php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #46936 php-cgi fastcgi mode crashes (randomly) in zend_mm_check_ptr
Submitted: 2008-12-23 13:31 UTC Modified: 2010-12-20 12:39 UTC
From: bierisplezier at gmail dot com Assigned:
Status: No Feedback Package: Scripting Engine problem
PHP Version: 5.2.8 OS: linux gentoo 2007.0, kern 2.6.25
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: bierisplezier at gmail dot com
New email:
PHP Version: OS:

 

 [2008-12-23 13:31 UTC] bierisplezier at gmail dot com
Description:
------------
We tested both mod_php and fastcgi. mod_php doesn't crash. Looking at the coredump it always crashes on the same file (randomly) on 2 functions. See reproduce code. Disabled all 3th party extentions.

Reproduce code:
---------------
//Our application is rather large, but php-cgi gdb always shows these functions, stripped them from the class
//
// Could be "public static" or "abstract class" related together with php-cgi memory management

abstract class BaseLogPeer 
{
   //stripped some content here
   public static function getOMClass()
   {
      return fdPeer::CLASS_DEFAULT;
   }

   public static function findOne(Criteria $crit, $con = null)
   {
      $copy = clone $crit;
      $copy->setLimit(1);
      $objects = fdPeer::doSelect($copy, $con);
      if ($objects) {
        return $objects[0];
      }
      return null;
   }
}

Actual result:
--------------
php configure

'./configure' '--prefix=/usr/lib64/php5' '--host=x86_64-pc-linux-gnu'
'--mandir=/usr/lib64/php5/man' '--infodir=/usr/lib64/php5/info'
'--sysconfdir=/etc' '--cache-file=./config.cache' '--with-libdir=lib64'
'--with-pcre-regex=/usr' '--disable-cli' '--enable-cgi'
'--enable-fastcgi' '--disable-discard-path'
'--enable-force-cgi-redirect' '--enable-fpm'
'--with-fpm-conf=/etc/php/cgi-php5/php-fpm.conf'
'--with-config-file-path=/etc/php/cgi-php5'
'--with-config-file-scan-dir=/etc/php/cgi-php5/ext-active'
'--without-pear' '--disable-bcmath' '--with-bz2=shared'
'--disable-calendar' '--disable-ctype' '--with-curl=shared'
'--without-curlwrappers' '--disable-dbase' '--disable-exif'
'--without-fbsql' '--without-fdftk' '--disable-filter'
'--enable-ftp=shared' '--with-gettext=shared' '--without-gmp'
'--disable-ipv6' '--without-kerberos' '--enable-mbstring=shared'
'--with-mcrypt=shared' '--without-mhash' '--without-msql'
'--without-mssql' '--without-ncurses' '--with-openssl'
'--with-openssl-dir=/usr' '--enable-pcntl=shared' '--disable-pdo'
'--without-pgsql' '--without-pspell' '--without-recode'
'--disable-simplexml' '--enable-shmop' '--without-snmp' '--disable-soap'
'--enable-sockets=shared' '--without-sybase' '--without-sybase-ct'
'--enable-sysvmsg=shared' '--enable-sysvsem=shared'
'--enable-sysvshm=shared' '--without-tidy' '--disable-tokenizer'
'--disable-wddx' '--disable-xmlreader' '--disable-xmlwriter'
'--with-xmlrpc=shared' '--without-xsl' '--enable-zip=shared'
'--with-zlib=shared' '--enable-debug' '--without-cdb' '--without-db4'
'--disable-flatfile' '--without-gdbm' '--disable-inifile'
'--without-qdbm' '--with-freetype-dir=/usr' '--with-t1lib=/usr'
'--disable-gd-jis-conv' '--with-gd=shared,/usr'
'--with-mysql=shared,/usr'
'--with-mysql-sock=/var/run/mysqld/mysqld.sock'
'--with-mysqli=shared,/usr/bin/mysql_config' '--with-readline'
'--without-libedit' '--with-mm' '--without-sqlite'

php-cgi -m

[PHP Modules]
bz2
cgi-fcgi
curl
date
dom
ftp
gd
gettext
hash
iconv
json
libxml
mbstring
mcrypt
memcache
mysql
mysqli
openssl
pcntl
pcre
posix
readline
Reflection
session
shmop
sockets
SPL
standard
sysvmsg
sysvsem
sysvshm
xml
xmlrpc
zip
zlib

[Zend Modules]

