Debian Bug report logs - #665432
gnuplot: using stdin makes gnuplot crash

version graph

Package: gnuplot; Maintainer for gnuplot is Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>; Source for gnuplot is src:gnuplot.

Reported by: Vincent Lefevre <vincent@vinc17.net>

Date: Sat, 24 Mar 2012 03:09:08 UTC

Severity: grave

Tags: fixed-upstream

Merged with 665832

Found in version gnuplot/4.6.0-1

Fixed in version gnuplot/4.6.0-2

Done: Anton Gladky <gladky.anton@gmail.com>

Bug is archived. No further changes may be made.

Forwarded to http://sourceforge.net/tracker/?func=detail&aid=3524063&group_id=2055&atid=102055

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>:
Bug#665432; Package gnuplot. (Sat, 24 Mar 2012 03:09:11 GMT) Full text and rfc822 format available.

Acknowledgement sent to Vincent Lefevre <vincent@vinc17.net>:
Extra info received and forwarded to list. Copy sent to Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>. (Sat, 24 Mar 2012 03:09:11 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Vincent Lefevre <vincent@vinc17.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: gnuplot: using stdin makes gnuplot crash
Date: Sat, 24 Mar 2012 04:07:12 +0100
Package: gnuplot
Version: 4.6.0-1
Severity: important

Using stdin (whether the command makes sense or not), which is the
common way to call gnuplot from a script, makes gnuplot crash. For
instance:

$ echo "foo" | gnuplot -
Segmentation fault (core dumped)

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages gnuplot depends on:
ii  gnuplot-nox  4.6.0-1
ii  gnuplot-x11  4.6.0-1

gnuplot recommends no packages.

Versions of packages gnuplot suggests:
ii  gnuplot-doc  4.6.0-1

-- no debconf information




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>:
Bug#665432; Package gnuplot. (Mon, 26 Mar 2012 16:15:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Agustin Martin <agmartin@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>. (Mon, 26 Mar 2012 16:15:04 GMT) Full text and rfc822 format available.

Message #10 received at 665432@bugs.debian.org (full text, mbox):

From: Agustin Martin <agmartin@debian.org>
To: Vincent Lefevre <vincent@vinc17.net>, 665432@bugs.debian.org
Subject: Re: Bug#665432: gnuplot: using stdin makes gnuplot crash
Date: Mon, 26 Mar 2012 18:10:02 +0200
On Sat, Mar 24, 2012 at 04:07:12AM +0100, Vincent Lefevre wrote:
> Package: gnuplot
> Version: 4.6.0-1
> Severity: important
> 
> Using stdin (whether the command makes sense or not), which is the
> common way to call gnuplot from a script, makes gnuplot crash. For
> instance:
> 
> $ echo "foo" | gnuplot -
> Segmentation fault (core dumped)

Hi, Vincent

In i386

$ echo "foo" | gnuplot

gnuplot> foo
         ^
         line 0: invalid command

while as you write

$ echo "foo" | gnuplot -
Segmentation fault

which is indeed a bug, if '-' is supported should work, otherwise should
fail gracefully.

> Architecture: amd64 (x86_64)

By the way, just noticed about 

#665832 gnuplot: Crashes with "Segmentation fault" on every command

happening in x86_64 (this may make things different from i386, where
things mostly work).

Regards,

-- 
Agustin




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>:
Bug#665432; Package gnuplot. (Mon, 26 Mar 2012 20:54:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Vincent Lefevre <vincent@vinc17.net>:
Extra info received and forwarded to list. Copy sent to Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>. (Mon, 26 Mar 2012 20:54:04 GMT) Full text and rfc822 format available.

