php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #35074 Call to virtual() causes Segmentation fault
Submitted: 2005-11-03 00:29 UTC Modified: 2005-11-07 23:16 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: jeff dot potter at hp dot com Assigned:
Status: Not a bug Package: Apache2 related
PHP Version: 5CVS, 4CVS (2005-11-04) (snap) OS: Linux (Redhat EL 3 i386)
Private report: No CVE-ID: None
View Developer Edit
 [2005-11-03 00:29 UTC] jeff dot potter at hp dot com 
Description:
------------
Just compiled and integrated PHP v4.4.1, and I get an immediate Segmentation fault on my first virtual() call. Same code works fine in PHP 4.3.11 & PHP 4.4.0.

Configure script:

./configure $php_dbg_flag --prefix=/opt/hp/hpsmh/php --with-apxs2=/opt/hp/hpsmh/sbin/apxs \
--with-dom=/opt/hp/hpsmh  --with-zlib --enable-bcmath --enable-calendar --enable-wddx --enable-ftp
make
make install

Platform:

RedHat Enterprise Linux Advanced Server 3 Update 2
Apache 2.0.48 with security patches


Reproduce code:
---------------
Just call virtual(some_uri).

Expected result:
----------------
My page rendered on the screen.

Actual result:
--------------
It looks like the rr->main structure in PHP_FUNCTION(virtual)is all zeros. 

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1469858896 (LWP 13252)]
ap_rflush (r=0x82ef088) at protocol.c:1561
1561        bb = apr_brigade_create(r->pool, c->bucket_alloc);

(gdb) bt
#0  ap_rflush (r=0x82ef088) at protocol.c:1561
#1  0xb71eba7f in zif_virtual (ht=1, return_value=0x839d264, this_ptr=0x0, return_value_used=0, tsrm_ls=0x8363dd8)
    at /usr/src/redhat/BUILD/cleansweep-2.1.14-10139/php-4.4.1/sapi/apache2handler/php_functions.c:101
#2  0xb71e2b59 in execute (op_array=0x83987b4, tsrm_ls=0x8363dd8)
    at /usr/src/redhat/BUILD/cleansweep-2.1.14-10139/php-4.4.1/Zend/zend_execute.c:1675
#3  0xb71cea6c in zend_execute_scripts (type=8, tsrm_ls=0x8363dd8, retval=0x0, file_count=3)
    at /usr/src/redhat/BUILD/cleansweep-2.1.14-10139/php-4.4.1/Zend/zend.c:938
#4  0xb71a5d3e in php_execute_script (primary_file=0xa863b830, tsrm_ls=0x8363dd8)
    at /usr/src/redhat/BUILD/cleansweep-2.1.14-10139/php-4.4.1/main/main.c:1743
#5  0xb71eb3ce in php_handler (r=0x82b8e50)
    at /usr/src/redhat/BUILD/cleansweep-2.1.14-10139/php-4.4.1/sapi/apache2handler/sapi_apache2.c:572
#6  0x080a5b1e in ap_run_handler (r=0x82b8e50) at config.c:151
#7  0x080a6039 in ap_invoke_handler (r=0x82b8e50) at config.c:358
#8  0x080a1d8f in ap_process_request (r=0x82b8e50) at http_request.c:246
#9  0x0809dd04 in ap_process_http_connection (c=0x82abf18) at http_core.c:250
#10 0x080adeca in ap_run_process_connection (c=0x82abf18) at connection.c:42
#11 0x080a2d3f in process_socket (p=0x82abdf0, sock=0x82abe28, my_child_num=0, my_thread_num=22,
    bucket_alloc=0x82addf8) at worker.c:520
#12 0x080a3332 in worker_thread (thd=0x81dbac8, dummy=0x82a5040) at worker.c:834
#13 0xb747551c in dummy_worker (opaque=0x81dbac8) at thread.c:88
#14 0xb744adec in start_thread () from /lib/tls/libpthread.so.0
#15 0xb7370e8a in clone () from /lib/tls/libc.so.6
(gdb)


