Bug #58237 Segmentation fault with errorcallback handler
Submitted: 2008-06-16 20:50 UTC Modified: 2008-11-24 14:36 UTC
From: nicolas at netlog dot com Assigned: mikl (profile)
Status: Closed Package: memcache (PECL)
PHP Version: 5.2.5 OS: linux
Private report: No CVE-ID: None
 [2008-06-16 20:50 UTC] nicolas at netlog dot com
Description:
------------
When setting a callback function from within a function, php just segfaults whenever it should call the callback handler.

When I remove the init() function and put the code in the main of the script, it works perfectly.



Reproduce code:
---------------
<?php

        init ();

        $mc->set ('key', 'value');

        function init ()
        {
                global $mc;

                $mc = new Memcache ();
                if ($mc->addServer ('netlog', 11212, TRUE, 1, 1, 1, TRUE, '__errorCallback') === FALSE)
                {
                        die ("Unable to connect\n");
                }
        }

        function __errorCallback ($host, $tcpPort, $udpPort, $error, $errno)
        {
                die ("Memcache error '$host' '$tcpPort' '$udpPort' '$error' '$errno'\n");
        }

        die ("OK\n");

?>

Expected result:
----------------
Memcache error 'localhost' '11212' '0' 'Connection refused' '111'

Actual result:
--------------
Segmentation fault

Program received signal SIGSEGV, Segmentation fault.
0x00000000006d4dad in zend_object_store_get_object (zobject=0x2b4de56e00d8) at /usr/src/php-5.2.6/Zend/zend_objects_API.c:255
255             return EG(objects_store).object_buckets[handle].bucket.obj.object;
(gdb) bt
#0  0x00000000006d4dad in zend_object_store_get_object (zobject=0x2b4de56e00d8) at /usr/src/php-5.2.6/Zend/zend_objects_API.c:255
#1  0x00000000006d0d61 in zend_objects_get_address (zobject=0x2b4de56e00d8) at /usr/src/php-5.2.6/Zend/zend_objects.c:140
#2  0x00000000006d106d in zend_std_get_properties (object=0x2b4de56e00d8) at /usr/src/php-5.2.6/Zend/zend_object_handlers.c:55
#3  0x00002b4de865025f in php_mmc_failure_callback (pool=0x2b4de56e0580, mmc=0x10b69b0, param=0x2b4de56e00d8) at /usr/src/memcache-3.0.1/memcache.c:939


 [2008-10-21 05:22 UTC] nicolas at netlog dot com
Here at Netlog, we found why the module was segfaulting.

The problem is that the module itself references the mmc_object, but never increases the reference counter of mmc_object. So when, for some reason, mmc_object goes out of scope and a memcache error occurs, we're causing a segmentation fault. The easy fix is increasing the reference counter in the function php_mmc_set_failure_callback. At least, it works for us.

Here is the patch:

diff -ruN memcache-3.0.2-orig/memcache.c memcache-3.0.2-netlog/memcache.c
--- memcache-3.0.2-orig/memcache.c	2008-09-11 22:03:23.000000000 +0200
+++ memcache-3.0.2-netlog/memcache.c	2008-10-21 10:49:06.000000000 +0200
@@ -977,6 +977,8 @@
		add_property_zval(mmc_object, "_failureCallback", callback_tmp);
		pool->failure_callback_param = mmc_object;  

+		zval_add_ref(&mmc_object);
+
		INIT_PZVAL(callback_tmp);
	}
	else {
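
Review bot: the reference taken by `zval_add_ref(&mmc_object);` right after `pool->failure_callback_param = mmc_object;` has no matching release anywhere in this hunk. Please show (or add) where it is dropped: in the `else` branch that follows, when a second call replaces an existing callback, and when the pool is destroyed. Without that, every call through this branch adds one more reference and the object is never freed. A one-line comment stating that the pool now holds its own reference to mmc_object would also make the intent clear to the next reader.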

What do you guys think? Every comment is appreciated.

Cheers,
Nicolas
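
The ownership problem described in the comment above, as an added example that is not part of the original report or of the memcache extension's code: a constructed handle table stands in for the Zend object store, so a stale reference is reported as NULL instead of crashing. All names in it (`store`, `pool_set_failure_callback`, `take_ref`, `pool_free`) are hypothetical.

```c
#include <stdio.h>

/* Constructed miniature of a refcounted object store; not the Zend API. */
static struct bucket { int live, refcount; const char *callback; } store[4];
static int obj_new(const char *callback) {
    for (int h = 0; h < 4; h++)
        if (!store[h].live) { store[h] = (struct bucket){ 1, 1, callback }; return h; }
    return -1;
}
static void obj_release(int h) {
    if (store[h].live && --store[h].refcount == 0) store[h].live = 0;
}
static int live_objects(void) {
    int n = 0;
    for (int h = 0; h < 4; h++) n += store[h].live;
    return n;
}

/* take_ref = 0: the pool only borrows the handle; 1: it takes its own reference. */
typedef struct { int param, owns_ref; } pool;
static void pool_set_failure_callback(pool *p, int h, int take_ref) {
    p->param = h; p->owns_ref = take_ref;
    if (take_ref) store[h].refcount++;
}
static const char *pool_failure_callback(const pool *p) {
    if (p->param < 0 || !store[p->param].live) return NULL;  /* stale handle */
    return store[p->param].callback;
}
static void pool_free(pool *p) {
    if (p->owns_ref) obj_release(p->param);  /* matching release at teardown */
    p->param = -1; p->owns_ref = 0;
}

/* The script drops its only reference, then a connection error fires. */
static int callback_reachable_after_scope_exit(int take_ref) {
    pool p = { -1, 0 };
    int h = obj_new("__errorCallback");
    pool_set_failure_callback(&p, h, take_ref);
    obj_release(h);
    int ok = pool_failure_callback(&p) != NULL;
    pool_free(&p);
    return ok;
}

int main(void) {
    printf("borrowed: %d\n", callback_reachable_after_scope_exit(0));
    printf("owned:    %d\n", callback_reachable_after_scope_exit(1));
    printf("live objects after teardown: %d\n", live_objects());
    return 0;
}
```

In the borrowed case the real extension has no liveness check to fall back on, which is why the dereference in the backtrace faults; the owned case only stays leak-free because `pool_free` releases what `pool_set_failure_callback` took.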
 [2008-11-22 18:21 UTC] tony at daylessday dot org
Mikael, can you check this out plz?
 [2008-11-24 14:36 UTC] mikael at synd dot info
This bug has been fixed in CVS.

In case this was a documentation problem, the fix will show up at the
end of next Sunday (CET) on pecl.php.net.

In case this was a pecl.php.net website problem, the change will show
up on the website in short time.
 
Thank you for the report, and for helping us make PECL better.


 