php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #51319 apache process sigsegv (double free or corruption (fasttop))
Submitted: 2010-03-18 08:35 UTC Modified: 2012-06-11 14:13 UTC
Votes:3
Avg. Score:4.7 ± 0.5
Reproduced:3 of 3 (100.0%)
Same Version:1 (33.3%)
Same OS:0 (0.0%)
From: idsl at cc dot com dot pl Assigned:
Status: Duplicate Package: Apache related
PHP Version: 5.2.13 OS: Redhat 4U4
Private report: No CVE-ID: None
 [2010-03-18 08:35 UTC] idsl at cc dot com dot pl
Description:
------------
Hello.
We have this problem with 5.2.12 and still with 5.2.13.
In very random situation apache process sigsegv with 
this in error log:

*** glibc detected *** double free or corruption (fasttop): 0x88aa9300 ***
[Thu Mar 18 06:22:06 2010] [notice] seg fault or similar nasty error detected in the parent process
[Thu Mar 18 06:22:07 2010] [notice] child pid 1107 exit signal Segmentation fault (11), possible coredump in /tmp

gdb shows this:

(gdb) backtrace
#0  0x0013a2c2 in abort () from /lib/tls/libc.so.6
#1  0x0016c4ea in __libc_message () from /lib/tls/libc.so.6
#2  0x00172c6f in _int_free () from /lib/tls/libc.so.6
#3  0x00172fea in free () from /lib/tls/libc.so.6
#4  0x01287c44 in php_error_cb (type=1, error_filename=0xc36f894 "theme.php(10) : eval()'d code", 
    error_lineno=9, format=0x1570b84 "Maximum execution time of %d second%s exceeded", 
    args=0xa0f6195c "\036") at /tmp/php-5.2.13/main/main.c:836
#5  0x012c8b2a in zend_error (type=1, 
    format=0x1570b84 "Maximum execution time of %d second%s exceeded")
    at /tmp/php-5.2.13/Zend/zend.c:976
#6  0x012bd76d in zend_timeout (dummy=27) at /tmp/php-5.2.13/Zend/zend_execute_API.c:1347
#7  <signal handler called>
#8  0x00175030 in malloc () from /lib/tls/libc.so.6
#9  0x00179cd0 in strdup () from /lib/tls/libc.so.6
#10 0x012879e7 in php_error_cb (type=2, error_filename=0xc36f894 "theme.php(10) : eval()'d code", 
    error_lineno=9, format=0x15723f4 "%s%s%s(): supplied argument is not a valid %s resource", 
    args=0xa0f61d48 "ŃKT\001ŃKT\001OjT\001FŽU\001x\035ö \001") at /tmp/php-5.2.13/main/main.c:845


Lines of code from backtrace are:

    833     /* store the error if it has changed */
    834     if (display) {
    835         if (PG(last_error_message)) {
    836             free(PG(last_error_message));
    837         }
    838         if (PG(last_error_file)) {
    839             free(PG(last_error_file));
    840         }
    841         if (!error_filename) {
    842             error_filename = "Unknown";
    843         }
    844         PG(last_error_type) = type;
    845         PG(last_error_message) = strdup(buffer);
    846         PG(last_error_file) = strdup(error_filename);
    847         PG(last_error_lineno) = error_lineno;







Test script:
---------------
It's independent from scripts.
For last 12h on over 3mln requests we have only 15 such errors.


Expected result:
----------------
We expected not to receive sigsegv's for apache.


Patches

php-apache2-sigblock-20090316.patch.diff (last revision 2010-09-08 13:32 UTC by hossy421 at yahoo dot co dot jp)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2010-07-23 14:16 UTC] php-lover at bobmail dot info
Following script could be useful in reproducing issue:
<?php error_reporting(0); set_time_limit(0); do {} while ($dummy != 1); ?>

The problem is caused by zend_timeout() signal handler, php now is doing unsafe operation inside like calling free/malloc. Possible fix is delaying zend_timeout call.
 [2010-09-04 10:19 UTC] hossy421 at yahoo dot co dot jp
this is the same problem that I reported before.
apache2handler doesn't have the handler of blocking signals.

please test the patch attached my report.
ref. http://bugs.php.net/bug.php?id=47768
 [2010-10-20 22:35 UTC] gms8994 at gmail dot com
For What It's Worth:

I recompiled PHP on 2 of the boxes exhibiting the problem for me to include --
enable-debug, and the problem has not manifested itself since. Heisenberg in the 
house?
 [2011-05-29 18:37 UTC] felipe@php.net
-Status: Open +Status: Feedback
 [2011-05-29 18:37 UTC] felipe@php.net
Please try using this snapshot:

  http://snaps.php.net/php5.3-latest.tar.gz
 
For Windows:

  http://windows.php.net/snapshots/


 [2012-06-11 14:13 UTC] moriyoshi@php.net
-Status: Feedback +Status: Duplicate
 [2012-06-11 14:13 UTC] moriyoshi@php.net
quite the same as #47768
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Mon Feb 24 12:01:25 2020 UTC