Bug #58478 Persistent Connections Cause Segfaults if One Server Drops
Submitted: 2008-12-29 17:57 UTC Modified: 2011-03-14 01:22 UTC
From: jhohle at godaddy dot com Assigned: hradtke (profile)
Status: Closed Package: memcache (PECL)
PHP Version: 5.2.8 OS: Linux 2.4.21-47.ELsmp
Private report: No CVE-ID: None
 [2008-12-29 17:57 UTC] jhohle at godaddy dot com
Description:
------------
When a memcache server is shutdown when the client is using 
persistent connections, a client may segfault. This did not 
occur with previous versions of the memcache extension:

Reproduce code:
---------------
<?php

$port = 11211;
$persistent = true;

$memcache = new Memcache();
$memcache->addServer('localhost', $port, $persistent);
$memcache->addServer('anotherhost', $port, $persistent);

if (!($value = $memcache->get('foo')))
{
        $memcache->set('foo', 'bar');
}

echo 'bar value: ', print_r($value, true), PHP_EOL;

Expected result:
----------------
No segfault

Actual result:
--------------
(gdb) bt
#0  0x00483e92 in mmc_value_handler_single (key=0x8d7235c 
"foo", key_len=3, value=0xbfffb150, 
    flags=148317608, cas=148317608, param=0xbfffb2d0) at 
/tmp/pear/temp/memcache/memcache.c:1430
#1  0x00485af6 in mmc_unpack_value (mmc=0x8ea8e58, 
request=0x8d721f4, buffer=0x8d72208, 
    key=0x8d7235c "foo", key_len=3, flags=0, cas=0, 
bytes=3221205328)
    at /tmp/pear/temp/memcache/memcache_pool.c:457
#2  0x00488695 in mmc_server_read_value (mmc=0x8ea8e58, 
request=0x8d721f4)
    at /tmp/pear/temp/memcache/memcache_ascii_protocol.c:187
#3  0x00487529 in mmc_pool_select (pool=0x8d70ed4, 
timeout=148317608)
    at /tmp/pear/temp/memcache/memcache_pool.c:1443
#4  0x00487b8b in mmc_pool_run (pool=0x8d70ed4) at 
/tmp/pear/temp/memcache/memcache_pool.c:1519
#5  0x004821db in php_mmc_store (ht=2, 
return_value=0x8d72590, return_value_ptr=0x0, 
this_ptr=0x8d725a8, 
    return_value_used=0, op=1) at 
/tmp/pear/temp/memcache/memcache.c:487
#6  0x00483d2c in zif_memcache_set (ht=2, 
return_value=0x8d72590, return_value_ptr=0x0, 
    this_ptr=0x8d70d28, return_value_used=0) at 
/tmp/pear/temp/memcache/memcache.c:1353
#7  0x012a748a in zend_do_fcall_common_helper_SPEC 
(execute_data=0xbfffb4e0)
    at /home/jhohle/src/php-5.2.8/Zend/zend_vm_execute.h:200
#8  0x012a6d51 in execute (op_array=0x8d70bec) at 
/home/jhohle/src/php-5.2.8/Zend/zend_vm_execute.h:92
#9  0x0128fe61 in zend_execute_scripts (type=8, retval=0x0, 
file_count=3)
    at /home/jhohle/src/php-5.2.8/Zend/zend.c:1134
#10 0x0125ccf4 in php_execute_script 
(primary_file=0xbfffd790)
    at /home/jhohle/src/php-5.2.8/main/main.c:2023
#11 0x012ebff0 in php_handler (r=0x8ea2e90)
    at /home/jhohle/src/php-
5.2.8/sapi/apache2handler/sapi_apache2.c:629
#12 0x08072006 in ap_run_handler (r=0x8ea2e90) at 
config.c:158
#13 0x08072522 in ap_invoke_handler (r=0x8ea2e90) at 
config.c:372
#14 0x08085a77 in ap_process_request (r=0x8ea2e90) at 
http_request.c:258
#15 0x08083b81 in ap_process_http_connection (c=0x8e9cd48) 
at http_core.c:184
#16 0x08077692 in ap_run_process_connection (c=0x8e9cd48) at 
connection.c:43
#17 0x08095e4e in child_main (child_num_arg=148317608) at 
prefork.c:640
#18 0x08095fb7 in make_child (s=0x8cf07c8, slot=39) at 
prefork.c:736
#19 0x08096053 in startup_children (number_to_start=1) at 
prefork.c:754
#20 0x08096983 in ap_mpm_run (_pconf=0x8c950a8, 
plog=0x8cd1198, s=0x8cf07c8) at prefork.c:975
#21 0x08062718 in main (argc=3, argv=0xbfffdb84) at 
main.c:717

 [2009-01-08 15:20 UTC] mikael at synd dot info
Hi,

I'm unable to reproduce this problem, tested on

PHP 5.2.8, pecl/memcache 3.0.2, Apache 2.2.8
PHP 5.2.6, pecl/memcache 3.0.2, Apache 2.2.8
PHP 5.2.8, pecl/memcache 3.0.3-dev, command line

The trace indicates that you're using PHP 5.2.8 and not 5.2.5 as indicated in the bug report, is it possible that you're using a memcache.so module built against 5.2.5 with a 5.2.8 mod_php5.so?

What version of pecl/memcache are you using and would you mind posting your memcache ini settings (see the memcache section of the phpinfo() output)

Are there any other circumstances that allows one to reproduce the problem? Would be very helpful if it could be reproduced from the command line, for example by simulating multiple requests and persistent connections like 

for (..) {
  $mc = new Memcache();
  ..
  $mc->disconnect();
  $mc = null;
}
 [2009-01-08 15:51 UTC] jhohle at godaddy dot com
The trace came from PHP 5.2.8, but this behavior also occurs in PHP 5.2.6 (the PECL bug submission form does not include anything after 5.2.5 in its version drop-down).

Here is the memcache info from a server where I can reproduce the bug:

memcache support	enabled
Version	3.0.2
Revision	$Revision: 1.83.2.28 $

Directive	Local Value	Master Value
memcache.allow_failover	1	1
memcache.chunk_size	32768	32768
memcache.default_port	11211	11211
memcache.hash_function	crc32	crc32
memcache.hash_strategy	consistent	consistent
memcache.max_failover_attempts	20	20
memcache.protocol	ascii	ascii
memcache.redundancy	1	1
memcache.session_redundancy	2	2

I don't know if I was clear in my original post, but this occurs when using persistent connections and one of the memcache servers goes offline.


Here is a command-line test case I can recreate with memcache 3.0.2 and PHP 5.2.8. I start memcached on localhost and anotherhost. I start the test and then kill memcached on anotherhost. At that point PHP segfaults in mmc_value_handler_single.

<?php

$port = 11211;
$persistent = true;
$key = 0;

while (true)
{
        $memcache = new Memcache();
        $memcache->addServer('localhost', $port, $persistent);
        $memcache->addServer('gdhelp.dev.godaddy-com.ide', $port, $persistent);

        if (!($value = $memcache->get((string) $key)))
        {
                $memcache->set(
                        (string) $key,
                        ($key % 2) == 0 ? 'bar' : 'baz');
        }
        echo $key, ' value: ', print_r($value, true), PHP_EOL;
        $key = ($key + 1) % 10;
}
?>

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1218565440 (LWP 14401)]
0x00f87e92 in mmc_value_handler_single (key=0xb75af180 "7", key_len=1, 
    value=0xbfff8b80, flags=3076186088, cas=3076186088, param=0xbfff8d00)
    at /tmp/pear/temp/memcache/memcache.c:1430
warning: Source file is more recent than executable.

1430		*(result[0]) = *value;
(gdb) bt
#0  0x00f87e92 in mmc_value_handler_single (key=0xb75af180 "7", key_len=1, 
    value=0xbfff8b80, flags=3076186088, cas=3076186088, param=0xbfff8d00)
    at /tmp/pear/temp/memcache/memcache.c:1430
#1  0x00f89af6 in mmc_unpack_value (mmc=0xa264c78, request=0xb75af018, 
    buffer=0xb75af02c, key=0xb75af180 "7", key_len=1, flags=0, cas=0, 
    bytes=3221195648) at /tmp/pear/temp/memcache/memcache_pool.c:457
#2  0x00f8c695 in mmc_server_read_value (mmc=0xa264c78, request=0xb75af018)
    at /tmp/pear/temp/memcache/memcache_ascii_protocol.c:187
#3  0x00f8b529 in mmc_pool_select (pool=0xb75ac914, timeout=-1218781208)
    at /tmp/pear/temp/memcache/memcache_pool.c:1443
#4  0x00f8bb8b in mmc_pool_run (pool=0xb75ac914)
    at /tmp/pear/temp/memcache/memcache_pool.c:1519
#5  0x00f861db in php_mmc_store (ht=2, return_value=0xb75adf50, 
    return_value_ptr=0x0, this_ptr=0xb75adfe8, return_value_used=0, op=1)
    at /tmp/pear/temp/memcache/memcache.c:487
#6  0x00f87d2c in zif_memcache_set (ht=2, return_value=0xb75adf50, 
    return_value_ptr=0x0, this_ptr=0xb75ade3c, return_value_used=0)
    at /tmp/pear/temp/memcache/memcache.c:1353
#7  0x08247006 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfff8fd0)
    at /home/jhohle/src/php-5.2.8/Zend/zend_vm_execute.h:200
#8  0x082468cd in execute (op_array=0xb75ab6ac)
    at /home/jhohle/src/php-5.2.8/Zend/zend_vm_execute.h:92
#9  0x0822f9dd in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /home/jhohle/src/php-5.2.8/Zend/zend.c:1134
#10 0x081fc870 in php_execute_script (primary_file=0xbfffb350)
    at /home/jhohle/src/php-5.2.8/main/main.c:2023
#11 0x0828c045 in main (argc=2, argv=0xbfffb434)
    at /home/jhohle/src/php-5.2.8/sapi/cli/php_cli.c:1133
(gdb) 

This only happens if I kill a remote host, and will not cause a segfault if I kill memcached on localhost.
 [2009-01-08 16:56 UTC] mikael at synd dot info
This bug has been fixed in CVS.

In case this was a documentation problem, the fix will show up at the
end of next Sunday (CET) on pecl.php.net.

In case this was a pecl.php.net website problem, the change will show
up on the website in short time.
 
Thank you for the report, and for helping us make PECL better.

 [2010-04-26 04:43 UTC] phpbugs at colin dot guthr dot ie
Hi there,

I'm still seeing a very similar crash here with PHP 5.2.11 and PECL-Memcache 3.0.4 with Memcache 1.4.5+Memcache 1.2.8 (two servers).

It seems to be related to the "memcache.allow_failover" setting. If I do not set this flag, things seem to work as expected and it does not crash. For me at least this seems like a valid workaround (I'd rather not have automatic failover anyway).

#0  mmc_value_handler_single (key=0xf613d8 "9", key_len=<value optimized out>, value=<value optimized out>, flags=0, cas=0, param=0x7fff6c568030)
    at /usr/src/debug/memcache-3.0.4/memcache.c:1518
#1  0x00007f4f2fb74586 in mmc_unpack_value (mmc=<value optimized out>, request=<value optimized out>, buffer=<value optimized out>, key=<value optimized out>, 
    key_len=<value optimized out>, flags=<value optimized out>, cas=0, bytes=3) at /usr/src/debug/memcache-3.0.4/memcache_pool.c:522
#2  0x00007f4f2fb796b7 in mmc_server_read_value (mmc=0xf835d0, request=0xf61220) at /usr/src/debug/memcache-3.0.4/memcache_ascii_protocol.c:187
#3  0x00007f4f2fb765ba in mmc_pool_select (pool=0xf51c78) at /usr/src/debug/memcache-3.0.4/memcache_pool.c:1573
#4  0x00007f4f2fb76c35 in mmc_pool_run (pool=0xf51c78) at /usr/src/debug/memcache-3.0.4/memcache_pool.c:1659
#5  0x00007f4f2fb70102 in php_mmc_store (ht=<value optimized out>, return_value=0xf63168, return_value_ptr=<value optimized out>, this_ptr=<value optimized out>, 
    return_value_used=<value optimized out>, op=1) at /usr/src/debug/memcache-3.0.4/memcache.c:524
#6  0x00007f4f3c9bb835 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff6c568610) at /usr/src/debug/php-5.2.11/Zend/zend_vm_execute.h:200
#7  0x00007f4f3c9bbf43 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7fff6c568610) at /usr/src/debug/php-5.2.11/Zend/zend_vm_execute.h:322
#8  0x00007f4f3c9bb2c4 in execute (op_array=0xf5c528) at /usr/src/debug/php-5.2.11/Zend/zend_vm_execute.h:92
#9  0x00007f4f3c98bdcf in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/debug/php-5.2.11/Zend/zend.c:1215
#10 0x00007f4f3c929479 in php_execute_script (primary_file=0x7fff6c56aa50) at /usr/src/debug/php-5.2.11/main/main.c:2041
#11 0x000000000040492a in main (argc=2, argv=0x7fff6c56ae18) at /usr/src/debug/php-5.2.11/sapi/cli/php_cli.c:1168

(gdb) bt full
#0  mmc_value_handler_single (key=0xf613d8 "9", key_len=<value optimized out>, value=<value optimized out>, flags=0, cas=0, param=0x7fff6c568030)
    at /usr/src/debug/memcache-3.0.4/memcache.c:1518
No locals.
#1  0x00007f4f2fb74586 in mmc_unpack_value (mmc=<value optimized out>, request=<value optimized out>, buffer=<value optimized out>, key=<value optimized out>, 
    key_len=<value optimized out>, flags=<value optimized out>, cas=0, bytes=3) at /usr/src/debug/memcache-3.0.4/memcache_pool.c:522
        data = 0x0
        data_len = 3
        value = {value = {lval = 16127256, dval = 7.9679231512871184e-317, str = {val = 0xf61518 "baz", len = 3}, ht = 0xf61518, obj = {handle = 16127256, handlers = 0x3}}, refcount = 1, 
          type = 6 '\006', is_ref = 0 '\000'}
#2  0x00007f4f2fb796b7 in mmc_server_read_value (mmc=0xf835d0, request=0xf61220) at /usr/src/debug/memcache-3.0.4/memcache_ascii_protocol.c:187
        result = <value optimized out>
#3  0x00007f4f2fb765ba in mmc_pool_select (pool=0xf51c78) at /usr/src/debug/memcache-3.0.4/memcache_pool.c:1573
        i = 0
        result = 2
        sending = <value optimized out>
        reading = 0xf51e10
#4  0x00007f4f2fb76c35 in mmc_pool_run (pool=0xf51c78) at /usr/src/debug/memcache-3.0.4/memcache_pool.c:1659
No locals.
#5  0x00007f4f2fb70102 in php_mmc_store (ht=<value optimized out>, return_value=0xf63168, return_value_ptr=<value optimized out>, this_ptr=<value optimized out>, 
    return_value_used=<value optimized out>, op=1) at /usr/src/debug/memcache-3.0.4/memcache.c:524
        pool = 0xf51c78
        request = <value optimized out>
        keys = 0xf5e520
        value = 0xf5e1c8
        mmc_object = 0xf60fd8
        flags = <value optimized out>
        exptime = 0
        cas = 0
#6  0x00007f4f3c9bb835 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff6c568610) at /usr/src/debug/php-5.2.11/Zend/zend_vm_execute.h:200
        return_reference = 0 '\000'
        opline = 0xf5d890
        original_return_value = 0x7f4f3ccc5a18
        current_scope = 0x0
        current_this = 0x0
        return_value_used = 0
        should_change_scope = 1 '\001'
        ctor_opline = 0x7fff6c568100
#7  0x00007f4f3c9bbf43 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7fff6c568610) at /usr/src/debug/php-5.2.11/Zend/zend_vm_execute.h:322
No locals.
#8  0x00007f4f3c9bb2c4 in execute (op_array=0xf5c528) at /usr/src/debug/php-5.2.11/Zend/zend_vm_execute.h:92
        execute_data = {opline = 0xf5d890, function_state = {function_symbol_table = 0x4201a0d5a90b59a6, function = 0xf3d0a0, reserved = {0x7f4f3c97e1c7, 0x7f4f3ccc5b40, 0x7f4f3c95a27a, 
              0x7fff6c56aa50}}, fbc = 0xf3d0a0, op_array = 0xf5c528, object = 0xf60fd8, Ts = 0x7fff6c5681b0, CVs = 0x7fff6c568170, original_in_execution = 0 '\000', 
          symbol_table = 0x7f4f3ccc5888, prev_execute_data = 0x0, old_error_reporting = 0x0}
#9  0x00007f4f3c98bdcf in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/debug/php-5.2.11/Zend/zend.c:1215
        files = {{gp_offset = 40, fp_offset = 48, overflow_arg_area = 0x7fff6c568820, reg_save_area = 0x7fff6c568750}}
        i = 1
        file_handle = 0x7fff6c56aa50
        orig_op_array = 0x0
        orig_retval_ptr_ptr = 0x0
        local_retval = 0x0
#10 0x00007f4f3c929479 in php_execute_script (primary_file=0x7fff6c56aa50) at /usr/src/debug/php-5.2.11/main/main.c:2041
        realfile = "/home/colin/Development/Work/trunk/codebase/code/cmd.php\000. \000\000\000\000\000\360\001\000\000\000\000\000\000\360\001\000\000\000\000\000\000\001\000\000\000\000\000\000\000\235A\315<O\177\000\000\002\000\000\000\a\000\000\000\200-\016\071O\177\000\000P\326\330\000\000\000\000\000\302\323\314<O\177\000\000\000\000\000\000\r\000\000\000\235A\315<O\177\000\000\017\000\000\000\000\000\000\000s6n9O\177\000\000\271\313\031;O\177\000\000\002\000\000\000O\177\000\000\000\000\000\000\000\000\000\000\235A\315<O\177\000\000\245X\321Q\227\"\212\v\244\313\031;O\177\000\000r\272\062\071O\177\000\000\002\000\000\000O\177\000\000\000\000\000\000\000\000\000\000\235"...
        __orig_bailout = 0x7fff6c56abc0
        __bailout = {{__jmpbuf = {140735011002448, 920718966037658474, 4204608, 140735011008016, 0, 0, 920718964898904938, 983944765382572906}, __mask_was_saved = 0, __saved_mask = {
              __val = {25769803778, 11840, 2108992, 2108992, 400, 400, 8, 18865251664, 10488, 10488, 10488, 68, 68, 4, 27455186257, 0}}}}
        prepend_file_p = 0x0
        append_file_p = 0x0
        prepend_file = {type = 0 '\000', filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, reader = 0, closer = 0, fteller = 0, interactive = 0}}, 
          free_filename = 0 '\000'}
        append_file = {type = 0 '\000', filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, reader = 0, closer = 0, fteller = 0, interactive = 0}}, 
          free_filename = 0 '\000'}
        old_cwd = 0x7fff6c568830 ""
        retval = 0
#11 0x000000000040492a in main (argc=2, argv=0x7fff6c56ae18) at /usr/src/debug/php-5.2.11/sapi/cli/php_cli.c:1168
        __orig_bailout = 0x0
        __bailout = {{__jmpbuf = {140735011008024, 920718965874080618, 4204608, 140735011008016, 0, 0, 920718966039755626, -920470279618577558}, __mask_was_saved = 0, __saved_mask = {
              __val = {139978301091008, 139978301391144, 139978299208955, 0, 139978301091008, 1, 0, 140733193388033, 139978301391144, 73, 139978301391104, 1930709532, 5658608, 191, 0, 
                139978301392000}}}}
        exit_status = 0
        c = -1
        file_handle = {type = 2 '\002', filename = 0x7fff6c56cfec "cmd.php", opened_path = 0x0, handle = {fd = 16248768, fp = 0xf7efc0, stream = {handle = 0xf7efc0, 
              reader = 0x7f4f3c9a6e44 <zend_stream_stdio_reader>, closer = 0x7f4f3c9a6e96 <zend_stream_stdio_closer>, fteller = 0x7f4f3c9a6ee6 <zend_stream_stdio_fteller>, 
              interactive = 0}}, free_filename = 0 '\000'}
        behavior = 1
        reflection_what = 0x0
        orig_optind = 1
        orig_optarg = 0x0
        arg_free = 0x7fff6c56cfec "cmd.php"
        arg_excp = 0x7fff6c56ae20
        script_file = 0x7fff6c56cfec "cmd.php"
        interactive = 0
        module_started = 1
        request_started = 1
        lineno = 1
        exec_direct = 0x0
        exec_run = 0x0
        exec_begin = 0x0
        exec_end = 0x0
        param_error = 0x0
        hide_argv = 0
        ini_entries_len = 110
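Colin's workaround above (running with memcache.allow_failover off) can be combined with the same kind of two-server, persistent-connection loop the reporter used, so that a dropped server is reported through the extension's failure callback and getServerStatus() instead of the pool silently rerouting requests. The script below is an added example, not code from this thread or from pecl/memcache itself; the second host name is a placeholder, and it assumes memcache.allow_failover can be changed with ini_set() (it is a PHP_INI_ALL setting in pecl/memcache 3.x). If your build rejects the ini_set() call, set memcache.allow_failover = 0 in php.ini instead.

```php
<?php
// Added example (not from the bug thread or the pecl/memcache project):
// the reporter's two-server loop, run with automatic failover disabled
// as in Colin's workaround, with server failures logged rather than
// silently retried.  Assumptions: memcache.allow_failover is PHP_INI_ALL
// in pecl/memcache 3.x (so ini_set() works); the second host name is a
// placeholder.

ini_set('memcache.allow_failover', '0');   // default is 1; 0 disables rerouting to another server

$servers = array(
    array('host' => 'localhost',          'port' => 11211),
    array('host' => 'memcache-b.example', 'port' => 11211),   // placeholder for the second server
);
$persistent = true;

// Invoked by the extension when it marks a server as failed
// (failure_callback receives the host and port of the failed server).
function on_server_failure($host, $port)
{
    error_log(sprintf('memcache server %s:%d marked failed', $host, $port));
}

$memcache = new Memcache();
foreach ($servers as $s) {
    // addServer(host, port, persistent, weight, timeout, retry_interval, status, failure_callback)
    $memcache->addServer($s['host'], $s['port'], $persistent, 1, 1, 15, true, 'on_server_failure');
}

// Bounded loop so the script ends on its own; stop one memcached while it runs.
$key = 0;
for ($i = 0; $i < 200; $i++) {
    $value = $memcache->get((string) $key);
    if ($value === false) {
        $ok = $memcache->set((string) $key, ($key % 2) == 0 ? 'bar' : 'baz');
        if (!$ok) {
            // With failover off, a write that hashes to a dead server fails
            // instead of being rerouted; report it and carry on.
            error_log('set failed for key ' . $key);
        }
    }

    // getServerStatus() returns 0 for a failed server, non-zero otherwise;
    // surface the outage in the log rather than in a core dump.
    foreach ($servers as $s) {
        if ($memcache->getServerStatus($s['host'], $s['port']) == 0) {
            error_log(sprintf('%s:%d is offline', $s['host'], $s['port']));
        }
    }

    echo $key, ' value: ', print_r($value, true), PHP_EOL;
    $key = ($key + 1) % 10;
    usleep(100000);
}
```

Disabling failover is a trade-off: keys that hash to the dead server fail until it returns, rather than being served from the remaining host, so the log lines from the callback and the status check are what tell an operator the pool has degraded.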
 [2010-04-26 11:44 UTC] hradtke@php.net
I will take another look.
 [2011-03-14 01:22 UTC] hradtke@php.net
I can confirm that Mikael fixed the original bug filed.  I recreated the test script and it handles the servers falling offline with no segfault.

Colin,
Please open a new bug report with a script to recreate the crash.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Mar 28 09:01:26 2024 UTC