 0x812781F: gs_main_run_string_end (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775==    by 0x8127C69: gs_main_run_string (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775==    by 0x8128984: run_string (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775==    by 0x812914B: runarg (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775==    by 0x812939F: argproc (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775==    by 0x812B03B: gs_main_init_with_args (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775== 
==27775== Conditional jump or move depends on uninitialised value(s)
==27775==    at 0x81676F7: gs_gc_reclaim (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775==    by 0x8218485: context_reclaim (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775==    by 0x813599E: ireclaim (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775==    by 0x8131241: interp_reclaim (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775==    by 0x813281E: interp (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775==    by 0x813342D: gs_interpret (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775==    by 0x812781F: gs_main_run_string_end (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775==    by 0x8127C69: gs_main_run_string (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775==    by 0x8128984: run_string (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775==    by 0x812914B: runarg (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775==    by 0x812939F: argproc (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775==    by 0x812B03B: gs_main_init_with_args (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775== 
==27775== Conditional jump or move depends on uninitialised value(s)
==27775==    at 0x8166FB0: gc_trace (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775==    by 0x8167746: gs_gc_reclaim (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775==    by 0x8218485: context_reclaim (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775==    by 0x813599E: ireclaim (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775==    by 0x8131241: interp_reclaim (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775==    by 0x813281E: interp (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775==    by 0x813342D: gs_interpret (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775==    by 0x812781F: gs_main_run_string_end (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775==    by 0x8127C69: gs_main_run_string (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775==    by 0x8128984: run_string (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775==    by 0x812914B: runarg (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775==    by 0x812939F: argproc (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775== 
==27775== Conditional jump or move depends on uninitialised value(s)
==27775==    at 0x8166FB0: gc_trace (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775==    by 0x8167633: gs_gc_reclaim (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775==    by 0x8218485: context_reclaim (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775==    by 0x813599E: ireclaim (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775==    by 0x8131241: interp_reclaim (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775==    by 0x813281E: interp (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775==    by 0x813342D: gs_interpret (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775==    by 0x812781F: gs_main_run_string_end (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775==    by 0x8127C69: gs_main_run_string (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775==    by 0x8128984: run_string (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775==    by 0x812914B: runarg (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775==    by 0x812939F: argproc (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775== 
==27775== Invalid read of size 4
==27775==    at 0x83EB782: i_free_object (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775==    by 0x840F16C: gstate_free_parts (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775==    by 0x840F93A: gstate_free_contents (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775==    by 0x840FA00: gs_grestore_only (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775==    by 0x840FABB: gs_grestore (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775==    by 0x813286A: interp (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775==    by 0x813342D: gs_interpret (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775==    by 0x812781F: gs_main_run_string_end (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775==    by 0x8127C69: gs_main_run_string (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775==    by 0x8128984: run_string (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775==    by 0x812914B: runarg (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775==    by 0x812939F: argproc (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775==  Address 0x18 is not stack'd, malloc'd or (recently) free'd
==27775== 
==27775== 
==27775== Process terminating with default action of signal 11 (SIGSEGV)
==27775==  Access not within mapped region at address 0x18
==27775==    at 0x83EB782: i_free_object (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775==    by 0x840F16C: gstate_free_parts (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775==    by 0x840F93A: gstate_free_contents (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775==    by 0x840FA00: gs_grestore_only (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775==    by 0x840FABB: gs_grestore (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775==    by 0x813286A: interp (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775==    by 0x813342D: gs_interpret (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775==    by 0x812781F: gs_main_run_string_end (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775==    by 0x8127C69: gs_main_run_string (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775==    by 0x8128984: run_string (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775==    by 0x812914B: runarg (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775==    by 0x812939F: argproc (in /home/marcos/artifex/ghostpdl32/gs/bin/gs)
==27775==  If you believe this happened as a result of a stack
==27775==  overflow in your program's main thread (unlikely but
==27775==  possible), you can try to increase the size of the
==27775==  main thread stack using the --main-stacksize= flag.
==27775==  The main thread stack size used in this run was 8388608.
==27775== 
==27775== HEAP SUMMARY:
==27775==     in use at exit: 250,330,829 bytes in 1,124 blocks
==27775==   total heap usage: 6,692 allocs, 5,568 frees, 932,897,602 bytes allocated
==27775== 
==27775== LEAK SUMMARY:
==27775==    definitely lost: 0 bytes in 0 blocks
==27775==    indirectly lost: 0 bytes in 0 blocks
==27775==      possibly lost: 250,314,009 bytes in 1,119 blocks
==27775==    still reachable: 16,820 bytes in 5 blocks
==27775==         suppressed: 0 bytes in 0 blocks
==27775== Rerun with --leak-check=full to see details of leaked memory
==27775== 
==27775== For counts of detected and suppressed errors, rerun with: -v
==27775== Use --track-origins=yes to see where uninitialised values come from
==27775== ERROR SUMMARY: 798 errors from 5 contexts (suppressed: 84 from 9)
Segmentation fault
Exit 139
marcos@i7:[9]%
Comment 3 Marcos H. Woehrmann 2013-02-04 04:18:37 UTC
I'm assigning this to Ray, since it feels like a clist issue.
Comment 4 Ray Johnston 2013-02-04 18:01:39 UTC
I am not sure why you think this is a clist issue. This use of -dMaxBitmap=400m
makes this use page buffer mode (I verified on Windows using -Z: on a debug
build that shows nbands if in clist mode). BTW, this does not segfault on
Windows 32-bit.

The SEGV is during gc (which NEVER happens during clist playback), and the
valgrind "gripes" are mainly in the gc as well.

This seems like it should be Alex's since the "reinstate big references"
probably is at fault (based on the bisect). If you agree, please assign to
Alex.
Comment 5 Chris Liddell (chrisl) 2013-03-19 10:03:05 UTC
I believe this is fixed by:

http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0ce37163

But as it's a memory problem, and that commit will have resulted in a slightly different memory layout, I can't be absolutely sure. This file does exercise the same area of the code, so it is likely to be the same issue.

If it reappears, reopen.