Bug #40545 zend_strtod.c threading issue
Submitted: 2007-02-19 17:53 UTC
Modified: 2007-02-20 13:26 UTC
From: scottmacvicar at ntlworld dot com
Assigned:
Status: Closed
Package: Reproducible crash
PHP Version: 5.2.1
OS: RHEL 4
Private report: No
CVE-ID: None

 [2007-02-19 17:53 UTC] scottmacvicar at ntlworld dot com
Description:
------------
Recently upgraded to PHP 5.2.1 from PHP 5.1.6 and we started to see a series of crashes every few hundred thousand requests. I couldn't isolate this to a specific section of code, so I think it's a concurrency problem.

I managed to catch a core file from the past few and in each case the backtrace revealed that the problem is zend_strtod. This is just an excerpt; the rest of the backtrace is just Apache internals.

Thread 27 (process 14353):
#0  0x008b07a2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
No symbol table info available.
#1  0x0013bc46 in kill () from /lib/tls/libc.so.6
No symbol table info available.
#2  0x0807e90d in sig_coredump (sig=14332) at mpm_common.c:1170
No locals.
#3  <signal handler called>
No symbol table info available.
#4  Balloc (k=1953067823) at /www/src/php-5.2.1/Zend/zend_strtod.c:460
        x = Variable "x" is not available. 

We're seeing this problem on both of our web servers; I can recompile one of the boxes in debug mode if that would help.

The only recent change I can see was a reimplementation of the code under a BSD license.


 [2007-02-19 18:14 UTC] tony2001@php.net
We still need to know how to reproduce it, otherwise it's hardly a "**Reproducible** crash".
 [2007-02-19 18:21 UTC] scottmacvicar at ntlworld dot com
I've been unable to track it down specifically. It's happening across a larger number of scripts; the only thing I can see in common between them all is a large number of unserialize calls during the script startup.

I've compiled PHP into debug mode now and I'll leave it running overnight to try and obtain a more detailed backtrace.
 [2007-02-19 18:24 UTC] tony2001@php.net
Ok.
 [2007-02-19 18:51 UTC] scottmacvicar at ntlworld dot com
The backtrace was too large to paste; the trace from the thread in question is at:

http://public.vbulletin.com/bugs/php/bug40545-bt.txt

It does appear to be an unserialize call that's causing the crash.
 [2007-02-19 19:20 UTC] tony2001@php.net
That's ok, but how to reproduce it?
 [2007-02-19 20:21 UTC] scottmacvicar at ntlworld dot com
Source of a simple script at http://public.vbulletin.com/bugs/php/bug40545.phps

You can grab the text file from the same folder.

I then ran:
ab -c 30 -n 10000 http://localhost/~scott/bug40545.php

Segfaults within a few hundred requests.

Apache 2.2.4 with keep alive disabled and PHP 5.2.1

It's a development box and not a production box so I can change more or less anything if you need anything else tested.
 [2007-02-19 20:24 UTC] tony2001@php.net
'./datastore.txt' ?
Looks like you forgot to provide this file.
 [2007-02-19 20:29 UTC] scottmacvicar at ntlworld dot com
As I said, it's in the same folder.

http://public.vbulletin.com/bugs/php/datastore.txt
 [2007-02-20 11:35 UTC] tony2001@php.net
What kind of MPM are you using?
I assume it's worker?
 [2007-02-20 11:46 UTC] scottmacvicar at ntlworld dot com
That's correct; the configure string for Apache is the following:

./configure --with-included-apr --enable-so --enable-info --enable-rewrite --enable-speling --enable-deflate --enable-ssl --enable-mime-magic --with-mpm=worker
 [2007-02-20 12:02 UTC] tony2001@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

Ok, found and fixed.
Special thanks for the great reproduce case.
 [2007-02-20 13:14 UTC] scottmacvicar at ntlworld dot com
Applied the patch to our production servers and I'll leave it running overnight again and check tomorrow morning.

I have however seen another core dump in _zend_mm_alloc_int but I'll hold back on reporting it for the moment.
 [2007-02-20 13:26 UTC] tony2001@php.net
Thanks. Feel free to reopen the report if you find something.
 
Last updated: Sat Dec 21 17:01:58 2024 UTC