Message #15 received at 665432@bugs.debian.org (full text, mbox):

From: Vincent Lefevre <vincent@vinc17.net>
To: Agustin Martin <agmartin@debian.org>
Cc: 665432@bugs.debian.org
Subject: Re: Bug#665432: gnuplot: using stdin makes gnuplot crash
Date: Mon, 26 Mar 2012 22:52:01 +0200
Hi Agustin,

On 2012-03-26 18:10:02 +0200, Agustin Martin wrote:
> In i386
> 
> $ echo "foo" | gnuplot
> 
> gnuplot> foo
>          ^
>          line 0: invalid command

However this form is not officially supported: from the gnuplot
man page:

       If file names are given on the command line,  gnuplot  loads
       each file with the load command, in the order specified, and
       exits after the last file is processed.   If  no  files  are
       given, gnuplot prompts for interactive commands.
                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

(which is actually not what occurs).

> while as you write
> 
> $ echo "foo" | gnuplot -
> Segmentation fault
> 
> which is indeed a bug, if '-' is supported should work, otherwise should
> fail gracefully.

It was supported in the past, at least up to 4.4 (by convention, '-'
generally means stdin in command arguments when a filename is expected,
even though this is not always documented). However I've just noticed
that there's no such problem if I replace '-' by '/dev/stdin'. So,
I suspect a parsing bug of the command line arguments.

-- 
Vincent Lefèvre <vincent@vinc17.net> - Web: <http://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <http://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>:
Bug#665432; Package gnuplot. (Mon, 26 Mar 2012 21:12:25 GMT) Full text and rfc822 format available.

Acknowledgement sent to Vincent Lefevre <vincent@vinc17.net>:
Extra info received and forwarded to list. Copy sent to Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>. (Mon, 26 Mar 2012 21:12:27 GMT) Full text and rfc822 format available.

Message #20 received at 665432@bugs.debian.org (full text, mbox):

From: Vincent Lefevre <vincent@vinc17.net>
To: Agustin Martin <agmartin@debian.org>
Cc: 665432@bugs.debian.org
Subject: Re: Bug#665432: gnuplot: using stdin makes gnuplot crash
Date: Mon, 26 Mar 2012 23:11:47 +0200
On 2012-03-26 22:52:01 +0200, Vincent Lefevre wrote:
> It was supported in the past, at least up to 4.4 (by convention, '-'
> generally means stdin in command arguments when a filename is expected,
> even though this is not always documented). However I've just noticed
> that there's no such problem if I replace '-' by '/dev/stdin'. So,
> I suspect a parsing bug of the command line arguments.

Something more complex, as

  echo | gnuplot -

does not crash.

FYI,

$ echo "foo" | valgrind gnuplot -
==11357== Memcheck, a memory error detector
==11357== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==11357== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==11357== Command: gnuplot -
==11357== 
==11357== Invalid read of size 8
==11357==    at 0x41EB76: ??? (in /usr/bin/gnuplot)
==11357==    by 0x4226BB: ??? (in /usr/bin/gnuplot)
==11357==    by 0x4166E4: ??? (in /usr/bin/gnuplot)
==11357==    by 0x70A0EAC: (below main) (libc-start.c:228)
==11357==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==11357== 
==11357== 
==11357== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==11357==  Access not within mapped region at address 0x0
==11357==    at 0x41EB76: ??? (in /usr/bin/gnuplot)
==11357==    by 0x4226BB: ??? (in /usr/bin/gnuplot)
==11357==    by 0x4166E4: ??? (in /usr/bin/gnuplot)
==11357==    by 0x70A0EAC: (below main) (libc-start.c:228)
==11357==  If you believe this happened as a result of a stack
==11357==  overflow in your program's main thread (unlikely but
==11357==  possible), you can try to increase the size of the
==11357==  main thread stack using the --main-stacksize= flag.
==11357==  The main thread stack size used in this run was 8388608.
[...]

A null pointer dereference?

