[Fixed][invalid] Perl magick segfault

broucaries
Posts: 467
Joined: 2008-12-21T11:51:10-07:00

[Fixed][invalid] Perl magick segfault

Post by broucaries »

perl -MImage::Magick -MUUID -e 'UUID::generate($uuid)'

Segfault

bastien
Last edited by broucaries on 2011-10-12T05:14:19-07:00, edited 1 time in total.
magick
Site Admin
Posts: 11064
Joined: 2003-05-31T11:32:55-07:00

Re: Perl magick segfault

Post by magick »

We cannot reproduce the problem. Our Perl5 version of UUID.pm does not include the generate() method. We're using

Code:

## OSSP uuid - Universally Unique Identifier
## This file is part of OSSP uuid, a library for the generation
## of UUIDs which can found at http://www.ossp.org/pkg/lib/uuid/

We'll need a stack trace to investigate this problem further.
broucaries
Posts: 467
Joined: 2008-12-21T11:51:10-07:00

Re: Perl magick segfault

Post by broucaries »

magick
Site Admin
Posts: 11064
Joined: 2003-05-31T11:32:55-07:00

Re: Perl magick segfault

Post by magick »

We can reproduce the problem with xapian and PerlMagick. However, the stack trace shows the problem is in libuuid:

Code:

Program received signal SIGSEGV, Segmentation fault.
0x0000003b56201770 in ?? () from /lib64/libuuid.so.1
(gdb) where
#0 0x0000003b56201770 in ?? () from /lib64/libuuid.so.1
#1 0x0000003b562025f9 in uuid_generate () from /lib64/libuuid.so.1
#2 0x00007ffff0c82fe2 in ?? () from /usr/lib64/libxapian.so.22
#3 0x00007ffff0c5390d in ?? () from /usr/lib64/libxapian.so.22
#4 0x00007ffff0c58251 in ?? () from /usr/lib64/libxapian.so.22
#5 0x00007ffff0c586b9 in ?? () from /usr/lib64/libxapian.so.22
#6 0x00007ffff0c01cd1 in Xapian::WritableDatabase::WritableDatabase(std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int) ()
from /usr/lib64/libxapian.so.22
#7 0x00007ffff0fbdd0d in XS_Search__Xapian__WritableDatabase_new1 ()
from /usr/lib64/perl5/vendor_perl/auto/Search/Xapian/Xapian.so
#8 0x0000003b4eaaff9d in Perl_pp_entersub ()

Notice PerlMagick is not in the stack trace. We're not sure why it's failing or if the problem is related to PerlMagick. We'll investigate, but currently we are clueless why the fault occurs.
broucaries
Posts: 467
Joined: 2008-12-21T11:51:10-07:00

Re: Perl magick segfault

Post by broucaries »

I get this using valgrind perl -MImage::Magick -MUUID -e 'UUID::generate($uuid)'.
No crash without -MImage::Magick, or with valgrind perl -MUUID -MImage::Magick -e 'UUID::generate($uuid)'.

