PHP :: Bug #35140 :: Segmentation fault in shutdown_memory

Bug #35140

Segmentation fault in shutdown_memory_manager

Submitted:

2005-11-07 16:34 UTC

Modified:

2005-11-24 01:00 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	0 of 0 (0.0%)

From:

jfbustarret at tf1 dot fr

Assigned:

Status:

No Feedback

Package:

Scripting Engine problem

PHP Version:

5CVS-2005-11-10 (snap)

OS:

Linux

Private report:

CVE-ID:

None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	jfbustarret at tf1 dot fr
New email:
PHP Version:		OS:

New Comment:

[2005-11-07 16:34 UTC] jfbustarret at tf1 dot fr

Description:
------------
Sometimes, some apache process segfault in shutdown_memory_manager. 

Configuration : PHP 5.0.5/Linux/apache2



Reproduce code:
---------------
Unable to find the code that generates the segfault (the app is quite large)

Actual result:
--------------
Backtrace :

#0  0x40662c45 in shutdown_memory_manager (silent=1, full_shutdown=0)
    at /soft/sources/php/php-5.0.5/Zend/zend_alloc.c:485
485                             for (j=0; j<AG(cache_count)[i]; j++) {
(gdb) bt
#0  0x40662c45 in shutdown_memory_manager (silent=1, full_shutdown=0)
    at /soft/sources/php/php-5.0.5/Zend/zend_alloc.c:485
#1  0x40641b79 in php_request_shutdown (dummy=0x0)
    at /soft/sources/php/php-5.0.5/main/main.c:1236
#2  0x406a5114 in php_handler (r=0x82e06e0)
    at /soft/sources/php/php-5.0.5/sapi/apache2handler/sapi_apache2.c:436
(gdb) p alloc_globals.cache[i]
$2 = {0xb7179c38, 0xb7179c38, 0xb7179c38, 0xb7179c38, 0xb7179c38, 0xb7179c38,
  0xb7179c38, 0xb7179c38, 0xb7179c38, 0x0 <repeats 247 times>}
[ same pointer, multiple times !!! ]
(gdb) p alloc_globals.cache[i][j]
$3 = (void *) 0xb7179c38
(gdb) p *(zend_mem_header*) alloc_globals.cache[i][j]
$5 = {pNext = 0x0, pLast = 0x65646f6d, size = 0, cached = 0}

I tried recompiling with enable-debug, and I get "Only variables can be passed by reference" fatal errors in a function call that does not use references :
httpRedirect($referer.$urlReconstruite);
The function prototype is :
function httpRedirect($url) {

I am unable to reproduce the crash with enable-debug activated.

configure is :
'./configure' '--with-apxs2=/usr/sbin/apxs2' '--with-config-file-path=/etc' '--with-oci8' '--with-curl=/usr/lib' '--with-gd=shared' '--with-jpeg-dir=/usr/lib' '--with-png-dir=/usr/lib' '--with-freetype-dir=/usr/lib' '--enable-gd-native-ttf' '--with-zlib' '--with-mcrypt=/usr/lib' '--with-dom' '--enable-sockets' '--with-gmp=shared' '--without-pear' '--with-mysql=/usr' '--with-mysql-sock=/tmp/mysql.sock' '--with-imagick-gm' '--with-imagick=shared' 'CFLAGS=-O2 -g' '--with-snmp=shared' '--enable-ftp=shared' '--enable-soap=shared' '--enable-debug'

I tried the latest snapshot, but it crashes while trying to load the main php file.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2005-11-07 18:02 UTC] sniper@php.net

Please try using this CVS snapshot:

  http://snaps.php.net/php5-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5-win32-latest.zip

[2005-11-10 10:31 UTC] jfbustarret at tf1 dot fr

With/without --enable-debug, php5-latests crashes in :

