Bug #15020 Segfault - something to do with arBuckets
Submitted: 2002-01-13 17:10 UTC Modified: 2002-07-18 01:00 UTC
Votes: 3
Avg. Score: 5.0 ± 0.0
Reproduced: 3 of 3 (100.0%)
Same Version: 0 (0.0%)
Same OS: 0 (0.0%)
From: charlie at charliedyson dot net Assigned:
Status: No Feedback Package: Session related
PHP Version: 4.1.1 OS: Linux (SuSE 7.2)
Private report: No CVE-ID: None
 [2002-01-13 17:10 UTC] charlie at charliedyson dot net
Hi,
I've just installed the latest version of PHP, with apache 1.3.22, and I have found what may be a serious seg-fault bug. I have made a backtrace. I don't know anything about PHP's internals, so you'll have to figure out what went wrong for yourself (sorry). My config line is:

 './configure' '--with-apxs=/opt/apache/bin/apxs' '--enable-bcmath' '--with-bz2' '--enable-calendar' '--enable-ftp' '--with-gd' '--with-pspell' '--with-pgsql=/opt/postgres' '--enable-trans-sid' '--without-mysql' '--with-jpeg-dir=/usr/lib' '--with-png-dir=/usr/lib' '--with-zlib-dir=/usr/lib' '--prefix=/opt/php'
(Sorry it's so long, I will try and reproduce the bug with less of this stuff).
I can get you the core if you want it. The bug is reproducible - I was just running a few sample pages to test it out, they can't be more than 1 or 2k, so I could send you them. It seems to happen when I go back and forth between the same two pages (a login one and a logout one - also, the log-out does not work properly if cookies are enabled. Any ideas?) Also, I made a few (generally minor) modifications to php.ini - I will send a copy or a diff if necessary. Here's the output from gdb - I checked the value of a few variables as well, in case it helps.

Bear in mind that I don't understand PHP's internals at all. Note that nIndex was 539567104 the second time I did this. It would seem that arBuckets (again, I don't know what this is) references an area of memory the program didn't allocate itself, which causes the segfault.

Program received signal SIGSEGV, Segmentation fault.
0x40206f18 in zend_hash_del_key_or_index (ht=0x810958c,
    arKey=0x8108e5c "isloggedin", nKeyLength=11, h=0, flag=0)
    at zend_hash.c:484
484             p = ht->arBuckets[nIndex];
(gdb) bt
#0  0x40206f18 in zend_hash_del_key_or_index (ht=0x810958c,
    arKey=0x8108e5c "isloggedin", nKeyLength=11, h=0, flag=0)
    at zend_hash.c:484
#1  0x4024f14a in zif_session_unregister (ht=1, return_value=0x8108e7c,
    this_ptr=0x0, return_value_used=0) at session.c:1201
#2  0x401f32c9 in execute (op_array=0x8103a6c) at ./zend_execute.c:1590
#3  0x402024b3 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at zend.c:814
#4  0x40211456 in php_execute_script (primary_file=0xbffff008) at main.c:1307
#5  0x4020ce2e in apache_php_module_main (r=0x80f9eb4, display_source_mode=0)
    at sapi_apache.c:90
#6  0x4020d9ef in send_php (r=0x80f9eb4, display_source_mode=0, filename=0x0)
    at mod_php4.c:575
#7  0x4020da53 in send_parsed_php (r=0x80f9eb4) at mod_php4.c:590
#8  0x806c409 in ap_invoke_handler ()
#9  0x8081e7f in process_request_internal ()
#10 0x8081ef2 in ap_process_request ()
#11 0x8078ab6 in child_main ()
#12 0x8078c75 in make_child ()
#13 0x8078df6 in startup_children ()
#14 0x807949d in standalone_main ()
#15 0x8079cfc in main ()
#16 0x400b9c6f in __libc_start_main () from /lib/libc.so.6
(gdb) list
479                     HANDLE_NUMERIC(arKey, nKeyLength, zend_hash_del_key_or_index(ht, arKey, nKeyLength, idx, HASH_DEL_INDEX));
480                     h = zend_inline_hash_func(arKey, nKeyLength);
481             }
482             nIndex = h & ht->nTableMask;
483
484             p = ht->arBuckets[nIndex];
485             while (p != NULL) {
486                     if ((p->h == h) && ((p->nKeyLength == 0) || /* Numeric index */
487                             ((p->nKeyLength == nKeyLength) && (!memcmp(p->arKey, arKey, nKeyLength))))) {
488                             HANDLE_BLOCK_INTERRUPTIONS();
(gdb) p ht
$1 = (HashTable *) 0x810958c
(gdb) p nIndex
$2 = 0

Good luck figuring this out! Also, apologies for bad spelling (feature request: spell check on bug form)

Thanks in advance,

Charlie Dyson - charlie@charliedyson.net

 [2002-01-13 20:25 UTC] yohgaki@php.net
Looks like this is a session module problem. (session_unregister)
Could you make a short & complete script that causes this segfault?
 [2002-01-15 16:41 UTC] charlie at charliedyson dot net
Here are two sample pages that cause the crash on my machine:
== login.php ==
<?
	session_start();
	session_register("isloggedin");
	$HTTP_SESSION_VARS["isloggedin"]=0
?>
<html>
<body>
You are logged in.<br/>
<a href="logout.php">Click here</a> to log-out.<br/>
</body>
</html>
== CUT ==
== logout.php ==
<?
	session_unregister("isloggedin");
	session_destroy();
?>
<html>
<body>
You are now logged - out.
<a href="login.php">Click here</a> to log-in again. <br/>
<?= session_id() ?><br/>
</body>
</html>
== CUT ==
I also made some small changes to my php.ini file, starting with php.ini-recommended. Here is the output of diff php.ini-recommended php.ini:
683c683
< session.save_path = /tmp
---
> session.save_path = /tmp/phpsess
690c690
< session.name = PHPSESSID
---
> session.name = POSSUMSESSID
== CUT ==
Hope this helps,

Charlie Dyson - charlie@charliedyson.net


 [2002-05-04 10:04 UTC] kimmo dot mustonen at hut dot fi
The same(?) problem occurs for me on Tru64 Unix 4.0f.
The problem has appeared between 4.0.6 and 4.1.0. 4.0.6 works fine, 4.1.0, 4.1.1 and 4.2.0 just crash.

---<8---<8---
zend_hash.c:935 if ((p->h == h) && (p->nKeyLength == 0)) {
(gdb) print p
$1 = (Bucket *) 0x5a5a5a5a5a5a5a5a
(gdb) print ht->arBuckets[1]
$2 = (Bucket *) 0x5a5a5a5a5a5a5a5a
(gdb) print *ht
$3 = {nTableSize = 8, nTableMask = 7, nNumOfElements = 3, 
  nNextFreeElement = 4, pInternalPointer = 0x140114880, 
  pListHead = 0x140114880, pListTail = 0x0, arBuckets = 0x1400eea60, 
  pDestructor = 0x120068910 <list_entry_destructor>, persistent = 0 '\000', 
  nApplyCount = 0 '\000', bApplyProtection = 1 '\001', inconsistent = 0}
---8<---8<---
It seems that the arBuckets table is completely freed(?) or uninitialized(?) but is still being used.
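As an added illustration of the failure mode the two reports above describe (constructed example code, not PHP's source and not posted by anyone in this thread): zend_hash_del_key_or_index indexes arBuckets[h & nTableMask] on a table that, in the Tru64 dump, looks freed or never initialized, and in the posted reproducer logout.php calls session_unregister() without a preceding session_start(). The toy table below keeps the field names and the delete walk from the quoted zend_hash.c lines and adds the guard a defender would want: a NULL arBuckets is refused with an error code, and ht_destroy clears the pointer so a use-after-destroy hits that same guard instead of reading freed memory. The hash function, struct layout, bucket chaining and return codes are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy model of the chained hash table quoted from zend_hash.c in
 * this report. It is NOT PHP's code: the field names follow the gdb dump
 * (nTableSize, nTableMask, arBuckets, h, nKeyLength, arKey); the layout and
 * the hash function are simplifying assumptions. */
typedef struct bucket {
    unsigned long h;          /* hash of the key */
    unsigned int nKeyLength;  /* key length including the trailing NUL */
    char *arKey;
    struct bucket *pNext;     /* next bucket in the same arBuckets slot */
} Bucket;

typedef struct {
    unsigned int nTableSize;
    unsigned int nTableMask;  /* nTableSize - 1, e.g. 7 for a table of 8 */
    unsigned int nNumOfElements;
    Bucket **arBuckets;       /* NULL until ht_init(), NULL again after ht_destroy() */
} HashTable;

/* Stand-in for zend_inline_hash_func (assumption: any string hash will do). */
static unsigned long toy_hash(const char *arKey, unsigned int nKeyLength) {
    unsigned long h = 5381;
    for (unsigned int i = 0; i < nKeyLength; i++)
        h = h * 33 + (unsigned char)arKey[i];
    return h;
}

int ht_init(HashTable *ht, unsigned int size) {      /* size: a power of two */
    ht->nTableSize = size;
    ht->nTableMask = size - 1;
    ht->nNumOfElements = 0;
    ht->arBuckets = calloc(size, sizeof(Bucket *));
    return ht->arBuckets ? 0 : -1;
}

int ht_add(HashTable *ht, const char *arKey) {
    if (ht->arBuckets == NULL) return -2;
    unsigned int nKeyLength = (unsigned int)strlen(arKey) + 1;
    unsigned long h = toy_hash(arKey, nKeyLength);
    Bucket *p = malloc(sizeof *p);
    if (p == NULL) return -1;
    p->h = h;
    p->nKeyLength = nKeyLength;
    p->arKey = malloc(nKeyLength);
    if (p->arKey == NULL) { free(p); return -1; }
    memcpy(p->arKey, arKey, nKeyLength);
    p->pNext = ht->arBuckets[h & ht->nTableMask];   /* push onto the slot's chain */
    ht->arBuckets[h & ht->nTableMask] = p;
    ht->nNumOfElements++;
    return 0;
}

/* Same walk as the quoted lines 482-487: nIndex = h & nTableMask, then compare
 * hash and key bytes along the chain. Returns 0 when the key was removed,
 * -1 when it was absent, -2 when arBuckets is NULL. That last check is the
 * guard the quoted fragment lacks: without it, line 484 dereferences whatever
 * a never-initialized or already-freed table points at, which is the
 * situation both reporters describe. */
int ht_del_key(HashTable *ht, const char *arKey) {
    if (ht->arBuckets == NULL) return -2;
    unsigned int nKeyLength = (unsigned int)strlen(arKey) + 1;
    unsigned long h = toy_hash(arKey, nKeyLength);
    unsigned int nIndex = h & ht->nTableMask;
    Bucket **pp = &ht->arBuckets[nIndex];
    for (Bucket *p = *pp; p != NULL; pp = &p->pNext, p = p->pNext) {
        if (p->h == h && p->nKeyLength == nKeyLength &&
            memcmp(p->arKey, arKey, nKeyLength) == 0) {
            *pp = p->pNext;            /* unlink from the chain */
            free(p->arKey);
            free(p);
            ht->nNumOfElements--;
            return 0;
        }
    }
    return -1;
}

/* Frees every bucket and clears arBuckets so that any later use is caught by
 * the NULL guard instead of reading freed memory. */
void ht_destroy(HashTable *ht) {
    if (ht->arBuckets == NULL) return;
    for (unsigned int i = 0; i < ht->nTableSize; i++) {
        Bucket *p = ht->arBuckets[i];
        while (p != NULL) { Bucket *n = p->pNext; free(p->arKey); free(p); p = n; }
    }
    free(ht->arBuckets);
    ht->arBuckets = NULL;
    ht->nNumOfElements = 0;
}

/* login.php then logout.php with the table initialized first: the normal path. */
int replay_started_session(void) {
    HashTable ht;
    ht_init(&ht, 8);                       /* nTableSize 8, nTableMask 7 as in the dump */
    ht_add(&ht, "isloggedin");
    int rc = ht_del_key(&ht, "isloggedin");
    ht_destroy(&ht);
    return rc;                             /* 0 */
}

/* logout.php as posted: unregister on a table nothing has initialized. */
int replay_unregister_without_start(void) {
    HashTable ht = {0};                    /* arBuckets == NULL */
    return ht_del_key(&ht, "isloggedin");  /* -2 instead of SIGSEGV */
}

/* Unregister after destroy: the cleared pointer makes it an error, not a stale read. */
int replay_unregister_after_destroy(void) {
    HashTable ht;
    ht_init(&ht, 8);
    ht_add(&ht, "isloggedin");
    ht_destroy(&ht);
    return ht_del_key(&ht, "isloggedin");  /* -2 */
}

int main(void) {
    printf("started: %d, no start: %d, after destroy: %d\n",
           replay_started_session(), replay_unregister_without_start(),
           replay_unregister_after_destroy());
    return 0;
}
```

The guard costs one pointer comparison per delete and turns a crash (or, worse, a silent read of recycled memory) into a checkable error return; the same pattern is worth applying to the add and lookup paths, since the 2011 comments below hit the identical dereference from _zend_hash_add_or_update.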
 [2002-05-04 16:09 UTC] charlie at charliedyson dot net
Not much I can do: I've never hacked PHP, and I'm kinda busy at the moment. Have you tried watching arBuckets (whatever that is) in gdb? Maybe one of those libc-allocation-function-replacing libraries will work (electric fence, etc). Good luck, and thanks again.

BTW: I've been working on a different project with PHP, and had no problems whatsoever. This seems to be a pretty obscure thing. What does arBuckets do anyway?

Thanks,

Charlie Dyson - charlie@charliedyson.net
 [2002-06-17 19:53 UTC] sniper@php.net
I cannot reproduce this. Can you please try this snapshot:

http://snaps.php.net/php4-latest.tar.gz

 [2002-07-18 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a month, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 [2011-06-02 01:30 UTC] harman dot birdi at gmail dot com
I am trying to compile this using pdo_informix, and getting the same issue. Segfault in php-5.1.6/Zend/zend_hash.c (need to use php-5.1.6). If I don't build pdo_informix, then everything goes fine. Would appreciate any help to resolve this. I have tried PDO-INFORMIX-1.0.0 and the latest one.


It bombs on line 213 - p = ht->arBuckets[nIndex];

I am building this on RHEL5.5

Linux ******* 2.6.18-194.11.3.el5PAE #1 SMP Mon Aug 23 15:57:10 EDT 2010 i686 i686 i386 GNU/Linux

$ ./sapi/cli/php  -m
Segmentation fault
$ 



$ /usr/local/apache2/bin/httpd -v
Server version: Apache/2.2.3
Server built:   May 31 2011 16:43:58
$ 

My configure line

$ ./configure --with-apxs2=/usr/local/apache2/bin/apxs --enable-debug --disable-ftp --disable-inline-optimization --disable-magic-quotes --disable-mbstring --enable-wddx=shared --enable-xml --with-dom --with-regex=system --with-xml --with-jpeg-dir=/usr/lib --with-zlib-dir=/usr/lib --with-zlib --without-pdo-sqlite --without-iconv --without-sqlite --enable-shared --enable-pdo --with-pdo-informix=$INFORMIXDIR --with-informix=$INFORMIXDIR
 [2011-06-02 01:34 UTC] harman dot birdi at gmail dot com
Should have added this gdb output to my last entry.


$ gdb sapi/cli/php
GNU gdb (GDB) Red Hat Enterprise Linux (7.0.1-23.el5_5.2)
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from ~/software/php-5.1.6/sapi/cli/php...done.
(gdb) r
Starting program: ~/software/php-5.1.6/sapi/cli/php 
[Thread debugging using libthread_db enabled]

Program received signal SIGSEGV, Segmentation fault.
0x082432a1 in _zend_hash_add_or_update (ht=0x8367820, arKey=0x82d0385 "informix", nKeyLength=8, pData=0xbfffe510, nDataSize=4, pDest=0x0, flag=2,
    __zend_filename=0x82cc980 "~/software/php-5.1.6/ext/pdo/pdo.c", __zend_lineno=171)
    at ~/software/php-5.1.6/Zend/zend_hash.c:213
213             p = ht->arBuckets[nIndex];
(gdb)
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Apr 16 22:01:27 2024 UTC