Bug 690506 - Regression: Segmentation fault with nightly regression files
Summary: Regression: Segmentation fault with nightly regression files
Status: RESOLVED FIXED
Alias: None
Product: Ghostscript
Classification: Unclassified
Component: PS Interpreter (show other bugs)
Version: master
Hardware: PC Linux
: P1 normal
Assignee: Ray Johnston
QA Contact: Bug traffic
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2009-05-29 21:54 UTC by Marcos H. Woehrmann
Modified: 2012-09-26 20:57 UTC (History)
3 users (show)

See Also:
Customer:
Word Size: ---


Attachments
vlog-u64-r9931-r9772.txt (10.24 KB, text/plain)
2009-08-03 21:43 UTC, Masaki Ushizaka
Details
script (375 bytes, text/plain)
2010-03-12 00:02 UTC, Marcos H. Woehrmann
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Marcos H. Woehrmann 2009-05-29 21:54:45 UTC
I can't duplicate this problem on peeves, but on my 64 bit Linux boxes running head (r9772) the nightly 
regression files 23-12C.PS and 23-12J.PS core dump when writing to a 72 DPI pkmraw file:

bin/gs -sOutputFile=test.pkm -dMaxBitmap=30000000 -sDEVICE=pkmraw -r72 -q -dNOPAUSE -
dBATCH -K1000000 -dNOOUTERSAVE -c false 0 startjob pop -f %rom%Resource/Init/gs_cet.ps - < 
/home/marcos/artifex/nightly/testfiles/23-12C.PS
Comment 1 Marcos H. Woehrmann 2009-06-11 13:03:21 UTC
Stack trace from gdb:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 47478172782224 (LWP 1985)]
0x00000000004bb417 in dict_put (pdref=0x17bec48, pkey=0x17a7fe8, pvalue=0x17a7ff8, 
pds=0x17bf188) at ./psi/idict.c:504
504		    ref_assign_old_in(mem, &pdict->keys, kp, pkey,
(gdb) where
#0  0x00000000004bb417 in dict_put (pdref=0x17bec48, pkey=0x17a7fe8, pvalue=0x17a7ff8, 
pds=0x17bf188) at ./psi/idict.c:504
#1  0x00000000004d8e28 in zop_def (i_ctx_p=0x17bf090) at ./psi/zdict.c:142
#2  0x00000000004c06cb in interp (pi_ctx_p=0x1780348, pref=0x7fff50624e60, 
perror_object=0x7fff50624f30) at ./psi/interp.c:1006
#3  0x00000000004bf67d in gs_call_interp (pi_ctx_p=0x1780348, pref=0x7fff50624e60, 
user_errors=1, pexit_code=0x7fff50624f48, perror_object=0x7fff50624f30) at ./psi/interp.c:496
#4  0x00000000004bf4b5 in gs_interpret (pi_ctx_p=0x1780348, pref=0x7fff50624e60, 
user_errors=1, pexit_code=0x7fff50624f48, perror_object=0x7fff50624f30) at ./psi/interp.c:454
#5  0x00000000004b2f5c in gs_main_interpret (minst=0x17802b0, pref=0x7fff50624e60, 
user_errors=1, pexit_code=0x7fff50624f48, perror_object=0x7fff50624f30) at ./psi/imain.c:214
#6  0x00000000004b3b1a in gs_main_run_string_end (minst=0x17802b0, user_errors=1, 
pexit_code=0x7fff50624f48, perror_object=0x7fff50624f30) at ./psi/imain.c:526
#7  0x00000000004b39d7 in gs_main_run_string_with_length (minst=0x17802b0, str=0x8fa16e 
".runstdin", length=9, user_errors=1, pexit_code=0x7fff50624f48, perror_object=0x7fff50624f30)
    at ./psi/imain.c:484
#8  0x00000000004b3944 in gs_main_run_string (minst=0x17802b0, str=0x8fa16e ".runstdin", 
user_errors=1, pexit_code=0x7fff50624f48, perror_object=0x7fff50624f30) at ./psi/imain.c:466
#9  0x00000000004b695b in run_string (minst=0x17802b0, str=0x8fa16e ".runstdin", options=2) at 
./psi/imainarg.c:798
#10 0x00000000004b5087 in swproc (minst=0x17802b0, arg=0x7fff50627d01 "USER=marcos", 
pal=0x7fff506254d0) at ./psi/imainarg.c:267
#11 0x00000000004b4dcc in gs_main_init_with_args (minst=0x17802b0, argc=15, 
argv=0x7fff50625fd8) at ./psi/imainarg.c:200
#12 0x000000000040b369 in main (argc=15, argv=0x7fff50625fd8) at ./psi/gs.c:77
(gdb) 
Comment 2 Marcos H. Woehrmann 2009-06-11 13:09:22 UTC
Valgrind output:

marcos@amd64:[19]% valgrind /home/marcos/artifex/ghostscript/gs/debugobj/gs -
I/home/marcos/artifex/ghostscript/gs/lib -I/home/marcos/artifex/fonts -o test.pkm -
sDEVICE=pkmraw -dNOOUTERSAVE -c false 0 startjob pop -f %rom%Resource/Init/gs_cet.ps - < ./23-
12C.PS
==2023== Memcheck, a memory error detector.
==2023== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==2023== Using LibVEX rev 1732, a library for dynamic binary translation.
==2023== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==2023== Using valgrind-3.2.3-Debian, a dynamic binary instrumentation framework.
==2023== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==2023== For more details, rerun with: -v
==2023== 
GPL Ghostscript SVN PRE-RELEASE 8.65 (2009-02-04)
Copyright (C) 2009 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
==2023== Conditional jump or move depends on uninitialised value(s)
==2023==    at 0x51332F: ptr_struct_mark (igc.c:1067)
==2023==    by 0x512B3B: gc_trace (igc.c:857)
==2023==    by 0x51105E: gs_gc_reclaim (igc.c:326)
==2023==    by 0x5B60C9: context_reclaim (zcontext.c:283)
==2023==    by 0x4C6C96: gs_vmreclaim (ireclaim.c:153)
==2023==    by 0x4C69FA: ireclaim (ireclaim.c:75)
==2023==    by 0x4BF41E: interp_reclaim (interp.c:427)
==2023==    by 0x4C36A6: interp (interp.c:1690)
==2023==    by 0x4BF67C: gs_call_interp (interp.c:496)
==2023==    by 0x4BF4B4: gs_interpret (interp.c:454)
==2023==    by 0x4B2F5B: gs_main_interpret (imain.c:214)
==2023==    by 0x4B3B19: gs_main_run_string_end (imain.c:526)
==2023== 
==2023== Conditional jump or move depends on uninitialised value(s)
==2023==    at 0x5126DA: gc_trace_chunk (igc.c:742)
==2023==    by 0x511101: gs_gc_reclaim (igc.c:335)
==2023==    by 0x5B60C9: context_reclaim (zcontext.c:283)
==2023==    by 0x4C6C96: gs_vmreclaim (ireclaim.c:153)
==2023==    by 0x4C69FA: ireclaim (ireclaim.c:75)
==2023==    by 0x4BF41E: interp_reclaim (interp.c:427)
==2023==    by 0x4C36A6: interp (interp.c:1690)
==2023==    by 0x4BF67C: gs_call_interp (interp.c:496)
==2023==    by 0x4BF4B4: gs_interpret (interp.c:454)
==2023==    by 0x4B2F5B: gs_main_interpret (imain.c:214)
==2023==    by 0x4B3B19: gs_main_run_string_end (imain.c:526)
==2023==    by 0x4B39D6: gs_main_run_string_with_length (imain.c:484)
==2023== 
==2023== Conditional jump or move depends on uninitialised value(s)
==2023==    at 0x5126EC: gc_trace_chunk (igc.c:743)
==2023==    by 0x511101: gs_gc_reclaim (igc.c:335)
==2023==    by 0x5B60C9: context_reclaim (zcontext.c:283)
==2023==    by 0x4C6C96: gs_vmreclaim (ireclaim.c:153)
==2023==    by 0x4C69FA: ireclaim (ireclaim.c:75)
==2023==    by 0x4BF41E: interp_reclaim (interp.c:427)
==2023==    by 0x4C36A6: interp (interp.c:1690)
==2023==    by 0x4BF67C: gs_call_interp (interp.c:496)
==2023==    by 0x4BF4B4: gs_interpret (interp.c:454)
==2023==    by 0x4B2F5B: gs_main_interpret (imain.c:214)
==2023==    by 0x4B3B19: gs_main_run_string_end (imain.c:526)
marcos@amd64:[1]% validlocale 
marcos@amd64:[1]% valgr
valgrind           valgrind-listener  valgrind.bin       
marcos@amd64:[1]% valgrind /home/marcos/artifex/ghostscript/gs/debugobj/gs -
I/home/marcos/artifex/ghostscript/gs/lib -I/home/marcos/artifex/fonts  -o test.pkm -
sDEVICE=pkmraw -dNOOUTERSAVE -c false 0 startjob pop -f %rom%Resource/Init/gs_cet.ps - < ./23-
12C.PS
==2071== Memcheck, a memory error detector.
==2071== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==2071== Using LibVEX rev 1732, a library for dynamic binary translation.
==2071== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==2071== Using valgrind-3.2.3-Debian, a dynamic binary instrumentation framework.
==2071== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==2071== For more details, rerun with: -v
==2071== 
GPL Ghostscript SVN PRE-RELEASE 8.65 (2009-02-04)
Copyright (C) 2009 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
==2071== Conditional jump or move depends on uninitialised value(s)
==2071==    at 0x51332F: ptr_struct_mark (igc.c:1067)
==2071==    by 0x512B3B: gc_trace (igc.c:857)
==2071==    by 0x51105E: gs_gc_reclaim (igc.c:326)
==2071==    by 0x5B60C9: context_reclaim (zcontext.c:283)
==2071==    by 0x4C6C96: gs_vmreclaim (ireclaim.c:153)
==2071==    by 0x4C69FA: ireclaim (ireclaim.c:75)
==2071==    by 0x4BF41E: interp_reclaim (interp.c:427)
==2071==    by 0x4C36A6: interp (interp.c:1690)
==2071==    by 0x4BF67C: gs_call_interp (interp.c:496)
==2071==    by 0x4BF4B4: gs_interpret (interp.c:454)
==2071==    by 0x4B2F5B: gs_main_interpret (imain.c:214)
==2071==    by 0x4B3B19: gs_main_run_string_end (imain.c:526)
==2071== 
==2071== Conditional jump or move depends on uninitialised value(s)
==2071==    at 0x5126DA: gc_trace_chunk (igc.c:742)
==2071==    by 0x511101: gs_gc_reclaim (igc.c:335)
==2071==    by 0x5B60C9: context_reclaim (zcontext.c:283)
==2071==    by 0x4C6C96: gs_vmreclaim (ireclaim.c:153)
==2071==    by 0x4C69FA: ireclaim (ireclaim.c:75)
==2071==    by 0x4BF41E: interp_reclaim (interp.c:427)
==2071==    by 0x4C36A6: interp (interp.c:1690)
==2071==    by 0x4BF67C: gs_call_interp (interp.c:496)
==2071==    by 0x4BF4B4: gs_interpret (interp.c:454)
==2071==    by 0x4B2F5B: gs_main_interpret (imain.c:214)
==2071==    by 0x4B3B19: gs_main_run_string_end (imain.c:526)
==2071==    by 0x4B39D6: gs_main_run_string_with_length (imain.c:484)
==2071== 
==2071== Conditional jump or move depends on uninitialised value(s)
==2071==    at 0x5126EC: gc_trace_chunk (igc.c:743)
==2071==    by 0x511101: gs_gc_reclaim (igc.c:335)
==2071==    by 0x5B60C9: context_reclaim (zcontext.c:283)
==2071==    by 0x4C6C96: gs_vmreclaim (ireclaim.c:153)
==2071==    by 0x4C69FA: ireclaim (ireclaim.c:75)
==2071==    by 0x4BF41E: interp_reclaim (interp.c:427)
==2071==    by 0x4C36A6: interp (interp.c:1690)
==2071==    by 0x4BF67C: gs_call_interp (interp.c:496)
==2071==    by 0x4BF4B4: gs_interpret (interp.c:454)
==2071==    by 0x4B2F5B: gs_main_interpret (imain.c:214)
==2071==    by 0x4B3B19: gs_main_run_string_end (imain.c:526)
==2071==    by 0x4B39D6: gs_main_run_string_with_length (imain.c:484)
Loading NimbusSanL-Bold font from %rom%Resource/Font/NimbusSanL-Bold... 2988504 1533456 
13703120 12396882 1 done.
% _Pg checksums collected from PhotoPRINT SE 5.0v2 version 3017.102 
23-12c RANGE 1 
Loading NimbusRomNo9L-Regu font from %rom%Resource/Font/NimbusRomNo9L-Regu... 3049904 
1701348 13783856 12458048 1 done.
23-12c RANGE 1 = 29106 Text 13940 ms 
23-12c RANGE 2 
23-12c RANGE 2 = 29106 Text 13370 ms 
/23-12c_Pg01 58212 def %matching 58212 
23-12c RANGE 3 
23-12c RANGE 3 = 29106 Text 13020 ms 
23-12c RANGE 4 
23-12c RANGE 4 = 29106 Text 19400 ms 
/23-12c_Pg02 58212 def %matching 58212 
23-12c RANGE 5 
23-12c RANGE 5 = 29106 Text 13130 ms 
23-12c RANGE 6 
==2071== 
==2071== Invalid read of size 1
==2071==    at 0x4BADA6: real_dict_find (idict.c:377)
==2071==    by 0x4B9F0D: dict_find (idict.c:87)
==2071==    by 0x4D8E00: zop_def (zdict.c:141)
==2071==    by 0x4C06CA: interp (interp.c:1006)
==2071==    by 0x4BF67C: gs_call_interp (interp.c:496)
==2071==    by 0x4BF4B4: gs_interpret (interp.c:454)
==2071==    by 0x4B2F5B: gs_main_interpret (imain.c:214)
==2071==    by 0x4B3B19: gs_main_run_string_end (imain.c:526)
==2071==    by 0x4B39D6: gs_main_run_string_with_length (imain.c:484)
==2071==    by 0x4B3943: gs_main_run_string (imain.c:466)
==2071==    by 0x4B695A: run_string (imainarg.c:798)
==2071==    by 0x4B5086: swproc (imainarg.c:267)
==2071==  Address 0xA1EA841 is 609 bytes inside a block of size 20,048 free'd
==2071==    at 0x4C2182B: free (vg_replace_malloc.c:233)
==2071==    by 0x84A208: gs_heap_free_object (gsmalloc.c:335)
==2071==    by 0x822443: alloc_free_chunk (gsalloc.c:1825)
==2071==    by 0x81E91F: i_free_all (gsalloc.c:411)
==2071==    by 0x51B46A: restore_free (isave.c:987)
==2071==    by 0x51AFB3: restore_space (isave.c:851)
==2071==    by 0x51ADA4: alloc_restore_step_in (isave.c:788)
==2071==    by 0x4EEA56: zrestore (zvmem.c:155)
==2071==    by 0x4A117C: z2restore (zdevice2.c:319)
==2071==    by 0x4BEFC7: call_operator (interp.c:111)
==2071==    by 0x4C2CFA: interp (interp.c:1538)
==2071==    by 0x4BF67C: gs_call_interp (interp.c:496)
==2071== 
==2071== Invalid read of size 8
==2071==    at 0x4BADC8: real_dict_find (idict.c:378)
==2071==    by 0x4B9F0D: dict_find (idict.c:87)
==2071==    by 0x4D8E00: zop_def (zdict.c:141)
==2071==    by 0x4C06CA: interp (interp.c:1006)
==2071==    by 0x4BF67C: gs_call_interp (interp.c:496)
==2071==    by 0x4BF4B4: gs_interpret (interp.c:454)
==2071==    by 0x4B2F5B: gs_main_interpret (imain.c:214)
==2071==    by 0x4B3B19: gs_main_run_string_end (imain.c:526)
==2071==    by 0x4B39D6: gs_main_run_string_with_length (imain.c:484)
==2071==    by 0x4B3943: gs_main_run_string (imain.c:466)
==2071==    by 0x4B695A: run_string (imainarg.c:798)
==2071==    by 0x4B5086: swproc (imainarg.c:267)
==2071==  Address 0xA1EA848 is 616 bytes inside a block of size 20,048 free'd
==2071==    at 0x4C2182B: free (vg_replace_malloc.c:233)
==2071==    by 0x84A208: gs_heap_free_object (gsmalloc.c:335)
==2071==    by 0x822443: alloc_free_chunk (gsalloc.c:1825)
==2071==    by 0x81E91F: i_free_all (gsalloc.c:411)
==2071==    by 0x51B46A: restore_free (isave.c:987)
==2071==    by 0x51AFB3: restore_space (isave.c:851)
==2071==    by 0x51ADA4: alloc_restore_step_in (isave.c:788)
==2071==    by 0x4EEA56: zrestore (zvmem.c:155)
==2071==    by 0x4A117C: z2restore (zdevice2.c:319)
==2071==    by 0x4BEFC7: call_operator (interp.c:111)
==2071==    by 0x4C2CFA: interp (interp.c:1538)
==2071==    by 0x4BF67C: gs_call_interp (interp.c:496)
==2071== 
==2071== Invalid read of size 2
==2071==    at 0x4BADD3: real_dict_find (idict.c:378)
==2071==    by 0x4B9F0D: dict_find (idict.c:87)
==2071==    by 0x4D8E00: zop_def (zdict.c:141)
==2071==    by 0x4C06CA: interp (interp.c:1006)
==2071==    by 0x4BF67C: gs_call_interp (interp.c:496)
==2071==    by 0x4BF4B4: gs_interpret (interp.c:454)
==2071==    by 0x4B2F5B: gs_main_interpret (imain.c:214)
==2071==    by 0x4B3B19: gs_main_run_string_end (imain.c:526)
==2071==    by 0x4B39D6: gs_main_run_string_with_length (imain.c:484)
==2071==    by 0x4B3943: gs_main_run_string (imain.c:466)
==2071==    by 0x4B695A: run_string (imainarg.c:798)
==2071==    by 0x4B5086: swproc (imainarg.c:267)
==2071==  Address 0xA1EA842 is 610 bytes inside a block of size 20,048 free'd
==2071==    at 0x4C2182B: free (vg_replace_malloc.c:233)
==2071==    by 0x84A208: gs_heap_free_object (gsmalloc.c:335)
==2071==    by 0x822443: alloc_free_chunk (gsalloc.c:1825)
==2071==    by 0x81E91F: i_free_all (gsalloc.c:411)
==2071==    by 0x51B46A: restore_free (isave.c:987)
==2071==    by 0x51AFB3: restore_space (isave.c:851)
==2071==    by 0x51ADA4: alloc_restore_step_in (isave.c:788)
==2071==    by 0x4EEA56: zrestore (zvmem.c:155)
==2071==    by 0x4A117C: z2restore (zdevice2.c:319)
==2071==    by 0x4BEFC7: call_operator (interp.c:111)
==2071==    by 0x4C2CFA: interp (interp.c:1538)
==2071==    by 0x4BF67C: gs_call_interp (interp.c:496)
==2071== 
==2071== Invalid read of size 2
==2071==    at 0x4BADF9: real_dict_find (idict.c:378)
==2071==    by 0x4B9F0D: dict_find (idict.c:87)
==2071==    by 0x4D8E00: zop_def (zdict.c:141)
==2071==    by 0x4C06CA: interp (interp.c:1006)
==2071==    by 0x4BF67C: gs_call_interp (interp.c:496)
==2071==    by 0x4BF4B4: gs_interpret (interp.c:454)
==2071==    by 0x4B2F5B: gs_main_interpret (imain.c:214)
==2071==    by 0x4B3B19: gs_main_run_string_end (imain.c:526)
==2071==    by 0x4B39D6: gs_main_run_string_with_length (imain.c:484)
==2071==    by 0x4B3943: gs_main_run_string (imain.c:466)
==2071==    by 0x4B695A: run_string (imainarg.c:798)
==2071==    by 0x4B5086: swproc (imainarg.c:267)
==2071==  Address 0xA1EA842 is 610 bytes inside a block of size 20,048 free'd
==2071==    at 0x4C2182B: free (vg_replace_malloc.c:233)
==2071==    by 0x84A208: gs_heap_free_object (gsmalloc.c:335)
==2071==    by 0x822443: alloc_free_chunk (gsalloc.c:1825)
==2071==    by 0x81E91F: i_free_all (gsalloc.c:411)
==2071==    by 0x51B46A: restore_free (isave.c:987)
==2071==    by 0x51AFB3: restore_space (isave.c:851)
==2071==    by 0x51ADA4: alloc_restore_step_in (isave.c:788)
==2071==    by 0x4EEA56: zrestore (zvmem.c:155)
==2071==    by 0x4A117C: z2restore (zdevice2.c:319)
==2071==    by 0x4BEFC7: call_operator (interp.c:111)
==2071==    by 0x4C2CFA: interp (interp.c:1538)
==2071==    by 0x4BF67C: gs_call_interp (interp.c:496)
==2071== 
==2071== Invalid read of size 1
==2071==    at 0x4BDBC8: real_dstack_find_name_by_index (idstack.c:151)
==2071==    by 0x4BD54F: dstack_find_name_by_index (idstack.c:50)
==2071==    by 0x4C1D8D: interp (interp.c:1210)
==2071==    by 0x4BF67C: gs_call_interp (interp.c:496)
==2071==    by 0x4BF4B4: gs_interpret (interp.c:454)
==2071==    by 0x4B2F5B: gs_main_interpret (imain.c:214)
==2071==    by 0x4B3B19: gs_main_run_string_end (imain.c:526)
==2071==    by 0x4B39D6: gs_main_run_string_with_length (imain.c:484)
==2071==    by 0x4B3943: gs_main_run_string (imain.c:466)
==2071==    by 0x4B695A: run_string (imainarg.c:798)
==2071==    by 0x4B5086: swproc (imainarg.c:267)
==2071==    by 0x4B4DCB: gs_main_init_with_args (imainarg.c:200)
==2071==  Address 0xA1EA891 is 689 bytes inside a block of size 20,048 free'd
==2071==    at 0x4C2182B: free (vg_replace_malloc.c:233)
==2071==    by 0x84A208: gs_heap_free_object (gsmalloc.c:335)
==2071==    by 0x822443: alloc_free_chunk (gsalloc.c:1825)
==2071==    by 0x81E91F: i_free_all (gsalloc.c:411)
==2071==    by 0x51B46A: restore_free (isave.c:987)
==2071==    by 0x51AFB3: restore_space (isave.c:851)
==2071==    by 0x51ADA4: alloc_restore_step_in (isave.c:788)
==2071==    by 0x4EEA56: zrestore (zvmem.c:155)
==2071==    by 0x4A117C: z2restore (zdevice2.c:319)
==2071==    by 0x4BEFC7: call_operator (interp.c:111)
==2071==    by 0x4C2CFA: interp (interp.c:1538)
==2071==    by 0x4BF67C: gs_call_interp (interp.c:496)
==2071== 
==2071== Invalid read of size 8
==2071==    at 0x4BDBDA: real_dstack_find_name_by_index (idstack.c:152)
==2071==    by 0x4BD54F: dstack_find_name_by_index (idstack.c:50)
==2071==    by 0x4C1D8D: interp (interp.c:1210)
==2071==    by 0x4BF67C: gs_call_interp (interp.c:496)
==2071==    by 0x4BF4B4: gs_interpret (interp.c:454)
==2071==    by 0x4B2F5B: gs_main_interpret (imain.c:214)
==2071==    by 0x4B3B19: gs_main_run_string_end (imain.c:526)
==2071==    by 0x4B39D6: gs_main_run_string_with_length (imain.c:484)
==2071==    by 0x4B3943: gs_main_run_string (imain.c:466)
==2071==    by 0x4B695A: run_string (imainarg.c:798)
==2071==    by 0x4B5086: swproc (imainarg.c:267)
==2071==    by 0x4B4DCB: gs_main_init_with_args (imainarg.c:200)
==2071==  Address 0xA1EA898 is 696 bytes inside a block of size 20,048 free'd
==2071==    at 0x4C2182B: free (vg_replace_malloc.c:233)
==2071==    by 0x84A208: gs_heap_free_object (gsmalloc.c:335)
==2071==    by 0x822443: alloc_free_chunk (gsalloc.c:1825)
==2071==    by 0x81E91F: i_free_all (gsalloc.c:411)
==2071==    by 0x51B46A: restore_free (isave.c:987)
==2071==    by 0x51AFB3: restore_space (isave.c:851)
==2071==    by 0x51ADA4: alloc_restore_step_in (isave.c:788)
==2071==    by 0x4EEA56: zrestore (zvmem.c:155)
==2071==    by 0x4A117C: z2restore (zdevice2.c:319)
==2071==    by 0x4BEFC7: call_operator (interp.c:111)
==2071==    by 0x4C2CFA: interp (interp.c:1538)
==2071==    by 0x4BF67C: gs_call_interp (interp.c:496)
==2071== 
==2071== Invalid read of size 2
==2071==    at 0x4BDBE5: real_dstack_find_name_by_index (idstack.c:152)
==2071==    by 0x4BD54F: dstack_find_name_by_index (idstack.c:50)
==2071==    by 0x4C1D8D: interp (interp.c:1210)
==2071==    by 0x4BF67C: gs_call_interp (interp.c:496)
==2071==    by 0x4BF4B4: gs_interpret (interp.c:454)
==2071==    by 0x4B2F5B: gs_main_interpret (imain.c:214)
==2071==    by 0x4B3B19: gs_main_run_string_end (imain.c:526)
==2071==    by 0x4B39D6: gs_main_run_string_with_length (imain.c:484)
==2071==    by 0x4B3943: gs_main_run_string (imain.c:466)
==2071==    by 0x4B695A: run_string (imainarg.c:798)
==2071==    by 0x4B5086: swproc (imainarg.c:267)
==2071==    by 0x4B4DCB: gs_main_init_with_args (imainarg.c:200)
==2071==  Address 0xA1EA892 is 690 bytes inside a block of size 20,048 free'd
==2071==    at 0x4C2182B: free (vg_replace_malloc.c:233)
==2071==    by 0x84A208: gs_heap_free_object (gsmalloc.c:335)
==2071==    by 0x822443: alloc_free_chunk (gsalloc.c:1825)
==2071==    by 0x81E91F: i_free_all (gsalloc.c:411)
==2071==    by 0x51B46A: restore_free (isave.c:987)
==2071==    by 0x51AFB3: restore_space (isave.c:851)
==2071==    by 0x51ADA4: alloc_restore_step_in (isave.c:788)
==2071==    by 0x4EEA56: zrestore (zvmem.c:155)
==2071==    by 0x4A117C: z2restore (zdevice2.c:319)
==2071==    by 0x4BEFC7: call_operator (interp.c:111)
==2071==    by 0x4C2CFA: interp (interp.c:1538)
==2071==    by 0x4BF67C: gs_call_interp (interp.c:496)
==2071== 
==2071== Invalid read of size 2
==2071==    at 0x4BDC0B: real_dstack_find_name_by_index (idstack.c:152)
==2071==    by 0x4BD54F: dstack_find_name_by_index (idstack.c:50)
==2071==    by 0x4C1D8D: interp (interp.c:1210)
==2071==    by 0x4BF67C: gs_call_interp (interp.c:496)
==2071==    by 0x4BF4B4: gs_interpret (interp.c:454)
==2071==    by 0x4B2F5B: gs_main_interpret (imain.c:214)
==2071==    by 0x4B3B19: gs_main_run_string_end (imain.c:526)
==2071==    by 0x4B39D6: gs_main_run_string_with_length (imain.c:484)
==2071==    by 0x4B3943: gs_main_run_string (imain.c:466)
==2071==    by 0x4B695A: run_string (imainarg.c:798)
==2071==    by 0x4B5086: swproc (imainarg.c:267)
==2071==    by 0x4B4DCB: gs_main_init_with_args (imainarg.c:200)
==2071==  Address 0xA1EA892 is 690 bytes inside a block of size 20,048 free'd
==2071==    at 0x4C2182B: free (vg_replace_malloc.c:233)
==2071==    by 0x84A208: gs_heap_free_object (gsmalloc.c:335)
==2071==    by 0x822443: alloc_free_chunk (gsalloc.c:1825)
==2071==    by 0x81E91F: i_free_all (gsalloc.c:411)
==2071==    by 0x51B46A: restore_free (isave.c:987)
==2071==    by 0x51AFB3: restore_space (isave.c:851)
==2071==    by 0x51ADA4: alloc_restore_step_in (isave.c:788)
==2071==    by 0x4EEA56: zrestore (zvmem.c:155)
==2071==    by 0x4A117C: z2restore (zdevice2.c:319)
==2071==    by 0x4BEFC7: call_operator (interp.c:111)
==2071==    by 0x4C2CFA: interp (interp.c:1538)
==2071==    by 0x4BF67C: gs_call_interp (interp.c:496)
==2071== 
==2071== Invalid read of size 1
==2071==    at 0x4BDCC0: real_dstack_find_name_by_index (idstack.c:156)
==2071==    by 0x4BD54F: dstack_find_name_by_index (idstack.c:50)
==2071==    by 0x4C1D8D: interp (interp.c:1210)
==2071==    by 0x4BF67C: gs_call_interp (interp.c:496)
==2071==    by 0x4BF4B4: gs_interpret (interp.c:454)
==2071==    by 0x4B2F5B: gs_main_interpret (imain.c:214)
==2071==    by 0x4B3B19: gs_main_run_string_end (imain.c:526)
==2071==    by 0x4B39D6: gs_main_run_string_with_length (imain.c:484)
==2071==    by 0x4B3943: gs_main_run_string (imain.c:466)
==2071==    by 0x4B695A: run_string (imainarg.c:798)
==2071==    by 0x4B5086: swproc (imainarg.c:267)
==2071==    by 0x4B4DCB: gs_main_init_with_args (imainarg.c:200)
==2071==  Address 0xA1EA9E1 is 1,025 bytes inside a block of size 20,048 free'd
==2071==    at 0x4C2182B: free (vg_replace_malloc.c:233)
==2071==    by 0x84A208: gs_heap_free_object (gsmalloc.c:335)
==2071==    by 0x822443: alloc_free_chunk (gsalloc.c:1825)
==2071==    by 0x81E91F: i_free_all (gsalloc.c:411)
==2071==    by 0x51B46A: restore_free (isave.c:987)
==2071==    by 0x51AFB3: restore_space (isave.c:851)
==2071==    by 0x51ADA4: alloc_restore_step_in (isave.c:788)
==2071==    by 0x4EEA56: zrestore (zvmem.c:155)
==2071==    by 0x4A117C: z2restore (zdevice2.c:319)
==2071==    by 0x4BEFC7: call_operator (interp.c:111)
==2071==    by 0x4C2CFA: interp (interp.c:1538)
==2071==    by 0x4BF67C: gs_call_interp (interp.c:496)
==2071== 
==2071== Invalid read of size 2
==2071==    at 0x4BDCD2: real_dstack_find_name_by_index (idstack.c:158)
==2071==    by 0x4BD54F: dstack_find_name_by_index (idstack.c:50)
==2071==    by 0x4C1D8D: interp (interp.c:1210)
==2071==    by 0x4BF67C: gs_call_interp (interp.c:496)
==2071==    by 0x4BF4B4: gs_interpret (interp.c:454)
==2071==    by 0x4B2F5B: gs_main_interpret (imain.c:214)
==2071==    by 0x4B3B19: gs_main_run_string_end (imain.c:526)
==2071==    by 0x4B39D6: gs_main_run_string_with_length (imain.c:484)
==2071==    by 0x4B3943: gs_main_run_string (imain.c:466)
==2071==    by 0x4B695A: run_string (imainarg.c:798)
==2071==    by 0x4B5086: swproc (imainarg.c:267)
==2071==    by 0x4B4DCB: gs_main_init_with_args (imainarg.c:200)
==2071==  Address 0xA1EA9E0 is 1,024 bytes inside a block of size 20,048 free'd
==2071==    at 0x4C2182B: free (vg_replace_malloc.c:233)
==2071==    by 0x84A208: gs_heap_free_object (gsmalloc.c:335)
==2071==    by 0x822443: alloc_free_chunk (gsalloc.c:1825)
==2071==    by 0x81E91F: i_free_all (gsalloc.c:411)
==2071==    by 0x51B46A: restore_free (isave.c:987)
==2071==    by 0x51AFB3: restore_space (isave.c:851)
==2071==    by 0x51ADA4: alloc_restore_step_in (isave.c:788)
==2071==    by 0x4EEA56: zrestore (zvmem.c:155)
==2071==    by 0x4A117C: z2restore (zdevice2.c:319)
==2071==    by 0x4BEFC7: call_operator (interp.c:111)
==2071==    by 0x4C2CFA: interp (interp.c:1538)
==2071==    by 0x4BF67C: gs_call_interp (interp.c:496)
23-12c RANGE 6 = 29106 Text 16870 ms 
/23-12c_Pg03 58212 def %matching 58212 

