php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #61728 PHP crash when calling ob_start in session_write
Submitted: 2012-04-13 19:24 UTC Modified: 2013-09-26 15:03 UTC
Votes:5
Avg. Score:4.2 ± 1.0
Reproduced:2 of 3 (66.7%)
Same Version:2 (100.0%)
Same OS:2 (100.0%)
From: frederik_php at vanrenterghem dot biz Assigned: laruence (profile)
Status: Closed Package: Reproducible crash
PHP Version: 5.4.0 OS: Linux Debian Wheezy
Private report: No CVE-ID: None
 [2012-04-13 19:24 UTC] frederik_php at vanrenterghem dot biz
Description:
------------
Hi,

I am running a friendica (friendica.com) instance on a bitfolk.com VPS with 480MB ram. As webserver I'm using nginx. I can cause the site to crash very easily by clicking around on some links.

I am using an up-to-date version of Debian Wheezy. All packages are installed from the standard repository.

I have attached a backtrace, which is the same with each crash.

It seems as if the error is linked with the facebook connector from friendica, as it crashes when I try to load the connector settings, or if I go to the network page, which contains statuses from all connected sites including facebook. https://github.com/friendica/friendica-addons/tree/master/facebook

Thanks in advance for helping find a solution!

Best regards,
Frederik


Actual result:
--------------
Reading symbols from /usr/sbin/php5-fpm...(no debugging symbols found)...done.
[New LWP 2801]

warning: Can't read pathname for load map: Input/output error.
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/i686/cmov/libthread_db.so.1".
Core was generated by `php-fpm: pool www                                         '.
Program terminated with signal 11, Segmentation fault.
#0  0x0832239d in zend_stack_push ()
(gdb) bt
#0  0x0832239d in zend_stack_push ()
#1  0x082d0e5c in php_output_handler_start ()
#2  0x082d337b in php_output_start_default ()
#3  0x0823953d in ?? ()
#4  0x083d2c31 in ?? ()
#5  0x0838e6d5 in execute ()
#6  0x08315e36 in zend_call_function ()
#7  0x083161b3 in call_user_function_ex ()
#8  0x08316228 in call_user_function ()
#9  0x081a67a0 in ?? ()
#10 0x081a69fe in ?? ()
#11 0x0819ecc4 in ?? ()
#12 0x0819ef55 in ?? ()
#13 0x0832b384 in ?? ()
#14 0x082bd905 in php_request_shutdown ()
#15 0x0806fd70 in ?? ()
#16 0xb6e6ce46 in __libc_start_main () from /lib/i386-linux-gnu/i686/cmov/libc.so.6
#17 0x08070875 in _start ()


Patches

bug61728.patch (last revision 2012-04-14 16:58 UTC by laruence@php.net)
bug61728.phpt (last revision 2012-04-14 16:57 UTC by laruence@php.net)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2012-04-13 19:26 UTC] frederik_php at vanrenterghem dot biz
corrected summary
 [2012-04-13 19:26 UTC] frederik_php at vanrenterghem dot biz
-Summary: php-fpm SIGSEV running friendica on nginx +Summary: php-fpm SIGSEGV running friendica on nginx
 [2012-04-14 02:50 UTC] aharvey@php.net
-Status: Open +Status: Feedback
 [2012-04-14 02:50 UTC] aharvey@php.net
Can you install the php5-dbg package and generate a new backtrace with debug 
symbols installed, please?
 [2012-04-14 07:15 UTC] frederik_php at vanrenterghem dot biz
-Status: Feedback +Status: Open
 [2012-04-14 07:15 UTC] frederik_php at vanrenterghem dot biz
Ok, here's the updated backtrace with the debugging package installed:

Reading symbols from /usr/sbin/php5-fpm...Reading symbols from /usr/lib/debug/usr/sbin/php5-fpm...done.
done.
[New LWP 8194]

warning: Can't read pathname for load map: Input/output error.
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/i686/cmov/libthread_db.so.1".

