php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #76045 Performance problem when rotating image with large degrees value
Submitted: 2018-03-02 17:40 UTC Modified: 2019-04-15 16:24 UTC
From: lee at lboynton dot com Assigned: danack (profile)
Status: Closed Package: imagick (PECL)
PHP Version: 7.2.3 OS: Ubuntu 16.04
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: lee at lboynton dot com
New email:
PHP Version: OS:

 

 [2018-03-02 17:40 UTC] lee at lboynton dot com 
Description:
------------
Large rotate values passed to Imagick's rotateImage() method cause the PHP process to run indefinitely (at least on CLI) and cause high CPU usage.

Flagged as potential security issue since it could be used for denial of service? The rotation degrees value could quite easily be user input. However PHP's maximum execution limit is hit when I try this via apache so perhaps not a DoS?

Imagick details:

imagick module version => 3.4.3
imagick classes => Imagick, ImagickDraw, ImagickPixel, ImagickPixelIterator, ImagickKernel
imagick.locale_fix => 0 => 0
imagick.progress_monitor => 0 => 0
imagick.skip_version_check => 0 => 0

Test script:
---------------
<?php

$base64 = "iVBORw0KGgoAAAANSUhEUgAAAM0AAAD
NCAMAAAAsYgRbAAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5c
cllPAAAABJQTFRF3NSmzMewPxIG//ncJEJsldTou1jHgAAAARBJREFUeNrs2EEK
gCAQBVDLuv+V20dENbMY831wKz4Y/VHb/5RGQ0NDQ0NDQ0NDQ0NDQ0NDQ
0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0PzMWtyaGhoaGhoaGhoaGhoaGhoxtb0QGho
aGhoaGhoaGhoaGhoaMbRLEvv50VTQ9OTQ5OpyZ01GpM2g0bfmDQaL7S+ofFC6x
v3ZpxJiywakzbvd9r3RWPS9I2+MWk0+kbf0Hih9Y17U0nTHibrDDQ0NDQ0NDQ0
NDQ0NDQ0NTXbRSL/AK72o6GhoaGhoRlL8951vwsNDQ0NDQ1NDc0WyHtDTEhD
Q0NDQ0NTS5MdGhoaGhoaGhoaGhoaGhoaGhoaGhoaGposzSHAAErMwwQ2HwRQ
AAAAAElFTkSuQmCC";

$imageBlob = base64_decode($base64);

$imagick = new Imagick();
$imagick->readImageBlob($imageBlob);
$imagick->rotateImage('#000000', 9999999999);

Expected result:
----------------
I would either expect the rotation to happen after a certain amount of time, or for an error/warning to be thrown straight away if the rotation value is too high.

Actual result:
--------------
On the CLI, after calling rotateImage() the process continues indefinitely. When executed via Apache, the maximum execution time of 30 seconds is reached.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-03-02 22:03 UTC] stas@php.net
-Type: Security +Type: Bug
 [2018-03-02 22:03 UTC] stas@php.net 
Not a security issue. If you perform an expensive computational operation, it may take a long time. If you allow the users to control how the operation is performed, you should put limits on what you allow the users to do. PHP engine can not assume how long each operation takes and what is allowable in your scenario.
 [2018-03-05 09:36 UTC] lee at lboynton dot com 
OK, fair enough. There is something odd though, the processing time doesn't seem to correlate to the rotation value you supply. This completes in about 100ms for me: 

$imagick->rotateImage('#000000', 2147483776);

Increasing the rotation by 1 degree to:

$imagick->rotateImage('#000000', 2147483777);

Causes the PHP process to hang. I've tried on PHP 5.6 and 7.2 in a docker container and get the same result.
 [2018-11-29 03:18 UTC] danack@php.net
-Status: Open +Status: Feedback
 [2018-11-29 03:18 UTC] danack@php.net 
Apologies for the slow response, but please can you provide a working docker container that shows this problem.