Final backchannel utterance: Test Done.
==2071== 
==2071== ERROR SUMMARY: 28616 errors from 13 contexts (suppressed: 8 from 1)
==2071== malloc/free: in use at exit: 6 bytes in 2 blocks.
==2071== malloc/free: 157,730 allocs, 157,728 frees, 935,812,133 bytes allocated.
==2071== For counts of detected errors, rerun with: -v
==2071== searching for pointers to 2 not-freed blocks.
==2071== checked 11,553,816 bytes.
==2071== 
==2071== LEAK SUMMARY:
==2071==    definitely lost: 6 bytes in 2 blocks.
==2071==      possibly lost: 0 bytes in 0 blocks.
==2071==    still reachable: 0 bytes in 0 blocks.
==2071==         suppressed: 0 bytes in 0 blocks.
==2071== Rerun with --leak-check=full to see details of leaked memory.
marcos@amd64:[2]% 
Comment 3 Alex Cherepanov 2009-06-12 04:49:29 UTC
On peeves, the tests run without significant Valgring warnings.
With the following change in igc.c
  static const bool I_FORCE_GLOBAL_GC = true;
there's no warnings at all.
Comment 4 Ray Johnston 2009-06-12 06:51:10 UTC
Thanks, Alex!

Based on Alex's determination, I am assigning this to Ralph as a memory
problem.

Ralph, if you disagree, or want to work on this together, let me (ray) know.

Comment 5 Alex Cherepanov 2009-06-13 10:33:35 UTC
I've tested the same files on MacOS X with i686-apple-darwin9-gcc-4.0.1 in
32-bit and 64-bit models. The 32-bit model was also tested under Valgrind.
Everything works just file.

I think, this is a local problem that requires debugging on the same box where
it was observed.
Comment 6 Marcos H. Woehrmann 2009-06-13 12:26:33 UTC
This bugs is very sensitive to the command line.  For example, this command line
seg faults:

head/bin/gs -I/home/marcos/artifex/ghostscript/gs/lib
-I/home/marcos/artifex/fonts -sOutputFile=test.pkm -dMaxBitmap=30000000
-sDEVICE=pkmraw -r72 -q -dNOPAUSE -dBATCH -K1000000 -dNOOUTERSAVE -c false 0
startjob pop -f %rom%Resource/Init/gs_cet.ps - < /home/marcos/artifex/23-12C.PS

This one does not:

cd /home/marcos/artifex
head/bin/gs -I./ghostscript/gs/lib -I/home/marcos/artifex/fonts
-sOutputFile=test.pkm -dMaxBitmap=30000000 -sDEVICE=pkmraw -r72 -q -dNOPAUSE
-dBATCH -K1000000 -dNOOUTERSAVE -c false 0 startjob pop -f
%rom%Resource/Init/gs_cet.ps - < /home/marcos/artifex/23-12C.PS

The only difference is the -I is specified absolutely in the first command line
and relative to the current directory in the second.

Since the COMPILE_INITS flag is set to 1 the inclusion of the lib directory
shouldn't matter in any case (and in fact the command runs without it).
Comment 7 Marcos H. Woehrmann 2009-06-13 12:50:06 UTC
BTW, this is is a regression, it first failed in r9772:

r9772 | ray | 2009-05-29 17:22:20 -0700 (Fri, 29 May 2009) | 16 lines

Fix the file stream opening logic so that when the open failed, it did not leave
buffers and other structures up to the GC for collection. This only affected PS
and PDF, but happened on files that needed fonts that were not immediately in the
Fontmap. This resulted in up to on the files from bug 690422.

Comment 8 Marcos H. Woehrmann 2009-06-13 12:54:56 UTC
On my computer the change to igc.c mentioned in comment #3 removes the first
three valgrind warnings (the ones related to gc_trace and gc_trace_chunk), but
the rest remain and the command still seg faults.
Comment 9 Alex Cherepanov 2009-06-14 07:25:34 UTC
I've reproduced Valgrind warning (but not crash) on peeves with the following
command line.

alexcher@peeves:~$ valgrind --db-attach=no gs_svn/gs/debugobj/gs
-I/home/alexcher/assssssssssaa -I/home/alexcher/gs_svn/
gs/Resource/Font/aaaa/aaaaa -sOutputFile=test.pkm -dMaxBitmap=30000000
-sDEVICE=pkmraw -r72 -q -dNOPAUSE -dBATCH -K10000
00 -dNOOUTERSAVE -c false 0 startjob pop -f %rom%Resource/Init/gs_cet.ps
/home/regression/tests_private/ps/ps3cet/23-12C
.PS

Both -I directories don't exist.
Comment 10 Ray Johnston 2009-07-08 00:24:10 UTC
please re-test with rev 9846.
Comment 11 Alex Cherepanov 2009-08-03 19:04:14 UTC
I cannot reproduce Valgrind warning in rev. 9846 or current HEAD (rev. 9920)
on the same host and the same command line.
Comment 12 Masaki Ushizaka 2009-08-03 21:43:05 UTC
Created attachment 5268 [details]
vlog-u64-r9931-r9772.txt

On my machine it still shows 3 warnings (Conditional jump or move) with r9931. 
I have 64-bit ubuntu 9.04 running on vmware fusion.  gcc version is (Ubuntu
4.3.3-5ubuntu4).  Command line was:

  $ valgrind bin/gs -Ilib -Ifonts -o test.pkm -sDEVICE=pkmraw -dNOOUTERSAVE -c
false 0 startjob pop -f %rom%Resource/Init/gs_cet.ps - <23-12C.PS

NOTE: I do NOT have fonts directory in my current directory.  I_FORCE_GLOBAL_GC
is false (untouched).

Revision 9772 shows similar warnings.  Both didn't crash though.
Comment 13 Alex Cherepanov 2009-08-04 05:56:12 UTC
The 3 messages about gc_trace_chunk() happen in most files.
This issue is tracked as a bug 690176. 

All these warnings disappear when I_FORCE_GLOBAL_GC is set to true in igc.c .
The error itself appears to be harmless and I usually run Valgrind with
forced global GC to reduce the noise.
Comment 14 Marcos H. Woehrmann 2009-08-05 13:42:39 UTC
I've disabled 23-12C.PS and 23-12J.PS from the nightly regression by renaming them in the repository; 
please re-enable them when this issue is resolved.
Comment 15 Henry Stiles 2009-08-17 14:13:30 UTC
Marcos can you still reproduce this problem?  Alex and Masaki indicate it fixed
and I can't reproduce it, only the usual UMR's with smark which is being worked
on separately.    Maybe there is still a problem on 64 bit linux?
Comment 16 Marcos H. Woehrmann 2009-08-17 21:40:05 UTC
It appears to have been fixed; no more seg faults on 64 bit linux and the errors
that valgrind reported are gone.

I'm closing and will re-enable the appropriate regression files.
Comment 17 Marcos H. Woehrmann 2009-08-19 23:26:43 UTC
I'm sorry to say the seg fault is back, at least with 23-12J.PS:

./gs/bin/gs -sOutputFile='|md5sum 
>>./temp/tests_private__ps__ps3cet__23-12J.PS.pbmraw.72.0.md5'
-dMaxBitmap=30000000 -sDEVICE=pbmraw -r72 -q -dNOPAUSE -dBATCH -K1000000
-dNOOUTERSAVE -dJOBSERVER -c false 0 startjob pop -f
%rom%Resource/Init/gs_cet.ps - <  ./tests_private/ps/ps3cet/23-12J.PS

% _Pg checksums collected from PhotoPRINT SE 5.0v2 version 3017.102 ^M
23-12j RANGE 7 ^M
23-12j RANGE 7 = 29106 Text 280 ms ^M
23-12j RANGE 8 ^M
Segmentation fault

Comment 18 Marcos H. Woehrmann 2009-08-21 21:34:04 UTC
The good news is that I've been able to make this happen running under a debugger:

(gdb) run  -sOutputFile=test.out -dMaxBitmap=30000000 -sDEVICE=pbmraw -r72 -q
-dNOPAUSE -dBATCH -K1000000 -dNOOUTERSAVE -dJOBSERVER -c false 0 startjob pop -f
%rom%Resource/Init/gs_cet.ps - < ../../tests_private/ps/ps3cet/23-12J.PS
Starting program: /home/marcos/artifex/nightly.pcl/ghostpdl/gs/debugobj/gs
-sOutputFile=test.out -dMaxBitmap=30000000 -sDEVICE=pbmraw -r72 -q -dNOPAUSE
-dBATCH -K1000000 -dNOOUTERSAVE -dJOBSERVER -c false 0 startjob pop -f
%rom%Resource/Init/gs_cet.ps - < ../../tests_private/ps/ps3cet/23-12J.PS
[Thread debugging using libthread_db enabled]
% _Pg checksums collected from PhotoPRINT SE 5.0v2 version 3017.102 
23-12j RANGE 7 
23-12j RANGE 7 = 29106 Text 360 ms 
23-12j RANGE 8 
[New Thread 0x7f1aff05b750 (LWP 7249)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f1aff05b750 (LWP 7249)]
0x00000000004b9201 in real_dstack_find_name_by_index (pds=0x1b140e8, nidx=6089)
at ./psi/idstack.c:152
152                         if (name_index(_mem_not_used, kp) == nidx) {
(gdb) where
#0  0x00000000004b9201 in real_dstack_find_name_by_index (pds=0x1b140e8,
nidx=6089) at ./psi/idstack.c:152
#1  0x00000000004b8b10 in dstack_find_name_by_index (pds=0x1b140e8, nidx=6089)
at ./psi/idstack.c:50
#2  0x00000000004bd3a4 in interp (pi_ctx_p=0x1ad5318, pref=0x7fff0707d4e0,
perror_object=0x7fff0707d5b0) at ./psi/interp.c:1210
#3  0x00000000004bac9f in gs_call_interp (pi_ctx_p=0x1ad5318,
pref=0x7fff0707d4e0, user_errors=1, pexit_code=0x7fff0707d5cc,
perror_object=0x7fff0707d5b0) at ./psi/interp.c:496
#4  0x00000000004baad9 in gs_interpret (pi_ctx_p=0x1ad5318, pref=0x7fff0707d4e0,
user_errors=1, pexit_code=0x7fff0707d5cc, perror_object=0x7fff0707d5b0) at
./psi/interp.c:454
#5  0x00000000004ae590 in gs_main_interpret (minst=0x1ad5280,
pref=0x7fff0707d4e0, user_errors=1, pexit_code=0x7fff0707d5cc,
perror_object=0x7fff0707d5b0) at ./psi/imain.c:214
#6  0x00000000004af14d in gs_main_run_string_end (minst=0x1ad5280,
user_errors=1, pexit_code=0x7fff0707d5cc, perror_object=0x7fff0707d5b0) at
./psi/imain.c:526
#7  0x00000000004af00a in gs_main_run_string_with_length (minst=0x1ad5280,
str=0x8ead8e ".runstdin", length=9, user_errors=1, pexit_code=0x7fff0707d5cc, 
    perror_object=0x7fff0707d5b0) at ./psi/imain.c:484
#8  0x00000000004aef77 in gs_main_run_string (minst=0x1ad5280, str=0x8ead8e
".runstdin", user_errors=1, pexit_code=0x7fff0707d5cc, perror_object=0x7fff0707d5b0)
    at ./psi/imain.c:466
#9  0x00000000004b1f78 in run_string (minst=0x1ad5280, str=0x8ead8e ".runstdin",
options=2) at ./psi/imainarg.c:798
#10 0x00000000004b06a9 in swproc (minst=0x1ad5280, arg=0x7fff0707fa07
"USER=marcos", pal=0x7fff0707db50) at ./psi/imainarg.c:267
#11 0x00000000004b03ee in gs_main_init_with_args (minst=0x1ad5280, argc=19,
argv=0x7fff0707e648) at ./psi/imainarg.c:200
#12 0x00000000004053fd in main (argc=19, argv=0x7fff0707e648) at ./psi/gs.c:77
(gdb) 
Comment 19 Marcos H. Woehrmann 2009-08-21 22:15:11 UTC
Curiouser and curiouser...

