Bug #61076 SegFault in memcache client function mmc_value_handler_multi
Submitted: 2012-02-13 22:04 UTC
Modified: -
Votes: 4
Avg. Score: 5.0 ± 0.0
Reproduced: 4 of 4 (100.0%)
Same Version: 3 (75.0%)
Same OS: 3 (75.0%)
From: pada at hrz dot tu-chemnitz dot de
Assigned:
Status: Open
Package: memcache (PECL)
PHP Version: Irrelevant
OS: CentOS
Private report: No
CVE-ID: None

 [2012-02-13 22:04 UTC] pada at hrz dot tu-chemnitz dot de
Description:
------------
We are experiencing segmentation faults on an internal website. An object 
oriented framework fetches objects (containing several arrays and pointers) from 
a database, and writes them to memcache. Memcache client will segfault while 
accessing Z_TYPE_P(result[0]).

Every time, we end up in the following code of memcache.c:

/usr/src/debug/php-pecl-memcache-3.0.5/memcache-3.0.5/memcache.c:1509
1509            if (Z_TYPE_P(result[0]) != IS_ARRAY) {

Any hints what could be the origin for these SegFaults or how one can reproduce 
this behaviour?

OS: CentOS Linux 6.0 x86_64
PHP: 5.3.3
PECL Memcache: 3.0.5 (affected)
PECL Memcache: 3.0.6 (affected)

Configure Line: './configure'  '--build=x86_64-koji-linux-gnu' '--host=x86_64-koji-linux-gnu' '--target=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--localstatedir=/var' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--cache-file=../config.cache' '--with-libdir=lib64' '--with-config-file-path=/etc' '--with-config-file-scan-dir=/etc/php.d' '--disable-debug' '--with-pic' '--disable-rpath' '--without-pear' '--with-bz2' '--with-exec-dir=/usr/bin' '--with-freetype-dir=/usr' '--with-png-dir=/usr' '--with-xpm-dir=/usr' '--enable-gd-native-ttf' '--without-gdbm' '--with-gettext' '--with-gmp' '--with-iconv' '--with-jpeg-dir=/usr' '--with-openssl' '--with-pcre-regex=/usr' '--with-zlib' '--with-layout=GNU' '--enable-exif' '--enable-ftp' '--enable-magic-quotes' '--enable-sockets' '--enable-sysvsem' '--enable-sysvshm' '--enable-sysvmsg' '--with-kerberos' '--enable-ucd-snmp-hack' '--enable-shmop' '--enable-calendar' '--without-sqlite' '--with-libxml-dir=/usr' '--enable-xml' '--with-system-tzdata' '--enable-force-cgi-redirect' '--enable-pcntl' '--with-imap=shared' '--with-imap-ssl' '--enable-mbstring=shared' '--enable-mbregex' '--with-gd=shared' '--enable-bcmath=shared' '--enable-dba=shared' '--with-db4=/usr' '--with-xmlrpc=shared' '--with-ldap=shared' '--with-ldap-sasl' '--with-mysql=shared,/usr' '--with-mysqli=shared,/usr/lib64/mysql/mysql_config' '--enable-dom=shared' '--with-pgsql=shared' '--enable-wddx=shared' '--with-snmp=shared,/usr' '--enable-soap=shared' '--with-xsl=shared,/usr' '--enable-xmlreader=shared' '--enable-xmlwriter=shared' '--with-curl=shared,/usr' '--enable-fastcgi' '--enable-pdo=shared' '--with-pdo-odbc=shared,unixODBC,/usr' '--with-pdo-mysql=shared,/usr/lib64/mysql/mysql_config' '--with-pdo-pgsql=shared,/usr' '--with-pdo-sqlite=shared,/usr' '--with-sqlite3=shared,/usr' '--enable-json=shared' '--enable-zip=shared' '--without-readline' '--with-libedit' '--with-pspell=shared' '--enable-phar=shared' '--with-tidy=shared,/usr' '--enable-sysvmsg=shared' '--enable-sysvshm=shared' '--enable-sysvsem=shared' '--enable-posix=shared' '--with-unixODBC=shared,/usr' '--enable-fileinfo=shared' '--enable-intl=shared' '--with-icu-dir=/usr' '--with-enchant=shared,/usr' '--with-recode=shared,/usr'


Test script:
---------------
No test script yet, but reproducible with a non-public website.
Please ask if you need more information.