==6339== Memcheck, a memory error detector
==6339== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al.
==6339== Using Valgrind-3.6.0.SVN-Debian and LibVEX; rerun with -h for copyright info
==6339== Command: perl -MImage::Magick -MUUID -e UUID::generate($uuid)
==6339==
==6339== Conditional jump or move depends on uninitialised value(s)
==6339== at 0x4EB07E9: Perl_re_compile (in /usr/lib/libperl.so.5.10.1)
==6339== by 0x4E6B511: Perl_pmruntime (in /usr/lib/libperl.so.5.10.1)
==6339== by 0x4E9D786: Perl_yyparse (in /usr/lib/libperl.so.5.10.1)
==6339== by 0x4F045D8: ??? (in /usr/lib/libperl.so.5.10.1)
==6339== by 0x4F1025E: Perl_pp_require (in /usr/lib/libperl.so.5.10.1)
==6339== by 0x4ED13FF: Perl_runops_standard (in /usr/lib/libperl.so.5.10.1)
==6339== by 0x4E76CE4: Perl_call_sv (in /usr/lib/libperl.so.5.10.1)
==6339== by 0x4EC1098: ??? (in /usr/lib/libperl.so.5.10.1)
==6339== by 0x4EC34DA: Perl_magic_getpack (in /usr/lib/libperl.so.5.10.1)
==6339== by 0x4EC1494: Perl_mg_get (in /usr/lib/libperl.so.5.10.1)
==6339== by 0x4EE009E: Perl_sv_setsv_flags (in /usr/lib/libperl.so.5.10.1)
==6339== by 0x4ED45BF: Perl_pp_aassign (in /usr/lib/libperl.so.5.10.1)
==6339==
==6339== Conditional jump or move depends on uninitialised value(s)
==6339== at 0x4EB07E9: Perl_re_compile (in /usr/lib/libperl.so.5.10.1)
==6339== by 0x4F0797D: Perl_pp_regcomp (in /usr/lib/libperl.so.5.10.1)
==6339== by 0x4ED13FF: Perl_runops_standard (in /usr/lib/libperl.so.5.10.1)
==6339== by 0x4E77036: Perl_call_sv (in /usr/lib/libperl.so.5.10.1)
==6339== by 0x4E776CC: Perl_call_list (in /usr/lib/libperl.so.5.10.1)
==6339== by 0x4E629F8: ??? (in /usr/lib/libperl.so.5.10.1)
==6339== by 0x4E70AE1: Perl_newATTRSUB (in /usr/lib/libperl.so.5.10.1)
==6339== by 0x4E71053: Perl_utilize (in /usr/lib/libperl.so.5.10.1)
==6339== by 0x4E9E4E7: Perl_yyparse (in /usr/lib/libperl.so.5.10.1)
==6339== by 0x4E7B5B1: perl_parse (in /usr/lib/libperl.so.5.10.1)
==6339== by 0x400CEB: main (in /usr/bin/perl)
==6339==
==6339== Invalid write of size 2
==6339== at 0x9B98882: ??? (in /lib/libuuid.so.1.3.0)
==6339== by 0x9B99728: uuid_generate (in /lib/libuuid.so.1.3.0)
==6339== by 0xA3C0C08: do_generate (in /usr/lib/perl5/auto/UUID/UUID.so)
==6339== by 0xA3C0CE6: XS_UUID_generate (in /usr/lib/perl5/auto/UUID/UUID.so)
==6339== by 0x4ED9A14: Perl_pp_entersub (in /usr/lib/libperl.so.5.10.1)
==6339== by 0x4ED13FF: Perl_runops_standard (in /usr/lib/libperl.so.5.10.1)
==6339== by 0x4E7C8ED: perl_run (in /usr/lib/libperl.so.5.10.1)
==6339== by 0x400D5B: main (in /usr/bin/perl)
==6339== Address 0x44 is not stack'd, malloc'd or (recently) free'd
==6339==
==6339==
==6339== Process terminating with default action of signal 11 (SIGSEGV)
==6339== Access not within mapped region at address 0x44
==6339== at 0x9B98882: ??? (in /lib/libuuid.so.1.3.0)
==6339== by 0x9B99728: uuid_generate (in /lib/libuuid.so.1.3.0)
==6339== by 0xA3C0C08: do_generate (in /usr/lib/perl5/auto/UUID/UUID.so)
==6339== by 0xA3C0CE6: XS_UUID_generate (in /usr/lib/perl5/auto/UUID/UUID.so)
==6339== by 0x4ED9A14: Perl_pp_entersub (in /usr/lib/libperl.so.5.10.1)
==6339== by 0x4ED13FF: Perl_runops_standard (in /usr/lib/libperl.so.5.10.1)
==6339== by 0x4E7C8ED: perl_run (in /usr/lib/libperl.so.5.10.1)
==6339== by 0x400D5B: main (in /usr/bin/perl)
==6339== If you believe this happened as a result of a stack
==6339== overflow in your program's main thread (unlikely but
==6339== possible), you can try to increase the size of the
==6339== main thread stack using the --main-stacksize= flag.
==6339== The main thread stack size used in this run was 8388608.
==6339==
==6339== HEAP SUMMARY:
==6339== in use at exit: 1,048,603 bytes in 9,667 blocks
==6339== total heap usage: 18,675 allocs, 9,008 frees, 22,887,967 bytes allocated
==6339==
==6339== LEAK SUMMARY:
==6339== definitely lost: 416 bytes in 1 blocks
==6339== indirectly lost: 3,085 bytes in 50 blocks
==6339== possibly lost: 712,430 bytes in 9,308 blocks
==6339== still reachable: 332,672 bytes in 308 blocks
==6339== suppressed: 0 bytes in 0 blocks
broucaries
Posts: 467
Joined: 2008-12-21T11:51:10-07:00

Re: Perl magick segfault

Post by broucaries »

broucaries
Posts: 467
Joined: 2008-12-21T11:51:10-07:00

Re: Perl magick segfault

Post by broucaries »

Sorry we use this one for uuid

http://search.cpan.org/dist/UUID/
magick
Site Admin
Posts: 11064
Joined: 2003-05-31T11:32:55-07:00

Re: Perl magick segfault

Post by magick »

