Bug 472253 - Seg Fault on ImageMagick
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: gnome-vfs2
Version: 5.2
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: Tomáš Bžatek
QA Contact: desktop-bugs@redhat.com
Keywords: Patch
Depends On:
Blocks: 499522
Reported: 2008-11-19 11:21 EST by Alan Matsuoka
Modified: 2015-03-03 17:33 EST (History)

See Also:
Fixed In Version: gnome-vfs2-2.16.2-8.el5
Doc Type: Bug Fix
Doc Text:
Cause: ImageMagick uses librsvg, which initializes gnome libs, which in turn install an atexit handler. But since librsvg gets unloaded after use, the program then crashes due to the exit handler trying to access unloaded code. Consequence: segfault occurs after successful conversion during exit code. Fix: __attribute__((destructor)) has been used instead of atexit(). Result: ImageMagick tools no longer crash on exit.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-04-13 16:14:05 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments
ImageMagick-6.2.8-svg.patch (1.33 KB, patch)
2008-11-19 11:21 EST, Alan Matsuoka
1.svg (54.00 KB, image/svg+xml)
2008-11-19 11:22 EST, Alan Matsuoka
core file from failed test case (573.33 KB, application/x-bzip2)
2008-11-19 11:23 EST, Alan Matsuoka
Patch for gnome-vfs2 (2.11 KB, patch)
2009-12-16 12:43 EST, Olivier Fourdan

Description Alan Matsuoka 2008-11-19 11:21:41 EST
Created attachment 324068
ImageMagick-6.2.8-svg.patch

General Escalation Information
State the problem

  1. Provide time and date of the problem
Easily Reproducible
  2. Indicate the platform(s) (architectures) the problem is being reported against.
RHEL 5.2 x86_64
  3. Provide clear and concise problem description as it is understood at the time of escalation
         * Observed behavior
$ convert 1.svg 2.png
Segmentation fault

Segfault occurs after successful conversion during exit code afaict.

         * Desired behavior
No segfault
  4. State specific action requested of SEG
Determine cause of segfault, and fix it.
  5. State whether or not a defect in the product is suspected
A defect is suspected, I did not find any relevant BZs
  6. If there is a proposed patch, make sure it is in unified diff format (diff -pruN)
Found a patch, but after testing, I'm not sure if it's really relevant to the issue.  Details in ticket.
  7. Refrain from using the word "hang", as it can mean different things to different people in different contexts. Use a better and more specific description of your problem.
N/A
  8. This is especially important for severity one and two issues. What is the impact to the customer when they experience this problem?
         * For example: "This system houses our accounts payable database. When the system crashes we are unable to process payroll, and other payable functions. This is especially critical as we approach end of our quarter."

Provide supporting info

  1. State other actions already taken in working the problem:
         Reproduced the problem in gdb, attempted to find the fault
  2. Attach sosreport
attached
  3. Attach other supporting data
1.svg is attached
  4. Provide issue repro information:

$ gdb convert
GNU gdb Red Hat Linux (6.5-37.el5_2.2rh)
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu"...Using host libthread_db library "/lib64/libthread_db.so.1".

(gdb) break convert.c:118
Breakpoint 1 at 0x400c8a: file utilities/convert.c, line 118.
(gdb) run 1.svg 2.png
Starting program: /usr/bin/convert 1.svg 2.png
[Thread debugging using libthread_db enabled]
[New Thread 47210843027024 (LWP 18913)]
[Switching to Thread 47210843027024 (LWP 18913)]

Breakpoint 1, main (argc=3, argv=0x7fff898d9ea8) at utilities/convert.c:119
119     }
(gdb) where
#0  main (argc=3, argv=0x7fff898d9ea8) at utilities/convert.c:119
#1  0x00000033d2e1d8b4 in __libc_start_main (main=0x400b40 <main>, argc=3, ubp_av=0x7fff898d9ea8, init=<value optimized out>, fini=<value optimized out>,
   rtld_fini=<value optimized out>, stack_end=0x7fff898d9e98) at libc-start.c:231
#2  0x0000000000400a89 in _start ()
(gdb) list
114         }
115       image_info=DestroyImageInfo(image_info);
116       (void) DestroyExceptionInfo(&exception);
117       DestroyMagick();
118       return(status == MagickFalse ? 1 : 0);
119     }
(gdb) next
__libc_start_main (main=0x400b40 <main>, argc=3, ubp_av=0x7fff898d9ea8, init=<value optimized out>, fini=<value optimized out>, rtld_fini=<value optimized out>,
   stack_end=0x7fff898d9e98) at libc-start.c:262
262       exit (result);
(gdb)

Program received signal SIGSEGV, Segmentation fault.
0x00000030cb83637c in



  5. List any known hot-fix packages on the system
N/A
  6. List any customer applied changes from the last 30 days
N/A



SEG NOTES:

atexit seems to be the culprit here.
Set a breakpoint on atexit and I get:

Breakpoint 2, 0x0000003802a56870 in atexit () from /lib64/libglib-2.0.so.0
(gdb) bt
#0  0x0000003802a56870 in atexit () from /lib64/libglib-2.0.so.0
#1  0x0000003802a53219 in IA__g_atexit (func=0x3416e3637c <free_stack_tables_to_free>)
   at gutils.c:269
#2  0x0000003416e36524 in _gnome_vfs_module_callback_private_init ()
   at gnome-vfs-module-callback.c:464
#3  0x0000003416e29327 in gnome_vfs_thread_init () at gnome-vfs-init.c:89
#4  0x0000003416e2940d in gnome_vfs_init () at gnome-vfs-init.c:127
#5  0x00002abe07f7e761 in RegisterSVGImage ()
  from /usr/lib64/ImageMagick-6.2.8/modules-Q16/coders/svg.so
#6  0x000000389e6c0597 in OpenModule () from /usr/lib64/libMagick.so.10
#7  0x000000389e6be7b1 in GetMagickInfo () from /usr/lib64/libMagick.so.10
#8  0x000000389e6b1c6e in SetImageInfo () from /usr/lib64/libMagick.so.10
#9  0x000000389e65a1ba in ReadImage () from /usr/lib64/libMagick.so.10
#10 0x000000389e228476 in ConvertImageCommand () from /usr/lib64/libWand.so.10
#11 0x0000000000400c5e in ?? ()
#12 0x00000037fca1d8b4 in __libc_start_main () from /lib64/libc.so.6
#13 0x0000000000400a89 in ?? ()
#14 0x00007fffa614c9c8 in ?? ()
#15 0x0000000000000000 in ?? ()
(gdb) 


There's a call to rsvg_init() in RegisterSVGImage that doesn't show up with x86_64 but does on i386.

rsvg_init() calls gnome_vfs_init() so it actually dies inside gnome_vfs code. 

sigh.. the bug described is a similar one to the one referred to in the ImageMagick forum.

In this case we get...

(gdb) cont
Continuing.
warning: Temporarily disabling breakpoints for unloaded shared library "/usr/lib64/librsvg-2.so.2"
warning: Temporarily disabling breakpoints for unloaded shared library "/usr/lib64/libgnomevfs-2.so.0"

Program received signal SIGSEGV, Segmentation fault.
0x0000003416e3637c in ?? ()
(gdb) bt
#0  0x0000003416e3637c in ?? ()
#1  0x00000037fca32fa5 in exit () from /lib64/libc.so.6
#2  0x00000037fca1d8bb in __libc_start_main () from /lib64/libc.so.6
#3  0x0000000000400a89 in ?? ()
#4  0x00007fff50be6168 in ?? ()
#5  0x0000000000000000 in ?? ()
(gdb)

since libgnomevfs-2.so.0 has been unloaded.. crash. 

ugh. there's a way around this that involves some special casing.
ImageMagick calls librsvg which was originally meant for gnome. The way it is built for RHEL means that for some reason or other it calls gnome_vfs_init().
gnome_vfs_init makes a call to atexit which is the real source of the problem.

The reason for the SEGFAULT is that the library has been unloaded and the function that was registered by the atexit call in gnome_vfs_init() is no longer resident.

The svg module appears to be the only ImageMagick module that has a secondary dependency.

The shared libs that were dynamically loaded can be kept resident by making a call to lt_dlmakeresident just after the call to lt_dlopen.
This negates the purpose of having loadable modules but if it's special cased just for .svg it may be a little more palatable. 

This patch is a horrible hack but it does work. see attachment


Customer reports that test packages work.
Comment 1 Alan Matsuoka 2008-11-19 11:22:10 EST
Created attachment 324069
1.svg
Comment 2 Alan Matsuoka 2008-11-19 11:23:01 EST
Created attachment 324070
core file from failed test case
Comment 3 RHEL Product and Program Management 2009-03-26 13:17:36 EDT
This request was evaluated by Red Hat Product Management for
inclusion, but this component is not scheduled to be updated in
the current Red Hat Enterprise Linux release. If you would like
this request to be reviewed for the next minor release, ask your
support representative to set the next rhel-x.y flag to "?".
Comment 4 Alan Matsuoka 2009-03-26 13:23:36 EDT
setting flags for 5.5
Comment 7 Olivier Fourdan 2009-12-16 12:43:09 EST
Created attachment 378803
Patch for gnome-vfs2

Actually the root cause of the problem is gnome-vfs2 using atexit() which breaks on exit after the DSO has been unloaded.

The following patch fixes the issue in gnome-vfs2 by using __attribute__((destructor)) instead of atexit().

Tests show that the functions are still called on normal exit and also on unload of the DSO.

ImageMagick works fine with that patch in gnome-vfs2.
Comment 11 Michael A. Peters 2010-03-05 04:29:12 EST
I also experienced this bug in CentOS (i386).
Applied the patch to gnome-vfs2 and so far have not had any more issues with convert and SVG.
Comment 17 Tomáš Bžatek 2011-03-29 10:39:33 EDT
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: ImageMagick uses librsvg, which initializes gnome libs, which in turn install an atexit handler. But since librsvg gets unloaded after use, the program then crashes due to the exit handler trying to access unloaded code.

Consequence: segfault occurs after successful conversion during exit code

Fix: __attribute__((destructor)) has been used instead of atexit()

Result: ImageMagick tools no longer crash on exit
Comment 20 Thiago Sobral 2011-04-06 14:02:35 EDT
Hi,

Could you please send me a hotfix (.rpm)? 

I need to send it to the customer ASAP.

Regards,

Thiago Sobral
Comment 21 errata-xmlrpc 2011-04-13 16:14:05 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0441.html
