#40578 [Csd]: Thread safety issue with imagettftext

pajoye@php.net · pajoye@php.net

ID: 40578
Updated by: [email]pajoye@php.net[/email]
Reported By: scottmacvicar at ntlworld dot com
Status: Closed
Bug Type: GD related
Operating System: RHEL 4
PHP Version: 5.2.1
Assigned To: tony2001
New Comment:

I reported the issue in GD too:

[url]http://bugs.libgd.org/?do=details&task_id=48[/url]

Will be fixed in 2.0.35.

Thanks for your patch and nice reproduce case!

Previous Comments:
------------------------------------------------------------------------

[2007-02-21 15:00:50] [email]tony2001@php.net[/email]

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
[url]http://snaps.php.net/[/url].

Thank you for the report, and for helping us make PHP better.

And again - very nice reproduce case & report, thanks.

------------------------------------------------------------------------

[2007-02-21 14:40:19] scottmacvicar at ntlworld dot com

Should probably class this as a crash.

------------------------------------------------------------------------

[2007-02-21 14:25:47] scottmacvicar at ntlworld dot com

Description:
------------
There appears to be a race condition with the truetype font support of
GD. I can see mutexes in the code for the font cache so there must be a
code path that's missed.

Backtrace:
[url]http://public.vbulletin.com/bugs/php/gd_thread_safety-bt.txt[/url]

Reproduce code:
[url]http://public.vbulletin.com/bugs/php/gd_thread_safety.phps[/url]
[url]http://public.vbulletin.com/bugs/php/HECK.TTF[/url]

Command: ab -c 30 -n 10000
[url]http://localhost/~scott/gd_thread_safety.php[/url]

Using Apache 2 with the Worker MPM.

Only patch applied to the build is a thread safety patch for
zend_strtod.c

------------------------------------------------------------------------

--
Edit this bug report at [url]http://bugs.php.net/?id=40578&edit=1[/url]

scottmacvicar at ntlworld dot com · scottmacvicar at ntlworld dot com

ID: 40578
User updated by: scottmacvicar at ntlworld dot com
Reported By: scottmacvicar at ntlworld dot com
Status: Closed
Bug Type: GD related
Operating System: RHEL 4
PHP Version: 5.2.1
Assigned To: tony2001
New Comment:

Any chance of having this backported to the PHP_4_4 branch? It's a
fairly minor patch to apply.

Previous Comments:
------------------------------------------------------------------------

[2007-02-21 15:42:02] [email]pajoye@php.net[/email]

I reported the issue in GD too:

[url]http://bugs.libgd.org/?do=details&task_id=48[/url]

Will be fixed in 2.0.35.

Thanks for your patch and nice reproduce case!

------------------------------------------------------------------------

[2007-02-21 15:00:50] [email]tony2001@php.net[/email]

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
[url]http://snaps.php.net/[/url].

Thank you for the report, and for helping us make PHP better.

And again - very nice reproduce case & report, thanks.

------------------------------------------------------------------------

[2007-02-21 14:40:19] scottmacvicar at ntlworld dot com

Should probably class this as a crash.

------------------------------------------------------------------------

[2007-02-21 14:25:47] scottmacvicar at ntlworld dot com

Description:
------------
There appears to be a race condition with the truetype font support of
GD. I can see mutexes in the code for the font cache so there must be a
code path that's missed.

Backtrace:
[url]http://public.vbulletin.com/bugs/php/gd_thread_safety-bt.txt[/url]

Reproduce code:
[url]http://public.vbulletin.com/bugs/php/gd_thread_safety.phps[/url]
[url]http://public.vbulletin.com/bugs/php/HECK.TTF[/url]

Command: ab -c 30 -n 10000
[url]http://localhost/~scott/gd_thread_safety.php[/url]

Using Apache 2 with the Worker MPM.

