Bug #58721 Second script execution causes Apache process to exit with SIGSEGV
Submitted: 2009-06-13 10:13 UTC
Modified: 2009-10-05 12:09 UTC
From: vojtech at sazel dot cz
Assigned: crobin
Status: Closed
Package: spidermonkey (PECL)
PHP Version: 5_3 CVS-2009-06-13 (dev)
OS: Linux
Private report: No
CVE-ID: None
 [2009-06-13 10:13 UTC] vojtech at sazel dot cz
Description:
------------
Used SW:
* Apache 2.2.11 
* PHP Version 5.3.0RC4-dev, latest CVS snapshot, shared Apache module
* current SVN spidermonkey extension (rev 51)
* spidermonkey 1.7.0

Reproducing the error:
* running the code for the first time returns the correct result
* running the code for the second time causes SIGSEGV

I think that it is related to using PHP as a shared module.

Reproduce code:
---------------
<?php
function outFunc($x) {
	echo ($x."<br\>");
}

$code=<<<EOT
   var x;
   x=2;
   outFunc(x);
EOT;

$loJsEngine=new JSContext();
$loJsEngine->registerFunction('outFunc');
$loJsEngine->evaluateScript($code);

?>

Expected result:
----------------
2<br\>

Actual result:
--------------
0xb65c0325 in JS_DHashTableOperate (table=0x837d7b8, key=0x837d788, op=JS_DHASH_ADD) at jsdhash.c:536
536         JS_ASSERT(op == JS_DHASH_LOOKUP || RECURSION_LEVEL(table) == 0);

GDB backtrace:
#0  0xb65c0325 in JS_DHashTableOperate (table=0x837d7b8, key=0x837d788, op=JS_DHASH_ADD) at jsdhash.c:536
#1  0xb65e0667 in js_AddRootRT (rt=0x837d738, rp=0x837d788, name=0xb667f57c "res->input") at jsgc.c:787
#2  0xb65e0635 in js_AddRoot (cx=0x837d6e8, rp=0x837d788, name=0xb667f57c "res->input") at jsgc.c:753
#3  0xb663d556 in js_InitRegExpStatics (cx=0x837d6e8, res=0x837d788) at jsregexp.c:3584
#4  0xb65b5116 in js_NewContext (rt=0x837d738, stackChunkSize=8092) at jscntxt.c:242
#5  0xb65a60d0 in JS_NewContext (rt=0x837d738, stackChunkSize=8092) at jsapi.c:963
#6  0xb668bb09 in php_jscontext_object_new (class_type=0x8365f30) at /usr/install/src/php-extensions/pecl-spidermonkey/spidermonkey.c:128
#7  0xb7607dfa in _object_and_properties_init (arg=0xb6d4df74, class_type=0x8365f30, properties=0x0) at /usr/install/src/php5.3-200906120630/Zend/zend_API.c:1087
#8  0xb7607eee in _object_init_ex (arg=0xb6d4df74, class_type=0x8365f30) at /usr/install/src/php5.3-200906120630/Zend/zend_API.c:1095
#9  0xb76598bc in ZEND_NEW_SPEC_HANDLER (execute_data=0xb64f0028) at /usr/install/src/php5.3-200906120630/Zend/zend_vm_execute.h:477
#10 0xb76211f9 in execute (op_array=0xb6d4de68) at /usr/install/src/php5.3-200906120630/Zend/zend_vm_execute.h:104
#11 0xb75fffa7 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/install/src/php5.3-200906120630/Zend/zend.c:1188
#12 0xb75b0c09 in php_execute_script (primary_file=0xbfdaadd0) at /usr/install/src/php5.3-200906120630/main/main.c:2196
#13 0xb767fb6b in php_handler (r=0x83a3890) at /usr/install/src/php5.3-200906120630/sapi/apache2handler/sapi_apache2.c:648
#14 0x0807d897 in ap_run_handler (r=0x83a3890) at config.c:157
#15 0x08080987 in ap_invoke_handler (r=0x83a3890) at config.c:372
#16 0x080c5ae8 in ap_process_request (r=0x83a3890) at http_request.c:282
#17 0x080c2cae in ap_process_http_connection (c=0x836b498) at http_core.c:190
#18 0x08084847 in ap_run_process_connection (c=0x836b498) at connection.c:43
#19 0x080f4d6d in child_main (child_num_arg=<value optimized out>) at prefork.c:650
#20 0x080f4fa5 in make_child (s=0x8139ed8, slot=0) at prefork.c:690
#21 0x080f5d4c in ap_mpm_run (_pconf=0x81350a8, plog=0x8185328, s=0x8139ed8) at prefork.c:966
#22 0x0806b20f in main (argc=135475360, argv=0x83692b8) at main.c:740


 [2009-10-01 15:39 UTC] clay at killersoft dot com
This patch fixes this bug:

Index: spidermonkey.c
============================================================
=======
--- spidermonkey.c      (revision 52)
+++ spidermonkey.c      (working copy)
@@ -241,8 +241,10 @@
  * were only freed when the server was shutdown */
 PHP_RSHUTDOWN_FUNCTION(spidermonkey)
 {
-       if (SPIDERMONKEY_G(rt) != NULL)
+       if (SPIDERMONKEY_G(rt) != NULL) {
                JS_DestroyRuntime(SPIDERMONKEY_G(rt));
+               SPIDERMONKEY_G(rt) = NULL;
+       }
        return SUCCESS;
 }
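Review bot: The added `SPIDERMONKEY_G(rt) = NULL;` in PHP_RSHUTDOWN_FUNCTION carries no comment saying why the global must be cleared, and the retained comment above the function ("were only freed when the server was shutdown") does not cover it. Suggest a one-line comment there noting that the pointer would otherwise stay non-NULL after JS_DestroyRuntime and be passed to JS_NewContext by the next request in the same process, which matches frames #4 to #6 of the reported backtrace. If the runtime is destroyed anywhere else in spidermonkey.c, the same destroy-then-clear pair should be applied there.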
 [2009-10-05 03:36 UTC] c dot robin at smartphp dot org
Fixed in SVN, new PECL release coming before the end of day
 [2009-10-05 11:42 UTC] c dot robin at smartphp dot org
Thank you for taking the time to report a problem with the package.
Unfortunately you are not using a current version of the package -- 
the problem might already be fixed. Please download a new
version from http://pecl.php.net/packages.php

If you are able to reproduce the bug with one of the latest
versions, please change the package version on this bug report
to the version you tested and change the status back to "Open".
Again, thank you for your continued support of PECL.

New PECL package released, should solve this bug.
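The failure mode behind this report, as an added example that is not code from the spidermonkey extension: a process-wide pointer that outlives the request is destroyed at request shutdown but not cleared, so the second request in the same worker reuses a dead runtime. All names are hypothetical, the lazy "create the runtime when the global is NULL" step is an assumption about the constructor, and an `alive` flag stands in for freed memory so the stale use is detected instead of crashing.

```c
#include <stdio.h>
/* Toy stand-in for a JS runtime (hypothetical). Slots are never really freed,
 * so a stale pointer can be inspected safely instead of dereferencing freed memory. */
typedef struct { int alive; } toy_runtime;
static toy_runtime pool[8];
static int pool_used = 0;
static toy_runtime *g_rt = NULL;   /* models SPIDERMONKEY_G(rt): survives requests */

static toy_runtime *toy_new_runtime(void) {
    toy_runtime *rt = &pool[pool_used++ % 8];
    rt->alive = 1;
    return rt;
}
static void toy_destroy_runtime(toy_runtime *rt) { rt->alive = 0; }

/* Models `new JSContext()`; assumed to create the runtime lazily when the
 * global is NULL. Returns 0 on success, -1 if the global points at a dead runtime. */
static int request_new_context(void) {
    if (g_rt == NULL)
        g_rt = toy_new_runtime();
    return g_rt->alive ? 0 : -1;
}

/* Request shutdown before the patch: destroy, but keep the dangling pointer. */
static void rshutdown_before(void) {
    if (g_rt != NULL)
        toy_destroy_runtime(g_rt);
}

/* Request shutdown as patched: destroy and clear the global. */
static void rshutdown_after(void) {
    if (g_rt != NULL) {
        toy_destroy_runtime(g_rt);
        g_rt = NULL;
    }
}

/* Serve two requests in one worker process; return the second request's result. */
static int second_request_result(void (*rshutdown)(void)) {
    g_rt = NULL;                            /* fresh worker */
    if (request_new_context() != 0) return -2;
    rshutdown();                            /* end of first request */
    return request_new_context();           /* second request, same process */
}

int main(void) {
    printf("before patch: %d, after patch: %d\n",
           second_request_result(rshutdown_before), second_request_result(rshutdown_after));
}
```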
 