You're not the only person to report a slowness on effectively rotation, e.g. https://github.com/mkoppanen/imagick/pull/232

however.......I have a strong suspicion this is going to be something peculiar to the maths library on the system, rather than an issue with Imagick or ImageMagick.
 [2018-12-09 04:22 UTC] pecl-dev at lists dot php dot net 
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 [2018-12-09 14:17 UTC] danack@php.net
-Status: No Feedback +Status: Open
 [2018-12-09 14:17 UTC] danack@php.net 
Lee provided some feedback elsewhere:

Dockerfile
FROM php:7.2.12
RUN apt update && apt install -y libmagickwand-dev --no-install-recommends && rm -rf /var/lib/apt/lists/*
RUN pecl install imagick && docker-php-ext-enable imagick

Instructions:
Create a directory
Save Dockerfile
Save test.php
Build docker file docker build . -t php-imagick
Run script: docker run -v $PWD/test.php:/test.php php-imagick php /test.php
This will hang indefinitely and use a lot of CPU, at least for me
Running docker run -v $PWD/test.php:/test.php php-imagick php /test.php 5 returns immediately.


test.php
<?php
$rotate = (int) $argv[1] ?? 9999999999;
echo sprintf('Rotating by %d%s', $rotate, PHP_EOL);
$base64 = "iVBORw0KGgoAAAANSUhEUgAAAM0AAAD
NCAMAAAAsYgRbAAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5c
cllPAAAABJQTFRF3NSmzMewPxIG//ncJEJsldTou1jHgAAAARBJREFUeNrs2EEK
gCAQBVDLuv+V20dENbMY831wKz4Y/VHb/5RGQ0NDQ0NDQ0NDQ0NDQ0NDQ
0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0PzMWtyaGhoaGhoaGhoaGhoaGhoxtb0QGho
aGhoaGhoaGhoaGhoaMbRLEvv50VTQ9OTQ5OpyZ01GpM2g0bfmDQaL7S+ofFC6x
v3ZpxJiywakzbvd9r3RWPS9I2+MWk0+kbf0Hih9Y17U0nTHibrDDQ0NDQ0NDQ0
NDQ0NDQ0NTXbRSL/AK72o6GhoaGhoRlL8951vwsNDQ0NDQ1NDc0WyHtDTEhD
Q0NDQ0NTS5MdGhoaGhoaGhoaGhoaGhoaGhoaGhoaGposzSHAAErMwwQ2HwRQ
AAAAAElFTkSuQmCC";
$imageBlob = base64_decode($base64);
$imagick = new Imagick();
$imagick->readImageBlob($imageBlob);
$imagick->rotateImage('#000000', $rotate);
 [2018-12-09 14:35 UTC] danack@php.net 
I can reproduce what you are seeing on the docker image. 

I extracted all of the maths that appears relevant in the ImageMagick extension relating to rotation, but it doesn't show the same issue. It also doesn't look like the code should be possible to hang - which implies something weird is happening.

I think the next step in debugging this would be one of two things:

i) Install gdb or strace in the docker image, and run the php scrip through that, and see if it is hanging on a system call, or find where it is hanging.

ii) Recompile ImageMagick with "printf debugging" (i.e. a whole load of printf("Got here: 1\n")); and find what step it is failing at.


Run example below with:
# gcc -lm math_test.c -o main
# ./main


math_test.c

#include <stdio.h>
#include <math.h>

#define MagickPI  3.14159265358979323846264338327950288419716939937510

static inline double DegreesToRadians(const double degrees)
{
  return((double) (MagickPI*degrees/180.0));
}

void letsRotate(const double degrees)
{
    double angle;
    size_t rotations;

    angle=fmod(degrees,360.0);
    while (angle < -45.0) {
        angle+=360.0;
    }

    for (rotations=0; angle > 45.0; rotations++) {
        angle-=90.0;
    }

    float shear_x = (-tan((double) DegreesToRadians(angle)/2.0));
    float shear_y = sin((double) DegreesToRadians(angle));