GNU gdb 6.7.1
Copyright (C) 2007 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu"...
Using host libthread_db library "/lib/libthread_db.so.1".
Reading symbols from /lib64/libcrypt.so.1...done.
Loaded symbols for /lib/libcrypt.so.1
Reading symbols from /usr/lib64/libmm.so.13...done.
Loaded symbols for /usr/lib/libmm.so.13
Reading symbols from /lib64/libhistory.so.5...done.
Loaded symbols for /lib/libhistory.so.5
Reading symbols from /lib64/libreadline.so.5...done.
Loaded symbols for /lib/libreadline.so.5
Reading symbols from /lib64/libncurses.so.5...done.
Loaded symbols for /lib/libncurses.so.5
Reading symbols from /usr/lib64/libpcre.so.0...done.
Loaded symbols for /usr/lib/libpcre.so.0
Reading symbols from /lib64/libz.so.1...done.
Loaded symbols for /lib/libz.so.1
Reading symbols from /lib64/libbz2.so.1...done.
Loaded symbols for /lib/libbz2.so.1
Reading symbols from /lib64/libresolv.so.2...done.
Loaded symbols for /lib/libresolv.so.2
Reading symbols from /lib64/libm.so.6...done.
Loaded symbols for /lib/libm.so.6
Reading symbols from /lib64/libdl.so.2...done.
Loaded symbols for /lib/libdl.so.2
Reading symbols from /lib64/libnsl.so.1...done.
Loaded symbols for /lib/libnsl.so.1
Reading symbols from /lib64/librt.so.1...done.
Loaded symbols for /lib/librt.so.1
Reading symbols from /usr/lib64/libssl.so.0.9.8...done.
Loaded symbols for /usr/lib/libssl.so.0.9.8
Reading symbols from /usr/lib64/libcrypto.so.0.9.8...done.
Loaded symbols for /usr/lib/libcrypto.so.0.9.8
Reading symbols from /usr/lib64/libxml2.so.2...done.
Loaded symbols for /usr/lib/libxml2.so.2
Reading symbols from /lib64/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib64/ld-linux-x86-64.so.2...done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
Reading symbols from /lib64/libpthread.so.0...done.
Loaded symbols for /lib/libpthread.so.0
Reading symbols from /usr/lib64/php5/lib/php/extensions/debug-non-zts-20060613/bz2.so...done.
Loaded symbols for /usr/lib64/php5/lib/php/extensions/debug-non-zts-20060613/bz2.so
Reading symbols from /usr/lib64/php5/lib/php/extensions/debug-non-zts-20060613/curl.so...done.
Loaded symbols for /usr/lib64/php5/lib/php/extensions/debug-non-zts-20060613/curl.so
Reading symbols from /usr/lib64/libcurl.so.4...done.
Loaded symbols for /usr/lib/libcurl.so.4
Reading symbols from /usr/lib64/php5/lib/php/extensions/debug-non-zts-20060613/ftp.so...done.
Loaded symbols for /usr/lib64/php5/lib/php/extensions/debug-non-zts-20060613/ftp.so
Reading symbols from /usr/lib64/php5/lib/php/extensions/debug-non-zts-20060613/gd.so...done.
Loaded symbols for /usr/lib64/php5/lib/php/extensions/debug-non-zts-20060613/gd.so
Reading symbols from /usr/lib64/libgd.so.2...done.
Loaded symbols for /usr/lib/libgd.so.2
Reading symbols from /usr/lib64/libt1.so.5...done.
Loaded symbols for /usr/lib/libt1.so.5
Reading symbols from /usr/lib64/libfreetype.so.6...done.
Loaded symbols for /usr/lib/libfreetype.so.6
Reading symbols from /usr/lib64/libjpeg.so.62...done.
Loaded symbols for /usr/lib/libjpeg.so.62
Reading symbols from /usr/lib64/libpng12.so.0...done.
Loaded symbols for /usr/lib/libpng12.so.0
Reading symbols from /usr/lib64/php5/lib/php/extensions/debug-non-zts-20060613/gettext.so...done.
Loaded symbols for /usr/lib64/php5/lib/php/extensions/debug-non-zts-20060613/gettext.so
Reading symbols from /usr/lib64/php5/lib/php/extensions/debug-non-zts-20060613/mbstring.so...done.
Loaded symbols for /usr/lib64/php5/lib/php/extensions/debug-non-zts-20060613/mbstring.so
