php.net
Bug #44152 Apparent memory leak in filter.c leading to Apache segfault
Submitted: 2008-02-18 18:07 UTC Modified: 2008-02-20 15:28 UTC
From: eiwe dot lingefors at miva dot com Assigned:
Status: Closed Package: Filter related
PHP Version: 5.2.5 OS: RHEL 5
Private report: No CVE-ID:
 [2008-02-18 18:07 UTC] eiwe dot lingefors at miva dot com
Description:
------------
First off, big disclaimer. I'm running Apache 2.2.8 using mpm_event and php 5.2.5. The fact that I'm using mpm_event might disqualify this bug report in your eyes but I figured it was worth noting anyway.

First, PHP is configured thusly:

./configure \
--prefix=/usr/local/php \
--disable-ipv6 \
--with-apxs2=/usr/local/apache/bin/apxs \
--with-mysql=/usr/local/mysql \
--with-cdb \
--with-curl \
--with-xsl \
--with-gettext \
--with-gd \
--with-jpeg-dir=/usr \
--with-png-dir=/usr \
--with-mcrypt \
--with-openssl \
--with-zlib \
--with-iconv \
--without-kerberos \
--without-sqlite \
--enable-mbstring \
--enable-mbregex \
--enable-soap \
--enable-inline-optimization \
--disable-cgi \
--enable-debug \
--disable-rpath

I started noticing segfaults of Apache as evidenced by the error_log:
[Mon Feb 18 11:10:03 2008] [notice] child pid 23618 exit signal Segmentation fault (11)
[Mon Feb 18 11:16:42 2008] [notice] child pid 24547 exit signal Segmentation fault (11)
[Mon Feb 18 11:18:54 2008] [notice] child pid 24591 exit signal Segmentation fault (11)
*** glibc detected *** /usr/local/apache/bin/httpd: free(): invalid pointer: 0xad3e0106 ***
======= Backtrace: =========
/lib/libc.so.6[0x955f7d]
/lib/libc.so.6(cfree+0x90)[0x9595d0]
/usr/local/apache/modules/libphp5.so(zif_openlog+0x65)[0x1044f05]
/usr/local/apache/modules/libphp5.so[0x10f53cf]
/usr/local/apache/modules/libphp5.so(execute+0x18e)[0x10e4aae]
/usr/local/apache/modules/libphp5.so[0x10f4d5b]
/usr/local/apache/modules/libphp5.so(execute+0x18e)[0x10e4aae]
/usr/local/apache/modules/libphp5.so[0x10f4d5b]
/usr/local/apache/modules/libphp5.so(execute+0x18e)[0x10e4aae]
/usr/local/apache/modules/libphp5.so[0x10f4d5b]
/usr/local/apache/modules/libphp5.so(execute+0x18e)[0x10e4aae]
/usr/local/apache/modules/libphp5.so[0x10f4d5b]
/usr/local/apache/modules/libphp5.so(execute+0x18e)[0x10e4aae]
/usr/local/apache/modules/libphp5.so[0x10f4d5b]
/usr/local/apache/modules/libphp5.so(execute+0x18e)[0x10e4aae]
/usr/local/apache/modules/libphp5.so(zend_execute_scripts+0x1d3)[0x10c3bc3]
/usr/local/apache/modules/libphp5.so(php_execute_script+0x242)[0x107c272]
/usr/local/apache/modules/libphp5.so[0x1146385]
/usr/local/apache/bin/httpd(ap_run_handler+0x59)[0x8074f59]
/usr/local/apache/bin/httpd(ap_invoke_handler+0x67)[0x80780c7]
/usr/local/apache/bin/httpd(ap_internal_redirect+0x6a)[0x808884a]
/usr/local/apache/modules/mod_rewrite.so[0x8c0920]
/usr/local/apache/bin/httpd(ap_run_handler+0x59)[0x8074f59]
/usr/local/apache/bin/httpd(ap_invoke_handler+0x67)[0x80780c7]
/usr/local/apache/bin/httpd(ap_process_request+0x178)[0x80889c8]
/usr/local/apache/bin/httpd[0x8085d53]
/usr/local/apache/bin/httpd(ap_run_process_connection+0x59)[0x807bf79]
/usr/local/apache/bin/httpd[0x809479f]
/usr/local/apache/lib/libapr-1.so.0[0x1d1746]
/lib/libpthread.so.0[0xa632db]
/lib/libc.so.6(clone+0x5e)[0x9bd14e]
======= Memory map: ========
[Mon Feb 18 11:23:47 2008] [notice] child pid 24626 exit signal Aborted (6)

I recompiled php with --enable-debug and saw some more information in the error_log:

[Mon Feb 18 11:43:37 2008]  Script:  '/home/httpd/my/my/www/top.php'
/var/home/eiwe/download/php-5.2.5/ext/filter/filter.c(414) :  Freeing 0x09FCA518 (2 bytes), script=/home/httpd/my/my/www/top.php
Last leak repeated 16 times
=== Total 17 memory leaks detected ===
[Mon Feb 18 11:43:37 2008]  Script:  '/home/httpd/my/my/www/top.php'
/var/home/eiwe/download/php-5.2.5/ext/filter/filter.c(414) :  Freeing 0x09FCA7EC (2 bytes), script=/home/httpd/my/my/www/top.php
Last leak repeated 16 times
=== Total 17 memory leaks detected ===
[Mon Feb 18 11:43:37 2008]  Script:  '/home/httpd/my/my/www/index.php'
/var/home/eiwe/download/php-5.2.5/ext/filter/filter.c(414) :  Freeing 0x09FC6974 (14 bytes), script=/home/httpd/my/my/www/index.php
Last leak repeated 8 times

A backtrace using gdb looks like this:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1537336432 (LWP 27844)]
0x0095958c in free () from /lib/libc.so.6
(gdb) bt
#0  0x0095958c in free () from /lib/libc.so.6
#1  0x010c295b in zif_openlog () from /usr/local/apache/modules/libphp5.so
#2  0x0119977a in execute () from /usr/local/apache/modules/libphp5.so
#3  0x011a00bb in execute () from /usr/local/apache/modules/libphp5.so
#4  0x01199222 in execute () from /usr/local/apache/modules/libphp5.so
#5  0x011999ca in execute () from /usr/local/apache/modules/libphp5.so
#6  0x0119a76b in execute () from /usr/local/apache/modules/libphp5.so
#7  0x01199222 in execute () from /usr/local/apache/modules/libphp5.so
#8  0x011999ca in execute () from /usr/local/apache/modules/libphp5.so
#9  0x0119a76b in execute () from /usr/local/apache/modules/libphp5.so
#10 0x01199222 in execute () from /usr/local/apache/modules/libphp5.so
#11 0x011999ca in execute () from /usr/local/apache/modules/libphp5.so
#12 0x0119a76b in execute () from /usr/local/apache/modules/libphp5.so
#13 0x01199222 in execute () from /usr/local/apache/modules/libphp5.so
#14 0x011999ca in execute () from /usr/local/apache/modules/libphp5.so
#15 0x0119a76b in execute () from /usr/local/apache/modules/libphp5.so
#16 0x01199222 in execute () from /usr/local/apache/modules/libphp5.so
#17 0x011999ca in execute () from /usr/local/apache/modules/libphp5.so
#18 0x0119a76b in execute () from /usr/local/apache/modules/libphp5.so
#19 0x01199222 in execute () from /usr/local/apache/modules/libphp5.so
#20 0x01170a88 in zend_execute_scripts () from /usr/local/apache/modules/libphp5.so
#21 0x0110dbad in php_execute_script () from /usr/local/apache/modules/libphp5.so
#22 0x011f6592 in zend_get_zval_ptr_ptr () from /usr/local/apache/modules/libphp5.so
#23 0x08074f59 in ap_run_handler (r=0xa26c31d8) at config.c:157
#24 0x080780c7 in ap_invoke_handler (r=0xa26c31d8) at config.c:372
#25 0x0808884a in ap_internal_redirect (new_uri=0xa26c3180 "/top.php?src_id=11006&tb_version=1.2.0.192&install_time=2008-02-18T11%3A47%3A00%2B0000", 
    r=0xa26ba6a0) at http_request.c:477
#26 0x00120920 in handler_redirect (r=0xa26ba6a0) at mod_rewrite.c:4762
#27 0x08074f59 in ap_run_handler (r=0xa26ba6a0) at config.c:157
#28 0x080780c7 in ap_invoke_handler (r=0xa26ba6a0) at config.c:372
#29 0x080889c8 in ap_process_request (r=0xa26ba6a0) at http_request.c:258
#30 0x08085d53 in ap_process_http_async_connection (c=0xa26b6888) at http_core.c:145
#31 0x0807bf79 in ap_run_process_connection (c=0xa26b6888) at connection.c:43
#32 0x0809479f in worker_thread (thd=0x9d7f868, dummy=0x9f4ea48) at event.c:637
#33 0x00305746 in dummy_worker (opaque=0x9d7f868) at threadproc/unix/thread.c:142
#34 0x00a632db in start_thread () from /lib/libpthread.so.0
#35 0x009bd14e in clone () from /lib/libc.so.6

This is my first bug report to PHP and I apologize in advance for any omissions that should have been included. I'll be happy to provide any additional info should you require it.


Reproduce code:
---------------
I cannot reliably reproduce this. The segfaults are intermittent. If you have any suggestions on how I might trigger this I would be grateful.


 [2008-02-19 19:52 UTC] eiwe dot lingefors at miva dot com
Further testing reveals that the memory leaks occur in the same fashion when using both mpm_worker and mpm_prefork. However, there are no segmentation faults when using mpm_prefork.
 [2008-02-20 15:28 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change will be in the next snapshot. You can grab the snapshot at http://snaps.php.net/.

Thank you for the report, and for helping us make PHP better.

The leaks reported by the Zend Engine are not real leaks: since they are cleaned up by the engine, no actual memory is being leaked. The crash itself appears to be caused by the logging code inside the openlog function.
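The crash site in the backtraces above is free() called from zif_openlog, i.e. the PHP wrapper around openlog(3). A detail worth knowing when auditing any code that wraps that call: glibc's openlog() does not copy the ident string, it stores the caller's pointer and keeps using it on every later syslog() call, so the buffer must stay valid until the next openlog() or closelog(), and must never be freed while it is still registered. The following is an added example, not code from PHP or from this bug report: a hypothetical wrapper (safe_openlog, safe_closelog, current_ident and owned_buffers are names chosen here) that keeps exactly one heap-owned copy of the ident and releases the previous copy only after the library has been pointed at the new one. It also logs caller-supplied text through a literal "%s" format so a message can never be interpreted as a format string.

```c
/* Added example (not PHP's own code): ownership discipline for the ident
 * string handed to openlog(3). glibc stores the pointer as-is rather than
 * copying it, so whoever calls openlog() owns the buffer's lifetime. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>

/* The one buffer currently registered with openlog(); NULL when none is. */
static char *owned_ident = NULL;

/* Ident the library is currently using, or NULL if nothing is open. */
const char *current_ident(void)
{
    return owned_ident;
}

/* Number of heap buffers this wrapper owns: always 0 or 1. A value other
 * than that would mean a leak or a double free in the wrapper itself. */
int owned_buffers(void)
{
    return owned_ident != NULL ? 1 : 0;
}

/* Register a new ident. Order matters: hand the fresh copy to openlog()
 * first, then free the old copy, so the library never holds a pointer to
 * memory that has already been returned to the allocator.
 * Returns 0 on success, -1 on bad input or allocation failure. */
int safe_openlog(const char *ident, int option, int facility)
{
    if (ident == NULL) {
        return -1;
    }
    size_t len = strlen(ident);
    char *fresh = malloc(len + 1);
    if (fresh == NULL) {
        return -1;
    }
    memcpy(fresh, ident, len + 1);

    openlog(fresh, option, facility);   /* library now references `fresh` */

    char *old = owned_ident;            /* previous copy, if any */
    owned_ident = fresh;
    free(old);                          /* safe: library no longer uses it */
    return 0;
}

/* Log caller-controlled text. The format is a fixed literal so that any
 * '%' sequences in `msg` are data, not directives. */
void safe_syslog_text(int priority, const char *msg)
{
    syslog(priority, "%s", msg);
}

/* Tell the library to drop its reference, then release our copy. */
void safe_closelog(void)
{
    closelog();
    free(owned_ident);
    owned_ident = NULL;
}

int main(void)
{
    /* Constructed usage: two idents in a row, then a clean shutdown. */
    if (safe_openlog("example-app", LOG_PID, LOG_USER) != 0) {
        return 1;
    }
    safe_syslog_text(LOG_INFO, "started with ident %s (not expanded)");
    safe_openlog("example-app-2", LOG_PID, LOG_USER);
    printf("ident now: %s, owned buffers: %d\n", current_ident(), owned_buffers());
    safe_closelog();
    printf("after close, owned buffers: %d\n", owned_buffers());
    return 0;
}
```

No LOG_NDELAY is passed, so openlog() here only records its arguments and does not try to contact the log daemon; the wrapper is therefore safe to exercise in a sandbox without syslogd. The invariant a reviewer would check is the ordering in safe_openlog: if the free() were moved ahead of the openlog() call, or if a temporary such as a script-owned string were passed straight through, the library would be left holding a dangling pointer, which is exactly the class of fault that surfaces as "free(): invalid pointer" inside the next call that touches it.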

PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Mon Apr 21 14:02:18 2014 UTC