php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #50438 destroy_op_array refcount invalid ptr / apache filter sapi
Submitted: 2009-12-10 12:12 UTC Modified: 2009-12-18 01:00 UTC
Votes:2
Avg. Score:4.0 ± 1.0
Reproduced:2 of 2 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: m dot moeller at bigpoint dot net Assigned:
Status: No Feedback Package: Reproducible crash
PHP Version: 5.2.11 OS: Linux / Debian
Private report: No CVE-ID: None
View Developer Edit
 [2009-12-10 12:12 UTC] m dot moeller at bigpoint dot net 
Description:
------------
if apache receives a shutdown signal, php occasionally triggers a
segfault, because the refcount pointer of an op_array points to an invalid address.

Program terminated with signal 11, Segmentation fault.
[New process 1475]
#0  0x00007f801f93f390 in ?? ()
(gdb) bt
#0  0x00007f801f93f390 in ?? ()
#1  <signal handler called>
#2  destroy_op_array (op_array=0x1c5fde0) at /home/custompackages/tmp/build/php5_5.2.11.dfsg.1-1.dsc.17103/build/Zend/zend_opcode.c:232
#3  0x00007f8023642088 in zend_hash_destroy (ht=0x1928a00) at /home/custompackages/tmp/build/php5_5.2.11.dfsg.1-1.dsc.17103/build/Zend/zend_hash.c:717
#4  0x00007f802363779a in zend_shutdown () at /home/custompackages/tmp/build/php5_5.2.11.dfsg.1-1.dsc.17103/build/Zend/zend.c:816
#5  0x00007f80235f0df5 in php_module_shutdown () at /home/custompackages/tmp/build/php5_5.2.11.dfsg.1-1.dsc.17103/build/main/main.c:1921
#6  0x00007f80235f0e99 in php_module_shutdown_wrapper (sapi_globals=0x0) at /home/custompackages/tmp/build/php5_5.2.11.dfsg.1-1.dsc.17103/build/main/main.c:1892
#7  0x00007f80236ac2b1 in php_apache_child_shutdown (tmp=0x0) at /home/custompackages/tmp/build/php5_5.2.11.dfsg.1-1.dsc.17103/build/sapi/apache2handler/sapi_apache2.c:362
#8  0x00007f80284bb4fb in ?? () from /usr/lib/libapr-1.so.0
#9  0x00007f80284ba401 in apr_pool_destroy () from /usr/lib/libapr-1.so.0
#10 0x0000000000450d3e in clean_child_exit (code=0) at /root/apache2-backport/httpd-2.2.14/server/mpm/prefork/prefork.c:196
#11 0x000000000045140b in just_die (sig=<value optimized out>) at /root/apache2-backport/httpd-2.2.14/server/mpm/prefork/prefork.c:328
#12 <signal handler called>
#13 0x00007f8027ffe190 in __connect_nocancel () from /lib/libc.so.6
#14 0x00007f801bfc65b5 in ?? ()
#15 0x0000000001c26458 in ?? ()
#16 0x0000000001b3f528 in ?? ()
#17 0x00007f801c30e940 in ?? ()
#18 0x0000000000000015 in ?? ()
#19 0x0000000001c26458 in ?? ()
#20 0x0000000001b3f528 in ?? ()
#21 0x00007f801c30e940 in ?? ()
#22 0x0000000001b41300 in ?? ()
#23 0x00007fff41c64dc0 in ?? ()
#24 0x00007f801bfc7142 in ?? ()
#25 0x0000000100000001 in ?? ()
#26 0x000000004b20862f in ?? ()
#27 0x3020302000000035 in ?? ()
#28 0x0000000000000000 in ?? ()
(gdb) frame 2
#2  destroy_op_array (op_array=0x1c5fde0) at /home/custompackages/tmp/build/php5_5.2.11.dfsg.1-1.dsc.17103/build/Zend/zend_opcode.c:232
232     /home/custompackages/tmp/build/php5_5.2.11.dfsg.1-1.dsc.17103/build/Zend/zend_opcode.c: No such file or directory.
        in /home/custompackages/tmp/build/php5_5.2.11.dfsg.1-1.dsc.17103/build/Zend/zend_opcode.c
(gdb) print *op_array->refcount
Cannot access memory at address 0x7f801fb5da28