This command builds a gs that fails:

  make distclean ; ./autogen.sh --prefix=/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX ; make

this one works:

  make distclean ; ./autogen.sh --prefix=/XXXXXXXXXXXXXXXXXXXXXXXXXXX ; make

Note that in either case I never run 'make install', I just execute Ghostscript
via 'bin/gs'.

The executable contains the string given by the --prefix option eight times, so
varying the length of the string does cause things to move around in memory.
Comment 20 Henry Stiles 2009-08-28 15:01:53 UTC
This is probably not an issue on your linux machine but on the mac pro I use the
following to build 64 bit:

make XCFLAGS="-arch x86_64" XLDFLAGS="-arch x86_64"

but the flags are not propagated to genarch so the arch.h file is wrong,
resulting in many problems.  I guess that should be a separate bug for Ralph.

If there is some prescription for building a 64 bit gs app on mac os let me
know, for now I'll hack up the Makefile.
Comment 21 Henry Stiles 2009-08-28 15:24:34 UTC
After fixing the problem explained in comment #20 by changing the Makefile

to:

  CCAUX=$(CC) $(CFLAGS)

from:

  CCAUX=$(CC) $(GCFLAGS)

the file works (I did verify longs and ptrs are 8 bytes), so I guess I'll need
login information emailed to me to work on this further.
Comment 22 Marcos H. Woehrmann 2009-08-28 18:32:57 UTC
In answer to comment #20 I use:

  ./autogen.sh CC="gcc -m64" ; make

to force 64 bit builds and the same with -m32 for 32 bit builds.

The GhostPDL build system doesn't use autogen.sh so instead I use:

  make pcl "CC=gcc -m64" "CCLD=gcc -m64" 
Comment 23 Henry Stiles 2009-08-29 11:36:29 UTC
I really can't make progress on this without a machine to reproduce it, I can't
even use mac valgrind because it doesn't work with 64-bit Mach-O exes.  Assign
it back when you have a machine available.

I will say we desperately need to integrate valgrind into gs, the problems being
reported are severely understated.  More specifically there are many
uninitialized problems with respect the ghostscript allocator that valgrind
never sees.  For example, in studying the ptr_struct_mark() issue there are
hundreds of problems not reported by valgrind because the memory is recycled
through the gs allocator without every returning to the system's malloc and free
where it would be tracked by valgrind.
Comment 24 Marcos H. Woehrmann 2009-08-29 18:30:52 UTC
I tried but can't get the problem to occur with the current head.  When (if?) I'm able reproduce it I'll setup 
an account for testing.
Comment 25 Alex Cherepanov 2009-08-29 19:30:12 UTC
I can reproduce valgrind warnings in the current revision on i7a with the
following command line.

valgrind gs/debugobj/gs -IBBBBBBBBBBBBBBBBBBBBBB -dNOGC -sOutputFile=/dev/null
-dMaxBitmap=30000000 -sDEVICE=pbmraw -r72
 -dNOPAUSE -dBATCH -K1000000 -dNOOUTERSAVE -dJOBSERVER -c false 0 startjob pop
-f ./gs/Resource/Init/gs_cet.ps -
</home/ghostscript/tests_private/ps/ps3cet/23-12J.PS.disabled
Comment 26 Alex Cherepanov 2009-08-29 19:32:10 UTC
Please take out -dNOGC from the command line above. The warnings
disappear with -dNOGC.
Comment 27 Ralph Giles 2009-08-31 10:03:19 UTC
While I agree Marcos' override of CC in comment #22 is the safer approach, I've
committed Henry's change from #21 as r10030, so XCFLAGS should work for changing
the target width now.
Comment 28 Marcos H. Woehrmann 2009-09-01 19:06:11 UTC
Good news!  I can reliably make this happen on peeves with the current head (r10039).  To reproduce 
follow these steps precisely:

svn co http://svn.ghostscript.com/ghostscript/trunk/gs -r10039 gs.10039

cd gs.10039

autogen.sh CC="gcc -m64" --disable-cups --disable-fontconfig \
  --disable-cairo --prefix=/home/marcos/cluster/gs
 
make

./bin/gs -sOutputFile=test.pgm -sDEVICE=pgmraw \
  -dNOOUTERSAVE -dJOBSERVER -c false 0 startjob pop \
  -f %rom%Resource/Init/gs_cet.ps - < /home/marcos/23-12C.PS
Comment 29 Marcos H. Woehrmann 2009-09-01 19:31:05 UTC
And it also fails with 'make debug':

marcos@peeves:[45]% gdb debugobj/gs
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu"...
(gdb) run  -sOutputFile=test.pgm -sDEVICE=pgmraw -dNOOUTERSAVE -dJOBSERVER -c false 0 
startjob pop -f %rom%Resource/Init/gs_cet.ps - < /home/marcos/23-12C.PS
Starting program: /home/marcos/gs.10039/debugobj/gs -sOutputFile=test.pgm -sDEVICE=pgmraw -
dNOOUTERSAVE -dJOBSERVER -c false 0 startjob pop -f %rom%Resource/Init/gs_cet.ps - < 
/home/marcos/23-12C.PS
[Thread debugging using libthread_db enabled]
GPL Ghostscript SVN PRE-RELEASE 8.71 (2009-08-01)
Copyright (C) 2009 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
Loading NimbusSanL-Bold font from %rom%Resource/Font/NimbusSanL-Bold... 3017944 1553289 
3633112 2312210 1 done.
% _Pg checksums collected from PhotoPRINT SE 5.0v2 version 3017.102 
23-12c RANGE 1 
Loading NimbusRomNo9L-Regu font from %rom%Resource/Font/NimbusRomNo9L-Regu... 3059160 
1717765 3713848 2372836 1 done.
23-12c RANGE 1 = 29106 Text 250 ms 
23-12c RANGE 2 
23-12c RANGE 2 = 29106 Text 230 ms 
/23-12c_Pg01 58212 def %matching 58212 
23-12c RANGE 3 
23-12c RANGE 3 = 29106 Text 230 ms 
23-12c RANGE 4 
23-12c RANGE 4 = 29106 Text 380 ms 
/23-12c_Pg02 58212 def %matching 58212 
23-12c RANGE 5 
23-12c RANGE 5 = 29106 Text 230 ms 
23-12c RANGE 6 
[New Thread 0x7fe365af5750 (LWP 18915)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fe365af5750 (LWP 18915)]
0x00000000004b63e2 in real_dict_find (pdref=0x32adba8, pkey=0x3296f48, 
ppvalue=0x7fff6db1d580) at ./psi/idict.c:378
378			if (name_index(mem, kp) == nidx) {
(gdb) where
#0  0x00000000004b63e2 in real_dict_find (pdref=0x32adba8, pkey=0x3296f48, 
ppvalue=0x7fff6db1d580) at ./psi/idict.c:378
#1  0x00000000004b54d2 in dict_find (pdref=0x32adba8, pkey=0x3296f48, 
ppvalue=0x7fff6db1d580) at ./psi/idict.c:87
#2  0x00000000004d4553 in zop_def (i_ctx_p=0x32adff0) at ./psi/zdict.c:141
#3  0x00000000004bbce2 in interp (pi_ctx_p=0x326f318, pref=0x7fff6db1df90, 
perror_object=0x7fff6db1e060) at ./psi/interp.c:1006
#4  0x00000000004bac97 in gs_call_interp (pi_ctx_p=0x326f318, pref=0x7fff6db1df90, 
user_errors=1, pexit_code=0x7fff6db1e07c, perror_object=0x7fff6db1e060) at ./psi/interp.c:496
#5  0x00000000004baad1 in gs_interpret (pi_ctx_p=0x326f318, pref=0x7fff6db1df90, user_errors=1, 
pexit_code=0x7fff6db1e07c, perror_object=0x7fff6db1e060) at ./psi/interp.c:454
#6  0x00000000004ae588 in gs_main_interpret (minst=0x326f280, pref=0x7fff6db1df90, 
user_errors=1, pexit_code=0x7fff6db1e07c, perror_object=0x7fff6db1e060) at ./psi/imain.c:214
#7  0x00000000004af145 in gs_main_run_string_end (minst=0x326f280, user_errors=1, 
pexit_code=0x7fff6db1e07c, perror_object=0x7fff6db1e060) at ./psi/imain.c:526
#8  0x00000000004af002 in gs_main_run_string_with_length (minst=0x326f280, str=0x8ead0e 
".runstdin", length=9, user_errors=1, pexit_code=0x7fff6db1e07c, perror_object=0x7fff6db1e060) at 
./psi/imain.c:484
#9  0x00000000004aef6f in gs_main_run_string (minst=0x326f280, str=0x8ead0e ".runstdin", 
user_errors=1, pexit_code=0x7fff6db1e07c, perror_object=0x7fff6db1e060) at ./psi/imain.c:466
#10 0x00000000004b1f70 in run_string (minst=0x326f280, str=0x8ead0e ".runstdin", options=2) at 
./psi/imainarg.c:798
#11 0x00000000004b06a1 in swproc (minst=0x326f280, arg=0x7fff6db1f8eb 
"REMOTEHOST=67.169.4.146", pal=0x7fff6db1e600) at ./psi/imainarg.c:267
#12 0x00000000004b03e6 in gs_main_init_with_args (minst=0x326f280, argc=13, 
argv=0x7fff6db1f0f8) at ./psi/imainarg.c:200
#13 0x00000000004053fd in main (argc=13, argv=0x7fff6db1f0f8) at ./psi/gs.c:77
(gdb) 
Comment 30 Marcos H. Woehrmann 2009-09-01 20:10:45 UTC
And here's the valgrind output:

