| Bug #40578 | Thread safety issue with imagettftext | | |
|---|---|---|---|
| Submitted: | 21 Feb 2007 2:25pm UTC | Modified: | 23 Feb 2007 8:18am UTC |
| From: | scottmacvicar at ntlworld dot com | Assigned to: | pajoye |
| Status: | Closed | Category: | GD related |
| Version: | 5.2.1 | OS: | RHEL 4 |
[21 Feb 2007 2:25pm UTC] scottmacvicar at ntlworld dot com
[21 Feb 2007 2:40pm UTC] scottmacvicar at ntlworld dot com
Should probably class this as a crash.
[21 Feb 2007 3:00pm UTC] tony2001@php.net
This bug has been fixed in CVS. Snapshots of the sources are packaged every three hours; this change will be in the next snapshot. You can grab the snapshot at http://snaps.php.net/. Thank you for the report, and for helping us make PHP better. And again - very nice reproduce case & report, thanks.
[21 Feb 2007 3:42pm UTC] pajoye@php.net
I reported the issue in GD too: http://bugs.libgd.org/?do=details&task_id=48

Will be fixed in 2.0.35. Thanks for your patch and nice reproduce case!
[21 Feb 2007 6:24pm UTC] scottmacvicar at ntlworld dot com
Any chance of having this backported to the PHP_4_4 branch? It's a fairly minor patch to apply.
[21 Feb 2007 6:41pm UTC] tony2001@php.net
Also backported to 4_4.
[22 Feb 2007 12:39am UTC] scottmacvicar at ntlworld dot com
Has this potentially caused a regression?
I applied the patch that was checked in CVS this afternoon
and recompiled PHP.
Had another segfault in GD, here is the backtrace.
Unfortunately it wasn't a debug build.
Thread 13 (process 27300):
#0 0x009457a2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
No symbol table info available.
#1 0x00985c46 in kill () from /lib/tls/libc.so.6
No symbol table info available.
#2 0x0807e646 in sig_coredump (sig=11) at mpm_common.c:1170
No locals.
#3 <signal handler called>
No symbol table info available.
#4 0x009bf652 in malloc_consolidate () from /lib/tls/libc.so.6
No symbol table info available.
#5 0x009bfd30 in _int_free () from /lib/tls/libc.so.6
No symbol table info available.
#6 0x009c033a in free () from /lib/tls/libc.so.6
---Type <return> to continue, or q <return> to quit---
No symbol table info available.
#7 0x003d5b8a in ?? () from /usr/lib/libfreetype.so.6
No symbol table info available.
#8 0x9e418dc0 in ?? ()
No symbol table info available.
#9 0x00431b2c in ?? () from /usr/lib/libfreetype.so.6
No symbol table info available.
#10 0xa6629868 in ?? ()
No symbol table info available.
#11 0x003d5fc0 in FT_Free () from /usr/lib/libfreetype.so.6
No symbol table info available.
#12 0x003d5fc0 in FT_Free () from /usr/lib/libfreetype.so.6
No symbol table info available.
#13 0x003d88e9 in FT_GlyphLoader_Reset () from /usr/lib/libfreetype.so.6
No symbol table info available.
#14 0x003d8948 in FT_GlyphLoader_Done () from /usr/lib/libfreetype.so.6
No symbol table info available.
#15 0x003dc1de in FT_Remove_Module () from /usr/lib/libfreetype.so.6
No symbol table info available.
#16 0x003dc72b in FT_Done_Library () from /usr/lib/libfreetype.so.6
No symbol table info available.
#17 0x003d5ee0 in FT_Done_FreeType () from /usr/lib/libfreetype.so.6
No symbol table info available.
---Type <return> to continue, or q <return> to quit---
#18 0x00fa4518 in php_gd_gdFontCacheShutdown ()
at /www/src/php-5.2.1/ext/gd/libgd/gdft.c:724
No locals.
#19 0x00f8c7eb in zm_deactivate_gd (type=1, module_number=26, tsrm_ls=0x94aea70) at /www/src/php-5.2.1/ext/gd/gd.c:1303
No locals.
#20 0x0113434a in module_registry_cleanup (module=0x8b5d1b0, tsrm_ls=0x94aea70)
at /www/src/php-5.2.1/Zend/zend_API.c:1945
No locals.
#21 0x0113986c in zend_hash_apply (ht=0x14274e0, apply_func=0x1134328 <module_registry_cleanup>, tsrm_ls=0x94aea70)
at /www/src/php-5.2.1/Zend/zend_hash.c:673
result = 0
p = (Bucket *) 0x8b5d180
#22 0x0112fb33 in zend_deactivate_modules (tsrm_ls=0x94aea70)
at /www/src/php-5.2.1/Zend/zend.c:839
__orig_bailout = (jmp_buf *) 0x0
__bailout = {{__jmpbuf = {144334232, 144334256,
19764252, -1503487368,
-1503487568, 18021115}, __mask_was_saved = 0,
__saved_mask = {__val = {
149310844, 10232833, 4294967294, 4294967295,
149310844, 165552858, 0,
0, 165552848, 165159443, 0, 0, 149809548, 0,
11036764, 24, 56, 88, 0,
11, 11536181, 144334232, 0, 2791479928, 17752220, 3,
165552848,
135009633, 2, 0, 165552808, 165552848}}}}
---Type <return> to continue, or q <return> to quit---
#23 0x010f19c5 in php_request_shutdown (dummy=0x0)
at /www/src/php-5.2.1/main/main.c:1293
__orig_bailout = Variable "__orig_bailout" is not available.
I can try a debug build but the segfaults are occurring less
frequently now.
[22 Feb 2007 12:57am UTC] pajoye@php.net
It looks like something else. Can you try: http://pecl.php.net/~pierre/40568.txt
[22 Feb 2007 1:48am UTC] scottmacvicar at ntlworld dot com
Applied now to one of our production boxes. When I'm back in the office tomorrow I'll see if I can spend a little time working out a test case to reproduce it.
[23 Feb 2007 12:52am UTC] scottmacvicar at ntlworld dot com
Been going for almost 24 hours now without any more crashes. The patch makes sense though, since there was another race condition on shutdown if one thread is accessing the cache while another is trying to delete it.
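
The class of race described in the comment above, as an added illustration that is not part of this thread and is not the PHP or GD patch: a process-wide cache whose lookup and teardown take the same mutex, so a per-request shutdown cannot free it while another thread is still reading it. All names (`cache_t`, `cache_use`, `cache_shutdown`, `run_requests`, the font name) are hypothetical.

```c
#include <pthread.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical process-wide cache standing in for a shared font cache. */
typedef struct { char name[32]; } cache_t;

static cache_t *g_cache;                        /* shared by every thread */
static pthread_mutex_t g_lock = PTHREAD_MUTEX_INITIALIZER;

/* Create the cache on first use and read from it, all while holding the lock. */
static size_t cache_use(const char *font) {
    size_t n = 0;
    pthread_mutex_lock(&g_lock);
    if (g_cache == NULL && (g_cache = calloc(1, sizeof *g_cache)) != NULL)
        strncpy(g_cache->name, font, sizeof g_cache->name - 1);
    if (g_cache != NULL)
        n = strlen(g_cache->name);              /* read happens under the lock */
    pthread_mutex_unlock(&g_lock);
    return n;
}

/* Tear the cache down. Without the lock, a concurrent cache_use() could read
 * freed memory and two concurrent shutdowns could free the same pointer. */
static void cache_shutdown(void) {
    pthread_mutex_lock(&g_lock);
    free(g_cache);
    g_cache = NULL;                             /* a second shutdown is a no-op */
    pthread_mutex_unlock(&g_lock);
}

/* One simulated request loop: use the cache, then run per-request shutdown. */
static void *request(void *arg) {
    long bad = 0;
    (void)arg;
    for (int i = 0; i < 20000; i++) {
        if (cache_use("constructed.ttf") != 15) bad++;   /* constructed name */
        cache_shutdown();
    }
    return (void *)bad;
}

/* Run up to 16 request threads at once; returns how many lookups saw bad data. */
long run_requests(int nthreads) {
    pthread_t t[16];
    long total = 0;
    void *r;
    if (nthreads > 16) nthreads = 16;
    for (int i = 0; i < nthreads; i++) pthread_create(&t[i], NULL, request, NULL);
    for (int i = 0; i < nthreads; i++) { pthread_join(t[i], &r); total += (long)r; }
    return total;
}
```

Removing the lock calls from `cache_shutdown` reintroduces the failure mode: a free racing with a read or with another free, which typically surfaces as a crash inside the allocator rather than at the faulty call site.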
[23 Feb 2007 1:04am UTC] pajoye@php.net
This bug has been fixed in CVS. Snapshots of the sources are packaged every three hours; this change will be in the next snapshot. You can grab the snapshot at http://snaps.php.net/. Thank you for the report, and for helping us make PHP better. Fixed in 5.2 and HEAD. Thanks for the tests.
[23 Feb 2007 1:12am UTC] scottmacvicar at ntlworld dot com
Antony backported the initial fix to PHP_4_4, can this be backported too please?
[23 Feb 2007 8:18am UTC] derick@php.net
Yes, sure.
