View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0000141 | MetaPost | bug | public | 2008-12-17 13:44 | 2009-05-11 11:12 |
Reporter | Taco | Assigned To | Taco | ||
Priority | normal | Severity | minor | Reproducibility | unable to reproduce |
Status | closed | Resolution | fixed | ||
Target Version | 1.200 | ||||
Summary | 0000141: Crash with complex concatenation of outputformat | ||||
Description | Reported by Troy: `This is MetaPost, version 1.110 (kpathsea version 3.5.7) (./preview.mpMemory size overflow! [0 Transcript written on preview.log.` | ||||
Steps To Reproduce | Troy: All four of the machines where this overflow occurs are 64 bit machines. Specifically, they are Intel Core 2 Duo machines all running Gentoo Linux with the following compiler variables: `CHOST="x86_64-pc-linux-gnu"` `CFLAGS="-march=nocona -O2 -pipe -fomit-frame-pointer"` `CXXFLAGS="${CFLAGS}"` `MAKEOPTS="-j3"` TH: The crash is at mp.w, line 25909: `if (mp->internal[mp_output_format]>0) s = str(mp->internal[mp_output_format]); // HERE` And caused because `length(mp->internal[mp_output_format])` is negative. | ||||
Additional Information | The only two files that this command left were jobname.log and jobname.mpx. The output of running `mpost preview.mp` was

```
This is MetaPost, version 1.110 (kpathsea version 3.5.7) (./preview.mpMemory size overflow! [0 Transcript written on preview.log.
```

I'll paste the contents of the .mp, .log, and .mpx below.

Thanks in advance,
Troy

preview.mp

=== begin cut here ===

```
prologues:=3;
outputformat:="mps";
outputtemplate:=("%j" & "." & outputformat);
verbatimtex
%&latex
\documentclass{minimal}
\begin{document}
etex
beginfig(0);
u:=216;
h:=1;
r:=1;
d:=1/4*r;
D:=d*r;
x:=r*sqrt(h*h-D*D)/h*u;
y:=D*D/h*u;
label.bot(btex $(0,0)$ etex,(0,0));
label(btex $\bullet$ etex,(0,0)) scaled (1/2) shifted (r*u,0);
label.rt(btex $(r,0)$ etex,(r*u,0));
label.bot(btex $r$ etex,(r/2*u,0));
label.top(btex $(0,\delta r)$ etex,(0,D*u));
label.urt(btex $\left(\frac{r\sqrt{h2-\delta2 r2}}{h},\frac{\delta2 r2}{h}\right)$ etex,(x,y));
endfig;
end
```

=== end cut here ===
Tags | No tags attached. | ||||
|
After running `valgrind -v mpost preview.mp` I get the following from valgrind:

