Bug 689698

Summary: scan_token symbol might collide with other libraries
Product: Ghostscript Reporter: Diego Pettenò <flameeyes>
Component: GeneralAssignee: Robin Watts <robin.watts>
Status: RESOLVED FIXED    
Severity: normal CC: henry.stiles, htl10, robin.watts, twaugh
Priority: P4    
Version: 0.00   
Hardware: Other   
OS: Linux   
Customer: Word Size: ---
Attachments: patch
patch

Description Diego Pettenò 2008-02-10 11:41:41 UTC
The scan_token symbol, present in libgs.so.8.61, might collide with libXfont 
or libt1, both of which export a symbol by that name, but, as far as I can 
see, with a totally different meaning:

Symbol scan_token@@ (64-bit UNIX System V ABI AMD x86-64 architecture) present 
3 times
  /usr/lib64/libgs.so.8.61
  /usr/lib64/libXfont.so.1.4.1
  /usr/lib64/libt1.so.5.1.1
Comment 1 Ralph Giles 2008-02-12 18:39:50 UTC
Thanks for the report.

As far as I can see, scan_token() isn't part of the public API of any of the
three libraries, so the duplicate symbol shouldn't present a problem. Linking to
a library version instead of the same symbol in your own application, on the
other hand, is no fun, but link order usually takes care of that.

We could rename the symbol in gs, but there are a bunch of related symbols that
should change too, so I'd rather not without a real conflict.
Comment 2 Diego Pettenò 2008-02-13 04:29:37 UTC
The fact that it's not part of the public API does not really influence the 
issue of symbol collision at all. It's not just the third party application 
that might use the wrong symbol, it's also your own library, that might load 
the symbol from either libt1 or libXfont, rather than its own. The way to fix 
that for _just_ your own library is to use -Bsymbolic. The proper way to fix 
this is to rename the symbol, and make sure that it doesn't collide with other 
libraries.

There's also another solution, maybe easier to handle than renaming, if you 
don't want to rename, and it is to hide the symbol, either using GCC's 
visibility (which could also help the compiler in optimisation, and is 
supported by other compilers like ICC and Sun's CC) or through ld scripts. 
Hiding all the symbols that are not part of public API this way would in all 
effects solve the problem, as then collisions between them and other libraries 
wouldn't be possible anymore, it would also improve startup times, as the 
symbols wouldn't have dynamic binding anymore. The problem with this solution 
is that you need GCC 4 (or 3.4 backported, which is unsafe) to have visibility 
support, or a GNU-compatible ld. It's still better than leaving the collision 
in place, though.
Comment 3 Ralph Giles 2008-02-13 18:46:09 UTC
Please don't reopen WONTFIX bugs.

> The fact that it's not part of the public API does not really influence the 
> issue of symbol collision at all. It's not just the third party application 
> that might use the wrong symbol, it's also your own library, that might load 
> the symbol from either libt1 or libXfont, rather than its own.

Do you have an example of this? Given that the GNU toolchain has historically
exported everything, I can't imagine modern software functioning if this were
actually the case.

I am glad to hear gcc 4 has visibility support; that will be much nicer than the
old version script method, and I look forward to it becoming widespread enough
to be worthwhile. :)
Comment 4 Hin-Tak Leung 2008-02-16 18:39:54 UTC
Yes, gcc 4.x has visibility support... but OTOH, ghostscript runs on more
platforms where the compiler is not gcc. 

The actual possibility of collision is quite small though, because there 
are not many applications which uses libgs plus one of the others - try naming one? 
Comment 5 Paul de Vrieze 2008-02-17 18:21:10 UTC
On those platforms that support it, you might want to use the '--default-symver'
linker flag. This will make all symbols versioned by the soname of the library.
It should not break anything, but will make sure that collisions in the names do
not actually occur (it also fixes the multiple versions of the same library
issue). Then again, using visibility where applicable is a speedup as well.
Comment 6 Hin-Tak Leung 2010-05-04 22:40:41 UTC
It appeared that Ralph already closed this as WONTFIX (but was re-opened).

In general, I think WONTFIX bugs should only be re-opened if the person re-opening it is willing to provide a patch for review (and we will review it if that happens), but we will not spend further time on it ourselves. 

Since this has already happened once, I am afraid if somebody re-opens this bug report without providing a patch, I'll considered disabling that person's bugzilla account. You have been warned.
Comment 7 Tim Waugh 2011-01-12 17:23:27 UTC
Surely providing an example of a situation where this is a real problem would be sufficient grounds for re-opening this bug?  Threatening in advance to close people's accounts seems rather draconian.

So, here's a real-world example where this actually causes applications to crash:
https://bugzilla.redhat.com/show_bug.cgi?id=590914
Comment 8 Hin-Tak Leung 2011-01-12 17:57:43 UTC
 (In reply to comment #7)
> Surely providing an example of a situation where this is a real problem would
> be sufficient grounds for re-opening this bug?

> 
> So, here's a real-world example where this actually causes applications to
> crash:
> https://bugzilla.redhat.com/show_bug.cgi?id=590914

Sure - I take your point. It appearred Ralph has closed it twice before I did a 3rd time. Ralph is no longer active, so re-assign to support for decisions - there is no gaurantee that support won't close it a 4th time though...
Comment 9 Robin Watts 2011-01-12 21:14:39 UTC
Created attachment 7122 [details]
patch

It doesn't seem unreasonable (to me) for us to rename the function to 'scanner_get_token' (after all, the init function is scanner_init, not scan_init).

Here is a patch that does exactly that. Cluster testing now.
Comment 10 Henry Stiles 2011-01-12 21:25:13 UTC
(In reply to comment #9)
> Created an attachment (id=7122) [details]
> patch
> 
> It doesn't seem unreasonable (to me) for us to rename the function to
> 'scanner_get_token' (after all, the init function is scanner_init, not
> scan_init).
> 
> Here is a patch that does exactly that. Cluster testing now.

Why aren't the exported/global functions prefixed with gs_
Comment 11 Diego Pettenò 2011-01-12 21:32:22 UTC
Henry I guess the answer is "Ralph wouldn't bother even listening to me until an application crashed", and after not being listened to I really couldn't get myself to create an artificial example of an application miscalling the functions. As it happens, Evince did so already.

In general yes I suggest you do prefix all the exported symbols with something like gs_, maybe gs_x_ or something for those that are not supposed to be used (and that could also help you as GNU ld, Apple's and (I think) Sun's allows you to hide symbols from the public table based on their prefix — not a problem for Windows since there you have to list explicitly what you do export).

The less generic a symbol name is the less likely it is to collide (and lead to crashes at one point or another).
Comment 12 Robin Watts 2011-01-13 00:26:56 UTC
Created attachment 7125 [details]
patch

Fixed patch. Passes cluster testing.
Comment 13 Robin Watts 2011-01-13 14:38:06 UTC
Fixed in revision 12023.
Comment 14 Robin Watts 2011-01-13 14:39:09 UTC
Thanks to the committers/commenters for their persistence on this - please let us know if this doesn't solve the issue for you.