    printf("angle = %f, rotations = %d \n", angle, rotations);
    printf("shear_x = %f, shear_y = %f \n", shear_x, shear_y);

    double coeff[20];
    double cosine, sine, x,y,sx,sy,a,nx,ny;

    a = DegreesToRadians(a);
    cosine=cos(a);
    sine=sin(a);

    nx = 20;
    ny = 20;

    sx = sy = 1.0;

    coeff[0]=cosine/sx;
    coeff[1]=sine/sx;
    coeff[2]=x-nx*coeff[0]-ny*coeff[1];
    coeff[3]=(-sine)/sy;
    coeff[4]=cosine/sy;
    coeff[5]=y-nx*coeff[3]-ny*coeff[4];

    for(int i=0; i<6; i++) {
        printf("Coeff %d = %f\n", i, coeff[i]);
    }
}


int main () {
   double large = 99999999999999999999.0;

   letsRotate(large);

   return(0);
}
 [2018-12-09 14:59 UTC] danack@php.net 
btw

The last number that works is 2147483776 aka 0x80000080
The first number that doesn't work and hangs is 2147483777 aka 0x80000081

Those are numbers seem quite suspicious.
 [2018-12-09 20:00 UTC] lee at lboynton dot com 
gdb output:

#0  0x00007fffeb7ec500 in RotateImage () from /usr/lib/x86_64-linux-gnu/libMagickCore-6.Q16.so.3
#1  0x00007fffebc8a0ac in MagickRotateImage () from /usr/lib/x86_64-linux-gnu/libMagickWand-6.Q16.so.3
#2  0x00007fffebf438cb in zim_imagick_rotateimage () from /usr/lib/php/20170718/imagick.so
#3  0x00007ffff2a7bcf5 in xdebug_execute_internal (current_execute_data=0x7ffff321c160, return_value=0x7fffffffa4b0) at ./build-7.2/xdebug.c:2021
#4  0x000055555583a5b4 in ?? ()
#5  0x000055555589f11a in execute_ex ()
#6  0x00007ffff2a7aefe in xdebug_execute_ex (execute_data=0x7ffff321c030) at ./build-7.2/xdebug.c:1912
#7  0x00005555558a75a7 in zend_execute ()
#8  0x00005555557f6192 in zend_execute_scripts ()
#9  0x0000555555792080 in php_execute_script ()
#10 0x00005555558a99bc in ?? ()
#11 0x000055555564057b in ?? ()
#12 0x00007ffff5ebcb97 in __libc_start_main (main=0x555555640160, argc=2, argv=0x7fffffffdfc8, init=<optimised out>, fini=<optimised out>, rtld_fini=<optimised out>, stack_end=0x7fffffffdfb8)
    at ../csu/libc-start.c:310
#13 0x000055555564071a in _start ()
 [2018-12-10 02:37 UTC] danack@php.net 
This is looking quite like a compiler error.

The function where it is getting stuck in is here: https://github.com/ImageMagick/ImageMagick6/blob/8ed8ee76dd5fcfc3d182cf00c5696508425176b4/magick/distort.c#L2890-L2894

The only way* it could get stuck is if the combination of fmod and the loop that is trying to normalise the angle just aren't compiled correctly.

Can you dump a dissassembly of the RotateImage function, so I can peer at the machine codes? This should be possible with GDB with running something like:

disas 0x00007fffeb7ec500 0x00007fffeb7ec800

Or possibly moving back 0x100 bytes to get the start of the function.

disas 0x00007fffeb7ec400 0x00007fffeb7ec800 

Once you have that, you could also step through the code and make a note of which addresses the code is looping through please. My guess is it will almost certainly be repeating the same 3-5 instructions over and over again. If that's the case, if you mark which instructions are being repeated it would make interpreting the runes be easier.





*famous. last. words.
 [2018-12-10 02:52 UTC] danack@php.net 
Oh, a dump of the registers would also be useful.
 [2018-12-30 13:06 UTC] lee at lboynton dot com 
I think this is what you asked for, hopefully you are better at interpreting the runes than I!