Only patch applied to the build is a thread safety patch for
zend_strtod.c

------------------------------------------------------------------------

--
Edit this bug report at [url]http://bugs.php.net/?id=40578&edit=1[/url]

tony2001@php.net · tony2001@php.net

ID: 40578
Updated by: [email]tony2001@php.net[/email]
Reported By: scottmacvicar at ntlworld dot com
Status: Closed
Bug Type: GD related
Operating System: RHEL 4
PHP Version: 5.2.1
Assigned To: tony2001
New Comment:

Also backported to 4_4.

Previous Comments:
------------------------------------------------------------------------

[2007-02-21 18:24:27] scottmacvicar at ntlworld dot com

Any chance of having this backported to the PHP_4_4 branch? It's a
fairly minor patch to apply.

------------------------------------------------------------------------

[2007-02-21 15:42:02] [email]pajoye@php.net[/email]

I reported the issue in GD too:

[url]http://bugs.libgd.org/?do=details&task_id=48[/url]

Will be fixed in 2.0.35.

Thanks for your patch and nice reproduce case!

------------------------------------------------------------------------

[2007-02-21 15:00:50] [email]tony2001@php.net[/email]

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
[url]http://snaps.php.net/[/url].

Thank you for the report, and for helping us make PHP better.

And again - very nice reproduce case & report, thanks.

------------------------------------------------------------------------

[2007-02-21 14:40:19] scottmacvicar at ntlworld dot com

Should probably class this as a crash.

------------------------------------------------------------------------

[2007-02-21 14:25:47] scottmacvicar at ntlworld dot com

Description:
------------
There appears to be a race condition with the truetype font support of
GD. I can see mutexes in the code for the font cache so there must be a
code path that's missed.

Backtrace:
[url]http://public.vbulletin.com/bugs/php/gd_thread_safety-bt.txt[/url]

Reproduce code:
[url]http://public.vbulletin.com/bugs/php/gd_thread_safety.phps[/url]
[url]http://public.vbulletin.com/bugs/php/HECK.TTF[/url]

Command: ab -c 30 -n 10000
[url]http://localhost/~scott/gd_thread_safety.php[/url]

Using Apache 2 with the Worker MPM.

Only patch applied to the build is a thread safety patch for
zend_strtod.c

------------------------------------------------------------------------

--
Edit this bug report at [url]http://bugs.php.net/?id=40578&edit=1[/url]

scottmacvicar at ntlworld dot com · scottmacvicar at ntlworld dot com

ID: 40578
User updated by: scottmacvicar at ntlworld dot com
Reported By: scottmacvicar at ntlworld dot com
Status: Closed
Bug Type: GD related
Operating System: RHEL 4
PHP Version: 5.2.1
Assigned To: tony2001
New Comment:

Has this potentially caused a regression?

I applied the patch that was checked in CVS this afternoon
and recompiled PHP.

Had another segfault in GD, here is the backtrace.
Unfortunately it wasn't a debug build.

