Bug #59417 Segfault in getServerByKey
Submitted: 2010-09-13 18:14 UTC Modified: 2012-03-07 17:11 UTC
Votes:3
Avg. Score:4.3 ± 0.9
Reproduced:3 of 3 (100.0%)
Same Version:1 (33.3%)
Same OS:2 (66.7%)
From: kevin at magicmonkey dot org Assigned: andrei (profile)
Status: Closed Package: memcached (PECL)
PHP Version: 5.3.2 OS: Linux (Ubuntu)
Private report: No CVE-ID: None
 [2010-09-13 18:14 UTC] kevin at magicmonkey dot org
Description:
------------
There's a double-free (I think) causing a segfault when using 
getServerByKey.  I think it's caused by the 
"memcached_server_free(server)" on line 1775 of 
php_memcached.c, as the "server" variable returned from 
memcached_server_by_key is a pointer into a struct which is 
used elsewhere (i.e. it wasn't specifically alloc'd for this 
call, so it shouldn't be free'd by this call).  I've forked on 
github and committed a fix at 
http://github.com/magicmonkey/php-memcached/commit/2b16eaf6e1839a534fa136cabe60b9278a4c9f58 - 
I'm not sure if it will break anything else, though.

Note that if you add a call to "$m->get('test');" after the 
getServerByKey line, then the segfault doesn't happen.

Reproduce code:
---------------
<?php
	$m = new Memcached();
	$m->addServers(array(array('127.0.0.1', 11211)));
	$m->add('test', 'test1');
	var_dump($m->getServerByKey('1'));


Expected result:
----------------
array(3) {
  ["host"]=>
  string(9) "127.0.0.1"
  ["port"]=>
  int(11211)
  ["weight"]=>
  int(0)
}


Actual result:
--------------
Segfault, followed by:

*** glibc detected *** php: corrupted double-linked list: 0x0000000002a4b5c0 ***

======= Backtrace: =========
/lib/libc.so.6(+0x775b6)[0x7f99028f95b6]
/lib/libc.so.6(+0x77a1f)[0x7f99028f9a1f]
/lib/libc.so.6(+0x7a460)[0x7f99028fc460]
/lib/libc.so.6(cfree+0x73)[0x7f99028ffe53]
/usr/stuff/libmemcached/lib/libmemcached.so.5(memcached_free+0x19)[0x7f98f9236d69]
/usr/lib/php5/20090626/memcached4.so(+0x7210)[0x7f98f9449210]
/usr/lib/php5/20090626/memcached4.so(+0x813f)[0x7f98f944a13f]
php(zend_objects_store_del_ref_by_handle_ex+0x28c)[0x6ba76c]
php(zend_objects_store_del_ref+0x13)[0x6ba793]
php(_zval_ptr_dtor+0x3d)[0x688e5d]
php[0x6a1ae2]
php(zend_hash_reverse_apply+0x59)[0x6a1be9]
php[0x6894f5]
php[0x695c84]
php(php_request_shutdown+0x325)[0x641995]
php[0x725314]
/lib/libc.so.6(__libc_start_main+0xfd)[0x7f99028a0c4d]
php[0x42c639]

(note that I've called it memcached4.so, to avoid clashing 
with my real memcached.so from version 1.0.2)
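
The ownership problem the report describes, as an added C model that is not part of the original report or of php-memcached: a lookup returns a pointer into storage the handle owns, and a counter stands in for the second free() so the program stays well defined. All type and function names below are hypothetical, not libmemcached's API.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for a client handle and its server entries. */
typedef struct { char *host; int port; int releases; } server_t;
typedef struct { server_t *servers; size_t count; } pool_t;
static int double_releases; /* releases of an already-released entry */
static void server_release(server_t *s) {
    if (s->releases++ > 0) { double_releases++; return; } /* real code: second free() */
    free(s->host);
}

static pool_t *pool_new(const char *host, int port) {
    pool_t *p = malloc(sizeof *p);
    server_t *sv = malloc(sizeof *sv);
    char *h = malloc(strlen(host) + 1);
    if (!p || !sv || !h) { free(p); free(sv); free(h); return NULL; }
    *sv = (server_t){ strcpy(h, host), port, 0 };
    *p = (pool_t){ sv, 1 };
    return p;
}

/* Returns a borrowed pointer into p->servers; the pool keeps ownership. */
static server_t *pool_server_by_key(pool_t *p, const char *key) {
    size_t h = 0;
    while (*key) h = h * 31 + (unsigned char)*key++;
    return &p->servers[h % p->count];
}

static void pool_free(pool_t *p) {
    for (size_t i = 0; i < p->count; i++) server_release(&p->servers[i]);
    free(p->servers);
    free(p);
}

int lookup_then_teardown(int caller_frees_result) {
    pool_t *p = pool_new("127.0.0.1", 11211);
    if (!p) return -1;
    double_releases = 0;
    server_t *s = pool_server_by_key(p, "1");
    if (caller_frees_result) server_release(s); /* pattern described in the report */
    pool_free(p);
    return double_releases;
}

int main(void) {
    printf("caller frees: %d, pool only: %d\n", lookup_then_teardown(1), lookup_then_teardown(0));
    return 0;
}
```

The second release happens during teardown of the handle, which matches where the backtrace above shows the crash (memcached_free during request shutdown).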

 [2012-01-26 13:21 UTC] bugs at philosof dot dk
I have also experienced this problem.
See details at:
https://bugs.launchpad.net/ubuntu/+source/php-memcached/+bug/922053

The fault differs a bit depending on whether I have a get before getServerByKey or not.
 [2012-02-29 01:46 UTC] dpk at dpk dot net
This bug is also tracked at: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=629896

It appears to be fixed, but not in the version that is distributed w/ Debian 
Squeeze (or Ubuntu apparently).
 [2012-03-07 17:11 UTC] andrei@php.net
Closing because of age. Please try version 2.0.1 and reopen if this still 
occurs.
 [2012-03-07 17:11 UTC] andrei@php.net
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: andrei
 