Expected result:
----------------
No segmentation fault

Actual result:
--------------
core file: core.httpd.14261

zend stack backtrace:

[New Thread 14261]
[New Thread 11400]
[Thread debugging using libthread_db enabled]
Core was generated by `/usr/sbin/httpd'.
Program terminated with signal 11, Segmentation fault.
#0  0x00007f344e7c5ad2 in mmc_value_handler_multi (key=0x7fffa42d6c80 "EXP4_MC_20120213162906:1f8b7944ec23744ccf2f0259c5d4ba662e3d4083", key_len=63, value=0x7fffa42d6c30, flags=1, cas=0, param=<value optimized out>) at /usr/src/debug/php-pecl-memcache-3.0.5/memcache-3.0.5/memcache.c:1509
1509            if (Z_TYPE_P(result[0]) != IS_ARRAY) {
[0x7f345f85a2e0] set("EXP4_MC_20120213162906:1f8b7944ec23744ccf2f0259c5d4ba662e3d4083", object[0x7f345f6e3f38], 0, 3600) /var/www/plugins/comDBPlugin/lib/comMemcache.class.php:358
[0x7f345f85a0d8] set("tag:1:707", object[0x7f345f6e3f38], 3600) /var/www/plugins/comDBPlugin/lib/comPeer.class.php:448
[0x7f345f859598] storeInMemcache(object[0x7f345f6e3f38]) /var/www/plugins/comDBPlugin/lib/comObject.class.php:212
[0x7f345f858650] hydrate(707, array(0)[0x7f345f721270], array(0)[0x7f345f7214f0], array(13)[0x7f345f7397a0]) /var/www/plugins/comDBPlugin/lib/comObject.class.php:127
[0x7f345f8580a0] __construct("707") /var/www/plugins/areaBasePlugin/lib/model/tag.class.php:58
[0x7f345f8576b8] __construct("707") /var/www/plugins/comDBPlugin/lib/comPeer.class.php:214
[0x7f345f857340] ids2objectsWithIds(array(17)[0x7f345f6e0c90]) /var/www/plugins/comDBPlugin/lib/comPeer.class.php:174
[0x7f345f856f90] ids2objects(array(17)[0x7f345f6e0c90]) /var/www/plugins/areaBasePlugin/lib/model/comBaseAsset.class.php:1254
[0x7f345f856c90] getTags(37) /var/www/plugins/areaBasePlugin/lib/model/comBaseAsset.class.php:1286
[0x7f345f856ae8] getTagsString(37) /var/www/plugins/areaBasePlugin/lib/model/contentAsset.class.php:1555
[0x7f345f855f88] getMetaKeywords() /var/www/plugins/areaBasePlugin/modules/progContent/lib/comprogContentActions.class.php:128
[0x7f345f854c70] setupMetaForContent(object[0x7f345f6b8208]) /var/www/plugins/areaBasePlugin/modules/progContent/actions/actions.class.php:1326
[0x7f345f853f00] renderContent() /var/www/plugins/areaBasePlugin/modules/progContent/actions/actions.class.php:239
[0x7f345f853838] executeView(object[0x7f345f6d0750]) /var/www/cache/sf/abc/prod/config/config_core_compile.yml.php:459
[0x7f345f853568] execute(object[0x7f345f6d0750]) /var/www/cache/sf/abc/prod/config/config_core_compile.yml.php:952
[0x7f345f853210] executeAction(object[0x7f345f925090]) /var/www/cache/sf/abc/prod/config/config_core_compile.yml.php:947
[0x7f345f852ab8] handleAction(object[0x7f345fce7858], object[0x7f345f925090]) /var/www/cache/sf/abc/prod/config/config_core_compile.yml.php:933
[0x7f345f8525a0] execute(object[0x7f345fce7858]) /var/www/cache/sf/abc/prod/config/config_core_compile.yml.php:1031
[0x7f345f851f38] execute() /var/www/lib/vendor/symfony/lib/filter/sfCommonFilter.class.php:29
[0x7f345f851a20] execute(object[0x7f345fce7858]) /var/www/cache/sf/abc/prod/config/config_core_compile.yml.php:1031
[0x7f345f8510e8] execute() /var/www/plugins/comDBPlugin/lib/filter/comIPFilter.class.php:109
[0x7f345f850bd0] execute(object[0x7f345fce7858]) /var/www/cache/sf/abc/prod/config/config_core_compile.yml.php:1031
[0x7f345f850818] execute() /var/www/cache/sf/abc/prod/config/config_core_compile.yml.php:995
[0x7f345f850300] execute(object[0x7f345fce7858]) /var/www/cache/sf/abc/prod/config/config_core_compile.yml.php:1031
[0x7f345f84ee40] execute() /var/www/cache/sf/abc/prod/config/config_core_compile.yml.php:665
[0x7f345f84e040] forward("progContent", "view") /var/www/plugins/areaBasePlugin/lib/controller/areaWebController.php:62
[0x7f345f84df00] dispatch() /var/www/lib/vendor/symfony/lib/util/sfContext.class.php:170
[0x7f345f84da70] dispatch() /var/www/htdocs/index.php:21

