php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #61067 free() from signal handler leads to deadlock
Submitted: 2012-02-12 22:59 UTC Modified: 2012-05-22 16:06 UTC
From: phpbugs at oops dot mooo dot com Assigned:
Status: Not a bug Package: FPM related
PHP Version: 5.3.10 OS: Debian Squeeze
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: phpbugs at oops dot mooo dot com
New email:
PHP Version: OS:

 

 [2012-02-12 22:59 UTC] phpbugs at oops dot mooo dot com
Description:
------------
Using PHP-FPM-5.3.10+APC-3.1.9.

I just discovered 30 PHP processes that's been running for 22 hours.

Further inspection revealed all of them (except one) are waiting to flock() a session file.

The process holding the flock() is doing:
futex(0x7f21238f9e40, FUTEX_WAIT_PRIVATE, 2, NULL <unfinished ...>

(gdb) info threads
  Id   Target Id         Frame 
* 1    Thread 0x7f2126114720 (LWP 4271) __lll_lock_wait_private () at ../nptl/sysdeps/unix/sysv/linux/x86_64/lowlevellock.S:97

(gdb) bt
#0  __lll_lock_wait_private () at ../nptl/sysdeps/unix/sysv/linux/x86_64/lowlevellock.S:97
#1  0x00007f2123614558 in _L_lock_9590 () from /lib/libc.so.6
#2  0x00007f2123612941 in *__GI___libc_free (mem=0x7f21238f9e40) at malloc.c:3737
#3  0x00007f21263f5820 in php_error_cb (type=1, error_filename=0x7f2121088fd8 "", error_lineno=154, format=<optimized out>, args=<optimized out>) at /build/php-5.3.10/main/main.c:931
#4  0x00007f2126446d7c in zend_error (type=1, format=0x7f2126902028 "Maximum execution time of %d second%s exceeded") at /build/php-5.3.10/Zend/zend.c:1127
#5  <signal handler called>
#6  0x00007f2123612a1d in *__GI___libc_malloc (bytes=50) at malloc.c:3658
#7  0x00007f2123617a22 in *__GI___strdup (s=0x7f2121088fd8 "") at strdup.c:43
#8  0x00007f21263f587a in php_error_cb (type=8, error_filename=0x7f2121088fd8 "", error_lineno=154, format=<optimized out>, args=<optimized out>) at /build/php-5.3.10/main/main.c:943
#9  0x00007f2126446d7c in zend_error (type=8, format=0x7f2126907356 "Undefined index: %s") at /build/php-5.3.10/Zend/zend.c:1127
#10 0x00007f21264b2f89 in zend_fetch_dimension_address_inner (type=<optimized out>, dim=<optimized out>, ht=<optimized out>) at /build/php-5.3.10/Zend/zend_execute.c:820
#11 zend_fetch_dimension_address_read (result=0x7f2127f17930, container_ptr=<optimized out>, dim=0x7f2126bf25c8, dim_is_tmp_var=<optimized out>, type=0) at /build/php-5.3.10/Zend/zend_execute.c:1043
#12 0x00007f21264b4059 in ZEND_FETCH_DIM_R_SPEC_CV_VAR_HANDLER (execute_data=0x7f2127f17678) at /build/php-5.3.10/Zend/zend_vm_execute.h:26962
#13 0x00007f212646ee30 in execute (op_array=0x7f2127efe020) at /build/php-5.3.10/Zend/zend_vm_execute.h:107
#14 0x00007f212644654f in zend_execute_scripts (type=8, retval=<optimized out>, file_count=3) at /build/php-5.3.10/Zend/zend.c:1308
#15 0x00007f21263f2bc7 in php_execute_script (primary_file=<optimized out>) at /build/php-5.3.10/main/main.c:2323
#16 0x00007f21264db7c8 in main (argc=669766600, argv=<optimized out>) at /build/php-5.3.10/sapi/fpm/fpm/fpm_main.c:1875

It looks like PHP caught a signal inside malloc(), causing glibc to take some lock, and that free() wants the same lock, leading to deadlock.

I'm not sure if malloc/free is safe to use in signal handlers. http://linux.derkeiler.com/Newsgroups/comp.os.linux.development.apps/2005-07/0323.html seems to suggest it's not.


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2012-02-14 12:11 UTC] jpauli@php.net
Seems related to #31749
 [2012-02-23 10:06 UTC] phpbugs at oops dot mooo dot com
You're correct it looks like the same bug. Sorry for not searching well enough.
 [2012-05-22 16:06 UTC] fat@php.net
Please do not submit the same bug more than once. An existing
bug report already describes this very problem. Even if you feel
that your issue is somewhat different, the resolution is likely
to be the same. 

Thank you for your interest in PHP.


 [2012-05-22 16:06 UTC] fat@php.net
-Status: Open +Status: Not a bug
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sun Nov 19 01:31:42 2017 UTC