Bug #5553 Internal data corruption
Submitted: 2000-07-13 10:35 UTC Modified: 2000-08-08 23:03 UTC
From: christian at pil dot dk Assigned:
Status: Closed Package: Session related
PHP Version: 4.0.1pl2 OS: Linux 2.2.15
Private report: No CVE-ID: None
 [2000-07-13 10:35 UTC] christian at pil dot dk
I got segfaults at the end of almost every request during cleanup. After compiling with '--enable-debug' I get the following messages in the errorlog instead:

[Wed Jul 12 16:21:36 2000]  Script:  '/path/docs/my.php3'
---------------------------------------
session.c(1282) : Block 0x081D730C status:
Beginning:      Overrun (magic=0x6E61685F, expected=0x7312F8DC)
      End:      Unknown
---------------------------------------
session.c(1262) :  Freeing 0x08232F04 (20 bytes), script=/path/docs/my.php3

I placed a breakpoint at the offending line and a backtrace at that point looks like this:

#0  php_rshutdown_session_globals () at session.c:1282
#1  0x80aea90 in php_rshutdown_session (type=1, module_number=19) at session.c:1319
#2  0x80f0b5e in module_registry_cleanup (module=0x81f4ef8) at zend_API.c:858
#3  0x80f33f9 in zend_hash_apply (ht=0x81bb900, apply_func=0x80f0b38 <module_registry_cleanup>) at zend_hash.c:672
#4  0x80f02a0 in zend_deactivate_modules () at zend.c:503
#5  0x807f82f in php_request_shutdown (dummy=0x0) at main.c:659
#6  0x807da16 in php_apache_request_shutdown (dummy=0x0) at mod_php4.c:301
#7  0x811bd4e in run_cleanups (c=0x820f67c) at alloc.c:1706
#8  0x811a57d in ap_clear_pool (a=0x820cf94) at alloc.c:531
#9  0x811a5f1 in ap_destroy_pool (a=0x820cf94) at alloc.c:561
#10 0x811a56c in ap_clear_pool (a=0x81c923c) at alloc.c:528
#11 0x8129a2f in child_main (child_num_arg=0) at http_main.c:3900
#12 0x8129fcc in make_child (s=0x81bfa24, slot=0, now=963411222) at http_main.c:4281
#13 0x812a129 in startup_children (number_to_start=5) at http_main.c:4363
#14 0x812a756 in standalone_main (argc=4, argv=0xbffffb14) at http_main.c:4651
#15 0x812aee3 in main (argc=4, argv=0xbffffb14) at http_main.c:4978
#16 0x408d79cb in __libc_start_main (main=0x812ab9c <main>, argc=4, argv=0xbffffb14, init=0x8064798 <_init>, fini=0x81583dc <_fini>, rtld_fini=0x4000ae60 <_dl_fini>, stack_end=0xbffffb0c) at ../sysdeps/generic/libc-start.c:92

The output from session_encode looks like this:

my_destination|s:26:"http://cola.pil.dk/my.php3";mymsUser|O:8:"mymsuser":17:{s:16:"MymsMobilenumber";s:20:"40176558            ";s:9:"CountryID";i:20;s:10:"LanguageID";i:1;s:15:"LanguageISOCode";s:2:"en";s:9:"SelectAll";s:162:"SELECT MymsUserID, MymsUserEmail, MymsUserPassword, MymsFirstname, MymsLastname, 
                                MymsRememberCode, MymsMobilenumber, CountryID, LanguageID 
                        FROM Myms_User";s:5:"valid";b:1;s:2:"ID";i:1;s:5:"Email";s:16:"christian@pil.dk";s:8:"Password";s:4:"fisk";s:9:"FirstName";s:254:"Christian                                                                                                                                                                                                                                                     ";s:8:"LastName";s:254:"Laursen                                                                                                                                                                                                                                                       ";s:12:"RememberCode";s:0:"";s:18:"RememberCookieName";s:12:"MymsRemember";s:10:"ExistsInDB";b:1;s:3:"dbh";O:6:"db_sql":14:{s:4:"Host";s:9:"localhost";s:8:"Database";s:6:"master";s:4:"User";s:6:"master";s:8:"Password";s:13:"XXXXXXXXXXXXX";s:13:"UseODBCCursor";i:0;s:7:"Link_ID";i:0;s:8:"Query_ID";i:0;s:6:"Record";a:2:{i:0;s:5:"en   ";s:15:"languageisocode";s:5:"en   ";}s:3:"Row";i:0;s:5:"Errno";i:0;s:5:"Error";s:0:"";s:9:"Auto_Free";i:0;s:11:"Auto_Commit";i:1;}s:8:"Timezone";i:0;}

I tried to inspect the contents of ps_globals at that point but found nothing suspicious-looking there.

If there is anything else I can do to help, please let me know.
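
A triage aid for the debug-allocator report quoted above, added here as an example; it is not part of the original report or of PHP's code, and the function names are hypothetical. It parses the block-status lines and renders the corrupted guard word in memory byte order, assuming a little-endian x86 host (the report states only Linux 2.2.15).

```python
import re

# Constructed sample: the debug-allocator lines quoted in the report above.
SAMPLE_LOG = """\
[Wed Jul 12 16:21:36 2000]  Script:  '/path/docs/my.php3'
---------------------------------------
session.c(1282) : Block 0x081D730C status:
Beginning:      Overrun (magic=0x6E61685F, expected=0x7312F8DC)
      End:      Unknown
---------------------------------------
session.c(1262) :  Freeing 0x08232F04 (20 bytes), script=/path/docs/my.php3
"""

BLOCK_RE = re.compile(
    r"^(?P<file>[\w./]+)\((?P<line>\d+)\) : Block (?P<addr>0x[0-9A-Fa-f]+) status:")
GUARD_RE = re.compile(
    r"^\s*(?P<which>Beginning|End):\s+(?P<state>\w+)"
    r"(?: \(magic=(?P<magic>0x[0-9A-Fa-f]+), expected=(?P<expected>0x[0-9A-Fa-f]+)\))?")


def magic_as_text(value, byteorder="little"):
    """Return the 32-bit guard word as ASCII in memory order, or None if not printable."""
    raw = value.to_bytes(4, byteorder)
    return raw.decode("ascii") if all(0x20 <= b < 0x7F for b in raw) else None


def parse_block_reports(log_text):
    """Collect one record per 'Block ... status:' report with its guard states."""
    reports, current = [], None
    for line in log_text.splitlines():
        m = BLOCK_RE.match(line)
        if m:
            current = {"site": f"{m['file']}:{m['line']}",
                       "block": m["addr"], "guards": {}}
            reports.append(current)
            continue
        g = GUARD_RE.match(line)
        if g and current is not None:
            entry = {"state": g["state"]}
            if g["magic"]:
                entry["magic"] = int(g["magic"], 16)
                entry["expected"] = int(g["expected"], 16)
                # Printable text here points at string data written over the header.
                entry["text"] = magic_as_text(entry["magic"])
            current["guards"][g["which"]] = entry
    return reports
```

For the report above, the overwritten guard word decodes to "_han", which is printable ASCII rather than arbitrary bytes and is consistent with string data having been written across the start of the block.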

 [2000-07-13 10:52 UTC] christian at pil dot dk
Generating the session_dump causes a segfault.

Here's the backtrace:

#0  __writev (fd=8, vector=0xbfffbf88, count=2) at ../sysdeps/unix/sysv/linux/writev.c:52
#1  0x811d90b in writev_it_all (fb=0x81c9274, vec=0xbfffbf88, nvec=2) at buff.c:1070
#2  0x811dd40 in large_write (fb=0x81c9274, buf=0x83cab24, nbyte=149) at buff.c:1225
#3  0x811de04 in ap_bwrite (fb=0x81c9274, buf=0x83cab24, nbyte=149) at buff.c:1288
#4  0x812f61e in ap_rwrite (buf=0x83cab24, nbyte=149, r=0x820cfbc) at http_protocol.c:2393
#5  0x807d5f6 in sapi_apache_ub_write (str=0x83cab24 "</font>\n\t\t\t\t  </td>\n", ' ' <repeats 18 times>, "<td width=\"110\" align=\"right\"><font size=\"-2\" face=\"Verdana, Arial, Helvetica, sans-serif\"><a href=\"help.php3\">", str_length=149) at mod_php4.c:141
#6  0x80daaf9 in php_ub_body_write_no_header (str=0x83cab24 "</font>\n\t\t\t\t  </td>\n", ' ' <repeats 18 times>, "<td width=\"110\" align=\"right\"><font size=\"-2\" face=\"Verdana, Arial, Helvetica, sans-serif\"><a href=\"help.php3\">", str_length=149) at output.c:270
#7  0x80da8cc in php_body_write (str=0x83cab24 "</font>\n\t\t\t\t  </td>\n", ' ' <repeats 18 times>, "<td width=\"110\" align=\"right\"><font size=\"-2\" face=\"Verdana, Arial, Helvetica, sans-serif\"><a href=\"help.php3\">", str_length=149) at output.c:84
#8  0x807f892 in php_body_write_wrapper (str=0x83cab24 "</font>\n\t\t\t\t  </td>\n", ' ' <repeats 18 times>, "<td width=\"110\" align=\"right\"><font size=\"-2\" face=\"Verdana, Arial, Helvetica, sans-serif\"><a href=\"help.php3\">", str_length=149) at main.c:688
#9  0x80efded in zend_print_zval_ex (write_func=0x807f884 <php_body_write_wrapper>, expr=0x824c34c, indent=0) at zend.c:189
#10 0x80efd9c in zend_print_zval (expr=0x824c34c, indent=0) at zend.c:170
#11 0x80ef9e9 in zend_print_variable (var=0x824c34c) at zend_variables.c:162
#12 0x8113610 in execute (op_array=0x826afd0) at ./zend_execute.c:1189
#13 0x8115b88 in execute (op_array=0x83a38e0) at ./zend_execute.c:1598
#14 0x8115b88 in execute (op_array=0x83a3ed8) at ./zend_execute.c:1598
#15 0x8115b88 in execute (op_array=0x82a2e70) at ./zend_execute.c:1598
#16 0x8115b88 in execute (op_array=0x83a8004) at ./zend_execute.c:1598
#17 0x80801db in php_execute_script (primary_file=0xbffff95c) at main.c:1157
#18 0x80faca0 in apache_php_module_main (r=0x820cfbc, fd=23, display_source_mode=0) at sapi_apache.c:93
#19 0x807defb in send_php (r=0x820cfbc, display_source_mode=0, filename=0x820daac "/path/docs/my.php3") at mod_php4.c:515
#20 0x807df3c in send_parsed_php (r=0x820cfbc) at mod_php4.c:527
#21 0x811f013 in ap_invoke_handler (r=0x820cfbc) at http_config.c:508
#22 0x81324f9 in process_request_internal (r=0x820cfbc) at http_request.c:1215
#23 0x813255c in ap_process_request (r=0x820cfbc) at http_request.c:1231
#24 0x8129e3e in child_main (child_num_arg=0) at http_main.c:4177
#25 0x8129fcc in make_child (s=0x81bfa24, slot=0, now=963411222) at http_main.c:4281
#26 0x812a129 in startup_children (number_to_start=5) at http_main.c:4363
#27 0x812a756 in standalone_main (argc=4, argv=0xbffffb14) at http_main.c:4651
#28 0x812aee3 in main (argc=4, argv=0xbffffb14) at http_main.c:4978
#29 0x408d79cb in __libc_start_main (main=0x812ab9c <main>, argc=4, argv=0xbffffb14, init=0x8064798 <_init>, fini=0x81583dc <_fini>, rtld_fini=0x4000ae60 <_dl_fini>, stack_end=0xbffffb0c) at ../sysdeps/generic/libc-start.c:92

 [2000-07-13 11:01 UTC] kara at cvs dot php dot net
Should be fixed in CVS a few days ago
 [2000-08-08 23:03 UTC] waldschrott@php.net
Closed due to missing user feedback.
 
Last updated: Fri Apr 19 02:01:29 2024 UTC