Bug #61238 malloc: freeing unallocated pointer
Submitted: 2012-03-02 08:02 UTC
Modified: 2012-07-03 14:16 UTC
Votes: 3
Avg. Score: 4.7 ± 0.5
Reproduced: 3 of 3 (100.0%)
Same Version: 3 (100.0%)
Same OS: 1 (33.3%)
From: gzilirion at gmail dot com
Assigned: pajoye
Status: Closed
Package: APC (PECL)
PHP Version: 5.4.0
OS: Mac OS X 10.7.3 Lion
Private report: No
CVE-ID: None
 [2012-03-02 08:02 UTC] gzilirion at gmail dot com
Description:
------------
When apc is enabled php-fpm -i gives this:

php-fpm(74478) malloc: *** error for object 0x10c4da9b8: pointer being freed was not allocated
*** set a breakpoint in malloc_error_break to debug
Abort trap: 6

also when apc.enable_cli=1 php -i gives same error.


Patches

interned_string_double_free_fix2 (last revision 2012-03-11 15:36 UTC by ab@php.net)
interned_string_double_free_fix (last revision 2012-03-06 09:32 UTC by ab@php.net)


History

 [2012-03-03 17:46 UTC] leocardia77 at gmail dot com
The zend_class_entry definition in the Zend API header was changed.
Simply mark the free in zend/zend_opcode.c at 295 and 328,
str_free(ce->name) or efree.
name has been changed from char to const char.
 [2012-03-06 09:27 UTC] ab@php.net
-Assigned To: +Assigned To: ab
 [2012-03-06 09:32 UTC] ab@php.net
The following patch has been added/updated:

Patch Name: interned_string_double_free_fix
Revision:   1331026333
URL:        https://bugs.php.net/patch-display.php?bug=61238&patch=interned_string_double_free_fix&revision=1331026333
 [2012-03-06 09:35 UTC] ab@php.net
In the patch supplied we duplicate ce->name and info->name as otherwise they 
would be freed twice - by interned storage shutdown and by ZE.
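
The ownership problem described in the comment above, as an added C example that is not APC or Zend Engine code: one string pointer is released by two owners unless the class entry holds its own copy. The allocator, `struct class_entry`, `track_strdup`, `track_free`, `live_count` and `shutdown_bad_frees` are hypothetical names made up for this model.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model, not APC or Zend Engine source. A fixed-slot allocator
 * counts frees of memory that is not allocated instead of aborting. */
#define SLOTS 8
static char pool[SLOTS][32];
static int in_use[SLOTS];
static int bad_frees;

static char *track_strdup(const char *s) {
    for (int i = 0; i < SLOTS; i++)
        if (!in_use[i] && strlen(s) < sizeof pool[i]) {
            in_use[i] = 1;
            return strcpy(pool[i], s);
        }
    return NULL;
}

static void track_free(const char *p) {
    for (int i = 0; i < SLOTS; i++)
        if (p == pool[i] && in_use[i]) { in_use[i] = 0; return; }
    if (p) bad_frees++;   /* a real malloc reports the error and aborts here */
}

int live_count(void) {   /* slots still allocated, i.e. leaks after shutdown */
    int n = 0;
    for (int i = 0; i < SLOTS; i++) n += in_use[i];
    return n;
}

struct class_entry { const char *name; };  /* hypothetical stand-in for ce->name */

/* Invalid frees during shutdown. duplicate=0: the class entry shares the
 * interned pointer. duplicate=1: the class entry holds its own copy. */
int shutdown_bad_frees(int duplicate) {
    bad_frees = 0;
    const char *interned = track_strdup("MyClass");  /* owned by interned storage */
    struct class_entry ce = { duplicate ? track_strdup(interned) : interned };
    track_free(interned);   /* interned storage shutdown */
    track_free(ce.name);    /* engine destroys the class entry */
    return bad_frees;
}

int main(void) {
    printf("shared: %d, duplicated: %d, leaked: %d\n",
           shutdown_bad_frees(0), shutdown_bad_frees(1), live_count());
    return 0;
}
```

With a shared pointer the second release hits memory that is no longer allocated, which is the condition malloc reports in the original description; with a per-owner copy both releases are valid and nothing is left allocated.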
 [2012-03-07 11:40 UTC] pajoye@php.net
Automatic comment from SVN on behalf of pajoye
Revision: http://svn.php.net/viewvc/?view=revision&revision=323990
Log: - fix bug #61238, double free of interned string
 [2012-03-07 11:40 UTC] pajoye@php.net
Automatic comment from SVN on behalf of pajoye
Revision: http://svn.php.net/viewvc/?view=revision&revision=323991
Log: - fix bug #61238, double free of interned string
 [2012-03-07 11:40 UTC] pajoye@php.net
-Status: Assigned +Status: Closed
 [2012-03-07 11:40 UTC] pajoye@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2012-03-07 13:17 UTC] pierre at archlinux dot de
This bug might still not be fixed; at least if it is indeed the same as #61236. I tried trunk revision at 323991. (This is on x86_64 Linux)
 [2012-03-09 16:15 UTC] ab@php.net
This needs further fixing as the issue behaves differently on TS and NTS. 
Currently interned strings are only handled on NTS builds.
 [2012-03-11 05:43 UTC] locuse at mm dot st
building php 54 from sources,

	svn info
		Path: .
		URL: https://svn.php.net/repository/php/php-src/branches/PHP_5_4
		Repository Root: https://svn.php.net/repository
		Repository UUID: c90b9560-bf6c-de11-be94-00142212c4b1
		Revision: 324092
		Node Kind: directory
		Schedule: normal
		Last Changed Author: cataphract
		Last Changed Rev: 324082
		Last Changed Date: 2012-03-10 09:19:39 -0800 (Sat, 10 Mar 2012)

with gcc version 4.6.3 (SUSE Linux) on x86_64-suse-linux,

	php -v
		PHP 5.4.1RC1-dev (cli) (built: Mar 10 2012 20:21:53)
		Copyright (c) 1997-2012 The PHP Group
		Zend Engine v2.4.0, Copyright (c) 1998-2012 Zend Technologies
		    with Xdebug v2.2.0-dev, Copyright (c) 2002-2012, by Derick Rethans

co of APC trunk sources

	svn co http://svn.php.net/repository/pecl/apc/trunk apc
	svn info
		Path: .
		URL: http://svn.php.net/repository/pecl/apc/trunk
		Repository Root: http://svn.php.net/repository
		Repository UUID: c90b9560-bf6c-de11-be94-00142212c4b1
		Revision: 324092
		Node Kind: directory
		Schedule: normal
		Last Changed Author: pajoye
		Last Changed Rev: 324037
		Last Changed Date: 2012-03-08 16:01:32 -0800 (Thu, 08 Mar 2012)

attempting the patch,

	wget -k -O /usr/local/src/interned_string_double_free_fix.patch.TRUNK "https://bugs.php.net/patch-display.php?bug_id=61238&patch=interned_string_double_free_fix&revision=1331026333&download=1"

	cd apc
	patch -p0 < ../interned_string_double_free_fix.patch

		patching file apc_zend.h
		Reversed (or previously applied) patch detected!  Assume -R? [n]^C

looks applied already

@ build

	phpize
	./configure --prefix=/usr/local/apc -enable-apc
	make -j20

		Build complete.
		Don't forget to run 'make test'.

then testing

	grep enable php5/conf.d/apc.ini
		apc.enabled="1"
		apc.enable_cli="1"
	make test
		*** glibc detected *** /usr/local/php5/bin/php: double free or corruption (out): 0x00007f5c116ded30 ***
		======= Backtrace: =========
		/lib64/libc.so.6(+0x74c06)[0x7f5c0fb94c06]
		/usr/local/php5/bin/php(destroy_zend_class+0x23d)[0x5abddd]
		/usr/local/php5/bin/php(zend_hash_clean+0x68)[0x5c3bc8]
		/usr/local/src/apc/modules/apc.so(apc_interned_strings_shutdown+0x20)[0x7f5c0f48b940]
		/usr/local/src/apc/modules/apc.so(apc_module_shutdown+0x12d)[0x7f5c0f48514d]
		/usr/local/src/apc/modules/apc.so(+0xb78f)[0x7f5c0f47a78f]
		/usr/local/php5/bin/php[0x5bd1b3]
		/usr/local/php5/bin/php[0x5c2494]
		/usr/local/php5/bin/php(zend_hash_graceful_reverse_destroy+0x28)[0x5c3ca8]
		/usr/local/php5/bin/php[0x5b5b3e]
		/usr/local/php5/bin/php(php_module_shutdown+0x25)[0x553a65]
		/usr/local/php5/bin/php[0x420405]
		/lib64/libc.so.6(__libc_start_main+0xed)[0x7f5c0fb4123d]
		/usr/local/php5/bin/php[0x4205e1]
 [2012-03-11 15:36 UTC] ab@php.net
The following patch has been added/updated:

Patch Name: interned_string_double_free_fix2
Revision:   1331480212
URL:        https://bugs.php.net/patch-display.php?bug=61238&patch=interned_string_double_free_fix2&revision=1331480212
 [2012-03-11 15:43 UTC] ab@php.net
The supplied patch interned_string_double_free_fix2 completely disables interned 
string handling in TS builds, reverting the previous patch (which is already 
committed). This way APC stays compatible with ZE where interned strings are 
ignored as well.
 [2012-03-11 17:21 UTC] locuse at mm dot st
applying "interned_string_double_free_fix2" patch to apc/trunk w/ php5.4,

...
make test
	=====================================================================
	TEST RESULT SUMMARY
	---------------------------------------------------------------------
	Exts skipped    :    0
	Exts tested     :   13
	---------------------------------------------------------------------

	Number of tests :   26                25
	Tests skipped   :    1 (  3.8%) --------
	Tests warned    :    0 (  0.0%) (  0.0%)
	Tests failed    :    0 (  0.0%) (  0.0%)
	Expected fail   :    0 (  0.0%) (  0.0%)
	Tests passed    :   25 ( 96.2%) (100.0%)
	---------------------------------------------------------------------
	Time taken      :    1 seconds
	=====================================================================

php -i | grep -i apc | head -n 3
	Additional .ini files parsed => /usr/local/etc/php5/conf.d/apc.ini,
	apc
	APC Support => enabled

thank you
 [2012-03-12 07:37 UTC] pajoye@php.net
-Assigned To: ab +Assigned To: pajoye
 [2012-03-12 07:37 UTC] pajoye@php.net
-Status: Closed +Status: Assigned
 [2012-03-12 11:38 UTC] pajoye@php.net
Automatic comment from SVN on behalf of pajoye
Revision: http://svn.php.net/viewvc/?view=revision&revision=324145
Log: - disable here too, (bug #61238)
 [2012-03-12 14:52 UTC] ab@php.net
-Status: Assigned +Status: Closed
 [2012-03-12 14:52 UTC] ab@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2012-07-03 14:10 UTC] tom at punkave dot com
I am still seeing this bug in a brand new PHP 5.4.4 build with APC freshly built 
via pecl. Is this fix included in 5.4.4 and the latest APC? If not, what has to 
happen to move it past the "fixed in SVN" stage to the "available standard" stage? 
Thanks.
 [2012-07-03 14:13 UTC] gopalv@php.net
A whole week where I have nothing else to do, a computer and a loop of some good house music.

The last time I had to debug things similarly, I had to patch valgrind to report back on memory overwrites & run almost 100k randomly ordered requests.

I wish fixing APC was my day job again :(
 [2012-07-03 14:16 UTC] tom at punkave dot com
I hear you! But what about the fix already committed in svn? Does it just need 
publication as part of a new release or is there some problem with that fix not 
reflected here in the ticket?
 [2012-07-03 14:16 UTC] rasmus@php.net
We have a few more issues to track down before we are ready for a release. 
Install from SVN for now. It is trivial to do:

svn checkout http://svn.php.net:/repository/pecl/apc/trunk apc
cd apc
phpize
./configure --enable-apc-pthreadrwlocks
make 
make install
 [2012-07-03 14:36 UTC] tom at punkave dot com
OK, that's what I'll do for now. Thanks.