Dump of assembler code for function RotateImage:
   0x00007fffeb7ec460 <+0>:	push   %r12
   0x00007fffeb7ec462 <+2>:	push   %rbp
   0x00007fffeb7ec463 <+3>:	push   %rbx
   0x00007fffeb7ec464 <+4>:	sub    $0x20,%rsp
   0x00007fffeb7ec468 <+8>:	test   %rdi,%rdi
   0x00007fffeb7ec46b <+11>:	movsd  %xmm0,0x18(%rsp)
   0x00007fffeb7ec471 <+17>:	je     0x7fffeb7ec692 <RotateImage+562>
   0x00007fffeb7ec477 <+23>:	mov    $0xabacadab,%eax
   0x00007fffeb7ec47c <+28>:	cmp    %rax,0x3318(%rdi)
   0x00007fffeb7ec483 <+35>:	mov    %rdi,%rbp
   0x00007fffeb7ec486 <+38>:	jne    0x7fffeb7ec673 <RotateImage+531>
   0x00007fffeb7ec48c <+44>:	mov    0x32b0(%rdi),%eax
   0x00007fffeb7ec492 <+50>:	mov    %rsi,%r12
   0x00007fffeb7ec495 <+53>:	test   %eax,%eax
   0x00007fffeb7ec497 <+55>:	jne    0x7fffeb7ec5f0 <RotateImage+400>
   0x00007fffeb7ec49d <+61>:	test   %r12,%r12
   0x00007fffeb7ec4a0 <+64>:	je     0x7fffeb7ec654 <RotateImage+500>
   0x00007fffeb7ec4a6 <+70>:	mov    $0xabacadab,%eax
   0x00007fffeb7ec4ab <+75>:	cmp    %rax,0x30(%r12)
   0x00007fffeb7ec4b0 <+80>:	jne    0x7fffeb7ec6b1 <RotateImage+593>
   0x00007fffeb7ec4b6 <+86>:	pxor   %xmm0,%xmm0
   0x00007fffeb7ec4ba <+90>:	movss  0x15299a(%rip),%xmm1        # 0x7fffeb93ee5c
   0x00007fffeb7ec4c2 <+98>:	movss  0x152996(%rip),%xmm2        # 0x7fffeb93ee60
   0x00007fffeb7ec4ca <+106>:	cvtsd2ss 0x18(%rsp),%xmm0
   0x00007fffeb7ec4d0 <+112>:	ucomiss %xmm0,%xmm1
   0x00007fffeb7ec4d3 <+115>:	jbe    0x7fffeb7ec4e1 <RotateImage+129>
   0x00007fffeb7ec4d5 <+117>:	nopl   (%rax)
   0x00007fffeb7ec4d8 <+120>:	addss  %xmm2,%xmm0
   0x00007fffeb7ec4dc <+124>:	ucomiss %xmm0,%xmm1
   0x00007fffeb7ec4df <+127>:	ja     0x7fffeb7ec4d8 <RotateImage+120>
   0x00007fffeb7ec4e1 <+129>:	xor    %esi,%esi
   0x00007fffeb7ec4e3 <+131>:	movss  0x15297d(%rip),%xmm1        # 0x7fffeb93ee68
   0x00007fffeb7ec4eb <+139>:	ucomiss 0x152972(%rip),%xmm0        # 0x7fffeb93ee64
   0x00007fffeb7ec4f2 <+146>:	jbe    0x7fffeb7ec648 <RotateImage+488>
   0x00007fffeb7ec4f8 <+152>:	nopl   0x0(%rax,%rax,1)
   0x00007fffeb7ec500 <+160>:	subss  %xmm1,%xmm0
   0x00007fffeb7ec504 <+164>:	add    $0x1,%rsi
   0x00007fffeb7ec508 <+168>:	ucomiss 0x152955(%rip),%xmm0        # 0x7fffeb93ee64
=> 0x00007fffeb7ec50f <+175>:	ja     0x7fffeb7ec500 <RotateImage+160>
   0x00007fffeb7ec511 <+177>:	mov    %rsi,%rbx
   0x00007fffeb7ec514 <+180>:	and    $0x3,%ebx
   0x00007fffeb7ec517 <+183>:	pxor   %xmm1,%xmm1