#0  0x4075c447 in _zend_hash_index_update_or_next_insert (ht=0x4089cd40, h=0,
    pData=0xbfee8100, nDataSize=12, pDest=0x0, flag=Variable "flag" is not available.
)
    at /soft/sources/php/php5-200511100730/Zend/zend_hash.c:354
#1  0x4075dc42 in zend_list_insert (ptr=0x0, type=0)
    at /soft/sources/php/php5-200511100730/Zend/zend_list.c:47
#2  0x4075dc67 in zend_register_resource (rsrc_result=0x0,
    rsrc_pointer=0x830b10c, rsrc_type=2)
    at /soft/sources/php/php5-200511100730/Zend/zend_list.c:99
#3  0x4072b228 in _php_stream_alloc (ops=0x0, abstract=0x0, persistent_id=0x0,
    mode=0x407cafb7 "rb", __php_stream_call_depth=5,
    __zend_filename=0x40806e28 "/soft/sources/php/php5-200511100730/main/streams/plain_wrapper.c", __zend_lineno=205,
    __zend_orig_filename=0x408048d4 "/soft/sources/php/php5-200511100730/main/main.c", __zend_orig_lineno=855)
    at /soft/sources/php/php5-200511100730/main/streams/streams.c:263
#4  0x4072e9c3 in _php_stream_fopen_from_fd (fd=27, mode=0x407cafb7 "rb",
    persistent_id=0x0, __php_stream_call_depth=4,
    __zend_filename=0x40806e28 "/soft/sources/php/php5-200511100730/main/streams/plain_wrapper.c", __zend_lineno=882,
    __zend_orig_filename=0x408048d4 "/soft/sources/php/php5-200511100730/main/main.c", __zend_orig_lineno=855)
    at /soft/sources/php/php5-200511100730/main/streams/plain_wrapper.c:205
#5  0x4072eb40 in _php_stream_fopen (
    filename=0x83170a8 "/data/www/www/htdocs/src/affichePage.php",
    mode=0x407cafb7 "rb", opened_path=0xbfee95f8, options=133,
    __php_stream_call_depth=3,
    __zend_filename=0x40806e28 "/soft/sources/php/php5-200511100730/main/streams/plain_wrapper.c", __zend_lineno=1233,
    __zend_orig_filename=0x408048d4 "/soft/sources/php/php5-200511100730/main/ma---Type <return> to continue, or q <return> to quit---
in.c", __zend_orig_lineno=855)
    at /soft/sources/php/php5-200511100730/main/streams/plain_wrapper.c:882
#6  0x4072ed65 in _php_stream_fopen_with_path (
    filename=0x83170a8 "/data/www/www/htdocs/src/affichePage.php",
    mode=0x407cafb7 "rb",
    path=0x82ec2e4 "/data/www/commons/commons:/data/www/www/htdocs/src:/data/www/commons/PEAR:/data/www/commons/conf:/data/www/www/conf:.",
    opened_path=0xbfee95f8, options=133, __php_stream_call_depth=2,
    __zend_filename=0x40806e28 "/soft/sources/php/php5-200511100730/main/streams/plain_wrapper.c", __zend_lineno=931,
    __zend_orig_filename=0x408048d4 "/soft/sources/php/php5-200511100730/main/main.c", __zend_orig_lineno=855)
    at /soft/sources/php/php5-200511100730/main/streams/plain_wrapper.c:1276
#7  0x4072b525 in _php_stream_open_wrapper_ex (
    path=0x83170a8 "/data/www/www/htdocs/src/affichePage.php",
    mode=0x407cafb7 "rb", options=141, opened_path=0xbfee95f8, context=0x0,
    __php_stream_call_depth=0,
    __zend_filename=0x408048d4 "/soft/sources/php/php5-200511100730/main/main.c", __zend_lineno=855, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /soft/sources/php/php5-200511100730/main/streams/streams.c:1771
#8  0x407186d3 in php_stream_open_for_zend (
    filename=0x83170a8 "/data/www/www/htdocs/src/affichePage.php",
    handle=0xbfee95f0) at /soft/sources/php/php5-200511100730/main/main.c:855
#9  0x40763a6a in zend_stream_open (
    filename=0x83170a8 "/data/www/www/htdocs/src/affichePage.php",
    handle=0xbfee95f0)
    at /soft/sources/php/php5-200511100730/Zend/zend_stream.c:47
#10 0x40763bc0 in zend_stream_fixup (file_handle=0xbfee95f0)
    at /soft/sources/php/php5-200511100730/Zend/zend_stream.c:62
---Type <return> to continue, or q <return> to quit---
#11 0x4073c010 in open_file_for_scanning (file_handle=0xbfee95f0)
    at zend_language_scanner.c:3070
#12 0x4073c6e9 in compile_file (file_handle=0xbfee95f0, type=2)
    at zend_language_scanner.c:3156
#13 0x4075256c in zend_execute_scripts (type=2, retval=0x0, file_count=1)
    at /soft/sources/php/php5-200511100730/Zend/zend.c:1079

(gdb) print ht
$1 = (HashTable *) 0x4089cd40
(gdb) print *ht
$2 = {nTableSize = 0, nTableMask = 0, nNumOfElements = 0,
  nNextFreeElement = 0, pInternalPointer = 0x0, pListHead = 0x0,
  pListTail = 0x0, arBuckets = 0x0, pDestructor = 0, persistent = 0 '\0',
  nApplyCount = 0 '\0', bApplyProtection = 0 '\0', inconsistent = 0}

[2005-11-10 10:52 UTC] sniper@php.net

Do you load those shared extensions in your php.ini?
Can you try without them? And what is the shortest possible configure line you can reproduce this with?

