Bug #50438 destroy_op_array refcount invalid ptr / apache filter sapi
Submitted: 2009-12-10 12:12 UTC Modified: 2009-12-18 01:00 UTC
Votes:2
Avg. Score:4.0 ± 1.0
Reproduced:2 of 2 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: m dot moeller at bigpoint dot net Assigned:
Status: No Feedback Package: Reproducible crash
PHP Version: 5.2.11 OS: Linux / Debian
Private report: No CVE-ID: None
 [2009-12-10 12:12 UTC] m dot moeller at bigpoint dot net
Description:
------------
If Apache receives a shutdown signal, PHP occasionally triggers a segfault, because the refcount pointer of an op_array points to an invalid address.

Program terminated with signal 11, Segmentation fault.
[New process 1475]
#0  0x00007f801f93f390 in ?? ()
(gdb) bt
#0  0x00007f801f93f390 in ?? ()
#1  <signal handler called>
#2  destroy_op_array (op_array=0x1c5fde0) at /home/custompackages/tmp/build/php5_5.2.11.dfsg.1-1.dsc.17103/build/Zend/zend_opcode.c:232
#3  0x00007f8023642088 in zend_hash_destroy (ht=0x1928a00) at /home/custompackages/tmp/build/php5_5.2.11.dfsg.1-1.dsc.17103/build/Zend/zend_hash.c:717
#4  0x00007f802363779a in zend_shutdown () at /home/custompackages/tmp/build/php5_5.2.11.dfsg.1-1.dsc.17103/build/Zend/zend.c:816
#5  0x00007f80235f0df5 in php_module_shutdown () at /home/custompackages/tmp/build/php5_5.2.11.dfsg.1-1.dsc.17103/build/main/main.c:1921
#6  0x00007f80235f0e99 in php_module_shutdown_wrapper (sapi_globals=0x0) at /home/custompackages/tmp/build/php5_5.2.11.dfsg.1-1.dsc.17103/build/main/main.c:1892
#7  0x00007f80236ac2b1 in php_apache_child_shutdown (tmp=0x0) at /home/custompackages/tmp/build/php5_5.2.11.dfsg.1-1.dsc.17103/build/sapi/apache2handler/sapi_apache2.c:362
#8  0x00007f80284bb4fb in ?? () from /usr/lib/libapr-1.so.0
#9  0x00007f80284ba401 in apr_pool_destroy () from /usr/lib/libapr-1.so.0
#10 0x0000000000450d3e in clean_child_exit (code=0) at /root/apache2-backport/httpd-2.2.14/server/mpm/prefork/prefork.c:196
#11 0x000000000045140b in just_die (sig=<value optimized out>) at /root/apache2-backport/httpd-2.2.14/server/mpm/prefork/prefork.c:328
#12 <signal handler called>
#13 0x00007f8027ffe190 in __connect_nocancel () from /lib/libc.so.6
#14 0x00007f801bfc65b5 in ?? ()
#15 0x0000000001c26458 in ?? ()
#16 0x0000000001b3f528 in ?? ()
#17 0x00007f801c30e940 in ?? ()
#18 0x0000000000000015 in ?? ()
#19 0x0000000001c26458 in ?? ()
#20 0x0000000001b3f528 in ?? ()
#21 0x00007f801c30e940 in ?? ()
#22 0x0000000001b41300 in ?? ()
#23 0x00007fff41c64dc0 in ?? ()
#24 0x00007f801bfc7142 in ?? ()
#25 0x0000000100000001 in ?? ()
#26 0x000000004b20862f in ?? ()
#27 0x3020302000000035 in ?? ()
#28 0x0000000000000000 in ?? ()
(gdb) frame 2
#2  destroy_op_array (op_array=0x1c5fde0) at /home/custompackages/tmp/build/php5_5.2.11.dfsg.1-1.dsc.17103/build/Zend/zend_opcode.c:232
232     /home/custompackages/tmp/build/php5_5.2.11.dfsg.1-1.dsc.17103/build/Zend/zend_opcode.c: No such file or directory.
        in /home/custompackages/tmp/build/php5_5.2.11.dfsg.1-1.dsc.17103/build/Zend/zend_opcode.c
(gdb) print *op_array->refcount
Cannot access memory at address 0x7f801fb5da28


[reopened http://bugs.php.net/bug.php?id=49922 with current php ver]

Reproduce code:
---------------
while true; do
  curl http://localhost/testpage.php &
  apachectl restart
done


Expected result:
----------------
clear error log

Actual result:
--------------
segfault
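As an added example (not code from the bug report, PHP or Apache), the teardown discipline that avoids this class of crash: the signal handler only records the shutdown request, and the op_array table is destroyed after the in-flight request completes rather than from inside the handler, which is where frames #2 to #12 of the trace above place it. op_array_t, g_func_table, worker_run and destroyed_count are constructed stand-ins, not Zend or APR names.

```c
#include <signal.h>
#include <stdlib.h>
/* Constructed stand-in for a Zend op_array: its refcount lives in a separate
 * allocation, the pointer the report's gdb session could no longer read. */
typedef struct { int *refcount; } op_array_t;
#define NFUNCS 3
static op_array_t *g_func_table[NFUNCS];            /* stand-in for the function table */
static volatile sig_atomic_t g_shutdown_requested;  /* the only state the handler touches */
static int g_destroyed;                             /* op_arrays freed by the last shutdown */

/* Async-signal-safe handler: record the request, tear nothing down here. In the
 * backtrace the handler itself ran php_module_shutdown -> zend_shutdown ->
 * destroy_op_array while a request was still blocked in connect(). */
static void on_sigterm(int sig) { (void)sig; g_shutdown_requested = 1; }

static void module_startup(void) {
    for (int i = 0; i < NFUNCS; i++) {
        g_func_table[i] = calloc(1, sizeof *g_func_table[i]);
        g_func_table[i]->refcount = malloc(sizeof(int));
        *g_func_table[i]->refcount = 1;
    }
    g_destroyed = 0;
}

/* Mirrors destroy_op_array(): drop the refcount and free at zero. */
static void destroy_op_array(op_array_t *op) {
    if (--*op->refcount == 0) { free(op->refcount); free(op); g_destroyed++; }
}

static void module_shutdown(void) {
    for (int i = 0; i < NFUNCS; i++)
        if (g_func_table[i]) { destroy_op_array(g_func_table[i]); g_func_table[i] = NULL; }
}

/* Serves up to max_requests; a SIGTERM raised during request signal_during
 * (0 = never) is honoured only once that request has completed. Returns the
 * number of requests completed; module_shutdown() runs exactly once. */
int worker_run(int max_requests, int signal_during) {
    signal(SIGTERM, on_sigterm);
    g_shutdown_requested = 0;
    module_startup();
    int done = 0;
    for (int n = 1; n <= max_requests && !g_shutdown_requested; n++) {
        if (n == signal_during) raise(SIGTERM);  /* simulates apachectl restart mid-request */
        done++;                                   /* request finishes with state intact */
    }
    module_shutdown();                            /* teardown at a safe point, not in the handler */
    return done;
}
int destroyed_count(void) { return g_destroyed; }
```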

 [2009-12-10 13:03 UTC] felipe@php.net
Please try using this snapshot:

  http://snaps.php.net/php5.2-latest.tar.gz
 
For Windows:

  http://windows.php.net/snapshots/
 [2009-12-18 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 [2010-03-11 12:53 UTC] proforg at maloletka dot ru
Same crash with PHP 5.2.13.

Core was generated by `/usr/sbin/apache2 -k restart'.
Program terminated with signal 11, Segmentation fault.
[New process 31978]
#0  0x00007fae6ebff060 in ?? ()
(gdb) bt
#0  0x00007fae6ebff060 in ?? ()
#1  <signal handler called>
#2  0x00007fae728c64c8 in destroy_op_array () from /usr/lib/apache2/modules/libphp5.so
#3  0x00007fae728da728 in zend_hash_destroy () from /usr/lib/apache2/modules/libphp5.so
#4  0x00007fae728cfe3a in zend_shutdown () from /usr/lib/apache2/modules/libphp5.so
#5  0x00007fae728892e5 in php_module_shutdown () from /usr/lib/apache2/modules/libphp5.so
#6  0x00007fae72889389 in php_module_shutdown_wrapper () from /usr/lib/apache2/modules/libphp5.so
#7  0x00007fae72944981 in ?? () from /usr/lib/apache2/modules/libphp5.so
#8  0x00007fae790c3a5c in ?? () from /usr/lib/libapr-1.so.0
#9  0x00007fae790c2ca3 in apr_pool_destroy () from /usr/lib/libapr-1.so.0
#10 0x000000000044d90e in ?? ()
#11 0x000000000044e03b in ?? ()
#12 <signal handler called>
#13 0x00007fae78e987a0 in __read_nocancel () from /lib/libpthread.so.0
#14 0x00007fae728a43d6 in ?? () from /usr/lib/apache2/modules/libphp5.so
#15 0x00007fae7289fd48 in ?? () from /usr/lib/apache2/modules/libphp5.so
#16 0x00007fae7289fee6 in _php_stream_get_line () from /usr/lib/apache2/modules/libphp5.so
#17 0x00007fae72814f9c in php_exec () from /usr/lib/apache2/modules/libphp5.so
#18 0x00007fae72815386 in ?? () from /usr/lib/apache2/modules/libphp5.so
#19 0x00007fae7290a3cd in ?? () from /usr/lib/apache2/modules/libphp5.so
#20 0x00007fae728f3134 in execute () from /usr/lib/apache2/modules/libphp5.so
#21 0x00007fae6ff2290f in zend_oe () from /usr/lib/php5/20060613/ZendOptimizer.so
#22 0x00007fae728cf1c8 in zend_execute_scripts () from /usr/lib/apache2/modules/libphp5.so
#23 0x00007fae728890ea in php_execute_script () from /usr/lib/apache2/modules/libphp5.so
#24 0x00007fae72945a73 in ?? () from /usr/lib/apache2/modules/libphp5.so
#25 0x0000000000438ee3 in ap_run_handler ()
#26 0x000000000043c4af in ap_invoke_handler ()
#27 0x000000000044967e in ap_process_request ()
#28 0x00000000004467a8 in ?? ()
#29 0x0000000000440403 in ap_run_process_connection ()
#30 0x000000000044dc80 in ?? ()
#31 0x000000000044dfd4 in ?? ()
#32 0x000000000044e57c in ap_mpm_run ()
#33 0x0000000000425be5 in main ()
(gdb)
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed Oct 16 02:01:28 2024 UTC