   0x00007fffeb7ec51b <+187>:	cvtss2sd %xmm0,%xmm1
   0x00007fffeb7ec51f <+191>:	mulsd  0x144741(%rip),%xmm1        # 0x7fffeb930c68
   0x00007fffeb7ec527 <+199>:	divsd  0x144741(%rip),%xmm1        # 0x7fffeb930c70
   0x00007fffeb7ec52f <+207>:	movapd %xmm1,%xmm0
   0x00007fffeb7ec533 <+211>:	movsd  %xmm1,0x10(%rsp)
   0x00007fffeb7ec539 <+217>:	mulsd  0x13caa7(%rip),%xmm0        # 0x7fffeb928fe8
   0x00007fffeb7ec541 <+225>:	callq  0x7fffeb766ae0 <tan@plt>
   0x00007fffeb7ec546 <+230>:	movsd  0x10(%rsp),%xmm1
   0x00007fffeb7ec54c <+236>:	movsd  %xmm0,0x8(%rsp)
   0x00007fffeb7ec552 <+242>:	movapd %xmm1,%xmm0
   0x00007fffeb7ec556 <+246>:	callq  0x7fffeb768160 <sin@plt>
   0x00007fffeb7ec55b <+251>:	movq   0x13caed(%rip),%xmm3        # 0x7fffeb929050
   0x00007fffeb7ec563 <+259>:	movsd  0x8(%rsp),%xmm2
   0x00007fffeb7ec569 <+265>:	movsd  0x13c36f(%rip),%xmm1        # 0x7fffeb9288e0
   0x00007fffeb7ec571 <+273>:	andpd  %xmm3,%xmm2
   0x00007fffeb7ec575 <+277>:	ucomisd %xmm2,%xmm1
   0x00007fffeb7ec579 <+281>:	jbe    0x7fffeb7ec589 <RotateImage+297>
   0x00007fffeb7ec57b <+283>:	andpd  %xmm3,%xmm0
   0x00007fffeb7ec57f <+287>:	ucomisd %xmm0,%xmm1
   0x00007fffeb7ec583 <+291>:	ja     0x7fffeb7ec628 <RotateImage+456>
   0x00007fffeb7ec589 <+297>:	xor    %edx,%edx
   0x00007fffeb7ec58b <+299>:	xor    %esi,%esi
   0x00007fffeb7ec58d <+301>:	mov    %r12,%r8
   0x00007fffeb7ec590 <+304>:	mov    $0x1,%ecx
   0x00007fffeb7ec595 <+309>:	mov    %rbp,%rdi
   0x00007fffeb7ec598 <+312>:	callq  0x7fffeb84c740 <CloneImage>
   0x00007fffeb7ec59d <+317>:	test   %rax,%rax
   0x00007fffeb7ec5a0 <+320>:	mov    %rax,%rbx
   0x00007fffeb7ec5a3 <+323>:	je     0x7fffeb7ec650 <RotateImage+496>
   0x00007fffeb7ec5a9 <+329>:	mov    $0x1,%esi
   0x00007fffeb7ec5ae <+334>:	mov    %rax,%rdi
   0x00007fffeb7ec5b1 <+337>:	callq  0x7fffeb84e300 <SetImageVirtualPixelMethod>
   0x00007fffeb7ec5b6 <+342>:	lea    0x18(%rsp),%rcx
   0x00007fffeb7ec5bb <+347>:	mov    %rbx,%rdi
   0x00007fffeb7ec5be <+350>:	mov    %r12,%r9
   0x00007fffeb7ec5c1 <+353>:	mov    $0x1,%r8d
   0x00007fffeb7ec5c7 <+359>:	mov    $0x1,%edx
   0x00007fffeb7ec5cc <+364>:	mov    $0x3,%esi
   0x00007fffeb7ec5d1 <+369>:	callq  0x7fffeb7e91b0 <DistortImage>
   0x00007fffeb7ec5d6 <+374>:	mov    %rbx,%rdi
   0x00007fffeb7ec5d9 <+377>:	mov    %rax,%rbp
   0x00007fffeb7ec5dc <+380>:	callq  0x7fffeb84a730 <DestroyImage>
   0x00007fffeb7ec5e1 <+385>:	add    $0x20,%rsp
