Bug #59551 Segmentation fault when memcached server does not respond
Submitted: 2010-12-28 13:42 UTC Modified: 2011-05-04 09:11 UTC
From: michal at neotronic dot org Assigned:
Status: Not a bug Package: memcache (PECL)
PHP Version: 5.3.2 OS: Linux 2.6.26-2-xen-amd64
Private report: No CVE-ID: None
 [2010-12-28 13:42 UTC] michal at neotronic dot org
Description:
------------

steps to reproduce:
1) make your memcached server unavailable
2) run the included code

I've been trying to track the bug down. It segfaults right in the fourth iteration of:
while ((request = mmc_queue_pop(&(pool->free_requests))) != NULL) {
    pool->protocol->free_request(request);
}
in mmc_pool_free()

just prior to the segmentation fault, the mmc_request_t *request contains this:
(gdb) print *request
$6 = {io = 0x5a5a5a5a5a5a5a5a, sendbuf = {value = {c = 0x5a5a5a5a5a5a5a5a <Address 0x5a5a5a5a5a5a5a5a out of bounds>, len = 6510615555426900570, a = 6510615555426900570}, idx = 1515870810}, readbuf = {value = {
      c = 0x5a5a5a5a5a5a5a5a <Address 0x5a5a5a5a5a5a5a5a out of bounds>, len = 6510615555426900570, a = 6510615555426900570}, idx = 1515870810}, key = 'Z' <repeats 251 times>, key_len = 1515870810, protocol = 1515870810,
  failed_servers = {items = 0x5a5a5a5a5a5a5a5a, alloc = 1515870810, head = 1515870810, tail = 1515870810, len = 1515870810}, failed_index = 1515870810, read = 0x5a5a5a5a5a5a5a5a, parse = 0x5a5a5a5a5a5a5a5a,
  value_handler = 0x5a5a5a5a5a5a5a5a, value_handler_param = 0x5a5a5a5a5a5a5a5a, response_handler = 0x5a5a5a5a5a5a5a5a, response_handler_param = 0x5a5a5a5a5a5a5a5a, failover_handler = 0x5a5a5a5a5a5a5a5a,
  failover_handler_param = 0x5a5a5a5a5a5a5a5a, udp = {reqid = 23130, seqid = 23130, total = 23130}}


At this point some assistance is needed.

Thank you

Reproduce code:
---------------
<?php
// At request shutdown the session is flushed through the memcache save handler
// (ps_close_memcache), which is where the crash in the backtrace below occurs.
session_start();
?>

Expected result:
----------------
the script should end normally, returning a non-zero value

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f3289da7710 (LWP 6607)]
0x00000000009567a8 in zend_mm_check_ptr (heap=Cannot access memory at address 0x8000cec0d818
) at /usr/src/php5.3/source/php5-5.3.3/Zend/zend_alloc_canary.c:1433
1433            if (p->info._size != ZEND_MM_NEXT_BLOCK(p)->info._prev) {
(gdb) bt
#0  0x00000000009567a8 in zend_mm_check_ptr (heap=Cannot access memory at address 0x8000cec0d818
) at /usr/src/php5.3/source/php5-5.3.3/Zend/zend_alloc_canary.c:1433
#1  0x00000000009585df in _zend_mm_free_canary_int (heap=Cannot access memory at address 0x8000cec0d8b8
) at /usr/src/php5.3/source/php5-5.3.3/Zend/zend_alloc_canary.c:2079
#2  0x000000000090284c in _efree (ptr=Cannot access memory at address 0x8000cec0d938
) at /usr/src/php5.3/source/php5-5.3.3/Zend/zend_alloc.c:2616
#3  0x00007f3284c5e666 in mmc_buffer_free (buffer=0x2b9f140) at /root/php-session/php-memcache-3.0.5/build-tree/memcache-3.0.5/memcache_pool.c:56
#4  0x00007f3284c5ea96 in mmc_request_free (request=0x2b9f138) at /root/php-session/php-memcache-3.0.5/build-tree/memcache-3.0.5/memcache_pool.c:181
#5  0x00007f3284c61319 in mmc_pool_free (pool=0x2b9d120) at /root/php-session/php-memcache-3.0.5/build-tree/memcache-3.0.5/memcache_pool.c:945
#6  0x00007f3284c6c276 in ps_close_memcache (mod_data=0x1194220) at /root/php-session/php-memcache-3.0.5/build-tree/memcache-3.0.5/memcache_session.c:195
#7  0x00000000006f2906 in php_session_save_current_state () at /usr/src/php5.3/source/php5-5.3.3/ext/session/session.c:625
#8  0x00000000006f69b1 in php_session_flush () at /usr/src/php5.3/source/php5-5.3.3/ext/session/session.c:1517
#9  0x00000000006f87c1 in zm_deactivate_session (type=Cannot access memory at address 0x8000cec0db4c
) at /usr/src/php5.3/source/php5-5.3.3/ext/session/session.c:2171
#10 0x000000000093413d in module_registry_cleanup (module=Cannot access memory at address 0x8000cec0db78
) at /usr/src/php5.3/source/php5-5.3.3/Zend/zend_API.c:2150
#11 0x000000000093c412 in zend_hash_reverse_apply (ht=Cannot access memory at address 0x8000cec0db98
) at /usr/src/php5.3/source/php5-5.3.3/Zend/zend_hash.c:957
#12 0x0000000000929dbe in zend_deactivate_modules () at /usr/src/php5.3/source/php5-5.3.3/Zend/zend.c:938
#13 0x00000000008aa337 in php_request_shutdown (dummy=Cannot access memory at address 0x8000cec0dcb8
) at /usr/src/php5.3/source/php5-5.3.3/main/main.c:1610
#14 0x0000000000a23c3a in main (argc=Cannot access memory at address 0x8000cec0de9c
) at /usr/src/php5.3/source/php5-5.3.3/sapi/cli/php_cli.c:1377
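
The 0x5a bytes filling *request in the gdb dump above are the pattern PHP's debug allocator writes into freed blocks, so the request popped in the fourth iteration had already been released before mmc_pool_free() freed it again. The following is an added illustration, not the extension's code or its fix: a constructed model of the quoted teardown loop with a poison check that exposes such a stale pointer. The trigger used (an error path freeing a request that is still on free_requests) is an assumption for the demo, not something the thread establishes.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model, not the memcache extension's code.  Request slots come
 * from a static slab so that a "freed" slot can still be inspected safely;
 * request_free() poisons the slot with 0x5a, the byte PHP's debug allocator
 * writes into released blocks (the pattern seen in the gdb dump). */
#define POISON 0x5a
#define NSLOTS 4

typedef struct { uint64_t io; char key[32]; } request_t;
typedef struct { request_t *items[NSLOTS]; int len; } queue_t;  /* stands in for mmc_queue_t */

static request_t slab[NSLOTS];

static void queue_push(queue_t *q, request_t *r) { if (q->len < NSLOTS) q->items[q->len++] = r; }
static request_t *queue_pop(queue_t *q) { return q->len ? q->items[--q->len] : NULL; }

static void request_free(request_t *r) { memset(r, POISON, sizeof *r); }

/* 1 if every byte carries the poison value, i.e. the slot was already freed. */
static int looks_freed(const request_t *r) {
    const unsigned char *p = (const unsigned char *)r;
    for (size_t i = 0; i < sizeof *r; i++)
        if (p[i] != POISON) return 0;
    return 1;
}

/* The teardown loop from the report: pop every request left on free_requests
 * and free it.  Returns how many popped requests were already poisoned; on a
 * real heap each of those is a double free and crashes as in the backtrace. */
static int pool_free(queue_t *free_requests) {
    int double_frees = 0;
    request_t *r;
    while ((r = queue_pop(free_requests)) != NULL) {
        if (looks_freed(r)) { double_frees++; continue; }
        request_free(r);
    }
    return double_frees;
}

/* Scenario (assumed trigger, not established by the thread): an error path
 * frees one request but leaves its pointer on free_requests.  With
 * stale_free = 0 the queue owns every request and teardown is clean. */
static int scenario(int stale_free) {
    queue_t q = { {0}, 0 };
    for (int i = 0; i < NSLOTS; i++) { slab[i] = (request_t){ .io = 1 }; queue_push(&q, &slab[i]); }
    if (stale_free) request_free(&slab[0]);  /* freed, but its pointer is still queued */
    return pool_free(&q);
}
```

The ownership rule the check enforces is the fix for this bug class: a request must leave every queue that references it before it is freed, so teardown never sees a pointer to released memory.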

 [2011-04-09 15:40 UTC] jeremyw-phpbugs at igmus dot org
I have the same problem -- a connection timeout to one of the servers segfaults trying to deallocate free requests.

My stack trace, on PHP 5.3.6 & Memcache 3.0.5, ends:

#0  _zend_mm_free_int (heap=0x7f0a829ccf60, p=0x7f0a8aa034a0) at /usr/src/debug/php-5.3.6/Zend/zend_alloc.c:2028
#1  0x00007f0a746d20fb in mmc_buffer_free (request=0x7f0a8aa034b0) at /usr/src/debug/php-pecl-memcache-3.0.5/memcache-3.0.5/memcache_pool.c:50
#2  mmc_request_free (request=0x7f0a8aa034b0) at /usr/src/debug/php-pecl-memcache-3.0.5/memcache-3.0.5/memcache_pool.c:169
#3  0x00007f0a746d36ca in mmc_pool_free (pool=0x7f0a8a9f6b38) at /usr/src/debug/php-pecl-memcache-3.0.5/memcache-3.0.5/memcache_pool.c:928

If I comment out free_request() below, memcache calls return after a timeout and life continues.  (Obviously, when I get rid of the bad server, no errors occur.)

    /* requests are owned by us so free them */
    while ((request = mmc_queue_pop(&(pool->free_requests))) != NULL) {
        //pool->protocol->free_request(request);
    }
    mmc_queue_free(&(pool->free_requests));

Thoughts?
 [2011-05-03 05:59 UTC] niakrisn at gmail dot com
The same problem with php 5.2.17 and memcache 3.0.5

#0  0x2890a9da in _zend_mm_free_int () from /usr/local/libexec/apache22/libphp5.so
#1  0x29c48115 in mmc_request_free () from /usr/local/lib/php/20060613/memcache.so
#2  0x29c4589c in mmc_pool_free () from /usr/local/lib/php/20060613/memcache.so
#3  0x29c4cd38 in ps_close_memcache () from /usr/local/lib/php/20060613/memcache.so
#4  0x29ad931a in php_rshutdown_session_globals () from /usr/local/lib/php/20060613/session.so
#5  0x29ad9365 in php_session_destroy () from /usr/local/lib/php/20060613/session.so
#6  0x29ad941b in zif_session_destroy () from /usr/local/lib/php/20060613/session.so
#7  0x2894d93c in zend_do_fcall_common_helper_SPEC () from /usr/local/libexec/apache22/libphp5.so
#8  0x28942b69 in execute () from /usr/local/libexec/apache22/libphp5.so
#9  0x29faac38 in zend_oe () from /usr/local/lib/php/20060613/Optimizer/php-5.2.x/ZendOptimizer.so
#10 0x29087be0 in ?? ()
#11 0x00000009 in ?? ()
#12 0x28a3f8d0 in executor_globals () from /usr/local/libexec/apache22/libphp5.so
#13 0x28929396 in zend_update_class_constants () from /usr/local/libexec/apache22/libphp5.so
Previous frame inner to this frame (corrupt stack?)
 [2011-05-04 09:02 UTC] pierre dot php at gmail dot com
Try with 3.0.6, and keep in mind that we don't support 5.2 anymore.
 [2011-05-04 09:10 UTC] niakrisn at gmail dot com
Thanks, pecl-memcache 3.0.6 works fine.
 [2011-05-04 09:11 UTC] pierre dot php at gmail dot com
Duplicate of previous report (and fixed in 3.0.6).