Bug 880375

Summary: [abrt] ghostscript-9.05-4.fc17: alloc_free_chunk: Process /usr/bin/gs was killed by signal 6 (SIGABRT)
Product: [Fedora] Fedora
Reporter: augustinus354
Component: ghostscript
Assignee: Tim Waugh <twaugh>
Status: CLOSED WONTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 17
CC: twaugh
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:93cd6f461948121e3bb8bd51fb5946875a021641
Doc Type: Bug Fix
Last Closed: 2013-08-01 12:49:37 UTC
Attachments (no flags set on any):
File: core_backtrace
File: environ
File: limits
File: backtrace
File: cgroup
File: smolt_data
File: xsession_errors
File: executable
File: maps
File: dso_list
File: proc_pid_status
File: open_fds
encapsulated postscript that caused the crash

Description augustinus354 2012-11-26 20:40:34 UTC
Description of problem:
It happened the first time, probably during the attempt to process an engineered postscript file.


Version-Release number of selected component:
ghostscript-9.05-4.fc17

Additional info:
libreport version: 2.0.18
abrt_version:   2.0.18
backtrace_rating: 4
crash_function: alloc_free_chunk
kernel:         3.6.7-4.fc17.x86_64

truncated backtrace:
:Thread no. 1 (10 frames)
: #5 alloc_free_chunk at base/gsalloc.c:1910
: #6 gc_free_empty_chunks at psi/igc.c:1356
: #7 gs_gc_reclaim at psi/igc.c:486
: #8 context_reclaim at psi/zcontext.c:278
: #9 gs_vmreclaim at psi/ireclaim.c:153
: #10 ireclaim at psi/ireclaim.c:75
: #11 interp_reclaim at psi/interp.c:421
: #12 gs_main_finit at psi/imain.c:828
: #13 gs_to_exit_with_code at psi/imain.c:915
: #14 gs_to_exit at psi/imain.c:920

Comment 1 augustinus354 2012-11-26 20:40:37 UTC
Created attachment 652256
File: core_backtrace

Comment 2 augustinus354 2012-11-26 20:40:39 UTC
Created attachment 652257
File: environ

Comment 3 augustinus354 2012-11-26 20:40:41 UTC
Created attachment 652258
File: limits

Comment 4 augustinus354 2012-11-26 20:40:43 UTC
Created attachment 652259
File: backtrace

Comment 5 augustinus354 2012-11-26 20:40:45 UTC
Created attachment 652260
File: cgroup

Comment 6 augustinus354 2012-11-26 20:40:47 UTC
Created attachment 652261
File: smolt_data

Comment 7 augustinus354 2012-11-26 20:40:49 UTC
Created attachment 652262
File: xsession_errors

Comment 8 augustinus354 2012-11-26 20:40:51 UTC
Created attachment 652263
File: executable

Comment 9 augustinus354 2012-11-26 20:40:54 UTC
Created attachment 652264
File: maps

Comment 10 augustinus354 2012-11-26 20:40:56 UTC
Created attachment 652265
File: dso_list

Comment 11 augustinus354 2012-11-26 20:41:00 UTC
Created attachment 652266
File: proc_pid_status

Comment 12 augustinus354 2012-11-26 20:41:01 UTC
Created attachment 652267
File: open_fds

Comment 13 Tim Waugh 2012-11-27 10:30:16 UTC
Please try the test update for ghostscript:
https://admin.fedoraproject.org/updates/FEDORA-2012-17885

yum --enablerepo=updates-testing update 'ghostscript*'

Does the problem still occur?

Comment 14 augustinus354 2012-11-27 17:30:17 UTC
The problem occurred only during the attempt to view a tex-dvi containing a manually modified encapsulated postscript file. Okular was unable to show it but did not crash. Some other similarly modified eps-files had no problems with ghostscript.

The update to the test-version of ghostscript led to the same crash in trying to handle the modified eps.

Comment 15 Tim Waugh 2012-11-27 17:38:20 UTC
Thanks.

Are you able to attach the file that causes the crash?  Alternatively, are you able to reduce it to a small test case which still causes the crash?

Comment 16 augustinus354 2012-11-27 20:40:13 UTC
Created attachment 653103
encapsulated postscript that caused the crash

Comment 17 augustinus354 2012-11-27 20:44:44 UTC
After examination of the source, I guess the problem could turn out to be trivial, because the eps apparently has been corrupted during transfer from a Mac to the Linux-machine.

Comment 19 Tim Waugh 2013-02-21 22:27:00 UTC
*** Bug 913674 has been marked as a duplicate of this bug. ***

Comment 21 Tim Waugh 2013-05-16 17:11:37 UTC
I was able to get upstream gs to segfault on bug.eps occasionally -- it was non-deterministic(!).  I used git bisect to narrow down the fix for the segfault to this one:

commit 86f9af6937e76e10a7adad201b06c337b1a9240b
Author: Alex Cherepanov <alex.cherepanov>
Date:   Fri Aug 10 15:59:15 2012 -0400

    Increase max object size to 16M.
    
    Increase the size of rsize member of the ref structure from ushort
    to uint_32. This is needed to support large composite objects permitted by c
    PDF specification. On 64-bit systems the actual size of ref didn't change.
    On 32-bit systems the ref has grown to 12 bytes, which caused a couple of
    changes in the alignment and padding code. Finally, the max size of all
    composite objects has been increased to 16M.
    
    This patch leaves large objects exposed to PS interpreter.
    Traditional PS limits can be re-imposed on the PS interpreter if
    needed.
    
    The patch results in a couple of progressions on the PDF test base,
    and a few expected differences on PS test files that test traditional
    limits on composite PS objects.

However, building a package with this patch didn't fix the original problem.  I realised that a major difference was that I didn't build the upstream sources with FORTIFY_SOURCE enabled; however, when I did that, the upstream code wouldn't crash at all. :-/

Comment 22 Fedora End Of Life 2013-07-04 04:09:10 UTC
This message is a reminder that Fedora 17 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 17. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '17'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 17's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that
we may not be able to fix it before Fedora 17 is end of life. If you
would still like to see this bug fixed and are able to reproduce it
against a later version of Fedora, you are encouraged to change the
'version' to a later Fedora version prior to Fedora 17's end of life.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 23 Fedora End Of Life 2013-08-01 12:49:43 UTC
Fedora 17 changed to end-of-life (EOL) status on 2013-07-30. Fedora 17 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.