=== begin valgrind output here ===

```
==5739== Memcheck, a memory error detector.
==5739== Copyright (C) 2002-2008, and GNU GPL'd, by Julian Seward et al.
==5739== Using LibVEX rev 1878, a library for dynamic binary translation.
==5739== Copyright (C) 2004-2008, and GNU GPL'd, by OpenWorks LLP.
==5739== Using valgrind-3.4.0, a dynamic binary instrumentation framework.
==5739== Copyright (C) 2000-2008, and GNU GPL'd, by Julian Seward et al.
==5739==
--5739-- Command line
--5739-- mpost
--5739-- preview.mp
--5739-- Startup, with flags:
--5739-- -v
--5739-- Contents of /proc/version:
--5739-- Linux version 2.6.27-gentoo-r7 (root@wicket) (gcc version 4.1.2 (Gentoo 4.1.2)) 0000004 SMP Tue Mar 3 12:35:05 CST 2009
--5739-- Arch and hwcaps: AMD64, amd64-sse2
--5739-- Page sizes: currently 4096, max supported 4096
--5739-- Valgrind library directory: /usr/lib64/valgrind
--5739-- Reading syms from /usr/bin/mpost-mplib-1.110 (0x400000)
--5739-- Reading syms from /lib64/ld-2.8.so (0x4000000)
--5739-- object doesn't have a symbol table
--5739-- Reading syms from /usr/lib64/valgrind/amd64-linux/memcheck (0x38000000)
--5739-- object doesn't have a symbol table
--5739-- object doesn't have a dynamic symbol table
--5739-- Reading suppressions file: /usr/lib64/valgrind/default.supp
--5739-- Reading syms from /usr/lib64/valgrind/amd64-linux/vgpreload_core.so (0x4a1c000)
--5739-- object doesn't have a symbol table
--5739-- Reading syms from /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so (0x4c1e000)
--5739-- object doesn't have a symbol table
--5739-- Reading syms from /lib64/libm-2.8.so (0x4e26000)
--5739-- object doesn't have a symbol table
--5739-- Reading syms from /lib64/libc-2.8.so (0x50a7000)
--5739-- object doesn't have a symbol table
--5739-- REDIR: 0x511f880 (rindex) redirected to 0x4c22100 (rindex)
--5739-- REDIR: 0x511c1c0 (malloc) redirected to 0x4c21465 (malloc)
--5739-- REDIR: 0x511ed50 (index) redirected to 0x4c221bb (index)
--5739-- REDIR: 0x511f470 (strlen) redirected to 0x4c22345 (strlen)
--5739-- REDIR: 0x511ef40 (strcpy) redirected to 0x4c236e7 (strcpy)
--5739-- REDIR: 0x511f6f0 (strncmp) redirected to 0x4c22397 (strncmp)
--5739-- REDIR: 0x511f7e0 (strncpy) redirected to 0x4c235de (strncpy)
--5739-- REDIR: 0x511eb90 (strcat) redirected to 0x4c22a91 (strcat)
--5739-- REDIR: 0x5119b70 (free) redirected to 0x4c2103c (free)
--5739-- REDIR: 0x50da280 (putenv) redirected to 0x4c2269a (putenv)
--5739-- REDIR: 0x511f560 (strnlen) redirected to 0x4c22319 (strnlen)
--5739-- REDIR: 0x5121b90 (memcpy) redirected to 0x4c23483 (memcpy)
--5739-- REDIR: 0x511c680 (realloc) redirected to 0x4c2151c (realloc)
--5739-- REDIR: 0x511ef00 (strcmp) redirected to 0x4c223f9 (strcmp)
--5739-- REDIR: 0x511ffc0 (memchr) redirected to 0x4c224b3 (memchr)
--5739-- REDIR: 0xffffffffff600400 (???) redirected to 0x38038409 (???)
--5739-- REDIR: 0x5120790 (memset) redirected to 0x4c225c2 (memset)
--5739-- REDIR: 0x5121290 (mempcpy) redirected to 0x4c22d3c (mempcpy)
This is MetaPost, version 1.110 (kpathsea version 3.5.7dev) (./preview.mp--5739-- REDIR: 0x5122910 (strchrnul) redirected to 0x4c2265a (strchrnul)
--5739-- REDIR: 0x51205f0 (memmove) redirected to 0x4c22605 (memmove)
==5739== Conditional jump or move depends on uninitialised value(s)
==5739== at 0x419DFF: mp_xmalloc (mp.w:3922)
==5739== by 0x4167E7: mp_str (mp.w:1113)
==5739== by 0x462132: mp_shipout_backend (mp.w:25950)
==5739== by 0x462068: mp_ship_out (mp.w:25933)
==5739== by 0x45C020: mp_do_ship_out (mp.w:23731)
==5739== by 0x454790: mp_do_statement (mp.w:23716)
==5739== by 0x46286C: mp_scan_primary (mp.w:17598)
==5739== by 0x4639A3: mp_scan_secondary (mp.w:18139)
==5739== by 0x463B0F: mp_scan_tertiary (mp.w:18187)
==5739== by 0x463CA4: mp_scan_expression (mp.w:18231)
==5739== by 0x454476: mp_do_statement (mp.w:21610)
==5739== by 0x456175: mp_main_control (mp.w:22098)
Memory size overflow! [0 Transcript written on preview.log.
==5739==
==5739== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 4 from 1)
