Graphviz Issue Tracker
Mantis Bug Tracker

View Issue Details

ID: 0001114
Project: graphviz
Category: Dot
View Status: public
Date Submitted: 2006-04-26 23:12
Last Update: 2011-04-28 04:03
Reporter: Sampo Kellomaki
Assigned To: erg
Platform / OS: x86-Linux-2.6.15
OS Version: (not given)
Summary: 0001114: use of ports causes segfault in dot

gcc-3.4.5, gdb-6.3

dot seg faults in attribs.c:53, function agcopyattr(), on statement

  Agsym_t **list = d->list;

Immediate cause is null pointer dereference, with d being NULL. This
apparently happens because TAG_OF(oldobj) is not one of the ones
handled by agdictof(). I added a default clause and a debug print
to that switch so I could breakpoint where the problem starts
happening (n.b. line numbers will be off by one because of this
new debug print line).

(gdb) r
Starting program: /d/apps/bin/dot -Tps ~/s5066d/ >/tmp/

Breakpoint 1, agdictof (obj=0x8068a78) at attribs.c:40
(gdb) n
Bad tag of obj(0x8068a78): 0
(gdb) bt
#0 agdictof (obj=0xffffff01) at attribs.c:43
#1 0xb7f6dbaf in agcopyattr (oldobj=0x8068a78, newobj=0x806b4b0) at attribs.c:360
#2 0xb7c275b2 in cloneEdge (g=0x1c, tn=0x1c, hn=0xffffff01, orige=0x8068a78) at dotsplines.c:724
#3 0xb7c2bc7c in make_flat_edge (sp=0xbffff560, P=0x8061e18, edges=0x8069480, ind=0x2, cnt=0x1) at dotsplines.c:814
#4 0xb7c2a3eb in dot_splines (g=0x8051648) at dotsplines.c:368
#5 0xb7c1fa86 in dot_layout (g=0x8051648) at dotinit.c:232
#6 0xb7f876ac in gvLayoutJobs (gvc=0x804b640, g=0x8051648) at gvlayout.c:68
#7 0x08048a9a in main (argc=0x1c, argv=0x1c) at dot.c:176

Perhaps some funky optimization is happening because although obj
is 0x8068a78 the bt shows it as obj=0xffffff01. At any rate, the
print I added ("Bad tag of...") clearly evidences that the tag
is zero, which is no good.

(gdb) p *(((Agraph_t*)(obj)))
Cannot access memory at address 0xffffff01
(gdb) up
#1 0xb7f6dbaf in agcopyattr (oldobj=0x8068a78, newobj=0x806b4b0) at attribs.c:360
(gdb) p *(((Agraph_t*)(oldobj)))
$1 = {tag = 0x0, kind = 0x0, handle = 0x0, attr = 0x0, name = 0x8053780 "\001", univ = 0x8053660, nodes = 0x2c, inedges = 0x0, outedges = 0x0, root = 0x12, meta_node = 0x54442d18, proto = 0x3ff921fb, u = {notused = 0xa0}}

Here we can see that the oldobj argument to agcopyattr() indeed
has tag == 0. This is clearly wrong.

(gdb) n
agcopyattr (oldobj=0x8068a78, newobj=0x806b4b0) at attribs.c:364
(gdb) n
(gdb) n
(gdb) n

Program received signal SIGSEGV, Segmentation fault.
agcopyattr (oldobj=0x8068a78, newobj=0x806b4b0) at attribs.c:361
(gdb) p d
$2 = (Agdict_t *) 0x0

And voila, here we have the crash.

The problem does not reproduce with smaller graphs (or at least
I have not been able to find a smaller graph that would reproduce
this). Commenting out the last two lines (the ones starting smtp_)
makes the problem go away. Moving the

connect -> dts_dec [style=invis]

line from beginning to end also seems to make the problem go away.

I tried compiling graphviz without -O2 using
make distclean
CFLAGS='-g' ./configure --prefix=/apps/graphviz/2.8

This triggered following error

if /bin/sh ../../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I. -I../.. -I../.. -I../../lib/cdt -I/apps/graphviz/2.8/include -g -Wno-unused-parameter -Wno-unknown-pragmas -Wstrict-prototypes -Wpointer-arith -Wall -ffast-math -MT scan.lo -MD -MP -MF ".deps/scan.Tpo" -c -o scan.lo scan.c; \
then mv -f ".deps/scan.Tpo" ".deps/scan.Plo"; else rm -f ".deps/scan.Tpo"; exit 1; fi
 gcc -DHAVE_CONFIG_H -I. -I. -I../.. -I../.. -I../../lib/cdt -I/apps/graphviz/2.8/include -g -Wno-unused-parameter -Wno-unknown-pragmas -Wstrict-prototypes -Wpointer-arith -Wall -ffast-math -MT scan.lo -MD -MP -MF .deps/scan.Tpo -c scan.c -fPIC -DPIC -o .libs/scan.o
./../lib/agraph/scan.l: In function `aglexeof':
./../lib/agraph/scan.l:162: error: `aagtext_ptr' undeclared (first use in this function)
./../lib/agraph/scan.l:162: error: (Each undeclared identifier is reported only once
./../lib/agraph/scan.l:162: error: for each function it appears in.)
make[3]: *** [scan.lo] Error 1
make[3]: Leaving directory `/d/src/graphviz-2.8/lib/agraph'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/d/src/graphviz-2.8/lib'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/d/src/graphviz-2.8'
make: *** [all] Error 2

I think your `make distclean' target is broken. I then unpacked
a fresh tarball and reran the build without optimization and
it completed.

The original problem repeats with the unoptimized build. Thus this is
unlikely to be a compiler optimization issue (despite the scary
bt output).

Additional Information

[ellson] Re the problem with "make distclean"

"make distclean" removes bison and flex products. If you don't have a compatible yacc and lex then
problems can arise. Suggest that you use just "make clean".

I think I can replicate the main problem, but I get a segfault on your graph at a different place.
(gdb) run
Starting program: /home/ellson/FIX/Linux.x86_64/bin/dot

Program received signal SIGSEGV, Segmentation fault.
0x00002aaaaad54edd in agcopyattr (oldobj=0x54a650, newobj=0x54b7c0)
    at attribs.c:358
358 Agdict_t *d = agdictof(oldobj);
Tags: No tags attached.
STATUS-COMMENT: Fixed (27 April 2006)
VERSION: 2.8
- Issue History
Date Modified Username Field Change
2011-04-28 04:03 user1 New Issue
2011-04-28 04:03 user1 Assigned To => erg
