Opened 13 years ago

Closed 13 years ago

#3823 closed defect (invalid)

imagetype gif causes segmentation fault in trunk

Reported by: havatv Owned by: tbonfort
Priority: normal Milestone: 6.0 release
Component: MapServer C Library Version: 6.0
Severity: normal Keywords: gif, gd, segmentation fault
Cc: havatv

Description

I get a segmentation fault with imagetype GIF (GD). I have tested trunk (r11512) and 6 beta 1 with the same result. PNG (AGG) is OK.

gdb output:

$ gdb mapserver/svn/mapserver/shp2img
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu"...
(gdb) run -m test.map -o test.gif
Starting program: mapserver/svn/mapserver/shp2img -m test.map -o test.gif
[Thread debugging using libthread_db enabled]
[New Thread 0x7f9001bc5710 (LWP 23488)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f9001bc5710 (LWP 23488)]
0x00007f8ffc4660b0 in strlen () from /lib/libc.so.6
(gdb) bt
#0  0x00007f8ffc4660b0 in strlen () from /lib/libc.so.6
#1  0x00007f8ffc465de6 in strdup () from /lib/libc.so.6
#2  0x00007f9001bf7752 in fontFetch (error=0x1586c10, key=0x7fffdcdc7810) at gdft.c:456
#3  0x00007f9001bf5c56 in gdCacheGet (head=0x1586c00, keydata=0x7fffdcdc7810) at gdcache.c:128
#4  0x00007f9001bf613d in gdImageStringFTEx (im=0x0, brect=0x7fffdcdc7930, fg=2, fontlist=0x0, ptsize=1, angle=0, x=0, y=0, string=0x0, strex=0x0)
    at gdft.c:911
#5  0x00007f9001bf76cb in gdImageStringFT (im=0x0, brect=0x28, fg=28612128, fontlist=0x0, ptsize=1, angle=1.05, x=-16843009, y=3, string=0x0)
    at gdft.c:813
#6  0x000000000053c376 in renderTruetypeSymbolGD (img=0x15ddb20, x=164.66745161290328, y=591.72393548387106, symbol=0x15918f0, s=0x7fffdcdc7b20)
    at mapgd.c:620
#7  0x00000000004ce138 in msImagePolylineMarkers (image=0x15ddb20, p=0x7fffdcdc81a0, symbol=0x15918f0, style=0x7fffdcdc7b20, spacing=1.2727272727272727, 
    auto_angle=0) at maprendering.c:379
#8  0x00000000004ce883 in msDrawLineSymbol (symbolset=0x1586ca0, image=0x15ddb20, p=0x7fffdcdc81a0, style=0x15c19f0, scalefactor=0.024095278207187761)
    at maprendering.c:480
#9  0x0000000000464127 in msDrawShape (map=0x1586c70, layer=0x15b56e0, shape=0x7fffdcdc81a0, image=0x15ddb20, style=-1, querymapMode=0) at mapdraw.c:1887
#10 0x000000000045eb90 in msDrawVectorLayer (map=0x1586c70, layer=0x15b56e0, image=0x15ddb20) at mapdraw.c:949
#11 0x000000000045de7f in msDrawLayer (map=0x1586c70, layer=0x15b56e0, image=0x15dd950) at mapdraw.c:730
#12 0x000000000045ce9a in msDrawMap (map=0x1586c70, querymap=0) at mapdraw.c:422
#13 0x0000000000414d02 in main (argc=5, argv=0x7fffdcdc8628) at shp2img.c:299

mapserver/svn/mapserver/mapserv -v

MapServer version 6.0.0-beta5 OUTPUT=GIF OUTPUT=PNG OUTPUT=JPEG SUPPORTS=PROJ SUPPORTS=AGG SUPPORTS=CAIRO SUPPORTS=FREETYPE SUPPORTS=ICONV SUPPORTS=WMS_SERVER SUPPORTS=WMS_CLIENT SUPPORTS=WFS_SERVER SUPPORTS=WFS_CLIENT SUPPORTS=WCS_SERVER SUPPORTS=FASTCGI SUPPORTS=THREADS SUPPORTS=GEOS INPUT=POSTGIS INPUT=OGR INPUT=GDAL INPUT=SHAPEFILE

64 bit Debian Lenny.