Reading symbols from /usr/lib64/php5/lib/php/extensions/debug-non-zts-20060613/mcrypt.so...done.
Loaded symbols for /usr/lib64/php5/lib/php/extensions/debug-non-zts-20060613/mcrypt.so
Reading symbols from /usr/lib64/libmcrypt.so.4...done.
Loaded symbols for /usr/lib/libmcrypt.so.4
Reading symbols from /usr/lib64/libltdl.so.3...done.
Loaded symbols for /usr/lib/libltdl.so.3
Reading symbols from /usr/lib64/php5/lib/php/extensions/debug-non-zts-20060613/memcache.so...done.
Loaded symbols for /usr/lib64/php5/lib/php/extensions/debug-non-zts-20060613/memcache.so
Reading symbols from /usr/lib64/php5/lib/php/extensions/debug-non-zts-20060613/mysql.so...done.
Loaded symbols for /usr/lib64/php5/lib/php/extensions/debug-non-zts-20060613/mysql.so
Reading symbols from /usr/lib64/libmysqlclient.so.16...done.
Loaded symbols for /usr/lib/libmysqlclient.so.16
Reading symbols from /usr/lib64/php5/lib/php/extensions/debug-non-zts-20060613/mysqli.so...done.
Loaded symbols for /usr/lib64/php5/lib/php/extensions/debug-non-zts-20060613/mysqli.so
Reading symbols from /usr/lib64/php5/lib/php/extensions/debug-non-zts-20060613/pcntl.so...done.
Loaded symbols for /usr/lib64/php5/lib/php/extensions/debug-non-zts-20060613/pcntl.so
Reading symbols from /usr/lib64/php5/lib/php/extensions/debug-non-zts-20060613/sockets.so...done.
Loaded symbols for /usr/lib64/php5/lib/php/extensions/debug-non-zts-20060613/sockets.so
Reading symbols from /usr/lib64/php5/lib/php/extensions/debug-non-zts-20060613/sysvmsg.so...done.
Loaded symbols for /usr/lib64/php5/lib/php/extensions/debug-non-zts-20060613/sysvmsg.so
Reading symbols from /usr/lib64/php5/lib/php/extensions/debug-non-zts-20060613/sysvsem.so...done.
Loaded symbols for /usr/lib64/php5/lib/php/extensions/debug-non-zts-20060613/sysvsem.so
Reading symbols from /usr/lib64/php5/lib/php/extensions/debug-non-zts-20060613/sysvshm.so...done.
Loaded symbols for /usr/lib64/php5/lib/php/extensions/debug-non-zts-20060613/sysvshm.so
Reading symbols from /usr/lib64/php5/lib/php/extensions/debug-non-zts-20060613/xmlrpc.so...done.
Loaded symbols for /usr/lib64/php5/lib/php/extensions/debug-non-zts-20060613/xmlrpc.so
Reading symbols from /usr/lib64/php5/lib/php/extensions/debug-non-zts-20060613/zip.so...done.
Loaded symbols for /usr/lib64/php5/lib/php/extensions/debug-non-zts-20060613/zip.so
Reading symbols from /usr/lib64/php5/lib/php/extensions/debug-non-zts-20060613/zlib.so...done.
Loaded symbols for /usr/lib64/php5/lib/php/extensions/debug-non-zts-20060613/zlib.so
Reading symbols from /lib64/libnss_files.so.2...done.
Loaded symbols for /lib/libnss_files.so.2
Reading symbols from /lib64/libnss_compat.so.2...done.
Loaded symbols for /lib/libnss_compat.so.2
Reading symbols from /lib64/libnss_nis.so.2...done.
Loaded symbols for /lib/libnss_nis.so.2
Reading symbols from /usr/lib64/gconv/ISO8859-1.so...done.
Loaded symbols for /usr/lib64/gconv/ISO8859-1.so
Reading symbols from /lib64/libnss_dns.so.2...done.
Loaded symbols for /lib/libnss_dns.so.2
Core was generated by `/usr/bin/php-cgi --fpm'.
Program terminated with signal 11, Segmentation fault.
#0  0x00000000005f9069 in zend_mm_check_ptr (heap=0x9dc300, ptr=0x644b8c803, silent=1, __zend_filename=0x74bc28 "/var/tmp/portage/dev-lang/php-5.2.8/work/php-5.2.8/Zend/zend_opcode.c", __zend_lineno=240, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /var/tmp/portage/dev-lang/php-5.2.8/work/php-5.2.8/Zend/zend_alloc.c:1299
1299		if (p->info._size != ZEND_MM_NEXT_BLOCK(p)->info._prev) {
(gdb) bt