The plot.c file contains:

    if (argc > 1) {
#ifdef _Windows
        TBOOLEAN noend = persist_cl;
#endif

        /* load filenames given as arguments */
        while (--argc > 0) {
            ++argv;
            c_token = 0;
#ifdef _Windows
            if (stricmp(*argv, "-noend") == 0 || stricmp(*argv, "/noend") == 0
                || stricmp(*argv, "-persist") == 0)
                noend = TRUE;
            else
#endif
            if (!strncmp(*argv, "-persist", 2) || !strcmp(*argv, "--persist")) {
                FPRINTF((stderr,"'persist' command line option recognized\n"));

            } else if (strcmp(*argv, "-") == 0) {
                interactive = TRUE;
                while (!com_line());
                interactive = FALSE;

            } else if (strcmp(*argv, "-e") == 0) {
                --argc; ++argv;
                if (argc <= 0) {
                    fprintf(stderr, "syntax:  gnuplot -e \"commands\"\n");
                    return 0;
                }
                do_string(*argv);

            } else {
                load_file(loadpath_fopen(*argv, "r"), gp_strdup(*argv), FALSE);
            }
        }
#ifdef _Windows
        if (noend) {
            interactive = TRUE;
            while (!com_line());
        }
#endif
    } else {
        /* take commands from stdin */
        while (!com_line());
    }

So, there seems to be a problem with com_line() while interactive
is TRUE (and I wonder what the intent is...).

-- 
Vincent Lefèvre <vincent@vinc17.net> - Web: <http://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <http://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>:
Bug#665432; Package gnuplot. (Wed, 28 Mar 2012 18:36:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Anton Gladky <gladky.anton@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>. (Wed, 28 Mar 2012 18:36:03 GMT) Full text and rfc822 format available.

Message #25 received at 665432@bugs.debian.org (full text, mbox):

From: Anton Gladky <gladky.anton@gmail.com>
To: Vincent Lefevre <vincent@vinc17.net>, 665432@bugs.debian.org
Cc: Agustin Martin <agmartin@debian.org>
Subject: Re: Bug#665432: gnuplot: using stdin makes gnuplot crash
Date: Wed, 28 Mar 2012 20:33:57 +0200
Vincent, are you affected with the bug #665832?

Thanks.

Anton




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>:
Bug#665432; Package gnuplot. (Wed, 28 Mar 2012 23:27:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Vincent Lefevre <vincent@vinc17.net>:
Extra info received and forwarded to list. Copy sent to Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>. (Wed, 28 Mar 2012 23:27:03 GMT) Full text and rfc822 format available.

Message #30 received at 665432@bugs.debian.org (full text, mbox):

From: Vincent Lefevre <vincent@vinc17.net>
To: Anton Gladky <gladky.anton@gmail.com>
Cc: 665432@bugs.debian.org, Agustin Martin <agmartin@debian.org>, 665832@bugs.debian.org
Subject: Re: Bug#665432: gnuplot: using stdin makes gnuplot crash
Date: Thu, 29 Mar 2012 01:22:06 +0200
On 2012-03-28 20:33:57 +0200, Anton Gladky wrote:
> Vincent, are you affected with the bug #665832?

No (FYI, my machine is an x86_64).

-- 
Vincent Lefèvre <vincent@vinc17.net> - Web: <http://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <http://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>:
Bug#665432; Package gnuplot. (Fri, 30 Mar 2012 12:36:32 GMT) Full text and rfc822 format available.

Acknowledgement sent to Agustin Martin <agmartin@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>. (Fri, 30 Mar 2012 12:36:34 GMT) Full text and rfc822 format available.

Message #35 received at 665432@bugs.debian.org (full text, mbox):

From: Agustin Martin <agmartin@debian.org>
To: 665432@bugs.debian.org
Cc: Vincent Lefevre <vincent@vinc17.net>
Subject: Re: Bug#665432: gnuplot: using stdin makes gnuplot crash
Date: Fri, 30 Mar 2012 14:21:13 +0200
[Message part 1 (text/plain, inline)]
On Mon, Mar 26, 2012 at 11:11:47PM +0200, Vincent Lefevre wrote:
> Something more complex, as
> 
>   echo | gnuplot -
> 
> does not crash.
> 
> FYI,
> 
> $ echo "foo" | valgrind gnuplot -
> ==11357== Memcheck, a memory error detector
...
> A null pointer dereference?

> So, there seems to be a problem with com_line() while interactive
> is TRUE (and I wonder what the intent is...).

