php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #20986 PHP causes Apache to leak semaphores
Submitted: 2002-12-13 04:13 UTC Modified: 2003-01-07 01:00 UTC
From: louis at sixnet dot net Assigned:
Status: No Feedback Package: Apache related
PHP Version: 4.2.2 OS: RedHat Linux 7.1 & 8.0
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2002-12-13 04:13 UTC] louis at sixnet dot net
This bug has been discussed over at RedHat's Bugzilla.  See http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=70846

A quick synopsis of how I get it to misbehave:

Create the following simple PHP script and access it through a web browser:

<?php
  $crash = array( 0 => 2,
                 'test' => 2,
                  1 => 'hello',
                 'say' => 'hello',
                  2 => 42,
                 'life' => 42,
                  3 => 'this should help \'crash\' the machine',
                 'hoho' => 'this should help \'crash\' the machine');

  print_r($crash);

  for( $i=0; $i<count($crash); $i++ )
    $crash[$i] = stripslashes($crash[$i]);

  print_r($crash);
?>

It should die with an error similar to this:

Fatal error: Allowed memory size of 8388608 bytes exhausted (tried to allocate 35 bytes) in /home/****/crash.php on line 14

Reload this page a good 5-10 times.  If you run 'ipcs -s' and then restart apache and run 'ipcs -s' again you will find that the number of semaphore arrays has increased and the first few semid's are unchanged (not having been freed when apache shutdown?).

If you rinse and repeat the above with a crude shell script like:

while [ true ]; do
 wget -O - http://localhost/crash.php
 wget -O - http://localhost/crash.php
 wget -O - http://localhost/crash.php
 wget -O - http://localhost/crash.php
 wget -O - http://localhost/crash.php
 wget -O - http://localhost/crash.php
 wget -O - http://localhost/crash.php
 wget -O - http://localhost/crash.php
 wget -O - http://localhost/crash.php
 wget -O - http://localhost/crash.php
 ipcs -s|grep apache|wc
 /etc/rc.d/init.d/httpd restart
 sleep 1
 ipcs -s|grep apache|wc
done

then you'll find the semaphore array numbers increasing slowly and apache taking longer and longer to do each restart until eventually (once all 128 semaphore arrays are used) it refuses to start at all with the message reported earlier in this bug (70846):

Starting httpd: Ouch! ap_mm_create(1048576, "/var/run/httpd.mm.5619") failed
Error: MM: mm:core: failed to acquire semaphore (No space left on device): OS: Invalid argument
                                                           [FAILED]

Just restarting apache in a loop without loading crash.php on a freshly booted system does not cause the number of semaphores to spiral - it stays constant at 5.

This is verifyable on multiple RH7.1 and a RH8.0 machine, all fully updated through RHN (except for kernels).

RedHat have literally just released an updated mm package which stops the use of kernel semaphores so that the leaks should not cause Apache problems so quickly (ie more than 128 are now allowed), but none-the-less there RedHat agree there is still a PHP problem.

Louis

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2002-12-22 01:10 UTC] iliaa@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php4-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php4-win32-latest.zip


 [2003-01-07 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over 2 weeks, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 [2003-06-13 01:17 UTC] mee at huyou dot com
~ from china
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Mar 19 08:01:29 2024 UTC