marcos@peeves:[46]% valgrind ./debugobj/gs -sOutputFile=test.pgm -sDEVICE=pgmraw -
dNOOUTERSAVE -dJOBSERVER -c false 0 startjob pop -f %rom%Resource/Init/gs_cet.ps - < 
/home/marcos/23-12C.PS
==19091== Memcheck, a memory error detector.
==19091== Copyright (C) 2002-2008, and GNU GPL'd, by Julian Seward et al.
==19091== Using LibVEX rev 1884, a library for dynamic binary translation.
==19091== Copyright (C) 2004-2008, and GNU GPL'd, by OpenWorks LLP.
==19091== Using valgrind-3.4.1-Debian, a dynamic binary instrumentation framework.
==19091== Copyright (C) 2000-2008, and GNU GPL'd, by Julian Seward et al.
==19091== For more details, rerun with: -v
==19091== 
GPL Ghostscript SVN PRE-RELEASE 8.71 (2009-08-01)
Copyright (C) 2009 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
Loading NimbusSanL-Bold font from %rom%Resource/Font/NimbusSanL-Bold... 3017944 1553289 
3633112 2312210 1 done.
% _Pg checksums collected from PhotoPRINT SE 5.0v2 version 3017.102 
23-12c RANGE 1 
Loading NimbusRomNo9L-Regu font from %rom%Resource/Font/NimbusRomNo9L-Regu... 3059160 
1717765 3713848 2372836 1 done.
23-12c RANGE 1 = 29106 Text 7820 ms 
23-12c RANGE 2 
23-12c RANGE 2 = 29106 Text 7270 ms 
/23-12c_Pg01 58212 def %matching 58212 
23-12c RANGE 3 
23-12c RANGE 3 = 29106 Text 7200 ms 
23-12c RANGE 4 
23-12c RANGE 4 = 29106 Text 11050 ms 
/23-12c_Pg02 58212 def %matching 58212 
23-12c RANGE 5 
23-12c RANGE 5 = 29106 Text 7360 ms 
23-12c RANGE 6 
==19091== Invalid read of size 1
==19091==    at 0x4B639E: real_dict_find (idict.c:377)
==19091==    by 0x4B54D1: dict_find (idict.c:87)
==19091==    by 0x4D4552: zop_def (zdict.c:141)
==19091==    by 0x4BBCE1: interp (interp.c:1006)
==19091==    by 0x4BAC96: gs_call_interp (interp.c:496)
==19091==    by 0x4BAAD0: gs_interpret (interp.c:454)
==19091==    by 0x4AE587: gs_main_interpret (imain.c:214)
==19091==    by 0x4AF144: gs_main_run_string_end (imain.c:526)
==19091==    by 0x4AF001: gs_main_run_string_with_length (imain.c:484)
==19091==    by 0x4AEF6E: gs_main_run_string (imain.c:466)
==19091==    by 0x4B1F6F: run_string (imainarg.c:798)
==19091==    by 0x4B06A0: swproc (imainarg.c:267)
==19091==  Address 0x7b5f119 is 193 bytes inside a block of size 20,048 free'd
==19091==    at 0x4C265AF: free (vg_replace_malloc.c:323)
==19091==    by 0x83AF15: gs_heap_free_object (gsmalloc.c:335)
==19091==    by 0x813260: alloc_free_chunk (gsalloc.c:1831)
==19091==    by 0x80F7AF: i_free_all (gsalloc.c:411)
==19091==    by 0x516A88: restore_free (isave.c:987)
==19091==    by 0x5165BE: restore_space (isave.c:851)
==19091==    by 0x51638B: alloc_restore_step_in (isave.c:788)
==19091==    by 0x4EA15B: zrestore (zvmem.c:155)
==19091==    by 0x49A974: z2restore (zdevice2.c:319)
==19091==    by 0x4BA5E3: call_operator (interp.c:111)
==19091==    by 0x4BE2F3: interp (interp.c:1538)
==19091==    by 0x4BAC96: gs_call_interp (interp.c:496)
==19091== 
==19091== Invalid read of size 8
==19091==    at 0x4B63C0: real_dict_find (idict.c:378)
==19091==    by 0x4B54D1: dict_find (idict.c:87)
==19091==    by 0x4D4552: zop_def (zdict.c:141)
==19091==    by 0x4BBCE1: interp (interp.c:1006)
==19091==    by 0x4BAC96: gs_call_interp (interp.c:496)
==19091==    by 0x4BAAD0: gs_interpret (interp.c:454)
==19091==    by 0x4AE587: gs_main_interpret (imain.c:214)
==19091==    by 0x4AF144: gs_main_run_string_end (imain.c:526)
==19091==    by 0x4AF001: gs_main_run_string_with_length (imain.c:484)
==19091==    by 0x4AEF6E: gs_main_run_string (imain.c:466)
==19091==    by 0x4B1F6F: run_string (imainarg.c:798)
==19091==    by 0x4B06A0: swproc (imainarg.c:267)
==19091==  Address 0x7b5f120 is 200 bytes inside a block of size 20,048 free'd
==19091==    at 0x4C265AF: free (vg_replace_malloc.c:323)
==19091==    by 0x83AF15: gs_heap_free_object (gsmalloc.c:335)
==19091==    by 0x813260: alloc_free_chunk (gsalloc.c:1831)
==19091==    by 0x80F7AF: i_free_all (gsalloc.c:411)
==19091==    by 0x516A88: restore_free (isave.c:987)
==19091==    by 0x5165BE: restore_space (isave.c:851)
==19091==    by 0x51638B: alloc_restore_step_in (isave.c:788)
==19091==    by 0x4EA15B: zrestore (zvmem.c:155)
==19091==    by 0x49A974: z2restore (zdevice2.c:319)
==19091==    by 0x4BA5E3: call_operator (interp.c:111)
==19091==    by 0x4BE2F3: interp (interp.c:1538)
==19091==    by 0x4BAC96: gs_call_interp (interp.c:496)
==19091== 
==19091== Invalid read of size 2
==19091==    at 0x4B63CB: real_dict_find (idict.c:378)
==19091==    by 0x4B54D1: dict_find (idict.c:87)
==19091==    by 0x4D4552: zop_def (zdict.c:141)
==19091==    by 0x4BBCE1: interp (interp.c:1006)
==19091==    by 0x4BAC96: gs_call_interp (interp.c:496)
==19091==    by 0x4BAAD0: gs_interpret (interp.c:454)
==19091==    by 0x4AE587: gs_main_interpret (imain.c:214)
==19091==    by 0x4AF144: gs_main_run_string_end (imain.c:526)
==19091==    by 0x4AF001: gs_main_run_string_with_length (imain.c:484)
==19091==    by 0x4AEF6E: gs_main_run_string (imain.c:466)
==19091==    by 0x4B1F6F: run_string (imainarg.c:798)
==19091==    by 0x4B06A0: swproc (imainarg.c:267)
==19091==  Address 0x7b5f11a is 194 bytes inside a block of size 20,048 free'd
==19091==    at 0x4C265AF: free (vg_replace_malloc.c:323)
==19091==    by 0x83AF15: gs_heap_free_object (gsmalloc.c:335)
==19091==    by 0x813260: alloc_free_chunk (gsalloc.c:1831)
==19091==    by 0x80F7AF: i_free_all (gsalloc.c:411)
==19091==    by 0x516A88: restore_free (isave.c:987)
==19091==    by 0x5165BE: restore_space (isave.c:851)
==19091==    by 0x51638B: alloc_restore_step_in (isave.c:788)
==19091==    by 0x4EA15B: zrestore (zvmem.c:155)
==19091==    by 0x49A974: z2restore (zdevice2.c:319)
==19091==    by 0x4BA5E3: call_operator (interp.c:111)
==19091==    by 0x4BE2F3: interp (interp.c:1538)
==19091==    by 0x4BAC96: gs_call_interp (interp.c:496)
==19091== 
==19091== Invalid read of size 2
==19091==    at 0x4B63EF: real_dict_find (idict.c:378)
==19091==    by 0x4B54D1: dict_find (idict.c:87)
==19091==    by 0x4D4552: zop_def (zdict.c:141)
==19091==    by 0x4BBCE1: interp (interp.c:1006)
==19091==    by 0x4BAC96: gs_call_interp (interp.c:496)
==19091==    by 0x4BAAD0: gs_interpret (interp.c:454)
==19091==    by 0x4AE587: gs_main_interpret (imain.c:214)
==19091==    by 0x4AF144: gs_main_run_string_end (imain.c:526)
==19091==    by 0x4AF001: gs_main_run_string_with_length (imain.c:484)
==19091==    by 0x4AEF6E: gs_main_run_string (imain.c:466)
==19091==    by 0x4B1F6F: run_string (imainarg.c:798)
==19091==    by 0x4B06A0: swproc (imainarg.c:267)
==19091==  Address 0x7b5f11a is 194 bytes inside a block of size 20,048 free'd
==19091==    at 0x4C265AF: free (vg_replace_malloc.c:323)
==19091==    by 0x83AF15: gs_heap_free_object (gsmalloc.c:335)
==19091==    by 0x813260: alloc_free_chunk (gsalloc.c:1831)
==19091==    by 0x80F7AF: i_free_all (gsalloc.c:411)
==19091==    by 0x516A88: restore_free (isave.c:987)
==19091==    by 0x5165BE: restore_space (isave.c:851)
==19091==    by 0x51638B: alloc_restore_step_in (isave.c:788)
==19091==    by 0x4EA15B: zrestore (zvmem.c:155)
==19091==    by 0x49A974: z2restore (zdevice2.c:319)
==19091==    by 0x4BA5E3: call_operator (interp.c:111)
==19091==    by 0x4BE2F3: interp (interp.c:1538)
==19091==    by 0x4BAC96: gs_call_interp (interp.c:496)
==19091== 
==19091== Invalid read of size 1
==19091==    at 0x4B91C5: real_dstack_find_name_by_index (idstack.c:151)
==19091==    by 0x4B8B07: dstack_find_name_by_index (idstack.c:50)
==19091==    by 0x4BD39B: interp (interp.c:1210)
==19091==    by 0x4BAC96: gs_call_interp (interp.c:496)
==19091==    by 0x4BAAD0: gs_interpret (interp.c:454)
==19091==    by 0x4AE587: gs_main_interpret (imain.c:214)
==19091==    by 0x4AF144: gs_main_run_string_end (imain.c:526)
==19091==    by 0x4AF001: gs_main_run_string_with_length (imain.c:484)
==19091==    by 0x4AEF6E: gs_main_run_string (imain.c:466)
==19091==    by 0x4B1F6F: run_string (imainarg.c:798)
==19091==    by 0x4B06A0: swproc (imainarg.c:267)
==19091==    by 0x4B03E5: gs_main_init_with_args (imainarg.c:200)
==19091==  Address 0x7b5f169 is 273 bytes inside a block of size 20,048 free'd
==19091==    at 0x4C265AF: free (vg_replace_malloc.c:323)
==19091==    by 0x83AF15: gs_heap_free_object (gsmalloc.c:335)
==19091==    by 0x813260: alloc_free_chunk (gsalloc.c:1831)
==19091==    by 0x80F7AF: i_free_all (gsalloc.c:411)
==19091==    by 0x516A88: restore_free (isave.c:987)
==19091==    by 0x5165BE: restore_space (isave.c:851)
==19091==    by 0x51638B: alloc_restore_step_in (isave.c:788)
==19091==    by 0x4EA15B: zrestore (zvmem.c:155)
==19091==    by 0x49A974: z2restore (zdevice2.c:319)
==19091==    by 0x4BA5E3: call_operator (interp.c:111)
==19091==    by 0x4BE2F3: interp (interp.c:1538)
==19091==    by 0x4BAC96: gs_call_interp (interp.c:496)
==19091== 
==19091== Invalid read of size 8
==19091==    at 0x4B91D7: real_dstack_find_name_by_index (idstack.c:152)
==19091==    by 0x4B8B07: dstack_find_name_by_index (idstack.c:50)
==19091==    by 0x4BD39B: interp (interp.c:1210)
==19091==    by 0x4BAC96: gs_call_interp (interp.c:496)
==19091==    by 0x4BAAD0: gs_interpret (interp.c:454)
==19091==    by 0x4AE587: gs_main_interpret (imain.c:214)
==19091==    by 0x4AF144: gs_main_run_string_end (imain.c:526)
==19091==    by 0x4AF001: gs_main_run_string_with_length (imain.c:484)
==19091==    by 0x4AEF6E: gs_main_run_string (imain.c:466)
==19091==    by 0x4B1F6F: run_string (imainarg.c:798)
==19091==    by 0x4B06A0: swproc (imainarg.c:267)
==19091==    by 0x4B03E5: gs_main_init_with_args (imainarg.c:200)
==19091==  Address 0x7b5f170 is 280 bytes inside a block of size 20,048 free'd
==19091==    at 0x4C265AF: free (vg_replace_malloc.c:323)
==19091==    by 0x83AF15: gs_heap_free_object (gsmalloc.c:335)
==19091==    by 0x813260: alloc_free_chunk (gsalloc.c:1831)
==19091==    by 0x80F7AF: i_free_all (gsalloc.c:411)
==19091==    by 0x516A88: restore_free (isave.c:987)
==19091==    by 0x5165BE: restore_space (isave.c:851)
==19091==    by 0x51638B: alloc_restore_step_in (isave.c:788)
==19091==    by 0x4EA15B: zrestore (zvmem.c:155)
==19091==    by 0x49A974: z2restore (zdevice2.c:319)
==19091==    by 0x4BA5E3: call_operator (interp.c:111)
==19091==    by 0x4BE2F3: interp (interp.c:1538)
==19091==    by 0x4BAC96: gs_call_interp (interp.c:496)
==19091== 
==19091== Invalid read of size 2
==19091==    at 0x4B91E2: real_dstack_find_name_by_index (idstack.c:152)
==19091==    by 0x4B8B07: dstack_find_name_by_index (idstack.c:50)
==19091==    by 0x4BD39B: interp (interp.c:1210)
==19091==    by 0x4BAC96: gs_call_interp (interp.c:496)
==19091==    by 0x4BAAD0: gs_interpret (interp.c:454)
==19091==    by 0x4AE587: gs_main_interpret (imain.c:214)
==19091==    by 0x4AF144: gs_main_run_string_end (imain.c:526)
==19091==    by 0x4AF001: gs_main_run_string_with_length (imain.c:484)
==19091==    by 0x4AEF6E: gs_main_run_string (imain.c:466)
==19091==    by 0x4B1F6F: run_string (imainarg.c:798)
==19091==    by 0x4B06A0: swproc (imainarg.c:267)
==19091==    by 0x4B03E5: gs_main_init_with_args (imainarg.c:200)
==19091==  Address 0x7b5f16a is 274 bytes inside a block of size 20,048 free'd
==19091==    at 0x4C265AF: free (vg_replace_malloc.c:323)
==19091==    by 0x83AF15: gs_heap_free_object (gsmalloc.c:335)
==19091==    by 0x813260: alloc_free_chunk (gsalloc.c:1831)
==19091==    by 0x80F7AF: i_free_all (gsalloc.c:411)
==19091==    by 0x516A88: restore_free (isave.c:987)
==19091==    by 0x5165BE: restore_space (isave.c:851)
==19091==    by 0x51638B: alloc_restore_step_in (isave.c:788)
==19091==    by 0x4EA15B: zrestore (zvmem.c:155)
==19091==    by 0x49A974: z2restore (zdevice2.c:319)
==19091==    by 0x4BA5E3: call_operator (interp.c:111)
==19091==    by 0x4BE2F3: interp (interp.c:1538)
==19091==    by 0x4BAC96: gs_call_interp (interp.c:496)
==19091== 
==19091== Invalid read of size 2
==19091==    at 0x4B9206: real_dstack_find_name_by_index (idstack.c:152)
==19091==    by 0x4B8B07: dstack_find_name_by_index (idstack.c:50)
==19091==    by 0x4BD39B: interp (interp.c:1210)
==19091==    by 0x4BAC96: gs_call_interp (interp.c:496)
==19091==    by 0x4BAAD0: gs_interpret (interp.c:454)
==19091==    by 0x4AE587: gs_main_interpret (imain.c:214)
==19091==    by 0x4AF144: gs_main_run_string_end (imain.c:526)
==19091==    by 0x4AF001: gs_main_run_string_with_length (imain.c:484)
==19091==    by 0x4AEF6E: gs_main_run_string (imain.c:466)
==19091==    by 0x4B1F6F: run_string (imainarg.c:798)
==19091==    by 0x4B06A0: swproc (imainarg.c:267)
==19091==    by 0x4B03E5: gs_main_init_with_args (imainarg.c:200)
==19091==  Address 0x7b5f16a is 274 bytes inside a block of size 20,048 free'd
==19091==    at 0x4C265AF: free (vg_replace_malloc.c:323)
==19091==    by 0x83AF15: gs_heap_free_object (gsmalloc.c:335)
==19091==    by 0x813260: alloc_free_chunk (gsalloc.c:1831)
==19091==    by 0x80F7AF: i_free_all (gsalloc.c:411)
==19091==    by 0x516A88: restore_free (isave.c:987)
==19091==    by 0x5165BE: restore_space (isave.c:851)
==19091==    by 0x51638B: alloc_restore_step_in (isave.c:788)
==19091==    by 0x4EA15B: zrestore (zvmem.c:155)
==19091==    by 0x49A974: z2restore (zdevice2.c:319)
==19091==    by 0x4BA5E3: call_operator (interp.c:111)
==19091==    by 0x4BE2F3: interp (interp.c:1538)
==19091==    by 0x4BAC96: gs_call_interp (interp.c:496)
==19091== 
==19091== Invalid read of size 1
==19091==    at 0x4B92CB: real_dstack_find_name_by_index (idstack.c:156)
==19091==    by 0x4B8B07: dstack_find_name_by_index (idstack.c:50)
==19091==    by 0x4BD39B: interp (interp.c:1210)
==19091==    by 0x4BAC96: gs_call_interp (interp.c:496)
==19091==    by 0x4BAAD0: gs_interpret (interp.c:454)
==19091==    by 0x4AE587: gs_main_interpret (imain.c:214)
==19091==    by 0x4AF144: gs_main_run_string_end (imain.c:526)
==19091==    by 0x4AF001: gs_main_run_string_with_length (imain.c:484)
==19091==    by 0x4AEF6E: gs_main_run_string (imain.c:466)
==19091==    by 0x4B1F6F: run_string (imainarg.c:798)
==19091==    by 0x4B06A0: swproc (imainarg.c:267)
==19091==    by 0x4B03E5: gs_main_init_with_args (imainarg.c:200)
==19091==  Address 0x7b5f2b9 is 609 bytes inside a block of size 20,048 free'd
==19091==    at 0x4C265AF: free (vg_replace_malloc.c:323)
==19091==    by 0x83AF15: gs_heap_free_object (gsmalloc.c:335)
==19091==    by 0x813260: alloc_free_chunk (gsalloc.c:1831)
==19091==    by 0x80F7AF: i_free_all (gsalloc.c:411)
