Bug 691478

Summary: Seg. fault in gs_vmreclaim
Product: Ghostscript
Reporter: Marcos H. Woehrmann <marcos.woehrmann>
Component: General
Assignee: Michael Vrhel <michael.vrhel>
Status: RESOLVED FIXED
Severity: blocker
CC: alex
Priority: P1
Version: master
Hardware: PC
OS: All
Customer:
Word Size: ---
Attachments: valgrind_18-02F_PS.log
valgrind_Bug690208_pdf.log

Description Marcos H. Woehrmann 2010-07-19 04:04:20 UTC
Starting with r11517 there are seg. faults in Ghostscript when writing pgmraw files.  I don't believe the changes made in r11517 are the problem, things just moved around.

The good news is that it happens even with the debug build.

Example command lines:

  bin/gs -sDEVICE=pgmraw -o test.pgm -r72 ./Bug690208.pdf
  bin/gs -sDEVICE=pgmraw -o test.pgm -r300 ./18-02F.PS

If this turns out to be hard to duplicate I have a copy of r11517 on peeves in /home/marcos/gs.11517 that can be used:

marcos@peeves:[18]% gs.11517/bin/gs -sDEVICE=pgmraw -o test.pgm -r300 ./18-02F.PS
GPL Ghostscript SVN PRE-RELEASE 9.00 (2010-07-31)
Copyright (C) 2010 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
Loading NimbusSanL-Bold font from %rom%Resource/Font/NimbusSanL-Bold... 3339304 1972567 2121672 827062 1 done.
% _Pg checksums collected from GPL Ghostscript SVN PRE-RELEASE version 3010 
18-2f GSTATE 
Loading NimbusRomNo9L-Regu font from %rom%Resource/Font/NimbusRomNo9L-Regu... 3469672 2154904 2182224 856047 1 done.
18-2f GSTATE = 0 Graphic 160 ms 
/18-2f__Pg01 0 def %matching 0 
18-2f Special Test A 
18-2f Special Test A = 29185 Graphic 40 ms 
Segmentation fault
marcos@peeves:[19]%
Comment 1 Marcos H. Woehrmann 2010-07-19 04:13:42 UTC
Example gdb output:

marcos@peeves:[36]% gdb gs.11517/debugobj/gs
GNU gdb (GDB) 7.0-ubuntu
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/marcos/gs.11517/debugobj/gs...done.
(gdb) run -sDEVICE=pgmraw -o test.pgm -r300 ./18-02F.PS 
Starting program: /home/marcos/gs.11517/debugobj/gs -sDEVICE=pgmraw -o test.pgm -r300 ./18-02F.PS
[Thread debugging using libthread_db enabled]
GPL Ghostscript SVN PRE-RELEASE 9.00 (2010-07-31)
Copyright (C) 2010 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
Loading NimbusSanL-Bold font from %rom%Resource/Font/NimbusSanL-Bold... 3339304 1972567 2121672 827062 1 done.
% _Pg checksums collected from GPL Ghostscript SVN PRE-RELEASE version 3010 
18-2f GSTATE 
Loading NimbusRomNo9L-Regu font from %rom%Resource/Font/NimbusRomNo9L-Regu... 3469672 2154904 2182224 856047 1 done.
18-2f GSTATE = 0 Graphic 380 ms 
/18-2f__Pg01 0 def %matching 0 
18-2f Special Test A 
18-2f Special Test A = 29185 Graphic 70 ms 

Program received signal SIGSEGV, Segmentation fault.
0x00000000005728bf in igc_reloc_struct_ptr (obj=0x1dd52b8, gcst=0x7fffffffc570) at ./psi/igc.c:1282
1282			robj = chead->dest +
(gdb) where
#0  0x00000000005728bf in igc_reloc_struct_ptr (obj=0x1dd52b8, gcst=0x7fffffffc570) at ./psi/igc.c:1282
#1  0x00000000009ad42a in basic_reloc_ptrs (vptr=0x1a3df80, size=128, pstype=0xa9eae0, gcst=0x7fffffffc570) at ./base/gsmemory.c:346
#2  0x000000000057267c in gc_do_reloc (cp=0x1a3dd50, mem=0x19ffff8, pstate=0x7fffffffc570) at ./psi/igc.c:1222
#3  0x0000000000570190 in gs_gc_reclaim (pspaces=0x1a3e198, global=1) at ./psi/igc.c:441
#4  0x0000000000632c3c in context_reclaim (pspaces=0x1a3e198, global=1) at ./psi/zcontext.c:278
#5  0x0000000000525762 in gs_vmreclaim (dmem=0x1a3e190, global=1) at ./psi/ireclaim.c:153
#6  0x00000000005254b2 in ireclaim (dmem=0x1a3e190, space=-1) at ./psi/ireclaim.c:75
#7  0x000000000051ea9a in interp_reclaim (pi_ctx_p=0x19ff388, space=-1) at ./psi/interp.c:415
#8  0x0000000000522080 in interp (pi_ctx_p=0x19ff388, pref=0x7fffffffd830, perror_object=0x7fffffffd930) at ./psi/interp.c:1678
#9  0x000000000051ed26 in gs_call_interp (pi_ctx_p=0x19ff388, pref=0x7fffffffd830, user_errors=1, pexit_code=0x7fffffffd94c, perror_object=0x7fffffffd930)
    at ./psi/interp.c:484
#10 0x000000000051eb42 in gs_interpret (pi_ctx_p=0x19ff388, pref=0x7fffffffd830, user_errors=1, pexit_code=0x7fffffffd94c, perror_object=0x7fffffffd930)
    at ./psi/interp.c:442
#11 0x0000000000512125 in gs_main_interpret (minst=0x19ff2f0, pref=0x7fffffffd830, user_errors=1, pexit_code=0x7fffffffd94c, perror_object=0x7fffffffd930)
    at ./psi/imain.c:240
#12 0x0000000000512d7b in gs_main_run_string_end (minst=0x19ff2f0, user_errors=1, pexit_code=0x7fffffffd94c, perror_object=0x7fffffffd930)
    at ./psi/imain.c:556
#13 0x0000000000512c2c in gs_main_run_string_with_length (minst=0x19ff2f0, str=0x1bbdf30 "<2e2f31382d3032462e5053>.runfile", length=32, user_errors=1, 
    pexit_code=0x7fffffffd94c, perror_object=0x7fffffffd930) at ./psi/imain.c:514
#14 0x0000000000512b91 in gs_main_run_string (minst=0x19ff2f0, str=0x1bbdf30 "<2e2f31382d3032462e5053>.runfile", user_errors=1, pexit_code=0x7fffffffd94c, 
    perror_object=0x7fffffffd930) at ./psi/imain.c:496
#15 0x0000000000515e71 in run_string (minst=0x19ff2f0, str=0x1bbdf30 "<2e2f31382d3032462e5053>.runfile", options=3) at ./psi/imainarg.c:814
#16 0x0000000000515e16 in runarg (minst=0x19ff2f0, pre=0xa5a7db "", arg=0x1a45eb0 "./18-02F.PS", post=0xa5a8dd ".runfile", options=3) at ./psi/imainarg.c:805
#17 0x0000000000515a7b in argproc (minst=0x19ff2f0, arg=0x7fffffffe82f "./18-02F.PS") at ./psi/imainarg.c:738
#18 0x000000000051425d in gs_main_init_with_args (minst=0x19ff2f0, argc=6, argv=0x7fffffffe568) at ./psi/imainarg.c:215
#19 0x0000000000464db3 in main (argc=6, argv=0x7fffffffe568) at ./psi/gs.c:96
(gdb)

(gdb) run -sDEVICE=pgmraw -o test.pgm -r72 ./Bug690208.pdf
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/marcos/gs.11517/debugobj/gs -sDEVICE=pgmraw -o test.pgm -r72 ./Bug690208.pdf
[Thread debugging using libthread_db enabled]
GPL Ghostscript SVN PRE-RELEASE 9.00 (2010-07-31)
Copyright (C) 2010 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
Processing pages 1 through 3.
Page 1
Page 2

Program received signal SIGSEGV, Segmentation fault.
0x00000000005728bf in igc_reloc_struct_ptr (obj=0x1e65168, gcst=0x7fffffffc570) at ./psi/igc.c:1282
1282			robj = chead->dest +
(gdb) where
#0  0x00000000005728bf in igc_reloc_struct_ptr (obj=0x1e65168, gcst=0x7fffffffc570) at ./psi/igc.c:1282
#1  0x00000000009ad42a in basic_reloc_ptrs (vptr=0x1a3df80, size=128, pstype=0xa9eae0, gcst=0x7fffffffc570) at ./base/gsmemory.c:346
#2  0x000000000057267c in gc_do_reloc (cp=0x1a3dd50, mem=0x19ffff8, pstate=0x7fffffffc570) at ./psi/igc.c:1222
#3  0x0000000000570190 in gs_gc_reclaim (pspaces=0x1a3e198, global=1) at ./psi/igc.c:441
#4  0x0000000000632c3c in context_reclaim (pspaces=0x1a3e198, global=1) at ./psi/zcontext.c:278
#5  0x0000000000525762 in gs_vmreclaim (dmem=0x1a3e190, global=1) at ./psi/ireclaim.c:153
#6  0x00000000005254b2 in ireclaim (dmem=0x1a3e190, space=-1) at ./psi/ireclaim.c:75
#7  0x000000000051ea9a in interp_reclaim (pi_ctx_p=0x19ff388, space=-1) at ./psi/interp.c:415
#8  0x0000000000522080 in interp (pi_ctx_p=0x19ff388, pref=0x7fffffffd6c0, perror_object=0x7fffffffd930) at ./psi/interp.c:1678
#9  0x000000000051ed26 in gs_call_interp (pi_ctx_p=0x19ff388, pref=0x7fffffffd830, user_errors=1, pexit_code=0x7fffffffd94c, perror_object=0x7fffffffd930)
    at ./psi/interp.c:484
#10 0x000000000051eb42 in gs_interpret (pi_ctx_p=0x19ff388, pref=0x7fffffffd830, user_errors=1, pexit_code=0x7fffffffd94c, perror_object=0x7fffffffd930)
    at ./psi/interp.c:442
#11 0x0000000000512125 in gs_main_interpret (minst=0x19ff2f0, pref=0x7fffffffd830, user_errors=1, pexit_code=0x7fffffffd94c, perror_object=0x7fffffffd930)
    at ./psi/imain.c:240
#12 0x0000000000512d7b in gs_main_run_string_end (minst=0x19ff2f0, user_errors=1, pexit_code=0x7fffffffd94c, perror_object=0x7fffffffd930)
    at ./psi/imain.c:556
#13 0x0000000000512c2c in gs_main_run_string_with_length (minst=0x19ff2f0, str=0x1bbdf30 "<2e2f4275673639303230382e706466>.runfile", length=40, 
    user_errors=1, pexit_code=0x7fffffffd94c, perror_object=0x7fffffffd930) at ./psi/imain.c:514
#14 0x0000000000512b91 in gs_main_run_string (minst=0x19ff2f0, str=0x1bbdf30 "<2e2f4275673639303230382e706466>.runfile", user_errors=1, 
    pexit_code=0x7fffffffd94c, perror_object=0x7fffffffd930) at ./psi/imain.c:496
#15 0x0000000000515e71 in run_string (minst=0x19ff2f0, str=0x1bbdf30 "<2e2f4275673639303230382e706466>.runfile", options=3) at ./psi/imainarg.c:814
#16 0x0000000000515e16 in runarg (minst=0x19ff2f0, pre=0xa5a7db "", arg=0x1a45eb0 "./Bug690208.pdf", post=0xa5a8dd ".runfile", options=3)
    at ./psi/imainarg.c:805
#17 0x0000000000515a7b in argproc (minst=0x19ff2f0, arg=0x7fffffffe82b "./Bug690208.pdf") at ./psi/imainarg.c:738
#18 0x000000000051425d in gs_main_init_with_args (minst=0x19ff2f0, argc=6, argv=0x7fffffffe568) at ./psi/imainarg.c:215
#19 0x0000000000464db3 in main (argc=6, argv=0x7fffffffe568) at ./psi/gs.c:96
(gdb)
Comment 2 Marcos H. Woehrmann 2010-07-19 05:24:58 UTC
Created attachment 6510 [details]
valgrind_18-02F_PS.log
Comment 3 Marcos H. Woehrmann 2010-07-19 05:25:14 UTC
Created attachment 6511 [details]
valgrind_Bug690208_pdf.log
Comment 4 Ray Johnston 2010-07-19 15:34:34 UTC
Please re-run with -Z@$?  Note, on linux you need to use escapes: -Z@\$\? when
running a debug build.

I am attempting to duplicate it on Win 7
Comment 5 Ray Johnston 2010-07-19 16:06:35 UTC
I ran with -Z@$?  Note, on linux you need to use escapes: -Z@\$\? when
running a debug build.

I was able to duplicate it on Win 7 with a 32-bit DEBUG build.

Setting a breakpoint in ilocate.c:535 (in ialloc_validate_object) I get a
breakpoint before it later gets a segfault that is probably related. This
scan of objects is performed as part of a 'restore' (zrestore).

The object being searched for has funky contents, in that the o_type is
0xfeeefeee, as is the size.

Going up one level from the breakpoint, into ialloc_validate_chunk, I see
the value of pre has some useful information. The value of pre->d.f.o.t.type
points to the st_gsicc_manager struct descriptor and the value of 'index' is
8 (I think it has already been incremented past the pointer that was to
the bogus area of memory that ialloc_validate_object can't find).

If the bogus index was 7, then that is the pointer to the 'lab_profile'
filename (consulting the list of pointers in st_gsicc_manager in
gsicc_manage.c:83-87).

This may or may not be related to the other issue found with the psdcmyk
device that I worked with Michael on recently, but it smells the same.

Assigning to Michael. Please let me know if the changes we discussed w.r.t.
the filename strings set via userparams don't fix this as well.
Comment 6 Michael Vrhel 2010-07-20 06:13:38 UTC
I am able to duplicate also. The common theme in the two example files is that they both have patterns. I am suspicious that there is something going wrong with the pattern instance saved entry which has a pointer to an icc manager. Clearly it should be traced, but this will take a bit of time to dig through.
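The mechanism Ray and Michael describe above, modelled as an added C example that is not Ghostscript code: a compacting heap whose per-struct descriptor lists the pointer slots the collector relocates, an object whose descriptor omits one slot, and a validation pass that (like the ialloc_validate_object breakpoint) flags the stale pointer left behind. The heap layout, `descr_t`, `gc_relocate`, `validate` and `run_demo` are all constructed for the example.

```c
#include <stdint.h>
#include <string.h>
/* Toy compacting heap with per-struct pointer descriptors (constructed for this
   example; not Ghostscript's allocator). Each object has NSLOTS pointer fields;
   its descriptor says which of them the collector traces and relocates. */
#define NSLOTS 3
#define NOBJS  4
typedef struct obj { struct obj *p[NSLOTS]; } obj_t;
typedef struct { int traced[NSLOTS]; } descr_t;   /* slots reloc_ptrs knows */
static obj_t from_space[NOBJS], to_space[NOBJS];

/* True when p lands on one of the NOBJS objects in `space`. */
static int in_space(const obj_t *space, const obj_t *p) {
    return (uintptr_t)p >= (uintptr_t)space && (uintptr_t)p < (uintptr_t)(space + NOBJS);
}

/* Move every object to to_space, fix up only the traced slots, then poison the
   old space the way a debug heap marks freed memory (cf. 0xfeeefeee above). */
static void gc_relocate(const descr_t *d) {
    memcpy(to_space, from_space, sizeof from_space);
    for (int i = 0; i < NOBJS; i++)
        for (int s = 0; s < NSLOTS; s++)
            if (d[i].traced[s] && in_space(from_space, to_space[i].p[s]))
                to_space[i].p[s] = to_space + (to_space[i].p[s] - from_space);
    memset(from_space, 0xee, sizeof from_space);
}

/* What ialloc_validate_object checks in spirit: every non-NULL pointer field
   must point at a live object. Returns the number of stale pointers found. */
static int validate(void) {
    int bad = 0;
    for (int i = 0; i < NOBJS; i++)
        for (int s = 0; s < NSLOTS; s++)
            if (to_space[i].p[s] && !in_space(to_space, to_space[i].p[s]))
                bad++;
    return bad;
}

/* Object 0 points at objects 1..3; its descriptor omits `omit_slot` (-1 traces all). */
int run_demo(int omit_slot) {
    descr_t d[NOBJS] = {{{0}}};
    memset(from_space, 0, sizeof from_space);
    for (int s = 0; s < NSLOTS; s++) {
        from_space[0].p[s] = &from_space[s + 1];
        d[0].traced[s] = (s != omit_slot);
    }
    gc_relocate(d);
    return validate();   /* 1 when a slot was left untraced, 0 otherwise */
}
```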
Comment 7 Michael Vrhel 2010-07-21 18:18:18 UTC
*** Bug 691482 has been marked as a duplicate of this bug. ***
Comment 8 Michael Vrhel 2010-07-21 19:26:45 UTC
Fixed with rev 11532.