   0x00007fffeb7ec5e5 <+389>:	mov    %rbp,%rax
   0x00007fffeb7ec5e8 <+392>:	pop    %rbx
   0x00007fffeb7ec5e9 <+393>:	pop    %rbp
   0x00007fffeb7ec5ea <+394>:	pop    %r12
   0x00007fffeb7ec5ec <+396>:	retq   
   0x00007fffeb7ec5ed <+397>:	nopl   (%rax)
   0x00007fffeb7ec5f0 <+400>:	lea    0x268(%rdi),%r9
   0x00007fffeb7ec5f7 <+407>:	lea    0x159b6b(%rip),%r8        # 0x7fffeb946169
   0x00007fffeb7ec5fe <+414>:	lea    0x152b63(%rip),%rdx        # 0x7fffeb93f168
   0x00007fffeb7ec605 <+421>:	lea    0x152cd1(%rip),%rsi        # 0x7fffeb93f2dd
   0x00007fffeb7ec60c <+428>:	mov    $0xb12,%ecx
   0x00007fffeb7ec611 <+433>:	mov    $0x1,%edi
   0x00007fffeb7ec616 <+438>:	xor    %eax,%eax
   0x00007fffeb7ec618 <+440>:	callq  0x7fffeb85c370 <LogMagickEvent>
   0x00007fffeb7ec61d <+445>:	jmpq   0x7fffeb7ec49d <RotateImage+61>
   0x00007fffeb7ec622 <+450>:	nopw   0x0(%rax,%rax,1)
   0x00007fffeb7ec628 <+456>:	mov    %r12,%rdx
   0x00007fffeb7ec62b <+459>:	mov    %rbx,%rsi
   0x00007fffeb7ec62e <+462>:	mov    %rbp,%rdi
   0x00007fffeb7ec631 <+465>:	callq  0x7fffeb8cfd00 <IntegralRotateImage>
   0x00007fffeb7ec636 <+470>:	add    $0x20,%rsp
   0x00007fffeb7ec63a <+474>:	mov    %rax,%rbp
   0x00007fffeb7ec63d <+477>:	mov    %rbp,%rax
   0x00007fffeb7ec640 <+480>:	pop    %rbx
   0x00007fffeb7ec641 <+481>:	pop    %rbp
   0x00007fffeb7ec642 <+482>:	pop    %r12
   0x00007fffeb7ec644 <+484>:	retq   
   0x00007fffeb7ec645 <+485>:	nopl   (%rax)
   0x00007fffeb7ec648 <+488>:	xor    %ebx,%ebx
   0x00007fffeb7ec64a <+490>:	jmpq   0x7fffeb7ec517 <RotateImage+183>
   0x00007fffeb7ec64f <+495>:	nop
   0x00007fffeb7ec650 <+496>:	xor    %ebp,%ebp
   0x00007fffeb7ec652 <+498>:	jmp    0x7fffeb7ec5e1 <RotateImage+385>
   0x00007fffeb7ec654 <+500>:	lea    0x152b1d(%rip),%rcx        # 0x7fffeb93f178
   0x00007fffeb7ec65b <+507>:	lea    0x152c7b(%rip),%rsi        # 0x7fffeb93f2dd
   0x00007fffeb7ec662 <+514>:	lea    0x13d21f(%rip),%rdi        # 0x7fffeb929888
   0x00007fffeb7ec669 <+521>:	mov    $0xb13,%edx
   0x00007fffeb7ec66e <+526>:	callq  0x7fffeb766c10 <__assert_fail@plt>
   0x00007fffeb7ec673 <+531>:	lea    0x152afe(%rip),%rcx        # 0x7fffeb93f178
   0x00007fffeb7ec67a <+538>:	lea    0x152c5c(%rip),%rsi        # 0x7fffeb93f2dd
   0x00007fffeb7ec681 <+545>:	lea    0x13c658(%rip),%rdi        # 0x7fffeb928ce0
   0x00007fffeb7ec688 <+552>:	mov    $0xb10,%edx
   0x00007fffeb7ec68d <+557>:	callq  0x7fffeb766c10 <__assert_fail@plt>
