Bug 138644 (IT_53780)

Summary: crash running "pdf2ps"

Product: Red Hat Enterprise Linux 2.1
Component: ghostscript
Version: 2.1
Hardware: All
OS: Linux
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Reporter: Bastien Nocera <bnocera>
Assignee: Tim Waugh <twaugh>
QA Contact: Mike McLean <mikem>
CC: barryn, mjc, tao
Doc Type: Bug Fix
Last Closed: 2005-02-25 10:39:27 UTC
Bug Blocks: 132992

Attachments:
ghostscript-6.52-fixes.patch (flags: none)

Description Bastien Nocera 2004-11-10 14:37:23 UTC
$ rpm -q ghostscript
ghostscript-6.51-16.3
$ pdf2ps plop.pdf
Segmentation fault (core dumped)

And the backtrace:
(gdb) bt
#0  0x080d8d63 in igc_reloc_struct_ptr ()
#1  0x081da39b in basic_reloc_ptrs ()
#2  0x080d8d12 in gc_do_reloc ()
#3  0x080d7cf1 in gs_gc_reclaim ()
#4  0x080f455a in context_reclaim ()
#5  0x080bbea0 in gs_vmreclaim ()
#6  0x080bbd5b in ireclaim ()
#7  0x080b800e in interp_reclaim ()
#8  0x080ba0a1 in interp ()
#9  0x080b8178 in gs_call_interp ()
#10 0x080b807e in gs_interpret ()
#11 0x080b1dd7 in gs_main_run_string_end ()
#12 0x080b1c4e in gs_main_run_string ()
#13 0x080b3992 in run_string ()
#14 0x080b36f8 in argproc ()
#15 0x080b275c in gs_main_init_with_args ()
#16 0x0806e311 in main ()

Test file attached below.

Comment 2 Tim Waugh 2004-11-12 11:28:55 UTC
Confirmed.

#0  igc_reloc_struct_ptr (obj=0x913cea0, gcst=0xfee67220) at ./src/igc.c:1256
#1  0x081c581f in basic_reloc_ptrs (vptr=0x9212054, size=132,
    pstype=0x81fb700, gcst=0xfee67220) at ./src/gsmemory.c:311
#2  0x080d0445 in gc_do_reloc (cp=0xf3f6c0, mem=0xf3f6c0, pstate=0xfee67220)
    at ./src/igc.c:1209
#3  0x080d1929 in gs_gc_reclaim (pspaces=0xfee67220, global=0)
    at ./src/igc.c:432
#4  0x080eb1a6 in context_reclaim (pspaces=0x8f2f8f8, global=0)
    at ./src/zcontext.c:289
#5  0x080b72b7 in ireclaim (dmem=0x8f2f8f4, space=15988416)
    at ./src/ireclaim.c:155
#6  0x080b395f in interp_reclaim (pi_ctx_p=0x8376358, space=-1)
    at ./src/interp.c:420
#7  0x080b58de in gs_interpret (pi_ctx_p=0x8376358, pref=0xf3f6c0,
    user_errors=1, pexit_code=0xfee6799c, perror_object=0xfee679a0)
    at ./src/interp.c:1640
#8  0x080adbda in gs_main_run_string_end (minst=0x8376300, user_errors=1,
    pexit_code=0xfee6799c, perror_object=0xfee679a0) at ./src/imain.c:486
#9  0x080adc7d in gs_main_run_string (minst=0x8376300,
    str=0x8f52110 "<2f746d702f74696d2f706c6f702e706466>.runfile",
    user_errors=1, pexit_code=0xfee6799c, perror_object=0xfee679a0)
    at ./src/imain.c:426
#10 0x080ae179 in run_string (minst=0x8376300,
    str=0xf3f6c0 <Address 0xf3f6c0 out of bounds>, options=3)
    at ./src/imainarg.c:701
#11 0x080ae445 in argproc (minst=0x8376300, arg=0xfef34573 "/tmp/tim/plop.pdf")
    at ./src/imainarg.c:631
#12 0x080af91b in gs_main_init_with_args (minst=0x8376300, argc=12,
    argv=0xfee687b4) at ./src/imainarg.c:201
#13 0x0806e27b in main (argc=12, argv=0xfee687b4) at ./src/gs.c:45
(gdb) info locals
pfree = (const obj_header_t *) 0xf3f6c0
chead = (const chunk_head_t *) 0xf3f6c0
back = 15988416
robj = (const void *) 0xf3f6c0
(gdb) p *pfree
Cannot access memory at address 0xf3f6c0
(gdb) p *(const obj_header_t*) obj
$8 = {d = {o = {f = {h = {alone = 0}, m = {_ = 0, smark = 68148096}, b = {
          _ = 0, back = 68148096}}, size = 134805104, t = {type = 0x808f6f0,
        reloc = 134805232}}, _pad = "\000�\037\bp�\b\b��\b\b"}}


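A small triage helper, added here as an example and not part of the bug report or of Ghostscript: it re-joins the wrapped gdb frames from Comment 2, normalises every hex and decimal literal to one integer, and reports values that appear in more than one radix. That flags the thing worth noticing in the trace above: the out-of-bounds chunk pointer 0xf3f6c0 is the same number as back = 15988416 and the space=15988416 argument to ireclaim, so one corrupt word is travelling through the collector under several names. The sample transcript is constructed from a subset of the frames in Comment 2; all function names in the script are this example's own.

```python
"""Cross-reference integer literals in a saved gdb transcript.

Added triage example for this bug; not code from the bug report or from
Ghostscript.  gdb prints pointers in hex and plain integers in decimal, so
the same corrupt word can look like two unrelated values across frames.
This script joins wrapped 'bt' frames, collects name=value arguments and
'info locals' values, and reports numbers seen in more than one radix.
"""
import re
import sys
from collections import defaultdict

# Constructed sample: a subset of the frames and locals posted in Comment 2.
SAMPLE_GDB = """\
#0  igc_reloc_struct_ptr (obj=0x913cea0, gcst=0xfee67220) at ./src/igc.c:1256
#2  0x080d0445 in gc_do_reloc (cp=0xf3f6c0, mem=0xf3f6c0, pstate=0xfee67220)
    at ./src/igc.c:1209
#5  0x080b72b7 in ireclaim (dmem=0x8f2f8f4, space=15988416)
    at ./src/ireclaim.c:155
#6  0x080b395f in interp_reclaim (pi_ctx_p=0x8376358, space=-1)
    at ./src/interp.c:420
#10 0x080ae179 in run_string (minst=0x8376300,
    str=0xf3f6c0 <Address 0xf3f6c0 out of bounds>, options=3)
    at ./src/imainarg.c:701
(gdb) info locals
pfree = (const obj_header_t *) 0xf3f6c0
chead = (const chunk_head_t *) 0xf3f6c0
back = 15988416
robj = (const void *) 0xf3f6c0
"""

FRAME_RE = re.compile(r"^#(\d+)\s+(?:0x[0-9a-fA-F]+\s+in\s+)?([A-Za-z_]\w*)")
ARG_RE = re.compile(r"([A-Za-z_]\w*)=(0x[0-9a-fA-F]+|-?\d+)\b")
LOCAL_RE = re.compile(r"^([A-Za-z_]\w*) = (?:\([^)]*\)\s*)?(0x[0-9a-fA-F]+|-?\d+)\s*$")


def _to_int(literal):
    """gdb prints pointers as hex and plain integers as decimal."""
    return int(literal, 16) if literal.lower().startswith("0x") else int(literal, 10)


def _frames(lines):
    """Yield each '#N ...' frame with gdb's indented continuation lines re-joined."""
    buf = None
    for line in lines:
        if line.startswith("#"):
            if buf is not None:
                yield buf
            buf = line.rstrip()
        elif buf is not None and line[:1].isspace():
            buf += " " + line.strip()
        else:
            if buf is not None:
                yield buf
            buf = None
    if buf is not None:
        yield buf


def parse_gdb(text):
    """Return (context, name, literal, value) for every argument and local."""
    lines = text.splitlines()
    refs = []
    for frame in _frames(lines):
        head = FRAME_RE.match(frame)
        if head is None:
            continue
        ctx = f"#{head.group(1)} {head.group(2)}"
        for name, literal in ARG_RE.findall(frame):
            refs.append((ctx, name, literal, _to_int(literal)))
    for line in lines:
        local = LOCAL_RE.match(line)
        if local is not None:
            refs.append(("locals", local.group(1), local.group(2), _to_int(local.group(2))))
    return refs


def cross_reference(text, min_value=0x1000):
    """Group references by integer value, dropping small flags and counts."""
    groups = defaultdict(list)
    for ctx, name, literal, value in parse_gdb(text):
        if abs(value) >= min_value:
            groups[value].append((ctx, name, literal))
    return dict(groups)


def mixed_radix_values(text, min_value=0x1000):
    """Values spelled both as hex and as decimal: one number under several names."""
    return {value: refs for value, refs in cross_reference(text, min_value).items()
            if len({lit.lower().startswith("0x") for _, _, lit in refs}) > 1}


def report(text, min_value=0x1000):
    """Human-readable summary of mixed_radix_values()."""
    out = []
    for value, refs in sorted(mixed_radix_values(text, min_value).items()):
        out.append(f"value {value:#x} ({value}) seen in {len(refs)} places:")
        out.extend(f"  {ctx:<20} {name} = {literal}" for ctx, name, literal in refs)
    return "\n".join(out) or "no value is spelled in more than one radix"


if __name__ == "__main__":
    # Usage: python3 gdb_xref.py [saved-gdb-transcript.txt]; defaults to the sample.
    print(report(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GDB))
```

On the sample the only mixed-radix value is 0xf3f6c0, reported from cp and mem in gc_do_reloc, space in ireclaim, str in run_string and the four locals; the 0xfee67220 gcst/pstate pointer is seen in several frames too but only ever in hex, so it is not flagged. The min_value cut-off exists to keep small arguments such as user_errors=1 and options=3 out of the grouping.
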
Comment 3 Tim Waugh 2004-11-12 11:49:36 UTC
None of the source files in the stack trace have any code changes between 6.51
and 6.53.

Comment 4 Tim Waugh 2004-11-12 15:19:30 UTC
Compiling with -DDEBUG and setting gs_debug['6']=1 in main() reveals this
message immediately before the segfault:

GNU Ghostscript 6.51: ./src/igc.c(1248): Invalid back pointer 68250272 at 0x9689320!


Comment 6 Tim Waugh 2004-11-12 16:31:27 UTC
Looks like the 7.3 package (rebuilt) handles this fine.  It's 6.52-based. 
Investigating.

Comment 8 Tim Waugh 2004-12-23 13:07:54 UTC
Created attachment 109071 [details]
ghostscript-6.52-fixes.patch

This appears to fix it.

Comment 10 Tim Waugh 2004-12-23 13:14:25 UTC
Hang on a minute.  This is a RHEL2.1 bug -- how is it on the RHEL3 U5 tracker?

Comment 11 Tim Waugh 2004-12-23 14:55:25 UTC
Someone needs to let me know where this is supposed to be built.

Comment 14 Tim Waugh 2005-01-21 11:24:05 UTC
RHBA-2005:063

Comment 16 Tim Waugh 2005-02-25 10:39:27 UTC
The patch causes a regression on ia64, which is also seen in 6.52.  A fix for
this would be too invasive to include at this point (U7 onward).

Comment 17 Bastien Nocera 2005-02-28 14:49:49 UTC
Packages for x86 AS 2.1 uploaded as they actually fix this particular problem:
http://people.redhat.com/bnocera/ghostscript-as2.1/