full backtrace:

[New Thread 14261]
[New Thread 11400]
[Thread debugging using libthread_db enabled]
Core was generated by `/usr/sbin/httpd'.
Program terminated with signal 11, Segmentation fault.
#0  0x00007f344e7c5ad2 in mmc_value_handler_multi (key=0x7fffa42d6c80 
"EXP4_MC_20120213162906:1f8b7944ec23744ccf2f0259c5d4ba662e3d4083", key_len=63, 
value=0x7fffa42d6c30, flags=1, cas=0, param=<value optimized out>) at 
/usr/src/debug/php-pecl-memcache-3.0.5/memcache-3.0.5/memcache.c:1509
1509            if (Z_TYPE_P(result[0]) != IS_ARRAY) {
#0  0x00007f344e7c5ad2 in mmc_value_handler_multi (key=0x7fffa42d6c80 
"EXP4_MC_20120213162906:1f8b7944ec23744ccf2f0259c5d4ba662e3d4083", key_len=63, 
value=0x7fffa42d6c30, flags=1, cas=0, param=<value optimized out>) at 
/usr/src/debug/php-pecl-memcache-3.0.5/memcache-3.0.5/memcache.c:1509
        arrval = 0x7f345f7216a0
        result = 0x7fffa42d6f00
#1  0x00007f344e7c9588 in mmc_unpack_value (mmc=<value optimized out>, 
request=0x7f345f5fa7a0, buffer=0x7f345f5fa7c8, key=0x7f345f5fa958 
"EXP4_MC_20120213162906:1f8b7944ec23744ccf2f0259c5d4ba662e3d4083", key_len=63, 
flags=1, cas=0, bytes=787) at /usr/src/debug/php-pecl-memcache-3.0.5/memcache-
3.0.5/memcache_pool.c:490
        var_hash = {first = 0x7f345f73b658, first_dtor = 0x7f345f73d6e8}
        key_tmp = 
"EXP4_MC_20120213162906:1f8b7944ec23744ccf2f0259c5d4ba662e3d4083\000\000\000\000
\000\000\000\000\000\377\017\000\000\000\000\000\000xu2_4\177\000\000\240\247__4
\177\000\000\320\020\225_4\177\000\000\001", '\000' <repeats 15 times>, 
"8\260\264\\4\177\000\000\020\000\000\000\060\000\000\000\340m-
\244\377\177\000\000 m-
\244\377\177\000\000\000\020\000\000\000\000\000\000(\021\225_4\177\000\000\000\
000\000\000\000\000\000\000X\251__4\177\000\000T\252__4\177\000\000X\252__4\177\
000\000`\252__4\177\000\000M\000\000\000\000\000\000\000(\021\225_4\177\000\000\
000\000\000\000\000\000\000\000\270"...
        buffer_tmp = {value = {c = 0x7f345f67afe8 "O:3:\"tag\":10:{s:21:\"", len 
= 0, a = 3181}, idx = 0}
        p = 0x7f345f67b2fb "\r\ng\";}\r\n3:\"int\";}s:8:\"vote_cnt\";a:1:
{s:1:\"t\";s:3:\"int\";}s:13:\"favourite_cnt\";a:1:
{s:1:\"t\";s:3:\"int\";}s:8:\"view_cnt\";a:2:
{s:1:\"t\";s:3:\"int\";s:1:\"n\";i:1;}s:13:\"navigation_id\";a:1:
{s:1:\"t\";s:3:\"int\";}s:1"...
        object = 0x7fffa42d6c30
        value_handler = 0x7f344e7c5a70 <mmc_value_handler_multi>
        value_handler_param = 0x7fffa42d6f00
