Bug 138644 - (IT_53780) crash running "pdf2ps"
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 2.1
Classification: Red Hat
Component: ghostscript
Version: 2.1
Hardware: All Linux
Priority: medium
Severity: medium
Assigned To: Tim Waugh
QA Contact: Mike McLean
Blocks: 132992
Reported: 2004-11-10 09:37 EST by Bastien Nocera
Modified: 2007-11-30 17:06 EST

Doc Type: Bug Fix
Last Closed: 2005-02-25 05:39:27 EST


Attachments
ghostscript-6.52-fixes.patch (741 bytes, patch)
2004-12-23 08:07 EST, Tim Waugh

Description Bastien Nocera 2004-11-10 09:37:23 EST
$ rpm -q ghostscript
ghostscript-6.51-16.3
$ pdf2ps plop.pdf
Segmentation fault (core dumped)

And the backtrace:
(gdb) bt
#0  0x080d8d63 in igc_reloc_struct_ptr ()
#1  0x081da39b in basic_reloc_ptrs ()
#2  0x080d8d12 in gc_do_reloc ()
#3  0x080d7cf1 in gs_gc_reclaim ()
#4  0x080f455a in context_reclaim ()
#5  0x080bbea0 in gs_vmreclaim ()
#6  0x080bbd5b in ireclaim ()
#7  0x080b800e in interp_reclaim ()
#8  0x080ba0a1 in interp ()
#9  0x080b8178 in gs_call_interp ()
#10 0x080b807e in gs_interpret ()
#11 0x080b1dd7 in gs_main_run_string_end ()
#12 0x080b1c4e in gs_main_run_string ()
#13 0x080b3992 in run_string ()
#14 0x080b36f8 in argproc ()
#15 0x080b275c in gs_main_init_with_args ()
#16 0x0806e311 in main ()

Test file attached below.
Comment 2 Tim Waugh 2004-11-12 06:28:55 EST
Confirmed.

#0  igc_reloc_struct_ptr (obj=0x913cea0, gcst=0xfee67220) at ./src/igc.c:1256
#1  0x081c581f in basic_reloc_ptrs (vptr=0x9212054, size=132,
    pstype=0x81fb700, gcst=0xfee67220) at ./src/gsmemory.c:311
#2  0x080d0445 in gc_do_reloc (cp=0xf3f6c0, mem=0xf3f6c0, pstate=0xfee67220)
    at ./src/igc.c:1209
#3  0x080d1929 in gs_gc_reclaim (pspaces=0xfee67220, global=0)
    at ./src/igc.c:432
#4  0x080eb1a6 in context_reclaim (pspaces=0x8f2f8f8, global=0)
    at ./src/zcontext.c:289
#5  0x080b72b7 in ireclaim (dmem=0x8f2f8f4, space=15988416)
    at ./src/ireclaim.c:155
#6  0x080b395f in interp_reclaim (pi_ctx_p=0x8376358, space=-1)
    at ./src/interp.c:420
#7  0x080b58de in gs_interpret (pi_ctx_p=0x8376358, pref=0xf3f6c0,
    user_errors=1, pexit_code=0xfee6799c, perror_object=0xfee679a0)
    at ./src/interp.c:1640
#8  0x080adbda in gs_main_run_string_end (minst=0x8376300, user_errors=1,
    pexit_code=0xfee6799c, perror_object=0xfee679a0) at ./src/imain.c:486
#9  0x080adc7d in gs_main_run_string (minst=0x8376300,
    str=0x8f52110 "<2f746d702f74696d2f706c6f702e706466>.runfile",
    user_errors=1, pexit_code=0xfee6799c, perror_object=0xfee679a0)
    at ./src/imain.c:426
#10 0x080ae179 in run_string (minst=0x8376300,
    str=0xf3f6c0 <Address 0xf3f6c0 out of bounds>, options=3)
    at ./src/imainarg.c:701
#11 0x080ae445 in argproc (minst=0x8376300, arg=0xfef34573 "/tmp/tim/plop.pdf")
    at ./src/imainarg.c:631
#12 0x080af91b in gs_main_init_with_args (minst=0x8376300, argc=12,
    argv=0xfee687b4) at ./src/imainarg.c:201
#13 0x0806e27b in main (argc=12, argv=0xfee687b4) at ./src/gs.c:45
(gdb) info locals
pfree = (const obj_header_t *) 0xf3f6c0
chead = (const chunk_head_t *) 0xf3f6c0
back = 15988416
robj = (const void *) 0xf3f6c0
(gdb) p *pfree
Cannot access memory at address 0xf3f6c0
(gdb) p *(const obj_header_t*) obj
$8 = {d = {o = {f = {h = {alone = 0}, m = {_ = 0, smark = 68148096}, b = {
          _ = 0, back = 68148096}}, size = 134805104, t = {type = 0x808f6f0,
        reloc = 134805232}}, _pad = "\000�\037\bp�\b\b��\b\b"}}
Comment 3 Tim Waugh 2004-11-12 06:49:36 EST
None of the source files in the stack trace have any code changes between 6.51
and 6.53.
Comment 4 Tim Waugh 2004-11-12 10:19:30 EST
Compiling with -DDEBUG and setting gs_debug['6']=1 in main() reveals this
message immediately before the segfault:

GNU Ghostscript 6.51: ./src/igc.c(1248): Invalid back pointer 68250272 at 0x9689320!
Comment 6 Tim Waugh 2004-11-12 11:31:27 EST
Looks like the 7.3 package (rebuilt) handles this fine.  It's 6.52-based. 
Investigating.
Comment 8 Tim Waugh 2004-12-23 08:07:54 EST
Created attachment 109071
ghostscript-6.52-fixes.patch

This appears to fix it.
Comment 10 Tim Waugh 2004-12-23 08:14:25 EST
Hang on a minute.  This is a RHEL2.1 bug -- how is it on the RHEL3 U5 tracker?
Comment 11 Tim Waugh 2004-12-23 09:55:25 EST
Someone needs to let me know where this is supposed to be built.
Comment 14 Tim Waugh 2005-01-21 06:24:05 EST
RHBA-2005:063
Comment 16 Tim Waugh 2005-02-25 05:39:27 EST
The patch causes a regression on ia64, which is also seen in 6.52.  A fix for
this would be too invasive to include at this point (U7 onward).
Comment 17 Bastien Nocera 2005-02-28 09:49:49 EST
Packages for x86 AS 2.1 uploaded as they actually fix this particular problem:
http://people.redhat.com/bnocera/ghostscript-as2.1/
