php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #60627 httpd.worker segfault on startup with php_value
Submitted: 2011-12-30 19:10 UTC Modified: 2012-02-28 13:59 UTC
Votes:3
Avg. Score:5.0 ± 0.0
Reproduced:3 of 3 (100.0%)
Same Version:2 (66.7%)
Same OS:0 (0.0%)
From: fedora at famillecollet dot com Assigned: laruence
Status: Closed Package: Apache2 related
PHP Version: 5.4SVN-2011-12-30 (snap) OS: GNU/Linux (Fedora 16)
Private report: No CVE-ID:
 [2011-12-30 19:10 UTC] fedora at famillecollet dot com
Description:
------------
With PHP build in ZTS mode, apache in worker mode segfault during launch

Test script:
---------------
$ gdb /usr/sbin/httpd.worker 
(gdb) run -X



Expected result:
----------------
no error

Actual result:
--------------
(gdb) run -X
...
Program received signal SIGSEGV, Segmentation fault.
0x00007fffec8ca897 in _zend_hash_add_or_update (ht=0x55555585a2e8, arKey=<optimized out>, nKeyLength=17, pData=0x7fffffffde70, nDataSize=24, pDest=0x0, flag=1)
    at /usr/src/debug/php5.4-201112300630/Zend/zend_hash.c:268
268		HANDLE_BLOCK_INTERRUPTIONS();

(gdb) bt
#0  0x00007fffec8ca897 in _zend_hash_add_or_update
    (ht=0x55555585a2e8, arKey=<optimized out>, nKeyLength=17,
    pData=0x7fffffffde70, nDataSize=24, pDest=0x0, flag=1)
    at /usr/src/debug/php5.4-201112300630/Zend/zend_hash.c:268
#1  0x00007fffec979217 in real_value_hnd
    (cmd=0x7fffffffe1a0, dummy=0x55555585a2e8, name=0x5555558c40b8
    "register_globals", value=0x7fffffffded0 "0", status=4)
    at /usr/src/debug/php5.4-201112300630/sapi/apache2handler/apache_config.c:73
#2  0x00007fffec9792ae in real_flag_hnd
    (cmd=0x7fffffffe1a0, dummy=0x55555585a2e8, arg1=0x5555558c40b8
    "register_globals", arg2=0x5555558c40d0 "off", status=<optimized out>)
    at /usr/src/debug/php5.4-201112300630/sapi/apache2handler/apache_config.c:98
#3  0x0000555555580483 in invoke_cmd
    (cmd=0x7fffecc918f8, parms=0x7fffffffe1a0, mconfig=0x55555585a2e8,
    args=0x55555582f224 "")
    at /usr/src/debug/httpd-2.2.21/server/config.c:810
#4  0x00005555555826fa in ap_walk_config_sub (section_vector=0x5555557dc798,
    parms=0x7fffffffe1a0, current=0x55555582f1d0)
    at /usr/src/debug/httpd-2.2.21/server/config.c:1163
#5  ap_walk_config (current=0x55555582f1d0, parms=0x7fffffffe1a0,
    section_vector=0x5555557dc798)
    at /usr/src/debug/httpd-2.2.21/server/config.c:1196
#6  0x0000555555583612 in ap_process_config_tree (s=<optimized out>, 
    conftree=<optimized out>, p=0x5555557b7158, ptemp=<optimized out>)
    at /usr/src/debug/httpd-2.2.21/server/config.c:1765
#7  0x000055555556c314 in main (argc=2, argv=0x7fffffffe418) 
    at /usr/src/debug/httpd-2.2.21/server/main.c:644


Patches

bug60627.patch (last revision 2012-01-04 07:46 UTC) by laruence@php.net)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2011-12-31 07:21 UTC] fedora at famillecollet dot com
segfault occurs during apache config analyse.

