Description of problem:
It started with rubygem-activestorage test suite failures on s390x:

https://github.com/rails/rails/issues/42957

And continues with upstream report:

https://github.com/ImageMagick/ImageMagick6/issues/164

Version-Release number of selected component (if applicable):
$ rpm -q ImageMagick
ImageMagick-6.9.11.27-5.fc35.s390x

How reproducible:

Steps to Reproduce:
1. $ curl -OL https://github.com/rails/rails/raw/77b7835a6af96cf85bc9e01ee0c19924063a9af0/activestorage/test/fixtures/files/racecar.tif
2. $ convert racecar.tif -auto-orient -resize 50x50 racecar.png
Aborted (core dumped)

or

3. $ curl -OL https://github.com/rails/rails/raw/13722000baa4ba896682255fc2a3cd975d2a177d/activestorage/test/fixtures/files/racecar.tif
4. $ convert racecar.tif -auto-orient -resize 50x50 racecar.png
malloc(): unsorted double linked list corrupted
Aborted (core dumped)

Actual results:

Expected results:

Additional info:
It seems that ImageMagick is borked on s390x. Is it due to LTO? Here are the relevant backtraces:

~~~
$ gdb --args convert racecar.tif -auto-orient -resize 50x50 racecar.png
GNU gdb (GDB) Fedora 10.2-6.fc35
Copyright (C) 2021 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "s390x-redhat-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from convert...
Reading symbols from /usr/lib/debug/usr/bin/convert-6.9.11.27-5.fc35.s390x.debug...
(gdb) r
Starting program: /usr/bin/convert racecar.tif -auto-orient -resize 50x50 racecar.png
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x000003fffd930762 in __GI___strcasecmp (s1=0xaa020000c0500300 <error: Cannot access memory at address 0xaa020000c0500300>, s2=0x2aa00078160 "tiff:timestamp") at strcasecmp.c:58
58	  while ((result = TOLOWER (*p1) - TOLOWER (*p2++)) == 0)
(gdb) bt
#0  0x000003fffd930762 in __GI___strcasecmp (s1=0xaa020000c0500300 <error: Cannot access memory at address 0xaa020000c0500300>, s2=0x2aa00078160 "tiff:timestamp") at strcasecmp.c:58
#1  0x000003fffdd7fc50 in Splay (splay_tree=splay_tree@entry=0x2aa00034fa0, depth=depth@entry=2, key=key@entry=0x2aa00078160, node=0x2aa00035158, parent=parent@entry=0x2aa0007d858, grandparent=0x2aa00034fa0) at magick/splay-tree.c:1533
#2  0x000003fffdd7fca4 in Splay (splay_tree=splay_tree@entry=0x2aa00034fa0, depth=depth@entry=1, key=key@entry=0x2aa00078160, node=0x2aa0007d858, parent=parent@entry=0x2aa00034fa0, grandparent=0x0) at magick/splay-tree.c:1549
#3  0x000003fffdd7fca4 in Splay (splay_tree=splay_tree@entry=0x2aa00034fa0, depth=depth@entry=0, key=key@entry=0x2aa00078160, node=node@entry=0x2aa00034fa0, parent=parent@entry=0x0, grandparent=0x0) at magick/splay-tree.c:1549
#4  0x000003fffdd85fce in SplaySplayTree (splay_tree=splay_tree@entry=0x2aa00034fa0, key=key@entry=0x2aa00078160) at magick/splay-tree.c:1624
#5  0x000003fffdd86f12 in AddValueToSplayTree (splay_tree=0x2aa00034fa0, key=0x2aa00078160, value=0x2aa00077fc0) at magick/splay-tree.c:163
#6  0x000003fffb791e9e in TIFFGetProperties (image=0x2aa0002f940, tiff=0x2aa00032dd0) at coders/tiff.c:705
#7  ReadTIFFImage (image_info=0x2aa0001a6f0, exception=0x2aa0000ba50) at coders/tiff.c:1444
#8  0x000003fffdc7d95c in ReadImage (image_info=0x2aa00016270, exception=0x2aa0000ba50) at magick/constitute.c:554
#9  0x000003fffdc7ea42 in ReadImages (image_info=0x2aa00011df0, exception=0x2aa0000ba50) at magick/constitute.c:955
#10 0x000003fffdac1810 in ConvertImageCommand (image_info=0x2aa00011df0, image_info@entry=0x2aa0000d310, argc=<optimized out>, argc@entry=6, argv=<optimized out>, argv@entry=0x3fffffff448, metadata=<optimized out>, metadata@entry=0x0, exception=exception@entry=0x2aa0000ba50) at wand/convert.c:601
#11 0x000003fffdb3458c in MagickCommandGenesis (image_info=0x2aa0000d310, command=0x3fffdac0ca0 <ConvertImageCommand>, argc=<optimized out>, argv=0x3fffffff448, metadata=<optimized out>, exception=0x2aa0000ba50) at wand/mogrify.c:173
#12 0x000002aa00000966 in ConvertMain (argv=0x3fffffff448, argc=6) at utilities/convert.c:81
#13 main (argc=<optimized out>, argv=0x3fffffff448) at utilities/convert.c:92
~~~

and

~~~
$ gdb --args convert racecar.tif -auto-orient -resize 50x50 racecar.png
GNU gdb (GDB) Fedora 10.2-6.fc35
Copyright (C) 2021 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "s390x-redhat-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from convert...
Reading symbols from /usr/lib/debug/usr/bin/convert-6.9.11.27-5.fc35.s390x.debug...
(gdb) r
Starting program: /usr/bin/convert racecar.tif -auto-orient -resize 50x50 racecar.png
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
malloc(): unsorted double linked list corrupted

Program received signal SIGABRT, Aborted.
__pthread_kill_internal (threadid=<optimized out>, signo=<optimized out>) at pthread_kill.c:45
45	  val = (INTERNAL_SYSCALL_ERROR_P (val)
(gdb) bt
#0  __pthread_kill_internal (threadid=<optimized out>, signo=<optimized out>) at pthread_kill.c:45
#1  0x000003fffd91ed02 in __GI___pthread_kill (threadid=<optimized out>, signo=signo@entry=6) at pthread_kill.c:62
#2  0x000003fffd8d03e0 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#3  0x000003fffd8b3480 in __GI_abort () at abort.c:79
#4  0x000003fffd911d94 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x3fffda113ea "%s\n") at ../sysdeps/posix/libc_fatal.c:155
#5  0x000003fffd928f20 in malloc_printerr (str=str@entry=0x3fffda0fb2c "malloc(): unsorted double linked list corrupted") at malloc.c:5543
#6  0x000003fffd92c374 in _int_malloc (av=av@entry=0x3fffda49d48 <main_arena>, bytes=bytes@entry=4128) at malloc.c:3897
#7  0x000003fffd92d534 in __GI___libc_malloc (bytes=4128) at malloc.c:3208
#8  0x000003fffdd92d68 in AcquireStringInfoContainer () at magick/string.c:177
#9  BlobToStringInfo (blob=0x2aa000340c0, length=1725) at magick/string.c:234
#10 0x000003fffb78af12 in ReadProfile (image=image@entry=0x2aa0002f940, name=name@entry=0x3fffb797a94 "iptc", datum=<optimized out>, length=<optimized out>) at coders/tiff.c:564
#11 0x000003fffb79187e in ReadProfile (length=<optimized out>, datum=<optimized out>, name=<optimized out>, image=<optimized out>) at coders/tiff.c:562
#12 TIFFGetProfiles (image=0x2aa0002f940, tiff=0x2aa00032dd0) at coders/tiff.c:650
#13 ReadTIFFImage (image_info=0x2aa0001a6f0, exception=0x2aa0000ba50) at coders/tiff.c:1437
#14 0x000003fffdc7d95c in ReadImage (image_info=0x2aa00016270, exception=0x2aa0000ba50) at magick/constitute.c:554
#15 0x000003fffdc7ea42 in ReadImages (image_info=0x2aa00011df0, exception=0x2aa0000ba50) at magick/constitute.c:955
#16 0x000003fffdac1810 in ConvertImageCommand (image_info=0x2aa00011df0, image_info@entry=0x2aa0000d310, argc=<optimized out>, argc@entry=6, argv=<optimized out>, argv@entry=0x3fffffff448, metadata=<optimized out>, metadata@entry=0x0, exception=exception@entry=0x2aa0000ba50) at wand/convert.c:601
#17 0x000003fffdb3458c in MagickCommandGenesis (image_info=0x2aa0000d310, command=0x3fffdac0ca0 <ConvertImageCommand>, argc=<optimized out>, argv=0x3fffffff448, metadata=<optimized out>, exception=0x2aa0000ba50) at wand/mogrify.c:173
#18 0x000002aa00000966 in ConvertMain (argv=0x3fffffff448, argc=6) at utilities/convert.c:81
#19 main (argc=<optimized out>, argv=0x3fffffff448) at utilities/convert.c:92
(gdb)
~~~
@dhorak since this seems to be platform specific and rather strange that IM would be that broken, could you please take a look?
Doing quick check, the convert command above worked on Fedora 33 with ImageMagick-1:6.9.11.27-1.fc33.s390x + libtiff-4.1.0-8.fc33.s390x, but it does not work in:

* Fedora 34 with ImageMagick-1:6.9.11.27-3.fc34.s390x + libtiff-4.2.0-1.fc34.s390x
* Fedora 35 with ImageMagick-1:6.9.11.27-6.fc35.s390x + libtiff-4.3.0-2.fc35.s390x
* Fedora Rawhide with ImageMagick-1:6.9.11.27-7.fc36.s390x + libtiff-4.3.0-2.fc35.s390x

So this really might be libtiff issue.
This is not a libtiff issue. The problem is in coders/tiff.c:

~~~
637 #if defined(TIFFTAG_RICHTIFFIPTC) && (TIFFLIB_VERSION >= 20191103)
638   if ((TIFFGetField(tiff,TIFFTAG_RICHTIFFIPTC,&length,&profile) == 1) &&
639       (profile != (unsigned char *) NULL))
640     {
641       const TIFFField
642         *field;
643
644       if (TIFFIsByteSwapped(tiff) != 0)
645         TIFFSwabArrayOfLong((uint32 *) profile,(size_t) length);
646       field=TIFFFieldWithTag(tiff,TIFFTAG_RICHTIFFIPTC);
647       if (TIFFFieldDataType(field) == TIFF_LONG)
648         status=ReadProfile(image,"iptc",profile,4L*length);
649       else
650         status=ReadProfile(image,"iptc",profile,length);
651     }
652 #endif
~~~

TIFFSwabArrayOfLong() expects as its second argument the length of an array of 4-byte elements, but in this case the length variable represents a length in bytes, because the input image contains TIFFTAG_RICHTIFFIPTC with associated profile data stored as TIFF_UNDEFINED, not TIFF_LONG. So the function accesses and modifies memory it's not supposed to and that later leads to the crash.

It's already fixed upstream:

https://github.com/ImageMagick/ImageMagick/commit/d1b3b2513f8fb48a3958230e3a1de0e3c21913a0
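The unit mismatch described in the comment above, reproduced as an added example (not ImageMagick or libtiff code, and not part of the original comment). `swab_array_of_long` is a local stand-in for `TIFFSwabArrayOfLong()`; the arena, its guard region and the `guard_damage` helper are constructed for illustration, and the guarded path (swap only when the field holds 32-bit elements) is one possible check, assumed here rather than taken from the upstream commit.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed layout: a 16-byte "profile" followed by 48 guard bytes that
   stand in for whatever the allocator placed after the profile buffer. */
enum { PROFILE_BYTES = 16, ARENA_BYTES = 4 * PROFILE_BYTES };

/* Stand-in for TIFFSwabArrayOfLong(): byte-reverses n 32-bit elements in
   place, so it reads and writes 4*n bytes. */
static void swab_array_of_long(unsigned char *p, size_t n)
{
    for (size_t i = 0; i < n; i++, p += 4) {
        unsigned char t = p[0]; p[0] = p[3]; p[3] = t;
        t = p[1]; p[1] = p[2]; p[2] = t;
    }
}

/* `length` is the count reported for the tag: elements when the field type
   is TIFF_LONG (is_long != 0), bytes when it is TIFF_UNDEFINED.
   Returns how many guard bytes were modified by the swap. */
size_t guard_damage(size_t length, int is_long, int guarded)
{
    unsigned char arena[ARENA_BYTES];
    size_t i, changed = 0;

    if (length > ARENA_BYTES / 4)
        return (size_t) -1;            /* keep the demo itself in bounds */
    for (i = 0; i < ARENA_BYTES; i++)
        arena[i] = (unsigned char) i;  /* known pattern to diff against */
    if (!guarded || is_long)           /* unguarded: swap whatever the type */
        swab_array_of_long(arena, length);
    for (i = PROFILE_BYTES; i < ARENA_BYTES; i++)
        if (arena[i] != (unsigned char) i)
            changed++;
    return changed;
}

int main(void)
{
    printf("UNDEFINED, 16 bytes, unguarded: %zu guard bytes changed\n",
           guard_damage(16, 0, 0));
    printf("UNDEFINED, 16 bytes, guarded:   %zu guard bytes changed\n",
           guard_damage(16, 0, 1));
    printf("LONG, 4 elements, unguarded:    %zu guard bytes changed\n",
           guard_damage(4, 1, 0));
    return 0;
}
```

The swap stays inside the profile when the count is in 32-bit elements and spills into the guard region only when a byte count is passed as an element count.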
If someone wants to take primary ownership of ImageMagick please step forward. I do not have the time to dedicate to this package. I only picked it up because it was going to be orphaned and so many applications rely on it.
There is also ImageMagick6 fix: https://github.com/ImageMagick/ImageMagick6/commit/112051a709f83f13ca2b9ab63007d4a41b0a9beb I have opened PR: https://src.fedoraproject.org/rpms/ImageMagick/pull-request/4 I'll merge ~Monday if nobody objects.
(In reply to Nikola Forró from comment #3) BTW thx a lot for your analysis!
I took the liberty and merged the PR myself. The build is underway.
FEDORA-2021-7f3753c9e8 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2021-7f3753c9e8
FEDORA-2021-7f3753c9e8 has been pushed to the Fedora 36 stable repository. If problem still persists, please make note of it in this bug report.