Just for the records,

I have been trying to track this "the dumb way" (putting messages here and
there) and seems that the problem is in a call to gp_get_string called
from read_line called from com_line (all in command.c).

I had no time to go further and do not know when I will have it. I am
attaching a diff with a minimal fprintf set around the problem.

Hope this helps,

-- 
Agustin
[test-with-flags-command.c.diff (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>:
Bug#665432; Package gnuplot. (Fri, 30 Mar 2012 19:06:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Anton Gladky <gladky.anton@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>. (Fri, 30 Mar 2012 19:06:02 GMT) Full text and rfc822 format available.

Message #40 received at 665432@bugs.debian.org (full text, mbox):

From: Anton Gladky <gladky.anton@gmail.com>
To: control@bugs.debian.org
Cc: 665832@bugs.debian.org, 665432@bugs.debian.org
Subject: Merging
Date: Fri, 30 Mar 2012 21:02:21 +0200
[Message part 1 (text/plain, inline)]
forcemerge 665832 665432
thanks

Both bugs are having the same nature.

Anton.

[signature.asc (application/pgp-signature, attachment)]

Severity set to 'grave' from 'important' Request was from Anton Gladky <gladky.anton@gmail.com> to control@bugs.debian.org. (Fri, 30 Mar 2012 19:06:06 GMT) Full text and rfc822 format available.

Merged 665432 665832 Request was from Anton Gladky <gladky.anton@gmail.com> to control@bugs.debian.org. (Fri, 30 Mar 2012 19:06:06 GMT) Full text and rfc822 format available.

Added tag(s) pending. Request was from Anton Gladky <gladky.anton@gmail.com> to control@bugs.debian.org. (Fri, 30 Mar 2012 19:15:05 GMT) Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 29 Apr 2012 07:35:46 GMT) Full text and rfc822 format available.

Bug unarchived. Request was from Agustin Martin Domingo <agmartin@debian.org> to control@bugs.debian.org. (Mon, 07 May 2012 10:27:29 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>:
Bug#665432; Package gnuplot. (Mon, 07 May 2012 10:39:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Agustin Martin <agmartin@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>. (Mon, 07 May 2012 10:39:04 GMT) Full text and rfc822 format available.

Message #55 received at 665432@bugs.debian.org (full text, mbox):

From: Agustin Martin <agmartin@debian.org>
To: 665432@bugs.debian.org, 665832@bugs.debian.org
Subject: Re: Bug#665432: Merging
Date: Mon, 7 May 2012 12:36:48 +0200
package   gnuplot
forwarded 665432 http://sourceforge.net/tracker/?func=detail&aid=3524063&group_id=2055&atid=102055
tag       665432 +fixed-upstream
thanks

On Fri, Mar 30, 2012 at 09:02:21PM +0200, Anton Gladky wrote:
> forcemerge 665832 665432
> thanks
> 
> Both bugs are having the same nature.

Hi Anton,

I forwarded this bug report upstream to also know his POV. While he applied
your patch he thinks this is related to yet another problem in BSD
libedit, quoting upstream:

Sender: sfeam

  If the patch fixes this problem, then it clearly must have something to
  do with use of the BSD libedit for input. Probably we should deprecate
  this anyhow, since libedit can't handle UTF-8 and has other deficiencies
  as well. Either gnu libreadline or gnuplot's own readline equivalent are
  better choices at this point. Note that in version 4.6, several
  weaknesses of the builtin readline equivalent have been removed. I don't
  think there is a good case for choosing libedit any more.

Regards,

-- 
Agustin




Set Bug forwarded-to-address to 'http://sourceforge.net/tracker/?func=detail&aid=3524063&group_id=2055&atid=102055'. Request was from Agustin Martin <agmartin@debian.org> to control@bugs.debian.org. (Mon, 07 May 2012 10:39:35 GMT) Full text and rfc822 format available.

Added tag(s) fixed-upstream. Request was from Agustin Martin <agmartin@debian.org> to control@bugs.debian.org. (Mon, 07 May 2012 10:39:37 GMT) Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 05 Jun 2012 07:38:23 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 19:54:52 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.