warning: the debug information found in "/usr/lib/debug//usr/lib/php5/20100525+lfs/mysql.so" does not match "/usr/lib/php5/20100525+lfs/mysql.so" (CRC mismatch).


warning: the debug information found in "/usr/lib/debug/usr/lib/php5/20100525+lfs/mysql.so" does not match "/usr/lib/php5/20100525+lfs/mysql.so" (CRC mismatch).


warning: the debug information found in "/usr/lib/debug//usr/lib/php5/20100525+lfs/mysqli.so" does not match "/usr/lib/php5/20100525+lfs/mysqli.so" (CRC mismatch).


warning: the debug information found in "/usr/lib/debug/usr/lib/php5/20100525+lfs/mysqli.so" does not match "/usr/lib/php5/20100525+lfs/mysqli.so" (CRC mismatch).


warning: the debug information found in "/usr/lib/debug//usr/lib/php5/20100525+lfs/pdo_mysql.so" does not match "/usr/lib/php5/20100525+lfs/pdo_mysql.so" (CRC mismatch).


warning: the debug information found in "/usr/lib/debug/usr/lib/php5/20100525+lfs/pdo_mysql.so" does not match "/usr/lib/php5/20100525+lfs/pdo_mysql.so" (CRC mismatch).

Core was generated by `php-fpm: pool www                                         '.
Program terminated with signal 11, Segmentation fault.
#0  0x0832239d in zend_stack_push (stack=<error reading variable: Unknown argument list address for `stack'.>, element=<error reading variable: Unknown argument list address for `element'.>, 
    size=<error reading variable: Unknown argument list address for `size'.>) at /build/buildd-php5_5.4.0-3-i386-2XGvJx/php5-5.4.0/Zend/zend_stack.c:42
42      /build/buildd-php5_5.4.0-3-i386-2XGvJx/php5-5.4.0/Zend/zend_stack.c: No such file or directory.
(gdb) bt
#0  0x0832239d in zend_stack_push (stack=<error reading variable: Unknown argument list address for `stack'.>, element=<error reading variable: Unknown argument list address for `element'.>, 
    size=<error reading variable: Unknown argument list address for `size'.>) at /build/buildd-php5_5.4.0-3-i386-2XGvJx/php5-5.4.0/Zend/zend_stack.c:42
#1  0x082d0e5c in php_output_handler_start (handler=0x82cf910) at /build/buildd-php5_5.4.0-3-i386-2XGvJx/php5-5.4.0/main/output.c:563
#2  0x082d337b in php_output_start_default () at /build/buildd-php5_5.4.0-3-i386-2XGvJx/php5-5.4.0/main/output.c:412
#3  0x0823953d in zif_print_r (ht=-1226425644, return_value=0x0, return_value_ptr=0x0, this_ptr=0x1, return_value_used=-1269958144) at /build/buildd-php5_5.4.0-3-i386-2XGvJx/php5-5.4.0/ext/standard/basic_functions.c:5485
#4  0x083d2c31 in zend_do_fcall_common_helper_SPEC (execute_data=0xb6e39450) at /build/buildd-php5_5.4.0-3-i386-2XGvJx/php5-5.4.0/Zend/zend_vm_execute.h:642
#5  0x0838e6d5 in execute (op_array=0x8315e36) at /build/buildd-php5_5.4.0-3-i386-2XGvJx/php5-5.4.0/Zend/zend_vm_execute.h:410
#6  0x08315e36 in zend_call_function (fci=0x7, fci_cache=0x878ff54) at /build/buildd-php5_5.4.0-3-i386-2XGvJx/php5-5.4.0/Zend/zend_execute_API.c:958
#7  0x083161b3 in call_user_function_ex (function_table=0xa04b450, object_pp=0x0, function_name=0xb6e5b010, retval_ptr_ptr=0xbfe4facc, param_count=<unknown type>, params=0xb6e50d20, no_separation=1, symbol_table=0x0)
    at /build/buildd-php5_5.4.0-3-i386-2XGvJx/php5-5.4.0/Zend/zend_execute_API.c:750
#8  0x08316228 in call_user_function (function_table=0x0, object_pp=0xb6e5b010, function_name=0xb6e619a0, retval_ptr=0x2, param_count=<unknown type>, params=0x6)
    at /build/buildd-php5_5.4.0-3-i386-2XGvJx/php5-5.4.0/Zend/zend_execute_API.c:723
#9  0x081a67a0 in ps_call_handler (func=0xb6e5b010, argc=2, argv=0x13b) at /build/buildd-php5_5.4.0-3-i386-2XGvJx/php5-5.4.0/ext/session/mod_user.c:53
#10 0x081a69fe in ps_write_user (mod_data=0x819ecc4, key=0x878c294 "", val=0xb6e5c048 "qm2ukkgs12n6ftusrqrihd9qo2", vallen=170073760) at /build/buildd-php5_5.4.0-3-i386-2XGvJx/php5-5.4.0/ext/session/mod_user.c:144
#11 0x0819ecc4 in php_session_flush () at /build/buildd-php5_5.4.0-3-i386-2XGvJx/php5-5.4.0/ext/session/session.c:489
#12 0x0819ef55 in zm_deactivate_session (type=137540484, module_number=1) at /build/buildd-php5_5.4.0-3-i386-2XGvJx/php5-5.4.0/ext/session/session.c:2145
#13 0x0832b384 in zend_deactivate_modules () at /build/buildd-php5_5.4.0-3-i386-2XGvJx/php5-5.4.0/Zend/zend_API.c:2325
#14 0x082bd905 in php_request_shutdown (dummy=0xa) at /build/buildd-php5_5.4.0-3-i386-2XGvJx/php5-5.4.0/main/main.c:1755
#15 0x0806fd70 in main (argc=3, argv=0xbfe521b4) at /build/buildd-php5_5.4.0-3-i386-2XGvJx/php5-5.4.0/sapi/fpm/fpm/fpm_main.c:1884
 [2012-04-14 15:13 UTC] frederik_php at vanrenterghem dot biz
I get the same error on apache2:

Core was generated by `/usr/sbin/apache2 -k start'.
Program terminated with signal 11, Segmentation fault.
#0  0xb5cf371d in zend_stack_push (stack=<error reading variable: Unknown argument list address for `stack'.>, element=<error reading variable: Unknown argument list address for `element'.>, 
    size=<error reading variable: Unknown argument list address for `size'.>) at /build/buildd-php5_5.4.1~rc1-1-i386-2yRNQU/php5-5.4.1~rc1/Zend/zend_stack.c:42
42      /build/buildd-php5_5.4.1~rc1-1-i386-2yRNQU/php5-5.4.1~rc1/Zend/zend_stack.c: No such file or directory.
(gdb) bt
#0  0xb5cf371d in zend_stack_push (stack=<error reading variable: Unknown argument list address for `stack'.>, element=<error reading variable: Unknown argument list address for `element'.>, 
    size=<error reading variable: Unknown argument list address for `size'.>) at /build/buildd-php5_5.4.1~rc1-1-i386-2yRNQU/php5-5.4.1~rc1/Zend/zend_stack.c:42
#1  0xb5ca1c1c in php_output_handler_start (handler=0xb5ca06d0) at /build/buildd-php5_5.4.1~rc1-1-i386-2yRNQU/php5-5.4.1~rc1/main/output.c:563
#2  0xb5ca413b in php_output_start_default () at /build/buildd-php5_5.4.1~rc1-1-i386-2yRNQU/php5-5.4.1~rc1/main/output.c:412
#3  0xb5c0a0dd in zif_print_r (ht=-1295141216, return_value=0x0, return_value_ptr=0x0, this_ptr=0x1, return_value_used=-1228621212) at /build/buildd-php5_5.4.1~rc1-1-i386-2yRNQU/php5-5.4.1~rc1/ext/standard/basic_functions.c:5496
#4  0xb5da40b1 in zend_do_fcall_common_helper_SPEC (execute_data=0xb6c1e908) at /build/buildd-php5_5.4.1~rc1-1-i386-2yRNQU/php5-5.4.1~rc1/Zend/zend_vm_execute.h:642
#5  0xb5d5fc75 in execute (op_array=0xb5ce70c6) at /build/buildd-php5_5.4.1~rc1-1-i386-2yRNQU/php5-5.4.1~rc1/Zend/zend_vm_execute.h:410
#6  0xb5ce70c6 in zend_call_function (fci=0x7, fci_cache=0xb61cc7c4) at /build/buildd-php5_5.4.1~rc1-1-i386-2yRNQU/php5-5.4.1~rc1/Zend/zend_execute_API.c:958
#7  0xb5ce7463 in call_user_function_ex (function_table=0xb82d57f8, object_pp=0x0, function_name=0xb2c89c18, retval_ptr_ptr=0xbfbeb81c, param_count=<unknown type>, params=0xb6c361a4, no_separation=1, symbol_table=0x0)
    at /build/buildd-php5_5.4.1~rc1-1-i386-2yRNQU/php5-5.4.1~rc1/Zend/zend_execute_API.c:750
#8  0xb5ce74d8 in call_user_function (function_table=0x0, object_pp=0xb2c89c18, function_name=0xb2d59274, retval_ptr=0x2, param_count=<unknown type>, params=0xb)
