Bug #29996 segmentation fault since final release of PHP5
Submitted: 2004-09-06 11:32 UTC Modified: 2007-09-03 10:56 UTC
Votes:6
Avg. Score:4.3 ± 0.9
Reproduced:4 of 4 (100.0%)
Same Version:3 (75.0%)
Same OS:3 (75.0%)
From: thomas dot hebinck at digionline dot de Assigned: andi (profile)
Status: Closed Package: Reproducible crash
PHP Version: 5.0.3RC1 OS: Linux Debian Woody
Private report: No CVE-ID: None
 [2004-09-06 11:32 UTC] thomas dot hebinck at digionline dot de
Description:
------------
Hi,

there is some strange error in the release version of PHP5:
I use a massive amount of objects and in some scripts, I get a segmentation fault after the whole script run.
This results in a missing end of the output (since PHP is called from within apache).
I tried 5.0.0, 5.0.1 and 5.1-dev from yesterday.
I switched back to 5.0.0RC3 and everything is fine again.

I know, this will be "useless" as a bug report, but maybe others have the same problem.
And then at least it is a hint, when the bug went into the source code.

Bye,
Thomas.

---

sh ./configure \
        --disable-ipv6 \
        --with-apxs=/usr/local/apache1/bin/apxs \
        --prefix=/usr/local/apache1/php \
        --with-config-file-path=/usr/local/apache1/php \
        --disable-all \
        --with-ldap \
        --with-pgsql=/usr/local/pgsql \
        --with-gmp \
        --enable-xml \
        --enable-libxml \
        --with-pcre-regex \
        --with-imap=/usr/src/imap-2004a \
        --without-imap-ssl \


Reproduce code:
---------------
sorry - I cannot reproduce the bug with only a few lines of code.

Expected result:
----------------
;-)

Actual result:
--------------
[Sun Sep  5 15:59:54 2004] [notice] Apache/1.3.31 (Unix) PHP/5.0.0 configured -- resuming normal operations
[Sun Sep  5 15:59:54 2004] [notice] Accept mutex: sysvsem (Default: sysvsem)
[Sun Sep  5 16:00:01 2004] [notice] child pid 30806 exit signal Segmentation fault (11)
[Sun Sep  5 16:00:21 2004] [notice] child pid 30818 exit signal Segmentation fault (11)
[Sun Sep  5 16:00:21 2004] [notice] child pid 30817 exit signal Segmentation fault (11)
[Sun Sep  5 16:00:21 2004] [notice] child pid 30805 exit signal Segmentation fault (11)
[Sun Sep  5 16:00:22 2004] [notice] child pid 30847 exit signal Segmentation fault (11)
[Sun Sep  5 16:00:22 2004] [notice] child pid 30846 exit signal Segmentation fault (11)
[Sun Sep  5 16:00:22 2004] [notice] child pid 30839 exit signal Segmentation fault (11)
[Sun Sep  5 16:00:22 2004] [notice] child pid 30803 exit signal Segmentation fault (11)


 [2004-09-06 12:12 UTC] thomas dot hebinck at digionline dot de
I know, this is far too little information to fix anything.
When I add --with-debug, it seems that everything breaks much earlier - even scripts that work normally don't work any more.

Bye,
Thomas.

ww3-dev:/# gdb /usr/local/apache1/bin/httpd
gdb: Symbol `emacs_ctlx_keymap' has different size in shared object, consider re-linking
GNU gdb 2002-04-01-cvs
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-linux"...(no debugging symbols found)...
(gdb) run -X
Starting program: /usr/local/apache1/bin/httpd -X
(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...[New Thread 1024 (LWP 12399)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1024 (LWP 12399)]
0x400d8bb8 in free () from /lib/libc.so.6
(gdb) bt
#0  0x400d8bb8 in free () from /lib/libc.so.6
#1  0x400d8aa3 in free () from /lib/libc.so.6
#2  0x402f5001 in zend_hash_del_key_or_index (ht=0x816b16c, arKey=0x824582c "p_parent", nKeyLength=9, h=755180190, flag=0) at /usr/src/php-5.0.1/Zend/zend_hash.c:495
#3  0x40302ccb in zend_std_unset_property (object=0xbfffeb80, member=0x814d7f4) at /usr/src/php-5.0.1/Zend/zend_object_handlers.c:506
#4  0x40317b52 in zend_unset_dim_obj_handler (execute_data=0xbfffe800, opline=0x814d7c4, op_array=0x81431e4) at /usr/src/php-5.0.1/Zend/zend_execute.c:3662
#5  0x403116f9 in execute (op_array=0x81431e4) at /usr/src/php-5.0.1/Zend/zend_execute.c:1400
#6  0x403153ff in zend_do_fcall_common_helper (execute_data=0xbfffe920, opline=0x8239da4, op_array=0x823b03c) at /usr/src/php-5.0.1/Zend/zend_execute.c:2737
#7  0x403158d0 in zend_do_fcall_by_name_handler (execute_data=0xbfffe920, opline=0x8239da4, op_array=0x823b03c) at /usr/src/php-5.0.1/Zend/zend_execute.c:2822
#8  0x403116f9 in execute (op_array=0x823b03c) at /usr/src/php-5.0.1/Zend/zend_execute.c:1400
#9  0x402e0cc4 in zend_call_function (fci=0xbfffead0, fci_cache=0xbfffea90) at /usr/src/php-5.0.1/Zend/zend_execute_API.c:835
#10 0x402fecee in zend_call_method (object_pp=0xbfffeb7c, obj_ce=0x81db894, fn_proxy=0x0, function_name=0x403a4957 "__destruct", function_name_len=10, retval_ptr_ptr=0x0, param_count=0, arg1=0x0,
    arg2=0x0) at /usr/src/php-5.0.1/Zend/zend_interfaces.c:79
#11 0x40301c9f in zend_objects_destroy_object (object=0x81d9774, handle=5) at /usr/src/php-5.0.1/Zend/zend_objects.c:78
#12 0x40304282 in zend_objects_store_call_destructors (objects=0x4040b6a4) at /usr/src/php-5.0.1/Zend/zend_objects_API.c:54
#13 0x402decf2 in shutdown_executor () at /usr/src/php-5.0.1/Zend/zend_execute_API.c:209
#14 0x402eceed in zend_deactivate () at /usr/src/php-5.0.1/Zend/zend.c:819
#15 0x402a5ca7 in php_request_shutdown (dummy=0x0) at /usr/src/php-5.0.1/main/main.c:1212
#16 0x4031d858 in apache_php_module_main (r=0x811b734, display_source_mode=0) at /usr/src/php-5.0.1/sapi/apache/sapi_apache.c:60
#17 0x4031e782 in send_php (r=0x811b734, display_source_mode=0, filename=0x811c254 "/SPACE/ww3-dev/www/ww3ee/8.php") at /usr/src/php-5.0.1/sapi/apache/mod_php5.c:622
#18 0x4031e7f1 in send_parsed_php (r=0x811b734) at /usr/src/php-5.0.1/sapi/apache/mod_php5.c:637
#19 0x08058307 in ap_invoke_handler ()
#20 0x0806d39f in process_request_internal ()
#21 0x0806d400 in ap_process_request ()
#22 0x08064439 in child_main ()
#23 0x080645e4 in make_child ()
#24 0x0806474c in startup_children ()
#25 0x08064e42 in standalone_main ()
#26 0x0806568a in main ()
#27 0x4008314f in __libc_start_main () from /lib/libc.so.6
(gdb)
 [2004-09-06 15:18 UTC] tony2001@php.net
What's in /SPACE/ww3-dev/www/ww3ee/8.php ?
Are you able to reproduce it with this script?
 [2004-09-06 15:24 UTC] thomas dot hebinck at digionline dot de
there are tons of includes in there ... a few thousand lines of code ...
 [2004-09-27 13:22 UTC] thomas dot hebinck at digionline dot de
Hi,

still the same problem in 5.0.2

Sincerely,
Thomas Hebinck

--

ww3-dev:/usr/src/php-5.0.2# gdb /usr/local/apache1/bin/httpd
gdb: Symbol `emacs_ctlx_keymap' has different size in shared object, consider re-linking
GNU gdb 2002-04-01-cvs
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-linux"...(no debugging symbols found)...
(gdb) run -X
Starting program: /usr/local/apache1/bin/httpd -X
(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...[New Thread 1024 (LWP 18002)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1024 (LWP 18002)]
0x400d8bb8 in free () from /lib/libc.so.6
(gdb) bt
#0  0x400d8bb8 in free () from /lib/libc.so.6
#1  0x400d8aa3 in free () from /lib/libc.so.6
#2  0x402f6315 in zend_hash_del_key_or_index (ht=0x81ffd14, arKey=0x8249e5c "p_parent", nKeyLength=9, h=755180190, flag=0)
    at /usr/src/php-5.0.2/Zend/zend_hash.c:495
#3  0x40304173 in zend_std_unset_property (object=0xbfffeb70, member=0x815646c) at /usr/src/php-5.0.2/Zend/zend_object_handlers.c:506
#4  0x4031911a in zend_unset_dim_obj_handler (execute_data=0xbfffe810, opline=0x815643c, op_array=0x8144f54) at /usr/src/php-5.0.2/Zend/zend_execute.c:3665
#5  0x40312cc1 in execute (op_array=0x8144f54) at /usr/src/php-5.0.2/Zend/zend_execute.c:1400
#6  0x403169c7 in zend_do_fcall_common_helper (execute_data=0xbfffe910, opline=0x823e3d4, op_array=0x823f66c) at /usr/src/php-5.0.2/Zend/zend_execute.c:2740
#7  0x40316e98 in zend_do_fcall_by_name_handler (execute_data=0xbfffe910, opline=0x823e3d4, op_array=0x823f66c) at /usr/src/php-5.0.2/Zend/zend_execute.c:2825
#8  0x40312cc1 in execute (op_array=0x823f66c) at /usr/src/php-5.0.2/Zend/zend_execute.c:1400
#9  0x402e16dc in zend_call_function (fci=0xbfffeac0, fci_cache=0xbfffea80) at /usr/src/php-5.0.2/Zend/zend_execute_API.c:838
#10 0x40300172 in zend_call_method (object_pp=0xbfffeb6c, obj_ce=0x81df1ec, fn_proxy=0x0, function_name=0x403a6397 "__destruct", function_name_len=10,
    retval_ptr_ptr=0x0, param_count=0, arg1=0x0, arg2=0x0) at /usr/src/php-5.0.2/Zend/zend_interfaces.c:79
#11 0x40303123 in zend_objects_destroy_object (object=0x81dd0cc, handle=5) at /usr/src/php-5.0.2/Zend/zend_objects.c:78
#12 0x4030572a in zend_objects_store_call_destructors (objects=0x4040c404) at /usr/src/php-5.0.2/Zend/zend_objects_API.c:54
#13 0x402df6ee in shutdown_executor () at /usr/src/php-5.0.2/Zend/zend_execute_API.c:209
#14 0x402edcb5 in zend_deactivate () at /usr/src/php-5.0.2/Zend/zend.c:818
#15 0x402a664b in php_request_shutdown (dummy=0x0) at /usr/src/php-5.0.2/main/main.c:1212
#16 0x4031ee3c in apache_php_module_main (r=0x811b8bc, display_source_mode=0) at /usr/src/php-5.0.2/sapi/apache/sapi_apache.c:60
#17 0x4031fd66 in send_php (r=0x811b8bc, display_source_mode=0, filename=0x811c3dc "/SPACE/ww3-dev/www/ww3ee/8.php")
    at /usr/src/php-5.0.2/sapi/apache/mod_php5.c:622
#18 0x4031fdd5 in send_parsed_php (r=0x811b8bc) at /usr/src/php-5.0.2/sapi/apache/mod_php5.c:637
#19 0x08058307 in ap_invoke_handler ()
#20 0x0806d39f in process_request_internal ()
#21 0x0806d400 in ap_process_request ()
#22 0x08064439 in child_main ()
#23 0x080645e4 in make_child ()
#24 0x0806474c in startup_children ()
#25 0x08064e42 in standalone_main ()
#26 0x0806568a in main ()
#27 0x4008314f in __libc_start_main () from /lib/libc.so.6
(gdb)
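Added example (not part of the original report or of PHP's own tooling): the 5.0.1 and 5.0.2 backtraces posted above can be compared mechanically by reducing each to its function-name chain and ignoring addresses, argument values and source paths. The `crash_signature` helper, its `skip` list of allocator frames and the 16-hex-digit bucket id are assumptions of this example; `BT_501` and `BT_502` are excerpted from the two traces, and `BT_OTHER` is constructed.

```python
import hashlib
import re

# gdb "bt" frame: "#N  [0xADDR in ]function (args) [at file:line | from lib]"
FRAME_RE = re.compile(r"^#(\d+)\s+(?:0x[0-9a-fA-F]+ in )?([A-Za-z_]\w*) \(")

def parse_frames(bt_text):
    """Return function names in frame order; wrapped continuation lines
    (e.g. '    at /usr/src/...') do not start with '#N' and are skipped."""
    return [m.group(2) for line in bt_text.splitlines()
            if (m := FRAME_RE.match(line.strip()))]

def crash_signature(bt_text, depth=8, skip=("free", "malloc", "abort")):
    """Bucket a crash by its top `depth` non-allocator frames (assumed
    skip list). Addresses, argument values and paths are ignored because
    they change with every build."""
    names = [f for f in parse_frames(bt_text) if f not in skip][:depth]
    bucket = hashlib.sha256("|".join(names).encode()).hexdigest()[:16]
    return names, bucket

# Frames #0-#4 excerpted from the 5.0.1 and 5.0.2 traces in this report.
BT_501 = """\
#0  0x400d8bb8 in free () from /lib/libc.so.6
#1  0x400d8aa3 in free () from /lib/libc.so.6
#2  0x402f5001 in zend_hash_del_key_or_index (ht=0x816b16c, arKey=0x824582c "p_parent", nKeyLength=9, h=755180190, flag=0) at /usr/src/php-5.0.1/Zend/zend_hash.c:495
#3  0x40302ccb in zend_std_unset_property (object=0xbfffeb80, member=0x814d7f4) at /usr/src/php-5.0.1/Zend/zend_object_handlers.c:506
#4  0x40317b52 in zend_unset_dim_obj_handler (execute_data=0xbfffe800, opline=0x814d7c4, op_array=0x81431e4) at /usr/src/php-5.0.1/Zend/zend_execute.c:3662
"""
BT_502 = """\
#0  0x400d8bb8 in free () from /lib/libc.so.6
#1  0x400d8aa3 in free () from /lib/libc.so.6
#2  0x402f6315 in zend_hash_del_key_or_index (ht=0x81ffd14, arKey=0x8249e5c "p_parent", nKeyLength=9, h=755180190, flag=0)
    at /usr/src/php-5.0.2/Zend/zend_hash.c:495
#3  0x40304173 in zend_std_unset_property (object=0xbfffeb70, member=0x815646c) at /usr/src/php-5.0.2/Zend/zend_object_handlers.c:506
#4  0x4031911a in zend_unset_dim_obj_handler (execute_data=0xbfffe810, opline=0x815643c, op_array=0x8144f54) at /usr/src/php-5.0.2/Zend/zend_execute.c:3665
"""
# Constructed trace: a different fault path, to show buckets diverge.
BT_OTHER = """\
#0  0x400d8bb8 in free () from /lib/libc.so.6
#1  0x40000000 in example_other_function (p=0x0) at example.c:1
"""

if __name__ == "__main__":
    for label, bt in (("5.0.1", BT_501), ("5.0.2", BT_502), ("other", BT_OTHER)):
        names, bucket = crash_signature(bt)
        print(label, bucket, " <- ".join(names))
```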
 [2004-09-27 18:08 UTC] andi@php.net
It's really impossible to look into this without further information.
Either try and cut it down (might take you some time) or at least try and run valgrind (http://valgrind.kde.org/) on the script and see if there's any information which might point us in the right direction.
 [2004-10-05 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 [2004-12-01 15:54 UTC] thomas dot hebinck at digionline dot de
Hi,

still the same problem in 5.0.3RC1

Sincerely,
Thomas Hebinck
 [2004-12-01 16:03 UTC] tony2001@php.net
You didn't provide a reproduce script. I doubt we'll be able to reproduce and fix the bug without it.
 [2004-12-06 21:01 UTC] jost2345 at yahoo dot de
#13 0x402df6ee in shutdown_executor () at
/usr/src/php-5.0.2/Zend/zend_execute_API.c:209
#14 0x402edcb5 in zend_deactivate () at
/usr/src/php-5.0.2/Zend/zend.c:818
#15 0x402a664b in php_request_shutdown (dummy=0x0) at


We have experienced the same problem.  A description and a preliminary fix are here:
-> http://cvs.sourceforge.net/viewcvs.py/php-java-bridge/php-java-bridge/php5-crash-in-evaluator-shutdown_workaround.patch?view=markup
 [2004-12-07 17:24 UTC] thomas dot hebinck at digionline dot de
Hi,

I applied the patch - but it doesn't work for me.

Now I get:
/usr/src/php-5.0.3RC1/Zend/zend_hash.c(636) : ht=0x40412370 is already destroyed
[Tue Dec  7 17:21:10 2004] [notice] child pid 21964 exit signal Segmentation fault (11)

But - thanks! :-)

Bye,
Thomas.
 [2004-12-08 18:23 UTC] wez@php.net
Andi, this looks like a reasonable patch (caveat emptor: I didn't look very hard), and is cleaner than my suggestion for commenting out the dlunload call that I mentioned a couple of times now.
Would be great if we can resolve this soon.
 [2004-12-11 00:16 UTC] andi@php.net
I took a look at this bug report but honestly there's not enough here for me to actually understand where the problem is. More info would be appreciated. Maybe a valgrind trace of ./httpd -X?
 [2004-12-11 00:21 UTC] andi@php.net
One more question. Is this a script which uses dl()?

 [2004-12-19 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 [2007-09-03 10:56 UTC] thomas dot hebinck at digionline dot de
Closed since 5.0.5
 