php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #40578 Thread safety issue with imagettftext
Submitted: 2007-02-21 14:25 UTC Modified: 2007-02-23 08:18 UTC
From: scottmacvicar at ntlworld dot com Assigned: pajoye (profile)
Status: Closed Package: GD related
PHP Version: 5.2.1 OS: RHEL 4
Private report: No CVE-ID: None
 [2007-02-21 14:25 UTC] scottmacvicar at ntlworld dot com
Description:
------------
There appears to be a race condition with the truetype font support of GD. I can see mutexes in the code for the font cache so there must be a code path that's missed.

Backtrace: http://public.vbulletin.com/bugs/php/gd_thread_safety-bt.txt

Reproduce code: http://public.vbulletin.com/bugs/php/gd_thread_safety.phps
http://public.vbulletin.com/bugs/php/HECK.TTF

Command: ab -c 30 -n 10000 http://localhost/~scott/gd_thread_safety.php

Using Apache 2 with the Worker MPM.

Only patch applied to the build is a thread safety patch for zend_strtod.c


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2007-02-21 14:40 UTC] scottmacvicar at ntlworld dot com
Should probably class this as a crash.
 [2007-02-21 15:00 UTC] tony2001@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

And again - very nice reproduce case & report, thanks.
 [2007-02-21 15:42 UTC] pajoye@php.net
I reported the issue in GD too:

http://bugs.libgd.org/?do=details&task_id=48

Will be fixed in 2.0.35.

Thanks for your patch and nice reproduce case!
 [2007-02-21 18:24 UTC] scottmacvicar at ntlworld dot com
Any chance of having this backported to the PHP_4_4 branch? It's a fairly minor patch to apply.
 [2007-02-21 18:41 UTC] tony2001@php.net
Also backported to 4_4.
 [2007-02-22 00:39 UTC] scottmacvicar at ntlworld dot com
Has this potentially caused a regression?

I applied the patch that was checked in CVS this afternoon 
and  recompiled PHP.

Had another segfault in GD, here is the backtrace. 
Unfortunately it wasn't a debug build.

Thread 13 (process 27300):
#0  0x009457a2 in _dl_sysinfo_int80 () from /lib/ld-
linux.so.2
No symbol table info available.
#1  0x00985c46 in kill () from /lib/tls/libc.so.6
No symbol table info available.
#2  0x0807e646 in sig_coredump (sig=11) at mpm_common.c:1170
No locals.
#3  <signal handler called>
No symbol table info available.
#4  0x009bf652 in malloc_consolidate () from /lib/tls/
libc.so.6
No symbol table info available.
#5  0x009bfd30 in _int_free () from /lib/tls/libc.so.6
No symbol table info available.
#6  0x009c033a in free () from /lib/tls/libc.so.6
---Type <return> to continue, or q <return> to quit---
No symbol table info available.
#7  0x003d5b8a in ?? () from /usr/lib/libfreetype.so.6
No symbol table info available.
#8  0x9e418dc0 in ?? ()
No symbol table info available.
#9  0x00431b2c in ?? () from /usr/lib/libfreetype.so.6
No symbol table info available.
#10 0xa6629868 in ?? ()
No symbol table info available.
#11 0x003d5fc0 in FT_Free () from /usr/lib/libfreetype.so.6
No symbol table info available.
#12 0x003d5fc0 in FT_Free () from /usr/lib/libfreetype.so.6
No symbol table info available.
#13 0x003d88e9 in FT_GlyphLoader_Reset () from /usr/lib/
libfreetype.so.6
No symbol table info available.
#14 0x003d8948 in FT_GlyphLoader_Done () from /usr/lib/
libfreetype.so.6
No symbol table info available.
#15 0x003dc1de in FT_Remove_Module () from /usr/lib/
libfreetype.so.6
No symbol table info available.
#16 0x003dc72b in FT_Done_Library () from /usr/lib/
libfreetype.so.6
No symbol table info available.
#17 0x003d5ee0 in FT_Done_FreeType () from /usr/lib/
libfreetype.so.6
No symbol table info available.
---Type <return> to continue, or q <return> to quit---
#18 0x00fa4518 in php_gd_gdFontCacheShutdown ()
    at /www/src/php-5.2.1/ext/gd/libgd/gdft.c:724
No locals.
#19 0x00f8c7eb in zm_deactivate_gd (type=1, 
module_number=26, 
    tsrm_ls=0x94aea70) at /www/src/php-5.2.1/ext/gd/gd.c:
1303
No locals.
#20 0x0113434a in module_registry_cleanup (module=0x8b5d1b0, 
tsrm_ls=0x94aea70)
    at /www/src/php-5.2.1/Zend/zend_API.c:1945
No locals.
#21 0x0113986c in zend_hash_apply (ht=0x14274e0, 
    apply_func=0x1134328 <module_registry_cleanup>, 
tsrm_ls=0x94aea70)
    at /www/src/php-5.2.1/Zend/zend_hash.c:673
        result = 0
        p = (Bucket *) 0x8b5d180
#22 0x0112fb33 in zend_deactivate_modules 
(tsrm_ls=0x94aea70)
    at /www/src/php-5.2.1/Zend/zend.c:839
        __orig_bailout = (jmp_buf *) 0x0
        __bailout = {{__jmpbuf = {144334232, 144334256, 
19764252, -1503487368, 
      -1503487568, 18021115}, __mask_was_saved = 0, 
__saved_mask = {__val = {
        149310844, 10232833, 4294967294, 4294967295, 
149310844, 165552858, 0, 
        0, 165552848, 165159443, 0, 0, 149809548, 0, 
11036764, 24, 56, 88, 0, 
        11, 11536181, 144334232, 0, 2791479928, 17752220, 3, 
165552848, 
        135009633, 2, 0, 165552808, 165552848}}}}
---Type <return> to continue, or q <return> to quit---
#23 0x010f19c5 in php_request_shutdown (dummy=0x0)
    at /www/src/php-5.2.1/main/main.c:1293
        __orig_bailout = Variable "__orig_bailout" is not 
available.

I can try a debug build but the segfaults are occuring less 
frequently now.
 [2007-02-22 00:57 UTC] pajoye@php.net
It looks like something else.

Can you try:

http://pecl.php.net/~pierre/40568.txt


 [2007-02-22 01:48 UTC] scottmacvicar at ntlworld dot com
Applied now to one of our production boxes, When I'm back in 
the office tomorrow I'll see if I can spend a little time 
working out a test case to reproduce it.
 [2007-02-23 00:52 UTC] scottmacvicar at ntlworld dot com
Been going for almost 24 hours now without any more crashes, 
the patch makes sense though. Since there was another race 
condition on shutdown if one thread is accessing the cache 
while another is trying to delete it.
 [2007-02-23 01:04 UTC] pajoye@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

Fixed in 5.2 and HEAD.

Thanks for the tests
 [2007-02-23 01:12 UTC] scottmacvicar at ntlworld dot com
Antony backported the initial fix to PHP_4_4, can this be 
backported too please.
 [2007-02-23 08:18 UTC] derick@php.net
Yes, sure.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Dec 30 14:01:28 2024 UTC