    at /build/buildd-php5_5.4.1~rc1-1-i386-2yRNQU/php5-5.4.1~rc1/Zend/zend_execute_API.c:723
#9  0xb5b76fa0 in ps_call_handler (func=0xb2c89c18, argc=2, argv=0x13b) at /build/buildd-php5_5.4.1~rc1-1-i386-2yRNQU/php5-5.4.1~rc1/ext/session/mod_user.c:53
#10 0xb5b771fe in ps_write_user (mod_data=0xb5b6f4e5, key=0xb61c8a94 "", val=0xb6c41214 "qm2ukkgs12n6ftusrqrihd9qo2", vallen=-1296104456) at /build/buildd-php5_5.4.1~rc1-1-i386-2yRNQU/php5-5.4.1~rc1/ext/session/mod_user.c:144
#11 0xb5b6f4e5 in php_session_flush () at /build/buildd-php5_5.4.1~rc1-1-i386-2yRNQU/php5-5.4.1~rc1/ext/session/session.c:489
#12 0xb5b703b5 in zm_deactivate_session (type=-1239763244, module_number=-1078019424) at /build/buildd-php5_5.4.1~rc1-1-i386-2yRNQU/php5-5.4.1~rc1/ext/session/session.c:2144
#13 0xb5cfc684 in zend_deactivate_modules () at /build/buildd-php5_5.4.1~rc1-1-i386-2yRNQU/php5-5.4.1~rc1/Zend/zend_API.c:2328
#14 0xb5c8e5d5 in php_request_shutdown (dummy=0xb630c838) at /build/buildd-php5_5.4.1~rc1-1-i386-2yRNQU/php5-5.4.1~rc1/main/main.c:1755
#15 0xb5da6824 in php_handler (r=0xb630f4c0) at /build/buildd-php5_5.4.1~rc1-1-i386-2yRNQU/php5-5.4.1~rc1/sapi/apache2handler/sapi_apache2.c:520
#16 0xb77945be in ap_run_handler (r=0xb630f4c0) at config.c:159
#17 0xb7794a36 in ap_invoke_handler (r=0xb630f4c0) at config.c:377
#18 0xb77a5efc in ap_internal_redirect (new_uri=0xb630f490 "/index.php?q=admin/plugins/facebook/&a=t", r=0xb631d058) at http_request.c:554
#19 0xb6c93d96 in handler_redirect (r=0xb631d058) at mod_rewrite.c:4860
#20 0xb77945be in ap_run_handler (r=0xb631d058) at config.c:159
#21 0xb7794a36 in ap_invoke_handler (r=0xb631d058) at config.c:377
#22 0xb77a6878 in ap_process_request (r=0xb631d058) at http_request.c:282
#23 0xb77a3350 in ap_process_http_connection (c=0xb6bb81f0) at http_core.c:190
#24 0xb779bbce in ap_run_process_connection (c=0xb6bb81f0) at connection.c:43
#25 0xb77ac125 in child_main (child_num_arg=<optimized out>) at prefork.c:667
#26 0xb77aca83 in make_child (slot=0, s=<optimized out>) at prefork.c:768
#27 make_child (s=<optimized out>, slot=0) at prefork.c:696
#28 0xb77acb5c in startup_children (number_to_start=5) at prefork.c:786
#29 0xb77ad730 in ap_mpm_run (_pconf=0xb7730018, plog=0xb747c018, s=0xb74aa880) at prefork.c:1007
#30 0xb777d5d2 in main (argc=3, argv=0xbfbec334) at main.c:755
 [2012-04-14 16:57 UTC] laruence@php.net
The following patch has been added/updated:

Patch Name: bug61728.phpt
Revision:   1334422666
URL:        https://bugs.php.net/patch-display.php?bug=61728&patch=bug61728.phpt&revision=1334422666
 [2012-04-14 16:58 UTC] laruence@php.net
The following patch has been added/updated:

Patch Name: bug61728.patch
Revision:   1334422683
URL:        https://bugs.php.net/patch-display.php?bug=61728&patch=bug61728.patch&revision=1334422683
 [2012-04-14 16:59 UTC] laruence@php.net
if you try to start a user output handler in session_write.  then it will crash. I 
have attach a simple reproduce script. 

and also made a simple fix.
 [2012-04-14 17:03 UTC] laruence@php.net
-Status: Open +Status: Verified
 [2012-04-14 17:16 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3b42f184cdcf512fdc1f944052bfa296f17a035f
Log: Fixed bug #61728 (php-fpm SIGSEGV running friendica on nginx)
 [2012-04-14 17:18 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3b42f184cdcf512fdc1f944052bfa296f17a035f
Log: Fixed bug #61728 (php-fpm SIGSEGV running friendica on nginx)
 [2012-04-14 17:21 UTC] laruence@php.net
-Assigned To: +Assigned To: laruence
 [2012-04-14 17:21 UTC] laruence@php.net
assign to me, since I have made a try to fix it. will close this after confirm 
that fix is okey.
 [2012-04-16 11:19 UTC] laruence@php.net
-Summary: php-fpm SIGSEGV running friendica on nginx +Summary: PHP crash when calling ob_start in session_write
 [2012-04-16 11:19 UTC] laruence@php.net
change the summary
 [2013-09-26 15:03 UTC] mike@php.net
-Status: Verified +Status: Closed
 [2013-09-26 15:03 UTC] mike@php.net
Thank you for your bug report. This issue has already been fixed
in the latest released version of PHP, which you can download at 
http://www.php.net/downloads.php


 [2014-10-07 23:26 UTC] stas@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=3b42f184cdcf512fdc1f944052bfa296f17a035f
Log: Fixed bug #61728 (php-fpm SIGSEGV running friendica on nginx)
 [2014-10-07 23:37 UTC] stas@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=3b42f184cdcf512fdc1f944052bfa296f17a035f
Log: Fixed bug #61728 (php-fpm SIGSEGV running friendica on nginx)
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Dec 22 06:01:30 2024 UTC