If config doesnt have any php_flag, php_value,... apache starts and works as expected.
 [2012-01-01 19:05 UTC] public at wernig dot net
I have the same problem on Solaris 11 (express) i86pc. I'm not sure about ZTS mode (I have NOT set --enable-maintainer-zts)

I have compiled php-5.4 (various versions, the latest one being 5.4.0RC4) with the following configure flags:
--with-apxs2=/usr/local/apache2/bin/apxs --with-openssl=/usr/local/ssl --with-openssl-dir=/usr/local/ssl --with-zlib --enable-sockets --enable-shared=yes --enable-static=yes --prefix=/usr/local/apache2/php --enable-calendar --disable-ftp --with-mysql=/usr/local/mysql --with-imap=/usr/local/imap --with-imap-ssl=/usr/local/ssl --enable-flatfile --without-recode --disable-ipv6 --with-mysql-sock=/var/run/mysql/mysql.sock --with-gettext=/opt/csw --enable-libxml --with-db4=/usr/local/BerkeleyDB

Builds and installs fine.

But during apache (2.2.21) startup, it segfaults and dumps core:
# /usr/local/svc/init.d/apache2 restart
Restarting Apache2 httpd ... 
/usr/local/apache2/bin/apachectl: line 80: 17568: Memory fault(coredump)

In fact, uncommenting all php_admin_value lines from apache config file, apache starts normally.

When compiling and installing 5.3.6 with the same configure options, the problem does not occur.
 [2012-01-01 19:22 UTC] public at wernig dot net
Just tried with 5.3.9RC4, and the problem does not occur. Seems to be something in 5.4
 [2012-01-04 07:32 UTC] laruence@php.net
hmm, the problem is when the real_value_hnd is called, the signal_startup has not 
been called yet...
 [2012-01-04 07:32 UTC] laruence@php.net
-Status: Open +Status: Analyzed
 [2012-01-04 07:46 UTC] laruence@php.net
The following patch has been added/updated:

Patch Name: bug60627.patch
Revision:   1325663174
URL:        https://bugs.php.net/patch-display.php?bug=60627&patch=bug60627.patch&revision=1325663174
 [2012-01-04 07:55 UTC] laruence@php.net
-Summary: httpd.worker segfault on startup +Summary: httpd.worker segfault on startup with php_value
 [2012-01-04 08:24 UTC] laruence@php.net
Automatic comment from SVN on behalf of laruence
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=321753
Log: Fixed bug #60627 (httpd.worker segfault on startup with php_value)
 [2012-01-04 08:25 UTC] laruence@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2012-01-04 08:25 UTC] laruence@php.net
-Status: Analyzed +Status: Closed -Assigned To: +Assigned To: laruence
 [2012-01-04 15:38 UTC] public at wernig dot net
I tried php5.4-201201041430.tar.bz2, and the problem persists (Solaris i86pc):

# /usr/local/apache2/php/bin/php --version
PHP 5.4.0RC5-dev (cli) (built: Jan  4 2012 16:32:14) 
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2012 Zend Technologies

# ls -l /usr/local/apache2/modules/
total 40760
-rw-r--r--   1 root     root        9084 Oct 29 12:14 httpd.exp
-rwxr-xr-x   1 root     root     20803576 Jan  4 16:32 libphp5.so

# /usr/local/svc/init.d/apache2 start
Creating Runtime directory /var/run/apache2
Starting Apache2 httpd ... 
/usr/local/apache2/bin/apachectl: line 80: 25146: Memory fault(coredump)
 [2012-01-04 16:05 UTC] laruence@php.net
-Status: Closed +Status: Feedback
 [2012-01-04 16:05 UTC] laruence@php.net
can you give me the backtrace?  and btw, did you build that from a pure 
environ(make clean, make install).
 [2012-01-04 18:19 UTC] public at wernig dot net
Yes, the build is always from a pristine source directory (scripted).