        data = 0x7f345f67afe8 "O:3:\"tag\":10:{s:21:\""
        data_len = 787
        value = {value = {lval = 299, dval = 1.4772562810653272e-321, str = {val 
= 0x12b <Address 0x12b out of bounds>, len = 1417720512}, ht = 0x12b, obj = 
{handle = 299, handlers = 0x7f345480b2c0}}, refcount__gc = 1, type = 5 '\005', 
is_ref__gc = 0 '\000'}
#2  0x00007f344e7ce117 in mmc_server_read_value (mmc=0x7f345f9510d0, 
request=0x7f345f5fa7a0) at /usr/src/debug/php-pecl-memcache-3.0.5/memcache-
3.0.5/memcache_ascii_protocol.c:187
        result = <value optimized out>
        req = 0x7f345f5fa7a0
#3  0x00007f344e7cb16b in mmc_pool_select (pool=0x7f345f5ee0c8) at 
/usr/src/debug/php-pecl-memcache-3.0.5/memcache-3.0.5/memcache_pool.c:1584
        i = <value optimized out>
        result = <value optimized out>
        mmc = 0x7f345f9510d0
        sending = <value optimized out>
        reading = <value optimized out>
#4  0x00007f344e7cb8d8 in mmc_pool_run (pool=0x7f345f5ee0c8) at 
/usr/src/debug/php-pecl-memcache-3.0.5/memcache-3.0.5/memcache_pool.c:1670
        mmc = <value optimized out>
#5  0x00007f344e7c5d32 in php_mmc_store (ht=<value optimized out>, 
return_value=0x7f345f721720, return_value_ptr=<value optimized out>, this_ptr=
<value optimized out>, return_value_used=<value optimized out>, op=1) at 
/usr/src/debug/php-pecl-memcache-3.0.5/memcache-3.0.5/memcache.c:520
        pool = 0x7f345f5ee0c8
        request = <value optimized out>
        keys = 0x7f345f721820
        value = 0x7f345f6e3f38
        mmc_object = 0x7f345f5f2700
        flags = 0
        exptime = 3600
        cas = 0
#6  0x00007f34544eda58 in zend_do_fcall_common_helper_SPEC (execute_data=<value 
optimized out>) at /usr/src/debug/php-5.3.3/Zend/zend_vm_execute.h:316
        opline = <value optimized out>
        should_change_scope = 1 '\001'
#7  0x00007f34544c4d80 in execute (op_array=0x7f345f5f3320) at 
/usr/src/debug/php-5.3.3/Zend/zend_vm_execute.h:107
        ret = <value optimized out>
        execute_data = 0x7f345f85a2e0
        nested = 1 '\001'
        original_in_execution = 0 '\000'
#8  0x00007f345449f47d in zend_execute_scripts (type=8, retval=0x0, 
file_count=3) at /usr/src/debug/php-5.3.3/Zend/zend.c:1194
        files = {{gp_offset = 40, fp_offset = 32767, overflow_arg_area = 
0x7fffa42d71c0, reg_save_area = 0x7fffa42d7150}}
        i = <value optimized out>
        file_handle = 0x7fffa42d94e0
        orig_op_array = 0x0
        orig_retval_ptr_ptr = 0x0

