php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #78561 Multithreading causes php to segfault
Submitted: 2019-09-18 16:48 UTC Modified: 2019-09-18 19:35 UTC
From: erik at coretech dot se Assigned:
Status: Closed Package: imagick (PECL)
PHP Version: 7.3.9 OS: CentOS 7
Private report: No CVE-ID: None
 [2019-09-18 16:48 UTC] erik at coretech dot se
Description:
------------
Multithreading in ImageMagick causes php to segfault when it's trying to cleanup.

This can be avoided by setting:
export MAGICK_THREAD_LIMIT=1

But should be set by the php-extension.

Test script:
---------------
$img = new Imagick();
if($img->readImage('testfile.eps') !== TRUE)
        die("Unable to read file");

$blob = $img->getImageBlob();
var_dump(strlen($blob));


Expected result:
----------------
No segmentation fault

Actual result:
--------------
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Detaching after fork from child process 7263.
[New Thread 0x7fffddf41700 (LWP 7264)]
[New Thread 0x7fffdd740700 (LWP 7265)]
[New Thread 0x7fffdcf3f700 (LWP 7266)]
int(449593)

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffdcf3f700 (LWP 7266)]
0x00007fffe1fa2ae1 in ?? () from /lib64/libgomp.so.1

Thread 4 (Thread 0x7fffdcf3f700 (LWP 7266)):
#0  0x00007fffe1fa2ae1 in ?? () from /lib64/libgomp.so.1
No symbol table info available.
#1  0x00007fffe1fa03a0 in ?? () from /lib64/libgomp.so.1
No symbol table info available.
#2  0x00007ffff427fe65 in start_thread () from /lib64/libpthread.so.0
No symbol table info available.
#3  0x00007ffff479588d in clone () from /lib64/libc.so.6
No symbol table info available.

Thread 3 (Thread 0x7fffdd740700 (LWP 7265)):
#0  0x00007fffe1fa2ae1 in ?? () from /lib64/libgomp.so.1
No symbol table info available.
#1  0x00007fffe1fa03a0 in ?? () from /lib64/libgomp.so.1
No symbol table info available.
#2  0x00007ffff427fe65 in start_thread () from /lib64/libpthread.so.0
No symbol table info available.
#3  0x00007ffff479588d in clone () from /lib64/libc.so.6
No symbol table info available.

Thread 2 (Thread 0x7fffddf41700 (LWP 7264)):
#0  0x00007fffe1fa2ae1 in ?? () from /lib64/libgomp.so.1
No symbol table info available.
#1  0x00007fffe1fa03a0 in ?? () from /lib64/libgomp.so.1
No symbol table info available.
#2  0x00007ffff427fe65 in start_thread () from /lib64/libpthread.so.0
No symbol table info available.
#3  0x00007ffff479588d in clone () from /lib64/libc.so.6
No symbol table info available.

Thread 1 (Thread 0x7ffff7fc5880 (LWP 7259)):
#0  0x00007ffff7df4807 in munmap () from /lib64/ld-linux-x86-64.so.2
No symbol table info available.
#1  0x00007ffff7df275d in _dl_unmap () from /lib64/ld-linux-x86-64.so.2
No symbol table info available.
#2  0x00007ffff7df0387 in _dl_close_worker () from /lib64/ld-linux-x86-64.so.2
No symbol table info available.
#3  0x00007ffff7df0d5c in _dl_close () from /lib64/ld-linux-x86-64.so.2
No symbol table info available.
#4  0x00007ffff7dea784 in _dl_catch_error () from /lib64/ld-linux-x86-64.so.2
No symbol table info available.
#5  0x00007ffff64cb4ed in _dlerror_run () from /lib64/libdl.so.2
No symbol table info available.
#6  0x00007ffff64cafcf in dlclose () from /lib64/libdl.so.2
No symbol table info available.
#7  0x00005555557e7544 in module_destructor (module=module@entry=0x555555c65670) at /usr/src/debug/php-7.3.9/Zend/zend_API.c:2598
No locals.
#8  0x00005555557dfabc in module_destructor_zval (zv=<optimized out>) at /usr/src/debug/php-7.3.9/Zend/zend.c:746
        module = 0x555555c65670
#9  0x00005555557f2078 in _zend_hash_del_el_ex (prev=<optimized out>, p=<optimized out>, idx=39, ht=<optimized out>) at /usr/src/debug/php-7.3.9/Zend/zend_hash.c:1182
        tmp = {value = {lval = 93824999642736, dval = 4.6355709044543088e-310, counted = 0x555555c65670, str = 0x555555c65670, arr = 0x555555c65670, obj = 0x555555c65670, res = 0x555555c65670, ref = 0x555555c65670, ast = 0x555555c65670, zv = 0x555555c65670, ptr = 0x555555c65670, ce = 0x555555c65670, func = 0x555555c65670, ww = {w1 = 1439061616, w2 = 21845}}, u1 = {v = {type = 14 '\016', type_flags = 0 '\000', u = {call_info = 0, extra = 0}}, type_info = 14}, u2 = {next = 21845, cache_slot = 21845, opline_num = 21845, lineno = 21845, num_args = 21845, fe_pos = 21845, fe_iter_idx = 21845, access_flags = 21845, property_guard = 21845, constant_flags = 21845, extra = 21845}}
#10 _zend_hash_del_el (p=0x555555be96a0, idx=39, ht=0x555555bd0440 <module_registry>) at /usr/src/debug/php-7.3.9/Zend/zend_hash.c:1205
        prev = <optimized out>
#11 zend_hash_graceful_reverse_destroy (ht=ht@entry=0x555555bd0440 <module_registry>) at /usr/src/debug/php-7.3.9/Zend/zend_hash.c:1659
        idx = 39
        p = 0x555555be96a0
#12 0x00005555557e57cc in zend_destroy_modules () at /usr/src/debug/php-7.3.9/Zend/zend_API.c:2013
No locals.
#13 0x00005555557e15d3 in zend_shutdown () at /usr/src/debug/php-7.3.9/Zend/zend.c:977
No locals.
#14 0x0000555555781902 in php_module_shutdown () at /usr/src/debug/php-7.3.9/main/main.c:2498
No locals.
#15 0x0000555555643385 in main (argc=2, argv=0x555555bd56b0) at /usr/src/debug/php-7.3.9/sapi/cli/php_cli.c:1404
        c = <optimized out>
        exit_status = 0
        module_started = 1
        sapi_started = 1
        php_optarg = 0x0
        php_optind = 1
        use_extended_info = 0
        ini_path_override = 0x0
        ini_entries = 0x555555bd5950 "(\350\245\364\377\177"
        ini_entries_len = 0
        ini_ignore = 0
        sapi_module = <optimized out>
A debugging session is active.

        Inferior 1 [process 7259] will be killed.


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-09-18 19:35 UTC] erik at coretech dot se
-Status: Open +Status: Closed
 [2019-09-18 19:35 UTC] erik at coretech dot se
Already reported on on the pecl-imagick github page.
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Wed Apr 21 19:01:23 2021 UTC