==19091==    by 0x516A88: restore_free (isave.c:987)
==19091==    by 0x5165BE: restore_space (isave.c:851)
==19091==    by 0x51638B: alloc_restore_step_in (isave.c:788)
==19091==    by 0x4EA15B: zrestore (zvmem.c:155)
==19091==    by 0x49A974: z2restore (zdevice2.c:319)
==19091==    by 0x4BA5E3: call_operator (interp.c:111)
==19091==    by 0x4BE2F3: interp (interp.c:1538)
==19091==    by 0x4BAC96: gs_call_interp (interp.c:496)
==19091== 
==19091== Invalid read of size 2
==19091==    at 0x4B92DD: real_dstack_find_name_by_index (idstack.c:158)
==19091==    by 0x4B8B07: dstack_find_name_by_index (idstack.c:50)
==19091==    by 0x4BD39B: interp (interp.c:1210)
==19091==    by 0x4BAC96: gs_call_interp (interp.c:496)
==19091==    by 0x4BAAD0: gs_interpret (interp.c:454)
==19091==    by 0x4AE587: gs_main_interpret (imain.c:214)
==19091==    by 0x4AF144: gs_main_run_string_end (imain.c:526)
==19091==    by 0x4AF001: gs_main_run_string_with_length (imain.c:484)
==19091==    by 0x4AEF6E: gs_main_run_string (imain.c:466)
==19091==    by 0x4B1F6F: run_string (imainarg.c:798)
==19091==    by 0x4B06A0: swproc (imainarg.c:267)
==19091==    by 0x4B03E5: gs_main_init_with_args (imainarg.c:200)
==19091==  Address 0x7b5f2b8 is 608 bytes inside a block of size 20,048 free'd
==19091==    at 0x4C265AF: free (vg_replace_malloc.c:323)
==19091==    by 0x83AF15: gs_heap_free_object (gsmalloc.c:335)
==19091==    by 0x813260: alloc_free_chunk (gsalloc.c:1831)
==19091==    by 0x80F7AF: i_free_all (gsalloc.c:411)
==19091==    by 0x516A88: restore_free (isave.c:987)
==19091==    by 0x5165BE: restore_space (isave.c:851)
==19091==    by 0x51638B: alloc_restore_step_in (isave.c:788)
==19091==    by 0x4EA15B: zrestore (zvmem.c:155)
==19091==    by 0x49A974: z2restore (zdevice2.c:319)
==19091==    by 0x4BA5E3: call_operator (interp.c:111)
==19091==    by 0x4BE2F3: interp (interp.c:1538)
==19091==    by 0x4BAC96: gs_call_interp (interp.c:496)
==19091== 
==19091== Conditional jump or move depends on uninitialised value(s)
==19091==    at 0x4B63B3: real_dict_find (idict.c:377)
==19091==    by 0x4B54D1: dict_find (idict.c:87)
==19091==    by 0x4D4552: zop_def (zdict.c:141)
==19091==    by 0x4BBCE1: interp (interp.c:1006)
==19091==    by 0x4BAC96: gs_call_interp (interp.c:496)
==19091==    by 0x4BAAD0: gs_interpret (interp.c:454)
==19091==    by 0x4AE587: gs_main_interpret (imain.c:214)
==19091==    by 0x4AF144: gs_main_run_string_end (imain.c:526)
==19091==    by 0x4AF001: gs_main_run_string_with_length (imain.c:484)
==19091==    by 0x4AEF6E: gs_main_run_string (imain.c:466)
==19091==    by 0x4B1F6F: run_string (imainarg.c:798)
==19091==    by 0x4B06A0: swproc (imainarg.c:267)
==19091== 
==19091== Conditional jump or move depends on uninitialised value(s)
==19091==    at 0x4B6446: real_dict_find (idict.c:382)
==19091==    by 0x4B54D1: dict_find (idict.c:87)
==19091==    by 0x4D4552: zop_def (zdict.c:141)
==19091==    by 0x4BBCE1: interp (interp.c:1006)
==19091==    by 0x4BAC96: gs_call_interp (interp.c:496)
==19091==    by 0x4BAAD0: gs_interpret (interp.c:454)
==19091==    by 0x4AE587: gs_main_interpret (imain.c:214)
==19091==    by 0x4AF144: gs_main_run_string_end (imain.c:526)
==19091==    by 0x4AF001: gs_main_run_string_with_length (imain.c:484)
==19091==    by 0x4AEF6E: gs_main_run_string (imain.c:466)
==19091==    by 0x4B1F6F: run_string (imainarg.c:798)
==19091==    by 0x4B06A0: swproc (imainarg.c:267)
==19091== 
==19091== Conditional jump or move depends on uninitialised value(s)
==19091==    at 0x4C8231: obj_eq (iutil.c:94)
==19091==    by 0x4B64F1: real_dict_find (idict.c:397)
==19091==    by 0x4B54D1: dict_find (idict.c:87)
==19091==    by 0x4D4552: zop_def (zdict.c:141)
==19091==    by 0x4BBCE1: interp (interp.c:1006)
==19091==    by 0x4BAC96: gs_call_interp (interp.c:496)
==19091==    by 0x4BAAD0: gs_interpret (interp.c:454)
==19091==    by 0x4AE587: gs_main_interpret (imain.c:214)
==19091==    by 0x4AF144: gs_main_run_string_end (imain.c:526)
==19091==    by 0x4AF001: gs_main_run_string_with_length (imain.c:484)
==19091==    by 0x4AEF6E: gs_main_run_string (imain.c:466)
==19091==    by 0x4B1F6F: run_string (imainarg.c:798)
==19091== 
==19091== Conditional jump or move depends on uninitialised value(s)
==19091==    at 0x4C824F: obj_eq (iutil.c:100)
==19091==    by 0x4B64F1: real_dict_find (idict.c:397)
==19091==    by 0x4B54D1: dict_find (idict.c:87)
==19091==    by 0x4D4552: zop_def (zdict.c:141)
==19091==    by 0x4BBCE1: interp (interp.c:1006)
==19091==    by 0x4BAC96: gs_call_interp (interp.c:496)
==19091==    by 0x4BAAD0: gs_interpret (interp.c:454)
==19091==    by 0x4AE587: gs_main_interpret (imain.c:214)
==19091==    by 0x4AF144: gs_main_run_string_end (imain.c:526)
==19091==    by 0x4AF001: gs_main_run_string_with_length (imain.c:484)
==19091==    by 0x4AEF6E: gs_main_run_string (imain.c:466)
==19091==    by 0x4B1F6F: run_string (imainarg.c:798)
==19091== 
==19091== Conditional jump or move depends on uninitialised value(s)
==19091==    at 0x4C83EE: obj_eq (iutil.c:134)
==19091==    by 0x4B64F1: real_dict_find (idict.c:397)
==19091==    by 0x4B54D1: dict_find (idict.c:87)
==19091==    by 0x4D4552: zop_def (zdict.c:141)
==19091==    by 0x4BBCE1: interp (interp.c:1006)
==19091==    by 0x4BAC96: gs_call_interp (interp.c:496)
==19091==    by 0x4BAAD0: gs_interpret (interp.c:454)
==19091==    by 0x4AE587: gs_main_interpret (imain.c:214)
==19091==    by 0x4AF144: gs_main_run_string_end (imain.c:526)
==19091==    by 0x4AF001: gs_main_run_string_with_length (imain.c:484)
==19091==    by 0x4AEF6E: gs_main_run_string (imain.c:466)
==19091==    by 0x4B1F6F: run_string (imainarg.c:798)
==19091== 
==19091== Invalid read of size 1
==19091==    at 0x4C8221: obj_eq (iutil.c:94)
==19091==    by 0x4B64F1: real_dict_find (idict.c:397)
==19091==    by 0x4B54D1: dict_find (idict.c:87)
==19091==    by 0x4D4552: zop_def (zdict.c:141)
==19091==    by 0x4BBCE1: interp (interp.c:1006)
==19091==    by 0x4BAC96: gs_call_interp (interp.c:496)
==19091==    by 0x4BAAD0: gs_interpret (interp.c:454)
==19091==    by 0x4AE587: gs_main_interpret (imain.c:214)
==19091==    by 0x4AF144: gs_main_run_string_end (imain.c:526)
==19091==    by 0x4AF001: gs_main_run_string_with_length (imain.c:484)
==19091==    by 0x4AEF6E: gs_main_run_string (imain.c:466)
==19091==    by 0x4B1F6F: run_string (imainarg.c:798)
==19091==  Address 0x7b5f049 is 15 bytes before a block of size 16,480 alloc'd
==19091==    at 0x4C278AE: malloc (vg_replace_malloc.c:207)
==19091==    by 0x83A85F: gs_heap_alloc_bytes (gsmalloc.c:179)
==19091==    by 0x812A9F: alloc_acquire_chunk (gsalloc.c:1678)
==19091==    by 0x8118DA: alloc_obj (gsalloc.c:1146)
==19091==    by 0x810325: i_alloc_struct_array (gsalloc.c:650)
==19091==    by 0x49094D: s_LZWD_init (slzwd.c:74)
==19091==    by 0x4D8919: filter_open (zfile.c:1095)
==19091==    by 0x4DCA67: filter_read (zfilter.c:238)
==19091==    by 0x48AA7D: filter_read_predictor (zfdecode.c:139)
==19091==    by 0x48AE8E: zLZWD (zfdecode.c:229)
==19091==    by 0x4BA5E3: call_operator (interp.c:111)
==19091==    by 0x4BCF22: interp (interp.c:1162)
==19091== 
==19091== Invalid read of size 1
==19091==    at 0x4C823F: obj_eq (iutil.c:100)
==19091==    by 0x4B64F1: real_dict_find (idict.c:397)
==19091==    by 0x4B54D1: dict_find (idict.c:87)
==19091==    by 0x4D4552: zop_def (zdict.c:141)
==19091==    by 0x4BBCE1: interp (interp.c:1006)
==19091==    by 0x4BAC96: gs_call_interp (interp.c:496)
==19091==    by 0x4BAAD0: gs_interpret (interp.c:454)
==19091==    by 0x4AE587: gs_main_interpret (imain.c:214)
==19091==    by 0x4AF144: gs_main_run_string_end (imain.c:526)
==19091==    by 0x4AF001: gs_main_run_string_with_length (imain.c:484)
==19091==    by 0x4AEF6E: gs_main_run_string (imain.c:466)
==19091==    by 0x4B1F6F: run_string (imainarg.c:798)
==19091==  Address 0x7b5f049 is 15 bytes before a block of size 16,480 alloc'd
==19091==    at 0x4C278AE: malloc (vg_replace_malloc.c:207)
==19091==    by 0x83A85F: gs_heap_alloc_bytes (gsmalloc.c:179)
==19091==    by 0x812A9F: alloc_acquire_chunk (gsalloc.c:1678)
==19091==    by 0x8118DA: alloc_obj (gsalloc.c:1146)
==19091==    by 0x810325: i_alloc_struct_array (gsalloc.c:650)
==19091==    by 0x49094D: s_LZWD_init (slzwd.c:74)
==19091==    by 0x4D8919: filter_open (zfile.c:1095)
==19091==    by 0x4DCA67: filter_read (zfilter.c:238)
==19091==    by 0x48AA7D: filter_read_predictor (zfdecode.c:139)
==19091==    by 0x48AE8E: zLZWD (zfdecode.c:229)
==19091==    by 0x4BA5E3: call_operator (interp.c:111)
==19091==    by 0x4BCF22: interp (interp.c:1162)
==19091== 
==19091== Invalid read of size 2
==19091==    at 0x4C83E7: obj_eq (iutil.c:134)
==19091==    by 0x4B64F1: real_dict_find (idict.c:397)
==19091==    by 0x4B54D1: dict_find (idict.c:87)
==19091==    by 0x4D4552: zop_def (zdict.c:141)
==19091==    by 0x4BBCE1: interp (interp.c:1006)
==19091==    by 0x4BAC96: gs_call_interp (interp.c:496)
==19091==    by 0x4BAAD0: gs_interpret (interp.c:454)
==19091==    by 0x4AE587: gs_main_interpret (imain.c:214)
==19091==    by 0x4AF144: gs_main_run_string_end (imain.c:526)
==19091==    by 0x4AF001: gs_main_run_string_with_length (imain.c:484)
==19091==    by 0x4AEF6E: gs_main_run_string (imain.c:466)
==19091==    by 0x4B1F6F: run_string (imainarg.c:798)
==19091==  Address 0x7b5f048 is 16 bytes before a block of size 16,480 alloc'd
==19091==    at 0x4C278AE: malloc (vg_replace_malloc.c:207)
==19091==    by 0x83A85F: gs_heap_alloc_bytes (gsmalloc.c:179)
==19091==    by 0x812A9F: alloc_acquire_chunk (gsalloc.c:1678)
==19091==    by 0x8118DA: alloc_obj (gsalloc.c:1146)
==19091==    by 0x810325: i_alloc_struct_array (gsalloc.c:650)
==19091==    by 0x49094D: s_LZWD_init (slzwd.c:74)
==19091==    by 0x4D8919: filter_open (zfile.c:1095)
==19091==    by 0x4DCA67: filter_read (zfilter.c:238)
==19091==    by 0x48AA7D: filter_read_predictor (zfdecode.c:139)
==19091==    by 0x48AE8E: zLZWD (zfdecode.c:229)
==19091==    by 0x4BA5E3: call_operator (interp.c:111)
==19091==    by 0x4BCF22: interp (interp.c:1162)
==19091== 
==19091== Invalid read of size 1
==19091==    at 0x4C83F8: obj_eq (iutil.c:134)
==19091==    by 0x4B64F1: real_dict_find (idict.c:397)
==19091==    by 0x4B54D1: dict_find (idict.c:87)
==19091==    by 0x4D4552: zop_def (zdict.c:141)
==19091==    by 0x4BBCE1: interp (interp.c:1006)
==19091==    by 0x4BAC96: gs_call_interp (interp.c:496)
==19091==    by 0x4BAAD0: gs_interpret (interp.c:454)
==19091==    by 0x4AE587: gs_main_interpret (imain.c:214)
==19091==    by 0x4AF144: gs_main_run_string_end (imain.c:526)
==19091==    by 0x4AF001: gs_main_run_string_with_length (imain.c:484)
==19091==    by 0x4AEF6E: gs_main_run_string (imain.c:466)
==19091==    by 0x4B1F6F: run_string (imainarg.c:798)
==19091==  Address 0x7b5f049 is 15 bytes before a block of size 16,480 alloc'd
==19091==    at 0x4C278AE: malloc (vg_replace_malloc.c:207)
==19091==    by 0x83A85F: gs_heap_alloc_bytes (gsmalloc.c:179)
==19091==    by 0x812A9F: alloc_acquire_chunk (gsalloc.c:1678)
==19091==    by 0x8118DA: alloc_obj (gsalloc.c:1146)
==19091==    by 0x810325: i_alloc_struct_array (gsalloc.c:650)
==19091==    by 0x49094D: s_LZWD_init (slzwd.c:74)
==19091==    by 0x4D8919: filter_open (zfile.c:1095)
==19091==    by 0x4DCA67: filter_read (zfilter.c:238)
==19091==    by 0x48AA7D: filter_read_predictor (zfdecode.c:139)
==19091==    by 0x48AE8E: zLZWD (zfdecode.c:229)
==19091==    by 0x4BA5E3: call_operator (interp.c:111)
==19091==    by 0x4BCF22: interp (interp.c:1162)
==19091== 
==19091== Invalid read of size 2
==19091==    at 0x4B64B1: real_dict_find (idict.c:391)
==19091==    by 0x4B54D1: dict_find (idict.c:87)
==19091==    by 0x4D4552: zop_def (zdict.c:141)
==19091==    by 0x4BBCE1: interp (interp.c:1006)
==19091==    by 0x4BAC96: gs_call_interp (interp.c:496)
==19091==    by 0x4BAAD0: gs_interpret (interp.c:454)
==19091==    by 0x4AE587: gs_main_interpret (imain.c:214)
==19091==    by 0x4AF144: gs_main_run_string_end (imain.c:526)
==19091==    by 0x4AF001: gs_main_run_string_with_length (imain.c:484)
==19091==    by 0x4AEF6E: gs_main_run_string (imain.c:466)
==19091==    by 0x4B1F6F: run_string (imainarg.c:798)
==19091==    by 0x4B06A0: swproc (imainarg.c:267)
==19091==  Address 0x7b5edb8 is 15,856 bytes inside a block of size 16,480 free'd
==19091==    at 0x4C265AF: free (vg_replace_malloc.c:323)
==19091==    by 0x83AF15: gs_heap_free_object (gsmalloc.c:335)
==19091==    by 0x813260: alloc_free_chunk (gsalloc.c:1831)
==19091==    by 0x810B2D: i_free_object (gsalloc.c:820)
==19091==    by 0x49178E: s_LZW_release (slzwc.c:38)
==19091==    by 0x4CD2EA: sclose (stream.c:425)
==19091==    by 0x4CD438: spgetcc (stream.c:457)
==19091==    by 0x4CD7A5: sgets (stream.c:541)
==19091==    by 0x4D9E42: zreadstring_at (zfileio.c:287)
==19091==    by 0x4D9F2F: zreadstring (zfileio.c:316)
==19091==    by 0x4BA5E3: call_operator (interp.c:111)
==19091==    by 0x4BCF22: interp (interp.c:1162)
==19091== 
==19091== Conditional jump or move depends on uninitialised value(s)
==19091==    at 0x4B63B3: real_dict_find (idict.c:377)
==19091==    by 0x4B672D: dict_put (idict.c:451)
==19091==    by 0x4D4579: zop_def (zdict.c:142)
==19091==    by 0x4BBCE1: interp (interp.c:1006)
==19091==    by 0x4BAC96: gs_call_interp (interp.c:496)
==19091==    by 0x4BAAD0: gs_interpret (interp.c:454)
==19091==    by 0x4AE587: gs_main_interpret (imain.c:214)
==19091==    by 0x4AF144: gs_main_run_string_end (imain.c:526)
==19091==    by 0x4AF001: gs_main_run_string_with_length (imain.c:484)
==19091==    by 0x4AEF6E: gs_main_run_string (imain.c:466)
==19091==    by 0x4B1F6F: run_string (imainarg.c:798)
==19091==    by 0x4B06A0: swproc (imainarg.c:267)
==19091== 
==19091== Conditional jump or move depends on uninitialised value(s)
==19091==    at 0x4B6446: real_dict_find (idict.c:382)
==19091==    by 0x4B672D: dict_put (idict.c:451)
==19091==    by 0x4D4579: zop_def (zdict.c:142)
==19091==    by 0x4BBCE1: interp (interp.c:1006)
==19091==    by 0x4BAC96: gs_call_interp (interp.c:496)
==19091==    by 0x4BAAD0: gs_interpret (interp.c:454)
==19091==    by 0x4AE587: gs_main_interpret (imain.c:214)
==19091==    by 0x4AF144: gs_main_run_string_end (imain.c:526)
==19091==    by 0x4AF001: gs_main_run_string_with_length (imain.c:484)
==19091==    by 0x4AEF6E: gs_main_run_string (imain.c:466)
==19091==    by 0x4B1F6F: run_string (imainarg.c:798)
