Bug #13095 Deadlock in mod_mm (garbage collection)
Submitted: 2001-09-02 13:54 UTC Modified: 2001-12-10 10:06 UTC
From: csaout at w-commerce dot de Assigned:
Status: Closed Package: Session related
PHP Version: 4.0.6 OS: Linux 2.4.4 (i686)
Private report: No CVE-ID: None
 [2001-09-02 13:54 UTC] csaout at w-commerce dot de
Symptom: httpd eats 100% CPU and locks up all other httpds trying to access session data (due to lock_mm)

Reproducible with a script that invokes hundreds (~600) of sessions (while true; do lynx --source ...)

Hash collision problem?

/* should be a prime */
#define HASH_SIZE 577

./configure --with-apxs=/usr/sbin/apxs --with-openssl --enable-sigchild --with-bz2 --with-zlib --enable-dbase --with-dom --enable-ftp --with-gd --with-gettext --with-gmp --with-java=/usr/local/jdk1.3 --with-mcrypt --with-mhash --with-mysql=/usr --with-unixODBC --with-sablot --with-mm --enable-shmop --enable-sockets --enable-sysvsem --enable-sysvshm --enable-wddx --enable-inline-optimization

#0  0x40446cce in ps_gc_mm () at mod_mm.c:205
#1  0x40444475 in php_session_start () at session.c:892
#2  0x4044596c in php_if_session_start () at session.c:1156
#3  0x407d4f84 in zend_reverse_table () from /usr/lib/apache/ZendOptimizer.so
#4  0x407dcb35 in zend_reverse_table () from /usr/lib/apache/ZendOptimizer.so
#5  0x407dcb35 in zend_reverse_table () from /usr/lib/apache/ZendOptimizer.so
#6  0x407e001d in zend_oe () from /usr/lib/apache/ZendOptimizer.so
#7  0x403de60e in zend_execute_scripts () at zend.c:259 
#8  0x403f1634 in php_execute_script () at main.c:1138
#9  0x403ed750 in apache_php_module_main () at sapi_apache.c:98
#10 0x403ee1f1 in send_php (r=0x81614fc, display_source_mode=0, filename=0x0) at mod_php4.c:536
#11 0x403ee233 in send_parsed_php (r=0x81614fc) at mod_php4.c:547
#12 0x8079529 in ap_invoke_handler ()
#13 0x808efbf in process_request_internal ()
#14 0x808f44a in ap_internal_redirect ()
#15 0x806443c in handle_dir ()
#16 0x8079529 in ap_invoke_handler ()
#17 0x808efbf in process_request_internal ()
#18 0x808f032 in ap_process_request ()
#19 0x8085b86 in child_main ()
#20 0x8085e2a in make_child ()
#21 0x8085ee6 in startup_children ()
#22 0x808656c in standalone_main ()
#23 0x8086dbc in main ()
#24 0x40126a8e in __libc_start_main () at ../sysdeps/generic/libc-start.c:93

Some common IP addresses in loop

0x40446cba in ps_gc_mm () at mod_mm.c:205
0x40446cbf in ps_gc_mm () at mod_mm.c:205
0x40446cce in ps_gc_mm () at mod_mm.c:205
0x40446cd0 in ps_gc_mm () at mod_mm.c:205  

for (h = 0; h < HASH_SIZE; h++)
    for (sd = data->hash[h]; sd; sd = next) {
        next = sd->next;
        ps_mm_debug("looking at %s\n", sd->key);
        if ((now - sd->ctime) > maxlifetime) {
            ps_sd_destroy(data, sd);
            *nrdels++;
        }
    }

What happens when the queue head/tail gets deleted with more than one entry? Seems to produce a deadlock here!

 [2001-12-10 10:06 UTC] sas@php.net
This and several other bugs in this part of the code have been fixed. Please try a snapshot (snaps.php.net) or wait for an upcoming release. Thanks for your detailed report.
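
The report asks what happens when a chain's head or tail is deleted during the GC sweep. The following C sketch is an added example, not code from mod_mm.c or from the reporter: it sweeps chained hash buckets with a pointer-to-link so head, middle and tail removals are one operation, and it refuses to walk a chain that loops back on itself, since such a chain would spin forever while the lock is held. The struct layout and the names sd_add, bucket_has_cycle and gc_sweep are hypothetical.

```c
#include <stdlib.h>
#include <time.h>

#define HASH_SIZE 577 /* prime, as in the report */

/* Hypothetical session entry; not the layout used by mod_mm.c. */
typedef struct sd { struct sd *next; time_t ctime; } sd_t;
typedef struct { sd_t *hash[HASH_SIZE]; } table_t;

/* Insert at bucket head; returns the new entry, or NULL on allocation failure. */
sd_t *sd_add(table_t *t, unsigned h, time_t ctime) {
    sd_t *sd = malloc(sizeof *sd);
    if (!sd) return NULL;
    sd->ctime = ctime;
    sd->next = t->hash[h % HASH_SIZE];
    t->hash[h % HASH_SIZE] = sd;
    return sd;
}

/* Floyd cycle check: returns 1 if the chain in bucket h loops back on
 * itself, which would make any sweep over it run forever. */
int bucket_has_cycle(const table_t *t, unsigned h) {
    const sd_t *slow = t->hash[h], *fast = t->hash[h];
    while (fast && fast->next) {
        slow = slow->next;
        fast = fast->next->next;
        if (slow == fast) return 1;
    }
    return 0;
}

/* Sweep expired entries. 'link' points at whichever pointer refers to the
 * current entry (the bucket slot or the predecessor's next field).
 * Returns -1 on a cyclic chain, else 0; *nrdels counts entries freed so far. */
int gc_sweep(table_t *t, time_t now, time_t maxlifetime, int *nrdels) {
    *nrdels = 0;
    for (unsigned h = 0; h < HASH_SIZE; h++) {
        if (bucket_has_cycle(t, h)) return -1;
        sd_t **link = &t->hash[h];
        while (*link) {
            sd_t *sd = *link;
            if ((now - sd->ctime) > maxlifetime) {
                *link = sd->next;  /* unlink before freeing */
                free(sd);
                (*nrdels)++;       /* *nrdels++ would advance the pointer instead */
            } else {
                link = &sd->next;
            }
        }
    }
    return 0;
}
```
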
 