#0  0x00000000005f9069 in zend_mm_check_ptr (heap=0x9dc300, ptr=0x644b8c803, silent=1, __zend_filename=0x74bc28 "/var/tmp/portage/dev-lang/php-5.2.8/work/php-5.2.8/Zend/zend_opcode.c", __zend_lineno=240, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /var/tmp/portage/dev-lang/php-5.2.8/work/php-5.2.8/Zend/zend_alloc.c:1299
#1  0x00000000005fac72 in _zend_mm_free_int (heap=0x9dc300, p=0x644b8c803, __zend_filename=0x74bc28 "/var/tmp/portage/dev-lang/php-5.2.8/work/php-5.2.8/Zend/zend_opcode.c", __zend_lineno=240, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /var/tmp/portage/dev-lang/php-5.2.8/work/php-5.2.8/Zend/zend_alloc.c:1938
#2  0x00000000005fc33f in _efree (ptr=0x644b8c803, __zend_filename=0x74bc28 "/var/tmp/portage/dev-lang/php-5.2.8/work/php-5.2.8/Zend/zend_opcode.c", __zend_lineno=240, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /var/tmp/portage/dev-lang/php-5.2.8/work/php-5.2.8/Zend/zend_alloc.c:2306
#3  0x0000000000612d01 in destroy_op_array (op_array=0xb78588) at /var/tmp/portage/dev-lang/php-5.2.8/work/php-5.2.8/Zend/zend_opcode.c:240
#4  0x0000000000612865 in destroy_zend_function (function=0xb78588) at /var/tmp/portage/dev-lang/php-5.2.8/work/php-5.2.8/Zend/zend_opcode.c:113
#5  0x000000000061287c in zend_function_dtor (function=0xb78588) at /var/tmp/portage/dev-lang/php-5.2.8/work/php-5.2.8/Zend/zend_opcode.c:125
#6  0x000000000062d153 in zend_hash_destroy (ht=0x65d85b0) at /var/tmp/portage/dev-lang/php-5.2.8/work/php-5.2.8/Zend/zend_hash.c:526
#7  0x0000000000612a70 in destroy_zend_class (pce=0x42e6748) at /var/tmp/portage/dev-lang/php-5.2.8/work/php-5.2.8/Zend/zend_opcode.c:186
#8  0x000000000062d519 in zend_hash_apply_deleter (ht=0x9dcc40, p=0x42e6730) at /var/tmp/portage/dev-lang/php-5.2.8/work/php-5.2.8/Zend/zend_hash.c:611
#9  0x000000000062db6e in zend_hash_reverse_apply (ht=0x9dcc40, apply_func=0x60baeb <clean_non_persistent_class>) at /var/tmp/portage/dev-lang/php-5.2.8/work/php-5.2.8/Zend/zend_hash.c:760
#10 0x000000000060c42b in shutdown_executor () at /var/tmp/portage/dev-lang/php-5.2.8/work/php-5.2.8/Zend/zend_execute_API.c:291
#11 0x000000000061e219 in zend_deactivate () at /var/tmp/portage/dev-lang/php-5.2.8/work/php-5.2.8/Zend/zend.c:860
#12 0x00000000005be91a in php_request_shutdown (dummy=0x0) at /var/tmp/portage/dev-lang/php-5.2.8/work/php-5.2.8/main/main.c:1492
#13 0x00000000006ae4c0 in main (argc=2, argv=0x7fffcfe07b38) at /var/tmp/portage/dev-lang/php-5.2.8/work/php-5.2.8/sapi/cgi/cgi_main.c:2187

printing op_array->filename in frame 3, always shows up the same php functions findOne and getOMClass in the same file, it's attached.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2008-12-23 16:59 UTC] jani@php.net
Are those shared extensions build for (with) the CGI binary? Try compile those when you (only) build cgi binary.
 [2008-12-23 17:02 UTC] bierisplezier at gmail dot com
They are build for apache2 and cgi (USE='apache cgi' in gentoo), I will compile them for (fast)cgi only and see if that helps.
 [2008-12-23 17:39 UTC] bierisplezier at gmail dot com
compiled php for cgi only, tried with shared extensions and compiled in. Both result in the same crash described earlier.
 [2009-01-22 22:53 UTC] jani@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.


 [2009-01-30 01:01 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 [2010-12-20 12:39 UTC] jani@php.net
-Package: Tidy +Package: Scripting Engine problem
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed Dec 04 13:01:31 2024 UTC