Bug #46434 session.save_handler=mm causes crash during garbage collection
Submitted: 2008-10-31 15:04 UTC
Modified: 2009-12-16 01:00 UTC
Votes: 2
Avg. Score: 3.0 ± 2.0
Reproduced: 1 of 1 (100.0%)
Same Version: 0 (0.0%)
Same OS: 1 (100.0%)
From: charlie dot orford at gmail dot com
Assigned:
Status: No Feedback
Package: Session related
PHP Version: 5.2CVS-2008-10-31
OS: Debian 4/Etch
Private report: No
CVE-ID: None
 [2008-10-31 15:04 UTC] charlie dot orford at gmail dot com
Description:
------------
When mm is used as session.save_handler, Apache child processes begin to segfault shortly after session.gc_maxlifetime is reached. The workaround is to change session.save_handler to "files". This bug is reproducible (for me at least).


Apache version: 2.2.10, compiled from source using:

./configure --prefix=/usr/local/apache --disable-cgi --disable-cgid --disable-charset-lite --disable-env --disable-include --disable-autoindex --disable-asis --disable-negotiation --disable-imagemap --disable-actions --disable-userdir --enable-nonportable-atomics --enable-deflate --enable-proxy-ftp=shared --enable-proxy=shared --enable-proxy-connect=shared --enable-proxy-http=shared --enable-cache=shared --enable-setenvif --enable-expires --enable-headers --enable-rewrite --enable-unique-id --enable-dav=shared --enable-dav-fs=shared --enable-ssl --enable-so --with-ssl=/etc/ssl --with-mpm=prefork --with-dbm=db4 --with-berkeley-db=/usr/include:/usr/lib


httpd -l output:

Compiled in modules:
  core.c
  mod_authn_file.c
  mod_authn_default.c
  mod_authz_host.c
  mod_authz_groupfile.c
  mod_authz_user.c
  mod_authz_default.c
  mod_auth_basic.c
  mod_filter.c
  mod_deflate.c
  mod_log_config.c
  mod_expires.c
  mod_headers.c
  mod_unique_id.c
  mod_setenvif.c
  mod_ssl.c
  prefork.c
  http_core.c
  mod_mime.c
  mod_status.c
  mod_dir.c
  mod_alias.c
  mod_rewrite.c
  mod_so.c


PHP version 5.2.6, compiled from source using:

./configure --disable-ipv6 --disable-short-tags --disable-cgi --enable-versioning --enable-url-includes --enable-sysvshm --enable-sysvsem --enable-ftp --enable-calendar --enable-gd-native-ttf --enable-mbstring --enable-libxml --enable-cli --enable-xml --enable-sockets --with-pdflib=/usr/src/PDFlib-6.0.4-Linux-x86_64/bind/c --with-apxs2=/usr/local/apache/bin/apxs --with-mysql=/usr/local/mysql --with-mysql-sock=/var/run/mysqld/mysqld.sock --with-mm=/usr/local/mm-1.4.2 --with-zlib --with-zlib-dir=/usr/lib/ --with-pear --with-gd --with-freetype-dir=/usr/local/lib/ --with-png-dir=/usr/lib/ --with-jpeg-dir=/usr/lib/ --with-ttf --with-libtiff-dir=/usr/lib/ --with-openssl=/usr


mm-1.4.2, compiled from source using:

./configure --prefix=/usr/local/mm-1.4.2






Reproduce code:
---------------
See: http://pastebin.com/f38b947b

Expected result:
----------------
A session marked for garbage collection should be destroyed by the garbage collector.

Actual result:
--------------
Garbage collection results in an Apache child process segfault. I have included two backtraces from two separate child process crashes.

Both seem to suggest php-5.2.6/ext/session/mod_mm.c is where the bug resides.


GDB backtrace #1:
===================================

Core was generated by `/usr/local/apache/bin/httpd -k start'.
Program terminated with signal 11, Segmentation fault.
#0  zm_shutdown_ps_mm (type=<value optimized out>,
    module_number=<value optimized out>)
    at /usr/src/lamp/php-5.2.6/ext/session/mod_mm.c:243
243                             next = sd->next;
(gdb) bt full
#0  zm_shutdown_ps_mm (type=<value optimized out>,
    module_number=<value optimized out>)
    at /usr/src/lamp/php-5.2.6/ext/session/mod_mm.c:243
No locals.
#1  0x00002b814cef0234 in zm_shutdown_session (type=1, module_number=12)
    at /usr/src/lamp/php-5.2.6/ext/session/session.c:1983
No locals.
#2  0x00002b814d00bea1 in module_destructor (module=0x7460f0)
    at /usr/src/lamp/php-5.2.6/Zend/zend_API.c:1921
No locals.
#3  0x00002b814d012642 in zend_hash_apply_deleter (ht=0x2b814d6ab320,
    p=0x746090) at /usr/src/lamp/php-5.2.6/Zend/zend_hash.c:611
        retval = <value optimized out>
#4  0x00002b814d0128b8 in zend_hash_graceful_reverse_destroy (
    ht=0x2b814d6ab320) at /usr/src/lamp/php-5.2.6/Zend/zend_hash.c:646
        p = (Bucket *) 0x657469735f666572
#5  0x00002b814d008247 in zend_shutdown ()
    at /usr/src/lamp/php-5.2.6/Zend/zend.c:733
No locals.
#6  0x00002b814cfc666a in php_module_shutdown ()
    at /usr/src/lamp/php-5.2.6/main/main.c:1888
No locals.
#7  0x00002b814cfc6709 in php_module_shutdown_wrapper (sapi_globals=0x1)
---Type <return> to continue, or q <return> to quit---
    at /usr/src/lamp/php-5.2.6/main/main.c:1859
No locals.
#8  0x00002b814d0898e1 in php_apache_server_shutdown (
    tmp=<value optimized out>)
    at /usr/src/lamp/php-5.2.6/sapi/apache2handler/sapi_apache2.c:352
No locals.
#9  0x00002b814c43c62d in run_cleanups (cref=0x5b5158)
    at memory/unix/apr_pools.c:2306
        c = (cleanup_t *) 0x2b814f630058
#10 0x00002b814c43d0b7 in apr_pool_destroy (pool=0x5b5138)
    at memory/unix/apr_pools.c:774
        active = <value optimized out>
        allocator = <value optimized out>
#11 0x00002b814c43d0a5 in apr_pool_destroy (pool=0x5b3128)
    at memory/unix/apr_pools.c:771
        active = <value optimized out>
        allocator = <value optimized out>
#12 0x00000000004296a6 in destroy_and_exit_process (process=0x5b3220,
    process_exit_value=0) at main.c:270
No locals.
#13 0x000000000042a179 in main (argc=3, argv=0x7fff5f238e78) at main.c:747
        c = 0 '\0'
        configtestonly = 0
---Type <return> to continue, or q <return> to quit---
        confname = 0x47d51f "conf/httpd.conf"
        def_server_root = 0x47d52f "/usr/local/apache"
        temp_error_log = 0x0
        error = <value optimized out>
        process = (process_rec *) 0x5b3220
        server_conf = <value optimized out>
        pglobal = (apr_pool_t *) 0x5b3128
        pconf = (apr_pool_t *) 0x5b5138
        plog = (apr_pool_t *) 0x5f9358
        ptemp = (apr_pool_t *) 0x5c1198
        pcommands = (apr_pool_t *) 0x5b7148
        opt = (apr_getopt_t *) 0x5b7240
        rv = 0
        optarg = 0x2b814c9aa170 "?'"
(gdb)



GDB backtrace #2:
===================================

Core was generated by `/usr/local/apache/bin/httpd -k start'.
Program terminated with signal 11, Segmentation fault.
#0  ps_sd_lookup (data=<value optimized out>, key=0x2b814b91d488 "ufc77adjfgtmpfcju2mgiejf20l6bsd5", rw=0) at /usr/src/lamp/php-5.2.6/ext/session/mod_mm.c:189
189                     if (ret->hv == hv && !strcmp(ret->key, key))
(gdb) bt full
#0  ps_sd_lookup (data=<value optimized out>, key=0x2b814b91d488 "ufc77adjfgtmpfcju2mgiejf20l6bsd5", rw=0) at /usr/src/lamp/php-5.2.6/ext/session/mod_mm.c:189
        hv = 17287314
        ret = (ps_sd *) 0x490
        prev = (ps_sd *) 0x0
#1  0x00002b814cef68d7 in ps_read_mm (mod_data=<value optimized out>, key=0x2b814b91d488 "ufc77adjfgtmpfcju2mgiejf20l6bsd5", val=0x7fff5f2315b0, vallen=0x7fff5f2315cc) at /usr/src/lamp/php-5.2.6/ext/session/mod_mm.c:334
        data = (ps_mm *) 0x78b1e0
        sd = <value optimized out>
        ret = -1
#2  0x00002b814cef321e in php_session_start () at /usr/src/lamp/php-5.2.6/ext/session/session.c:844
        value = <value optimized out>
        ppid = (zval **) 0x2b814b91c2c0
        data = (zval **) 0x2b814b91cc58
        p = <value optimized out>
        lensess = <value optimized out>
#3  0x00002b814cef3b69 in zif_session_start (ht=1267848328, return_value=0x2b814b91d488, return_value_ptr=0x20, this_ptr=0x20, return_value_used=-16843009) at /usr/src/lamp/php-5.2.6/ext/session/session.c:1815
No locals.
#4  0x00002b814d037117 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff5f232ee0) at /usr/src/lamp/php-5.2.6/Zend/zend_vm_execute.h:200
        i = 32767
        p = <value optimized out>
        arg_count = 47834416506944
        return_reference = 0 '\0'
        opline = (zend_op *) 0x2b8151676930
        original_return_value = <value optimized out>
        current_scope = (zend_class_entry *) 0x0
        current_this = (zval *) 0x0
        return_value_used = -16843009
        should_change_scope = 0 '\0'
#5  0x00002b814d026f93 in execute (op_array=0x2b814b9232f8) at /usr/src/lamp/php-5.2.6/Zend/zend_vm_execute.h:92
        execute_data = {opline = 0x2b8151676930, function_state = {function_symbol_table = 0x0, function = 0x746f70, reserved = {0x2b814cfda2cc, 0x2b814b920948, 0x0, 0x2b814b920948}}, fbc = 0x0, op_array = 0x2b814b9232f8, object = 0x0,
  Ts = 0x7fff5f231710, CVs = 0x7fff5f2316f0, original_in_execution = 1 '\001', symbol_table = 0x2b814d6aafc8, prev_execute_data = 0x7fff5f236400, old_error_reporting = 0x0}
#6  0x00002b814d0298e5 in ZEND_INCLUDE_OR_EVAL_SPEC_CONST_HANDLER (execute_data=0x7fff5f236400) at /usr/src/lamp/php-5.2.6/Zend/zend_vm_execute.h:2037
        saved_object = (zval *) 0x0
        saved_function = (zend_function *) 0x2b814b91ce70
        opline = (zend_op *) 0x2b815164e4d0
        new_op_array = (zend_op_array *) 0x2b814b9232f8
        original_return_value = (zval **) 0x7fff5f236520
        inc_filename = <value optimized out>
        tmp_inc_filename = {value = {lval = 140734789529624, dval = 6.9532224681285584e-310, str = {val = 0x7fff5f233018 "\200?\220K\201+", len = 1267783040}, ht = 0x7fff5f233018, obj = {handle = 1596141592, handlers = 0x2b814b90d580}},
  refcount = 0, type = 0 '\0', is_ref = 0 '\0'}
        failure_retval = 255 '?'
#7  0x00002b814d026f93 in execute (op_array=0x2b814b91ce70) at /usr/src/lamp/php-5.2.6/Zend/zend_vm_execute.h:92
        execute_data = {opline = 0x2b815164e4d0, function_state = {function_symbol_table = 0x0, function = 0x2b814b9232f8, reserved = {0x2b814cfda2cc, 0x2b814b91d258, 0x0, 0x2b814b91d258}}, fbc = 0x0, op_array = 0x2b814b91ce70,
  object = 0x0, Ts = 0x7fff5f233170, CVs = 0x7fff5f233090, original_in_execution = 0 '\0', symbol_table = 0x2b814d6aafc8, prev_execute_data = 0x0, old_error_reporting = 0x0}
#8  0x00002b814d007ccd in zend_execute_scripts (type=8, retval=<value optimized out>, file_count=3) at /usr/src/lamp/php-5.2.6/Zend/zend.c:1134
        files = {{gp_offset = 40, fp_offset = 0, overflow_arg_area = 0x7fff5f236620, reg_save_area = 0x7fff5f236530}}
        i = 1
        file_handle = (zend_file_handle *) 0x7fff5f2388d0
        orig_op_array = (zend_op_array *) 0x0
        orig_retval_ptr_ptr = (zval **) 0x0
        local_retval = (zval *) 0x0
#9  0x00002b814cfc6508 in php_execute_script (primary_file=0x7fff5f2388d0) at /usr/src/lamp/php-5.2.6/main/main.c:2005
        realfile = "\000\000\000\000\000\000\000\000nQ?K\201+\000\000xv#_?\177", '\0' <repeats 18 times>, "\200q\210\000\000\000\000\000\020w#_?\177\000\000JN?K\201+\000\000\200q\210\000\000\000\000\000\020w#_?\177\000\000\237\017\000\000\000\000\000\000?\212\bM\201+\000\000?\v\000\000\000\000\000\000f'", '\0' <repeats 15 times>, "?jM\201+\000\000@?jM\201+\000\000??jM\201+\000\000\000?jM\201+\000\000@?jM\201+\000\000\000?jM\201+\000\000???L\201+\000\000?\021\000\000\000\000\000\000o \000\000\000\000\000\000+\036\000\000\000\000\000\000e\"\000\000\000\000\000\000?$\000\000\000"...
        prepend_file_p = (zend_file_handle *) 0x0
        append_file_p = (zend_file_handle *) 0x0
        prepend_file = {type = 0 '\0', filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, reader = 0, closer = 0, fteller = 0, interactive = 0}}, free_filename = 0 '\0'}
        append_file = {type = 0 '\0', filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, reader = 0, closer = 0, fteller = 0, interactive = 0}}, free_filename = 0 '\0'}
        old_cwd = 0x7fff5f236630 "/"
        retval = 0
#10 0x00002b814d08975d in php_handler (r=0x885f38) at /usr/src/lamp/php-5.2.6/sapi/apache2handler/sapi_apache2.c:629
        __bailout = {{__jmpbuf = {120, 3, 8937272, 6052448, 8912520, 140734789552784, 140734789552112, 47834343182899}, __mask_was_saved = 0, __saved_mask = {__val = {0, 0, 17179869184, 8937144, 4623373, 8995888, 16, 8937144, 8994104,
        8937144, 8937272, 8871352, 6002672, 8937904, 0, 8937144}}}}
        ctx = (php_struct * volatile) 0x894540
        conf = (void *) 0x604a98
        brigade = (apr_bucket_brigade * volatile) 0x895220
        bucket = <value optimized out>
        rv = <value optimized out>
        parent_req = (request_rec * volatile) 0x0
#11 0x000000000043c179 in ap_run_handler (r=0x885f38) at config.c:157
        n = 3
---Type <return> to continue, or q <return> to quit---
        rv = 32
#12 0x000000000043f25c in ap_invoke_handler (r=0x885f38) at config.c:372
        handler = 0x65ae80 "application/x-httpd-php"
        result = 0
        old_handler = 0x0
        ignore = <value optimized out>
#13 0x0000000000464598 in ap_process_request (r=0x885f38) at http_request.c:258
        access_status = 1168
#14 0x0000000000461a3c in ap_process_http_connection (c=0x875db8) at http_core.c:190
        r = (request_rec *) 0x885f38
        csd = (apr_socket_t *) 0x0
#15 0x0000000000442e11 in ap_run_process_connection (c=0x875db8) at connection.c:43
        n = 0
        rv = 32
#16 0x00000000004736b6 in child_main (child_num_arg=<value optimized out>) at prefork.c:650
        numdesc = 1
        pdesc = (const apr_pollfd_t *) 0x873e20
        current_conn = (conn_rec *) 0x875db8
        csd = (void *) 0x875bc8
        ptrans = (apr_pool_t *) 0x875b48
        allocator = (apr_allocator_t *) 0x873a40
        status = <value optimized out>
        i = <value optimized out>
        lr = <value optimized out>
        pollset = (apr_pollset_t *) 0x873d68
        sbh = (ap_sb_handle_t *) 0x873d60
        bucket_alloc = (apr_bucket_alloc_t *) 0x87fe88
        last_poll_idx = 1
#17 0x0000000000473934 in make_child (s=0x5bef68, slot=5) at prefork.c:746
        pid = 0
#18 0x00000000004741d6 in ap_mpm_run (_pconf=<value optimized out>, plog=<value optimized out>, s=<value optimized out>) at prefork.c:881
        pidfile = <value optimized out>
        active_children = <value optimized out>
        cutoff = <value optimized out>
        index = <value optimized out>
        remaining_children_to_start = 0
        rv = <value optimized out>
#19 0x000000000042a167 in main (argc=3, argv=0x7fff5f238e78) at main.c:740
        c = 0 '\0'
        configtestonly = 0
        confname = 0x47d51f "conf/httpd.conf"
        def_server_root = 0x47d52f "/usr/local/apache"
        temp_error_log = 0x0
        error = <value optimized out>
        process = (process_rec *) 0x5b3220
        server_conf = <value optimized out>
        pglobal = (apr_pool_t *) 0x5b3128
        pconf = (apr_pool_t *) 0x5b5138
        plog = (apr_pool_t *) 0x5f9358
        ptemp = (apr_pool_t *) 0x5c1198
        pcommands = (apr_pool_t *) 0x5b7148
        opt = (apr_getopt_t *) 0x5b7240
        rv = 0
        optarg = 0x2b814c9aa170 "?'"
(gdb)



 [2008-10-31 15:10 UTC] charlie dot orford at gmail dot com
Forgot to include hardware and kernel version (in case it is helpful):

Linux kernel: 2.6.20.3

Hardware: Dual AMD Opteron 252 with 4GB RAM

Memory status at time of segfault:

#free -m
             total       used       free     shared    buffers     cached
Mem:          3903       3804         99          0        210       1707
-/+ buffers/cache:       1885       2017
Swap:         7632        271       7360
 [2008-10-31 21:20 UTC] charlie dot orford at gmail dot com
GDB backtrace #3:
===================================

Core was generated by `/usr/local/apache/bin/httpd -k start'.
Program terminated with signal 11, Segmentation fault.
#0  0x00002b121af85f7d in ps_gc_mm (mod_data=<value optimized out>,
    maxlifetime=1800, nrdels=0x7fff911a30bc)
    at /usr/src/lamp/php5.2-200810311530/ext/session/mod_mm.c:422
422                             if (sd->ctime < limit) {
(gdb) bt full
#0  0x00002b121af85f7d in ps_gc_mm (mod_data=<value optimized out>,
    maxlifetime=1800, nrdels=0x7fff911a30bc)
    at /usr/src/lamp/php5.2-200810311530/ext/session/mod_mm.c:422
        data = (ps_mm *) 0x78b210
        limit = 1225485826
        ohash = (ps_sd **) 0x2b121d6c2060
        ehash = (ps_sd **) 0x2b121d6c3058
        sd = (ps_sd *) 0x7c65707989b73ff3
        next = (ps_sd *) 0x708
#1  0x00002b121af82e04 in php_session_start ()
    at /usr/src/lamp/php5.2-200810311530/ext/session/session.c:1344
        nrdels = 0
        ppid = (zval **) 0x2b12199abaa8
        data = (zval **) 0x2b12199ac630
        p = 0x2b12199b28c0 "X,\233\031\022+"
        lensess = 429598912
#2  0x00002b121af83689 in zif_session_start (ht=26,
    return_value=0x7c65707989b73ff3, return_value_ptr=0x2b121b841960,
    this_ptr=0x2b121a82834a, return_value_used=460575968)
    at /usr/src/lamp/php5.2-200810311530/ext/session/session.c:1824
No locals.
#3  0x00002b121b0c7177 in zend_do_fcall_common_helper_SPEC (
    execute_data=0x7fff911a49d0)
---Type <return> to continue, or q <return> to quit---
    at /usr/src/lamp/php5.2-200810311530/Zend/zend_vm_execute.h:200
        i = 32767
        p = <value optimized out>
        arg_count = 47356836608064
        return_reference = 0 '\0'
        opline = (zend_op *) 0x2b121f6c7930
        original_return_value = <value optimized out>
        current_scope = (zend_class_entry *) 0x0
        current_this = (zval *) 0x0
        return_value_used = 460575968
        should_change_scope = 0 '\0'
#4  0x00002b121b0b6fa3 in execute (op_array=0x2b12199b1030)
    at /usr/src/lamp/php5.2-200810311530/Zend/zend_vm_execute.h:92
        execute_data = {opline = 0x2b121f6c7930, function_state = {
    function_symbol_table = 0x0, function = 0x746fa0, reserved = {
      0x2b121b06a12c, 0x2b12199b1138, 0x0, 0x2b12199b1138}}, fbc = 0x0,
  op_array = 0x2b12199b1030, object = 0x0, Ts = 0x7fff911a3200,
  CVs = 0x7fff911a31e0, original_in_execution = 1 '\001',
  symbol_table = 0x2b121b73d668, prev_execute_data = 0x7fff911a60f0,
  old_error_reporting = 0x0}
#5  0x00002b121b0b991f in ZEND_INCLUDE_OR_EVAL_SPEC_CONST_HANDLER (
    execute_data=0x7fff911a60f0)
    at /usr/src/lamp/php5.2-200810311530/Zend/zend_vm_execute.h:2087
---Type <return> to continue, or q <return> to quit---
        saved_object = (zval *) 0x0
        saved_function = (zend_function *) 0x2b12199ad2e8
        opline = (zend_op *) 0x2b12199b5308
        new_op_array = (zend_op_array *) 0x2b12199b1030
        original_return_value = (zval **) 0x7fff911a6358
        inc_filename = <value optimized out>
        tmp_inc_filename = {value = {lval = 47356769981664,
    dval = 2.3397353145946181e-310, str = {
      val = 0x2b121b73d4e0 "(N\032\221?\177", len = 454017753},
    ht = 0x2b121b73d4e0, obj = {handle = 460575968,
      handlers = 0x2b121b0fc2d9}}, refcount = 0, type = 0 '\0',
  is_ref = 0 '\0'}
        failure_retval = 224 '?'
#6  0x00002b121b0b6fa3 in execute (op_array=0x2b12199ad2e8)
    at /usr/src/lamp/php5.2-200810311530/Zend/zend_vm_execute.h:92
        execute_data = {opline = 0x2b12199b5308, function_state = {
    function_symbol_table = 0x0, function = 0x2b12199b1030, reserved = {
      0x2b121b06a12c, 0x2b12199addb8, 0x0, 0x2b12199addb8}}, fbc = 0x0,
  op_array = 0x2b12199ad2e8, object = 0x0, Ts = 0x7fff911a4ba0,
  CVs = 0x7fff911a4b80, original_in_execution = 1 '\001',
  symbol_table = 0x2b121b73d668, prev_execute_data = 0x7fff911a6390,
  old_error_reporting = 0x0}
#7  0x00002b121b0b991f in ZEND_INCLUDE_OR_EVAL_SPEC_CONST_HANDLER (
---Type <return> to continue, or q <return> to quit---
    execute_data=0x7fff911a6390)
    at /usr/src/lamp/php5.2-200810311530/Zend/zend_vm_execute.h:2087
        saved_object = (zval *) 0x0
        saved_function = (zend_function *) 0x2b12199ac848
        opline = (zend_op *) 0x2b12199acf48
        new_op_array = (zend_op_array *) 0x2b12199ad2e8
        original_return_value = (zval **) 0x7fff911a64b0
        inc_filename = <value optimized out>
        tmp_inc_filename = {value = {lval = 3, dval = 1.4821969375237396e-323,
    str = {val = 0x3 <Address 0x3 out of bounds>, len = 454017753}, ht = 0x3,
    obj = {handle = 3, handlers = 0x2b121b0fc2d9}}, refcount = 0,
  type = 0 '\0', is_ref = 0 '\0'}
        failure_retval = 224 '?'
#8  0x00002b121b0b6fa3 in execute (op_array=0x2b12199ac848)
    at /usr/src/lamp/php5.2-200810311530/Zend/zend_vm_execute.h:92
        execute_data = {opline = 0x2b12199acf48, function_state = {
    function_symbol_table = 0x0, function = 0x2b12199ad2e8, reserved = {
      0x2b121b06a12c, 0x2b12199acc10, 0x0, 0x2b12199acc10}}, fbc = 0x0,
  op_array = 0x2b12199ac848, object = 0x0, Ts = 0x7fff911a62b0,
  CVs = 0x7fff911a62a0, original_in_execution = 0 '\0',
  symbol_table = 0x2b121b73d668, prev_execute_data = 0x0,
  old_error_reporting = 0x0}
#9  0x00002b121b097c6d in zend_execute_scripts (type=8,
---Type <return> to continue, or q <return> to quit---
    retval=<value optimized out>, file_count=3)
    at /usr/src/lamp/php5.2-200810311530/Zend/zend.c:1134
        files = {{gp_offset = 40, fp_offset = 0,
    overflow_arg_area = 0x7fff911a65b0, reg_save_area = 0x7fff911a64c0}}
        i = 1
        file_handle = (zend_file_handle *) 0x7fff911a8860
        orig_op_array = (zend_op_array *) 0x0
        orig_retval_ptr_ptr = (zval **) 0x0
        local_retval = (zval *) 0x0
#10 0x00002b121b055f58 in php_execute_script (primary_file=0x7fff911a8860)
    at /usr/src/lamp/php5.2-200810311530/main/main.c:2011
        realfile = "?\024\000\000\000\000\000\000;\000\000\000\000\000\000\000##\000\000\000\000\000\000b\020\000\000\000\000\000\000m\024\000\000\000\000\000\000?!\000\000\000\000\000\000?\005\000\000\000\000\000\000\237\032\000\000\000\000\000\000?\036\000\000\000\000\000\000Z\v\000\000\000\000\000\000?,\000\000\000\000\000\000V\017\000\000\000\000\000\000\231\032\000\000\000\000\000\000i$\000\000\000\000\000\000\033#\000\000\000\000\000\000b\"\000\000\000\000\000\000?#\000\000\000\000\000\000?\035\000\000\000\000\000\000\001\n\000\000\000\000\000\000W&\000\000\000\000\000\000d&\000\000\000\000\000\000\203\006\000\000\000\000\000\000?\n\000\000\000\000\000\000?\031\000\000\000\000\000\000?\b\000\000\000\000\000\000"...
        prepend_file_p = (zend_file_handle *) 0x0
        append_file_p = (zend_file_handle *) 0x2b1200000000
---Type <return> to continue, or q <return> to quit---
        prepend_file = {type = 0 '\0', filename = 0x0, opened_path = 0x0,
  handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, reader = 0, closer = 0,
      fteller = 0, interactive = 0}}, free_filename = 0 '\0'}
        append_file = {type = 0 '\0', filename = 0x0, opened_path = 0x0,
  handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, reader = 0, closer = 0,
      fteller = 0, interactive = 0}}, free_filename = 0 '\0'}
        old_cwd = 0x7fff911a65c0 "/"
        retval = 0
#11 0x00002b121b119885 in php_handler (r=0x881fe8)
    at /usr/src/lamp/php5.2-200810311530/sapi/apache2handler/sapi_apache2.c:629
        __bailout = {{__jmpbuf = {120, 3, 8921064, 6052448, 8912728,
      140735627823648, 140735627822976, 47356763542355}, __mask_was_saved = 0,
    __saved_mask = {__val = {0, 0, 17179869184, 8920936, 4623373,
        47356750571568, 47356747237712, 8920936, 5921512, 6053712, 8921064,
        8912728, 140735627823648, 0, 47356738320017, 8920936}}}}
        ctx = (php_struct * volatile) 0x8867c0
        conf = (void *) 0x604a98
        brigade = (apr_bucket_brigade * volatile) 0x887478
        bucket = <value optimized out>
        rv = <value optimized out>
        parent_req = (request_rec * volatile) 0x0
#12 0x000000000043c179 in ap_run_handler (r=0x881fe8) at config.c:157
        n = 3
---Type <return> to continue, or q <return> to quit---
        rv = 461642080
#13 0x000000000043f25c in ap_invoke_handler (r=0x881fe8) at config.c:372
        handler = 0x65ae80 "application/x-httpd-php"
        result = 0
        old_handler = 0x0
        ignore = <value optimized out>
#14 0x0000000000464598 in ap_process_request (r=0x881fe8) at http_request.c:258
        access_status = 1225485826
#15 0x0000000000461a3c in ap_process_http_connection (c=0x875e88)
    at http_core.c:190
        r = (request_rec *) 0x881fe8
        csd = (apr_socket_t *) 0x0
#16 0x0000000000442e11 in ap_run_process_connection (c=0x875e88)
    at connection.c:43
        n = 0
        rv = 461642080
#17 0x00000000004736b6 in child_main (child_num_arg=<value optimized out>)
    at prefork.c:650
        numdesc = 1
        pdesc = (const apr_pollfd_t *) 0x873ef0
        current_conn = (conn_rec *) 0x875e88
        csd = (void *) 0x875c98
        ptrans = (apr_pool_t *) 0x875c18
---Type <return> to continue, or q <return> to quit---
        allocator = (apr_allocator_t *) 0x873b10
        status = <value optimized out>
        i = <value optimized out>
        lr = <value optimized out>
        pollset = (apr_pollset_t *) 0x873e38
        sbh = (ap_sb_handle_t *) 0x873e30
        bucket_alloc = (apr_bucket_alloc_t *) 0x87ff58
        last_poll_idx = 1
#18 0x0000000000473934 in make_child (s=0x5bef68, slot=5) at prefork.c:746
        pid = 0
#19 0x00000000004741d6 in ap_mpm_run (_pconf=<value optimized out>,
    plog=<value optimized out>, s=<value optimized out>) at prefork.c:881
        pidfile = <value optimized out>
        active_children = <value optimized out>
        cutoff = <value optimized out>
        index = <value optimized out>
        remaining_children_to_start = 0
        rv = <value optimized out>
#20 0x000000000042a167 in main (argc=3, argv=0x7fff911a8e08) at main.c:740
        c = 0 '\0'
        configtestonly = 0
        confname = 0x47d51f "conf/httpd.conf"
        def_server_root = 0x47d52f "/usr/local/apache"
---Type <return> to continue, or q <return> to quit---
        temp_error_log = 0x0
        error = <value optimized out>
        process = (process_rec *) 0x5b3220
        server_conf = <value optimized out>
        pglobal = (apr_pool_t *) 0x5b3128
        pconf = (apr_pool_t *) 0x5b5138
        plog = (apr_pool_t *) 0x5f9358
        ptemp = (apr_pool_t *) 0x5c1198
        pcommands = (apr_pool_t *) 0x5b7148
        opt = (apr_getopt_t *) 0x5b7240
        rv = 0
        optarg = 0x2b121aa3a170 "?'"
(gdb)
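
Added example, not part of the original report or of PHP's code: a small Python triage helper that reads frame #0 of a `bt full` dump and flags pointer locals that cannot be valid addresses, run on abridged excerpts of the three backtraces above. It assumes x86-64 with 48-bit virtual addresses; the function and constant names are illustrative.

```python
import re

# Assumption: x86-64 with 48-bit virtual addresses (the report's build is
# Linux x86_64), so bits 47..63 of a valid pointer are all 0 or all 1.
FRAME_RE = re.compile(r"(?ms)^#(\d+)\s+(.*?)(?=^#\d+\s|\Z)")
FUNC_RE = re.compile(r"(?:0x[0-9a-f]+ in )?(\w+) \(")
LOC_RE = re.compile(r"(?m)\bat (\S+):(\d+)\s*$")
PTR_RE = re.compile(r"(?m)^[ \t]+(\w+) = \(([^()]*\*)\) (0x[0-9a-f]+)\s*$")

# Abridged excerpts of the three `bt full` dumps in this report.
BT1 = """\
#0  zm_shutdown_ps_mm (type=<value optimized out>,
    module_number=<value optimized out>)
    at /usr/src/lamp/php-5.2.6/ext/session/mod_mm.c:243
No locals.
#1  0x00002b814cef0234 in zm_shutdown_session (type=1, module_number=12)
    at /usr/src/lamp/php-5.2.6/ext/session/session.c:1983
No locals.
"""
BT2 = """\
#0  ps_sd_lookup (data=<value optimized out>, key=0x2b814b91d488 "ufc77adjfgtmpfcju2mgiejf20l6bsd5", rw=0) at /usr/src/lamp/php-5.2.6/ext/session/mod_mm.c:189
        hv = 17287314
        ret = (ps_sd *) 0x490
        prev = (ps_sd *) 0x0
"""
BT3 = """\
#0  0x00002b121af85f7d in ps_gc_mm (mod_data=<value optimized out>,
    maxlifetime=1800, nrdels=0x7fff911a30bc)
    at /usr/src/lamp/php5.2-200810311530/ext/session/mod_mm.c:422
        data = (ps_mm *) 0x78b210
        limit = 1225485826
        ohash = (ps_sd **) 0x2b121d6c2060
        ehash = (ps_sd **) 0x2b121d6c3058
        sd = (ps_sd *) 0x7c65707989b73ff3
        next = (ps_sd *) 0x708
#1  0x00002b121af82e04 in php_session_start ()
    at /usr/src/lamp/php5.2-200810311530/ext/session/session.c:1344
        nrdels = 0
"""


def classify(addr):
    """Return a verdict for one pointer value."""
    if addr == 0:
        return "null"            # may be a legitimate list terminator
    if addr < 0x1000:
        return "near-null"       # inside the first page, normally unmapped
    if (addr >> 47) not in (0, 0x1FFFF):
        return "non-canonical"   # cannot be a valid x86-64 address
    return "plausible"


def triage(bt_text):
    """Summarise frame #0 of a `bt full` dump and flag impossible pointer locals."""
    body = next(b for n, b in FRAME_RE.findall(bt_text) if n == "0")
    path, line = LOC_RE.search(body).groups()
    suspects = []
    for name, ctype, value in PTR_RE.findall(body):
        verdict = classify(int(value, 16))
        if verdict in ("near-null", "non-canonical"):
            suspects.append((name, ctype, value, verdict))
    return {
        "function": FUNC_RE.match(body).group(1),
        "file": path.rsplit("/", 1)[-1],
        "line": int(line),
        "suspects": suspects,
    }


def faulting_files(dumps):
    """Source files in which the crashing frame of each dump lies."""
    return sorted({triage(d)["file"] for d in dumps})


if __name__ == "__main__":
    for bt in (BT1, BT2, BT3):
        print(triage(bt))
    print("faulting files:", faulting_files([BT1, BT2, BT3]))
```

On these excerpts every crashing frame is in mod_mm.c, and backtraces #2 and #3 each show a `ps_sd` pointer that is near-null or non-canonical; backtrace #1 has no locals to inspect.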
 [2009-12-08 20:47 UTC] felipe@php.net
Please try using this snapshot:

  http://snaps.php.net/php5.2-latest.tar.gz
 
For Windows:

  http://windows.php.net/snapshots/


 [2009-12-16 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 