Bug #40545 zend_strtod.c threading issue
Submitted: 2007-02-19 17:53 UTC Modified: 2007-02-20 13:26 UTC
From: scottmacvicar at ntlworld dot com Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 5.2.1 OS: RHEL 4
Private report: No CVE-ID: None
 [2007-02-19 17:53 UTC] scottmacvicar at ntlworld dot com
Description:
------------
Recently upgraded to PHP 5.2.1 from PHP 5.1.6 and we started to see a series of crashes every few hundred thousand requests, couldn't isolate this to a specific section of code so I think it's a concurrency problem.

I managed to catch a core file from the past few and in each case the backtrace revealed that the problem is zend_strtod. This is just an excerpt; the rest of the backtrace is just Apache internals.

Thread 27 (process 14353):
#0  0x008b07a2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
No symbol table info available.
#1  0x0013bc46 in kill () from /lib/tls/libc.so.6
No symbol table info available.
#2  0x0807e90d in sig_coredump (sig=14332) at mpm_common.c:1170
No locals.
#3  <signal handler called>
No symbol table info available.
#4  Balloc (k=1953067823) at /www/src/php-5.2.1/Zend/zend_strtod.c:460
        x = Variable "x" is not available. 

We're seeing this problem on both of our web servers, I can recompile one of the boxes in debug mode if that would help.

The only change I can see of recent was a reimplementation of the code to a BSD license.


 [2007-02-19 18:14 UTC] tony2001@php.net
We still need to know how to reproduce it, otherwise it's hardly a "**Reproducible** crash".
 [2007-02-19 18:21 UTC] scottmacvicar at ntlworld dot com
I've been unable to track it down specifically, it's happening across a larger number of scripts, the only thing I can see in common between them all is a large number of unserialize calls during the script startup.

I've compiled PHP into debug mode now and I'll leave it running overnight to try and obtain a more detailed backtrace.
 [2007-02-19 18:24 UTC] tony2001@php.net
Ok.
 [2007-02-19 18:51 UTC] scottmacvicar at ntlworld dot com
The backtrace was too large to paste, the trace from the thread in question is at:

http://public.vbulletin.com/bugs/php/bug40545-bt.txt

It does appear to be an unserialize call that's causing the crash.
 [2007-02-19 19:20 UTC] tony2001@php.net
That's ok, but how to reproduce it?
 [2007-02-19 20:21 UTC] scottmacvicar at ntlworld dot com
Source of a simple script at http://public.vbulletin.com/bugs/php/bug40545.phps

You can grab the text file from the same folder.

I then ran:
ab -c 30 -n 10000 http://localhost/~scott/bug40545.php

Segfaults within a few hundred requests.

Apache 2.2.4 with keep alive disabled and PHP 5.2.1

It's a development box and not a production box so I can change more or less anything if you need anything else tested.
 [2007-02-19 20:24 UTC] tony2001@php.net
'./datastore.txt' ?
Looks like you forgot to provide this file.
 [2007-02-19 20:29 UTC] scottmacvicar at ntlworld dot com
As I said, it's in the same folder.

http://public.vbulletin.com/bugs/php/datastore.txt
 [2007-02-20 11:35 UTC] tony2001@php.net
What kind of MPM are you using?
I assume it's worker?
 [2007-02-20 11:46 UTC] scottmacvicar at ntlworld dot com
That's correct, configure string for apache is the following:

./configure --with-included-apr --enable-so --enable-info --enable-rewrite --enable-speling --enable-deflate --enable-ssl --enable-mime-magic --with-mpm=worker
 [2007-02-20 12:02 UTC] tony2001@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

Ok, found and fixed.
Special thanks for the great reproduce case.
 [2007-02-20 13:14 UTC] scottmacvicar at ntlworld dot com
Applied the patch to our production servers and I'll leave it running overnight again and check tomorrow morning.

I have however seen another core dump in _zend_mm_alloc_int but I'll hold back on reporting it for the moment.
 [2007-02-20 13:26 UTC] tony2001@php.net
Thanks. Feel free to reopen the report if you find something.
 