Bug #35140 Segmentation fault in shutdown_memory_manager
Submitted: 2005-11-07 16:34 UTC
Modified: 2005-11-24 01:00 UTC
Votes: 1
Avg. Score: 5.0 ± 0.0
Reproduced: 0 of 0 (0.0%)
From: jfbustarret at tf1 dot fr
Assigned:
Status: No Feedback
Package: Scripting Engine problem
PHP Version: 5CVS-2005-11-10 (snap)
OS: Linux
Private report: No
CVE-ID: None
 [2005-11-07 16:34 UTC] jfbustarret at tf1 dot fr
Description:
------------
Sometimes, some Apache processes segfault in shutdown_memory_manager.

Configuration : PHP 5.0.5/Linux/apache2



Reproduce code:
---------------
Unable to find the code that generates the segfault (the app is quite large)

Actual result:
--------------
Backtrace :

#0  0x40662c45 in shutdown_memory_manager (silent=1, full_shutdown=0)
    at /soft/sources/php/php-5.0.5/Zend/zend_alloc.c:485
485                             for (j=0; j<AG(cache_count)[i]; j++) {
(gdb) bt
#0  0x40662c45 in shutdown_memory_manager (silent=1, full_shutdown=0)
    at /soft/sources/php/php-5.0.5/Zend/zend_alloc.c:485
#1  0x40641b79 in php_request_shutdown (dummy=0x0)
    at /soft/sources/php/php-5.0.5/main/main.c:1236
#2  0x406a5114 in php_handler (r=0x82e06e0)
    at /soft/sources/php/php-5.0.5/sapi/apache2handler/sapi_apache2.c:436
(gdb) p alloc_globals.cache[i]
$2 = {0xb7179c38, 0xb7179c38, 0xb7179c38, 0xb7179c38, 0xb7179c38, 0xb7179c38,
  0xb7179c38, 0xb7179c38, 0xb7179c38, 0x0 <repeats 247 times>}
[ same pointer, multiple times !!! ]
(gdb) p alloc_globals.cache[i][j]
$3 = (void *) 0xb7179c38
(gdb) p *(zend_mem_header*) alloc_globals.cache[i][j]
$5 = {pNext = 0x0, pLast = 0x65646f6d, size = 0, cached = 0}

I tried recompiling with enable-debug, and I get "Only variables can be passed by reference" fatal errors in a function call that does not use references :
httpRedirect($referer.$urlReconstruite);
The function prototype is :
function httpRedirect($url) {

I am unable to reproduce the crash with enable-debug activated.

configure is :
'./configure' '--with-apxs2=/usr/sbin/apxs2' '--with-config-file-path=/etc' '--with-oci8' '--with-curl=/usr/lib' '--with-gd=shared' '--with-jpeg-dir=/usr/lib' '--with-png-dir=/usr/lib' '--with-freetype-dir=/usr/lib' '--enable-gd-native-ttf' '--with-zlib' '--with-mcrypt=/usr/lib' '--with-dom' '--enable-sockets' '--with-gmp=shared' '--without-pear' '--with-mysql=/usr' '--with-mysql-sock=/tmp/mysql.sock' '--with-imagick-gm' '--with-imagick=shared' 'CFLAGS=-O2 -g' '--with-snmp=shared' '--enable-ftp=shared' '--enable-soap=shared' '--enable-debug'

I tried the latest snapshot, but it crashes while trying to load the main php file.
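
A triage check for the state shown in the gdb session above, added here as an example and not part of the original report or of PHP's source: it counts repeated pointers in one allocator cache bucket (a free-block cache should list each block at most once) and tests whether a header word decodes as printable ASCII. The function names and the 256-slot bucket size (inferred from the 9 entries plus 247 zeros in the dump) are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <ctype.h>

#define MAX_CACHED_ENTRIES 256  /* assumed: 9 entries + 247 zeros in the dump */

/* Count slots in one cache bucket that repeat an earlier slot's pointer.
 * A healthy free-block cache holds each block at most once. */
size_t count_duplicate_slots(void *const *bucket, size_t count)
{
    size_t dups = 0;
    if (count > MAX_CACHED_ENTRIES) count = MAX_CACHED_ENTRIES;
    for (size_t i = 1; i < count; i++) {
        for (size_t j = 0; j < i; j++) {
            if (bucket[i] == bucket[j]) { dups++; break; }
        }
    }
    return dups;
}

/* If all four bytes of a 32-bit word are printable ASCII, write them in
 * little-endian (x86 memory) order to out[5] and return 1; else return 0. */
int word_as_ascii(uint32_t word, char out[5])
{
    for (int i = 0; i < 4; i++) {
        unsigned char c = (unsigned char)(word >> (8 * i));
        if (!isprint(c)) { out[0] = '\0'; return 0; }
        out[i] = (char)c;
    }
    out[4] = '\0';
    return 1;
}

int main(void)
{
    /* Sample input constructed from the values printed in the gdb session. */
    void *bucket[MAX_CACHED_ENTRIES] = {0};
    for (int i = 0; i < 9; i++) bucket[i] = (void *)(uintptr_t)0xb7179c38u;
    char text[5];
    printf("duplicate slots: %zu\n", count_duplicate_slots(bucket, 9));
    if (word_as_ascii(0x65646f6du, text))
        printf("pLast 0x65646f6d as bytes: \"%s\"\n", text);
    return 0;
}
```

A header field that reads as text is a common sign that string data was written over the block header, which is worth checking before assuming the allocator itself is at fault.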

 [2005-11-07 18:02 UTC] sniper@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5-win32-latest.zip


 [2005-11-10 10:31 UTC] jfbustarret at tf1 dot fr
With/without --enable-debug, php5-latest crashes in :

#0  0x4075c447 in _zend_hash_index_update_or_next_insert (ht=0x4089cd40, h=0,
    pData=0xbfee8100, nDataSize=12, pDest=0x0, flag=Variable "flag" is not available.
)
    at /soft/sources/php/php5-200511100730/Zend/zend_hash.c:354
#1  0x4075dc42 in zend_list_insert (ptr=0x0, type=0)
    at /soft/sources/php/php5-200511100730/Zend/zend_list.c:47
#2  0x4075dc67 in zend_register_resource (rsrc_result=0x0,
    rsrc_pointer=0x830b10c, rsrc_type=2)
    at /soft/sources/php/php5-200511100730/Zend/zend_list.c:99
#3  0x4072b228 in _php_stream_alloc (ops=0x0, abstract=0x0, persistent_id=0x0,
    mode=0x407cafb7 "rb", __php_stream_call_depth=5,
    __zend_filename=0x40806e28 "/soft/sources/php/php5-200511100730/main/streams/plain_wrapper.c", __zend_lineno=205,
    __zend_orig_filename=0x408048d4 "/soft/sources/php/php5-200511100730/main/main.c", __zend_orig_lineno=855)
    at /soft/sources/php/php5-200511100730/main/streams/streams.c:263
#4  0x4072e9c3 in _php_stream_fopen_from_fd (fd=27, mode=0x407cafb7 "rb",
    persistent_id=0x0, __php_stream_call_depth=4,
    __zend_filename=0x40806e28 "/soft/sources/php/php5-200511100730/main/streams/plain_wrapper.c", __zend_lineno=882,
    __zend_orig_filename=0x408048d4 "/soft/sources/php/php5-200511100730/main/main.c", __zend_orig_lineno=855)
    at /soft/sources/php/php5-200511100730/main/streams/plain_wrapper.c:205
#5  0x4072eb40 in _php_stream_fopen (
    filename=0x83170a8 "/data/www/www/htdocs/src/affichePage.php",
    mode=0x407cafb7 "rb", opened_path=0xbfee95f8, options=133,
    __php_stream_call_depth=3,
    __zend_filename=0x40806e28 "/soft/sources/php/php5-200511100730/main/streams/plain_wrapper.c", __zend_lineno=1233,
    __zend_orig_filename=0x408048d4 "/soft/sources/php/php5-200511100730/main/main.c", __zend_orig_lineno=855)
    at /soft/sources/php/php5-200511100730/main/streams/plain_wrapper.c:882
#6  0x4072ed65 in _php_stream_fopen_with_path (
    filename=0x83170a8 "/data/www/www/htdocs/src/affichePage.php",
    mode=0x407cafb7 "rb",
    path=0x82ec2e4 "/data/www/commons/commons:/data/www/www/htdocs/src:/data/www/commons/PEAR:/data/www/commons/conf:/data/www/www/conf:.",
    opened_path=0xbfee95f8, options=133, __php_stream_call_depth=2,
    __zend_filename=0x40806e28 "/soft/sources/php/php5-200511100730/main/streams/plain_wrapper.c", __zend_lineno=931,
    __zend_orig_filename=0x408048d4 "/soft/sources/php/php5-200511100730/main/main.c", __zend_orig_lineno=855)
    at /soft/sources/php/php5-200511100730/main/streams/plain_wrapper.c:1276
#7  0x4072b525 in _php_stream_open_wrapper_ex (
    path=0x83170a8 "/data/www/www/htdocs/src/affichePage.php",
    mode=0x407cafb7 "rb", options=141, opened_path=0xbfee95f8, context=0x0,
    __php_stream_call_depth=0,
    __zend_filename=0x408048d4 "/soft/sources/php/php5-200511100730/main/main.c", __zend_lineno=855, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /soft/sources/php/php5-200511100730/main/streams/streams.c:1771
#8  0x407186d3 in php_stream_open_for_zend (
    filename=0x83170a8 "/data/www/www/htdocs/src/affichePage.php",
    handle=0xbfee95f0) at /soft/sources/php/php5-200511100730/main/main.c:855
#9  0x40763a6a in zend_stream_open (
    filename=0x83170a8 "/data/www/www/htdocs/src/affichePage.php",
    handle=0xbfee95f0)
    at /soft/sources/php/php5-200511100730/Zend/zend_stream.c:47
#10 0x40763bc0 in zend_stream_fixup (file_handle=0xbfee95f0)
    at /soft/sources/php/php5-200511100730/Zend/zend_stream.c:62
#11 0x4073c010 in open_file_for_scanning (file_handle=0xbfee95f0)
    at zend_language_scanner.c:3070
#12 0x4073c6e9 in compile_file (file_handle=0xbfee95f0, type=2)
    at zend_language_scanner.c:3156
#13 0x4075256c in zend_execute_scripts (type=2, retval=0x0, file_count=1)
    at /soft/sources/php/php5-200511100730/Zend/zend.c:1079

(gdb) print ht
$1 = (HashTable *) 0x4089cd40
(gdb) print *ht
$2 = {nTableSize = 0, nTableMask = 0, nNumOfElements = 0,
  nNextFreeElement = 0, pInternalPointer = 0x0, pListHead = 0x0,
  pListTail = 0x0, arBuckets = 0x0, pDestructor = 0, persistent = 0 '\0',
  nApplyCount = 0 '\0', bApplyProtection = 0 '\0', inconsistent = 0}
 [2005-11-10 10:52 UTC] sniper@php.net
Do you load those shared extensions in your php.ini?
Can you try without them? And what is the shortest possible configure line you can reproduce this with?
 [2005-11-10 13:58 UTC] jfbustarret at tf1 dot fr
With :
'./configure' '--with-apxs2=/usr/sbin/apxs2' '--with-config-file-path=/etc' '--with-oci8=/soft/ora920' '--prefix=/soft/php-5-200511100730-20051110-debug' '--exec-prefix=/soft/php-5-200511100730-20051110-debug' '--without-pear' '--with-mysql=/usr' '--with-mysql-sock=/tmp/mysql.sock' 'CFLAGS=-O2 -g'

I get this crash :
#0  0x4070f068 in zend_clear_exception ()
    at /soft/sources/php/php5-200511100730/Zend/zend_exceptions.c:68
68              if (!EG(exception)) {
(gdb) bt
#0  0x4070f068 in zend_clear_exception ()
    at /soft/sources/php/php5-200511100730/Zend/zend_exceptions.c:68
#1  0x4071050d in zif_exception_getLine ()
    at /soft/sources/php/php5-200511100730/Zend/zend_exceptions.c:220
#2  0x4083acf8 in ?? ()
[snip]
#16 0xbf9233e8 in ?? ()
#17 0x40710537 in zif_exception_getFile (ht=137277364, return_value=0x2,
    return_value_ptr=0x3a97, this_ptr=0x0, return_value_used=137147524)
    at /soft/sources/php/php5-200511100730/Zend/zend_exceptions.c:209
#18 0x40710537 in zif_exception_getFile (ht=0, return_value=0x82eafb4,
    return_value_ptr=0x2, this_ptr=0x0, return_value_used=860730000)
    at /soft/sources/php/php5-200511100730/Zend/zend_exceptions.c:209
#19 0x406e2639 in zendparse () at zend_language_parser.c:4333
[snip]
(gdb) print executor_globals.exception
$1 = (zval *) 0x44238317
(gdb) print *executor_globals.exception
Cannot access memory at address 0x44238317

With more extensions, I have various crashes, like this one :
#0  0x406ed5fd in yy_push_state (new_state=1) at zend_language_scanner.c:6029
#1  0x406edfe7 in lex_scan (zendlval=0xbf8163d4)
    at zend_language_scanner.c:4418

I'll try the same with PHP-5.0.5.
 [2005-11-10 17:28 UTC] tony2001@php.net
Are you able to reproduce it with PHP CLI?
Why are you using those CFLAGS? 
Do you really need both ext/mysql && ext/oci8? If not, please remove at least one of them.
Do you use the new OCI8 (from PECL) or the old one?
 [2005-11-14 11:28 UTC] jfbustarret at tf1 dot fr
> Are you able to reproduce it with PHP CLI?
So far, no crash using CLI.

> Why are you using those CFLAGS?
Legacy shell script... -g -O2 is the default, so CFLAGS is useless.

> Do you really need both ext/mysql && ext/oci8? If not, please remove at least one of them.
Most servers need both. I'll remove ext/mysql & ext/oci8 where I can.

> Do you use the new OCI8 (from PECL) or the old one?
The new one. Some features of the PECL one are very useful.
 [2005-11-14 11:34 UTC] jfbustarret at tf1 dot fr
FYI, I have crashes on a server that loads the oci ext, but does not connect to oracle.

On this server, the crashes were in a template that uses mysql + jpgraph v2 + gd.
 [2005-11-14 11:38 UTC] tony2001@php.net
What MPM do you use with Apache2?
Are you able to reproduce it with prefork MPM?
 [2005-11-14 11:39 UTC] jfbustarret at tf1 dot fr
We use prefork
 [2005-11-15 11:00 UTC] dmitry@php.net
Please try to make a full rebuild (including extensions).

make clean ; make install
 [2005-11-15 11:18 UTC] jfbustarret at tf1 dot fr
Our standard procedure for building PHP is already :
configure
make clean
make
make install
(we even rm -rf the directory & untar the source package each time)

I am trying to get a new core with 5.0.5/enable-debug & various extensions.
 [2005-11-15 23:01 UTC] sniper@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5-win32-latest.zip

We're not interested in 5.0.5, we're interested if this happens with the latest CVS.
 [2005-11-16 16:08 UTC] jfbustarret at tf1 dot fr
I did some extensive tests with 5.1RC.

I did get a few random parsing errors :
#0  0x4070a2ad in yy_push_state (new_state=1) at zend_language_scanner.c:6031
#1  0x4070ac97 in lex_scan (zendlval=0xbf8c5764) at zend_language_scanner.c:4420
#2  0x407105a9 in zendlex (zendlval=0xbf8c5760) at /soft/sources/php/php5-200511160730/Zend/zend_compile.c:3971
#3  0x40709b07 in zendparse () at zend_language_parser.c:2644

Every core I got was on the same template. Most of the time, the template is correctly parsed, and sometimes it crashes (3 crashes in a few thousand compiles, about the same frequency as my 5.0.5 crash).

I'll try to extract the part of the template that crashes and put it online.

configure is the same as the beginning of the ticket, without enable-debug (I'm unable to get core files with enable-debug). No accelerator is used.
 [2005-11-16 16:23 UTC] tony2001@php.net
We really need a reproduce script.
 [2005-11-24 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 [2005-12-10 02:39 UTC] brion at pobox dot com
I'm having the segfault as well, with PHP 5.1.1/Linux/Apache 
1.3 (also had under Apache 2.0; switched to 1.3 to try to 
replicate more of our non-crashing PHP 4.4 setup from other 
machines).

The system is Fedora 2/x86; compiler is GCC 3.3.3.

The segfaulting condition develops after a full day or two 
of running with relatively light load; once it's started, 
all PHP requests seem to segfault this way until Apache is 
restarted. I have not been able to find a way to trigger it 
on command yet.

I am using the APC caching module (3.0.8); will try to 
confirm with it off as well.

# ./configure  --with-apxs=/usr/local/apache/bin/apxs --enable-memory-limit --enable-sysvsem --enable-sysvshm --with-bz2 --enable-ctype --with-iconv --enable-exif --enable-gettext --enable-mbstring --enable-shmop --enable-sockets --with-zlib --with-openssl --with-curl --with-dom --with-dom-xslt --with-dom-exslt --with-zlib --with-gd --with-mysql=/usr/local/mysql --with-record --enable-xslt --with-xslt-sablot --with-readline --with-xmlrpc

Apache 1.3.34 and PHP are compiled with CFLAGS='-g -O2' to 
enable debugging information, but I had the segfaults under 
the defaults as well.


Backtrace:
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 31234)]
0x4049db7c in shutdown_memory_manager (silent=0, full_shutdown=0)
    at /home/brion/src/php-5.1.1/Zend/zend_alloc.c:511
511                                     REMOVE_POINTER_FROM_LIST(ptr);
(gdb) bt
#0  0x4049db7c in shutdown_memory_manager (silent=0, full_shutdown=0)
    at /home/brion/src/php-5.1.1/Zend/zend_alloc.c:511
#1  0x4047bbca in php_request_shutdown (dummy=0x0)
    at /home/brion/src/php-5.1.1/main/main.c:1287
#2  0x4050d3c6 in apache_php_module_main (r=0x818a3bc, display_source_mode=0)
    at /home/brion/src/php-5.1.1/sapi/apache/sapi_apache.c:59
#3  0x4050dda0 in send_php (r=0x818a3bc, display_source_mode=0, filename=0x0)
    at /home/brion/src/php-5.1.1/sapi/apache/mod_php5.c:644
#4  0x4050d60b in send_parsed_php (r=0x818a3bc)
    at /home/brion/src/php-5.1.1/sapi/apache/mod_php5.c:659
#5  0x08069a46 in ap_invoke_handler (r=0x818a3bc) at http_config.c:475
#6  0x0807943f in process_request_internal (r=0x818a3bc) at http_request.c:1298
#7  0x080795ef in ap_process_request (r=0x818a3bc) at http_request.c:1314
#8  0x08072bfc in child_main (child_num_arg=0) at http_main.c:4787
#9  0x08072d9f in make_child (s=0x80a397c, slot=11, now=0) at http_main.c:4957
#10 0x08073042 in perform_idle_server_maintenance () at http_main.c:5142
#11 0x080737f9 in standalone_main (argc=1, argv=0xbfffea34) at http_main.c:5405
#12 0x08073d22 in main (argc=1, argv=0xbfffea34) at http_main.c:5658
(gdb) p alloc_globals.cache[i]
$1 = {0x4214bdac, 0x4214bf7c, 0x4214bf64, 0x4214bf44, 0x4214bdbc, 0x4214bd5c,
  0x4214bf9c, 0x0 <repeats 249 times>}
(gdb) p i
$2 = 0
(gdb) p alloc_globals.cache[i][j]
$3 = (void *) 0x4214bdac
(gdb) p *(zend_mem_header*) alloc_globals.cache[i][j]
$4 = {pNext = 0x0, pLast = 0x10, size = 0}
 