[2005-11-10 13:58 UTC] jfbustarret at tf1 dot fr

With :
'./configure' '--with-apxs2=/usr/sbin/apxs2' '--with-config-file-path=/etc' '--with-oci8=/soft/ora920' '--prefix=/soft/php-5-200511100730-20051110-debug' '--exec-prefix=/soft/php-5-200511100730-20051110-debug' '--without-pear' '--with-mysql=/usr' '--with-mysql-sock=/tmp/mysql.sock' 'CFLAGS=-O2 -g'

I get this crash :
#0  0x4070f068 in zend_clear_exception ()
    at /soft/sources/php/php5-200511100730/Zend/zend_exceptions.c:68
68              if (!EG(exception)) {
(gdb) bt
#0  0x4070f068 in zend_clear_exception ()
    at /soft/sources/php/php5-200511100730/Zend/zend_exceptions.c:68
#1  0x4071050d in zif_exception_getLine ()
    at /soft/sources/php/php5-200511100730/Zend/zend_exceptions.c:220
#2  0x4083acf8 in ?? ()
[snip]
#16 0xbf9233e8 in ?? ()
#17 0x40710537 in zif_exception_getFile (ht=137277364, return_value=0x2,
    return_value_ptr=0x3a97, this_ptr=0x0, return_value_used=137147524)
    at /soft/sources/php/php5-200511100730/Zend/zend_exceptions.c:209
#18 0x40710537 in zif_exception_getFile (ht=0, return_value=0x82eafb4,
    return_value_ptr=0x2, this_ptr=0x0, return_value_used=860730000)
    at /soft/sources/php/php5-200511100730/Zend/zend_exceptions.c:209
#19 0x406e2639 in zendparse () at zend_language_parser.c:4333
[snip]
(gdb) print executor_globals.exception
$1 = (zval *) 0x44238317
(gdb) print *executor_globals.exception
Cannot access memory at address 0x44238317

With more extensions, I have various crashes, like this one :
#0  0x406ed5fd in yy_push_state (new_state=1) at zend_language_scanner.c:6029
#1  0x406edfe7 in lex_scan (zendlval=0xbf8163d4)
    at zend_language_scanner.c:4418

I'll try the same with PHP-5.0.5.

[2005-11-10 17:28 UTC] tony2001@php.net

Are you able to reproduce it with PHP CLI?
Why are you using those CFLAGS? 
Do you really need both ext/mysql && ext/oci8? If not, please remove at least one of them.
Do you use the new OCI8 (from PECL) or the old one?

[2005-11-14 11:28 UTC] jfbustarret at tf1 dot fr

> Are you able to reproduce it with PHP CLI?
So far, no crash using CLI.

> Why are you using those CFLAGS?
Legacy shell script... -g -O2 is the default, so CLFAGS is useless.

> Do you really need both ext/mysql && ext/oci8? If not, please remove at least one of them.
Most servers need both. I'll remove ext/mysql & ext/oci8 where I can.

> Do you use the new OCI8 (from PECL) or the old one?
The new one. Some features of the PECL one are very useful.

[2005-11-14 11:34 UTC] jfbustarret at tf1 dot fr

FYI, I have crashes on a server that loads the oci ext, but does not connect to oracle.

On this server, the crashes were in a template that uses mysql + jpgraph v2 + gd.

[2005-11-14 11:38 UTC] tony2001@php.net

What MPM do you use with Apache2?
Are you able to reproduce it with prefork MPM?

[2005-11-14 11:39 UTC] jfbustarret at tf1 dot fr

We use prefork

[2005-11-15 11:00 UTC] dmitry@php.net

Please try make full rebuild (including extensions).

make clean ; make install

[2005-11-15 11:18 UTC] jfbustarret at tf1 dot fr

Our standard procedure for building PHP is already :
configure
make clean
make
make install
(we even rm -rf the directory & untar the source package each time)

I am trying to get a new core with 5.0.5/enable-debug & various extensions.

[2005-11-15 23:01 UTC] sniper@php.net

Please try using this CVS snapshot:

  http://snaps.php.net/php5-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5-win32-latest.zip

We're not interested in 5.0.5, we're interested if this happens with the latest CVS.

[2005-11-16 16:08 UTC] jfbustarret at tf1 dot fr

I did some extensive tests with 5.1RC.