Change History (9)

comment:1 by tbonfort, 13 years ago

Owner: changed from sdlime to tbonfort
Status: changed from new to assigned

Havard, can you supply the mapfile and symbol to reproduce this please?

thanks, thomas

comment:2 by havatv, 13 years ago

The original map file is a bit too complex, and relies on postgis. I managed to isolate something that produces a crash (although not exactly the same error messages):

MAP
  SIZE 1000 800
  IMAGETYPE gif
  EXTENT -15000 26500 15000 57500
  LAYER  # Kart - Line
    STATUS DEFAULT
    TYPE LINE
    FEATURE
      POINTS -15000 26500 15000 57500  END
    END # feature
    SYMBOLSCALEDENOM 2650
    CLASS
      STYLE
        COLOR 102 102 102
        MINWIDTH 2
        WIDTH 35
        PATTERN
         300 25
        END # pattern
      END # style
    END # CLASS
  END # LAYER # kart - lines
END

Run using svn/mapserver/shp2img -m test.map -o test.gif

Removing MINWIDTH or SYMBOLSCALEDENOM will hinder the crash. Changing the PATTERN to for instance 30 25 will hinder the crash.

comment:3 by tbonfort, 13 years ago

It seems to me those are two unrelated issues:

  • first case is with a truetype symbol using GAP?
  • second case is a simple line with a dash pattern?

I'll try to run the second test case today to see if I can reproduce. For the first one, I will at least need your symbol and layer definition.

comment:4 by tbonfort, 13 years ago

second issue is fixed in r11525.

please check if it also solves the first issue, as it was a memory overflow that might have had some obscure side-effects.

if the first issue is not fixed, we'll have to go a bit deeper in the debugging output

comment:5 by havatv, 13 years ago

The first issue is still there. Identical error message and gdb backtrace:

$ gdb svn/mapserver/shp2img
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu"...
(gdb) run -m test.map -o test.gif
Starting program: svn/mapserver/shp2img -m test.map -o test.gif
[Thread debugging using libthread_db enabled]
[New Thread 0x7f005a98e710 (LWP 2003)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f005a98e710 (LWP 2003)]
0x00007f005522f0b0 in strlen () from /lib/libc.so.6
(gdb) bt
#0  0x00007f005522f0b0 in strlen () from /lib/libc.so.6
#1  0x00007f005522ede6 in strdup () from /lib/libc.so.6
#2  0x00007f005a9c0752 in fontFetch (error=0xed0c10, key=0x7fffac3215a0) at gdft.c:456
#3  0x00007f005a9bec56 in gdCacheGet (head=0xed0c00, keydata=0x7fffac3215a0) at gdcache.c:128
#4  0x00007f005a9bf13d in gdImageStringFTEx (im=0x0, brect=0x7fffac3216c0, fg=2, fontlist=0x0, ptsize=1, angle=0, x=0, y=0, string=0x0, strex=0x0) at gdft.c:911
#5  0x00007f005a9c06cb in gdImageStringFT (im=0x0, brect=0x28, fg=15893072, fontlist=0x0, ptsize=1, angle=1.05, x=-16843009, y=3, string=0x0) at gdft.c:813
#6  0x000000000053c707 in renderTruetypeSymbolGD (img=0xf28200, x=164.66745161290328, y=591.72393548387106, symbol=0xedb8f0, s=0x7fffac3218b0) at mapgd.c:620
#7  0x00000000004ce464 in msImagePolylineMarkers (image=0xf28200, p=0x7fffac321f30, symbol=0xedb8f0, style=0x7fffac3218b0, spacing=1.2727272727272727, auto_angle=0)
    at maprendering.c:379
#8  0x00000000004cebaf in msDrawLineSymbol (symbolset=0xed0ca0, image=0xf28200, p=0x7fffac321f30, style=0xf0c0c0, scalefactor=0.024095278207187761) at maprendering.c:480
#9  0x00000000004643a7 in msDrawShape (map=0xed0c70, layer=0xeffe90, shape=0x7fffac321f30, image=0xf28200, style=-1, querymapMode=0) at mapdraw.c:1887
#10 0x000000000045ee10 in msDrawVectorLayer (map=0xed0c70, layer=0xeffe90, image=0xf28200) at mapdraw.c:949
#11 0x000000000045e0ff in msDrawLayer (map=0xed0c70, layer=0xeffe90, image=0xf1b140) at mapdraw.c:730
#12 0x000000000045d11a in msDrawMap (map=0xed0c70, querymap=0) at mapdraw.c:422
#13 0x0000000000414d02 in main (argc=5, argv=0x7fffac3223b8) at shp2img.c:299

comment:6 by havatv, 13 years ago

This mapfile causes the crash with Segmentation fault.