Thread 13 (process 27300):
#0 0x009457a2 in _dl_sysinfo_int80 () from /lib/ld-
linux.so.2
No symbol table info available.
#1 0x00985c46 in kill () from /lib/tls/libc.so.6
No symbol table info available.
#2 0x0807e646 in sig_coredump (sig=11) at mpm_common.c:1170
No locals.
#3 <signal handler called>
No symbol table info available.
#4 0x009bf652 in malloc_consolidate () from /lib/tls/
libc.so.6
No symbol table info available.
#5 0x009bfd30 in _int_free () from /lib/tls/libc.so.6
No symbol table info available.
#6 0x009c033a in free () from /lib/tls/libc.so.6
---Type <return> to continue, or q <return> to quit---
No symbol table info available.
#7 0x003d5b8a in ?? () from /usr/lib/libfreetype.so.6
No symbol table info available.
#8 0x9e418dc0 in ?? ()
No symbol table info available.
#9 0x00431b2c in ?? () from /usr/lib/libfreetype.so.6
No symbol table info available.
#10 0xa6629868 in ?? ()
No symbol table info available.
#11 0x003d5fc0 in FT_Free () from /usr/lib/libfreetype.so.6
No symbol table info available.
#12 0x003d5fc0 in FT_Free () from /usr/lib/libfreetype.so.6
No symbol table info available.
#13 0x003d88e9 in FT_GlyphLoader_Reset () from /usr/lib/
libfreetype.so.6
No symbol table info available.
#14 0x003d8948 in FT_GlyphLoader_Done () from /usr/lib/
libfreetype.so.6
No symbol table info available.
#15 0x003dc1de in FT_Remove_Module () from /usr/lib/
libfreetype.so.6
No symbol table info available.
#16 0x003dc72b in FT_Done_Library () from /usr/lib/
libfreetype.so.6
No symbol table info available.
#17 0x003d5ee0 in FT_Done_FreeType () from /usr/lib/
libfreetype.so.6
No symbol table info available.
---Type <return> to continue, or q <return> to quit---
#18 0x00fa4518 in php_gd_gdFontCacheShutdown ()
at /www/src/php-5.2.1/ext/gd/libgd/gdft.c:724
No locals.
#19 0x00f8c7eb in zm_deactivate_gd (type=1,
module_number=26,
tsrm_ls=0x94aea70) at /www/src/php-5.2.1/ext/gd/gd.c:
1303
No locals.
#20 0x0113434a in module_registry_cleanup (module=0x8b5d1b0,
tsrm_ls=0x94aea70)
at /www/src/php-5.2.1/Zend/zend_API.c:1945
No locals.
#21 0x0113986c in zend_hash_apply (ht=0x14274e0,
apply_func=0x1134328 <module_registry_cleanup>,
tsrm_ls=0x94aea70)
at /www/src/php-5.2.1/Zend/zend_hash.c:673
result = 0
p = (Bucket *) 0x8b5d180
#22 0x0112fb33 in zend_deactivate_modules
(tsrm_ls=0x94aea70)
at /www/src/php-5.2.1/Zend/zend.c:839
__orig_bailout = (jmp_buf *) 0x0
__bailout = {{__jmpbuf = {144334232, 144334256,
19764252, -1503487368,
-1503487568, 18021115}, __mask_was_saved = 0,
__saved_mask = {__val = {
149310844, 10232833, 4294967294, 4294967295,
149310844, 165552858, 0,
0, 165552848, 165159443, 0, 0, 149809548, 0,
11036764, 24, 56, 88, 0,
11, 11536181, 144334232, 0, 2791479928, 17752220, 3,
165552848,
135009633, 2, 0, 165552808, 165552848}}}}
---Type <return> to continue, or q <return> to quit---
#23 0x010f19c5 in php_request_shutdown (dummy=0x0)
at /www/src/php-5.2.1/main/main.c:1293
__orig_bailout = Variable "__orig_bailout" is not
available.

I can try a debug build but the segfaults are occuring less
frequently now.

Previous Comments:
------------------------------------------------------------------------

[2007-02-21 18:41:56] [email]tony2001@php.net[/email]

Also backported to 4_4.

------------------------------------------------------------------------

[2007-02-21 18:24:27] scottmacvicar at ntlworld dot com

Any chance of having this backported to the PHP_4_4 branch? It's a
fairly minor patch to apply.

------------------------------------------------------------------------

[2007-02-21 15:42:02] [email]pajoye@php.net[/email]

I reported the issue in GD too:

[url]http://bugs.libgd.org/?do=details&task_id=48[/url]

Will be fixed in 2.0.35.

Thanks for your patch and nice reproduce case!

------------------------------------------------------------------------

[2007-02-21 15:00:50] [email]tony2001@php.net[/email]

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
[url]http://snaps.php.net/[/url].

Thank you for the report, and for helping us make PHP better.

And again - very nice reproduce case & report, thanks.

------------------------------------------------------------------------

[2007-02-21 14:40:19] scottmacvicar at ntlworld dot com

Should probably class this as a crash.

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
[url]http://bugs.php.net/40578[/url]

--
Edit this bug report at [url]http://bugs.php.net/?id=40578&edit=1[/url]

#40578 [Csd]: Thread safety issue with imagettftext

Thread Tools

Display