Bug #51319 apache process sigsegv (double free or corruption (fasttop))
Submitted: 2010-03-18 08:35 UTC Modified: 2012-06-11 14:13 UTC
Votes:3
Avg. Score:4.7 ± 0.5
Reproduced:3 of 3 (100.0%)
Same Version:1 (33.3%)
Same OS:0 (0.0%)
From: idsl at cc dot com dot pl Assigned:
Status: Duplicate Package: Apache related
PHP Version: 5.2.13 OS: Redhat 4U4
Private report: No CVE-ID: None
 [2010-03-18 08:35 UTC] idsl at cc dot com dot pl
Description:
------------
Hello.
We have this problem with 5.2.12 and still with 5.2.13.
In very random situations the apache process gets a SIGSEGV, with
this in the error log:

*** glibc detected *** double free or corruption (fasttop): 0x88aa9300 ***
[Thu Mar 18 06:22:06 2010] [notice] seg fault or similar nasty error detected in the parent process
[Thu Mar 18 06:22:07 2010] [notice] child pid 1107 exit signal Segmentation fault (11), possible coredump in /tmp

gdb shows this:

(gdb) backtrace
#0  0x0013a2c2 in abort () from /lib/tls/libc.so.6
#1  0x0016c4ea in __libc_message () from /lib/tls/libc.so.6
#2  0x00172c6f in _int_free () from /lib/tls/libc.so.6
#3  0x00172fea in free () from /lib/tls/libc.so.6
#4  0x01287c44 in php_error_cb (type=1, error_filename=0xc36f894 "theme.php(10) : eval()'d code", 
    error_lineno=9, format=0x1570b84 "Maximum execution time of %d second%s exceeded", 
    args=0xa0f6195c "\036") at /tmp/php-5.2.13/main/main.c:836
#5  0x012c8b2a in zend_error (type=1, 
    format=0x1570b84 "Maximum execution time of %d second%s exceeded")
    at /tmp/php-5.2.13/Zend/zend.c:976
#6  0x012bd76d in zend_timeout (dummy=27) at /tmp/php-5.2.13/Zend/zend_execute_API.c:1347
#7  <signal handler called>
#8  0x00175030 in malloc () from /lib/tls/libc.so.6
#9  0x00179cd0 in strdup () from /lib/tls/libc.so.6
#10 0x012879e7 in php_error_cb (type=2, error_filename=0xc36f894 "theme.php(10) : eval()'d code", 
    error_lineno=9, format=0x15723f4 "%s%s%s(): supplied argument is not a valid %s resource", 
    args=0xa0f61d48 "ŃKT\001ŃKT\001OjT\001FŽU\001x\035ö \001") at /tmp/php-5.2.13/main/main.c:845


The lines of code from the backtrace are:

    833     /* store the error if it has changed */
    834     if (display) {
    835         if (PG(last_error_message)) {
    836             free(PG(last_error_message));
    837         }
    838         if (PG(last_error_file)) {
    839             free(PG(last_error_file));
    840         }
    841         if (!error_filename) {
    842             error_filename = "Unknown";
    843         }
    844         PG(last_error_type) = type;
    845         PG(last_error_message) = strdup(buffer);
    846         PG(last_error_file) = strdup(error_filename);
    847         PG(last_error_lineno) = error_lineno;


Test script:
---------------
It's independent of scripts.
In the last 12h, out of over 3 million requests, we have had only 15 such errors.


Expected result:
----------------
We expected not to receive SIGSEGVs for apache.


Patches

php-apache2-sigblock-20090316.patch.diff (last revision 2010-09-08 13:32 UTC by hossy421 at yahoo dot co dot jp)

 [2010-07-23 14:16 UTC] php-lover at bobmail dot info
The following script could be useful in reproducing the issue:
<?php error_reporting(0); set_time_limit(0); do {} while ($dummy != 1); ?>

The problem is caused by the zend_timeout() signal handler; PHP is currently doing unsafe operations inside it, like calling free/malloc. A possible fix is delaying the zend_timeout call.
 [2010-09-04 10:19 UTC] hossy421 at yahoo dot co dot jp
This is the same problem that I reported before.
apache2handler doesn't have a handler for blocking signals.

Please test the patch attached to my report.
ref. http://bugs.php.net/bug.php?id=47768
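
The two remedies raised in the comments above (deferring the timeout work out of the signal handler, and blocking the signal around the allocator calls), as an added C example. It is not PHP's code and not the attached patch; last_error_message, on_timeout, install_handler, store_error, check_timeout and the inject parameter are hypothetical names used for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for PG(last_error_message); not PHP's real globals. */
static char *last_error_message;
static volatile sig_atomic_t timed_out; /* the only state the handler touches */
/* Async-signal-safe handler: record the timeout, never call malloc/free. */
static void on_timeout(int signo) { (void)signo; timed_out = 1; }

static int install_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_timeout;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGALRM, &sa, NULL);
}

/* Swap the stored message with SIGALRM blocked. inject != 0 (demo only)
 * raises SIGALRM between free() and strdup(), the window seen in the trace. */
static int store_error(const char *msg, int inject)
{
    sigset_t block, saved;
    sigemptyset(&block);
    sigaddset(&block, SIGALRM);
    if (sigprocmask(SIG_BLOCK, &block, &saved) != 0) return -1;
    int before = timed_out;
    free(last_error_message);
    if (inject) raise(SIGALRM);             /* stays pending while blocked */
    int deferred = (timed_out == before);   /* handler has not run in here */
    last_error_message = strdup(msg);
    sigprocmask(SIG_SETMASK, &saved, NULL); /* pending SIGALRM delivered here */
    return (last_error_message && deferred) ? 0 : -1;
}

/* Normal control flow: report the deferred timeout outside signal context. */
static int check_timeout(void)
{
    if (!timed_out) return 0;
    timed_out = 0;
    return store_error("Maximum execution time exceeded", 0) == 0 ? 1 : -1;
}

int main(void)
{
    if (install_handler() || store_error("not a valid resource", 1)) return 1;
    return check_timeout() == 1 ? 0 : 1;
}
```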
 [2010-10-20 22:35 UTC] gms8994 at gmail dot com
For what it's worth:

I recompiled PHP on 2 of the boxes exhibiting the problem for me to include
--enable-debug, and the problem has not manifested itself since. Heisenberg in the
house?
 [2011-05-29 18:37 UTC] felipe@php.net
-Status: Open +Status: Feedback
 [2011-05-29 18:37 UTC] felipe@php.net
Please try using this snapshot:

  http://snaps.php.net/php5.3-latest.tar.gz
 
For Windows:

  http://windows.php.net/snapshots/


 [2012-06-11 14:13 UTC] moriyoshi@php.net
-Status: Feedback +Status: Duplicate
 [2012-06-11 14:13 UTC] moriyoshi@php.net
quite the same as #47768
 
Last updated: Thu Nov 14 12:01:32 2024 UTC