Frame #0 Code

#0  ap_rflush (r=0x82ef088) at protocol.c:1561
1561        bb = apr_brigade_create(r->pool, c->bucket_alloc);

(gdb) print bb
$1 = (apr_bucket_brigade *) 0x839d264
(gdb) print *bb
$2 = {p = 0x0, list = {next = 0x0, prev = 0x10000}, bucket_alloc = 0x0}

gdb) print c->bucket_alloc
Cannot access memory at address 0x50
(gdb) print *c->bucket_alloc
Cannot access memory at address 0x50
(gdb) print &c->bucket_alloc
$3 = (struct apr_bucket_alloc_t **) 0x50

(gdb) print r->pool
$4 = (apr_pool_t *) 0x0
(gdb) print *r->pool
$5 = {parent = 0x82ef088, child = 0x6b637562, sibling = 0x2f737465, ref = 0x92e7887, cleanups = 0x7000058,
  allocator = 0x31, subprocesses = 0x0, abort_fn = 0, user_data = 0x0, tag = 0x0, active = 0x0, self = 0x0,
  self_first_avail = 0x0}
(gdb) print &r->pool
$6 = (apr_pool_t **) 0x82ef088


1555    AP_DECLARE(int) ap_rflush(request_rec *r)
1556    {
1557        conn_rec *c = r->connection;
1558        apr_bucket_brigade *bb;
1559        apr_bucket *b;
1560
1561        bb = apr_brigade_create(r->pool, c->bucket_alloc);
1562        b = apr_bucket_flush_create(c->bucket_alloc);
1563        APR_BRIGADE_INSERT_TAIL(bb, b);
1564        if (ap_pass_brigade(r->output_filters, bb) != APR_SUCCESS)
1565            return -1;
1566
1567        return 0;
1568    }

Frame #1 Code

(gdb) print rr->main
$7 = (request_rec *) 0x82ef088
(gdb) print *rr->main
$8 = {pool = 0x0, connection = 0x0, server = 0x0, next = 0x0, prev = 0x0, main = 0x0, the_request = 0x0,
  assbackwards = 0, proxyreq = 0, header_only = 0, protocol = 0x0, proto_num = 0, hostname = 0x0, request_time = 0,
  status_line = 0x0, status = 0, method = 0x0, method_number = 0, allowed = 0, allowed_xmethods = 0x0,
  allowed_methods = 0x0, sent_bodyct = 0, bytes_sent = 0, mtime = 0, chunked = 0, range = 0x0, clength = 0,
  remaining = 0, read_length = 0, read_body = 0, read_chunked = 0, expecting_100 = 0, headers_in = 0x0,
  headers_out = 0x0, err_headers_out = 0x0, subprocess_env = 0x0, notes = 0x0, content_type = 0x0, handler = 0x0,
  content_encoding = 0x0, content_languages = 0x0, vlist_validator = 0x0, user = 0x0, ap_auth_type = 0x0,
  no_cache = 0, no_local_copy = 0, unparsed_uri = 0x0, uri = 0x0, filename = 0x0, canonical_filename = 0x0,
  path_info = 0x0, args = 0x0, finfo = {pool = 0x0, valid = 0, protection = 0, filetype = APR_NOFILE, user = 0,
    group = 0, inode = 0, device = 0, nlink = 0, size = 0, csize = 0, atime = 0, mtime = 0, ctime = 0, fname = 0x0,
    name = 0x0, filehand = 0x0}, parsed_uri = {scheme = 0x0, hostinfo = 0x0, user = 0x0, password = 0x0,
    hostname = 0x0, port_str = 0x0, path = 0x0, query = 0x0, fragment = 0x0, hostent = 0x0, port = 0,
    is_initialized = 0, dns_looked_up = 0, dns_resolved = 0}, used_path_info = 0, per_dir_config = 0x0,
  request_config = 0x0, htaccess = 0x0, output_filters = 0x0, input_filters = 0x0, proto_output_filters = 0x0,
  proto_input_filters = 0x0, eos_sent = 0}