==19091==    by 0x4B06A0: swproc (imainarg.c:267)
==19091== 
==19091== Conditional jump or move depends on uninitialised value(s)
==19091==    at 0x4C8231: obj_eq (iutil.c:94)
==19091==    by 0x4B64F1: real_dict_find (idict.c:397)
==19091==    by 0x4B672D: dict_put (idict.c:451)
==19091==    by 0x4D4579: zop_def (zdict.c:142)
==19091==    by 0x4BBCE1: interp (interp.c:1006)
==19091==    by 0x4BAC96: gs_call_interp (interp.c:496)
==19091==    by 0x4BAAD0: gs_interpret (interp.c:454)
==19091==    by 0x4AE587: gs_main_interpret (imain.c:214)
==19091==    by 0x4AF144: gs_main_run_string_end (imain.c:526)
==19091==    by 0x4AF001: gs_main_run_string_with_length (imain.c:484)
==19091==    by 0x4AEF6E: gs_main_run_string (imain.c:466)
==19091==    by 0x4B1F6F: run_string (imainarg.c:798)
==19091== 
==19091== Conditional jump or move depends on uninitialised value(s)
==19091==    at 0x4C824F: obj_eq (iutil.c:100)
==19091==    by 0x4B64F1: real_dict_find (idict.c:397)
==19091==    by 0x4B672D: dict_put (idict.c:451)
==19091==    by 0x4D4579: zop_def (zdict.c:142)
==19091==    by 0x4BBCE1: interp (interp.c:1006)
==19091==    by 0x4BAC96: gs_call_interp (interp.c:496)
==19091==    by 0x4BAAD0: gs_interpret (interp.c:454)
==19091==    by 0x4AE587: gs_main_interpret (imain.c:214)
==19091==    by 0x4AF144: gs_main_run_string_end (imain.c:526)
==19091==    by 0x4AF001: gs_main_run_string_with_length (imain.c:484)
==19091==    by 0x4AEF6E: gs_main_run_string (imain.c:466)
==19091==    by 0x4B1F6F: run_string (imainarg.c:798)
==19091== 
==19091== Conditional jump or move depends on uninitialised value(s)
==19091==    at 0x4C83EE: obj_eq (iutil.c:134)
==19091==    by 0x4B64F1: real_dict_find (idict.c:397)
==19091==    by 0x4B672D: dict_put (idict.c:451)
==19091==    by 0x4D4579: zop_def (zdict.c:142)
==19091==    by 0x4BBCE1: interp (interp.c:1006)
==19091==    by 0x4BAC96: gs_call_interp (interp.c:496)
==19091==    by 0x4BAAD0: gs_interpret (interp.c:454)
==19091==    by 0x4AE587: gs_main_interpret (imain.c:214)
==19091==    by 0x4AF144: gs_main_run_string_end (imain.c:526)
==19091==    by 0x4AF001: gs_main_run_string_with_length (imain.c:484)
==19091==    by 0x4AEF6E: gs_main_run_string (imain.c:466)
==19091==    by 0x4B1F6F: run_string (imainarg.c:798)
==19091== 
==19091== Invalid read of size 1
==19091==    at 0x4B639E: real_dict_find (idict.c:377)
==19091==    by 0x4B672D: dict_put (idict.c:451)
==19091==    by 0x4D4579: zop_def (zdict.c:142)
==19091==    by 0x4BBCE1: interp (interp.c:1006)
==19091==    by 0x4BAC96: gs_call_interp (interp.c:496)
==19091==    by 0x4BAAD0: gs_interpret (interp.c:454)
==19091==    by 0x4AE587: gs_main_interpret (imain.c:214)
==19091==    by 0x4AF144: gs_main_run_string_end (imain.c:526)
==19091==    by 0x4AF001: gs_main_run_string_with_length (imain.c:484)
==19091==    by 0x4AEF6E: gs_main_run_string (imain.c:466)
==19091==    by 0x4B1F6F: run_string (imainarg.c:798)
==19091==    by 0x4B06A0: swproc (imainarg.c:267)
==19091==  Address 0x7b5f049 is 15 bytes before a block of size 16,480 alloc'd
==19091==    at 0x4C278AE: malloc (vg_replace_malloc.c:207)
==19091==    by 0x83A85F: gs_heap_alloc_bytes (gsmalloc.c:179)
==19091==    by 0x812A9F: alloc_acquire_chunk (gsalloc.c:1678)
==19091==    by 0x8118DA: alloc_obj (gsalloc.c:1146)
==19091==    by 0x810325: i_alloc_struct_array (gsalloc.c:650)
==19091==    by 0x49094D: s_LZWD_init (slzwd.c:74)
==19091==    by 0x4D8919: filter_open (zfile.c:1095)
==19091==    by 0x4DCA67: filter_read (zfilter.c:238)
==19091==    by 0x48AA7D: filter_read_predictor (zfdecode.c:139)
==19091==    by 0x48AE8E: zLZWD (zfdecode.c:229)
==19091==    by 0x4BA5E3: call_operator (interp.c:111)
==19091==    by 0x4BCF22: interp (interp.c:1162)
==19091== 
==19091== Invalid read of size 1
==19091==    at 0x4C8221: obj_eq (iutil.c:94)
==19091==    by 0x4B64F1: real_dict_find (idict.c:397)
==19091==    by 0x4B672D: dict_put (idict.c:451)
==19091==    by 0x4D4579: zop_def (zdict.c:142)
==19091==    by 0x4BBCE1: interp (interp.c:1006)
==19091==    by 0x4BAC96: gs_call_interp (interp.c:496)
==19091==    by 0x4BAAD0: gs_interpret (interp.c:454)
==19091==    by 0x4AE587: gs_main_interpret (imain.c:214)
==19091==    by 0x4AF144: gs_main_run_string_end (imain.c:526)
==19091==    by 0x4AF001: gs_main_run_string_with_length (imain.c:484)
==19091==    by 0x4AEF6E: gs_main_run_string (imain.c:466)
==19091==    by 0x4B1F6F: run_string (imainarg.c:798)
==19091==  Address 0x7b5f049 is 15 bytes before a block of size 16,480 alloc'd
==19091==    at 0x4C278AE: malloc (vg_replace_malloc.c:207)
==19091==    by 0x83A85F: gs_heap_alloc_bytes (gsmalloc.c:179)
==19091==    by 0x812A9F: alloc_acquire_chunk (gsalloc.c:1678)
==19091==    by 0x8118DA: alloc_obj (gsalloc.c:1146)
==19091==    by 0x810325: i_alloc_struct_array (gsalloc.c:650)
==19091==    by 0x49094D: s_LZWD_init (slzwd.c:74)
==19091==    by 0x4D8919: filter_open (zfile.c:1095)
==19091==    by 0x4DCA67: filter_read (zfilter.c:238)
==19091==    by 0x48AA7D: filter_read_predictor (zfdecode.c:139)
==19091==    by 0x48AE8E: zLZWD (zfdecode.c:229)
==19091==    by 0x4BA5E3: call_operator (interp.c:111)
==19091==    by 0x4BCF22: interp (interp.c:1162)
==19091== 
==19091== Invalid read of size 1
==19091==    at 0x4C823F: obj_eq (iutil.c:100)
==19091==    by 0x4B64F1: real_dict_find (idict.c:397)
==19091==    by 0x4B672D: dict_put (idict.c:451)
==19091==    by 0x4D4579: zop_def (zdict.c:142)
==19091==    by 0x4BBCE1: interp (interp.c:1006)
==19091==    by 0x4BAC96: gs_call_interp (interp.c:496)
==19091==    by 0x4BAAD0: gs_interpret (interp.c:454)
==19091==    by 0x4AE587: gs_main_interpret (imain.c:214)
==19091==    by 0x4AF144: gs_main_run_string_end (imain.c:526)
==19091==    by 0x4AF001: gs_main_run_string_with_length (imain.c:484)
==19091==    by 0x4AEF6E: gs_main_run_string (imain.c:466)
==19091==    by 0x4B1F6F: run_string (imainarg.c:798)
==19091==  Address 0x7b5f049 is 15 bytes before a block of size 16,480 alloc'd
==19091==    at 0x4C278AE: malloc (vg_replace_malloc.c:207)
==19091==    by 0x83A85F: gs_heap_alloc_bytes (gsmalloc.c:179)
==19091==    by 0x812A9F: alloc_acquire_chunk (gsalloc.c:1678)
==19091==    by 0x8118DA: alloc_obj (gsalloc.c:1146)
==19091==    by 0x810325: i_alloc_struct_array (gsalloc.c:650)
==19091==    by 0x49094D: s_LZWD_init (slzwd.c:74)
==19091==    by 0x4D8919: filter_open (zfile.c:1095)
==19091==    by 0x4DCA67: filter_read (zfilter.c:238)
==19091==    by 0x48AA7D: filter_read_predictor (zfdecode.c:139)
==19091==    by 0x48AE8E: zLZWD (zfdecode.c:229)
==19091==    by 0x4BA5E3: call_operator (interp.c:111)
==19091==    by 0x4BCF22: interp (interp.c:1162)
==19091== 
==19091== Invalid read of size 2
==19091==    at 0x4C83E7: obj_eq (iutil.c:134)
==19091==    by 0x4B64F1: real_dict_find (idict.c:397)
==19091==    by 0x4B672D: dict_put (idict.c:451)
==19091==    by 0x4D4579: zop_def (zdict.c:142)
==19091==    by 0x4BBCE1: interp (interp.c:1006)
==19091==    by 0x4BAC96: gs_call_interp (interp.c:496)
==19091==    by 0x4BAAD0: gs_interpret (interp.c:454)
==19091==    by 0x4AE587: gs_main_interpret (imain.c:214)
==19091==    by 0x4AF144: gs_main_run_string_end (imain.c:526)
==19091==    by 0x4AF001: gs_main_run_string_with_length (imain.c:484)
==19091==    by 0x4AEF6E: gs_main_run_string (imain.c:466)
==19091==    by 0x4B1F6F: run_string (imainarg.c:798)
==19091==  Address 0x7b5f048 is 16 bytes before a block of size 16,480 alloc'd
==19091==    at 0x4C278AE: malloc (vg_replace_malloc.c:207)
==19091==    by 0x83A85F: gs_heap_alloc_bytes (gsmalloc.c:179)
==19091==    by 0x812A9F: alloc_acquire_chunk (gsalloc.c:1678)
==19091==    by 0x8118DA: alloc_obj (gsalloc.c:1146)
==19091==    by 0x810325: i_alloc_struct_array (gsalloc.c:650)
==19091==    by 0x49094D: s_LZWD_init (slzwd.c:74)
==19091==    by 0x4D8919: filter_open (zfile.c:1095)
==19091==    by 0x4DCA67: filter_read (zfilter.c:238)
==19091==    by 0x48AA7D: filter_read_predictor (zfdecode.c:139)
==19091==    by 0x48AE8E: zLZWD (zfdecode.c:229)
==19091==    by 0x4BA5E3: call_operator (interp.c:111)
==19091==    by 0x4BCF22: interp (interp.c:1162)
==19091== 
==19091== Invalid read of size 1
==19091==    at 0x4C83F8: obj_eq (iutil.c:134)
==19091==    by 0x4B64F1: real_dict_find (idict.c:397)
==19091==    by 0x4B672D: dict_put (idict.c:451)
==19091==    by 0x4D4579: zop_def (zdict.c:142)
==19091==    by 0x4BBCE1: interp (interp.c:1006)
==19091==    by 0x4BAC96: gs_call_interp (interp.c:496)
==19091==    by 0x4BAAD0: gs_interpret (interp.c:454)
==19091==    by 0x4AE587: gs_main_interpret (imain.c:214)
==19091==    by 0x4AF144: gs_main_run_string_end (imain.c:526)
==19091==    by 0x4AF001: gs_main_run_string_with_length (imain.c:484)
==19091==    by 0x4AEF6E: gs_main_run_string (imain.c:466)
==19091==    by 0x4B1F6F: run_string (imainarg.c:798)
==19091==  Address 0x7b5f049 is 15 bytes before a block of size 16,480 alloc'd
==19091==    at 0x4C278AE: malloc (vg_replace_malloc.c:207)
==19091==    by 0x83A85F: gs_heap_alloc_bytes (gsmalloc.c:179)
==19091==    by 0x812A9F: alloc_acquire_chunk (gsalloc.c:1678)
==19091==    by 0x8118DA: alloc_obj (gsalloc.c:1146)
==19091==    by 0x810325: i_alloc_struct_array (gsalloc.c:650)
==19091==    by 0x49094D: s_LZWD_init (slzwd.c:74)
==19091==    by 0x4D8919: filter_open (zfile.c:1095)
==19091==    by 0x4DCA67: filter_read (zfilter.c:238)
==19091==    by 0x48AA7D: filter_read_predictor (zfdecode.c:139)
==19091==    by 0x48AE8E: zLZWD (zfdecode.c:229)
==19091==    by 0x4BA5E3: call_operator (interp.c:111)
==19091==    by 0x4BCF22: interp (interp.c:1162)
==19091== 
==19091== Invalid read of size 2
==19091==    at 0x4B64B1: real_dict_find (idict.c:391)
==19091==    by 0x4B672D: dict_put (idict.c:451)
==19091==    by 0x4D4579: zop_def (zdict.c:142)
==19091==    by 0x4BBCE1: interp (interp.c:1006)
==19091==    by 0x4BAC96: gs_call_interp (interp.c:496)
==19091==    by 0x4BAAD0: gs_interpret (interp.c:454)
==19091==    by 0x4AE587: gs_main_interpret (imain.c:214)
==19091==    by 0x4AF144: gs_main_run_string_end (imain.c:526)
==19091==    by 0x4AF001: gs_main_run_string_with_length (imain.c:484)
==19091==    by 0x4AEF6E: gs_main_run_string (imain.c:466)
==19091==    by 0x4B1F6F: run_string (imainarg.c:798)
==19091==    by 0x4B06A0: swproc (imainarg.c:267)
==19091==  Address 0x7b5edb8 is 15,856 bytes inside a block of size 16,480 free'd
==19091==    at 0x4C265AF: free (vg_replace_malloc.c:323)
==19091==    by 0x83AF15: gs_heap_free_object (gsmalloc.c:335)
==19091==    by 0x813260: alloc_free_chunk (gsalloc.c:1831)
==19091==    by 0x810B2D: i_free_object (gsalloc.c:820)
==19091==    by 0x49178E: s_LZW_release (slzwc.c:38)
==19091==    by 0x4CD2EA: sclose (stream.c:425)
==19091==    by 0x4CD438: spgetcc (stream.c:457)
==19091==    by 0x4CD7A5: sgets (stream.c:541)
==19091==    by 0x4D9E42: zreadstring_at (zfileio.c:287)
==19091==    by 0x4D9F2F: zreadstring (zfileio.c:316)
==19091==    by 0x4BA5E3: call_operator (interp.c:111)
==19091==    by 0x4BCF22: interp (interp.c:1162)
==19091== 
==19091== Invalid read of size 2
==19091==    at 0x4B6A0F: dict_put (idict.c:504)
==19091==    by 0x4D4579: zop_def (zdict.c:142)
==19091==    by 0x4BBCE1: interp (interp.c:1006)
==19091==    by 0x4BAC96: gs_call_interp (interp.c:496)
==19091==    by 0x4BAAD0: gs_interpret (interp.c:454)
==19091==    by 0x4AE587: gs_main_interpret (imain.c:214)
==19091==    by 0x4AF144: gs_main_run_string_end (imain.c:526)
==19091==    by 0x4AF001: gs_main_run_string_with_length (imain.c:484)
==19091==    by 0x4AEF6E: gs_main_run_string (imain.c:466)
==19091==    by 0x4B1F6F: run_string (imainarg.c:798)
==19091==    by 0x4B06A0: swproc (imainarg.c:267)
==19091==    by 0x4B03E5: gs_main_init_with_args (imainarg.c:200)
==19091==  Address 0x1007b5edb8 is not stack'd, malloc'd or (recently) free'd
==19091== 
==19091== Process terminating with default action of signal 11 (SIGSEGV)
==19091==  Access not within mapped region at address 0x1007B5EDB8
==19091==    at 0x4B6A0F: dict_put (idict.c:504)
==19091==    by 0x4D4579: zop_def (zdict.c:142)
==19091==    by 0x4BBCE1: interp (interp.c:1006)
==19091==    by 0x4BAC96: gs_call_interp (interp.c:496)
==19091==    by 0x4BAAD0: gs_interpret (interp.c:454)
==19091==    by 0x4AE587: gs_main_interpret (imain.c:214)
==19091==    by 0x4AF144: gs_main_run_string_end (imain.c:526)
==19091==    by 0x4AF001: gs_main_run_string_with_length (imain.c:484)
==19091==    by 0x4AEF6E: gs_main_run_string (imain.c:466)
==19091==    by 0x4B1F6F: run_string (imainarg.c:798)
==19091==    by 0x4B06A0: swproc (imainarg.c:267)
==19091==    by 0x4B03E5: gs_main_init_with_args (imainarg.c:200)
==19091==  If you believe this happened as a result of a stack overflow in your
==19091==  program's main thread (unlikely but possible), you can try to increase
==19091==  the size of the main thread stack using the --main-stacksize= flag.
==19091==  The main thread stack size used in this run was 8388608.
==19091== 
==19091== ERROR SUMMARY: 26201 errors from 32 contexts (suppressed: 8 from 1)
==19091== malloc/free: in use at exit: 5,146,573 bytes in 432 blocks.
==19091== malloc/free: 142,824 allocs, 142,392 frees, 885,824,933 bytes allocated.
==19091== For counts of detected errors, rerun with: -v
==19091== Use --track-origins=yes to see where uninitialised values come from
==19091== searching for pointers to 432 not-freed blocks.
==19091== checked 12,928,272 bytes.
==19091== 
==19091== LEAK SUMMARY:
==19091==    definitely lost: 0 bytes in 0 blocks.
==19091==      possibly lost: 0 bytes in 0 blocks.
==19091==    still reachable: 5,146,573 bytes in 432 blocks.
==19091==         suppressed: 0 bytes in 0 blocks.
==19091== Rerun with --leak-check=full to see details of leaked memory.
Segmentation fault
marcos@peeves:[47]% 
Comment 31 Marcos H. Woehrmann 2009-09-30 10:44:47 UTC
I'm tired of the these files showing up in the regression report; I'm re-disabling them.  Please re-re-
enable when this is fixed.
Comment 32 Ray Johnston 2009-12-11 11:36:37 UTC
I'll try to replicate this on peeves -- if so, I'll have a look.
Comment 33 Ray Johnston 2010-03-11 23:20:22 UTC
I tried this again (on peeves) and even did a shell 'while' loop on the
stated revision with 8 to 8 character long prefixes in the autogen
parameters (doing a make each time) and did not get any misbehavior.

