Graphviz Issue Tracker
Mantis Bug Tracker

ID: 0000967    Project: graphviz    Category: Dot    View Status: public
Date Submitted: 2005-09-11 12:25    Last Update: 2011-04-28 04:03
Reporter: Mark RISON
Assigned To: erg
Priority: normal    Severity: major    Reproducibility: always
Status: closed    Resolution: fixed
Platform / OS / OS Version: *-*-
Summary: 0000967: Corrupt code output for user-defined PostScript shapes
Description

Using the test file below,
<CD>
dot -Tps -l sdl.ps sdl2.dot -o sdl2.ps ; grep -n 'false $' sdl2.ps
</CD>
(where sdl.ps contains appropriate definitions) demonstrates that
corrupt PostScript code can be output.

The corruption is very input-dependent. The test file below is the
result of more than an hour of trying to cut down a failure case to a
minimal size (it would probably be possible to cut it down further,
but I'd lost the will to live after removing dozens of lines by trial
and error!). Sometimes the corruption takes the form of a missing
shape procedure name, sometimes it takes the form of a corrupt shape
procedure name. The most innocuous-looking change can have an effect!

Steps To Reproduce

digraph dg1
{
state36 [ shape = sdl_state ];
transition37 [ shape = sdl_save ];
state36 -> transition37;
transition38 [ shape = sdl_input_from_right ];
transition39 [ shape = box ];
transition40 [ shape = sdl_output_to_right ];
transition41 [ shape = sdl_state ];
transition40 -> transition41 [ arrowhead = normal ];
}

digraph dg2
{
state42 [ shape = sdl_state ];
transition43 [ shape = sdl_save ];
state42 -> transition43;
transition44 [ shape = sdl_input_from_right ];
state42 -> transition44;
transition46 [ shape = diamond ];
label45 -> transition46;
transition48 [ shape = triangle ];
transition52 [ shape = box ];
transition51 -> transition52;
transition56 [ shape = box ];
transition57 [ shape = box, label = "z" ];
transition58 [ shape = diamond, label = "z" ];
comment59 [ shape = box, style = dashed, label = "z" ];
transition58 -> comment59 [ style = dashed, arrowhead = none ];
transition60 [ shape = box, label = "zzzzzzzzzzzzz" ];
transition58 -> transition60 [ arrowhead = none , label = "zzzzzz" ];
comment61 [ shape = box ];
transition60 -> comment61 [ style = dashed, arrowhead = none ];
transition62 [ shape = diamond ];
transition58 -> transition62;
comment65 [ shape = box ];
transition68 [ shape = diamond ];
transition76 [ shape = sdl_output_to_right, peripheries = 0, label = "zzzzzzzzzzzzzzzzzzzzzzzzz" ];
transition77 [ shape = box, label = "zzzzzzzzzzzzz" ];
comment78 [ shape = box, style = dashed, label = "zzzzzzzzzzzzzzzzzzzzzzzzzzzz" ];
transition77 -> comment78 [ style = dashed, arrowhead = none ];
transition79 [ shape = sdl_state, peripheries = 0, label = "zzzzzzzzzzzzzzzzzzzz" ];
transition77 -> transition79 [ arrowhead = normal ];
}

digraph dg3
{
state91 [ shape = sdl_state ];
}

digraph dg4
{
transition32 [ shape = diamond ];
transition34 [ shape = sdl_output_to_right, peripheries = 0 ];
}

Additional Information

[north] It is really a heisenbug (not repeatable?)

I hate to say this, but it is working OK for me.
I have a script that runs dot -l sdl.ps -Tps sdlbad2.dot >> out.ps
for 50 times, then another 50 times, and diffs the output, and
does that forever. It never reports any difference.

In the driver, the shape name (like "sdl_input_from_right")
is obtained from the node, (ND_shape(v)->name) where it
was set at node initialization time by getting the string pointer
from the underlying graph library via the "shape" attribute,
and from there the string pointer is just printed.

So if there is heap corruption, it is not obvious how.

Does valgrind help at all? Any other heap corruption tools?

What if you disable the Linux kernel stack/heap
randomization stuff that's intended to thwart
stack smashing and other virus activity? I use this script,
e.g. malloc-shield 0
(Note that brilliantly this is a system-wide setting in Linux.)
<CD>
htdag<1220> cat bin/malloc-shield
case "$1" in
        "") cat /proc/sys/kernel/exec-shield \
                 /proc/sys/kernel/randomize_va_space
            ;;
        0|1) echo "$1" > /proc/sys/kernel/exec-shield
                echo "$1" > /proc/sys/kernel/randomize_va_space
            ;;
        *) echo "$0: bad argument $1"
esac
htdag<1221>
</CD>

[mark]
<CD>
> It is really a heisenbug (not repeatable?)
> I hate to say this, but it is working OK for me.
> I have a script that runs dot -l sdl.ps -Tps sdlbad2.dot >> out.ps
> for 50 times, then another 50 times, and diffs the output, and
> does that forever. It never reports any difference.
</CD>
I'm sorry, I wasn't clear enough. It is repeatable in that I always
get the same failure at the same point for a given bad input file;
it's not necessary to run multiple times on the bad input to tickle
the bug. What's not predictable is, for a random .dot file, which of
the nodes will have a broken custom shape invocation.

Are you testing with dot 2.4? I've tried to run dot 2.6 but I've hit
the problem that I don't have the glibc version dot 2.6 expects.

<CD>
> In the driver, the shape name (like "sdl_input_from_right")
> is obtained from the node, (ND_shape(v)->name) where it
> was set at node initialization time by getting the string pointer
> from the underlying graph library via the "shape" attribute,
> and from there the string pointer is just printed.
> So if there is heap corruption, it is not obvious how.
> Does valgrind help at all? Any other heap corruption tools?
</CD>
valgrind?

<goes off and finds out about, downloads, makes and installs valgrind>

Wow, valgrind is great!

OK, valgrind supports my hunch that it's a problem with access to a
malloc block which has been reused:
<CD>
==1777== Memcheck, a memory error detector.
==1777== Copyright (C) 2002-2005, and GNU GPL'd, by Julian Seward et al.
==1777== Using LibVEX rev 1367, a library for dynamic binary translation.
==1777== Copyright (C) 2004-2005, and GNU GPL'd, by OpenWorks LLP.
==1777== Using valgrind-3.0.1, a dynamic binary instrumentation framework.
==1777== Copyright (C) 2000-2005, and GNU GPL'd, by Julian Seward et al.
==1777== For more details, rerun with: -v
==1777==
Error: No or improper shapefile="<nil>" for node "state36"
Error: No or improper shapefile="<nil>" for node "transition37"
Error: No or improper shapefile="<nil>" for node "transition38"
Error: No or improper shapefile="<nil>" for node "transition40"
Error: No or improper shapefile="<nil>" for node "transition41"
Error: No or improper shapefile="<nil>" for node "state42"
Error: No or improper shapefile="<nil>" for node "transition43"
Error: No or improper shapefile="<nil>" for node "transition44"
Error: No or improper shapefile="<nil>" for node "transition70"
Error: No or improper shapefile="<nil>" for node "transition71"
Error: No or improper shapefile="<nil>" for node "transition72"
Error: No or improper shapefile="<nil>" for node "transition73"
Error: No or improper shapefile="<nil>" for node "transition74"
Error: No or improper shapefile="<nil>" for node "transition75"
Error: No or improper shapefile="<nil>" for node "transition76"
Error: No or improper shapefile="<nil>" for node "transition79"
Error: No or improper shapefile="<nil>" for node "state91"
Error: No or improper shapefile="<nil>" for node "state25"
==1777== Invalid read of size 1
==1777== at 0x1B929AFC: find_user_shape (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B929B4C: user_shape (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B929D11: bind_shape (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B92BD3D: common_init_node (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1BD3E80B: dot_init_node (in /usr/lib/graphviz/libgvplugin_dot_layout.so.0.0.0)
==1777== by 0x1BD3EA38: dot_init_node_edge (in /usr/lib/graphviz/libgvplugin_dot_layout.so.0.0.0)
==1777== by 0x1BD3EEDB: dot_layout (in /usr/lib/graphviz/libgvplugin_dot_layout.so.0.0.0)
==1777== by 0x1B90FEEA: gvlayout_layout (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x8048C64: main (in /usr/bin/dot)
==1777== Address 0x1BC1452C is 12 bytes inside a block of size 24 free'd
==1777== at 0x1B8FF54C: free (vg_replace_malloc.c:235)
==1777== by 0x1B96A221: agstrfree (in /usr/lib/graphviz/libgraph.so.0.0.0)
==1777== by 0x1B968AD7: agFREEnode (in /usr/lib/graphviz/libgraph.so.0.0.0)
==1777== by 0x1B9688D8: agDELnode (in /usr/lib/graphviz/libgraph.so.0.0.0)
==1777== by 0x1B966301: agclose (in /usr/lib/graphviz/libgraph.so.0.0.0)
==1777== by 0x8048C4B: main (in /usr/bin/dot)
==1777==
==1777== Invalid read of size 1
==1777== at 0x1B900748: strcmp (mac_replace_strmem.c:332)
==1777== by 0x1B929B0C: find_user_shape (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B929B4C: user_shape (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B929D11: bind_shape (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B92BD3D: common_init_node (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1BD3E80B: dot_init_node (in /usr/lib/graphviz/libgvplugin_dot_layout.so.0.0.0)
==1777== by 0x1BD3EA38: dot_init_node_edge (in /usr/lib/graphviz/libgvplugin_dot_layout.so.0.0.0)
==1777== by 0x1BD3EEDB: dot_layout (in /usr/lib/graphviz/libgvplugin_dot_layout.so.0.0.0)
==1777== by 0x1B90FEEA: gvlayout_layout (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x8048C64: main (in /usr/bin/dot)
==1777== Address 0x1BC1452C is 12 bytes inside a block of size 24 free'd
==1777== at 0x1B8FF54C: free (vg_replace_malloc.c:235)
==1777== by 0x1B96A221: agstrfree (in /usr/lib/graphviz/libgraph.so.0.0.0)
==1777== by 0x1B968AD7: agFREEnode (in /usr/lib/graphviz/libgraph.so.0.0.0)
==1777== by 0x1B9688D8: agDELnode (in /usr/lib/graphviz/libgraph.so.0.0.0)
==1777== by 0x1B966301: agclose (in /usr/lib/graphviz/libgraph.so.0.0.0)
==1777== by 0x8048C4B: main (in /usr/bin/dot)
Error: No or improper shapefile="<nil>" for node "transition26"
Error: No or improper shapefile="<nil>" for node "transition27"
Error: No or improper shapefile="<nil>" for node "transition31"
Warning: node 'transition33', graph 'mlme_mib4' size too small for label
Error: No or improper shapefile="<nil>" for node "transition34"
==1777==
==1777== Invalid read of size 1
==1777== at 0x1B943878: ps_user_shape (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B90FE2F: gvrender_user_shape (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B9282D8: poly_gencode (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B930DA3: emit_node (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B932DDE: emit_view (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B932FF7: emit_graph (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B933DD1: emit_job (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B934481: emit_jobs (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x8048C79: main (in /usr/bin/dot)
==1777== Address 0x1BC1452C is 12 bytes inside a block of size 24 free'd
==1777== at 0x1B8FF54C: free (vg_replace_malloc.c:235)
==1777== by 0x1B96A221: agstrfree (in /usr/lib/graphviz/libgraph.so.0.0.0)
==1777== by 0x1B968AD7: agFREEnode (in /usr/lib/graphviz/libgraph.so.0.0.0)
==1777== by 0x1B9688D8: agDELnode (in /usr/lib/graphviz/libgraph.so.0.0.0)
==1777== by 0x1B966301: agclose (in /usr/lib/graphviz/libgraph.so.0.0.0)
==1777== by 0x8048C4B: main (in /usr/bin/dot)
==1777==
==1777== Invalid read of size 1
==1777== at 0x1B929AE0: find_user_shape (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B9438C3: ps_user_shape (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B90FE2F: gvrender_user_shape (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B9282D8: poly_gencode (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B930DA3: emit_node (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B932DDE: emit_view (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B932FF7: emit_graph (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B933DD1: emit_job (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B934481: emit_jobs (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x8048C79: main (in /usr/bin/dot)
==1777== Address 0x1BC1452C is 12 bytes inside a block of size 24 free'd
==1777== at 0x1B8FF54C: free (vg_replace_malloc.c:235)
==1777== by 0x1B96A221: agstrfree (in /usr/lib/graphviz/libgraph.so.0.0.0)
==1777== by 0x1B968AD7: agFREEnode (in /usr/lib/graphviz/libgraph.so.0.0.0)
==1777== by 0x1B9688D8: agDELnode (in /usr/lib/graphviz/libgraph.so.0.0.0)
==1777== by 0x1B966301: agclose (in /usr/lib/graphviz/libgraph.so.0.0.0)
==1777== by 0x8048C4B: main (in /usr/bin/dot)
==1777==
==1777== Invalid read of size 1
==1777== at 0x1B90074A: strcmp (mac_replace_strmem.c:332)
==1777== by 0x1B929B0C: find_user_shape (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B9438C3: ps_user_shape (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B90FE2F: gvrender_user_shape (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B9282D8: poly_gencode (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B930DA3: emit_node (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B932DDE: emit_view (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B932FF7: emit_graph (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B933DD1: emit_job (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B934481: emit_jobs (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x8048C79: main (in /usr/bin/dot)
==1777== Address 0x1BC1452C is 12 bytes inside a block of size 24 free'd
==1777== at 0x1B8FF54C: free (vg_replace_malloc.c:235)
==1777== by 0x1B96A221: agstrfree (in /usr/lib/graphviz/libgraph.so.0.0.0)
==1777== by 0x1B968AD7: agFREEnode (in /usr/lib/graphviz/libgraph.so.0.0.0)
==1777== by 0x1B9688D8: agDELnode (in /usr/lib/graphviz/libgraph.so.0.0.0)
==1777== by 0x1B966301: agclose (in /usr/lib/graphviz/libgraph.so.0.0.0)
==1777== by 0x8048C4B: main (in /usr/bin/dot)
==1777==
==1777== Invalid read of size 1
==1777== at 0x1B929AFC: find_user_shape (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B9438C3: ps_user_shape (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B90FE2F: gvrender_user_shape (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B9282D8: poly_gencode (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B930DA3: emit_node (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B932DDE: emit_view (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B932FF7: emit_graph (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B933DD1: emit_job (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B934481: emit_jobs (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x8048C79: main (in /usr/bin/dot)
==1777== Address 0x1BC1452C is 12 bytes inside a block of size 24 free'd
==1777== at 0x1B8FF54C: free (vg_replace_malloc.c:235)
==1777== by 0x1B96A221: agstrfree (in /usr/lib/graphviz/libgraph.so.0.0.0)
==1777== by 0x1B968AD7: agFREEnode (in /usr/lib/graphviz/libgraph.so.0.0.0)
==1777== by 0x1B9688D8: agDELnode (in /usr/lib/graphviz/libgraph.so.0.0.0)
==1777== by 0x1B966301: agclose (in /usr/lib/graphviz/libgraph.so.0.0.0)
==1777== by 0x8048C4B: main (in /usr/bin/dot)
==1777==
==1777== Invalid read of size 1
==1777== at 0x1B900748: strcmp (mac_replace_strmem.c:332)
==1777== by 0x1B929B0C: find_user_shape (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B9438C3: ps_user_shape (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B90FE2F: gvrender_user_shape (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B9282D8: poly_gencode (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B930DA3: emit_node (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B932DDE: emit_view (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B932FF7: emit_graph (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B933DD1: emit_job (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B934481: emit_jobs (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x8048C79: main (in /usr/bin/dot)
==1777== Address 0x1BC1452C is 12 bytes inside a block of size 24 free'd
==1777== at 0x1B8FF54C: free (vg_replace_malloc.c:235)
==1777== by 0x1B96A221: agstrfree (in /usr/lib/graphviz/libgraph.so.0.0.0)
==1777== by 0x1B968AD7: agFREEnode (in /usr/lib/graphviz/libgraph.so.0.0.0)
==1777== by 0x1B9688D8: agDELnode (in /usr/lib/graphviz/libgraph.so.0.0.0)
==1777== by 0x1B966301: agclose (in /usr/lib/graphviz/libgraph.so.0.0.0)
==1777== by 0x8048C4B: main (in /usr/bin/dot)
==1777==
==1777== Invalid read of size 1
==1777== at 0x1B9004E0: strlen (mac_replace_strmem.c:243)
==1777== by 0x1BB113F0: vfprintf (in /lib/tls/libc-2.3.2.so)
==1777== by 0x1BB17DEE: fprintf (in /lib/tls/libc-2.3.2.so)
==1777== by 0x1B943973: ps_user_shape (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B90FE2F: gvrender_user_shape (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B9282D8: poly_gencode (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B930DA3: emit_node (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B932DDE: emit_view (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B932FF7: emit_graph (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B933DD1: emit_job (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B934481: emit_jobs (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x8048C79: main (in /usr/bin/dot)
==1777== Address 0x1BC1452C is 12 bytes inside a block of size 24 free'd
==1777== at 0x1B8FF54C: free (vg_replace_malloc.c:235)
==1777== by 0x1B96A221: agstrfree (in /usr/lib/graphviz/libgraph.so.0.0.0)
==1777== by 0x1B968AD7: agFREEnode (in /usr/lib/graphviz/libgraph.so.0.0.0)
==1777== by 0x1B9688D8: agDELnode (in /usr/lib/graphviz/libgraph.so.0.0.0)
==1777== by 0x1B966301: agclose (in /usr/lib/graphviz/libgraph.so.0.0.0)
==1777== by 0x8048C4B: main (in /usr/bin/dot)
==1777==
==1777== Invalid read of size 1
==1777== at 0x1B9004E9: strlen (mac_replace_strmem.c:243)
==1777== by 0x1BB113F0: vfprintf (in /lib/tls/libc-2.3.2.so)
==1777== by 0x1BB17DEE: fprintf (in /lib/tls/libc-2.3.2.so)
==1777== by 0x1B943973: ps_user_shape (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B90FE2F: gvrender_user_shape (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B9282D8: poly_gencode (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B930DA3: emit_node (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B932DDE: emit_view (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B932FF7: emit_graph (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B933DD1: emit_job (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B934481: emit_jobs (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x8048C79: main (in /usr/bin/dot)
==1777== Address 0x1BC1452D is 13 bytes inside a block of size 24 free'd
==1777== at 0x1B8FF54C: free (vg_replace_malloc.c:235)
==1777== by 0x1B96A221: agstrfree (in /usr/lib/graphviz/libgraph.so.0.0.0)
==1777== by 0x1B968AD7: agFREEnode (in /usr/lib/graphviz/libgraph.so.0.0.0)
==1777== by 0x1B9688D8: agDELnode (in /usr/lib/graphviz/libgraph.so.0.0.0)
==1777== by 0x1B966301: agclose (in /usr/lib/graphviz/libgraph.so.0.0.0)
==1777== by 0x8048C4B: main (in /usr/bin/dot)
==1777==
==1777== Invalid read of size 1
==1777== at 0x1BB36BB0: [email protected]@GLIBC_2.1 (in /lib/tls/libc-2.3.2.so)
==1777== by 0x1BB11396: vfprintf (in /lib/tls/libc-2.3.2.so)
==1777== by 0x1BB17DEE: fprintf (in /lib/tls/libc-2.3.2.so)
==1777== by 0x1B943973: ps_user_shape (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B90FE2F: gvrender_user_shape (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B9282D8: poly_gencode (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B930DA3: emit_node (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B932DDE: emit_view (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B932FF7: emit_graph (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B933DD1: emit_job (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B934481: emit_jobs (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x8048C79: main (in /usr/bin/dot)
==1777== Address 0x1BC1452C is 12 bytes inside a block of size 24 free'd
==1777== at 0x1B8FF54C: free (vg_replace_malloc.c:235)
==1777== by 0x1B96A221: agstrfree (in /usr/lib/graphviz/libgraph.so.0.0.0)
==1777== by 0x1B968AD7: agFREEnode (in /usr/lib/graphviz/libgraph.so.0.0.0)
==1777== by 0x1B9688D8: agDELnode (in /usr/lib/graphviz/libgraph.so.0.0.0)
==1777== by 0x1B966301: agclose (in /usr/lib/graphviz/libgraph.so.0.0.0)
==1777== by 0x8048C4B: main (in /usr/bin/dot)
==1777==
==1777== Invalid read of size 1
==1777== at 0x1BB36BB8: [email protected]@GLIBC_2.1 (in /lib/tls/libc-2.3.2.so)
==1777== by 0x1BB11396: vfprintf (in /lib/tls/libc-2.3.2.so)
==1777== by 0x1BB17DEE: fprintf (in /lib/tls/libc-2.3.2.so)
==1777== by 0x1B943973: ps_user_shape (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B90FE2F: gvrender_user_shape (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B9282D8: poly_gencode (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B930DA3: emit_node (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B932DDE: emit_view (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B932FF7: emit_graph (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B933DD1: emit_job (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1B934481: emit_jobs (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x8048C79: main (in /usr/bin/dot)
==1777== Address 0x1BC1452E is 14 bytes inside a block of size 24 free'd
==1777== at 0x1B8FF54C: free (vg_replace_malloc.c:235)
==1777== by 0x1B96A221: agstrfree (in /usr/lib/graphviz/libgraph.so.0.0.0)
==1777== by 0x1B968AD7: agFREEnode (in /usr/lib/graphviz/libgraph.so.0.0.0)
==1777== by 0x1B9688D8: agDELnode (in /usr/lib/graphviz/libgraph.so.0.0.0)
==1777== by 0x1B966301: agclose (in /usr/lib/graphviz/libgraph.so.0.0.0)
==1777== by 0x8048C4B: main (in /usr/bin/dot)
==1777==
==1777== ERROR SUMMARY: 326 errors from 11 contexts (suppressed: 51 from 1)
==1777== malloc/free: in use at exit: 74117 bytes in 474 blocks.
==1777== malloc/free: 6556 allocs, 6082 frees, 508035 bytes allocated.
==1777== For counts of detected errors, rerun with: -v
==1777== searching for pointers to 474 not-freed blocks.
==1777== checked 528428 bytes.
==1777==
==1777==
==1777== 268 bytes in 4 blocks are definitely lost in loss record 26 of 46
==1777== at 0x1B8FEA39: malloc (vg_replace_malloc.c:149)
==1777== by 0x1B929E80: zmalloc (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x1BD409FA: allocate_ranks (in /usr/lib/graphviz/libgvplugin_dot_layout.so.0.0.0)
==1777== by 0x1BD40544: init_mincross (in /usr/lib/graphviz/libgvplugin_dot_layout.so.0.0.0)
==1777== by 0x1BD3EF72: dot_mincross (in /usr/lib/graphviz/libgvplugin_dot_layout.so.0.0.0)
==1777== by 0x1BD3EEEB: dot_layout (in /usr/lib/graphviz/libgvplugin_dot_layout.so.0.0.0)
==1777== by 0x1B90FEEA: gvlayout_layout (in /usr/lib/graphviz/libgvc.so.0.0.0)
==1777== by 0x8048C64: main (in /usr/bin/dot)
==1777==
==1777== LEAK SUMMARY:
==1777== definitely lost: 268 bytes in 4 blocks.
==1777== possibly lost: 0 bytes in 0 blocks.
==1777== still reachable: 73849 bytes in 470 blocks.
==1777== suppressed: 0 bytes in 0 blocks.
==1777== Reachable blocks (those to which a pointer was found) are not shown.
==1777== To see them, rerun with: --show-reachable=yes
</CD>

<CD>
> What if you disable the Linux kernel stack/heap
> randomization stuff that's intended to thwart
> stack smashing and other virus activity? I use this script,
> e.g. malloc-shield 0
> (Note that brilliantly this is a system-wide setting in Linux.)
</CD>
Can't do this: I don't have root privileges.

<CD>
> "") cat /proc/sys/kernel/exec-shield \
> /proc/sys/kernel/randomize_va_space
</CD>
Are these new to 2.6 kernels? They don't seem to exist on the kernel
I'm using (2.4.21-4.ELsmp).

[north] Er, it is possible that user shapes are cached for the
lifetime of the current job, but using a string that
was obtained from the current graph and the graph
is closed when it is finished (or at least before
working on the next one in a stream). Can anyone
look at this quickly? I have to go to a meeting.

However this bug would only emerge when
more than one graph in a stream is processed.
(I think)
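
The ownership mistake north describes (a job-lifetime shape cache keeping a pointer into a string that the graph frees at close), reduced to a small C model with the borrowing and copying variants side by side. This is an added example, not Graphviz code: graph_t, shape_cache_t, graph_intern(), find_user_shape() and emitted_shape() are hypothetical stand-ins, and the string table is modelled as a fixed pool that is reclaimed rather than free()d so the stale read stays defined behaviour.

```c
/* Hypothetical stand-ins for the libgraph string table and the libgvc
 * shape cache, not the real Graphviz code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define POOL_SIZE 128
#define MAX_SHAPES 8
/* Per-graph string table: the graph owns its attribute strings and
 * reclaims the space when it is closed. */
typedef struct { char pool[POOL_SIZE]; size_t used; } graph_t;
static const char *graph_intern(graph_t *g, const char *s) {
    size_t len = strlen(s) + 1;
    if (g->used + len > POOL_SIZE)
        return NULL;                               /* table full */
    char *p = memcpy(g->pool + g->used, s, len);
    g->used += len;
    return p;
}

/* Closing the graph reclaims the table. Like free(), it leaves the old bytes
 * in place until reused, so a stale pointer looks valid for a while. */
static void graph_close(graph_t *g) { g->used = 0; }

/* Job-lifetime cache of user-defined shapes, keyed by shape name. */
typedef struct {
    const char *names[MAX_SHAPES];
    int n;
    int owns_names;  /* 0: borrow the graph's string (bug); 1: own copy (fix) */
} shape_cache_t;

static char *dup_name(const char *s) {
    char *p = malloc(strlen(s) + 1);
    return p ? strcpy(p, s) : NULL;
}

static const char *find_user_shape(shape_cache_t *c, const char *name) {
    for (int i = 0; i < c->n; i++)
        if (strcmp(c->names[i], name) == 0)
            return c->names[i];                    /* cache hit */
    if (c->n == MAX_SHAPES)
        return NULL;
    c->names[c->n] = c->owns_names ? dup_name(name) : name;
    return c->names[c->n++];
}

static void cache_free(shape_cache_t *c) {
    if (c->owns_names)
        for (int i = 0; i < c->n; i++)
            free((void *)c->names[i]);
    c->n = 0;
}

/* Two-graph stream modelled on the report: graph 1 binds sdl_state; graph 2
 * looks it up again (cache hit at node-init time), then interns a long label
 * before the renderer prints the cached name. Returns that emitted name. */
static const char *emitted_shape(int owns_names) {
    static char out[32];
    graph_t g = { {0}, 0 };
    shape_cache_t cache = { {0}, 0, owns_names };
    find_user_shape(&cache, graph_intern(&g, "sdl_state"));     /* graph 1 */
    graph_close(&g);
    const char *sh = find_user_shape(&cache, "sdl_state");       /* graph 2 */
    graph_intern(&g, "zzzzzzzzzzzzz");             /* label reuses old bytes */
    snprintf(out, sizeof out, "%s", sh ? sh : "<nil>");          /* emit */
    cache_free(&cache);
    return out;
}

/* 1 if the renderer emitted the real shape name, 0 if it was clobbered. */
static int shape_name_intact(int owns_names) {
    return strcmp(emitted_shape(owns_names), "sdl_state") == 0;
}
```

With the borrowed pointer, graph 2's lookup still hits because the old bytes are intact, and the name is only clobbered once the later label reuses them; that ordering is why valgrind flagged both find_user_shape() at init time and ps_user_shape() at emit time.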

Tags: No tags attached.
AUXILLARY-FILES:
DATE-FIXED:
FIX-COMMENT:
FORMER-ID: 788
INPUT-FILE:
OUTPUT-FILE:
STATUS-COMMENT: Fixed (23 Sept 2005)
VERSION: 2.4 (Wed Jul 20 20:58:38 UTC 2005)
Issue History
Date Modified     Username  Field        Change
2011-04-28 04:03  user1     New Issue
2011-04-28 04:03  user1     Assigned To  => erg