   0x00007fffeb7ec692 <+562>:	lea    0x152adf(%rip),%rcx        # 0x7fffeb93f178
   0x00007fffeb7ec699 <+569>:	lea    0x152c3d(%rip),%rsi        # 0x7fffeb93f2dd
   0x00007fffeb7ec6a0 <+576>:	lea    0x15a694(%rip),%rdi        # 0x7fffeb946d3b
   0x00007fffeb7ec6a7 <+583>:	mov    $0xb0f,%edx
   0x00007fffeb7ec6ac <+588>:	callq  0x7fffeb766c10 <__assert_fail@plt>
   0x00007fffeb7ec6b1 <+593>:	lea    0x152ac0(%rip),%rcx        # 0x7fffeb93f178
   0x00007fffeb7ec6b8 <+600>:	lea    0x152c1e(%rip),%rsi        # 0x7fffeb93f2dd
   0x00007fffeb7ec6bf <+607>:	lea    0x13de4a(%rip),%rdi        # 0x7fffeb92a510
   0x00007fffeb7ec6c6 <+614>:	mov    $0xb14,%edx
   0x00007fffeb7ec6cb <+619>:	callq  0x7fffeb766c10 <__assert_fail@plt>
End of assembler dump.
rax            0xabacadab	2880220587
rbx            0x555555e3ec50	93825001581648
rcx            0x0	0
rdx            0x0	0
rsi            0x4abcc681c	20062169116
rdi            0x555555e58af0	93825001687792
rbp            0x555555e58af0	0x555555e58af0
rsp            0x7fffffffa380	0x7fffffffa380
r8             0x0	0
r9             0x7ffff2f3b82c	140737269446700
r10            0x1d	29
r11            0x7fffeb7ec460	140737144341600
r12            0x555555e1f250	93825001452112
r13            0x7ffff321c160	140737272463712
r14            0x0	0
r15            0x7ffff2cac080	140737266761856
rip            0x7fffeb7ec50f	0x7fffeb7ec50f <RotateImage+175>
eflags         0x202	[ IF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0
 [2018-12-30 14:06 UTC] lee at lboynton dot com 
I have a feeling this may have been fixed by this change in imagemagick: https://github.com/ImageMagick/ImageMagick6/commit/bdeab077d8f21d5e5c9cd810fd77d2b65e915fcc#diff-4a82f40d15019f039fa0c806c77caf8e

The version I'm using is ImageMagick 6.9.7-4, and I can't reproduce it in later versions of ImageMagick.
 [2019-03-27 20:31 UTC] danack@php.net 
Sorry only just saw this.

Unfortunately the registers list didn't include the floating point ones which apparently are dumped with `info all-registers`

The values of the %xmm0,%xmm1, and %xmm2 registers are the one's of interest.
 [2019-04-15 16:24 UTC] danack@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: danack
 [2019-04-15 16:24 UTC] danack@php.net 
I'm going to close this as it was fixed upstream, and there is nothing left to do in Imagick itself.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Fri Nov 07 18:00:01 2025 UTC