==5739==
==5739== 1 errors in context 1 of 1:
==5739== Conditional jump or move depends on uninitialised value(s)
==5739== at 0x419DFF: mp_xmalloc (mp.w:3922)
==5739== by 0x4167E7: mp_str (mp.w:1113)
==5739== by 0x462132: mp_shipout_backend (mp.w:25950)
==5739== by 0x462068: mp_ship_out (mp.w:25933)
==5739== by 0x45C020: mp_do_ship_out (mp.w:23731)
==5739== by 0x454790: mp_do_statement (mp.w:23716)
==5739== by 0x46286C: mp_scan_primary (mp.w:17598)
==5739== by 0x4639A3: mp_scan_secondary (mp.w:18139)
==5739== by 0x463B0F: mp_scan_tertiary (mp.w:18187)
==5739== by 0x463CA4: mp_scan_expression (mp.w:18231)
==5739== by 0x454476: mp_do_statement (mp.w:21610)
==5739== by 0x456175: mp_main_control (mp.w:22098)
--5739--
--5739-- supp: 4 dl-hack3-cond-1
==5739==
==5739== IN SUMMARY: 1 errors from 1 contexts (suppressed: 4 from 1)
==5739==
==5739== malloc/free: in use at exit: 2,006,686 bytes in 87,508 blocks.
==5739== malloc/free: 139,578 allocs, 52,070 frees, 66,408,564 bytes allocated.
==5739==
==5739== Use --track-origins=yes to see where uninitialised values come from
==5739== searching for pointers to 87,508 not-freed blocks.
==5739== checked 1,927,896 bytes.
==5739==
==5739== LEAK SUMMARY:
==5739== definitely lost: 12,551 bytes in 543 blocks.
==5739== possibly lost: 0 bytes in 0 blocks.
==5739== still reachable: 1,994,135 bytes in 86,965 blocks.
==5739== suppressed: 0 bytes in 0 blocks.
==5739== Rerun with --leak-check=full to see details of leaked memory.
--5739-- memcheck: sanity checks: 181 cheap, 8 expensive
--5739-- memcheck: auxmaps: 0 auxmap entries (0k, 0M) in use
--5739-- memcheck: auxmaps_L1: 0 searches, 0 cmps, ratio 0:10
--5739-- memcheck: auxmaps_L2: 0 searches, 0 nodes
--5739-- memcheck: SMs: n_issued = 1047 (16752k, 16M)
--5739-- memcheck: SMs: n_deissued = 821 (13136k, 12M)
--5739-- memcheck: SMs: max_noaccess = 524287 (8388592k, 8191M)
--5739-- memcheck: SMs: max_undefined = 366 (5856k, 5M)
--5739-- memcheck: SMs: max_defined = 167 (2672k, 2M)
--5739-- memcheck: SMs: max_non_DSM = 1043 (16688k, 16M)
--5739-- memcheck: max sec V bit nodes: 0 (0k, 0M)
--5739-- memcheck: set_sec_vbits8 calls: 0 (new: 0, updates: 0)
--5739-- memcheck: max shadow mem size: 20832k, 20M
--5739-- translate: fast SP updates identified: 6,483 ( 86.1%)
--5739-- translate: generic_known SP updates identified: 661 ( 8.7%)
--5739-- translate: generic_unknown SP updates identified: 384 ( 5.1%)
--5739-- tt/tc: 15,999 tt lookups requiring 16,799 probes
--5739-- tt/tc: 15,999 fast-cache updates, 2 flushes
--5739-- transtab: new 6,964 (236,751 -> 3,495,415; ratio 147:10) [0 scs]
--5739-- transtab: dumped 0 (0 -> ??)
--5739-- transtab: discarded 0 (0 -> ??)
--5739-- scheduler: 18,140,514 jumps (bb entries).
--5739-- scheduler: 181/200,981 major/minor sched events.
--5739-- sanity: 182 cheap, 8 expensive checks.
--5739-- exectx: 3,079 lists, 2,043 contexts (avg 0 per list)
--5739-- exectx: 192,699 searches, 192,070 full compares (996 per 1000)
--5739-- exectx: 0 cmp2, 10 cmp4, 0 cmpAll
--5739-- errormgr: 5 supplist searches, 106 comparisons during search
--5739-- errormgr: 5 errlist searches, 10 comparisons during search
```

=== end valgrind output here ===
|
Fixed by 0000938 (the refcount for string internals was off) |
Date Modified | Username | Field | Change |
---|---|---|---|
2008-12-17 13:44 | Taco | New Issue | |
2009-03-26 10:51 | Taco | Category | => bug |
2009-04-17 12:45 | Taco | Status | new => assigned |
2009-04-17 12:45 | Taco | Assigned To | => Taco |
2009-04-17 14:40 | Taco | Reproducibility | have not tried => unable to reproduce |
2009-04-18 15:33 | tlhiv | Note Added: 0000179 | |
2009-04-18 18:05 | Taco | Status | assigned => resolved |
2009-04-18 18:05 | Taco | Resolution | open => fixed |
2009-04-18 18:05 | Taco | Note Added: 0000181 | |
2009-04-20 13:14 | Taco | Target Version | => 1.150 |
2009-04-21 19:07 | Taco | Target Version | 1.150 => 1.200 |
2009-05-11 11:12 | Taco | Status | resolved => closed |