70      /* {{{ proto bool virtual(string uri)
71       Perform an apache sub-request */
72      PHP_FUNCTION(virtual)
73      {
74              zval **filename;
75              request_rec *rr;
76
77              if (ZEND_NUM_ARGS() != 1 || zend_get_parameters_ex(1, &filename) == FAILURE) {
78                      WRONG_PARAM_COUNT;
79              }
80
81              convert_to_string_ex(filename);
82
83
84              if (!(rr = php_apache_lookup_uri(Z_STRVAL_PP(filename) TSRMLS_CC))) {
85                      php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to include '%s' - URI lookup failed", Z_STRVAL_PP(filename));
86                      RETURN_FALSE;
87              }
88
89              if (rr->status != HTTP_OK) {
90                      php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to include '%s' - error finding URI", Z_STRVAL_PP(filename));
91                      ap_destroy_sub_req(rr);
92                      RETURN_FALSE;
93              }
94
95              /* Flush everything. */
96              php_end_ob_buffers(1 TSRMLS_CC);
97              php_header();
98
99              /* Ensure that the ap_r* layer for the main request is flushed, to
100              * work around http://issues.apache.org/bugzilla/show_bug.cgi?id=17629 */
101             ap_rflush(rr->main);
102
103             if (ap_run_sub_req(rr)) {
104                     php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to include '%s' - request execution failed", Z_STRVAL_PP(filename));
105                     ap_destroy_sub_req(rr);
106                     RETURN_FALSE;
107             }
108             ap_destroy_sub_req(rr);
109             RETURN_TRUE;
110     }
111     /* }}} */
112

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2005-11-03 09:10 UTC] derick@php.net 
Please try using this CVS snapshot:

  http://snaps.php.net/php4-STABLE-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php4-win32-STABLE-latest.zip
 [2005-11-03 17:16 UTC] jeff dot potter at hp dot com 
php4-STABLE-latest (php4-STABLE-200511031356) still appears to have the same symptoms as php-4.4.1

[Thu Nov 03 09:41:35 2005] [notice] child pid 4209 exit signal Segmentation fault (11)
[Thu Nov 03 09:41:37 2005] [notice] child pid 4264 exit signal Segmentation fault (11)
 [2005-11-03 21:53 UTC] sniper@php.net 
Please try using this CVS snapshot:

  http://snaps.php.net/php5-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5-win32-latest.zip
 [2005-11-03 23:42 UTC] jeff dot potter at hp dot com 
php5-latest.tar.gz (php5-200511031930)  Also fails with a Segmentation fault.

[Thu Nov 03 16:05:08 2005] [notice] child pid 21281 exit signal Segmentation fault (11)

[Thu Nov 03 16:05:10 2005] [notice] child pid 21317 exit signal Segmentation fault (11)

Summary:

php-4.3.11 - No issue
php-4.4.0  - No issue
php-4.4.1  - SEGMENTATION FAULT
php4-STABLE-200511031356 - SEGMENTATION FAULT
php5-200511031930 - SEGMENTATION FAULT
 [2005-11-05 16:59 UTC] sniper@php.net 
Does the GDB backtrace differ to the one with PHP 4?
 [2005-11-07 16:29 UTC] jeff dot potter at hp dot com 
The PHP 5 has a very similar gdb back trace:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1482818640 (LWP 30591)]
ap_rflush (r=0x8377af0) at protocol.c:1561
1561        bb = apr_brigade_create(r->pool, c->bucket_alloc);
(gdb) bt
#0  ap_rflush (r=0x8377af0) at protocol.c:1561
#1  0xb71715ac in zif_virtual (ht=1, return_value=0x83e2b48, return_value_ptr=0x0, this_ptr=0x0, return_value_used=0,
    tsrm_ls=0x838caa8)
    at /usr/src/redhat/BUILD/pickletown-php5/php5-200511031930/sapi/apache2handler/php_functions.c:103
#2  0xb70dd9c8 in zend_do_fcall_common_helper_SPEC (execute_data=0xa79dd4b0, tsrm_ls=0x838caa8)
    at /usr/src/redhat/BUILD/pickletown-php5/php5-200511031930/Zend/zend_vm_execute.h:188
#3  0xb70dd36e in execute (op_array=0x83e2830, tsrm_ls=0x838caa8)
    at /usr/src/redhat/BUILD/pickletown-php5/php5-200511031930/Zend/zend_vm_execute.h:88
#4  0xb70b8fd2 in zend_execute_scripts (type=8, tsrm_ls=0x838caa8, retval=0x0, file_count=3)
    at /usr/src/redhat/BUILD/pickletown-php5/php5-200511031930/Zend/zend.c:1087
#5  0xb707ccba in php_execute_script (primary_file=0xa79df820, tsrm_ls=0x838caa8)
    at /usr/src/redhat/BUILD/pickletown-php5/php5-200511031930/main/main.c:1677
#6  0xb7170ebe in php_handler (r=0x8373ae0)
    at /usr/src/redhat/BUILD/pickletown-php5/php5-200511031930/sapi/apache2handler/sapi_apache2.c:575
#7  0x080a5b1e in ap_run_handler (r=0x8373ae0) at config.c:151
#8  0x080a6039 in ap_invoke_handler (r=0x8373ae0) at config.c:358
#9  0x080a1d8f in ap_process_request (r=0x8373ae0) at http_request.c:246
#10 0x0809dd04 in ap_process_http_connection (c=0x8369bb0) at http_core.c:250
#11 0x080adeca in ap_run_process_connection (c=0x8369bb0) at connection.c:42
#12 0x080a2d3f in process_socket (p=0x8369a88, sock=0x8369ac0, my_child_num=0, my_thread_num=23,
    bucket_alloc=0x836ba90) at worker.c:520
#13 0x080a3332 in worker_thread (thd=0x81dbae8, dummy=0x8309bb8) at worker.c:834
#14 0xb747551c in dummy_worker (opaque=0x81dbae8) at thread.c:88
#15 0xb744adec in start_thread () from /lib/tls/libpthread.so.0
#16 0xb7370e8a in clone () from /lib/tls/libc.so.6
 [2005-11-07 18:17 UTC] sniper@php.net 
I see you're using worker MPM which is not supported.
Please try with the prefork MPM instead.
 [2005-11-07 20:06 UTC] jeff dot potter at hp dot com 
We have never used prefork on Linux or HP-UX.  I think what you are syaing is that PHP 4.4.1+ & PHP 5 latest is no longer thread safe.  This would explain why we see similar issues in Windows as well.  Is the Windows MPM not supported either?
 [2005-11-07 21:37 UTC] sniper@php.net 
No, I'm saying that it has never been thread safe. We never claimed it is. Anyway, can you reproduce this crash with the prefork MPM or not?
 [2005-11-07 22:25 UTC] jeff dot potter at hp dot com 
It would not be a simple matter to attempt to reproduce this issue with prefork.  Using prefork is not an option right now.  We are seeing similar symptoms on Windows (threaded) platforms.  Should I abandon working the issue through this channel?
 [2005-11-07 22:52 UTC] sniper@php.net 
If you're not willing to co-operate, we'll just ignore this then.
 [2005-11-07 23:16 UTC] jeff dot potter at hp dot com 
I will cooperate in debugging the failing configuration.  If you need more traces, have any suggestions, or want to work this issue, please let me know.  Otherwise, IGNORE FLAG acknowledged.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Wed Nov 19 07:00:01 2025 UTC