Bug #59417 Segfault in getServerByKey
Submitted: 2010-09-13 18:14 UTC
Modified: 2012-03-07 17:11 UTC
Votes: 3
Avg. Score: 4.3 ± 0.9
Reproduced: 3 of 3 (100.0%)
Same Version: 1 (33.3%)
Same OS: 2 (66.7%)
From: kevin at magicmonkey dot org
Assigned: andrei
Status: Closed
Package: memcached (PECL)
PHP Version: 5.3.2
OS: Linux (Ubuntu)
Private report: No
CVE-ID: None
 [2010-09-13 18:14 UTC] kevin at magicmonkey dot org
Description:
------------
There's a double-free (I think) causing a segfault when using
getServerByKey.  I think it's caused by the
"memcached_server_free(server)" on line 1775 of
php_memcached.c, as the "server" variable returned from
memcached_server_by_key is a pointer into a struct which is
used elsewhere (ie it wasn't specifically alloc'd for this
call, so it shouldn't be free'd by this call).  I've forked on
github and committed a fix at
http://github.com/magicmonkey/php-memcached/commit/2b16eaf6e1839a534fa136cabe60b9278a4c9f58 -
I'm not sure if it will break anything else, though.

Note that if you add a call to "$m->get('test');" after the 
getServerByKey line, then the segfault doesn't happen.

Reproduce code:
---------------
<?php
	$m = new Memcached();
	$m->addServers(array(array('127.0.0.1', 11211)));
	$m->add('test', 'test1');
	var_dump($m->getServerByKey('1'));


Expected result:
----------------
array(3) {
  ["host"]=>
  string(9) "127.0.0.1"
  ["port"]=>
  int(11211)
  ["weight"]=>
  int(0)
}


Actual result:
--------------
Segfault, followed by:

*** glibc detected *** php: corrupted double-linked list: 0x0000000002a4b5c0 ***

======= Backtrace: =========
/lib/libc.so.6(+0x775b6)[0x7f99028f95b6]
/lib/libc.so.6(+0x77a1f)[0x7f99028f9a1f]
/lib/libc.so.6(+0x7a460)[0x7f99028fc460]
/lib/libc.so.6(cfree+0x73)[0x7f99028ffe53]
/usr/stuff/libmemcached/lib/libmemcached.so.5(memcached_free+0x19)[0x7f98f9236d69]
/usr/lib/php5/20090626/memcached4.so(+0x7210)[0x7f98f9449210]
/usr/lib/php5/20090626/memcached4.so(+0x813f)[0x7f98f944a13f]
php(zend_objects_store_del_ref_by_handle_ex+0x28c)[0x6ba76c]
php(zend_objects_store_del_ref+0x13)[0x6ba793]
php(_zval_ptr_dtor+0x3d)[0x688e5d]
php[0x6a1ae2]
php(zend_hash_reverse_apply+0x59)[0x6a1be9]
php[0x6894f5]
php[0x695c84]
php(php_request_shutdown+0x325)[0x641995]
php[0x725314]
/lib/libc.so.6(__libc_start_main+0xfd)[0x7f99028a0c4d]
php[0x42c639]

(note that I've called it memcached4.so, to avoid clashing 
with my real memcached.so from version 1.0.2)
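
The ownership mistake the reporter describes, as an added example that is not code from the report, php-memcached or libmemcached: a self-contained C model in which a lookup returns a pointer into storage the pool still owns. All names (`pool`, `pool_server_by_key`, `lookup_buggy`, `lookup_fixed`) are hypothetical, and the model assumes a single-server pool like the one in the reproduce code.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model of the ownership pattern in the report; none of
 * these names come from libmemcached or php-memcached. */
struct server { char host[32]; int port; };
struct pool   { struct server *servers; size_t count; };

struct pool *pool_create(const char *host, int port) {
    struct pool *p = malloc(sizeof *p);
    if (!p || !(p->servers = calloc(1, sizeof *p->servers))) { free(p); return NULL; }
    snprintf(p->servers[0].host, sizeof p->servers[0].host, "%s", host);
    p->servers[0].port = port;
    p->count = 1;
    return p;
}

/* Returns a BORROWED pointer into p->servers; the pool still owns it. */
struct server *pool_server_by_key(struct pool *p, const char *key) {
    size_t h = 0;
    while (*key) h = h * 31 + (unsigned char)*key++;
    return &p->servers[h % p->count];
}

void pool_free(struct pool *p) { free(p->servers); free(p); } /* sole owner */

/* Pattern from the report, for contrast (never called): free() on the borrowed
 * pointer releases the pool's array, so pool_free() later frees it again. */
void lookup_buggy(struct pool *p, const char *key) {
    struct server *s = pool_server_by_key(p, key);
    printf("%s:%d\n", s->host, s->port);
    free(s);                 /* BUG: s was not allocated for this call */
}

/* Fixed form: copy out what the caller needs, leave ownership alone. */
int lookup_fixed(struct pool *p, const char *key, struct server *out) {
    if (!p || !out) return -1;
    *out = *pool_server_by_key(p, key);   /* value copy; nothing to free */
    return 0;
}

int main(void) {
    struct pool *p = pool_create("127.0.0.1", 11211);
    struct server s;
    if (!p || lookup_fixed(p, "1", &s) != 0) return 1;
    printf("%s:%d\n", s.host, s.port);
    pool_free(p);            /* the array is freed exactly once */
    return 0;
}
```

In the model the second free happens in `pool_free()`, at teardown rather than at the lookup, which is consistent with the backtrace above failing inside `memcached_free` during `php_request_shutdown`.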

 [2012-01-26 13:21 UTC] bugs at philosof dot dk
I have also experienced this problem.
See details at:
https://bugs.launchpad.net/ubuntu/+source/php-memcached/+bug/922053

The fault differs a bit depending on whether I have a get before getServerByKey or not.
 [2012-02-29 01:46 UTC] dpk at dpk dot net
This bug is also tracked at: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=629896

It appears to be fixed, but not in the version that is distributed w/ Debian 
Squeeze (or Ubuntu apparently).
 [2012-03-07 17:11 UTC] andrei@php.net
Closing because of age. Please try version 2.0.1 and reopen if this still 
occurs.
 [2012-03-07 17:11 UTC] andrei@php.net
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: andrei