Bug 690915 - Another hard to reproduce seg fault
Summary: Another hard to reproduce seg fault
Status: RESOLVED FIXED
Alias: None
Product: Ghostscript
Classification: Unclassified
Component: General
Version: master
Hardware: PC Linux
Importance: P1 normal
Assignee: Ray Johnston
Reported: 2009-11-12 20:53 UTC by Marcos H. Woehrmann
Modified: 2009-12-01 09:09 UTC

Description Marcos H. Woehrmann 2009-11-12 20:53:49 UTC
I've found another strange seg fault; this one is dependent on the number of characters on the
command line.  At first I thought it might be another manifestation of Bug 690506 but the stack trace
shows it happening in a different place and it doesn't "feel" like the same issue.

So far I've only been able to get it to seg fault on my amd64 Linux box, but I'm still trying to find a test
case that fails on peeves.

The version I'm using is r10319 and this command line fails:

bin/gs -I/home/marcos/artifex/ghostscript/gs/lib \
-IXXXXXXXXXXXXXXXXXXXXXXXX -sDEVICE=tiff32nc \
-o test.tif -dEPSCrop ./Booth_D_face-L25500.eps

and this one works:

bin/gs -I/home/marcos/artifex/ghostscript/gs/lib \
-IXXXXXXXXXXXXXXXXXXXXXXX -sDEVICE=tiff32nc \
-o test.tif -dEPSCrop ./Booth_D_face-L25500.eps

(the only difference is the second one has one less X).

The test file is too big to attach; it can be found on casper in /home/support/690915
Comment 1 Marcos H. Woehrmann 2009-11-12 20:58:32 UTC
The good news is that the problem is reproducible under gdb:

