Bug #59551 Segmentation fault when memcached server does not respond
Submitted: 2010-12-28 13:42 UTC Modified: 2011-05-04 09:11 UTC
From: michal at neotronic dot org Assigned:
Status: Not a bug Package: memcache (PECL)
PHP Version: 5.3.2 OS: Linux 2.6.26-2-xen-amd64
Private report: No CVE-ID: None
 [2010-12-28 13:42 UTC] michal at neotronic dot org
Description:
------------

steps to reproduce:
1) make your memcached server unavailable
2) run the included code

I've been trying to track the bug down. It segfaults right in the fourth iteration of:
while ((request = mmc_queue_pop(&(pool->free_requests))) != NULL) {
    pool->protocol->free_request(request);
}
in mmc_pool_free()

just prior to the segmentation fault, the mmc_request_t *request contains this:
(gdb) print *request
$6 = {io = 0x5a5a5a5a5a5a5a5a, sendbuf = {value = {c = 0x5a5a5a5a5a5a5a5a <Address 0x5a5a5a5a5a5a5a5a out of bounds>, len = 6510615555426900570, a = 6510615555426900570}, idx = 1515870810}, readbuf = {value = {
      c = 0x5a5a5a5a5a5a5a5a <Address 0x5a5a5a5a5a5a5a5a out of bounds>, len = 6510615555426900570, a = 6510615555426900570}, idx = 1515870810}, key = 'Z' <repeats 251 times>, key_len = 1515870810, protocol = 1515870810,
  failed_servers = {items = 0x5a5a5a5a5a5a5a5a, alloc = 1515870810, head = 1515870810, tail = 1515870810, len = 1515870810}, failed_index = 1515870810, read = 0x5a5a5a5a5a5a5a5a, parse = 0x5a5a5a5a5a5a5a5a,
  value_handler = 0x5a5a5a5a5a5a5a5a, value_handler_param = 0x5a5a5a5a5a5a5a5a, response_handler = 0x5a5a5a5a5a5a5a5a, response_handler_param = 0x5a5a5a5a5a5a5a5a, failover_handler = 0x5a5a5a5a5a5a5a5a,
  failover_handler_param = 0x5a5a5a5a5a5a5a5a, udp = {reqid = 23130, seqid = 23130, total = 23130}}


At this point, assistance is needed.

Thank you

Reproduce code:
---------------
<?php
session_start()
?>

Expected result:
----------------
the script should end normally returning non-zero value

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f3289da7710 (LWP 6607)]
0x00000000009567a8 in zend_mm_check_ptr (heap=Cannot access memory at address 0x8000cec0d818
) at /usr/src/php5.3/source/php5-5.3.3/Zend/zend_alloc_canary.c:1433
1433            if (p->info._size != ZEND_MM_NEXT_BLOCK(p)->info._prev) {
(gdb) bt
#0  0x00000000009567a8 in zend_mm_check_ptr (heap=Cannot access memory at address 0x8000cec0d818
) at /usr/src/php5.3/source/php5-5.3.3/Zend/zend_alloc_canary.c:1433
#1  0x00000000009585df in _zend_mm_free_canary_int (heap=Cannot access memory at address 0x8000cec0d8b8
) at /usr/src/php5.3/source/php5-5.3.3/Zend/zend_alloc_canary.c:2079
#2  0x000000000090284c in _efree (ptr=Cannot access memory at address 0x8000cec0d938
) at /usr/src/php5.3/source/php5-5.3.3/Zend/zend_alloc.c:2616
#3  0x00007f3284c5e666 in mmc_buffer_free (buffer=0x2b9f140) at /root/php-session/php-memcache-3.0.5/build-tree/memcache-3.0.5/memcache_pool.c:56
#4  0x00007f3284c5ea96 in mmc_request_free (request=0x2b9f138) at /root/php-session/php-memcache-3.0.5/build-tree/memcache-3.0.5/memcache_pool.c:181
#5  0x00007f3284c61319 in mmc_pool_free (pool=0x2b9d120) at /root/php-session/php-memcache-3.0.5/build-tree/memcache-3.0.5/memcache_pool.c:945
#6  0x00007f3284c6c276 in ps_close_memcache (mod_data=0x1194220) at /root/php-session/php-memcache-3.0.5/build-tree/memcache-3.0.5/memcache_session.c:195
#7  0x00000000006f2906 in php_session_save_current_state () at /usr/src/php5.3/source/php5-5.3.3/ext/session/session.c:625
#8  0x00000000006f69b1 in php_session_flush () at /usr/src/php5.3/source/php5-5.3.3/ext/session/session.c:1517
#9  0x00000000006f87c1 in zm_deactivate_session (type=Cannot access memory at address 0x8000cec0db4c
) at /usr/src/php5.3/source/php5-5.3.3/ext/session/session.c:2171
#10 0x000000000093413d in module_registry_cleanup (module=Cannot access memory at address 0x8000cec0db78
) at /usr/src/php5.3/source/php5-5.3.3/Zend/zend_API.c:2150
#11 0x000000000093c412 in zend_hash_reverse_apply (ht=Cannot access memory at address 0x8000cec0db98
) at /usr/src/php5.3/source/php5-5.3.3/Zend/zend_hash.c:957
#12 0x0000000000929dbe in zend_deactivate_modules () at /usr/src/php5.3/source/php5-5.3.3/Zend/zend.c:938
#13 0x00000000008aa337 in php_request_shutdown (dummy=Cannot access memory at address 0x8000cec0dcb8
) at /usr/src/php5.3/source/php5-5.3.3/main/main.c:1610
#14 0x0000000000a23c3a in main (argc=Cannot access memory at address 0x8000cec0de9c
) at /usr/src/php5.3/source/php5-5.3.3/sapi/cli/php_cli.c:1377
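Added example, not part of the original report and not pecl-memcache code: a guarded version of the drain loop quoted above that counts a stale queue entry instead of releasing it again. It assumes the uniform 0x5a fill in the gdb dump marks memory that had already been released; `req_t`, `queue_t`, the static arena and all function names are hypothetical stand-ins.

```c
#include <stdio.h>
#include <string.h>

#define POISON 0x5a  /* fill byte seen in every field of the gdb dump */
#define QCAP   8

/* Hypothetical, cut-down stand-ins for mmc_request_t and mmc_queue_t. */
typedef struct { void *io; char key[16]; unsigned key_len; } req_t;
typedef struct { req_t *items[QCAP]; int len; } queue_t;

/* Static arena: a released slot stays readable, so the check is well defined. */
static req_t arena[QCAP];

static void req_release(req_t *r) { memset(r, POISON, sizeof *r); }

static int req_is_poisoned(const req_t *r) {
    const unsigned char *p = (const unsigned char *)r;
    for (size_t i = 0; i < sizeof *r; i++)
        if (p[i] != POISON) return 0;
    return 1;
}

static void queue_push(queue_t *q, req_t *r) { if (q->len < QCAP) q->items[q->len++] = r; }
static req_t *queue_pop(queue_t *q) { return q->len ? q->items[--q->len] : NULL; }

/* Same loop shape as in mmc_pool_free(); a stale entry is counted, not released again. */
static int pool_drain_checked(queue_t *q, int *released) {
    int stale = 0;
    req_t *r;
    *released = 0;
    while ((r = queue_pop(q)) != NULL) {
        if (req_is_poisoned(r)) { stale++; continue; }
        req_release(r);
        (*released)++;
    }
    return stale;
}

/* Constructed scenario: four queued requests, the first released behind the queue's back. */
static int demo(int *released) {
    queue_t q = { {0}, 0 };
    memset(arena, 0, sizeof arena);
    for (int i = 0; i < 4; i++) { memcpy(arena[i].key, "sess", 4); queue_push(&q, &arena[i]); }
    req_release(&arena[0]);  /* pointer is still queued: popped last, on the fourth iteration */
    return pool_drain_checked(&q, released);
}

int main(void) {
    int released, stale = demo(&released);
    printf("released=%d stale=%d\n", released, stale);
    return 0;
}
```

On a real heap the poison scan is only a debugging heuristic, because reading released memory is undefined; the durable fix is to remove a request from the queue at the moment it is released.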


 [2011-04-09 15:40 UTC] jeremyw-phpbugs at igmus dot org
I have the same problem -- a connection timeout to one of the servers segfaults trying to deallocate free requests.

My stack trace, on PHP 5.3.6 & Memcache 3.0.5, ends:

#0  _zend_mm_free_int (heap=0x7f0a829ccf60, p=0x7f0a8aa034a0) at /usr/src/debug/php-5.3.6/Zend/zend_alloc.c:2028
#1  0x00007f0a746d20fb in mmc_buffer_free (request=0x7f0a8aa034b0) at /usr/src/debug/php-pecl-memcache-3.0.5/memcache-3.0.5/memcache_pool.c:50
#2  mmc_request_free (request=0x7f0a8aa034b0) at /usr/src/debug/php-pecl-memcache-3.0.5/memcache-3.0.5/memcache_pool.c:169
#3  0x00007f0a746d36ca in mmc_pool_free (pool=0x7f0a8a9f6b38) at /usr/src/debug/php-pecl-memcache-3.0.5/memcache-3.0.5/memcache_pool.c:928

If I comment out free_request() below, memcache calls return after a timeout and life continues.  (Obviously, when I get rid of the bad server, no errors occur.)

    /* requests are owned by us so free them */
    while ((request = mmc_queue_pop(&(pool->free_requests))) != NULL) {
        //pool->protocol->free_request(request);
    }
    mmc_queue_free(&(pool->free_requests));

Thoughts?
 [2011-05-03 05:59 UTC] niakrisn at gmail dot com
The same problem with php 5.2.17 and memcache 3.0.5

#0  0x2890a9da in _zend_mm_free_int () from /usr/local/libexec/apache22/libphp5.so
#1  0x29c48115 in mmc_request_free () from /usr/local/lib/php/20060613/memcache.so
#2  0x29c4589c in mmc_pool_free () from /usr/local/lib/php/20060613/memcache.so
#3  0x29c4cd38 in ps_close_memcache () from /usr/local/lib/php/20060613/memcache.so
#4  0x29ad931a in php_rshutdown_session_globals () from /usr/local/lib/php/20060613/session.so
#5  0x29ad9365 in php_session_destroy () from /usr/local/lib/php/20060613/session.so
#6  0x29ad941b in zif_session_destroy () from /usr/local/lib/php/20060613/session.so
#7  0x2894d93c in zend_do_fcall_common_helper_SPEC () from /usr/local/libexec/apache22/libphp5.so
#8  0x28942b69 in execute () from /usr/local/libexec/apache22/libphp5.so
#9  0x29faac38 in zend_oe () from /usr/local/lib/php/20060613/Optimizer/php-5.2.x/ZendOptimizer.so
#10 0x29087be0 in ?? ()
#11 0x00000009 in ?? ()
#12 0x28a3f8d0 in executor_globals () from /usr/local/libexec/apache22/libphp5.so
#13 0x28929396 in zend_update_class_constants () from /usr/local/libexec/apache22/libphp5.so
Previous frame inner to this frame (corrupt stack?)
 [2011-05-04 09:02 UTC] pierre dot php at gmail dot com
Try with 3.0.6, and keep in mind that we don't support 5.2 anymore.
 [2011-05-04 09:10 UTC] niakrisn at gmail dot com
Thanks, pecl-memcache 3.0.6 works fine.
 [2011-05-04 09:11 UTC] pierre dot php at gmail dot com
Duplicate of previous report (and fixed in 3.0.6).
 
Last updated: Sat Dec 21 14:01:32 2024 UTC