PHP :: Bug #40545 :: zend_strtod.c threading issue

Bug #40545	zend_strtod.c threading issue
Submitted:	2007-02-19 17:53 UTC	Modified:	2007-02-20 13:26 UTC
From:	scottmacvicar at ntlworld dot com	Assigned:
Status:	Closed	Package:	Reproducible crash
PHP Version:	5.2.1	OS:	RHEL 4
Private report:	No	CVE-ID:	None

View Developer Edit

[2007-02-19 17:53 UTC] scottmacvicar at ntlworld dot com

Description:
------------
Recently upgraded to PHP 5.2.1 from PHP 5.1.6 and we started to see a series of crashes every few hundred thousand requests, couldn't isolate this to a specific section of code so I think its a concurrency problem.

I managed to catch a core file from the past few and in each case the backtrace revealed that the problem is zend_strod. This is just an excerpt the rest of the backtrace are just apache internals.

Thread 27 (process 14353):
#0  0x008b07a2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
No symbol table info available.
#1  0x0013bc46 in kill () from /lib/tls/libc.so.6
No symbol table info available.
#2  0x0807e90d in sig_coredump (sig=14332) at mpm_common.c:1170
No locals.
#3  <signal handler called>
No symbol table info available.
#4  Balloc (k=1953067823) at /www/src/php-5.2.1/Zend/zend_strtod.c:460
        x = Variable "x" is not available. 

We're seeing this problem on both of our web servers, I can recompile one of the boxes in debug mode if that would help.

The only change I can see of recent was a reimplementation of the code to a BSD license.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2007-02-19 18:14 UTC] tony2001@php.net

We still need to know how to reproduce it, otherwise it's hardly a "**Reproducible** crash".

[2007-02-19 18:21 UTC] scottmacvicar at ntlworld dot com

I've been unable to track it down specifically, its happening across a larger number of scripts, the only thing I can see in common between them all is a large number of unserialize calls during the script startup.

I've compiled PHP into debug mode now and I'll leave it running overnight to try and obtain a more detailed backtrace.

[2007-02-19 18:24 UTC] tony2001@php.net

Ok.

[2007-02-19 18:51 UTC] scottmacvicar at ntlworld dot com

The backtrace was too large to paste, the trace from the thread in question is at.

http://public.vbulletin.com/bugs/php/bug40545-bt.txt

It does appear to be an unserialize call thats causing the crash.

[2007-02-19 19:20 UTC] tony2001@php.net

That's ok, but how to reproduce it?

[2007-02-19 20:21 UTC] scottmacvicar at ntlworld dot com

Source of a simple script at http://public.vbulletin.com/bugs/php/bug40545.phps

You can grab the text file from the same folder.

I then ran:
ab -c 30 -n 10000 http://localhost/~scott/bug40545.php

Segfaults within a few hundred requests.

Apache 2.2.4 with keep alive disabled and PHP 5.2.1

It's a development box and not a production box so I can change more or less anything if you need anything else tested.

[2007-02-19 20:24 UTC] tony2001@php.net

'./datastore.txt' ?
Looks like you forgot to provide this file.

[2007-02-19 20:29 UTC] scottmacvicar at ntlworld dot com

As I said its in the same folder.

http://public.vbulletin.com/bugs/php/datastore.txt

[2007-02-20 11:35 UTC] tony2001@php.net

What kind of MPM are you using?
I assume it's worker?

[2007-02-20 11:46 UTC] scottmacvicar at ntlworld dot com

That's correct, configure string for apache is the following:

./configure --with-included-apr --enable-so --enable-info --enable-rewrite --enable-speling --enable-deflate --enable-ssl --enable-mime-magic --with-mpm=worker

[2007-02-20 12:02 UTC] tony2001@php.net

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

Ok, found and fixed.
Special thanks for the great reproduce case.

[2007-02-20 13:14 UTC] scottmacvicar at ntlworld dot com

Applied the patch to our production servers and I'll leave it running overnight again and check tomorrow morning.

I have however seen another core dump in _zend_mm_alloc_int but I'll hold back on reporting it for the moment.

[2007-02-20 13:26 UTC] tony2001@php.net

Thanks. Feel free to reopen the report if you find something.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Tue Mar 04 06:01:27 2025 UTC