I did get a few random parsing errors :
#0  0x4070a2ad in yy_push_state (new_state=1) at zend_language_scanner.c:6031
#1  0x4070ac97 in lex_scan (zendlval=0xbf8c5764) at zend_language_scanner.c:4420
#2  0x407105a9 in zendlex (zendlval=0xbf8c5760) at /soft/sources/php/php5-200511160730/Zend/zend_compile.c:3971
#3  0x40709b07 in zendparse () at zend_language_parser.c:2644

Every core I got was on the same template. Most of the time, the template is correctly parsed, and sometimes it crashes (3 crashes in a few thousand compiles, about the same frequency than my 5.0.5 crash).

I'll try to extract the part of the template that crashes and put it online.

configure is the same as the beginning of the ticket, without enable-debug (I'm unable to get core files with enable-debug). No accelerator is used.

[2005-11-16 16:23 UTC] tony2001@php.net

We really need a reproduce script.

[2005-11-24 01:00 UTC] php-bugs at lists dot php dot net

No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".

[2005-12-10 02:39 UTC] brion at pobox dot com

I'm having the segfault as well, with PHP 5.1.1/Linux/Apache 
1.3 (also had under Apache 2.0; switched to 1.3 to try to 
replicate more of our non-crashing PHP 4.4 setup from other 
machines).

The system is Fedora 2/x86; compiler is GCC 3.3.3.

The segfaulting condition develops after a full day or two 
of running with relatively light load; once it's started, 
all PHP requests seem to segfault this way until Apache is 
restarted. I have not been able to find a way to trigger it 
on command yet.

I am using the APC caching module (3.0.8); will try to 
confirm with it off as well.

# ./configure  --with-apxs=/usr/local/apache/bin/apxs --
enable-memory-limit --enable-sysvsem --enable-sysvshm --
with-bz2 --enable-ctype --with-iconv --enable-exif --enable-
gettext --enable-mbstring --enable-shmop --enable-sockets --
with-zlib --with-openssl --with-curl --with-dom --with-dom-
xslt --with-dom-exslt --with-zlib --with-gd --with-mysql=/
usr/local/mysql --with-record --enable-xslt --with-xslt-
sablot --with-readline --with-xmlrpc

Apache 1.3.34 and PHP are compiled with CFLAGS='-g -O2' to 
enable debugging information, but I had the segfaults under 
the defaults as well.


Backtrace:
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 31234)]
0x4049db7c in shutdown_memory_manager (silent=0, 
full_shutdown=0)
    at /home/brion/src/php-5.1.1/Zend/zend_alloc.c:511
511                                     
REMOVE_POINTER_FROM_LIST(ptr);
(gdb) bt
#0  0x4049db7c in shutdown_memory_manager (silent=0, 
full_shutdown=0)
    at /home/brion/src/php-5.1.1/Zend/zend_alloc.c:511
#1  0x4047bbca in php_request_shutdown (dummy=0x0)
    at /home/brion/src/php-5.1.1/main/main.c:1287
#2  0x4050d3c6 in apache_php_module_main (r=0x818a3bc, 
display_source_mode=0)
    at /home/brion/src/php-5.1.1/sapi/apache/sapi_apache.c:
59
#3  0x4050dda0 in send_php (r=0x818a3bc, 
display_source_mode=0, filename=0x0)
    at /home/brion/src/php-5.1.1/sapi/apache/mod_php5.c:644
#4  0x4050d60b in send_parsed_php (r=0x818a3bc)
    at /home/brion/src/php-5.1.1/sapi/apache/mod_php5.c:659
#5  0x08069a46 in ap_invoke_handler (r=0x818a3bc) at 
http_config.c:475
#6  0x0807943f in process_request_internal (r=0x818a3bc) at 
http_request.c:1298
#7  0x080795ef in ap_process_request (r=0x818a3bc) at 
http_request.c:1314
#8  0x08072bfc in child_main (child_num_arg=0) at 
http_main.c:4787
#9  0x08072d9f in make_child (s=0x80a397c, slot=11, now=0) 
at http_main.c:4957
#10 0x08073042 in perform_idle_server_maintenance () at 
http_main.c:5142
#11 0x080737f9 in standalone_main (argc=1, argv=0xbfffea34) 
at http_main.c:5405
#12 0x08073d22 in main (argc=1, argv=0xbfffea34) at 
http_main.c:5658
(gdb) p alloc_globals.cache[i]
$1 = {0x4214bdac, 0x4214bf7c, 0x4214bf64, 0x4214bf44, 
0x4214bdbc, 0x4214bd5c, 
  0x4214bf9c, 0x0 <repeats 249 times>}
(gdb) p i
$2 = 0
(gdb) p alloc_globals.cache[i][j]
$3 = (void *) 0x4214bdac
(gdb) p *(zend_mem_header*) alloc_globals.cache[i][j]
$4 = {pNext = 0x0, pLast = 0x10, size = 0}

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sun Oct 26 10:00:01 2025 UTC