We can reproduce the problem and have investigated. However, we have not been able to trace the source of the problem. We added debug statements to PerlMagick and the only method it seems to call is the boot section. Even if we comment out that section, the fault still occurs. We also looked for namespace collisions between libuuid and ImageMagick but could not identify any.
mkoppanen
Posts: 309
Joined: 2007-06-09T07:06:32-07:00

Re: Perl magick segfault

Post by mkoppanen »

Hi,

I just stumbled upon this same issue: https://github.com/mkoppanen/php-zmq/issues/11, http://usrportage.de/archives/922-PHP-s ... agick.html

It seems that the issue is not limited to PerlMagick. Will investigate further.
Mikko Koppanen
My blog: http://valokuva.org
mkoppanen
Posts: 309
Joined: 2007-06-09T07:06:32-07:00

Re: Perl magick segfault

Post by mkoppanen »

Hi,

Looks like the issue goes away if I LD_PRELOAD uuid.so. Still unsure what the actual issue is.
mkoppanen
Posts: 309
Joined: 2007-06-09T07:06:32-07:00

Re: Perl magick segfault

Post by mkoppanen »

Debugging further:

This is the output of LD_PRELOAD=/usr/lib/libuuid.so gdb --args php examples/client.php:

Code:

(gdb) run
Starting program: /usr/local/bin/php examples/client.php
[Thread debugging using libthread_db enabled]
[New Thread 0x7ffff0e57700 (LWP 25866)]
[New Thread 0x7ffff0656700 (LWP 25867)]
^C
Program received signal SIGINT, Interrupt.
0x00007ffff66e4113 in *__GI___poll (fds=<value optimized out>, nfds=<value optimized out>, timeout=-1) at ../sysdeps/unix/sysv/linux/poll.c:87
87      ../sysdeps/unix/sysv/linux/poll.c: No such file or directory.
        in ../sysdeps/unix/sysv/linux/poll.c
(gdb) bt
#0  0x00007ffff66e4113 in *__GI___poll (fds=<value optimized out>, nfds=<value optimized out>, timeout=-1) at ../sysdeps/unix/sysv/linux/poll.c:87
#1  0x00007ffff0efa450 in zmq::signaler_t::wait (this=<value optimized out>, timeout_=-1) at signaler.cpp:159
#2  0x00007ffff0eed84a in zmq::mailbox_t::recv (this=0xd31dd8, cmd_=0x7fffffffc0f0, timeout_=-1) at mailbox.cpp:68
#3  0x00007ffff0efac29 in zmq::socket_base_t::process_commands (this=0xd31cf0, timeout_=<value optimized out>, throttle_=false) at socket_base.cpp:729
#4  0x00007ffff0efaf02 in zmq::socket_base_t::recv (this=0xd31cf0, msg_=0x7fffffffc1e0, flags_=0) at socket_base.cpp:622
#5  0x00007ffff0f03206 in zmq_recvmsg (s_=0xd31cf0, msg_=0x7fffffffc1e0, flags_=0) at zmq.cpp:278
#6  0x00007ffff111ab0a in php_zmq_recv (intern=0xd0a1c8, flags=0, return_value=0xd094a8) at /mnt/hgfs/projects/php-zmq/zmq.c:642
#7  0x00007ffff111ac64 in php_zmq_recvmsg_impl (ht=0, return_value=0xd094a8, return_value_ptr=0x0, this_ptr=0xd09430, return_value_used=1) at /mnt/hgfs/projects/php-zmq/zmq.c:671
#8  0x00007ffff111ad20 in zim_zmqsocket_recv (ht=0, return_value=0xd094a8, return_value_ptr=0x0, this_ptr=0xd09430, return_value_used=1) at /mnt/hgfs/projects/php-zmq/zmq.c:694
#9  0x000000000070e78b in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff0e58090) at /root/PHP_5_3/Zend/zend_vm_execute.h:320
#10 0x000000000070ef13 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7ffff0e58090) at /root/PHP_5_3/Zend/zend_vm_execute.h:425
#11 0x000000000070db05 in execute (op_array=0xd0a250) at /root/PHP_5_3/Zend/zend_vm_execute.h:107
#12 0x00000000006d7544 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /root/PHP_5_3/Zend/zend.c:1194
#13 0x0000000000656947 in php_execute_script (primary_file=0x7fffffffe9b0) at /root/PHP_5_3/main/main.c:2275
#14 0x00000000007cb579 in main (argc=2, argv=0x7fffffffec08) at /root/PHP_5_3/sapi/cli/php_cli.c:1193
(gdb) frame 14
#14 0x00000000007cb579 in main (argc=2, argv=0x7fffffffec08) at /root/PHP_5_3/sapi/cli/php_cli.c:1193
1193                            php_execute_script(&file_handle TSRMLS_CC);
(gdb) print jrand_seed
$1 = {29218, 49784, 20029}
The following is without the LD_PRELOAD:

