b***@ghostscript.com
2013-06-01 14:39:55 UTC
http://bugs.ghostscript.com/show_bug.cgi?id=694283
Bug ID: 694283
Summary: segfault in cs_adjust_counts_icc just before exit of pcl6.
Product: Ghostscript
Version: master
Hardware: PC
OS: Linux
Status: UNCONFIRMED
Severity: minor
Priority: P4
Component: Color
Assignee: ***@artifex.com
Reporter: ***@ghostscript.com
QA Contact: gs-***@ghostscript.com
Classification: Unclassified
Word Size: ---
Created attachment 9917
--> http://bugs.ghostscript.com/attachment.cgi?id=9917&action=edit
the broken pxl file that gives a segfault before the expected error message
On top of 1eef08f4aaf485a18422e9fbcfd6ac8cbfb03cdb, I have a patch (attached to
bug 694282) which does some partial screen drawing, on a few broken files I
made up. My code figures that the files are broken and returns IllegalDataValue
to pcl6's parser (just to make sure that my code gives the exact same error
message as a real printer, rather than any other error message). The pcl6
parser is supposed to simply display a PXL IllegalDataValue message on both the
console and a page, before exiting cleanly.
pcl6 does most of that, except it segfaults just before exit. On one broken
file, it does so before the expected message; on another file, it does so after
showing the expected message.
Given that (1) the files themselves are invalid data, (2) on top of my
"experimental" patch, (3) on top of dev head, this isn't a priority and may go
away as (2) or (3) progress. So this is mostly a place-holder, and possibly a
question to see if anybody is aware of a segfault in cs_adjust_counts_icc,
especially on cleaning up after incomplete drawing instructions.
One call stack (segfault before expected message):
(gdb) bt
#0 0x00000000006edd49 in cs_adjust_counts_icc (pgs=0x2884728, delta=1) at
../gs/base/gscspace.c:337
#1 0x000000000071b54c in gstate_clone (pfrom=0x1325f38, mem=0x1302320,
cname=0xa694e8 "gs_gsave", reason=copy_for_gsave)
at ../gs/base/gsstate.c:1034
#2 0x0000000000719dcc in gs_gsave (pgs=0x1325f38) at ../gs/base/gsstate.c:355
#3 0x00000000007152f8 in gs_erasepage (pgs=0x1325f38) at
../gs/base/gspaint.c:61
#4 0x000000000085adf1 in px_begin_error_page (pxs=0x1335ba8) at
../pxl/pxerrors.c:234
#5 0x0000000000405f20 in pxl_impl_report_errors (instance=0x1325e38,
code=-984, file_position=7089, force_to_cout=0)
at ../pxl/pxtop.c:533
#6 0x000000000085a627 in pl_report_errors (instance=0x1325e38, code=-984,
file_position=7089, force_to_cout=0) at ../pl/pltop.c:184
#7 0x00000000008c0b74 in pl_main_aux (argc=2, argv=0x7fffffffd828, disp=0x0)
at ../pl/plmain.c:512
#8 0x00000000008c0cea in pl_main (argc=2, argv=0x7fffffffd828) at
../pl/plmain.c:564
#9 0x00000000008bfde4 in main (argc=2, argv=0x7fffffffd828) at
../pl/realmain.c:21
Another call stack (segfault after the expected console message, before exit):
(gdb) bt
#0 0x00000000005a33cd in chunk_free_object (mem=0x1302320, ptr=0x28745c8,
cname=0xa60d88 "cs_adjust_counts")
at ../gs/base/gsmchunk.c:680
#1 0x0000000000711fc0 in rc_free_struct_only (mem=0x1302320, data=0x28745c8,
cname=0xa60d88 "cs_adjust_counts")
at ../gs/base/gsmemory.c:286
#2 0x00000000006edea5 in cs_adjust_counts_icc (pgs=0x1325f38, delta=-1) at
../gs/base/gscspace.c:337
#3 0x000000000071bb88 in gstate_free_contents (pgs=0x1325f38) at
../gs/base/gsstate.c:1072
#4 0x000000000071a141 in gs_grestore_only (pgs=0x1325f38) at
../gs/base/gsstate.c:437
#5 0x000000000071a1fb in gs_grestore (pgs=0x1325f38) at
../gs/base/gsstate.c:458
#6 0x0000000000862272 in pxPopGS (par=0x0, pxs=0x1335ba8) at
../pxl/pxgstate.c:455
#7 0x000000000086a97e in px_end_page_cleanup (pxs=0x1335ba8) at
../pxl/pxsessio.c:147
#8 0x000000000086c51f in pxEndPage (par=0x7fffffffbff0, pxs=0x1335ba8) at
../pxl/pxsessio.c:706
#9 0x000000000040601e in pxl_impl_report_errors (instance=0x1325e38,
code=-984, file_position=6027, force_to_cout=0)
at ../pxl/pxtop.c:549
#10 0x000000000085a627 in pl_report_errors (instance=0x1325e38, code=-984,
file_position=6027, force_to_cout=0) at ../pl/pltop.c:184
#11 0x00000000008c0b74 in pl_main_aux (argc=2, argv=0x7fffffffd828, disp=0x0)
at ../pl/plmain.c:512
#12 0x00000000008c0cea in pl_main (argc=2, argv=0x7fffffffd828) at
../pl/plmain.c:564
#13 0x00000000008bfde4 in main (argc=2, argv=0x7fffffffd828) at
../pl/realmain.c:21
--
You are receiving this mail because:
You are the QA Contact for the bug.
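
Added example (not part of the original report, and not Ghostscript code): a small Python triage helper that rejoins the line-wrapped gdb frames from the two backtraces in this report and lists the call sites common to both crashes. The trace excerpts are copied from the report; the names parse_backtrace and shared_sites are made up for this example.

```python
import re

# Excerpts of the two backtraces in the report, line-wrapped as in the mail.
BEFORE_MESSAGE = """\
#0 0x00000000006edd49 in cs_adjust_counts_icc (pgs=0x2884728, delta=1) at
../gs/base/gscspace.c:337
#1 0x000000000071b54c in gstate_clone (pfrom=0x1325f38, mem=0x1302320,
cname=0xa694e8 "gs_gsave", reason=copy_for_gsave)
at ../gs/base/gsstate.c:1034
#2 0x0000000000719dcc in gs_gsave (pgs=0x1325f38) at ../gs/base/gsstate.c:355
"""
AFTER_MESSAGE = """\
#0 0x00000000005a33cd in chunk_free_object (mem=0x1302320, ptr=0x28745c8,
cname=0xa60d88 "cs_adjust_counts")
at ../gs/base/gsmchunk.c:680
#1 0x0000000000711fc0 in rc_free_struct_only (mem=0x1302320, data=0x28745c8,
cname=0xa60d88 "cs_adjust_counts")
at ../gs/base/gsmemory.c:286
#2 0x00000000006edea5 in cs_adjust_counts_icc (pgs=0x1325f38, delta=-1) at
../gs/base/gscspace.c:337
#3 0x000000000071bb88 in gstate_free_contents (pgs=0x1325f38) at
../gs/base/gsstate.c:1072
"""

# "#N [0xADDR in ]func (args) at path:line" once a frame is back on one line.
FRAME = re.compile(r"#(\d+)\s+(?:0x[0-9a-f]+ in )?(\w+) \((.*)\) at (\S+):(\d+)$")

def parse_backtrace(text):
    """Rejoin wrapped lines, then return one dict per gdb frame."""
    joined = []
    for line in text.splitlines():
        if line.startswith("#"):
            joined.append(line.strip())
        elif joined:  # continuation of the previous frame
            joined[-1] += " " + line.strip()
    matches = (FRAME.match(line) for line in joined)
    return [{"func": m[2], "args": m[3], "site": f"{m[4]}:{m[5]}"}
            for m in matches if m]

def shared_sites(*traces):
    """Return the (function, file:line) pairs that occur in every trace."""
    sets = [{(f["func"], f["site"]) for f in parse_backtrace(t)} for t in traces]
    return sorted(set.intersection(*sets))

if __name__ == "__main__":
    print(shared_sites(BEFORE_MESSAGE, AFTER_MESSAGE))
```

On these excerpts the only shared call site is cs_adjust_counts_icc at gscspace.c:337, reached with delta=1 in one stack and delta=-1 in the other.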