Reproducible SIGABRT in mantiuk06_matrix_free()
Environment/Versions
- GIMP version: git master at
917506d16e3851437a120c47e201679838401aa0
- Package:
- Operating System: Fedora 40
Reproduction
Is the bug reproducible? Always
Steps to reproduce
- Open a PNG image
- Select
Colors > Tone Mapping > Mantiuk 2006...
Expected result:
No crash
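Actual result:
GIMP aborts with SIGABRT: glibc reports "double free or corruption (out)" from the g_free() call in mantiuk06_matrix_free() (mantiuk06.c:433). In frame #6 the chunk being freed has size=4290772992, which is implausibly large for the 256x256 image being processed, so the heap metadata was probably overwritten earlier and this free() is only where glibc detected it. A run under AddressSanitizer or Valgrind should show the first invalid access. Full gdb session: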
ak@ac:~/coding/gimp299install/bin$ gdb ./gimp-2.99
GNU gdb (Fedora Linux) 14.1-9.fc40
(gdb) run
Starting program: /home/ak/coding/gimp299install/bin/gimp-2.99
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
[New Thread 0x7fffe64006c0 (LWP 17902)]
[New Thread 0x7fffe5a006c0 (LWP 17903)]
[New Thread 0x7fffe50006c0 (LWP 17904)]
[New Thread 0x7fffdfe006c0 (LWP 17905)]
[New Thread 0x7fffdf4006c0 (LWP 17906)]
[New Thread 0x7fffdea006c0 (LWP 17907)]
[New Thread 0x7fffde0006c0 (LWP 17908)]
[New Thread 0x7fffdd6006c0 (LWP 17909)]
[New Thread 0x7fffdcc006c0 (LWP 17910)]
[New Thread 0x7fffd3e006c0 (LWP 17911)]
[New Thread 0x7fffc74006c0 (LWP 17912)]
[New Thread 0x7fffc6a006c0 (LWP 17913)]
This is a development version of GIMP. Debug messages may appear here.
[New Thread 0x7fffc50006c0 (LWP 17914)]
[New Thread 0x7fffc46006c0 (LWP 17915)]
[New Thread 0x7fffbbe006c0 (LWP 17916)]
[New Thread 0x7fffbba006c0 (LWP 17917)]
[New Thread 0x7fffbb6006c0 (LWP 17918)]
[New Thread 0x7fffbb2006c0 (LWP 17919)]
[New Thread 0x7fffbae006c0 (LWP 17920)]
[New Thread 0x7fffbaa006c0 (LWP 17921)]
[New Thread 0x7fffba6006c0 (LWP 17922)]
[New Thread 0x7fffba2006c0 (LWP 17923)]
[New Thread 0x7fffb98006c0 (LWP 17924)]
[Thread 0x7fffb98006c0 (LWP 17924) exited]
[New Thread 0x7fffb98006c0 (LWP 17925)]
[New Thread 0x7fffb8e006c0 (LWP 17926)]
[Thread 0x7fffb98006c0 (LWP 17925) exited]
gimp_font_factory_load_names: 100 unsupported fonts were ignored. Set the GIMP_DEBUG_FONTS environment variable for a listing.
set device 'Wayland Pointer' to mode: disabled
[Detaching after vfork from child process 17927]
[Detaching after vfork from child process 17928]
[Detaching after vfork from child process 17929]
[Detaching after vfork from child process 17931]
[Detaching after vfork from child process 17933]
[Detaching after vfork from child process 17937]
[Detaching after vfork from child process 17944]
[New Thread 0x7fffb98006c0 (LWP 17949)]
[Thread 0x7fffb98006c0 (LWP 17949) exited]
[Detaching after vfork from child process 17952]
[New Thread 0x7fffb98006c0 (LWP 17973)]
GUI new func match: generic fallback
[New Thread 0x7fff616006c0 (LWP 17978)]
[New Thread 0x7fff60c006c0 (LWP 17979)]
[New Thread 0x7fff54a006c0 (LWP 17980)]
[New Thread 0x7fff4be006c0 (LWP 17981)]
[New Thread 0x7fff4b4006c0 (LWP 17982)]
[New Thread 0x7fff4aa006c0 (LWP 17983)]
[New Thread 0x7fff4a0006c0 (LWP 17984)]
double free or corruption (out)
Thread 1 "gimp-2.99" received signal SIGABRT, Aborted.
__pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
warning: 44 pthread_kill.c: No such file or directory
(gdb) bt full
#0 __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
tid = <optimized out>
ret = 0
pd = <optimized out>
old_mask = {__val = {140737488340672}}
ret = <optimized out>
#1 0x00007ffff647e1f3 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:78
#2 0x00007ffff642665e in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
ret = <optimized out>
#3 0x00007ffff640e902 in __GI_abort () at abort.c:79
save_stage = 1
act = {__sigaction_handler = {sa_handler = 0x20, sa_sigaction = 0x20}, sa_mask = {__val = {83793920, 0, 4294967297, 1, 0, 0, 0, 0, 83795232, 75529488, 0, 139637976727552, 140734827071168, 140736513705380, 140737488342032, 83793664}}, sa_flags = -2001523968, sa_restorer = 0x0}
#4 0x00007ffff640f767 in __libc_message_impl (fmt=fmt@entry=0x7ffff65952f7 "%s\n") at ../sysdeps/posix/libc_fatal.c:132
ap = {{gp_offset = 16, fp_offset = 0, overflow_arg_area = 0x7fffffffc8e0, reg_save_area = 0x7fffffffc870}}
fd = 2
iov = {{iov_base = 0x7ffff6598458, iov_len = 31}, {iov_base = 0x7ffff65952f9, iov_len = 1}, {iov_base = 0x0, iov_len = 140737026773152}, {iov_base = 0x1, iov_len = 140737026773152}, {iov_base = 0x0, iov_len = 0}, {iov_base = 0x0, iov_len = 140737026773152}, {iov_base = 0x8, iov_len = 0}}
iovcnt = <optimized out>
total = <optimized out>
cp = <optimized out>
#5 0x00007ffff64881b5 in malloc_printerr (str=str@entry=0x7ffff6598458 "double free or corruption (out)") at malloc.c:5772
#6 0x00007ffff648a2f0 in _int_free_merge_chunk (av=av@entry=0x7ffff65c9ac0 <main_arena>, p=0x545f430, size=4290772992) at malloc.c:4676
nextchunk = 0x10505f430
nextsize = <optimized out>
#7 0x00007ffff648a5fa in _int_free (av=0x7ffff65c9ac0 <main_arena>, p=p@entry=0x545f430, have_lock=<optimized out>, have_lock@entry=0) at malloc.c:4646
size = <optimized out>
fb = <optimized out>
#8 0x00007ffff648ce0e in __GI___libc_free (mem=mem@entry=0x545f440) at malloc.c:3398
ar_ptr = <optimized out>
p = 0x545f430
err = 34
#9 0x00007ffff794ee55 in g_free (mem=0x545f440) at ../glib/gmem.c:208
#10 0x00007fffc5e7c3ab in mantiuk06_matrix_free (m=0x545f440) at ../operations/common/mantiuk06.c:433
#11 0x00007fffc5e7c5f1 in mantiuk06_pyramid_calculate_divergence_sum (pyramid=0x0, divG_sum=0x541f430) at ../operations/common/mantiuk06.c:560
temp = 0x545f440
levels = 7
#12 0x00007fffc5e7cbe5 in mantiuk06_multiplyA (px=0x3d5c6a0, pC=0x4baa250, x=0x53df420, divG_sum=0x541f430) at ../operations/common/mantiuk06.c:801
#13 0x00007fffc5e7d551 in mantiuk06_lincg (pyramid=0x3d5c6a0, pC=0x4baa250, b=0x531f3f0, x=0x4bd4000, itmax=200, tol=0.00100000005, progress_cb=0x0) at ../operations/common/mantiuk06.c:1034
i = <optimized out>
alpha = -nan(0x400000)
old_rdotr = -nan(0x400000)
rows = 256
cols = 256
n = 65536
iter = 171
num_backwards = 0
num_backwards_ceiling = 3
tol2 = 1.00000011e-06
x_save = 0x535f400
r = 0x539f410
p = 0x53df420
Ap = 0x541f430
bnrm2 = 2.06251661e+09
rdotr = -nan(0x400000)
irdotr = 7.06451307e+15
saved_rdotr = inf
percent_sf = -3.46474195
#14 0x00007fffc5e7dd7f in mantiuk06_transform_to_luminance (pp=0x3d5c6a0, x=0x4bd4000, progress=0x0, bcg=0, itmax=200, tol=0.00100000005) at ../operations/common/mantiuk06.c:1304
b = 0x531f3f0
pC = 0x4baa250
#15 0x00007fffc5e7e2cc in mantiuk06_contmap (c=256, r=256, rgb=0x4fef360, Y=0x4bd4000, contrastFactor=0.100000001, saturationFactor=0.800000012, bcg=0, itmax=200, tol=0.00100000005, progress=0x0) at ../operations/common/mantiuk06.c:1487
pp = 0x3d5c6a0
tY = 0x527f3b0
n = 65536
j = 65536
Ymax = 0.991102159
clip_min = 9.91102169e-08
#16 0x00007fffc5e7e975 in mantiuk06_process (operation=0x42fe340, input=0x4816310, output=0x4ba89c0, result=0x4c84070, level=0) at ../operations/common/mantiuk06.c:1598
space = 0x7ffff7557d40 <space_db>
o = 0x312a6f0
pix_stride = 4
lum = 0x4bd4000
pix = 0x4fef360
__func__ = "mantiuk06_process"
#17 0x00007ffff785c316 in gegl_operation_filter_process (operation=0x42fe340, context=0x4c84060, output_prop=0x7ffff78d2f59 "output", result=0x4c84070, level=0) at ../gegl/operation/gegl-operation-filter.c:212
klass = 0x10ccff0
input = 0x4816310
output = 0x4ba89c0
success = 0
__func__ = "gegl_operation_filter_process"
#18 0x00007fffc5e7eac6 in mantiuk06_operation_process (operation=0x42fe340, context=0x4c84060, output_prop=0x7ffff78d2f59 "output", result=0x4c84070, level=0) at ../operations/common/mantiuk06.c:1632
operation_class = 0x1110410
in_rect = 0x4fb8fd0
#19 0x00007ffff7861884 in gegl_operation_process (operation=0x42fe340, context=0x4c84060, output_pad=0x7ffff78d2f59 "output", result=0x4c84070, level=0) at ../gegl/operation/gegl-operation.c:176
klass = 0x10ccff0
t = 1291507167
n_pixels = 65536
update_pixel_time = 1
success = -12544
__func__ = "gegl_operation_process"
#20 0x00007ffff7866b7d in gegl_graph_process (path=0xe558e0, level=0) at ../gegl/process/gegl-graph-traversal.c:486
_gegl_instrument_ticks = 0
node = 0x4acd850
operation = 0x42fe340
list_iter = 0x4bb6590 = {0x4acd850, 0x4fb5320, 0x4fb5940, 0x4fb2040, 0x4f9f8a0, 0x4fa08d0, 0x4af58a0, 0x4fd2b30, 0x4fbe6e0, 0x4fbed20, 0x4fa3290, 0x4c7f190, 0x41d0ed0, 0x4c843a0, 0x38e6460, 0x4c99920, 0x4c85290, 0x4b966f0, 0x4b96eb0, 0x4b97420, 0xe54db0}
result = 0x0
context = 0x4c84060
last_context = 0xe55b10
operation_result = 0x0
__func__ = "gegl_graph_process"
#21 0x00007ffff7865739 in gegl_eval_manager_apply (self=0xe55850, roi=0x7fffffffd080, level=0) at ../gegl/process/gegl-eval-manager.c:128
_gegl_instrument_ticks = 0
object = 0xfffffffffffffb78
__func__ = "gegl_eval_manager_apply"
#22 0x00007ffff7843952 in gegl_node_blit_buffer (self=0x481c900, buffer=0x4b7f670, roi=0x7fffffffd1d0, level=0, abyss_policy=GEGL_ABYSS_NONE) at ../gegl/graph/gegl-node.c:1172
eval_manager = 0xe55850
result = 0x58e309
request = {x = 0, y = 0, width = 128, height = 128}
#23 0x000000000065c076 in gimp_tile_handler_validate_real_validate_buffer (validate=0x481c830, rect=0x7fffffffd1d0, buffer=0x4b7f670) at ../app/gegl/gimptilehandlervalidate.c:257
klass = 0x481c720
#24 0x000000000065d1fd in gimp_tile_handler_validate_validate (validate=0x481c830, buffer=0x4b7f670, rect=0x7fffffffd1d0, intersect=0, chunked=0) at ../app/gegl/gimptilehandlervalidate.c:616
klass = 0x481c720
region = 0x0
__func__ = "gimp_tile_handler_validate_validate"
#25 0x000000000058e4e3 in gimp_projection_paint_area (proj=0x487c280, now=1, x=0, y=0, w=128, h=128) at ../app/core/gimpprojection.c:865
off_x = 0
off_y = 0
bounding_box = {x = 0, y = 0, width = 256, height = 256}
rect = {x = 0, y = 0, width = 128, height = 128}
#26 0x000000000058e39f in gimp_projection_chunk_render_iteration (proj=0x487c280) at ../app/core/gimpprojection.c:817
rect = {x = 0, y = 0, width = 128, height = 128}
#27 0x000000000058e321 in gimp_projection_chunk_render_callback (proj=0x487c280) at ../app/core/gimpprojection.c:794
#28 0x00007ffff795498d in g_idle_dispatch (source=0x4fca9d0, callback=0x58e309 <gimp_projection_chunk_render_callback>, user_data=0x487c280) at ../glib/gmain.c:6150
idle_source = 0x4fca9d0
again = <optimized out>
#29 0x00007ffff794e26c in g_main_dispatch (context=0xe29040) at ../glib/gmain.c:3344
dispatch = 0x7ffff7954960 <g_idle_dispatch>
prev_source = 0x0
begin_time_nsec = 1291507045344
was_in_call = 0
user_data = 0x487c280
callback = 0x58e309 <gimp_projection_chunk_render_callback>
cb_funcs = 0x7ffff7a3d280 <g_source_callback_funcs>
cb_data = 0x43be720
need_destroy = <optimized out>
source = 0x4fca9d0
current = 0xe324d0
i = <optimized out>
__func__ = {<optimized out> <repeats 16 times>}
#30 g_main_context_dispatch_unlocked (context=0xe29040) at ../glib/gmain.c:4152
#31 0x00007ffff79af2a8 in g_main_context_iterate_unlocked.isra.0 (context=context@entry=0xe29040, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/gmain.c:4217
max_priority = 122
timeout = 0
some_ready = 1
nfds = 4
allocated_nfds = <optimized out>
fds = 0x3178860
begin_time_nsec = 1291507041904
#32 0x00007ffff794f6e3 in g_main_context_iteration (context=context@entry=0xe29040, may_block=may_block@entry=1) at ../glib/gmain.c:4282
retval = <optimized out>
#33 0x00007ffff769937d in g_application_run (application=0x10ad500, argc=<optimized out>, argv=0x0) at ../gio/gapplication.c:2613
arguments = 0x11e1a80
status = 0
context = 0xe29040
acquired_context = <optimized out>
__func__ = "g_application_run"
#34 0x00000000007f42bf in app_run
(full_prog_name=0xe0da20 "/home/ak/coding/gimp299install/bin/gimp-2.99", filenames=0x0, alternate_system_gimprc=0x0, alternate_gimprc=0x0, session_name=0x0, batch_interpreter=0x0, batch_commands=0x0, quit=0, as_new=0, no_interface=0, no_data=0, no_fonts=0, no_splash=0, be_verbose=0, use_shm=1, use_cpu_accel=1, console_messages=0, use_debug_handler=0, show_playground=1, show_debug_menu=1, stack_trace_mode=GIMP_STACK_TRACE_QUERY, pdb_compat_mode=GIMP_PDB_COMPAT_WARN, backtrace_file=0xdf1ef0 "/home/ak/.config/GIMP/2.99/CrashLog/gimp-crash-1710415820.txt") at ../app/app.c:317
gimp = 0xfaf300
app = 0x10ad500
default_folder = 0x0
gimpdir = 0xf9da50
abort_message = 0x0
retval = 0
__func__ = "app_run"
#35 0x0000000000519533 in main (argc=1, argv=0xe0d620) at ../app/main.c:786
context = 0xe0da80
error = 0x0
abort_message = 0x0
basename = 0xe0da60 "[FILE|URI...]"
system_gimprc_file = 0x0
user_gimprc_file = 0x0
gimp_group = 0xe0e130
backtrace_file = 0xdf1ef0 "/home/ak/.config/GIMP/2.99/CrashLog/gimp-crash-1710415820.txt"
retval = 0
i = 1
(gdb)