[reopened http://bugs.php.net/bug.php?id=49922 with current php ver]

Reproduce code:
---------------
while true; do
  curl http://localhost/testpage.php &
  apachectl restart
done


Expected result:
----------------
clear error log

Actual result:
--------------
segfault

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2009-12-10 13:03 UTC] felipe@php.net 
Please try using this snapshot:

  http://snaps.php.net/php5.2-latest.tar.gz
 
For Windows:

  http://windows.php.net/snapshots/
 [2009-12-18 01:00 UTC] php-bugs at lists dot php dot net 
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 [2010-03-11 12:53 UTC] proforg at maloletka dot ru 
same crash with php 5.2.13

Core was generated by `/usr/sbin/apache2 -k restart'.
Program terminated with signal 11, Segmentation fault.
[New process 31978]
#0  0x00007fae6ebff060 in ?? ()
(gdb) bt
#0  0x00007fae6ebff060 in ?? ()
#1  <signal handler called>
#2  0x00007fae728c64c8 in destroy_op_array () from 
/usr/lib/apache2/modules/libphp5.so
#3  0x00007fae728da728 in zend_hash_destroy () from 
/usr/lib/apache2/modules/libphp5.so
#4  0x00007fae728cfe3a in zend_shutdown () from 
/usr/lib/apache2/modules/libphp5.so
#5  0x00007fae728892e5 in php_module_shutdown () from 
/usr/lib/apache2/modules/libphp5.so
#6  0x00007fae72889389 in php_module_shutdown_wrapper () from 
/usr/lib/apache2/modules/libphp5.so
#7  0x00007fae72944981 in ?? () from /usr/lib/apache2/modules/libphp5.so
#8  0x00007fae790c3a5c in ?? () from /usr/lib/libapr-1.so.0
#9  0x00007fae790c2ca3 in apr_pool_destroy () from /usr/lib/libapr-1.so.0
#10 0x000000000044d90e in ?? ()
#11 0x000000000044e03b in ?? ()
#12 <signal handler called>
#13 0x00007fae78e987a0 in __read_nocancel () from /lib/libpthread.so.0
#14 0x00007fae728a43d6 in ?? () from /usr/lib/apache2/modules/libphp5.so
#15 0x00007fae7289fd48 in ?? () from /usr/lib/apache2/modules/libphp5.so
#16 0x00007fae7289fee6 in _php_stream_get_line () from 
/usr/lib/apache2/modules/libphp5.so
#17 0x00007fae72814f9c in php_exec () from /usr/lib/apache2/modules/libphp5.so
#18 0x00007fae72815386 in ?? () from /usr/lib/apache2/modules/libphp5.so
#19 0x00007fae7290a3cd in ?? () from /usr/lib/apache2/modules/libphp5.so
#20 0x00007fae728f3134 in execute () from /usr/lib/apache2/modules/libphp5.so
#21 0x00007fae6ff2290f in zend_oe () from 
/usr/lib/php5/20060613/ZendOptimizer.so
#22 0x00007fae728cf1c8 in zend_execute_scripts () from 
/usr/lib/apache2/modules/libphp5.so
#23 0x00007fae728890ea in php_execute_script () from 
/usr/lib/apache2/modules/libphp5.so
#24 0x00007fae72945a73 in ?? () from /usr/lib/apache2/modules/libphp5.so
#25 0x0000000000438ee3 in ap_run_handler ()
#26 0x000000000043c4af in ap_invoke_handler ()
#27 0x000000000044967e in ap_process_request ()
#28 0x00000000004467a8 in ?? ()
#29 0x0000000000440403 in ap_run_process_connection ()
#30 0x000000000044dc80 in ?? ()
#31 0x000000000044dfd4 in ?? ()
#32 0x000000000044e57c in ap_mpm_run ()
#33 0x0000000000425be5 in main ()
(gdb)
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Sat Dec 21 14:01:32 2024 UTC