Code:

Starting program: /usr/local/bin/php examples/client.php
[Thread debugging using libthread_db enabled]
[New Thread 0x7ffff0e57700 (LWP 25933)]
[New Thread 0x7ffff0656700 (LWP 25934)]

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff194a882 in get_random_fd () at gen_uuid.c:156
156                     jrand_seed[0] = getpid() ^ (tv.tv_sec & 0xFFFF);
(gdb) bt
#0  0x00007ffff194a882 in get_random_fd () at gen_uuid.c:156
#1  0x00007ffff194b729 in uuid_generate (out=0x7ffff7fe3010 "\003") at gen_uuid.c:674
#2  0x00007ffff0ef5a76 in zmq::generate_random (buf_=0xd324d4, size_=0) at random.cpp:34
#3  0x00007ffff0ef6361 in req_t (this=0xd32260, parent_=<value optimized out>, tid_=<value optimized out>) at req.cpp:38
#4  0x00007ffff0efb846 in zmq::socket_base_t::create (type_=<value optimized out>, parent_=0xd2f450, tid_=4) at socket_base.cpp:86
#5  0x00007ffff0ee62d9 in zmq::ctx_t::create_socket (this=0xd2f450, type_=3) at ctx.cpp:183
#6  0x00007ffff1119913 in php_zmq_socket_new (context=0xd2f430, type=3, is_persistent=1 '\001') at /mnt/hgfs/projects/php-zmq/zmq.c:214
#7  0x00007ffff1119c2c in php_zmq_socket_get (context=0xd2f430, type=3, persistent_id=0xd0cf78 "MySock1", is_new=0x7fffffffc2bf "") at /mnt/hgfs/projects/php-zmq/zmq.c:282
#8  0x00007ffff111a246 in zim_zmqsocket___construct (ht=3, return_value=0xd0b980, return_value_ptr=0x0, this_ptr=0xd09780, return_value_used=0) at /mnt/hgfs/projects/php-zmq/zmq.c:453
#9  0x000000000070e78b in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff0e58090) at /root/PHP_5_3/Zend/zend_vm_execute.h:320
#10 0x000000000070ef13 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7ffff0e58090) at /root/PHP_5_3/Zend/zend_vm_execute.h:425
#11 0x000000000070db05 in execute (op_array=0xd0a4b0) at /root/PHP_5_3/Zend/zend_vm_execute.h:107
#12 0x00000000006d7544 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /root/PHP_5_3/Zend/zend.c:1194
#13 0x0000000000656947 in php_execute_script (primary_file=0x7fffffffe9e0) at /root/PHP_5_3/main/main.c:2275
#14 0x00000000007cb579 in main (argc=2, argv=0x7fffffffec38) at /root/PHP_5_3/sapi/cli/php_cli.c:1193
(gdb) frame 14
#14 0x00000000007cb579 in main (argc=2, argv=0x7fffffffec38) at /root/PHP_5_3/sapi/cli/php_cli.c:1193
1193                            php_execute_script(&file_handle TSRMLS_CC);
(gdb) print jrand_seed
Cannot access memory at address 0x44
The jrand_seed:

Code:

#ifdef HAVE_TLS
#define THREAD_LOCAL static __thread
#else
#define THREAD_LOCAL static
#endif

#if defined(linux) && defined(__NR_gettid) && defined(HAVE_JRAND48)
#define DO_JRAND_MIX
THREAD_LOCAL unsigned short jrand_seed[3];
#endif

I really don't understand what is going on in here. Also, changing the load order so that zmq.so (another extension using uuid_generate) is loaded before Imagick makes this go away.
mkoppanen
Posts: 309
Joined: 2007-06-09T07:06:32-07:00

Re: Perl magick segfault

Post by mkoppanen »

Hi,

I managed to make the error go away by accidentally removing a ton of libraries (dependencies of X11) and recompiling ImageMagick. I am now trying to trace back my steps and see which one of the dependencies caused the error to go away.
mkoppanen
Posts: 309
Joined: 2007-06-09T07:06:32-07:00

Re: Perl magick segfault

Post by mkoppanen »

Actually,

can you test the following configure line:

Code:

./configure --disable-openmp

This eliminates the segfault for me.
broucaries
Posts: 467
Joined: 2008-12-21T11:51:10-07:00

Re: Perl magick segfault

Post by broucaries »

broucaries
Posts: 467
Joined: 2008-12-21T11:51:10-07:00

Re: Perl magick segfault

Post by broucaries »

Not a bug on your side. It is a glibc bug.