I'm sorry to admit that I do not know how to produce a meaningful backtrace. I have the core file and gdb installed on the machine, yet not in the environment (solaris zone) where apache runs. Could you give a pointer on how to produce a helpful backtrace?
 [2012-01-04 18:50 UTC] public at wernig dot net
OK, managed to get gdb into the zone:

# gdb /usr/local/apache2/bin/httpd
GNU gdb 6.8
...
This GDB was configured as "i386-pc-solaris2.11"...
(gdb) run -X 
Starting program: /usr/local/apache2/bin/httpd -X
warning: Lowest section in /lib/libpthread.so.1 is .dynamic at 00000074
warning: Lowest section in /lib/libdl.so.1 is .dynamic at 00000074
warning: Lowest section in /lib/librt.so.1 is .dynamic at 00000074
warning: Lowest section in /lib/libthread.so.1 is .dynamic at 00000074

Program received signal SIGSEGV, Segmentation fault.
0xfe8956bb in mutex_lock_impl () from /lib/libc.so.1
(gdb) bt
#0  0xfe8956bb in mutex_lock_impl () from /lib/libc.so.1
#1  0xfe895938 in pthread_mutex_lock () from /lib/libc.so.1
#2  0xfe14088d in tsrm_mutex_lock (mutexp=0x0) at /opt/build.d/php-5/tmp/php5.4-201201041430/TSRM/TSRM.c:391
#3  0xfe140e85 in ts_resource_ex (id=0, th_id=0x0) at /opt/build.d/php-5/tmp/php5.4-201201041430/TSRM/TSRM.c:391
#4  0xfe1c3538 in _zend_hash_add_or_update (ht=0x8267cc8, arKey=0x8267cf0 "open_basedir", nKeyLength=13, pData=0x8047894, nDataSize=12, pDest=0x0, flag=1)
    at /opt/build.d/php-5/tmp/php5.4-201201041430/Zend/zend_hash.c:617
#5  0xfe280bbe in real_value_hnd (dummy=0x8267cc8, name=0x8267cf0 "open_basedir", value=0x8267d00 "/data/web/markus:/usr/local/apache2/php/lib/php", status=4)
    at /opt/build.d/php-5/tmp/php5.4-201201041430/sapi/apache2handler/apache_config.c:73
#6  0x0808fa2a in invoke_cmd (cmd=0xfe560cf0, parms=0x8047c70, mconfig=0x8267cc8, args=0x81a1656 "") at config.c:316
#7  0x08267cc8 in ?? ()
#8  0x08267cf0 in ?? ()
#9  0x08267d00 in ?? ()
#10 0x00000004 in ?? ()
#11 0x00000000 in ?? ()
 [2012-01-04 19:15 UTC] fedora at famillecollet dot com
Thanks for the patch.

Works for me, httpd.worker + php 5.4.0RC5-dev ZTS 201201041830.
(solaris bug seems another issue)
 [2012-01-05 02:45 UTC] laruence@php.net
-Status: Feedback +Status: Re-Opened
 [2012-01-05 02:45 UTC] laruence@php.net
seems there is something wrong in solaris .. re-open
 [2012-01-05 09:14 UTC] public at wernig dot net
Is there any further information that I can provide to help track this down?
 [2012-01-05 09:19 UTC] laruence@php.net
sorry, kind of buzy these days, I will look at this in 1 or 2 days, thanks
 [2012-01-05 10:21 UTC] laruence@php.net
@public are you sure your backtrace is simple copy&paste?  there is two strange 
lines:
#2  0xfe14088d in tsrm_mutex_lock (mutexp=0x0) at /opt/build.d/php-5/tmp/php5.4-
201201041430/TSRM/TSRM.c:391
#3  0xfe140e85 in ts_resource_ex (id=0, th_id=0x0) at /opt/build.d/php-
5/tmp/php5.4-201201041430/TSRM/TSRM.c:391

both of them are in line 391.
 [2012-01-05 10:21 UTC] laruence@php.net
-Status: Re-Opened +Status: Feedback
 [2012-01-05 20:04 UTC] public at wernig dot net
Yes, this is exactly as it is displayed by gdb. I still have the console open, and the output is what I have pasted. Strange, now that you mention it...
 [2012-01-05 20:07 UTC] public at wernig dot net
fwiw, here's file and linkeage info:

# file /usr/local/apache2/modules/libphp5.so 
/usr/local/apache2/modules/libphp5.so:  ELF 32-bit LSB dynamic lib 80386 Version 1, dynamically linked, not stripped
# ldd /usr/local/apache2/modules/libphp5.so 
        libcrypt.so.1 =>         /usr/lib/libcrypt.so.1
        libc-client.so =>        /usr/local/imap/lib/libc-client.so
        libresolv.so.2 =>        /lib/libresolv.so.2
        librt.so.1 =>    /lib/librt.so.1
        libmysqlclient.so.18 =>  /usr/local/mysql/lib/libmysqlclient.so.18
        libcrypto.so.1.0.0 =>    /usr/local/ssl/lib/libcrypto.so.1.0.0
        libssl.so.1.0.0 =>       /usr/local/ssl/lib/libssl.so.1.0.0
        libpam.so.1 =>   /lib/libpam.so.1
        libintl.so.8 =>  /opt/csw/lib/libintl.so.8
        libdb-4.7.so =>  /opt/csw/lib/libdb-4.7.so
        libz.so =>       /opt/csw/lib/libz.so
        libm.so.2 =>     /lib/libm.so.2
        libnsl.so.1 =>   /lib/libnsl.so.1
        libsocket.so.1 =>        /lib/libsocket.so.1
        libxml2.so.2 =>  /lib/libxml2.so.2
        libc.so.1 =>     /lib/libc.so.1
        libgcc_s.so.1 =>         /opt/csw/lib/libgcc_s.so.1
        libgen.so.1 =>   /lib/libgen.so.1
        libmd.so.1 =>    /lib/libmd.so.1
        libthread.so.1 =>        /lib/libthread.so.1
        libz.so.1 =>     /lib/libz.so.1
        libdl.so.1 =>    /lib/libdl.so.1
        libiconv.so.2 =>         /opt/csw/lib/libiconv.so.2
        libpthread.so.1 =>       /lib/libpthread.so.1
        libmp.so.2 =>    /lib/libmp.so.2
 [2012-01-30 03:33 UTC] laruence@php.net
weird, does anyone else can reproduce this with the latest snap yet?
 [2012-02-28 13:33 UTC] public at wernig dot net
Hi all

After a couple of upgrades:
- solaris from express to 11.0
- apache from 2.2.21 to 2.2.22

I can now get the latest snapshot 201202281230 working!

[Tue Feb 28 14:20:59 2012] [notice] Apache/2.2.22 (Unix) PHP/5.4.0RC9-dev mod_ssl/2.2.22 OpenSSL/1.0.0g configured -- resuming normal operations

Apache does not segfault anymore, event though there are php_admin_values throughout all config files.

So, at the moment, I don't know why, but it works for me.
 [2012-02-28 13:59 UTC] laruence@php.net
-Status: Feedback +Status: Closed
 [2012-04-18 09:46 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b31c12435cdd260485d3ec078299d18f26f69f53
Log: Fixed bug #60627 (httpd.worker segfault on startup with php_value)
 [2012-07-24 23:37 UTC] rasmus@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b31c12435cdd260485d3ec078299d18f26f69f53
Log: Fixed bug #60627 (httpd.worker segfault on startup with php_value)
 [2013-11-17 09:34 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b31c12435cdd260485d3ec078299d18f26f69f53
Log: Fixed bug #60627 (httpd.worker segfault on startup with php_value)
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Thu Apr 17 06:02:13 2014 UTC