PHP :: Bug #59783 :: SIGSEGV with addServer method callback

Bug #59783	SIGSEGV with addServer method callback
Submitted:	2011-05-25 17:03 UTC	Modified:	-
From:	adam at sixohthree dot com	Assigned:
Status:	Open	Package:	memcache (PECL)
PHP Version:	5.3.5	OS:	Ubuntu Server 11.04
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	adam at sixohthree dot com
New email:
PHP Version:		OS:

New/Additional Comment:

[2011-05-25 17:03 UTC] adam at sixohthree dot com

Description:
------------
I am experiencing a SIGSEGV, possibly related to a "double 
free or corruption (!prev)" condition. I have reduced this 
down to an instance of Memcache in a property, which has a 
single server added in persistent mode, where that addServer 
call's callback argument is in the format array($this, 
'method'). Instantiating this object twice will trigger a 
SIGSEGV as PHP exits.

This is a reduction of the behavior exhibited by WordPress 
3.1.2 with the memcached plugin installed.

The "double free" was exhibited by strace on the box this 
was discovered on. I received a SIGSEGV, but not the extra 
debug detail, on the following test VM:

Ubuntu 11.04 Server (clean install, fully patched)
PHP 5.3.6 (compiled from source: ./configure --prefix=/opt)
PHP Memcache extension 2.2.6

strace ./sapi/cli/php -n -dextension=../memcache-
2.2.6/modules/memcache.so ~/crash.php

I am not able to reproduce this error using PHP Memcache 
3.0.6.

Related: Bug #10282

Reproduce code:
---------------
class MCWrapper {
        // has to be an object property
        public $mc;

        function __construct() {
                $this->mc = new Memcache;

                // has to have a callback in the format: array($this, 'methodname')
                $this->mc->addServer( 'localhost', 11211, true, 1, 1, 15, true, array($this, 'failure_callback') );
        }       

        function failure_callback($host, $port) {
                // nothing
        }
}

new MCWrapper; // first
new MCWrapper; // crash inducing
echo 'Done.'; // SIGSEGV on exit

Expected result:
----------------
"Done," with exit code 0.

Actual result:
--------------
"Done." with SIGSEGV, exit code 139. With --enable-debug I 
get:

Done./home/adam/php-5.3.6/Zend/zend_hash.c(980) : 
ht=0x2e82fe0 
is being destroyed
/home/adam/php-5.3.6/Zend/zend_hash.c(980) : ht=0x2e82fe0 is 
being destroyed
/home/adam/php-5.3.6/Zend/zend_hash.c(70) : Bailed out 
without 
a bailout address!

gdb:

(gdb) run -n -dextension=../memcache-
2.2.6/modules/memcache.so ~/crash.php 
Starting program: /home/adam/php-5.3.6/sapi/cli/php -n -
dextension=../memcache-2.2.6/modules/memcache.so ~/crash.php
[Thread debugging using libthread_db enabled]
Done.
Program received signal SIGSEGV, Segmentation fault.
0x00000000006bdb79 in zend_objects_store_del_ref 
(zobject=0xe1a2d0) at /home/adam/php-
5.3.6/Zend/zend_objects_API.c:175
175		GC_ZOBJ_CHECK_POSSIBLE_ROOT(zobject);
(gdb) bt
#0  0x00000000006bdb79 in zend_objects_store_del_ref 
(zobject=0xe1a2d0) at /home/adam/php-
5.3.6/Zend/zend_objects_API.c:175
#1  0x000000000068ea6a in _zval_dtor (zval_ptr=0xe1a640) at 
/home/adam/php-5.3.6/Zend/zend_variables.h:35
#2  _zval_ptr_dtor (zval_ptr=0xe1a640) at /home/adam/php-
5.3.6/Zend/zend_execute_API.c:443
#3  0x00000000006a8c5b in zend_hash_destroy (ht=0xe1a920) at 
/home/adam/php-5.3.6/Zend/zend_hash.c:529
#4  0x00000000006b9b19 in zend_object_std_dtor 
(object=0xe1a600) at /home/adam/php-
5.3.6/Zend/zend_objects.c:45
#5  0x00000000006b9b39 in zend_objects_free_object_storage 
(object=0xe1a600) at /home/adam/php-
5.3.6/Zend/zend_objects.c:126
#6  0x00000000006bdb49 in 
zend_objects_store_del_ref_by_handle_ex (handle=3, handlers=
<value optimized out>) at /home/adam/php-
5.3.6/Zend/zend_objects_API.c:220
#7  0x00000000006bdb63 in zend_objects_store_del_ref 
(zobject=0xe1a2a0) at /home/adam/php-
5.3.6/Zend/zend_objects_API.c:172
#8  0x000000000068ea6a in _zval_dtor (zval_ptr=0xe1ab58) at 
/home/adam/php-5.3.6/Zend/zend_variables.h:35
#9  _zval_ptr_dtor (zval_ptr=0xe1ab58) at /home/adam/php-
5.3.6/Zend/zend_execute_API.c:443
#10 0x00000000006a8c5b in zend_hash_destroy (ht=0xe1aa98) at 
/home/adam/php-5.3.6/Zend/zend_hash.c:529
#11 0x000000000069b886 in _zval_dtor_func (zvalue=0xe1ac48) 
at /home/adam/php-5.3.6/Zend/zend_variables.c:43
#12 0x000000000068ea6a in _zval_dtor (zval_ptr=0xe3fb10) at 
/home/adam/php-5.3.6/Zend/zend_variables.h:35
#13 _zval_ptr_dtor (zval_ptr=0xe3fb10) at /home/adam/php-
5.3.6/Zend/zend_execute_API.c:443
#14 0x00007ffff61104c3 in mmc_server_callback_dtor 
(callback=0xe3fb10) at /home/adam/memcache-
2.2.6/memcache.c:416
#15 0x00007ffff6110510 in mmc_server_sleep (mmc=0xe3eaa0) at 
/home/adam/memcache-2.2.6/memcache.c:438
#16 0x00007ffff61124ad in mmc_pool_free (pool=0xe1a700) at 
/home/adam/memcache-2.2.6/memcache.c:680
#17 0x00000000006aab4e in list_entry_destructor 
(ptr=0xe1a7d8) at /home/adam/php-5.3.6/Zend/zend_list.c:184
#18 0x00000000006a8b81 in zend_hash_del_key_or_index 
(ht=0xc761d0, arKey=<value optimized out>, nKeyLength=<value 
optimized out>, h=<value optimized out>, flag=<value 
optimized out>)
    at /home/adam/php-5.3.6/Zend/zend_hash.c:500
#19 0x00000000006aac37 in _zend_list_delete (id=5) at 
/home/adam/php-5.3.6/Zend/zend_list.c:58
#20 0x000000000068ea6a in _zval_dtor (zval_ptr=0xe1a890) at 
/home/adam/php-5.3.6/Zend/zend_variables.h:35
#21 _zval_ptr_dtor (zval_ptr=0xe1a890) at /home/adam/php-
5.3.6/Zend/zend_execute_API.c:443
#22 0x00000000006a8c5b in zend_hash_destroy (ht=0xe1a1f8) at 
/home/adam/php-5.3.6/Zend/zend_hash.c:529
#23 0x00000000006b9b19 in zend_object_std_dtor 
(object=0xe19d18) at /home/adam/php-
5.3.6/Zend/zend_objects.c:45
#24 0x00000000006b9b39 in zend_objects_free_object_storage 
(object=0xe19d18) at /home/adam/php-
5.3.6/Zend/zend_objects.c:126
#25 0x00000000006bdb49 in 
zend_objects_store_del_ref_by_handle_ex (handle=2, handlers=
<value optimized out>) at /home/adam/php-
5.3.6/Zend/zend_objects_API.c:220
#26 0x00000000006bdb63 in zend_objects_store_del_ref 
(zobject=0xe16300) at /home/adam/php-
5.3.6/Zend/zend_objects_API.c:172
#27 0x000000000068ea6a in _zval_dtor (zval_ptr=0xe19228) at 
/home/adam/php-5.3.6/Zend/zend_variables.h:35
#28 _zval_ptr_dtor (zval_ptr=0xe19228) at /home/adam/php-
5.3.6/Zend/zend_execute_API.c:443
#29 0x00000000006a8c5b in zend_hash_destroy (ht=0xe1a148) at 
/home/adam/php-5.3.6/Zend/zend_hash.c:529
#30 0x00000000006b9b19 in zend_object_std_dtor 
(object=0xe16ad0) at /home/adam/php-
5.3.6/Zend/zend_objects.c:45
#31 0x00000000006b9b39 in zend_objects_free_object_storage 
(object=0xe16ad0) at /home/adam/php-
5.3.6/Zend/zend_objects.c:126
#32 0x00000000006bd715 in 
zend_objects_store_free_object_storage (objects=0xc762f8) at 
/home/adam/php-5.3.6/Zend/zend_objects_API.c:92
#33 0x000000000068f01b in shutdown_executor () at 
/home/adam/php-5.3.6/Zend/zend_execute_API.c:302
#34 0x000000000069c516 in zend_deactivate () at 
/home/adam/php-5.3.6/Zend/zend.c:890
#35 0x000000000064b7a8 in php_request_shutdown (dummy=<value 
optimized out>) at /home/adam/php-5.3.6/main/main.c:1635
#36 0x000000000072ab38 in main (argc=4, argv=0x7fffffffe698) 
at /home/adam/php-5.3.6/sapi/cli/php_cli.c:1374

Patches

Add a Patch

Pull Requests

Add a Pull Request

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2020 The PHP Group All rights reserved.	Last updated: Tue Jun 02 12:01:25 2020 UTC