|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #51159 session_set_save_handler Memory Corruption
Submitted: 2010-02-26 18:39 UTC Modified: 2013-02-18 00:34 UTC
Avg. Score:4.6 ± 0.5
Reproduced:5 of 5 (100.0%)
Same Version:3 (60.0%)
Same OS:4 (80.0%)
From: achristianson at yakabod dot com Assigned:
Status: No Feedback Package: Scripting Engine problem
PHP Version: 5.3.1 OS: CentOS 5.4
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2010-02-26 18:39 UTC] achristianson at yakabod dot com
Use of session_set_save_handler seems to cause memory corruption under 
certain conditions.

Inside of _write, there is code that causes a fatal error. The 
corruption seems to not happen if this is removed.

I get the problem in both 5.3.1 and 5.3.2RC3

Reproduce code:
session_set_save_handler('_open', '_close', '_read', '_write', '_destroy', '_gc');
function _write() {
  self::$x = null;
function _destroy() {}
function _gc() {}
function _open() {}
function _close() {}
function _read() {}
for($i = 0; $i < 10000; $i++)
  $exampleArray[] = new C();
class C { }

Expected result:
No segmentation fault

Actual result:
5.2.1 backtrace:

Program received signal SIGSEGV, Segmentation fault.
(execute_data=0x9a6ee80) at /root/php-5.3.1/Zend/zend_execute.c:302
302                zval ***ptr = &CV_OF(node->u.var);
(gdb) bt
(execute_data=0x9a6ee80) at /root/php-5.3.1/Zend/zend_execute.c:302
#1  0x0142d55d in execute (op_array=0x9a0e260) at /root/php-
#2  0x0140bd57 in zend_execute_scripts (type=8, retval=0x0, 
file_count=3) at /root/php-5.3.1/Zend/zend.c:1194
#3  0x013bbf4e in php_execute_script (primary_file=0xbfa7c8c0) at 
#4  0x0148ad2b in php_handler (r=0x9a56160) at /root/php-
#5  0x08077bf3 in ap_invoke_handler ()
#6  0x080868df in ap_process_request ()
#7  0x080839e8 in ?? ()
#8  0x09a56160 in ?? ()
#9  0x00000004 in ?? ()
#10 0x09a56160 in ?? ()
#11 0x0987c2f8 in ?? ()
#12 0x00000002 in ?? ()
#13 0x09a43be8 in ?? ()
#14 0xbfa7c9c8 in ?? ()
#15 0x0807ff45 in ap_process_connection ()

5.2.3RC3 backtrace:

Program received signal SIGSEGV, Segmentation fault.
_zval_ptr_dtor (zval_ptr=0xbf900928) at /root/php-
385                return --pz->refcount__gc;
(gdb) bt
#0  _zval_ptr_dtor (zval_ptr=0xbf900928) at /root/php-
#1  0x014674fc in zend_do_fcall_common_helper_SPEC 
(execute_data=0x8558d30) at /root/php-5.3.2RC3/Zend/zend_execute.h:316
#2  0x01441b3d in execute (op_array=0x84f66d0) at /root/php-
#3  0x01420207 in zend_execute_scripts (type=8, retval=0x0, 
file_count=3) at /root/php-5.3.2RC3/Zend/zend.c:1194
#4  0x013cfe7e in php_execute_script (primary_file=0xbf902c10) at 
#5  0x0149f22b in php_handler (r=0x853e5b8) at /root/php-
#6  0x08077bf3 in ap_invoke_handler ()
#7  0x080868df in ap_process_request ()
#8  0x080839e8 in ?? ()
#9  0x0853e5b8 in ?? ()
#10 0x00000004 in ?? ()
#11 0x0853e5b8 in ?? ()
#12 0x08388758 in ?? ()
#13 0x00000002 in ?? ()
#14 0x0852c040 in ?? ()
#15 0xbf902d18 in ?? ()
#16 0x0807ff45 in ap_process_connection ()


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2010-02-26 18:49 UTC] achristianson at yakabod dot com
Small typo: I put 5.2.1 and 5.2.3RC3 text along with my backtraces. I 
meant to type 5.3.1 and 5.3.2RC3 respectively.
 [2010-02-26 19:08 UTC] achristianson at yakabod dot com
We tried this with Zend MM and garbage collection turned on and off. No 
change in result.
 [2010-02-28 16:52 UTC]
Try turn garbage collection of so we know if it's that.. zend.enable_gc = off, IIRC. :)
 [2010-03-01 12:46 UTC] achristianson at yakabod dot com
We tried with GC off and we get the same result.
 [2010-03-02 23:12 UTC]
-Package: Session related +Package: Scripting Engine problem
 [2010-05-26 19:37 UTC] info at das-peter dot ch
Hi there,

can confirm this behavior with gc enabled/disabled.
My current installation:
php 5.3.2 for win x86 [API220090626,TS,VC6 ]
Compiler VC6, thread safe

Run under Apache 2.2

 [2011-01-27 22:23 UTC] sa at yakabod dot com
Any chance someone can take a look at this issue that is now approaching 1 year 
in the queue.  We have recently reproduced it on PHP 5.3.4 on CentOS 5.5.  We are 
willing to help out with debugging.  Thanks.
 [2012-03-29 21:14 UTC]
The reproduce code correctly gives a fatal error ("Fatal error: Cannot access self:: when no class scope is active" and no crash) in the current 5.3 branch and trunk. Changing it to a normal variable assignment works fine.

Please let us know if you can reproduce this bug with another script without this error, or a current PHP version.
 [2012-03-29 21:14 UTC]
-Status: Open +Status: Feedback
 [2013-02-18 00:34 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Open". Thank you.
 [2013-03-01 12:18 UTC] office at xtreme-vision dot net

We confirm the reproduce code crashes with a segault on CentOS 6 (Linux 2.6.32-
279.22.1.el6.x86_64 #1 SMP Wed Feb 6 03:10:46 UTC 2013 x86_64 x86_64 x86_64 
GNU/Linux) and php 5.3.3 (php-5.3.3-14.el6_3.x86_64).

Also, we get this result in a core dump for Apache 2.2.15 (httpd-2.2.15-

Core was generated by `/usr/sbin/httpd'.
Program terminated with signal 11, Segmentation fault.
#0  0x00007f4aef304e94 in _get_zval_ptr_cv (execute_data=0x7f4afb6d0658) at 
251             zval ***ptr = &CV_OF(node->u.var);

Can someone look at this problem, as it's causing major crashes of our 

PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Feb 22 19:01:29 2024 UTC