Closed remicollet closed 7 years ago
Most of the errors seems related to "Operation canceled' @ fatal/cache.c/GetImagePixelCache/1885"
Some diff (v3.4.3RC1, PHP 5.6.22, IM 6.9.4-8)
========DIFF========
001+ php: time limit exceeded Operation canceled' @ fatal/cache.c/GetImagePixelCache/1885. 001- Ok 002+ php: time limit exceeded
Operation canceled' @ fatal/cache.c/GetImagePixelCache/1885.
003+ php: time limit exceeded `Operation canceled' @ fatal/cache.c/GetImagePixelCache/1885.
========DONE========
FAIL Test Imagick, getImageHistogram [tests/081_Imagick_getImageHistogram_basic.phpt]
========DIFF======== 001+ php: time limit exceeded `Operation canceled' @ fatal/cache.c/GetImagePixelCache/1885. 001- Ok 002- Ok 003- Ok 004- Ok ========DONE======== FAIL Test Imagick, sparseColorImage [tests/149_Imagick_sparseColorImage.phpt]
========DIFF======== 001+ php: time limit exceeded `Operation canceled' @ fatal/cache.c/GetImagePixelCache/1885. 001- Ok ========DONE======== FAIL Test ImagickPixel, construct [tests/169_ImagickPixel_construct_basic.phpt]
========DIFF======== 001+ php: time limit exceeded `Operation canceled' @ fatal/cache.c/GetImagePixelCache/1885. 001- Ok ========DONE======== FAIL Test ImagickPixel, setColorValue [tests/171_ImagickPixel_setColorValue_basic.phpt]
time limit exceeded `Operation canceled' @ fatal/cache.c/GetImagePixelCache/1885.
Are you running these tests all through the same process somehow?
Up until recently the ImageMagick time limit was a global one, from the time of the first ImageMagick image processing functions were called. It was changed to be resettable recently: https://github.com/ImageMagick/ImageMagick/issues/113
Oh - I see you had another issue https://github.com/ImageMagick/ImageMagick/issues/202 just before 6.9.4-3 was released.....I suspect this isn't going to be an Imagick issue.
Are you running these tests all through the same process somehow?
No, standard "php runtest.php" process.
P.S. IM 202 is fixed, so not related to this issue;
Small test with "tests/002_thumbnail"
Adding; on top of the script
var_dump(Imagick::getresourcelimit(Imagick::RESOURCETYPE_TIME));
Show default limit is -1 (illimited ?)
But Adding
Imagick::setresourcelimit(Imagick::RESOURCETYPE_TIME, -1);
Or any value != 0 make the test pass. So it seems the default value is not honoured... but forcing it make it ok.
Very strange. BTW, wouldn't it make sense to set this limit in the RINIT function ?
Setting time resource in RINIT doesn't really helps :(
PHP_RINIT_FUNCTION(imagick)
{
im_long time;
IMAGICK_G(progress_callback) = NULL;
time = INI_INT("max_execution_time");
if (time <= 0) {
time = -1;
}
MagickSetResourceLimit(TimeResource, time);
return SUCCESS;
}
Even more strange...
$ while true; do sh tests/264_ImagickDraw_getTextDirection_basic.sh ; done
Ok
Ok
php: time limit exceeded `Operation canceled' @ fatal/cache.c/GetImagePixelCache/1885.
php: time limit exceeded `Operation canceled' @ fatal/cache.c/GetImagePixelCache/1885.
Ok
php: time limit exceeded `Operation canceled' @ fatal/cache.c/GetImagePixelCache/1885.
php: time limit exceeded `Operation canceled' @ fatal/cache.c/GetImagePixelCache/1885.
php: time limit exceeded `Operation canceled' @ fatal/cache.c/GetImagePixelCache/1885.
php: time limit exceeded `Operation canceled' @ fatal/cache.c/GetImagePixelCache/1885.
php: time limit exceeded `Operation canceled' @ fatal/cache.c/GetImagePixelCache/1885.
php: time limit exceeded `Operation canceled' @ fatal/cache.c/GetImagePixelCache/1885.
Ok
Ok
Ok
Ok
Ok
Ok
php: time limit exceeded `Operation canceled' @ fatal/cache.c/GetImagePixelCache/1885.
php: time limit exceeded `Operation canceled' @ fatal/cache.c/GetImagePixelCache/1885.
php: time limit exceeded `Operation canceled' @ fatal/cache.c/GetImagePixelCache/1885.
Ok
Ok
Ok
Ok
php: time limit exceeded `Operation canceled' @ fatal/cache.c/GetImagePixelCache/1885.
php: time limit exceeded `Operation canceled' @ fatal/cache.c/GetImagePixelCache/1885.
php: time limit exceeded `Operation canceled' @ fatal/cache.c/GetImagePixelCache/1885.
php: time limit exceeded `Operation canceled' @ fatal/cache.c/GetImagePixelCache/1885.
Ok
Its difficult for us to debug. If you can reproduce the problem with the ImageMagick command line or one of the supported API's such as MagickWand, we can be more helpful. The time limit is fairly straightforward. By default its ignored. If you set a time limit policy in policy.xml or call MagickSetResourceLimit() with a time limit, ImageMagick periodically checks the run time against the time limit and if its exceeds the limit it throws an exception and exits. We're not sure how its done in IMagick but from the command line you can view the current policy settings, including any time limit with this command: convert -list resource. Here we set a time lime and review the setting:
-> convert -limit time 10 -list resource
Resource limits:
Width: 107.4MP
Height: 107.4MP
Area: 50.541GB
Memory: 23.535GiB
Map: 47.07GiB
Disk: unlimited
File: 768
Thread: 8
Throttle: 0
Time: 10
@remicollet Just in case I need it, please could you post the policy.xml file that ImageMagick is using on your system?