#9  0x00007f345444d748 in php_execute_script (primary_file=0x7fffa42d94e0) at 
/usr/src/debug/php-5.3.3/main/main.c:2260
        realfile = 
"\377\377\377\377\377\177\000\000\000\000\000\000\000\000\000\000\214\206-
\244\377\177\000\000\234\204-
\244\001\000\000\000\030\000\000\000\377\177\000\000p\204-\244\377\177\000\000 
\204-\244\377\177\000\000XYE_4\177\000\000\340\332v_4\177\000\000\350\204-
\244\377\177\000\000XYE_4\177\000\000\v", '\000' <repeats 15 times>, 
"C\274\n]4\177\000\000<?php\000\nini_set('memory_limit', 
'512M');\nmb_internal_encoding('U\000\000\000\000\000\000\000\000\000\261\365\37
1c;T\212\231\006\000\000\000\004\000\000\000\070\202G_4\177\000\000\000\205-
\244\377\177\000\000\377\377\377\377\000\000\000\000\070\000\000\000\000\000\000
\000\350FY^4\177\000\000\030\365\177^4\177"...
        __orig_bailout = 0x7fffa42d9410
        __bailout = {{__jmpbuf = {139862732847936, 1758628069745435855, 
139862913548856, 0, -4294967295, 139862900471064, 1758628066459198671, 
1869000699703272655}, __mask_was_saved = 0, __saved_mask = {__val = 
{139862913535504, 139862927498320, 139862876011587, 139862913535592, 
139862886427163, 0, 140735947833992, 0, 0, 0, 0, 139862913523208, 
139862886426286, 0, 139862913523208, 140735947834144}}}}
        prepend_file_p = <value optimized out>
        append_file_p = 0x0
        prepend_file = {type = ZEND_HANDLE_FILENAME, filename = 0x0, opened_path 
= 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, isatty = 0, mmap = 
{len = 0, pos = 0, map = 0x0, buf = 0x0, old_handle = 0x0, old_closer = 0}, 
reader = 0, fsizer = 0, closer = 0}}, free_filename = 0 '\000'}
        append_file = {type = ZEND_HANDLE_FILENAME, filename = 0x0, opened_path 
= 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, isatty = 0, mmap = 
{len = 0, pos = 0, map = 0x0, buf = 0x0, old_handle = 0x0, old_closer = 0}, 
reader = 0, fsizer = 0, closer = 0}}, free_filename = 0 '\000'}
        old_cwd = 0x7fffa42d71d0 "/"
        use_heap = 0 '\000'
        retval = 0
#10 0x00007f3454528425 in php_handler (r=0x7f345f478238) at /usr/src/debug/php-
5.3.3/sapi/apache2handler/sapi_apache2.c:669
        zfd = {type = ZEND_HANDLE_FILENAME, filename = 0x7f34601d29e8 
"/var/www/app/www.example.org/current/htdocs/index.php", opened_path = 0x0, 
handle = {fd = 1593208992, fp = 0x7f345ef670a0, stream = {handle = 
0x7f345ef670a0, isatty = 0, mmap = {len = 139862913548856, pos = 
139862913341960, map = 0x7f345f4784b0, buf = 0x7f345f445a88 "0bD_4\177", 
old_handle = 0x7f345e5dca31, old_closer = 0x7f345f478238}, reader = 
0x7f345f455cb8, fsizer = 0x7fffa42d9590, closer = 0x7f345f4784c0}}, 
free_filename = 0 '\000'}
        __orig_bailout = 0x0
        __bailout = {{__jmpbuf = {139862907840360, -1758463573704891185, 
139862913548856, 0, -4294967295, 139862900471064, 1758628069571372239, 
1869000539895047375}, __mask_was_saved = 0, __saved_mask = {__val = 
{139861315026952, 0, 139862913547752, 139862913407320, 139862913407320, 
139862913547064, 139862916651656, 38654705664, 11063748048646174129, 
18446744073709551615, 139862784509049, 18446744073709551615, 
18446744073709551615, 139862927550952, 139862769682950, 18446744073709551615}}}}
        ctx = 0x7f345f76de30
        conf = 0x7f345f04db08
        brigade = 0x7f345f76e918
        bucket = <value optimized out>
        rv = <value optimized out>
        parent_req = 0x0
#11 0x00007f345e5d1980 in ?? ()
No symbol table info available.
#12 0x00007f345f478238 in ?? ()
No symbol table info available.
#13 0x00007f345f109998 in ?? ()
No symbol table info available.
#14 0x00007f345f4559d8 in ?? ()
No symbol table info available.
#15 0x00007f345e5d523e in ?? ()
No symbol table info available.
#16 0x0000000000000000 in ?? ()
No symbol table info available.


History

 [2012-02-14 17:33 UTC] pada at hrz dot tu-chemnitz dot de
It seems that the zend garbage collector collects the objects whose references are passed to the memcache set() function.

See also http://www.php.net/manual/en/features.gc.collecting-cycles.php 

With the following workaround in .htaccess file, we get no SegFaults:

# Disable Zend Garbage Collection
php_flag zend.enable_gc 0
 [2012-05-25 20:46 UTC] alexkress at rogers dot com
We are experiencing the same problem. However, the workaround does not seem to work. The segfault is happening in exactly the same place as in the bug description.

Any word on when this will get fixed?
 [2013-02-05 15:23 UTC] rene dot kerner at trivago dot com
Please compare with:
https://bugs.php.net/bug.php?id=64144

We got that issue reproduced on multi-gets when there is no answer from the memcache server or network latency > memcache timeout (1 second is the default).
 
Last updated: Sat Sep 21 22:01:26 2019 UTC