marcos@amd64:[30]% gdb ghostscript/gs/debugobj/gs
GNU gdb 6.6-debian
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu"...
Using host libthread_db library "/lib/libthread_db.so.1".
(gdb) run -I/home/marcos/artifex/ghostscript/gs/lib -IXXXXXXXXXXXXXXXXXXXXXXXX -sDEVICE=tiff32nc -o test.tif -dEPSCrop ./Booth_D_face-L25500.eps
Starting program: /home/marcos/artifex/ghostscript/gs/debugobj/gs -I/home/marcos/artifex/ghostscript/gs/lib -IXXXXXXXXXXXXXXXXXXXXXXXX -sDEVICE=tiff32nc -o test.tif -dEPSCrop ./Booth_D_face-L25500.eps
[Thread debugging using libthread_db enabled]
[New Thread 47171638918800 (LWP 21963)]
GPL Ghostscript SVN PRE-RELEASE 8.71 (2009-08-01)
Copyright (C) 2009 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 47171638918800 (LWP 21963)]
0x000000000051896b in ptr_struct_mark (pep=0x7fffaf39e560, ignored=0x7fffaf39ed90) at 
./psi/igc.c:1066
1066	    if (!o_is_unmarked(ptr))
(gdb) where
#0  0x000000000051896b in ptr_struct_mark (pep=0x7fffaf39e560, ignored=0x7fffaf39ed90) at 
./psi/igc.c:1066
#1  0x0000000000518180 in gc_trace (rp=0x7fffaf39ed10, pstate=0x7fffaf39ed90, 
pmstack=0x7fffaf39e620) at ./psi/igc.c:856
#2  0x00000000005166a3 in gs_gc_reclaim (pspaces=0x186a0f0, global=0) at ./psi/igc.c:325
#3  0x00000000005bec86 in context_reclaim (pspaces=0x186a0f0, global=0) at ./psi/zcontext.c:283
#4  0x00000000004cc0e7 in gs_vmreclaim (dmem=0x186a0e8, global=0) at ./psi/ireclaim.c:153
#5  0x00000000004cbe4b in ireclaim (dmem=0x186a0e8, space=-1) at ./psi/ireclaim.c:75
#6  0x00000000004c486f in interp_reclaim (pi_ctx_p=0x182b348, space=-1) at ./psi/interp.c:427
#7  0x00000000004c8af7 in interp (pi_ctx_p=0x182b348, pref=0x7fffaf39ff80, 
perror_object=0x7fffaf3a0190) at ./psi/interp.c:1690
#8  0x00000000004c4acd in gs_call_interp (pi_ctx_p=0x182b348, pref=0x7fffaf3a00c0, 
user_errors=1, pexit_code=0x7fffaf3a01a8, perror_object=0x7fffaf3a0190)
    at ./psi/interp.c:496
#9  0x00000000004c4905 in gs_interpret (pi_ctx_p=0x182b348, pref=0x7fffaf3a00c0, user_errors=1, 
pexit_code=0x7fffaf3a01a8, perror_object=0x7fffaf3a0190)
    at ./psi/interp.c:454
#10 0x00000000004b83ac in gs_main_interpret (minst=0x182b2b0, pref=0x7fffaf3a00c0, 
user_errors=1, pexit_code=0x7fffaf3a01a8, perror_object=0x7fffaf3a0190)
    at ./psi/imain.c:214
#11 0x00000000004b8f6a in gs_main_run_string_end (minst=0x182b2b0, user_errors=1, 
pexit_code=0x7fffaf3a01a8, perror_object=0x7fffaf3a0190) at ./psi/imain.c:526
#12 0x00000000004b8e27 in gs_main_run_string_with_length (minst=0x182b2b0, str=0x191e260 
"<2e2f426f6f74685f445f666163652d4c32353530302e657073>.runfile", 
    length=60, user_errors=1, pexit_code=0x7fffaf3a01a8, perror_object=0x7fffaf3a0190) at 
./psi/imain.c:484
#13 0x00000000004b8d94 in gs_main_run_string (minst=0x182b2b0, str=0x191e260 
"<2e2f426f6f74685f445f666163652d4c32353530302e657073>.runfile", user_errors=1, 
    pexit_code=0x7fffaf3a01a8, perror_object=0x7fffaf3a0190) at ./psi/imain.c:466
#14 0x00000000004bbdab in run_string (minst=0x182b2b0, str=0x191e260 
"<2e2f426f6f74685f445f666163652d4c32353530302e657073>.runfile", options=3)
    at ./psi/imainarg.c:798
#15 0x00000000004bbd51 in runarg (minst=0x182b2b0, pre=0x94c8bb "", arg=0x186f5c0 
"./Booth_D_face-L25500.eps", post=0x94c955 ".runfile", options=3)
    at ./psi/imainarg.c:788
#16 0x00000000004bb9f8 in argproc (minst=0x182b2b0, arg=0x7fffaf3a1ce5 "./Booth_D_face-L25500.eps") at ./psi/imainarg.c:723
#17 0x00000000004ba27c in gs_main_init_with_args (minst=0x182b2b0, argc=8, 
argv=0x7fffaf3a0da8) at ./psi/imainarg.c:207
#18 0x000000000040e699 in main (argc=8, argv=0x7fffaf3a0da8) at ./psi/gs.c:77
(gdb) 
Comment 2 Marcos H. Woehrmann 2009-11-12 21:07:14 UTC
Running the command under valgrind produces nothing unusual and no seg fault.
Comment 3 Ray Johnston 2009-11-13 10:22:39 UTC
Please post the file: Booth_D_face-L25500.eps if it is not in svn
Comment 4 Marcos H. Woehrmann 2009-11-13 15:29:29 UTC
The file Booth_D_face-L25500.eps is too big to attach; it can be found on casper in
/home/support/690915
Comment 5 Marcos H. Woehrmann 2009-11-25 17:07:07 UTC
Possibly an unrelated seg. fault, but with -Z? the debug build of head (r10384)
fails on peeves and my amd64 box with the command line:

  debugobj/gs -Z\? -sDEVICE=tiff32nc -o test.tif ./Booth_D_face-L25500.eps


Here's the stack trace:

#0  0x00000000008a066a in device_color_enum_ptrs (mem=0x1668708, vptr=0x1bb21e0,
size=744, index=0, pep=0x7fffffffc020, pstype=0xafa1c0, gcst=0x7fffffffc790) at
./base/gxcmap.c:38
#1  0x00000000008ca70e in image_enum_enum_ptrs (mem=0x1668708, vptr=0x1bb13a8,
size=196152, index=0, pep=0x7fffffffc020, pstype=0xafbe00, gcst=0x7fffffffc790)
at ./base/gxipixel.c:66
#2  0x00000000005115ad in ialloc_validate_chunk (cp=0x1af2790,
gcst=0x7fffffffc790) at ./psi/ilocate.c:328
#3  0x0000000000511133 in ialloc_validate_memory (mem=0x16678c8,
gcst=0x7fffffffc790) at ./psi/ilocate.c:248
#4  0x0000000000510fb7 in ialloc_validate_spaces (dmem=0x16a6058) at
./psi/ilocate.c:216
#5  0x00000000004e8270 in ivalidate_clean_spaces (i_ctx_p=0x16a6050) at
./psi/zvmem.c:56
#6  0x00000000004e8554 in zrestore (i_ctx_p=0x16a6050) at ./psi/zvmem.c:120
#7  0x000000000049b0b0 in z2restore (i_ctx_p=0x16a6050) at ./psi/zdevice2.c:319
#8  0x00000000004ba8f3 in call_operator (op_proc=0x49aff5 <z2restore>,
i_ctx_p=0x16a6050) at ./psi/interp.c:111
#9  0x00000000004bdc25 in interp (pi_ctx_p=0x1667318, pref=0x7fffffffd680,
perror_object=0x7fffffffd8f0) at ./psi/interp.c:1538
#10 0x00000000004bb038 in gs_call_interp (pi_ctx_p=0x1667318,
pref=0x7fffffffd7f0, user_errors=1, pexit_code=0x7fffffffd90c,
perror_object=0x7fffffffd8f0) at ./psi/interp.c:496
#11 0x00000000004bae54 in gs_interpret (pi_ctx_p=0x1667318, pref=0x7fffffffd7f0,
user_errors=1, pexit_code=0x7fffffffd90c, perror_object=0x7fffffffd8f0) at
./psi/interp.c:454
#12 0x00000000004ae80d in gs_main_interpret (minst=0x1667280,
pref=0x7fffffffd7f0, user_errors=1, pexit_code=0x7fffffffd90c,
perror_object=0x7fffffffd8f0) at ./psi/imain.c:214
#13 0x00000000004af435 in gs_main_run_string_end (minst=0x1667280,
user_errors=1, pexit_code=0x7fffffffd90c, perror_object=0x7fffffffd8f0) at
./psi/imain.c:526
#14 0x00000000004af2e6 in gs_main_run_string_with_length (minst=0x1667280,
str=0x16e20a0 "<2e2f426f6f74685f445f666163652d4c32353530302e657073>.runfile",
length=60, user_errors=1, pexit_code=0x7fffffffd90c, 
    perror_object=0x7fffffffd8f0) at ./psi/imain.c:484
#15 0x00000000004af24b in gs_main_run_string (minst=0x1667280, str=0x16e20a0
"<2e2f426f6f74685f445f666163652d4c32353530302e657073>.runfile", user_errors=1,
pexit_code=0x7fffffffd90c, perror_object=0x7fffffffd8f0)
    at ./psi/imain.c:466
#16 0x00000000004b23a7 in run_string (minst=0x1667280, str=0x16e20a0
"<2e2f426f6f74685f445f666163652d4c32353530302e657073>.runfile", options=3) at
./psi/imainarg.c:797
#17 0x00000000004b234c in runarg (minst=0x1667280, pre=0x92a17b "",
arg=0x16ab530 "./Booth_D_face-L25500.eps", post=0x92a215 ".runfile", options=3)
at ./psi/imainarg.c:788
#18 0x00000000004b1fc0 in argproc (minst=0x1667280, arg=0x7fffffffe827
"./Booth_D_face-L25500.eps") at ./psi/imainarg.c:723
#19 0x00000000004b0827 in gs_main_init_with_args (minst=0x1667280, argc=8,
argv=0x7fffffffe518) at ./psi/imainarg.c:207
#20 0x000000000040612d in main (argc=8, argv=0x7fffffffe518) at ./psi/gs.c:77

Comment 6 Ray Johnston 2009-11-28 19:09:45 UTC
I am able to reproduce this segfault (with this call stack) on Windows.

Assigning to myself and raising priority to repeatable segfault (P1) level.
Comment 7 Ray Johnston 2009-12-01 09:09:31 UTC
Fixed rev 10412