Bug #19919 segmentation violation in sapi_apache_header_handler, mod_php4.c line 208
Submitted: 2002-10-15 12:07 UTC Modified: 2003-02-23 19:31 UTC
Votes:9
Avg. Score:5.0 ± 0.0
Reproduced:7 of 8 (87.5%)
Same Version:5 (71.4%)
Same OS:3 (42.9%)
From: dperham at wgate dot com Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 4.2.3, 4.3.0-Dev OS: FreeBSD 4.7
Private report: No CVE-ID:
 [2002-10-15 12:07 UTC] dperham at wgate dot com
Under heavy load, i.e., when the cpu load is 100%, I see http core-dumping in php (the same spot all the time) as shown in the following gdb backtrace.  It is a reproducible
bug under heavy load, but I do not have an isolated test
case that always causes the problem.

Since it only appears under load, it may be
a timing issue? 

It might be worth noting that output buffering is being
used on many of the pages.

PHP Version 4.2.3


System        FreeBSD intern6.eng.tvol.net 4.7-RC FreeBSD 4.7-RC #10: Mon
              Sep 23 09:44:37 EDT 2002 XXXXX:/usr/
              src/sys/compile/DEVEL i386

Build Date    Oct 9 2002 11:49:18

Configure     './configure' '--with-apxs=/usr/local/sbin/apxs'
Command       '--with-config-file-path=/usr/local/etc'
              '--enable-versioning' '--with-regex=system' '--without-gd'
              '--without-mysql' '--with-zlib' '--with-imap=/usr/local'
              '--with-pgsql=/usr/local' '--enable-wddx' '--with-gettext=/
              usr/local' '--enable-sockets' '--enable-trans-sid'
              '--with-expat-dir=/usr/local' '--prefix=/usr/local'
              'i386-portbld-freebsd4.7'

Server API    Apache

Server version: Apache/1.3.26 (Unix)
Server built:   Jul  1 2002 11:32:52
Server's Module Magic Number: 19990320:13


Core was generated by `httpd'.
Program terminated with signal 11, Segmentation fault.
#0  0x282207ab in sapi_apache_header_handler (sapi_header=0xbfbfe748, 
    sapi_headers=0x282edc70) at mod_php4.c:208
#0  0x282207ab in sapi_apache_header_handler (sapi_header=0xbfbfe748, 
    sapi_headers=0x282edc70) at mod_php4.c:208
#1  0x28227399 in sapi_add_header_ex (header_line=0x87b300c "Set-Cookie", 
    header_line_len=2226, duplicate=0 '\000', replace=0 '\000') at SAPI.c:558
#2  0x2827848e in php_setcookie (name=0x875a72c "TICS0", name_len=5, 
    value=0x87b000c "TG9naW58YToxMzp7czo1OiJCb3hJRCI7czoxMjoiMDAwMDAwMDAyNzY2IjtzOjc6IkJveFR5cGUiO3M6MToiNCI7czoxMzoiQ2hhbm5lbE51bWJlciI7czoxOiIwIjtzOjQ6Ik5vZGUiO3M6MToiMCI7czo5OiJTZXNzaW9uSUQiO3M6MTY6IjJNMVZGVlEwVVFPODU4"..., 
    value_len=2200, expires=0, path=0x875a80c "/", path_len=1, 
    domain=0x875a76c "", domain_len=0, secure=0) at head.c:124
#3  0x28278537 in zif_setcookie (ht=5, return_value=0x86b91ec, this_ptr=0x0, 
    return_value_used=0) at head.c:144
#4  0x28209541 in execute (op_array=0x86d2b80) at ./zend_execute.c:1598
#5  0x2820efe9 in call_user_function_ex (function_table=0x8100200, 
    object_pp=0x0, function_name=0x81bdeac, retval_ptr_ptr=0xbfbff2e0, 
    param_count=2, params=0x875a8ac, no_separation=1, symbol_table=0x0)
    at zend_execute_API.c:517
#6  0x2820ea74 in call_user_function (function_table=0x8100200, object_pp=0x0, 
    function_name=0x81bdeac, retval_ptr=0x879546c, param_count=2, 
    params=0xbfbff36c) at zend_execute_API.c:373
#7  0x28256dbf in ps_call_handler (func=0x81bdeac, argc=2, argv=0xbfbff36c)
    at mod_user.c:60
#8  0x28257164 in ps_write_user (mod_data=0x282edf30, 
    key=0x869908c "ab20624057e7dea39d78749f7119bee5", 
    val=0x81a680c "Login|a:13:{s:5:\"BoxID\";s:12:\"000000002766\";s:7:\"BoxType\";s:1:\"4\";s:13:\"ChannelNumber\";s:1:\"0\";s:4:\"Node\";s:1:\"0\";s:9:\"SessionID\";s:16:\"2M1VFVQ0UQO8582H\";s:9:\"LoginType\";s:2:\"WG\";s:6:\"TocsIP\";s:17:\"17"..., vallen=1650) at mod_user.c:148
#9  0x28253f62 in php_session_save_current_state () at session.c:589
#10 0x282564f9 in php_session_flush () at session.c:1457
#11 0x2825651c in zif_session_write_close (ht=0, return_value=0x86b94ec, 
    this_ptr=0x0, return_value_used=0) at session.c:1466
#12 0x28209541 in execute (op_array=0x86d2d80) at ./zend_execute.c:1598
#13 0x2820efe9 in call_user_function_ex (function_table=0x8100200, 
    object_pp=0x0, function_name=0x86b9b0c, retval_ptr_ptr=0xbfbff658, 
    param_count=2, params=0xbfbff660, no_separation=1, symbol_table=0x0)
    at zend_execute_API.c:517
#14 0x2822b4de in php_end_ob_buffer (send_buffer=1 '\001', just_flush=0 '\000')
    at output.c:177
#15 0x2822b7cf in php_end_ob_buffers (send_buffer=1) at output.c:268
#16 0x28223286 in php_request_shutdown (dummy=0x0) at main.c:763
#17 0x28220a43 in php_apache_request_shutdown (dummy=0x0) at mod_php4.c:317
#18 0x805008e in run_cleanups ()
#19 0x804f11f in ap_clear_pool ()
#20 0x804f180 in ap_destroy_pool ()
#21 0x804f10b in ap_clear_pool ()
#22 0x805a99a in child_main ()
#23 0x805af91 in make_child ()
#24 0x805b200 in perform_idle_server_maintenance ()
#25 0x805b6ad in standalone_main ()
#26 0x805bbdf in main ()
#27 0x804eb91 in _start ()


 [2002-10-15 12:21 UTC] rasmus@php.net
Hrm..  That's an odd segfault.  Could you type 'l' in gdb to get the source lines listed.  I want to make sure I have the right line.  In 4.2.3 line 208 in mod_php4.c is:

table_add(r->headers_out, header_name, header_content);

the only way I see for that to segfault is if r is bogus.  So please type, 'p r' and 'p *r' and let us know what that produces.
 [2002-10-15 14:46 UTC] dperham at wgate dot com
of course - I should have put that info in the
original post.  my apologies.

Bingo - null pointer.


#0  0x282207ab in sapi_apache_header_handler (sapi_header=0xbfbfe748, sapi_headers=0x282edc70)
    at mod_php4.c:208
208                     table_add(r->headers_out, header_name, header_content);
(gdb) l
203             } while (*header_content==' ');
204
205             if (!strcasecmp(header_name, "Content-Type")) {
206                     r->content_type = pstrdup(r->pool, header_content);
207             } else if (!strcasecmp(header_name, "Set-Cookie")) {
208                     table_add(r->headers_out, header_name, header_content);
209             } else {
210                     table_set(r->headers_out, header_name, header_content);
211             }
212
(gdb) p r
$2 = (request_rec *) 0x0
(gdb) up
#1  0x28227399 in sapi_add_header_ex (header_line=0x830700c "Set-Cookie", header_line_len=2238, 
    duplicate=0 '\000', replace=0 '\000') at SAPI.c:558
558                     retval = sapi_module.header_handler(&sapi_header, &SG(sapi_headers) TSRMLS_CC);
(gdb) l
553                             }
554                     }
555             }
556
557             if (sapi_module.header_handler) {
558                     retval = sapi_module.header_handler(&sapi_header, &SG(sapi_headers) TSRMLS_CC);
559             } else {
560                     retval = SAPI_HEADER_ADD;
561             }
562             if (retval & SAPI_HEADER_DELETE_ALL) {
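
The null `r` confirmed in the gdb session above, modelled as an added example (not code from this report or from PHP; the page does not show the fix that went into CVS). The struct, enum and function names are hypothetical stand-ins, and the model assumes the request pointer has already been reset when the shutdown callback runs, which is what `p r` shows.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Hypothetical stand-ins for Apache 1.3's request_rec and its header table. */
struct table { const char *name[8]; const char *value[8]; int n; };
struct request { struct table headers_out; const char *content_type; };

enum { HEADER_DROPPED = 0, HEADER_ADDED = 1 };

/* Per-request pointer the handler reads; NULL once the request is gone. */
static struct request *server_context;

static void table_add(struct table *t, const char *k, const char *v) {
    if (t->n < 8) { t->name[t->n] = k; t->value[t->n] = v; t->n++; }
}
static void table_set(struct table *t, const char *k, const char *v) {
    for (int i = 0; i < t->n; i++)
        if (!strcasecmp(t->name[i], k)) { t->value[i] = v; return; }
    table_add(t, k, v);
}

/* Same branch structure as the listing at mod_php4.c:205-211, plus a guard. */
int header_handler(const char *name, const char *content) {
    struct request *r = server_context;
    if (r == NULL)              /* late caller, e.g. a shutdown-time setcookie() */
        return HEADER_DROPPED;  /* without this, r->headers_out faults (line 208) */
    if (!strcasecmp(name, "Content-Type"))
        r->content_type = content;
    else if (!strcasecmp(name, "Set-Cookie"))
        table_add(&r->headers_out, name, content);  /* cookies accumulate */
    else
        table_set(&r->headers_out, name, content);  /* other headers replace */
    return HEADER_ADDED;
}

/* Replays the order in the backtrace: one header during the request, then one
 * from a shutdown callback (ob flush -> session write -> setcookie). */
int shutdown_sets_cookie(void) {
    struct request req;
    memset(&req, 0, sizeof req);
    server_context = &req;
    int during = header_handler("Set-Cookie", "TICS0=constructed");
    server_context = NULL;      /* assumption: reset before cleanups run */
    int after = header_handler("Set-Cookie", "TICS0=constructed");
    return during == HEADER_ADDED && after == HEADER_DROPPED
        && req.headers_out.n == 1;
}
```

The guard only turns the crash into a dropped header; a cookie set this late still never reaches the client, so the ordering of session write and request teardown is the thing to check in the application.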
 [2002-10-15 14:53 UTC] rasmus@php.net
Is this a single CPU machine?
 [2002-10-15 15:14 UTC] dperham at wgate dot com
Yes, it is a single cpu

hw.machine: i386
hw.model: AMD Athlon(tm) Processor
hw.ncpu: 1
hw.byteorder: 1234
hw.physmem: 533811200
hw.usermem: 462032896
hw.pagesize: 4096
hw.floatingpoint: 1
hw.machine_arch: i386
hw.ata.ata_dma: 1
hw.ata.wc: 1
hw.ata.tags: 0
hw.ata.atapi_dma: 0
hw.fxp_rnr: 0
hw.instruction_sse: 0
hw.availpages: 130159
hw.fxp0.int_delay: 1000
hw.fxp0.bundle_max: 6
 [2002-10-15 23:02 UTC] sniper@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php4-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php4-win32-latest.zip


 [2002-10-21 15:20 UTC] dperham at wgate dot com
Still core dumps using the latest snapshot.


PHP Version 4.3.0-dev


System         FreeBSD Server-0-2. 4.7-STABLE FreeBSD
               4.7-STABLE #27: Mon Oct i386
Build Date     Oct 17 2002 13:19:31
Configure      './configure' '--with-apxs=/usr/local/sbin/apxs'
Command        '--with-config-file-path=/usr/local/etc'
               '--enable-versioning' '--with-regex=system' '--without-gd'
               '--without-mysql' '--enable-debug' '--with-imap'
               '--with-pgsql' '--with-gettext' '--enable-track-vars'
               '--enable-wddx' '--disable-magic-quotes'
               '--enable-short-tags' '--enable-debug' '--with-zlib'
               '--with-imap=/usr/local' '--with-pgsql=/usr/local'
               '--enable-wddx' '--with-gettext=/usr/local'
               '--enable-sockets' '--enable-trans-sid' '--with-expat-dir=/
               usr/local' '--prefix=/usr/local' 'i386-portbld-freebsd4.7'
Server API     Apache
Virtual        disabled
Directory
Support
Configuration  /usr/local/www/data/php.ini
File
(php.ini)
Path
PHP API        20020307
PHP Extension  20020429
Zend           20021010
Extension
Debug Build    yes
Thread Safety  disabled
Registered     php, http, ftp, compress.zlib
PHP Streams


----------------------------------------------------------------------
Date: Mon, 21 Oct 2002 15:57:02 GMT

Core was generated by `httpd'.
Program terminated with signal 11, Segmentation fault.
#0  0x28309a83 in sapi_apache_header_handler (sapi_header=0xbfbfe3c0, 
    sapi_headers=0x2836f510)
    at /home/wgate/mod_php4/work/php4-200210160300/sapi/apache/mod_php4.c:188
#0  0x28309a83 in sapi_apache_header_handler (sapi_header=0xbfbfe3c0, 
    sapi_headers=0x2836f510)
    at /home/wgate/mod_php4/work/php4-200210160300/sapi/apache/mod_php4.c:188
#1  0x282c88dd in sapi_header_op (op=SAPI_HEADER_ADD, arg=0xbfbfe410)
    at /home/wgate/mod_php4/work/php4-200210160300/main/SAPI.c:629
#2  0x2827cd09 in php_setcookie (name=0x824d564 "TICS0", name_len=5, 
    value=0x82e7024 "TG9naW58YToxMzp7czo1OiJCb3hJRCI7czoxMjoiMDAwMDAwMDAyNzI4IjtzOjc6IkJveFR5cGUiO3M6MToiNCI7czoxMzoiQ2hhbm5lbE51bWJlciI7czoxOiIwIjtzOjQ6Ik5vZGUiO3M6MToiMCI7czo5OiJTZXNzaW9uSUQiO3M6MTY6IjJNMVZFRlEwVVI4OFBF"..., 
    value_len=2200, expires=0, path=0x824d724 "/", path_len=1, 
    domain=0x824d6a4 "", domain_len=0, secure=0)
    at /home/wgate/mod_php4/work/php4-200210160300/ext/standard/head.c:133
#3  0x2827cdcf in zif_setcookie (ht=5, return_value=0x8220f64, this_ptr=0x0, 
    return_value_used=0)
    at /home/wgate/mod_php4/work/php4-200210160300/ext/standard/head.c:155
#4  0x28302338 in execute (op_array=0x81b6c80)
    at /home/wgate/mod_php4/work/php4-200210160300/Zend/zend_execute.c:1599
#5  0x282e581b in call_user_function_ex (function_table=0x80cef00, 
    object_pp=0x0, function_name=0x81c2964, retval_ptr_ptr=0xbfbff1b8, 
    param_count=2, params=0x824d924, no_separation=1, symbol_table=0x0)
    at /home/wgate/mod_php4/work/php4-200210160300/Zend/zend_execute_API.c:561
#6  0x282e50e4 in call_user_function (function_table=0x80cef00, object_pp=0x0, 
    function_name=0x81c2964, retval_ptr=0x82c3c24, param_count=2, 
    params=0xbfbff234)
    at /home/wgate/mod_php4/work/php4-200210160300/Zend/zend_execute_API.c:403
#7  0x282550a3 in ps_call_handler (func=0x81c2964, argc=2, argv=0xbfbff234)
    at /home/wgate/mod_php4/work/php4-200210160300/ext/session/mod_user.c:60
#8  0x2825550c in ps_write_user (mod_data=0x2836e570, 
    key=0x81fc2a4 "10a5228266dd083119c5df2c9d5f0518", 
    val=0x80b2024 "Login|a:13:{s:5:\"BoxID\";s:12:\"000000002728\";s:7:\"BoxType\";s:1:\"4\";s:13:\"ChannelNumber\";s:1:\"0\";s:4:\"Node\";s:1:\"0\";s:9:\"SessionID\";s:16:\"2M1VEFQ0UR88PE0R\";s:9:\"LoginType\";s:2:\"WG\";s:6:\"TocsIP\";s:17:\"17"..., vallen=1650)
    at /home/wgate/mod_php4/work/php4-200210160300/ext/session/mod_user.c:148
#9  0x28251b2c in php_session_save_current_state ()
    at /home/wgate/mod_php4/work/php4-200210160300/ext/session/session.c:676
#10 0x282544e9 in php_session_flush ()
    at /home/wgate/mod_php4/work/php4-200210160300/ext/session/session.c:1553
#11 0x2825450c in zif_session_write_close (ht=0, return_value=0x82083a4, 
    this_ptr=0x0, return_value_used=0)
    at /home/wgate/mod_php4/work/php4-200210160300/ext/session/session.c:1562
#12 0x28302338 in execute (op_array=0x81b6e80)
    at /home/wgate/mod_php4/work/php4-200210160300/Zend/zend_execute.c:1599
#13 0x282e581b in call_user_function_ex (function_table=0x80cef00, 
    object_pp=0x0, function_name=0x8208be4, retval_ptr_ptr=0xbfbff760, 
    param_count=2, params=0xbfbff768, no_separation=1, symbol_table=0x0)
    at /home/wgate/mod_php4/work/php4-200210160300/Zend/zend_execute_API.c:561
#14 0x282d1865 in php_end_ob_buffer (send_buffer=1 '\001', just_flush=0 '\000')
    at /home/wgate/mod_php4/work/php4-200210160300/main/output.c:238
#15 0x282d1c0b in php_end_ob_buffers (send_buffer=1)
    at /home/wgate/mod_php4/work/php4-200210160300/main/output.c:332
#16 0x282c297a in php_request_shutdown (dummy=0x0)
    at /home/wgate/mod_php4/work/php4-200210160300/main/main.c:889
#17 0x28309d3b in php_apache_request_shutdown (dummy=0x0)
    at /home/wgate/mod_php4/work/php4-200210160300/sapi/apache/mod_php4.c:298
#18 0x805008e in run_cleanups ()
#19 0x804f11f in ap_clear_pool ()
#20 0x804f180 in ap_destroy_pool ()
#21 0x804f10b in ap_clear_pool ()
#22 0x805a99a in child_main ()
#23 0x805af91 in make_child ()
#24 0x805b200 in perform_idle_server_maintenance ()
#25 0x805b6ad in standalone_main ()
#26 0x805bbdf in main ()
#27 0x804eb91 in _start ()

------------------------------------------------------------------------------


(gdb) down
#0  0x28309a83 in sapi_apache_header_handler (sapi_header=0xbfbfe3c0, 
    sapi_headers=0x2836f510)
    at /home/wgate/mod_php4/work/php4-200210160300/sapi/apache/mod_php4.c:188
188                     table_add(r->headers_out, header_name, header_content);
(gdb) p r
$2 = (request_rec *) 0x0
 [2002-11-01 05:43 UTC] mbr at freebsd dot org
Hi all,

I see this happen here too ... Also FreeBSD 4.7
and PHP from cvs ...
 [2002-11-11 14:57 UTC] shade at chemlab dot org
I'm experiencing this issue on Solaris 8.  Under high load Apache cores every few minutes.  Processes seem to run away with the cpu and memory for a few minutes before coring.
 [2002-11-25 08:42 UTC] imajes@php.net
shade@chemlab.org:

are you seeing this core, or are you seeing random cores on high process usage?

 [2003-02-23 19:30 UTC] gschlossnagle@php.net
please try cvs.
 [2003-02-23 19:31 UTC] sniper@php.net
This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at http://snaps.php.net/.
 
In case this was a documentation problem, the fix will show up soon at
http://www.php.net/manual/.

In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites in short time.
 
Thank you for the report, and for helping us make PHP better.


 