I think this is the default one
$ cat /etc/ImageMagick-6/policy.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policymap [
<!ELEMENT policymap (policy)+>
<!ELEMENT policy (#PCDATA)>
<!ATTLIST policy domain (delegate|coder|filter|path|resource) #IMPLIED>
<!ATTLIST policy name CDATA #IMPLIED>
<!ATTLIST policy rights CDATA #IMPLIED>
<!ATTLIST policy pattern CDATA #IMPLIED>
<!ATTLIST policy value CDATA #IMPLIED>
]>
<!--
Configure ImageMagick policies.
Domains include system, delegate, coder, filter, path, or resource.
Rights include none, read, write, and execute. Use | to combine them,
for example: "read | write" to permit read from, or write to, a path.
Use a glob expression as a pattern.
Suppose we do not want users to process MPEG video images:
<policy domain="delegate" rights="none" pattern="mpeg:decode" />
Here we do not want users reading images from HTTP:
<policy domain="coder" rights="none" pattern="HTTP" />
Lets prevent users from executing any image filters:
<policy domain="filter" rights="none" pattern="*" />
The /repository file system is restricted to read only. We use a glob
expression to match all paths that start with /repository:
<policy domain="path" rights="read" pattern="/repository/*" />
Let's prevent possible exploits by removing the right to use indirect reads.
<policy domain="path" rights="none" pattern="@*" />
Any large image is cached to disk rather than memory:
<policy domain="resource" name="area" value="1GB"/>
Define arguments for the memory, map, area, width, height, and disk resources
with SI prefixes (.e.g 100MB). In addition, resource policies are maximums
for each instance of ImageMagick (e.g. policy memory limit 1GB, -limit 2GB
exceeds policy maximum so memory limit is 1GB).
-->
<policymap>
<!-- <policy domain="resource" name="temporary-path" value="/tmp"/> -->
<!-- <policy domain="resource" name="memory" value="2GiB"/> -->
<!-- <policy domain="resource" name="map" value="4GiB"/> -->
<!-- <policy domain="resource" name="width" value="10MP"/> -->
<!-- <policy domain="resource" name="height" value="10MP"/> -->
<!-- <policy domain="resource" name="area" value="1GB"/> -->
<!-- <policy domain="resource" name="disk" value="16EB"/> -->
<!-- <policy domain="resource" name="file" value="768"/> -->
<!-- <policy domain="resource" name="thread" value="4"/> -->
<!-- <policy domain="resource" name="throttle" value="0"/> -->
<!-- <policy domain="resource" name="time" value="3600"/> -->
<!-- <policy domain="system" name="precision" value="6"/> -->
<!-- <policy domain="coder" rights="none" pattern="MVG" /> -->
<!-- <policy domain="delegate" rights="none" pattern="HTTPS" /> -->
<!-- <policy domain="path" rights="none" pattern="|*"/> -->
<policy domain="path" rights="none" pattern="@*"/> <!-- indirect reads not permitted -->
<policy domain="cache" name="shared-secret" value="passphrase" stealth="true"/>
</policymap>
Hi Remi - I can't reproduce your issue on Centos 6.4.
Can you specify an OS, (or maybe a vagrant box file) that you think the error should be visible under?
cheers Dan
In case it matters - this is how I'm configuring ImageMagick:
./configure --with-quantum-depth=16 \
--with-magick-plus-plus=no \
--without-perl \
--disable-static \
--exec-prefix=/usr/sbin \
--disable-docs \
--disable-openmp
The configure command used for RPM build is a bit more complex and includes various security options.
+ CFLAGS='-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic'
+ export CFLAGS
+ CXXFLAGS='-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic'
+ export CXXFLAGS
+ FFLAGS='-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -I/usr/lib64/gfortran/modules'
+ export FFLAGS
+ FCFLAGS='-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -I/usr/lib64/gfortran/modules'
+ export FCFLAGS
+ LDFLAGS='-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld'
+ export LDFLAGS
+ ./configure --build=x86_64-redhat-linux-gnu --host=x86_64-redhat-linux-gnu --program-prefix= --disable-dependency-tracking --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib64 --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/var/lib --mandir=/usr/share/man --infodir=/usr/share/info --enable-shared --disable-static --disable-silent-rules --with-modules --with-perl --with-x --with-threads --with-magick_plus_plus --with-gslib --with-wmf --with-lcms --with-openexr --with-rsvg --with-xml --with-webp --with-jbig --with-openjp2 --with-gvc '--with-perl-options=INSTALLDIRS=vendor CC='\''gcc -L/dev/shm/BUILD/ImageMagick-6.9.4-8/magick/.libs'\'' LDDLFLAGS='\''-shared -L/dev/shm/BUILD/ImageMagick-6.9.4-8/magick/.libs'\''' --without-dps --without-gcc-arch
Indeed, test suite pass on RHEL/CentOS 6.8 Issue only affects more recent distro, Fedora and RHEL/CentOS 7.2
So, "Works for me"™.
I'm travelling today/tomorrow. Will try to look tomorrow evening.
@Danack I have open a PR which fix this issue "for me"
This appears to be 'resolved'?
I'll close it after I add a note somewhere about those versions affected not being good ones to use.
Yes, solved, since my PR was merged (not yet released)
I'm going to close this - I never got round to adding a note, but it's been a year so probably not as important now.
imagick 3.4.3RC1 . PHP 7.0.8RC1
PHP 5.6.22