MAP
  SIZE 1000 800
  IMAGETYPE gif
  EXTENT -15000 26500 15000 57500 # UTM33

  SYMBOL
    NAME "circlef"
    TYPE ellipse
    FILLED true
    POINTS
      1 1
    END
  END

  LAYER
    STATUS DEFAULT
    TYPE LINE
    FEATURE
       POINTS -18186 41851 -18182 41783 END
    END

    SYMBOLSCALEDENOM 2650

    CLASS
      NAME "dots"
      STYLE
        COLOR 0 0 0
        SYMBOL "circlef"
        SIZE 40
        GAP 210
      END # style
    END # CLASS
  END # LAYER
END

gdb:

$ gdb svn/mapserver/shp2img
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu"...
(gdb) run  -m gif-6-segmviol2.map -o gif-6-segmviol2.gif
Starting program: svn/mapserver/shp2img -m gif-6-segmviol2.map -o gif-6-segmviol2.gif
[Thread debugging using libthread_db enabled]
[New Thread 0x7fda99123710 (LWP 8065)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fda99123710 (LWP 8065)]
0x00007fda939c40b0 in strlen () from /lib/libc.so.6
(gdb) bt
#0  0x00007fda939c40b0 in strlen () from /lib/libc.so.6
#1  0x00007fda939c3de6 in strdup () from /lib/libc.so.6
#2  0x00007fda99155752 in fontFetch (error=0x1f74c10, key=0x7fff6bf14e70) at gdft.c:456
#3  0x00007fda99153c56 in gdCacheGet (head=0x1f74c00, keydata=0x7fff6bf14e70) at gdcache.c:128
#4  0x00007fda9915413d in gdImageStringFTEx (im=0x0, brect=0x7fff6bf14f90, fg=1, fontlist=0x0, ptsize=0.96381112828751048, angle=0, x=0, y=0, string=0x0, strex=0x0)
    at gdft.c:911
#5  0x00007fda991556cb in gdImageStringFT (im=0x0, brect=0x28, fg=48, fontlist=0x0, ptsize=0.96381112828751048, angle=1.05, x=-16843009, y=3, string=0x0) at gdft.c:813
#6  0x000000000053c707 in renderTruetypeSymbolGD (img=0x1f78330, x=31, y=404, symbol=0x1f7c530, s=0x7fff6bf15180) at mapgd.c:620
#7  0x00000000004ce464 in msImagePolylineMarkers (image=0x1f78330, p=0x7fff6bf15800, symbol=0x1f7c530, style=0x7fff6bf15180, spacing=5.06000842350943, auto_angle=0)
    at maprendering.c:379
#8  0x00000000004cebaf in msDrawLineSymbol (symbolset=0x1f74ca0, image=0x1f78330, p=0x7fff6bf15800, style=0x1f7e7e0, scalefactor=0.024095278207187761)
    at maprendering.c:480
#9  0x00000000004643a7 in msDrawShape (map=0x1f74c70, layer=0x1f7cfd0, shape=0x7fff6bf15800, image=0x1f78330, style=-1, querymapMode=0) at mapdraw.c:1887
#10 0x000000000045ee10 in msDrawVectorLayer (map=0x1f74c70, layer=0x1f7cfd0, image=0x1f78330) at mapdraw.c:949
#11 0x000000000045e0ff in msDrawLayer (map=0x1f74c70, layer=0x1f7cfd0, image=0x1f78330) at mapdraw.c:730
#12 0x000000000045d11a in msDrawMap (map=0x1f74c70, querymap=0) at mapdraw.c:422
#13 0x0000000000414d02 in main (argc=5, argv=0x7fff6bf15c88) at shp2img.c:299

comment:7 by tbonfort, 13 years ago

Resolution: fixed
Status: changed from assigned to closed

thanks Havard, there was a serious bug when placing a marker symbol on lines that are too short for accommodating the initial gap/2 start offset.

fixed in r11536, closing

comment:8 by havatv, 13 years ago

Resolution: fixed
Status: changed from closed to reopened

New segmentation fault.

gdb:

(gdb) run -m test.map -o test.gif
Starting program: svn/mapserver/shp2img -m test.map -o test.gif
[Thread debugging using libthread_db enabled]
[New Thread 0x7ffd707a4710 (LWP 16305)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffd707a4710 (LWP 16305)]
0x000000000050c582 in msFreeSymbol (s=0x27be3b0) at mapsymbol.c:128
128               s->renderer->freeSymbol(s);
(gdb) bt
#0  0x000000000050c582 in msFreeSymbol (s=0x27be3b0) at mapsymbol.c:128
#1  0x000000000050d59d in msFreeSymbolSet (symbolset=0x27bbca0)
    at mapsymbol.c:397
#2  0x00000000004a4e43 in msFreeMap (map=0x27bbc70) at mapobject.c:102
#3  0x0000000000414d6a in main (argc=5, argv=0x7fffbfffc058) at shp2img.c:314

I hope it is OK to continue this ticket.

comment:9 by tbonfort, 13 years ago

Resolution: invalid
Status: changed from reopened to closed

opened #3828
