PHP :: Bug #59783 :: SIGSEGV with addServer method callback

Bug #59783	SIGSEGV with addServer method callback
Submitted:	2011-05-25 17:03 UTC	Modified:	-
From:	adam at sixohthree dot com	Assigned:
Status:	Open	Package:	memcache (PECL)
PHP Version:	5.3.5	OS:	Ubuntu Server 11.04
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	adam at sixohthree dot com
New email:
PHP Version:		OS:

New Comment:

[2011-05-25 17:03 UTC] adam at sixohthree dot com

Description:
------------
I am experiencing a SIGSEGV, possibly related to a "double 
free or corruption (!prev)" condition. I have reduced this 
down to an instance of Memcache in a property, which has a 
single server added in persistent mode, where that addServer 
call's callback argument is in the format array($this, 
'method'). Instantiating this object twice will trigger a 
SIGSEGV as PHP exits.

This is a reduction of the behavior exhibited by WordPress 
3.1.2 with the memcached plugin installed.

The "double free" was exhibited by strace on the box this 
was discovered on. I received a SIGSEGV, but not the extra 
debug detail, on the following test VM:

Ubuntu 11.04 Server (clean install, fully patched)
PHP 5.3.6 (compiled from source: ./configure --prefix=/opt)
PHP Memcache extension 2.2.6

strace ./sapi/cli/php -n -dextension=../memcache-
2.2.6/modules/memcache.so ~/crash.php

I am not able to reproduce this error using PHP Memcache 
3.0.6.

Related: Bug #10282

Reproduce code:
---------------
class MCWrapper {
        // has to be an object property
        public $mc;

        function __construct() {
                $this->mc = new Memcache;

                // has to have a callback in the format: array($this, 'methodname')
                $this->mc->addServer( 'localhost', 11211, true, 1, 1, 15, true, array($this, 'failure_callback') );
        }       

        function failure_callback($host, $port) {
                // nothing
        }
}

new MCWrapper; // first
new MCWrapper; // crash inducing
echo 'Done.'; // SIGSEGV on exit

Expected result:
----------------
"Done," with exit code 0.

Actual result:
--------------
"Done." with SIGSEGV, exit code 139. With --enable-debug I 
get:

Done./home/adam/php-5.3.6/Zend/zend_hash.c(980) : 
ht=0x2e82fe0 
is being destroyed
/home/adam/php-5.3.6/Zend/zend_hash.c(980) : ht=0x2e82fe0 is 
being destroyed
/home/adam/php-5.3.6/Zend/zend_hash.c(70) : Bailed out 
without 
a bailout address!

gdb:

(gdb) run -n -dextension=../memcache-
2.2.6/modules/memcache.so ~/crash.php 
Starting program: /home/adam/php-5.3.6/sapi/cli/php -n -
dextension=../memcache-2.2.6/modules/memcache.so ~/crash.php
[Thread debugging using libthread_db enabled]
Done.
Program received signal SIGSEGV, Segmentation fault.
0x00000000006bdb79 in zend_objects_store_del_ref 
(zobject=0xe1a2d0) at /home/adam/php-
5.3.6/Zend/zend_objects_API.c:175
175		GC_ZOBJ_CHECK_POSSIBLE_ROOT(zobject);
(gdb) bt
#0  0x00000000006bdb79 in zend_objects_store_del_ref 
(zobject=0xe1a2d0) at /home/adam/php-
5.3.6/Zend/zend_objects_API.c:175
#1  0x000000000068ea6a in _zval_dtor (zval_ptr=0xe1a640) at 
/home/adam/php-5.3.6/Zend/zend_variables.h:35
#2  _zval_ptr_dtor (zval_ptr=0xe1a640) at /home/adam/php-
5.3.6/Zend/zend_execute_API.c:443
#3  0x00000000006a8c5b in zend_hash_destroy (ht=0xe1a920) at 
/home/adam/php-5.3.6/Zend/zend_hash.c:529
#4  0x00000000006b9b19 in zend_object_std_dtor 
(object=0xe1a600) at /home/adam/php-
5.3.6/Zend/zend_objects.c:45
#5  0x00000000006b9b39 in zend_objects_free_object_storage 
(object=0xe1a600) at /home/adam/php-
5.3.6/Zend/zend_objects.c:126
#6  0x00000000006bdb49 in 
zend_objects_store_del_ref_by_handle_ex (handle=3, handlers=
<value optimized out>) at /home/adam/php-
5.3.6/Zend/zend_objects_API.c:220
#7  0x00000000006bdb63 in zend_objects_store_del_ref 
(zobject=0xe1a2a0) at /home/adam/php-
5.3.6/Zend/zend_objects_API.c:172
#8  0x000000000068ea6a in _zval_dtor (zval_ptr=0xe1ab58) at 
/home/adam/php-5.3.6/Zend/zend_variables.h:35
#9  _zval_ptr_dtor (zval_ptr=0xe1ab58) at /home/adam/php-
5.3.6/Zend/zend_execute_API.c:443
#10 0x00000000006a8c5b in zend_hash_destroy (ht=0xe1aa98) at 
/home/adam/php-5.3.6/Zend/zend_hash.c:529
#11 0x000000000069b886 in _zval_dtor_func (zvalue=0xe1ac48) 
at /home/adam/php-5.3.6/Zend/zend_variables.c:43
#12 0x000000000068ea6a in _zval_dtor (zval_ptr=0xe3fb10) at 
/home/adam/php-5.3.6/Zend/zend_variables.h:35
#13 _zval_ptr_dtor (zval_ptr=0xe3fb10) at /home/adam/php-
5.3.6/Zend/zend_execute_API.c:443
#14 0x00007ffff61104c3 in mmc_server_callback_dtor 
(callback=0xe3fb10) at /home/adam/memcache-
2.2.6/memcache.c:416
#15 0x00007ffff6110510 in mmc_server_sleep (mmc=0xe3eaa0) at 
/home/adam/memcache-2.2.6/memcache.c:438
#16 0x00007ffff61124ad in mmc_pool_free (pool=0xe1a700) at 
/home/adam/memcache-2.2.6/memcache.c:680
#17 0x00000000006aab4e in list_entry_destructor 
(ptr=0xe1a7d8) at /home/adam/php-5.3.6/Zend/zend_list.c:184
#18 0x00000000006a8b81 in zend_hash_del_key_or_index 
(ht=0xc761d0, arKey=<value optimized out>, nKeyLength=<value 
optimized out>, h=<value optimized out>, flag=<value 
optimized out>)
    at /home/adam/php-5.3.6/Zend/zend_hash.c:500
#19 0x00000000006aac37 in _zend_list_delete (id=5) at 
/home/adam/php-5.3.6/Zend/zend_list.c:58
#20 0x000000000068ea6a in _zval_dtor (zval_ptr=0xe1a890) at 
/home/adam/php-5.3.6/Zend/zend_variables.h:35
#21 _zval_ptr_dtor (zval_ptr=0xe1a890) at /home/adam/php-
5.3.6/Zend/zend_execute_API.c:443
#22 0x00000000006a8c5b in zend_hash_destroy (ht=0xe1a1f8) at 
/home/adam/php-5.3.6/Zend/zend_hash.c:529
#23 0x00000000006b9b19 in zend_object_std_dtor 
(object=0xe19d18) at /home/adam/php-
5.3.6/Zend/zend_objects.c:45
#24 0x00000000006b9b39 in zend_objects_free_object_storage 
(object=0xe19d18) at /home/adam/php-
5.3.6/Zend/zend_objects.c:126
#25 0x00000000006bdb49 in 
zend_objects_store_del_ref_by_handle_ex (handle=2, handlers=
<value optimized out>) at /home/adam/php-
5.3.6/Zend/zend_objects_API.c:220
#26 0x00000000006bdb63 in zend_objects_store_del_ref 
(zobject=0xe16300) at /home/adam/php-
5.3.6/Zend/zend_objects_API.c:172
#27 0x000000000068ea6a in _zval_dtor (zval_ptr=0xe19228) at 
/home/adam/php-5.3.6/Zend/zend_variables.h:35
#28 _zval_ptr_dtor (zval_ptr=0xe19228) at /home/adam/php-
5.3.6/Zend/zend_execute_API.c:443
#29 0x00000000006a8c5b in zend_hash_destroy (ht=0xe1a148) at 
/home/adam/php-5.3.6/Zend/zend_hash.c:529
#30 0x00000000006b9b19 in zend_object_std_dtor 
(object=0xe16ad0) at /home/adam/php-
5.3.6/Zend/zend_objects.c:45
#31 0x00000000006b9b39 in zend_objects_free_object_storage 
(object=0xe16ad0) at /home/adam/php-
5.3.6/Zend/zend_objects.c:126
#32 0x00000000006bd715 in 
zend_objects_store_free_object_storage (objects=0xc762f8) at 
/home/adam/php-5.3.6/Zend/zend_objects_API.c:92
#33 0x000000000068f01b in shutdown_executor () at 
/home/adam/php-5.3.6/Zend/zend_execute_API.c:302
#34 0x000000000069c516 in zend_deactivate () at 
/home/adam/php-5.3.6/Zend/zend.c:890
#35 0x000000000064b7a8 in php_request_shutdown (dummy=<value 
optimized out>) at /home/adam/php-5.3.6/main/main.c:1635
#36 0x000000000072ab38 in main (argc=4, argv=0x7fffffffe698) 
at /home/adam/php-5.3.6/sapi/cli/php_cli.c:1374

Patches

Add a Patch

Pull Requests

Add a Pull Request

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2020 The PHP Group All rights reserved.	Last updated: Fri Aug 14 00:01:27 2020 UTC