what now ???
Comment 34 Marcos H. Woehrmann 2010-03-12 00:02:51 UTC
Created attachment 6053 [details]
script

(In reply to comment #33)
> I tried this again (on peeves) and even did a shell 'while' loop on the
> stated revision with 8 to 8 character long prefixes in the autogen
> parameters (doing a make each time) and did not get any misbehavior.
> 
> what now ???

If by stated revision you mean r10039 I just tried it again and it still happens.  I'm not sure how you were able to test the commands given in Comment #28, the file /home/marcos/23-12C.PS was missing, I had to copy it from another location.

Please try running the attached shell script.  If it doesn't seg fault for you please try running from my account via tcsh (i.e. sudo su marcos ; tcsh; ./source).  Perhaps it's somehow related to an environment variable and/or the account name.
Comment 35 Ray Johnston 2010-03-12 00:14:55 UTC
I had a copy of 23-12C.PS

There was a typo in my previous comment. The prefix I used was from 8 to 80
(not from 8 to 8) character long prefixes.

I'll try again with your suggestions.
Comment 36 Ray Johnston 2010-03-13 21:18:22 UTC
I am able to reproduce the segfault as well as with -Z@$? am able to
see error messages:
    GPL Ghostscript SVN PRE-RELEASE 8.71: ./psi/ilocate.c(462): At 0x30fdcc0, 
    array 0x3102548[65] element 0 is not a ref
on up to:
    element 64 is not a ref
and then:
    GPL Ghostscript SVN PRE-RELEASE 8.71: ./psi/ilocate.c(452): At 0x30fdcd0, array 0x31080d0 not in any chunk

Note it runs EXTREMELY slowly with these debug switches (more slowly than most
files I've used these on). I'm able to get to a breakpoint immediately before
the problem by breaking in the dict_alloc gs_alloc call and ignoring the first
13879 hits. Then I can turn on more gs_debug flags (such as 'I', '?' and '@').
Hopefully I can see what is going on here shortly.
Comment 37 Ray Johnston 2010-03-14 19:05:20 UTC
Sorry -- the 'ignore' count for right before the failure is 13379

Also, I ONLY get the failure if I am logged in as 'marcos'.

I see the error message in ialloc_validate_ref (ilocate.c:452) and it is due
to the chunk containing the refs is freed. The snapshot is:
[a12:+<.]dict_create_unpacked_keys refs*(1056=66*16) = 0x19c80d0
[a12:+< ]alloc_save_change alloc_change(40) = 0x19c8500
[a12:-$#]dict_resize(old values)(33) 0x19bf1c8
[a12:-$#]dict_resize(old keys)(33) 0x19bf448
[a12:-oF]file_close(buffer) bytes(2048) 0x19c19e8
[a12:-oL]LZW(close) lzw_decode(16388) 0x19c4028
[a-]gs_free(alloc_free_chunk(data)) 0x19c4000(16432)
[a-]gs_free(alloc_free_chunk(chunk struct)) 0x1644300(184)
[a12:-of]s_std_close LZWDecode state(176) 0x19c17b8
[a12:-of]int_grestore int_gstate(464) 0x19c1388
[a12:-of]gstate_free_contents gx_device_color(744) 0x19c1090
[a12:-of]gstate_free_contents gs_client_color(40) 0x19c1058
[a12:-of]gstate_free_contents clip_path(296) 0x19c0f20
[a13:-o ]gstate_free_contents path(128) 0x1619090
[a12:-oF]gs_grestore gs_state(1344) 0x19c09d0
[a12:-of]gs_grestoreall_for_restore clip_path(296) 0x19bfd00
[a12:-of]int_grestore int_gstate(464) 0x19c07f0
[a12:-of]gstate_free_contents gx_device_color(744) 0x19c04f8
[a12:-of]gstate_free_contents gs_client_color(40) 0x19c04c0
[a12:-of]gstate_free_contents clip_path(296) 0x19c0388
[a13:-o ]gstate_free_contents path(128) 0x1619000
[a12:-oF]gs_grestore gs_state(1344) 0x19bfe38
[a12]closing chunk 0x16443f0 (0x19c8088..0x19c8528, 0x19cc208..0x19cc208..0x19cce90)
[a-]gs_free(alloc_free_chunk(data)) 0x19c8070(20000)
[a-]gs_free(alloc_free_chunk(chunk struct)) 0x16443f0(184)
[a-]gs_free(alloc_free_chunk(chunk struct)) 0x1644210(184)
[a12]opening chunk 0x1644120 (0x19bf1b8..0x19bf6b8, 0x19c3338..0x19c3338..0x19c3fc0)
[a12:-o ]zrestore savetype(8) 0x19bf6b0

GPL Ghostscript SVN PRE-RELEASE 8.71: ./psi/ilocate.c(452): At 0x19bdcd0, array 0x19c80d0 not in any chunk

I have to look into this, but from the above, it seems that there is a 
'restore' that is causing the chunk to be freed. I'll look at the PS code
being run here and see what's going wrong in the allocation/restore logic
(possibly a global dict with local contents).
Comment 38 Henry Stiles 2012-09-26 05:43:40 UTC
Reassigning to Ray who commented on this last over 2 years ago, it might be fixed by now, several relevant changes have happened since the comment.
Comment 39 Ray Johnston 2012-09-26 20:57:58 UTC
fixed somewhere along the way. Can't get it to fail and -Z@$? doesn't show
the 'ilocate' error.