Bug #35074 Call to virtual() causes Segmentation fault
Submitted: 2005-11-03 00:29 UTC Modified: 2005-11-07 23:16 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: jeff dot potter at hp dot com Assigned:
Status: Not a bug Package: Apache2 related
PHP Version: 5CVS, 4CVS (2005-11-04) (snap) OS: Linux (Redhat EL 3 i386)
Private report: No CVE-ID: None
 [2005-11-03 00:29 UTC] jeff dot potter at hp dot com
Description:
------------
Just compiled and integrated PHP v4.4.1, and I get an immediate Segmentation fault on my first virtual() call. Same code works fine in PHP 4.3.11 & PHP 4.4.0.

Configure script:

./configure $php_dbg_flag --prefix=/opt/hp/hpsmh/php --with-apxs2=/opt/hp/hpsmh/sbin/apxs \
--with-dom=/opt/hp/hpsmh  --with-zlib --enable-bcmath --enable-calendar --enable-wddx --enable-ftp
make
make install

Platform:

RedHat Enterprise Linux Advanced Server 3 Update 2
Apache 2.0.48 with security patches


Reproduce code:
---------------
Just call virtual(some_uri).

Expected result:
----------------
My page rendered on the screen.

Actual result:
--------------
It looks like the rr->main structure in PHP_FUNCTION(virtual) is all zeros.

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1469858896 (LWP 13252)]
ap_rflush (r=0x82ef088) at protocol.c:1561
1561        bb = apr_brigade_create(r->pool, c->bucket_alloc);

(gdb) bt
#0  ap_rflush (r=0x82ef088) at protocol.c:1561
#1  0xb71eba7f in zif_virtual (ht=1, return_value=0x839d264, this_ptr=0x0, return_value_used=0, tsrm_ls=0x8363dd8)
    at /usr/src/redhat/BUILD/cleansweep-2.1.14-10139/php-4.4.1/sapi/apache2handler/php_functions.c:101
#2  0xb71e2b59 in execute (op_array=0x83987b4, tsrm_ls=0x8363dd8)
    at /usr/src/redhat/BUILD/cleansweep-2.1.14-10139/php-4.4.1/Zend/zend_execute.c:1675
#3  0xb71cea6c in zend_execute_scripts (type=8, tsrm_ls=0x8363dd8, retval=0x0, file_count=3)
    at /usr/src/redhat/BUILD/cleansweep-2.1.14-10139/php-4.4.1/Zend/zend.c:938
#4  0xb71a5d3e in php_execute_script (primary_file=0xa863b830, tsrm_ls=0x8363dd8)
    at /usr/src/redhat/BUILD/cleansweep-2.1.14-10139/php-4.4.1/main/main.c:1743
#5  0xb71eb3ce in php_handler (r=0x82b8e50)
    at /usr/src/redhat/BUILD/cleansweep-2.1.14-10139/php-4.4.1/sapi/apache2handler/sapi_apache2.c:572
#6  0x080a5b1e in ap_run_handler (r=0x82b8e50) at config.c:151
#7  0x080a6039 in ap_invoke_handler (r=0x82b8e50) at config.c:358
#8  0x080a1d8f in ap_process_request (r=0x82b8e50) at http_request.c:246
#9  0x0809dd04 in ap_process_http_connection (c=0x82abf18) at http_core.c:250
#10 0x080adeca in ap_run_process_connection (c=0x82abf18) at connection.c:42
#11 0x080a2d3f in process_socket (p=0x82abdf0, sock=0x82abe28, my_child_num=0, my_thread_num=22,
    bucket_alloc=0x82addf8) at worker.c:520
#12 0x080a3332 in worker_thread (thd=0x81dbac8, dummy=0x82a5040) at worker.c:834
#13 0xb747551c in dummy_worker (opaque=0x81dbac8) at thread.c:88
#14 0xb744adec in start_thread () from /lib/tls/libpthread.so.0
#15 0xb7370e8a in clone () from /lib/tls/libc.so.6
(gdb)


Frame #0 Code

#0  ap_rflush (r=0x82ef088) at protocol.c:1561
1561        bb = apr_brigade_create(r->pool, c->bucket_alloc);

(gdb) print bb
$1 = (apr_bucket_brigade *) 0x839d264
(gdb) print *bb
$2 = {p = 0x0, list = {next = 0x0, prev = 0x10000}, bucket_alloc = 0x0}

(gdb) print c->bucket_alloc
Cannot access memory at address 0x50
(gdb) print *c->bucket_alloc
Cannot access memory at address 0x50
(gdb) print &c->bucket_alloc
$3 = (struct apr_bucket_alloc_t **) 0x50

(gdb) print r->pool
$4 = (apr_pool_t *) 0x0
(gdb) print *r->pool
$5 = {parent = 0x82ef088, child = 0x6b637562, sibling = 0x2f737465, ref = 0x92e7887, cleanups = 0x7000058,
  allocator = 0x31, subprocesses = 0x0, abort_fn = 0, user_data = 0x0, tag = 0x0, active = 0x0, self = 0x0,
  self_first_avail = 0x0}
(gdb) print &r->pool
$6 = (apr_pool_t **) 0x82ef088


1555    AP_DECLARE(int) ap_rflush(request_rec *r)
1556    {
1557        conn_rec *c = r->connection;
1558        apr_bucket_brigade *bb;
1559        apr_bucket *b;
1560
1561        bb = apr_brigade_create(r->pool, c->bucket_alloc);
1562        b = apr_bucket_flush_create(c->bucket_alloc);
1563        APR_BRIGADE_INSERT_TAIL(bb, b);
1564        if (ap_pass_brigade(r->output_filters, bb) != APR_SUCCESS)
1565            return -1;
1566
1567        return 0;
1568    }

Frame #1 Code

(gdb) print rr->main
$7 = (request_rec *) 0x82ef088
(gdb) print *rr->main
$8 = {pool = 0x0, connection = 0x0, server = 0x0, next = 0x0, prev = 0x0, main = 0x0, the_request = 0x0,
  assbackwards = 0, proxyreq = 0, header_only = 0, protocol = 0x0, proto_num = 0, hostname = 0x0, request_time = 0,
  status_line = 0x0, status = 0, method = 0x0, method_number = 0, allowed = 0, allowed_xmethods = 0x0,
  allowed_methods = 0x0, sent_bodyct = 0, bytes_sent = 0, mtime = 0, chunked = 0, range = 0x0, clength = 0,
  remaining = 0, read_length = 0, read_body = 0, read_chunked = 0, expecting_100 = 0, headers_in = 0x0,
  headers_out = 0x0, err_headers_out = 0x0, subprocess_env = 0x0, notes = 0x0, content_type = 0x0, handler = 0x0,
  content_encoding = 0x0, content_languages = 0x0, vlist_validator = 0x0, user = 0x0, ap_auth_type = 0x0,
  no_cache = 0, no_local_copy = 0, unparsed_uri = 0x0, uri = 0x0, filename = 0x0, canonical_filename = 0x0,
  path_info = 0x0, args = 0x0, finfo = {pool = 0x0, valid = 0, protection = 0, filetype = APR_NOFILE, user = 0,
    group = 0, inode = 0, device = 0, nlink = 0, size = 0, csize = 0, atime = 0, mtime = 0, ctime = 0, fname = 0x0,
    name = 0x0, filehand = 0x0}, parsed_uri = {scheme = 0x0, hostinfo = 0x0, user = 0x0, password = 0x0,
    hostname = 0x0, port_str = 0x0, path = 0x0, query = 0x0, fragment = 0x0, hostent = 0x0, port = 0,
    is_initialized = 0, dns_looked_up = 0, dns_resolved = 0}, used_path_info = 0, per_dir_config = 0x0,
  request_config = 0x0, htaccess = 0x0, output_filters = 0x0, input_filters = 0x0, proto_output_filters = 0x0,
  proto_input_filters = 0x0, eos_sent = 0}

70      /* {{{ proto bool virtual(string uri)
71       Perform an apache sub-request */
72      PHP_FUNCTION(virtual)
73      {
74              zval **filename;
75              request_rec *rr;
76
77              if (ZEND_NUM_ARGS() != 1 || zend_get_parameters_ex(1, &filename) == FAILURE) {
78                      WRONG_PARAM_COUNT;
79              }
80
81              convert_to_string_ex(filename);
82
83
84              if (!(rr = php_apache_lookup_uri(Z_STRVAL_PP(filename) TSRMLS_CC))) {
85                      php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to include '%s' - URI lookup failed", Z_STRVAL_PP(filename));
86                      RETURN_FALSE;
87              }
88
89              if (rr->status != HTTP_OK) {
90                      php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to include '%s' - error finding URI", Z_STRVAL_PP(filename));
91                      ap_destroy_sub_req(rr);
92                      RETURN_FALSE;
93              }
94
95              /* Flush everything. */
96              php_end_ob_buffers(1 TSRMLS_CC);
97              php_header();
98
99              /* Ensure that the ap_r* layer for the main request is flushed, to
100              * work around http://issues.apache.org/bugzilla/show_bug.cgi?id=17629 */
101             ap_rflush(rr->main);
102
103             if (ap_run_sub_req(rr)) {
104                     php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to include '%s' - request execution failed", Z_STRVAL_PP(filename));
105                     ap_destroy_sub_req(rr);
106                     RETURN_FALSE;
107             }
108             ap_destroy_sub_req(rr);
109             RETURN_TRUE;
110     }
111     /* }}} */
112


 [2005-11-03 17:16 UTC] jeff dot potter at hp dot com
php4-STABLE-latest (php4-STABLE-200511031356) still appears to have the same symptoms as php-4.4.1

[Thu Nov 03 09:41:35 2005] [notice] child pid 4209 exit signal Segmentation fault (11)
[Thu Nov 03 09:41:37 2005] [notice] child pid 4264 exit signal Segmentation fault (11)
 [2005-11-03 21:53 UTC] sniper@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5-win32-latest.zip


 [2005-11-03 23:42 UTC] jeff dot potter at hp dot com
php5-latest.tar.gz (php5-200511031930) also fails with a Segmentation fault.

[Thu Nov 03 16:05:08 2005] [notice] child pid 21281 exit signal Segmentation fault (11)

[Thu Nov 03 16:05:10 2005] [notice] child pid 21317 exit signal Segmentation fault (11)

Summary:

php-4.3.11 - No issue
php-4.4.0  - No issue
php-4.4.1  - SEGMENTATION FAULT
php4-STABLE-200511031356 - SEGMENTATION FAULT
php5-200511031930 - SEGMENTATION FAULT
 [2005-11-05 16:59 UTC] sniper@php.net
Does the GDB backtrace differ to the one with PHP 4?

 [2005-11-07 16:29 UTC] jeff dot potter at hp dot com
PHP 5 has a very similar gdb backtrace:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1482818640 (LWP 30591)]
ap_rflush (r=0x8377af0) at protocol.c:1561
1561        bb = apr_brigade_create(r->pool, c->bucket_alloc);
(gdb) bt
#0  ap_rflush (r=0x8377af0) at protocol.c:1561
#1  0xb71715ac in zif_virtual (ht=1, return_value=0x83e2b48, return_value_ptr=0x0, this_ptr=0x0, return_value_used=0,
    tsrm_ls=0x838caa8)
    at /usr/src/redhat/BUILD/pickletown-php5/php5-200511031930/sapi/apache2handler/php_functions.c:103
#2  0xb70dd9c8 in zend_do_fcall_common_helper_SPEC (execute_data=0xa79dd4b0, tsrm_ls=0x838caa8)
    at /usr/src/redhat/BUILD/pickletown-php5/php5-200511031930/Zend/zend_vm_execute.h:188
#3  0xb70dd36e in execute (op_array=0x83e2830, tsrm_ls=0x838caa8)
    at /usr/src/redhat/BUILD/pickletown-php5/php5-200511031930/Zend/zend_vm_execute.h:88
#4  0xb70b8fd2 in zend_execute_scripts (type=8, tsrm_ls=0x838caa8, retval=0x0, file_count=3)
    at /usr/src/redhat/BUILD/pickletown-php5/php5-200511031930/Zend/zend.c:1087
#5  0xb707ccba in php_execute_script (primary_file=0xa79df820, tsrm_ls=0x838caa8)
    at /usr/src/redhat/BUILD/pickletown-php5/php5-200511031930/main/main.c:1677
#6  0xb7170ebe in php_handler (r=0x8373ae0)
    at /usr/src/redhat/BUILD/pickletown-php5/php5-200511031930/sapi/apache2handler/sapi_apache2.c:575
#7  0x080a5b1e in ap_run_handler (r=0x8373ae0) at config.c:151
#8  0x080a6039 in ap_invoke_handler (r=0x8373ae0) at config.c:358
#9  0x080a1d8f in ap_process_request (r=0x8373ae0) at http_request.c:246
#10 0x0809dd04 in ap_process_http_connection (c=0x8369bb0) at http_core.c:250
#11 0x080adeca in ap_run_process_connection (c=0x8369bb0) at connection.c:42
#12 0x080a2d3f in process_socket (p=0x8369a88, sock=0x8369ac0, my_child_num=0, my_thread_num=23,
    bucket_alloc=0x836ba90) at worker.c:520
#13 0x080a3332 in worker_thread (thd=0x81dbae8, dummy=0x8309bb8) at worker.c:834
#14 0xb747551c in dummy_worker (opaque=0x81dbae8) at thread.c:88
#15 0xb744adec in start_thread () from /lib/tls/libpthread.so.0
#16 0xb7370e8a in clone () from /lib/tls/libc.so.6
 [2005-11-07 18:17 UTC] sniper@php.net
I see you're using worker MPM which is not supported.
Please try with the prefork MPM instead.
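As an added example (not from this report or from the PHP project), the two checks an operator would script from this thread: identifying the compiled-in MPM from `httpd -l` output, and counting the "child pid ... exit signal Segmentation fault (11)" notices in the Apache error_log. The `httpd -l` sample is constructed; the error_log lines are the ones quoted in the report.

```python
import re

# Constructed sample of `httpd -l` output for a worker-MPM build (not taken from the report).
HTTPD_L_WORKER = """Compiled in modules:
  core.c
  worker.c
  http_core.c
  mod_so.c
"""

# Apache error_log lines quoted in the report, plus one unrelated notice for contrast.
ERROR_LOG = """[Thu Nov 03 09:41:35 2005] [notice] child pid 4209 exit signal Segmentation fault (11)
[Thu Nov 03 09:41:37 2005] [notice] child pid 4264 exit signal Segmentation fault (11)
[Thu Nov 03 09:41:40 2005] [notice] Apache/2.0.48 (Unix) configured -- resuming normal operations
"""

# Source-file names a static build lists in `httpd -l`; value is (MPM name, threaded?).
MPM_SOURCES = {"prefork.c": ("prefork", False), "worker.c": ("worker", True), "mpm_winnt.c": ("winnt", True)}

def compiled_mpm(httpd_l_output):
    """Return (mpm_name, threaded) for the first known MPM source in `httpd -l` output, else (None, None)."""
    for line in httpd_l_output.splitlines():
        if line.strip() in MPM_SOURCES:
            return MPM_SOURCES[line.strip()]
    return (None, None)

CHILD_EXIT_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[notice\] child pid (?P<pid>\d+) exit signal (?P<name>[^(]+?) \((?P<num>\d+)\)$")

def child_exit_events(log_text):
    """Extract (timestamp, pid, signal number) from 'child pid N exit signal ...' notices."""
    events = []
    for line in log_text.splitlines():
        m = CHILD_EXIT_RE.match(line)
        if m:
            events.append((m.group("ts"), int(m.group("pid")), int(m.group("num"))))
    return events

def assess(httpd_l_output, log_text, min_segfaults=2):
    """Flag the combination this report shows: a threaded MPM plus repeated child SIGSEGV (11) exits."""
    mpm, threaded = compiled_mpm(httpd_l_output)
    segfaults = [e for e in child_exit_events(log_text) if e[2] == 11]
    return {
        "mpm": mpm,
        "threaded": bool(threaded),
        "segfaults": len(segfaults),
        "suspect": bool(threaded) and len(segfaults) >= min_segfaults,
    }

if __name__ == "__main__":
    print(assess(HTTPD_L_WORKER, ERROR_LOG))
```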
 [2005-11-07 20:06 UTC] jeff dot potter at hp dot com
We have never used prefork on Linux or HP-UX. I think what you are saying is that PHP 4.4.1+ & PHP 5 latest is no longer thread safe. This would explain why we see similar issues in Windows as well. Is the Windows MPM not supported either?
 [2005-11-07 21:37 UTC] sniper@php.net
No, I'm saying that it has never been thread safe. We never claimed it is. Anyway, can you reproduce this crash with the prefork MPM or not?
 [2005-11-07 22:25 UTC] jeff dot potter at hp dot com
It would not be a simple matter to attempt to reproduce this issue with prefork.  Using prefork is not an option right now.  We are seeing similar symptoms on Windows (threaded) platforms.  Should I abandon working the issue through this channel?
 [2005-11-07 22:52 UTC] sniper@php.net
If you're not willing to co-operate, we'll just ignore this then.

 [2005-11-07 23:16 UTC] jeff dot potter at hp dot com
I will cooperate in debugging the failing configuration.  If you need more traces, have any suggestions, or want to work this issue, please let me know.  Otherwise, IGNORE FLAG acknowledged.