Bug #43295 php-cgi crash
Submitted: 2007-11-14 14:41 UTC Modified: 2007-12-03 16:19 UTC
Votes:36
Avg. Score:4.8 ± 0.7
Reproduced:32 of 33 (97.0%)
Same Version:31 (96.9%)
Same OS:5 (15.6%)
From: pioklo at serveradmin dot pl Assigned: dmitry
Status: Closed Package: CGI/CLI related
PHP Version: 5.2.5 OS: Debian 4.0 kernel 2.6.23.1
Private report: No CVE-ID:
 [2007-11-14 14:41 UTC] pioklo at serveradmin dot pl

 [2007-11-14 19:50 UTC] pioklo at serveradmin dot pl

 [2007-11-14 23:35 UTC] jani@php.net
First of all: disable ALL 3rd-party shared extensions (like xcache, for starters). If after that you're still able to reproduce this, generate a clean backtrace.
 [2007-11-17 20:53 UTC] pioklo at serveradmin dot pl
I have disabled Xcache and recompiled php with --enable-debug

I spawned php process using spawn-fcgi from lighttpd

---------------------------------------
[Sat Nov 17 21:40:49 2007]  Script:  '/home/admin/domains/poszkole.pl/public_html/beta/gry.php'
---------------------------------------
/root/php-5.2.5/main/SAPI.c(445) : Block 0x08820bec status:
Invalid pointer: ((size=0x00000000) != (next.prev=0x0000000e))
Invalid pointer: ((prev=0x0000000e) != (prev.size=0x086a56d8))
---------------------------------------
[Sat Nov 17 21:41:02 2007]  Script:  '/home/admin/domains/poszkole.pl/public_html/beta/gry.php'
---------------------------------------
/root/php-5.2.5/main/SAPI.c(445) : Block 0x0881dc44 status:
Beginning:      Freed (magic=0x00000010, expected=0x99954317)
    Start:      Overflown (magic=0x914E91A4 instead of 0x3AF0ADC9)
                At least 4 bytes overflown
[Sat Nov 17 21:42:58 2007]  Script:  '/home/admin/domains/poszkole.pl/public_html/beta/gry.php'
---------------------------------------
/root/php-5.2.5/main/SAPI.c(445) : Block 0x08861764 status:
Beginning:      Freed (magic=0x00000007, expected=0x99954317)
    Start:      Overflown (magic=0x00000080 instead of 0x3AF0ADC9)
                At least 4 bytes overflown
[Sat Nov 17 21:42:59 2007]  Script:  '/home/admin/domains/poszkole.pl/public_html/beta/gry.php'
---------------------------------------
/root/php-5.2.5/main/SAPI.c(445) : Block 0x08824004 status:
Invalid pointer: ((size=0x00000041) != (next.prev=0x086ee1f4))
[Sat Nov 17 21:43:59 2007]  Script:  '/home/admin/domains/poszkole.pl/public_html/beta/gry.php'
---------------------------------------
/root/php-5.2.5/main/SAPI.c(445) : Block 0x08822308 status:
Invalid pointer: ((size=0x00000041) != (next.prev=0x00000000))
[Sat Nov 17 21:46:46 2007]  Script:  '/home/admin/domains/poszkole.pl/public_html/beta/gry.php'
---------------------------------------
/root/php-5.2.5/main/SAPI.c(445) : Block 0x08822bec status:
Invalid pointer: ((prev=0x000000fc) != (prev.size=0x3af0adc9))
---------------------------------------
[Sat Nov 17 21:47:13 2007]  Script:  '/home/admin/domains/poszkole.pl/public_html/beta/gry.php'
---------------------------------------
/root/php-5.2.5/main/SAPI.c(445) : Block 0x08828034 status:
Invalid pointer: ((size=0x0000000a) != (next.prev=0x5a5a5a5a))
[Sat Nov 17 21:47:18 2007]  Script:  '/home/admin/domains/poszkole.pl/public_html/beta/gry.php'
---------------------------------------
/root/php-5.2.5/main/SAPI.c(445) : Block 0x08823344 status:
Invalid pointer: ((size=0x0000002d) != (next.prev=0x00000089))
zend_mm_heap corrupted
[Sat Nov 17 21:49:03 2007]  Script:  '/home/admin/domains/poszkole.pl/public_html/beta/gry.php'
---------------------------------------
/root/php-5.2.5/main/SAPI.c(445) : Block 0x0886192c status:
Invalid pointer: ((size=0x000000ac) != (next.prev=0x5a5a5a5a))


Regards,
Piotr
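Piotr's log above is what PHP's debug memory manager (a build configured with --enable-debug) prints at request shutdown when it finds a corrupted block. Every record names the same free site, main/SAPI.c(445), regardless of which script ran, which is the clue that later pointed at the engine rather than at the scripts. The parser below is an added example written for this page, not code from PHP or from the reporter; it reads that log format from a constructed sample (made-up script paths, block addresses copied from the page), groups the findings per script and per free site, and flags the case where every corrupted block was freed from a single location. It assumes each log entry is on its own line (lines rewrapped by a mail client or bug tracker must be rejoined first).

```python
import re
from collections import Counter

# Constructed sample in the format of the --enable-debug allocator report.
SAMPLE_LOG = """\
[Sat Nov 17 21:40:49 2007]  Script:  '/var/www/example/a.php'
---------------------------------------
/root/php-5.2.5/main/SAPI.c(445) : Block 0x08820bec status:
Invalid pointer: ((size=0x00000000) != (next.prev=0x0000000e))
Invalid pointer: ((prev=0x0000000e) != (prev.size=0x086a56d8))
---------------------------------------
[Sat Nov 17 21:41:02 2007]  Script:  '/var/www/example/b.php'
---------------------------------------
/root/php-5.2.5/main/SAPI.c(445) : Block 0x0881dc44 status:
Beginning:      Freed (magic=0x00000010, expected=0x99954317)
    Start:      Overflown (magic=0x914E91A4 instead of 0x3AF0ADC9)
                At least 4 bytes overflown
[Sat Nov 17 21:47:18 2007]  Script:  '/var/www/example/a.php'
---------------------------------------
/root/php-5.2.5/main/SAPI.c(445) : Block 0x08823344 status:
Invalid pointer: ((size=0x0000002d) != (next.prev=0x00000089))
zend_mm_heap corrupted
"""

# One regex per line shape the allocator emits.
SCRIPT_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+Script:\s+'(?P<script>[^']*)'")
BLOCK_RE = re.compile(r"^(?P<file>\S+)\((?P<line>\d+)\) : Block (?P<addr>0x[0-9a-fA-F]+) status:")
INVALID_RE = re.compile(
    r"^Invalid pointer: \(\((?P<lhs>[a-z.]+)=(?P<lv>0x[0-9a-fA-F]+)\) != "
    r"\((?P<rhs>[a-z.]+)=(?P<rv>0x[0-9a-fA-F]+)\)\)")
GUARD_RE = re.compile(r"^\s*(?P<where>Beginning|Start|End):\s+(?P<state>Freed|Overflown)")
FATAL = "zend_mm_heap corrupted"


def parse_mm_log(text):
    """Return one record per request: ts, script, free site, block address,
    list of (kind, detail) findings, and whether the heap was declared corrupt."""
    records = []
    cur = None
    for line in text.splitlines():
        m = SCRIPT_RE.match(line)
        if m:
            cur = {"ts": m["ts"], "script": m["script"], "site": None,
                   "block": None, "findings": [], "fatal": False}
            records.append(cur)
            continue
        if cur is None:
            continue  # noise before the first Script: header
        m = BLOCK_RE.match(line)
        if m:
            cur["site"] = f"{m['file']}:{m['line']}"
            cur["block"] = int(m["addr"], 16)
            continue
        m = INVALID_RE.match(line)
        if m:
            # Free-list linkage of the block disagrees with its neighbours.
            cur["findings"].append(("invalid_pointer", f"{m['lhs']}!={m['rhs']}"))
            continue
        m = GUARD_RE.match(line)
        if m:
            # "Freed" = header magic no longer matches a live block;
            # "Overflown" = a guard zone was written past. Keep the allocator's label.
            kind = "bad_header" if m["state"] == "Freed" else "overflow"
            cur["findings"].append((kind, f"{m['where'].lower()}:{m['state']}"))
            continue
        if line.strip() == FATAL:
            cur["fatal"] = True
    return records


def summarize(records):
    """Counts that answer the triage questions: which scripts, which free site, which kind."""
    return {
        "by_script": Counter(r["script"] for r in records),
        "by_site": Counter(r["site"] for r in records if r["site"]),
        "by_kind": Counter(kind for r in records for kind, _ in r["findings"]),
        "fatal": sum(1 for r in records if r["fatal"]),
    }


def single_free_site(records):
    """Triage heuristic: when every corrupted block was freed from the same file:line,
    the suspect is that engine/SAPI code path rather than the individual scripts."""
    sites = {r["site"] for r in records if r["site"]}
    return sites.pop() if len(sites) == 1 else None


if __name__ == "__main__":
    recs = parse_mm_log(SAMPLE_LOG)
    print(summarize(recs))
    print("single free site:", single_free_site(recs))
```

Run against a real log, the interesting output is `by_site`: many distinct scripts collapsing onto one `file:line` is the pattern Jani's request to "disable all 3rd-party extensions and get a clean backtrace" is meant to isolate, since it separates an engine-side teardown bug from extension or script-specific memory misuse.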
 [2007-11-17 21:46 UTC] pioklo at serveradmin dot pl
Below is a clean backtrace:
Hardware is OK because I have tested this on 5 different servers.

ns79:~# gdb /usr/local/bin/php-cgi /home/admin/domains/poszkole.pl/public_html/beta/core
GNU gdb 6.6.90.20070912-debian
Copyright (C) 2007 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...
Using host libthread_db library "/lib/libthread_db.so.1".

warning: Can't read pathname for load map: Input/output error.
Reading symbols from /lib/libcrypt.so.1...done.
Loaded symbols for /lib/libcrypt.so.1
Reading symbols from /lib/librt.so.1...done.
Loaded symbols for /lib/librt.so.1
Reading symbols from /usr/local/mysql/lib/mysql/libmysqlclient.so.15...done.
Loaded symbols for /usr/local/mysql/lib/mysql/libmysqlclient.so.15
Reading symbols from /usr/lib/libz.so.1...done.
Loaded symbols for /usr/lib/libz.so.1
Reading symbols from /usr/local/lib/libiconv.so.2...done.
Loaded symbols for /usr/local/lib/libiconv.so.2
Reading symbols from /usr/local/lib/libfreetype.so.6...done.
Loaded symbols for /usr/local/lib/libfreetype.so.6
Reading symbols from /usr/local/lib/libpng.so.3...done.
Loaded symbols for /usr/local/lib/libpng.so.3
Reading symbols from /lib/libresolv.so.2...done.
Loaded symbols for /lib/libresolv.so.2
Reading symbols from /lib/libm.so.6...done.
Loaded symbols for /lib/libm.so.6
Reading symbols from /lib/libdl.so.2...done.
Loaded symbols for /lib/libdl.so.2
Reading symbols from /lib/libnsl.so.1...done.
Loaded symbols for /lib/libnsl.so.1
Reading symbols from /usr/lib/libxml2.so.2...done.
Loaded symbols for /usr/lib/libxml2.so.2
Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/libpthread.so.0...done.
Loaded symbols for /lib/libpthread.so.0
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /usr/lib/libnss_db.so.2...done.
Loaded symbols for /usr/lib/libnss_db.so.2
Reading symbols from /lib/libnss_files.so.2...done.
Loaded symbols for /lib/libnss_files.so.2
Reading symbols from /usr/lib/libdb-4.3.so...done.
Loaded symbols for /usr/lib/libdb-4.3.so
Reading symbols from /lib/libnss_dns.so.2...done.
Loaded symbols for /lib/libnss_dns.so.2
Core was generated by `/usr/local/bin/php-cgi -b 80.86.81.87:1026'.
Program terminated with signal 11, Segmentation fault.
#0  0x08391412 in zend_mm_check_ptr (heap=0x86ee138, ptr=0x8820e54, silent=1,
    __zend_filename=0x868d9f7 "/root/php-5.2.5/main/SAPI.c", __zend_lineno=445, __zend_orig_filename=0x0,
    __zend_orig_lineno=0) at /root/php-5.2.5/Zend/zend_alloc.c:1276
1276            if (p->info._size != ZEND_MM_NEXT_BLOCK(p)->info._prev) {
(gdb) bt full
#0  0x08391412 in zend_mm_check_ptr (heap=0x86ee138, ptr=0x8820e54, silent=1,
    __zend_filename=0x868d9f7 "/root/php-5.2.5/main/SAPI.c", __zend_lineno=445, __zend_orig_filename=0x0,
    __zend_orig_lineno=0) at /root/php-5.2.5/Zend/zend_alloc.c:1276
        p = (zend_mm_block *) 0x8820e2c
        no_cache_notice = 0
        had_problems = 0
        valid_beginning = 1
#1  0x08392961 in _zend_mm_free_int (heap=0x86ee138, p=0x8820e54, __zend_filename=0x868d9f7 "/root/php-5.2.5/main/SAPI.c",
    __zend_lineno=445, __zend_orig_filename=0x0, __zend_orig_lineno=0) at /root/php-5.2.5/Zend/zend_alloc.c:1909
        mm_block = (zend_mm_block *) 0xcf0
        next_block = (zend_mm_block *) 0x1
        size = 3214980088
#2  0x0839396a in _efree (ptr=0x8820e54, __zend_filename=0x868d9f7 "/root/php-5.2.5/main/SAPI.c", __zend_lineno=445,
    __zend_orig_filename=0x0, __zend_orig_lineno=0) at /root/php-5.2.5/Zend/zend_alloc.c:2277
No locals.
#3  0x08366c4a in sapi_deactivate () at /root/php-5.2.5/main/SAPI.c:445
No locals.
#4  0x0835f207 in php_request_shutdown (dummy=0x0) at /root/php-5.2.5/main/main.c:1494
        __orig_bailout = (jmp_buf *) 0xbfa0c514
        __bailout = {{__jmpbuf = {-1212280844, -1208259360, 0, -1079982904, 1434960001, 2145648110}, __mask_was_saved = 0,
    __saved_mask = {__val = {0, 3082575350, 0, 142330428, 0, 0, 1, 142330525, 0, 3082686452, 142634872, 3081258672,
        3214984296, 3081774445, 3086707936, 0, 3214984360, 137964004, 142330468, 90, 57, 141237152, 1968, 0, 0, 0,
        3082686452, 0, 3082690880, 3214984360, 142330428, 3082690880}}}}
        report_memleaks = 1 '\001'
#5  0x0842cb32 in main (argc=3, argv=0xbfa0e784) at /root/php-5.2.5/sapi/cgi/cgi_main.c:1972
        path_translated = 0x8809f28 "/home/admin/domains/poszkole.pl/public_html/beta/gry.php"
        __orig_bailout = (jmp_buf *) 0x0
        __bailout = {{__jmpbuf = {-1212280844, -1208259360, 0, -1079974168, 1435082881, -1853892114}, __mask_was_saved = 0,
    __saved_mask = {__val = {0 <repeats 32 times>}}}}
        free_query_string = 0
        exit_status = 0
        cgi = 0
        c = 60
        i = -1079974096
        len = -1208256920
        file_handle = {type = 2 '\002', filename = 0x87bca64 'Z' <repeats 57 times>, "Fi\024\017", opened_path = 0x0,
  handle = {fd = 142634872, fp = 0x8806f78, stream = {handle = 0x8806f78, reader = 0x83c6f0c <zend_stream_stdio_reader>,
      closer = 0x83c6f35 <zend_stream_stdio_closer>, fteller = 0x83c6f54 <zend_stream_stdio_fteller>, interactive = 0}},
  free_filename = 0 '\0'}
        retval = 0
        s = 0x0
        behavior = 1
        no_headers = 0
        orig_optind = 1
        orig_optarg = 0x0
        script_file = 0x0
---Type <return> to continue, or q <return> to quit---
        ini_entries_len = 0
        max_requests = 500
        requests = 7
        fastcgi = 1
        bindpath = 0x86ee110 "80.86.81.87:1026"
        fcgi_fd = 3
        request = {listen_socket = 3, fd = 4, id = 1, keep = 1, in_len = 0, in_pad = 0, out_hdr = 0x0,
  out_pos = 0xbfa0c5f8 "\001\006",
  out_buf = "\001\006\000\001\f&#269;\000\000t goog\">\n\t\t\t<script type=\"text/javascript\"><!--\r\ngoogle_ad_client = \"pub-4042275753879057\";\r\ngoogle_ad_width = 120;\r\ngoogle_ad_height = 600;\r\ngoogle_ad_format = \"120x600_as\";\r\ngoogle_ad_type ="..., reserved = '\0' <repeats 15 times>, env = {nTableSize = 32, nTableMask = 31, nNumOfElements = 27,
    nNextFreeElement = 0, pInternalPointer = 0x87fac80, pListHead = 0x87fac80, pListTail = 0x87b85c8,
    arBuckets = 0x87fb680, pDestructor = 0x8428945 <fcgi_free_var>, persistent = 1 '\001', nApplyCount = 0 '\0',
    bApplyProtection = 1 '\001', inconsistent = 0}}
        repeats = 1
        benchmark = 0
        start = {tv_sec = 0, tv_usec = 0}
        end = {tv_sec = 0, tv_usec = 0}
        status = 0
(gdb)


Regards,
Piotr
 [2007-11-18 21:42 UTC] pioklo at serveradmin dot pl
I have installed php 5.1.6 and the problem has gone away.
 [2007-11-18 23:41 UTC] jani@php.net
Please don't post any backtraces anymore. What exactly does this gry.php do? Try shortening the script to the bare minimum which still causes the problem.
 [2007-11-19 12:34 UTC] pioklo at serveradmin dot pl
The problem isn't only with gry.php but with many other scripts.
I use external SQL servers and I'm connecting to them through the mysql_pconnect method. Changing the method to mysql_connect gives fewer crashes, but when I changed the PHP version to 5.1.6 the segfault was eliminated altogether.

Regards,
Piotr
 [2007-11-19 13:49 UTC] jani@php.net
What is the content-type on these pages where it crashes? What is the diff between your php.ini and the stock php.ini-dist / php.ini-recommended (depending on what you used as base for your php.ini)?

 [2007-11-19 13:57 UTC] pioklo at serveradmin dot pl
The diff is here :
http://tapsy.pl/phpdiff.txt

Content-Type text/html
 [2007-11-20 10:45 UTC] dns dot bind9 at gmail dot com
Hi, I have the same problem after updating PHP to 5.2.5.

My System is FreeBSD 6.1 + Lighttpd 1.4.18 + php5.2.5 + php-cgi. 

[user@www] ~#/usr/local/bin/php-cgi -m
[PHP Modules]
cgi-fcgi
date
gd
iconv
libxml
mbstring
memcache
mysql
pcre
Reflection
session
standard
xml
zlib

[Zend Modules]



In Lighttpd Logs:

2007-11-20 18:25:24: (mod_fastcgi.c.2462) unexpected end-of-file (perhaps the fastcgi process died): pid: 4823 socket: unix:/tmp/php-fastcgi.socket-0 
2007-11-20 18:25:24: (mod_fastcgi.c.3269) response already sent out, but backend returned error on socket: unix:/tmp/php-fastcgi.socket-0 for /detail.php , terminating connection
 [2007-11-21 16:41 UTC] f dot fenix at gmail dot com
I also have this bug; it appeared after updating to PHP 5.2.5.
System Info: FreeBSD 6.2-RELEASE-p3, nginx/0.5.32, PHP 5.2.5
# php -m
[PHP Modules]
bcmath
bz2
ctype
curl
date
dom
gd
gettext
hash
iconv
libxml
mbstring
mhash
mysql
pcre
PDO
pgsql
posix
readline
Reflection
session
SimpleXML
sockets
SPL
SQLite
standard
tokenizer
xml
xmlreader
xmlwriter
zlib

[Zend Modules]

#gdb /usr/local/bin/php-cgi php-cgi.core
--SKIPPED--
(gdb) bt
#0  0x00000000004e79cf in _zend_mm_free_int ()
#1  0x00000000004c858a in sapi_deactivate ()
#2  0x00000000004c1eea in php_request_shutdown ()
#3  0x0000000000591943 in main ()

It crashes with such a backtrace on ANY script.
 [2007-11-23 18:53 UTC] f dot fenix at gmail dot com
Additional backtrace for previous comment:
(gdb) bt
#0  0x0000000000537d09 in zend_mm_check_ptr (heap=0x7bf000, ptr=0xb29818, silent=1, __zend_filename=0x6445d8 "/usr/ports/lang/php5/work/php-5.2.5/main/SAPI.c", __zend_lineno=445, __zend_orig_filename=0x0,
    __zend_orig_lineno=0) at /usr/ports/lang/php5/work/php-5.2.5/Zend/zend_alloc.c:1276
#1  0x0000000000539451 in _zend_mm_free_int (heap=0x7bf000, p=0xb29818, __zend_filename=0x6445d8 "/usr/ports/lang/php5/work/php-5.2.5/main/SAPI.c", __zend_lineno=445, __zend_orig_filename=0x0,
    __zend_orig_lineno=0) at /usr/ports/lang/php5/work/php-5.2.5/Zend/zend_alloc.c:1909
#2  0x000000000053a64c in _efree (ptr=0xb29818, __zend_filename=0x6445d8 "/usr/ports/lang/php5/work/php-5.2.5/main/SAPI.c", __zend_lineno=445, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /usr/ports/lang/php5/work/php-5.2.5/Zend/zend_alloc.c:2277
#3  0x000000000050b99e in sapi_deactivate () at /usr/ports/lang/php5/work/php-5.2.5/main/SAPI.c:445
#4  0x0000000000502397 in php_request_shutdown (dummy=0x0) at /usr/ports/lang/php5/work/php-5.2.5/main/main.c:1494
#5  0x00000000005d8771 in main (argc=3, argv=0x7fffffffea98) at /usr/ports/lang/php5/work/php-5.2.5/sapi/cgi/cgi_main.c:1972

PS System is AMD64
 [2007-11-25 02:53 UTC] dns dot bind9 at gmail dot com
Now more error messages display on my console!

[user@www] ~#zend_mm_heap corrupted
zend_mm_heap corrupted
zend_mm_heap corrupted
zend_mm_heap corrupted
zend_mm_heap corrupted
zend_mm_heap corrupted
zend_mm_heap corrupted
zend_mm_heap corrupted
 [2007-11-26 09:28 UTC] till@php.net
I can confirm the last additions to this bug.

I am also on FreeBSD/AMD64, and today I started getting "zend_mm_heap corrupted" messages. Also, PHP started to sig11, and what I did so far was disable all modules that I do not need; doing this I got rid of some of the obvious crashes.

This is my extension.ini
http://pastie.caboo.se/private/ytqpr1hnn0slvjsvabt70g

php -m:
http://pastie.caboo.se/private/yscuxwtkvromili7m15w


What can we do to provide more feedback?
 [2007-11-27 13:49 UTC] php at high5 dot nu
I am also seeing problems with FastCGI and PHP-5.2.5.
FreeBSD 6.2-p8 (jail) and Lighttpd 1.4.18. No third party extensions.

root@www2:~ # pkg_info | grep php
php5-5.2.5          PHP Scripting Language
php5-gettext-5.2.5  The gettext shared extension for php
php5-mysql-5.2.5    The mysql shared extension for php
php5-pcre-5.2.5     The pcre shared extension for php
php5-session-5.2.5  The session shared extension for php
php5-xml-5.2.5      The xml shared extension for php
php5-zlib-5.2.5     The zlib shared extension for php

From the log file:

[Tue Nov 27 14:35:18 2007]  Script:  '/usr/local/www/www.<site>.com/blog/wpcontent/themes/default/images/header-img.php'
---------------------------------------
/var/ports/basejail/usr/ports/lang/php5/work/php-5.2.5/main/SAPI.c(445) : Block 0x08289e30 status:
Invalid pointer: ((size=0x00000005) != (next.prev=0x5445475f))
2007-11-27 14:35:18: (mod_fastcgi.c.2462) unexpected end-of-file (perhaps the fastcgi process died): pid: 96290 socket: unix:/tmp/php-fastcgi.socket-0
2007-11-27 14:35:18: (mod_fastcgi.c.3269) response already sent out, but backend returned error on socket: unix:/tmp/php-fastcgi.socket-0 for /blog/wp-content/themes/default/images/header-img.php , terminating connection
[Tue Nov 27 14:40:21 2007]  Script:  '/usr/local/www/www.<site>.com/index.php'
---------------------------------------
/var/ports/basejail/usr/ports/lang/php5/work/php-5.2.5/main/SAPI.c(445) : Block 0x08289d10 status:
Beginning:      Freed (magic=0x00000000, expected=0x99954317)
    Start:      Overflown (magic=0x00000000 instead of 0x678FA504)
                At least 4 bytes overflown
      End:      Overflown (magic=0x0000000E instead of 0x0A184C31)
                At least 4 bytes overflown
---------------------------------------
 [2007-11-28 17:33 UTC] php at high5 dot nu
I went back to php4, this seems to work fine.
 [2007-12-01 23:51 UTC] ty at aumix dot com
Hi,

Same problem here with CentOS 4.5.


-Tareq
 [2007-12-03 11:40 UTC] jani@php.net
Dmitry, this probably has something to do with your patch for this:

"- Added ability to control memory consumption between request using
  ZEND_MM_COMPACT environment variable. (Dmitry)"

 [2007-12-03 11:41 UTC] jani@php.net
See also bug #43459 and bug #43387
 [2007-12-03 16:19 UTC] dmitry@php.net
The crash in main/SAPI.c(445) must be fixed in CVS.
It wasn't related to the CGI SAPI or the memory manager.
It was just because of an uninitialized variable.

It is a duplicate of #43476, but not #43387 and #43459.
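Dmitry's resolution points at an uninitialized variable rather than at the allocator or the CGI SAPI. That matches the symptom in the logs above: a teardown routine such as sapi_deactivate() is only as safe as the initialization of the per-request state it frees, and a debug allocator reports exactly "Invalid pointer" or "Freed" at the free site when a never-assigned pointer reaches efree(). The program below is an added example written for this page; it is not PHP's code and not the actual fix. It uses a hypothetical request_ctx struct (and made-up function names request_activate, request_deactivate, serve_requests) to set the fragile pattern beside the hardened one, and drives a worker through a sequence of requests of different shapes, the way a FastCGI process serves up to its max_requests limit.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical per-request state (not PHP's request_info): some fields are
 * only allocated for some requests, which is what makes an unconditional
 * free at shutdown dangerous. */
struct request_ctx {
    char *path_translated;   /* set only when the request maps to a script file */
    char *auth_user;         /* set only when the request carries credentials  */
};

/* Portable strdup replacement so the example builds under strict C99. */
static char *dup_string(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

/* FRAGILE: frees whatever the pointer fields happen to contain.  If
 * activation never assigned a field, the value is stack garbage or, in a
 * long-lived FastCGI worker, a stale pointer left by an earlier request, so
 * the crash shows up on the Nth request rather than the first.  A debug
 * allocator then reports "Invalid pointer" / "Freed" at this free site; a
 * release build segfaults or silently corrupts the heap.  Defined for
 * contrast only; nothing here calls it, because running it is undefined
 * behaviour. */
void fragile_deactivate(struct request_ctx *ctx) {
    free(ctx->path_translated);
    free(ctx->auth_user);
}

/* HARDENED: activation zeroes the whole context first, so every pointer is
 * NULL unless this request set it; deactivation frees only non-NULL fields
 * and resets them, so a request that set nothing, or a second teardown, is a
 * no-op rather than a free of stale memory. */
void request_activate(struct request_ctx *ctx, const char *script, const char *user) {
    memset(ctx, 0, sizeof *ctx);
    if (script) ctx->path_translated = dup_string(script);
    if (user)   ctx->auth_user = dup_string(user);
}

int request_deactivate(struct request_ctx *ctx) {
    int freed = 0;
    if (ctx->path_translated) { free(ctx->path_translated); ctx->path_translated = NULL; freed++; }
    if (ctx->auth_user)       { free(ctx->auth_user);       ctx->auth_user = NULL;       freed++; }
    return freed;
}

/* Drive one worker through n requests of varying shape (the backtrace above
 * died on request 7 of 500).  The context is deliberately left uninitialised
 * here: it is activate's job to make it safe.  Returns the number of frees
 * performed, which must equal the number of allocations made. */
int serve_requests(int n) {
    struct request_ctx ctx;
    int total = 0;
    for (int i = 0; i < n; i++) {
        /* constructed request mix: every 2nd has a script, every 3rd has a user */
        const char *script = (i % 2 == 0) ? "/var/www/example/index.php" : NULL;
        const char *user   = (i % 3 == 0) ? "alice" : NULL;
        request_activate(&ctx, script, user);
        total += request_deactivate(&ctx);
    }
    return total;
}

/* A second deactivate on the same context must free nothing and leave NULLs. */
int double_deactivate_is_safe(void) {
    struct request_ctx ctx;
    request_activate(&ctx, "/var/www/example/a.php", NULL);
    int first = request_deactivate(&ctx);
    int second = request_deactivate(&ctx);
    return first == 1 && second == 0 && ctx.path_translated == NULL && ctx.auth_user == NULL;
}

int main(void) {
    printf("frees over 6 requests: %d\n", serve_requests(6));
    printf("double deactivate safe: %d\n", double_deactivate_is_safe());
    return 0;
}
```

The two defensive moves are cheap and independent: zero the context at the start of every request so no field can carry a value from a previous one, and null a pointer immediately after freeing it so the teardown is idempotent. Either alone would have turned the "Invalid pointer" reports above into a clean shutdown; together they also make the debug allocator's checks meaningful, since a block it is asked to validate is then always one this request actually owns.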
 