Bug #36884 *** glibc detected *** double free or corruption (!prev): 0x0000000000b4acc0 **
Submitted: 2006-03-28 09:40 UTC Modified: 2006-04-03 09:17 UTC
Votes:17
Avg. Score:4.6 ± 0.8
Reproduced:15 of 15 (100.0%)
Same Version:4 (26.7%)
Same OS:3 (20.0%)
From: guenther dot unterrainer at gknsintermetals dot com
Assigned:
Status: No Feedback
Package: Apache related
PHP Version: 4.4.2
OS: SLES9 SP3 x86-64
Private report: No
CVE-ID: None

 [2006-03-28 09:40 UTC] guenther dot unterrainer at gknsintermetals dot com
Description:
------------
When I walk through my php-program I accidentally get the following errors in apache error.log:

[Mon Mar 27 14:50:24 2006] [notice] Accept mutex: sysvsem (Default: sysvsem)
*** glibc detected *** double free or corruption (!prev): 0x0000000000b4acc0 ***
[Mon Mar 27 14:52:16 2006] [notice] child pid 15561 exit signal Segmentation fault (11)
[Mon Mar 27 14:53:59 2006] [notice] child pid 15558 exit signal Segmentation fault (11)
*** glibc detected *** double free or corruption (out): 0x0000000000f16c90 ***
*** glibc detected *** free(): invalid next size (fast): 0x0000000000f16c60 ***
*** glibc detected *** corrupted double-linked list: 0x0000000000f16c50 ***
*** glibc detected *** free(): invalid pointer: 0x0000000000f16c88 ***

Then the site crashes and the error.log file reaches approx. 300 MB (always with the last error message: *** glibc detected *** free(): invalid pointer: 0x0000000000f16c88 ***)

Same Problem with PHP 4.4.1

Apache Version is 1.3.34 with PHP as static module.



 [2006-03-28 09:58 UTC] tony2001@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc.

If possible, make the script source available online and provide
an URL to it here. Try to avoid embedding huge scripts into the report.


 [2006-03-28 11:06 UTC] guenther dot unterrainer at gknsintermetals dot com
Now I compiled PHP with --enable-debug and get the following in apache error.log. Result is the same: the site crashes.

[Tue Mar 28 10:54:37 2006] [notice] Apache/1.3.34 (Unix) mod_gzip/1.3.26.1a PHP/4.4.2 configured -- resuming normal operations
[Tue Mar 28 10:54:37 2006] [notice] Accept mutex: sysvsem (Default: sysvsem)
[Tue Mar 28 10:56:47 2006]  Script:  '/www/servers/obd/htdocs/obd/modules/salesControlNew/index.php'
---------------------------------------
/install/web/php-4.4.2/Zend/zend_execute_API.c(289) : Block 0x00FA4910 status:
/install/web/php-4.4.2/Zend/zend_variables.c(44) : Actual location (location was relayed)
Beginning:  	OK (allocated on /install/web/php-4.4.2/ext/standard/var_unserializer.c:696, 5 bytes)
      End:	Overflown (magic=0xFA49588FCC84 instead of 0x2A8FCC84)
          	3 byte(s) overflown
---------------------------------------
[Tue Mar 28 10:57:40 2006] [notice] child pid 7962 exit signal Segmentation fault (11)
[Tue Mar 28 10:59:01 2006] [notice] child pid 7964 exit signal Segmentation fault (11)
[Tue Mar 28 10:59:16 2006] [notice] child pid 7966 exit signal Segmentation fault (11)
[Tue Mar 28 11:00:10 2006]  Script:  '/www/servers/obd/htdocs/obd/modules/budget/index.php'
---------------------------------------
/install/web/php-4.4.2/Zend/zend_hash.c(561) : Block 0x00E0B3F0 status:
Beginning:  	OK (allocated on /install/web/php-4.4.2/Zend/zend_hash.c:419, 71 bytes)
      End:	Overflown (magic=0xE0B47884 instead of 0x2A8FCC84)
          	3 byte(s) overflown
---------------------------------------
*** glibc detected *** double free or corruption (!prev): 0x00000000010738c0 ***
[Tue Mar 28 11:00:16 2006] [notice] child pid 7987 exit signal Segmentation fault (11)
[Tue Mar 28 11:00:16 2006] [notice] child pid 7988 exit signal Segmentation fault (11)
[Tue Mar 28 11:00:21 2006] [notice] child pid 7972 exit signal Segmentation fault (11)
[Tue Mar 28 11:00:24 2006]  Script:  '/www/servers/obd/htdocs/obd/modules/salesFunnel/salesFunnel.php'
---------------------------------------
/install/web/php-4.4.2/Zend/zend_execute.h(44) : Block 0x00F630F0 status:
Beginning:  	OK (allocated on /install/web/php-4.4.2/ext/standard/var_unserializer.c:230, 24 bytes)
      End:	Overflown (magic=0x00F63148 instead of 0x2A8FCC84)
          	4 byte(s) overflown
---------------------------------------
[Tue Mar 28 11:00:25 2006] [notice] child pid 7998 exit signal Segmentation fault (11)
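
The Zend debug-allocator reports and glibc aborts in the log above can be grouped by allocation site with a small parser. This is an added example, not part of the original report or of PHP itself; the names `triage` and `allocation_sites` are hypothetical, and the sample lines are taken from the excerpt above with whitespace normalised.

```python
import re
from collections import Counter

# Lines taken from the --enable-debug error.log excerpt above (tabs replaced by spaces).
SAMPLE = """\
[Tue Mar 28 10:56:47 2006]  Script:  '/www/servers/obd/htdocs/obd/modules/salesControlNew/index.php'
/install/web/php-4.4.2/Zend/zend_execute_API.c(289) : Block 0x00FA4910 status:
/install/web/php-4.4.2/Zend/zend_variables.c(44) : Actual location (location was relayed)
Beginning:   OK (allocated on /install/web/php-4.4.2/ext/standard/var_unserializer.c:696, 5 bytes)
      End: Overflown (magic=0xFA49588FCC84 instead of 0x2A8FCC84)
           3 byte(s) overflown
[Tue Mar 28 11:00:10 2006]  Script:  '/www/servers/obd/htdocs/obd/modules/budget/index.php'
/install/web/php-4.4.2/Zend/zend_hash.c(561) : Block 0x00E0B3F0 status:
Beginning:   OK (allocated on /install/web/php-4.4.2/Zend/zend_hash.c:419, 71 bytes)
      End: Overflown (magic=0xE0B47884 instead of 0x2A8FCC84)
           3 byte(s) overflown
*** glibc detected *** double free or corruption (!prev): 0x00000000010738c0 ***
"""

SCRIPT = re.compile(r"Script:\s+'([^']+)'")
BLOCK = re.compile(r"^(\S+)\((\d+)\) : Block (0x[0-9A-Fa-f]+) status:")
ALLOC = re.compile(r"allocated on (\S+):(\d+), (\d+) bytes\)")
OVER = re.compile(r"(\d+) byte\(s\) overflown")
GLIBC = re.compile(r"\*\*\* glibc detected \*\*\* (?:/\S+: )?(.+?): 0x[0-9a-fA-F]+ \*\*\*")

def triage(log_text):
    """Return (list of overflow reports, Counter of glibc abort kinds)."""
    reports, glibc, script, cur = [], Counter(), None, None
    for line in log_text.splitlines():
        if m := SCRIPT.search(line):
            script = m.group(1)          # request the following reports belong to
        elif m := BLOCK.match(line):
            cur = {"script": script, "detected_at": f"{m.group(1)}:{m.group(2)}"}
        elif cur is not None and (m := ALLOC.search(line)):
            cur["allocated_at"] = f"{m.group(1)}:{m.group(2)}"
            cur["size"] = int(m.group(3))
        elif cur is not None and (m := OVER.search(line)):
            cur["overflow"] = int(m.group(1))
            reports.append(cur)          # the overflow count closes one block report
            cur = None
        elif m := GLIBC.search(line):
            glibc[m.group(1)] += 1
    return reports, glibc

def allocation_sites(reports):
    """Count overflown blocks per allocating source file (basename only)."""
    return Counter(r["allocated_at"].rsplit("/", 1)[-1].split(":")[0] for r in reports)
```

Grouping by `allocated_at` rather than `detected_at` points at the code that owns the damaged block, which is usually the more useful lead when asking for a reduced test case.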
 [2006-03-28 11:09 UTC] tony2001@php.net
We still need a short but complete reproduce code.
 [2006-03-28 12:17 UTC] guenther dot unterrainer at gknsintermetals dot com
<?php
require("obd/scripts/obdStartPage.script.php");
require_once("./TSlsBdgInitForm.class.inc");
$cAppForm = new TSlsBdgInitForm("index.php");
require("obd/scripts/obdStartDoc.script.php");
$cAppForm->printHtmlForm();
require("obd/scripts/obdFinishDoc.script.php");
?>
 [2006-03-28 12:23 UTC] bjori@php.net
....with no includes
 [2006-03-28 12:23 UTC] mike@php.net
No external files please.
 [2006-03-28 12:27 UTC] guenther dot unterrainer at gknsintermetals dot com
<?php
$msg = "I tried to explain but your system tells me: Please do not SPAM our bug system. Is there another way to communicate?";
?>
 [2006-03-28 12:28 UTC] tony2001@php.net
We need a *SHORT* but *COMPLETE* reproduce code.
If you're unable to paste it here - please make it as SHORT as you can and put it somewhere on the net.
 [2006-09-14 17:40 UTC] albertof at barrahome dot org
I got the same error:

*** glibc detected *** free(): invalid pointer: 0x09586360 ***
*** glibc detected *** free(): invalid pointer: 0x099f2360 ***
*** glibc detected *** free(): invalid pointer: 0x0a0f1360 ***


root@srv101 [/usr/local/apache/conf]# php -v
PHP 4.4.4 (cli) (built: Sep 14 2006 14:21:20)
Copyright (c) 1997-2006 The PHP Group
Zend Engine v1.3.0, Copyright (c) 1998-2004 Zend Technologies
    with Zend Extension Manager v1.0.10, Copyright (c) 2003-2006, by Zend Technologies
    with Zend Optimizer v3.0.0, Copyright (c) 1998-2006, by Zend Technologies
*** glibc detected *** corrupted double-linked list: 0x09328b90 ***
Aborted (core dumped)
root@srv101 [/usr/local/apache/conf]#

I solved it by disabling the Zend Optimizer module.
 [2006-10-04 22:31 UTC] egon at inf dot ufpr dot br
Man, this was very difficult to track down. I spent some hours locating the problem and trying to isolate it. To me it has nothing to do with databases or accelerators. Apparently it has to do with a lot of classes in an array. I'm using PHP 4.4.2-1build1 on Ubuntu 6.06.
You need to have some high limit on php.ini's memory_limit (to me 512M was enough). The 'magical' number 16000 on the code above can be lowered to 3000 to crash my 1GRam machine but I had to increase it to 16000 to crash my 2GRam server.
I have a production server down now because of this, any suggestions? Downgrading perhaps?
We will be glad to cooperate with more info.
Thanks,


<?php
class Field {
        var $name,$type,$value, $length, $allownull, $description, $long_description, $validation, $accepted_values, $default_value;
        function Field($name, $type, $length, $allownull, $description, $default=NULL,$long_description=NULL) {
                $this->name=$name;
                $this->type=$type;
                $this->length=$length;
                $this->allownull=$allownull;
                $this->description=$description;
                $this->long_description=$long_description;
                $this->default_value=$default;
                $this->validation=NULL;
                $this->accepted_values=NULL;
        }
}
class DBObject {
        function DBObject($conn=NULL) {
                $this->setupFields();
                $this->conn=$conn;
                $this->orderby=array();
        }
        function addField($name, $type, $length, $allownull, $description, $default=NULL,$long_description=NULL) {
                $this->field[$name]["obj"]=new Field($name, $type, $length, $allownull, $description, $default,$long_description);
        }
}
class SomeTable extends DBObject {
        function setupFields() {
                for ($i=0;$i<26;$i++)
                        $this->addField("field$i", "string", 11, false, "Some field");
        }
}
function crashMe() {
        $x=new SomeTable(NULL);
        $arr=array();
        for($i=0;$i<16000;$i++) {
                $m=new SomeTable(NULL);
                $arr[]=$m;
        }
        return $arr;
}
crashMe();
echo "I've not crashed?";
?>
 [2006-10-04 22:35 UTC] egon at inf dot ufpr dot br
By the way, I've got several types of errors, it appears to be random:


[Wed Oct 04 17:51:18 2006] [notice] child pid 12451 exit signal Segmentation fault (11)

*** glibc detected *** free(): invalid next size (fast): 0x08202798 ***
[Wed Oct 04 17:58:35 2006] [notice] child pid 12693 exit signal Aborted (6)


77*** glibc detected *** corrupted double-linked list: 0xb7b7d358 ***
[Wed Oct 04 19:21:51 2006] [notice] child pid 12731 exit signal Aborted (6)
 [2006-10-05 16:53 UTC] egon at inf dot ufpr dot br
The above code works fine in 5.1. It crashes on PHP 4.3.4, 4.4.2 and 4.4.4 on both linux/windows.
 [2006-10-05 21:14 UTC] ndickerson at gmi-mr dot com
I have also encountered this bug on php 4.3.10 using php xmlrpc libraries (phpxmlrpc.sourceforge.net) and processing an array of 20,000 records using the library, which happens to create a large number of objects.

*** glibc detected *** double free or corruption (!prev): 0x0fbf24b8 ***

is followed by some

*** glibc detected *** corrupted double-linked list: 0x006f4858 ***

There are also some other errors that I have lost that occur in the place of the double free or corruption error.

This works fine when it is not processing as many objects.
 [2006-10-11 14:01 UTC] kutovoy at gmail dot com
The same errors on big arrays of objects. On PHP 4.4.2, I'm now trying to figure out a working version of PHP.

*** glibc detected *** free(): invalid pointer: 0x08925b00 ***
[Wed Oct 11 09:26:06 2006] [notice] child pid 2610 exit signal Aborted (6)
[Wed Oct 11 09:28:38 2006] [error] [client 194.247.xxx.yyy] File does not exist: /xxx/htdocs/yyy/favicon.ico
[Wed Oct 11 10:58:43 2006] [notice] child pid 4059 exit signal Segmentation fault (11)

and similar with *** glibc detected *** corrupted double-linked list:
 [2006-10-13 08:13 UTC] kutovoy at gmail dot com
I found out, after some headache with debugging and testing, that this problem (in my case) was connected with unpacking (gz) corrupted (truncated) data from the database. I stored compressed data in a TEXT field, but the data was 85Kb in length and was truncated to 65535. I think gzuncompress causes those glibc errors. After altering the field to LONGBLOB the problem was gone.

Good luck!
 [2007-05-23 04:41 UTC] tuliogs at pgt dot mpt dot gov dot br
As noted in the notes for Oracle Functions online documentation, this issue was already solved in PECL oci8 1.2.1 and later, but is still present in 4.4.7. To solve this, you'll have to go through the following steps (modified from Rainer Klier's notes on that page):

0. (before anything): be sure to have the path to instantclient in your LD_LIBRARY_PATH

1. download latest oci8-package from http://pecl.php.net/package/oci8
(if you already have PHP installed), just do "pecl download oci8"

2. extract package somewhere

3. go to php-4.4.x-source directory

4. rm -rf ext/oci8

5. cp extracted oci8-1.2.x directory to/as ext/oci8

6. make distclean

7. If you use autoconf 2.5 and later (maybe other versions too), present in updated RedHat/CentOS 4.4 and 5, you MUST delete PHP's configure script, or it will do nothing:
rm configure

8. ./buildconf --force

9. ./configure (with the options you need) --with-oci8=instantclient,/path/to/instantclient
(notice you'll be using PHP5 syntax for --with-oci8)

10. make

11. ONLY for x86_64, and not really mandatory (same effect as manually editing "memory_limit = 128M" in php.ini, if existing):
11.1. create pear-install.ini:
-----------------------------------------------
[PHP]

memory_limit = 128M
------------------------------------------------

11.2. edit Makefile:
replace:
PEAR_INSTALL_FLAGS = -n -dshort_open_tag=0 -dsafe_mode=0
with:
PEAR_INSTALL_FLAGS = -cpear-install.ini -dshort_open_tag=0 -dsafe_mode=0

12. make install

13. if not already, set LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/path/to/instantclient" in your environment (one of profile, apachectl, or /etc/rc.d/init.d/httpd scripts, as you prefer) BEFORE starting Apache. No need to set TNS_ADMIN and tnsnames.ora for Instant Client, IF and only if Oracle's easy syntax is available - see http://download-east.oracle.com/docs/cd/B12037_01/network.101/b10775/naming.htm#i498306

14. have fun!

One example of easily reproducing sample for this issue is phpBB-3.0-RC1. I know it's not small, but it's very easy and simple to pick, and you'll probably get this kind of error still in the install screens, past the database settings.

Now I think it's past time to update oci8, ;) this bug is really more than just an annoyance.

*Note: presently, oci8 v1.2.3 may cause the following warning in some scripts: "ocilogoff(): supplied resource is not a valid oci8 connection resource in /path/to/script", but this is less troublesome and easily treated with adjusting logging facilities in php.ini while the scripts are adjusted. Cheers!
 [2007-11-15 06:55 UTC] dombug at aggmedia dot net
Been seeing the double linked list problem reported in bug #37201 and tried to reproduce it using simple code, but ended up instead reproducing this bug instead. I'm guessing they're related.

Working on a more detailed backtrace (w/gdb/enable-debug), php config, and PHP 4.4.8 (untested), but for now here is the reproduce that segfaults on PHP 4.3.8 and 4.4.0, followed by the simple backtrace.

Looks like a problem with cyclic references, in that an object with a dom as a property of itself, will seemingly corrupt memory if the dom is modified. See the code below.

PHPINFO
-------

PHP Version => 4.4.0

System => Linux lnx04 2.6.16.21-0.8-smp #1 SMP Mon Jul 3 18:25:39 UTC 2006 x86_64
Build Date => Aug 28 2007 12:57:58
Configure Command =>  './configure' '--prefix=/usr' '--datadir=/usr/share/php' '--mandir=/usr/share/man' '--bindir=/usr/bin' '--libdir=/usr/share' '--includedir=/usr/include' '--sysconfdir=/etc' '--with-_lib=lib64' '--with-config-file-path=/etc' '--with-exec-dir=/usr/lib64/php/bin' '--disable-debug' '--enable-inline-optimization' '--enable-memory-limit' '--enable-magic-quotes' '--enable-safe-mode' '--enable-sigchild' '--disable-ctype' '--disable-session' '--without-mysql' '--disable-cli' '--without-pear' '--with-openssl' '--enable-force-cgi-redirect' '--enable-discard-path' '--enable-cli' '--with-pear' 'x86_64-suse-linux'


REPRODUCE
---------

class dummy {
    var $dom = null;
    var $me = null;
    function setDomByXpath ($xpath, $value) {
        $context = $this->dom->xpath_new_context();
        $result = xpath_eval($context, $xpath);
        $nodes = $result->nodeset;
        $nodes[0]->set_content($value);
    }
}
$xml = '<a><b/></a>';
$o = new dummy();
$o->dom = domxml_open_mem($xml);
$o->setDomByXpath('/a/b','xxxx'); // comment this out and it works
$o->me = $o;
$o->me = $o; // comment this out and it works
echo $o->dom->dump_mem()."\n";
echo time().': '.memory_get_usage();flush();


SEGFAULT
--------

user@lnx04:/tmp> ./domtest.php 
<?xml version="1.0"?>
<a><b>xxxx</b></a>

1195108231: 46536*** glibc detected *** /usr/local/bin/php: double free or corruption (!prev): 0x000000000074d310 ***
======= Backtrace: =========
/lib64/libc.so.6[0x2b459279a37e]
/lib64/libc.so.6(__libc_free+0x6c)[0x2b459279b99c]
/usr/local/bin/php(shutdown_memory_manager+0x9b)[0x4cdb4b]
/usr/local/bin/php(php_request_shutdown+0x2ec)[0x4afbbc]
/usr/local/bin/php(main+0x33f)[0x4fb3df]
/lib64/libc.so.6(__libc_start_main+0xf4)[0x2b459274c154]
/usr/local/bin/php[0x41fd59]
 