Bug #24792 --enable-zend-multibyte causes segmentation fault in efree
Submitted: 2003-07-24 08:58 UTC Modified: 2003-08-08 06:05 UTC
From: tilman dot giese at gmx dot de Assigned: fujimoto
Status: Closed Package: mbstring related
PHP Version: 4.3.2 OS: Linux
Private report: No CVE-ID:
 [2003-07-24 08:58 UTC] tilman dot giese at gmx dot de
Description:
------------
I recently changed my Apache 2.0.47 to use the worker MPM instead of the prefork MPM. I compiled PHP as described below and realized that using phpMyAdmin very often caused my httpd to crash. A gdb backtrace shows that a segmentation fault in _efree is the reason. Same problem with 4.3.3RC1 but, as I said, I assume that changing the Apache MPM and thus compiling PHP with thread safety is the real reason. When producing the crash only the mysql extension is loaded.

Below is the output as generated by running 'make test':

OS:
Linux

Automake:
automake (GNU automake) 1.7.2
Written by Tom Tromey <tromey@redhat.com>.

Copyright 2002 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Autoconf:
autoconf (GNU Autoconf) 2.57
Written by David J. MacKenzie and Akim Demaille.

Copyright 2002 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Libtool:
ltmain.sh (GNU libtool) 1.4.3 (1.922.2.110 2002/10/23 01:39:54)

Compiler:
Reading specs from /usr/lib/gcc-lib/i586-suse-linux/3.3/specs
Configured with: ../configure --enable-threads=posix --prefix=/usr --with-local-prefix=/usr/local --infodir=/usr/share/info --mandir=/usr/share/man --libdir=/usr/lib --enable-languages=c,c++,f77,objc,java,ada --disable-checking --enable-libgcj --with-gxx-include-dir=/usr/include/g++ --with-slibdir=/lib --with-system-zlib --enable-shared --enable-__cxa_atexit i586-suse-linux
Thread model: posix
gcc version 3.3 (SuSE Linux)

Bison:
bison (GNU Bison) 1.75
Written by Robert Corbett and Richard Stallman.

Copyright (C) 2002 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Libraries:
	libcrypt.so.1 => /lib/libcrypt.so.1 (0x40024000)
	libnsl.so.1 => /lib/libnsl.so.1 (0x40055000)
	libpam.so.0 => /lib/libpam.so.0 (0x4006a000)
	libz.so.1 => /lib/libz.so.1 (0x40072000)
	libssl.so.0.9.6 => /usr/lib/libssl.so.0.9.6 (0x40082000)
	libcrypto.so.0.9.6 => /usr/lib/libcrypto.so.0.9.6 (0x400b2000)
	libresolv.so.2 => /lib/libresolv.so.2 (0x40189000)
	libm.so.6 => /lib/libm.so.6 (0x4019b000)
	libdl.so.2 => /lib/libdl.so.2 (0x401bd000)
	libpthread.so.0 => /lib/libpthread.so.0 (0x401c0000)
	libc.so.6 => /lib/libc.so.6 (0x40211000)
	/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)



================================================================================
PHPINFO
================================================================================
phpinfo()
PHP Version => 4.3.2

System => Linux nefertari 2.4.21-4-athlon #1 Fri Jul 4 11:17:40 UTC 2003 i686
Build Date => Jul 22 2003 12:26:03
Configure Command =>  './configure' '--prefix=/usr' '--mandir=/usr/share/man' '--with-apxs2' '--with-config-file-path=/etc' '--without-pear' '--enable-bcmath' '--enable-calendar' '--enable-dba=shared' '--enable-dbase' '--enable-dbx' '--enable-dio' '--enable-exif' '--enable-filepro' '--enable-ftp' '--enable-gd-native-ttf' '--enable-gd-jis-conv' '--enable-magic-quotes' '--enable-mbregex' '--enable-mbstring' '--enable-shmop' '--enable-sigchild' '--enable-sockets' '--enable-sysvmsg' '--enable-sysvsem' '--enable-sysvshm' '--enable-ucd-snmp-hack' '--enable-wddx' '--enable-xslt=shared' '--enable-yp' '--enable-zend-multibyte' '--with-bz2=shared' '--with-curl=shared' '--with-cyrus=shared' '--with-db4' '--with-dbm' '--with-dom=shared' '--with-dom-xslt' '--with-dom-exslt' '--with-flatfile' '--with-freetype-dir=/usr' '--with-fribidi=shared' '--with-gdbm' '--with-gd=shared' '--with-gettext=shared' '--with-gmp=shared' '--with-gnu-ld' '--with-hyperwave' '--with-iconv=shared' '--with-imap=shared' '--with-imap-ssl' '--with-java=shared' '--with-ldap=shared' '--with-mcal=shared,/usr' '--with-mcrypt=shared' '--with-mhash=shared' '--with-mime-magic' '--with-mysql=shared,/usr' '--with-ncurses=shared' '--with-ndbm' '--with-openssl' '--with-pgsql=shared' '--with-pic' '--with-qtdom=shared,/usr/lib/qt3' '--with-readline=shared' '--with-recode=shared' '--with-snmp=shared' '--with-t1lib' '--with-ttf' '--with-unixODBC=shared' '--with-xslt-sablot' '--with-zlib'
Server API => Command Line Interface
Virtual Directory Support => enabled
Configuration File (php.ini) Path => /etc/php.ini
PHP API => 20020918
PHP Extension => 20020429
Zend Extension => 20021010
Debug Build => no
Thread Safety => enabled
Registered PHP Streams => php, http, ftp, https, ftps, compress.zlib

Reproduce code:
---------------
I do not really know how to reproduce the segmentation fault but it occurs very often (but not always) when using phpMyAdmin which is up to now the only thing I am using. But I can provide further information on what can exactly cause the crash if you are interested.

Expected result:
----------------
Apache starts another (and maybe another) process (thread?) and one of these processes (threads?) does not get a segmentation fault and responds.


 [2003-07-24 09:10 UTC] iliaa@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

You are using a threaded environment, however you did not use the --enable-experimental-zts flag which enables thread safety and you are using extensions such as gd/ttf that are known not to be thread safe. Other extensions may be using non-thread-safe libraries as well.
The result is a random memory corruption that causes the crash you are seeing.
 [2003-07-24 09:19 UTC] tilman dot giese at gmx dot de
Looking at your configure script line 5723 enable_experimental_zts is automatically activated if Apache does not use the prefork MPM (which is the case). Besides, a phpinfo() says that thread safety has been activated. 

Concerning the extensions, I already wrote _only_ the MySQL extension is loaded, no gd/ttf extension.

So everything should be thread safe now, shouldn't it?
 [2003-07-24 09:24 UTC] iliaa@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

Your phpinfo() does not reflect the configure line you have used. So it does not appear you are using PHP you've compiled.

If you are only using PHP + MySQL then php should be thread safe, however I still recommend explicitly enabling --enable-experimental-zts
 [2003-07-24 12:47 UTC] tilman dot giese at gmx dot de
After having compiled PHP about a hundred times, I found out that using --enable-zend-multibyte causes the segmentation fault. Is the Zend Multibyte Support thread safe?
 [2003-07-24 13:56 UTC] iliaa@php.net
That is a possibility. Besides phpMyAdmin, do you have any other, preferably much smaller, scripts that could be used to replicate the crash?
 [2003-07-25 05:33 UTC] tilman dot giese at gmx dot de
As the segmentation fault only appears sporadically, it is not that easy to find out which code can cause it. But I will try my very best and inform you if I know anything. Meanwhile I compiled PHP with debugging support and got the following gdb output:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 114696 (LWP 28332)]
0x406d752f in _efree (ptr=0x2a, __zend_filename=0x407380de "Zend/zend_language_scanner.c", __zend_lineno=2870,
    __zend_orig_filename=0x0, __zend_orig_lineno=0) at /tmp/php-4.3.3RC1/Zend/zend_alloc.c:241
241             CALCULATE_REAL_SIZE_AND_CACHE_INDEX(p->size);
(gdb) bt
#0  0x406d752f in _efree (ptr=0x2a, __zend_filename=0x407380de "Zend/zend_language_scanner.c", __zend_lineno=2870,
    __zend_orig_filename=0x0, __zend_orig_lineno=0) at /tmp/php-4.3.3RC1/Zend/zend_alloc.c:241
#1  0x406c816c in shutdown_scanner (tsrm_ls=0x83a3608) at Zend/zend_language_scanner.c:2870
#2  0x406edc57 in zend_deactivate (tsrm_ls=0x83a3608) at /tmp/php-4.3.3RC1/Zend/zend.c:662
#3  0x406a97c8 in php_request_shutdown (dummy=0x0) at /tmp/php-4.3.3RC1/main/main.c:996
#4  0x407083ba in php_apache_request_dtor (r=0x8496100, tsrm_ls=0x83a3608)
    at /tmp/php-4.3.3RC1/sapi/apache2handler/sapi_apache2.c:445
#5  0x40708769 in php_handler (r=0x8496100) at /tmp/php-4.3.3RC1/sapi/apache2handler/sapi_apache2.c:541
#6  0x0806b6d8 in ap_run_handler ()
#7  0x0806bde9 in ap_invoke_handler ()
#8  0x08065e09 in ap_process_request ()
#9  0x08060afe in _start ()
#10 0x08076748 in ap_run_process_connection ()
#11 0x08076afe in ap_process_connection ()
#12 0x0806764f in ap_graceful_stop_signalled ()
#13 0x08067f15 in ap_graceful_stop_signalled ()
#14 0x402c06c6 in dummy_worker (opaque=0x2) at thread.c:127
#15 0x4033bd80 in pthread_start_thread () from /lib/libpthread.so.0
#16 0x4033be7e in pthread_start_thread_event () from /lib/libpthread.so.0
(gdb)
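An added triage helper, not part of the bug report or of PHP: it parses a constructed subset of the gdb backtrace above (embedded inline) and extracts what a first look at such a crash should answer: the faulting function, any argument of the faulting frame that cannot be a heap pointer (here ptr=0x2a, i.e. the scanner handed efree garbage rather than an allocation), and whether the crash sits in the request-shutdown path on a pthread worker, which matches the reporter's later observation that all scripts had already finished. The LOWEST_MAPPED threshold is an assumption of this example.

```python
import re

# Constructed sample: a subset of the gdb backtrace quoted in the report above
# (continuation lines are indented, exactly as gdb prints them).
BACKTRACE = """\
#0  0x406d752f in _efree (ptr=0x2a, __zend_filename=0x407380de "Zend/zend_language_scanner.c", __zend_lineno=2870,
    __zend_orig_filename=0x0, __zend_orig_lineno=0) at /tmp/php-4.3.3RC1/Zend/zend_alloc.c:241
#1  0x406c816c in shutdown_scanner (tsrm_ls=0x83a3608) at Zend/zend_language_scanner.c:2870
#2  0x406edc57 in zend_deactivate (tsrm_ls=0x83a3608) at /tmp/php-4.3.3RC1/Zend/zend.c:662
#3  0x406a97c8 in php_request_shutdown (dummy=0x0) at /tmp/php-4.3.3RC1/main/main.c:996
#4  0x407083ba in php_apache_request_dtor (r=0x8496100, tsrm_ls=0x83a3608)
    at /tmp/php-4.3.3RC1/sapi/apache2handler/sapi_apache2.c:445
#14 0x402c06c6 in dummy_worker (opaque=0x2) at thread.c:127
#15 0x4033bd80 in pthread_start_thread () from /lib/libpthread.so.0
"""

FRAME_RE = re.compile(r"^#(\d+)\s+0x[0-9a-f]+ in (\w+) \((.*)\)(?: (?:at|from) (\S+))?$")
ARG_RE = re.compile(r"(\w+)=(0x[0-9a-f]+|[^,\s]+)")
LOWEST_MAPPED = 0x1000  # assumption: the zero page is never mapped, so a smaller non-NULL pointer is garbage

def parse_backtrace(text):
    """Join gdb's indented continuation lines, then split each frame into func/args/location."""
    lines = []
    for line in text.splitlines():
        if line[:1].isspace() and lines:
            lines[-1] += " " + line.strip()
        elif line.strip():
            lines.append(line.rstrip())
    frames = []
    for line in lines:
        m = FRAME_RE.match(line)
        if not m:
            continue
        args = {name: val for name, val in ARG_RE.findall(m.group(3))}
        frames.append({"n": int(m.group(1)), "func": m.group(2), "args": args, "loc": m.group(4)})
    return frames

def triage(frames):
    """Answer: which function faulted, on which bogus pointer, and in what context."""
    top = frames[0]
    bogus = [(k, v) for k, v in top["args"].items()
             if v.startswith("0x") and 0 < int(v, 16) < LOWEST_MAPPED]
    funcs = {f["func"] for f in frames}
    return {
        "faulting_function": top["func"],
        "bogus_pointers": bogus,
        "in_request_shutdown": "php_request_shutdown" in funcs,
        "in_worker_thread": any(f["func"].startswith("pthread_") for f in frames),
    }

if __name__ == "__main__":
    print(triage(parse_backtrace(BACKTRACE)))
```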
 [2003-07-25 11:06 UTC] tilman dot giese at gmx dot de
I am not sure, but after experimenting a bit, it seems that all scripts are already finished when the segfault occurs. Unfortunately, there is no free debugger for Linux that provides debugging of remote connections and that makes it very complicated. I tried pear.php.net/apd and the trace files are complete and closed (the only difference is that sometimes another segfault occurs in a vfprintf call - but I assume that this can be closely related to my problem since php tries to free the memory and apd tries to print the memory (that is not allocated any more - I suppose)).
 [2003-08-08 06:05 UTC] fujimoto@php.net
This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at http://snaps.php.net/.
 
In case this was a documentation problem, the fix will show up soon at
http://www.php.net/manual/.

In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites in short time.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Wed Apr 16 10:02:09 2014 UTC