PHP :: Bug #61996 :: Segfault in php-fpm, no memcached running, sessions in memcached

Bug #61996	Segfault in php-fpm, no memcached running, sessions in memcached
Submitted:	2012-05-10 14:44 UTC	Modified:	2012-05-14 07:27 UTC
From:	radical@php.net	Assigned:	radical (profile)
Status:	Closed	Package:	memcached (PECL)
PHP Version:	5.4.3	OS:
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

[2012-05-10 14:44 UTC] radical@php.net

Description:
------------
[root@caffeine nginx]# php -v
PHP 5.4.3 (cli) (built: May 10 2012 11:18:42) 
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2012 Zend Technologies

[root@caffeine nginx]# pecl list | grep memcached
memcached 2.0.1   stable

/etc/php.ini - relevant settings
session.save_handler = memcached
session.save_path = "127.0.0.1:11211"
session.serialize_handler=igbinary # disabling this still cause the segfault... 
so it's not igbinary related

Test script:
---------------
<?php

set_error_handler('errorHandler');

session_start();

function errorHandler($errno, $errstr, $errfile = '', $errline = 0, array $errcontext = array())
{
	print_r($errcontext, true);
	// return true; // this line on/off still get the segfault
}

echo 1;

Expected result:
----------------
1

Actual result:
--------------
[root@[REMOVED] nginx]# tail /var/log/messages
May 10 15:29:29 [REMOVED] kernel: php-fpm[11815]: segfault at 0 ip 
000000000077cd16 sp 00007fffe35c2b80 error 6 in php-fpm[400000+8a7000]

nginx says: 502 Bad Gateway
and logs: 

2012/05/10 15:49:43 [error] 8522#0: *364 recv() failed (104: Connection reset by 
peer) while reading response header from upstream, client: [SOME_IP], server: 
[DOMAIN_NAME].ro, request: "GET /sesstest.php HTTP/1.1", upstream: 
"fastcgi://127.0.0.1:9000", host: "[DOMAIN_NAME].ro"

-----------

From my tests I concluded that ALL the following conditions must be met for this 
to occur:
- memcached server stopped
- set_error_handler
- session_start
- print_r($errcontext, true) # even the second param is important leaving it as 
print_r($errcontext) will cause the script to run properly.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2012-05-10 14:48 UTC] radical@php.net

[root@caffeine nginx]# strace -p 12690 -p 13598
Process 12690 attached - interrupt to quit
Process 13598 attached - interrupt to quit
[pid 13598] accept(0,  <unfinished ...>
[pid 12690] accept(0,  <unfinished ...>
[pid 13598] <... accept resumed> {sa_family=AF_INET, sin_port=htons(43156), 
sin_addr=inet_addr("127.0.0.1")}, [16]) = 3
[pid 13598] clock_gettime(CLOCK_MONOTONIC, {289461, 530796575}) = 0
[pid 13598] gettimeofday({1336661210, 593804}, NULL) = 0
[pid 13598] times({tms_utime=0, tms_stime=0, tms_cutime=0, tms_cstime=0}) = 
458343203
[pid 13598] poll([{fd=3, events=POLLIN}], 1, 5000) = 1 ([{fd=3, 
revents=POLLIN}])
[pid 13598] read(3, "\1\1\0\1\0\10\0\0", 8) = 8
[pid 13598] read(3, "\0\1\0\0\0\0\0\0", 8) = 8
[pid 13598] read(3, "\1\4\0\1\3\352\6\0", 8) = 8
[pid 13598] read(3, "\17&SCRIPT_FILENAME/www/[DOMAIN_NAME]."..., 1008) = 1008
[pid 13598] read(3, "\1\4\0\1\0\0\0\0", 8) = 8
[pid 13598] gettimeofday({1336661210, 594794}, NULL) = 0
[pid 13598] lstat("/www/[DOMAIN_NAME].ro/Web/www/sesstest.php", 
{st_mode=S_IFREG|0644, st_size=262, ...}) = 0
[pid 13598] lstat("/www/[DOMAIN_NAME].ro/Web/www", {st_mode=S_IFDIR|0755, 
st_size=4096, ...}) = 0
[pid 13598] lstat("/www/[DOMAIN_NAME].ro/Web", {st_mode=S_IFDIR|0755, 
st_size=4096, ...}) = 0
[pid 13598] lstat("/www/[DOMAIN_NAME].ro", {st_mode=S_IFDIR|0755, st_size=4096, 
...}) = 0
[pid 13598] lstat("/www", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
[pid 13598] clock_gettime(CLOCK_MONOTONIC, {289461, 532597083}) = 0
[pid 13598] gettimeofday({1336661210, 595651}, NULL) = 0
[pid 13598] stat("/www/[DOMAIN_NAME].ro/Web/www/.user.ini", 0x7fffe35c3320) = -1 
ENOENT (No such file or directory)
[pid 13598] setitimer(ITIMER_PROF, {it_interval={0, 0}, it_value={240, 0}}, 
NULL) = 0
[pid 13598] rt_sigaction(SIGPROF, {0x770590, [PROF], SA_RESTORER|SA_RESTART, 
0x7f0335e2b900}, {SIG_DFL, [], 0}, 8) = 0
[pid 13598] rt_sigprocmask(SIG_UNBLOCK, [PROF], NULL, 8) = 0
[pid 13598] gettimeofday({1336661210, 596734}, NULL) = 0
[pid 13598] gettimeofday({1336661210, 596789}, NULL) = 0
[pid 13598] open("/www/[DOMAIN_NAME].ro/Web/www/sesstest.php", O_RDONLY) = 5
[pid 13598] fstat(5, {st_mode=S_IFREG|0644, st_size=262, ...}) = 0
[pid 13598] fstat(5, {st_mode=S_IFREG|0644, st_size=262, ...}) = 0
[pid 13598] fstat(5, {st_mode=S_IFREG|0644, st_size=262, ...}) = 0
[pid 13598] mmap(NULL, 262, PROT_READ, MAP_SHARED, 5, 0) = 0x7f032c463000
[pid 13598] clock_gettime(CLOCK_MONOTONIC, {289461, 534541940}) = 0
[pid 13598] getcwd("/www/[DOMAIN_NAME].ro", 4095) = 18
[pid 13598] chdir("/www/[DOMAIN_NAME].ro/Web/www") = 0
[pid 13598] setitimer(ITIMER_PROF, {it_interval={0, 0}, it_value={120, 0}}, 
NULL) = 0
[pid 13598] munmap(0x7f032c463000, 262) = 0
[pid 13598] close(5)                    = 0
[pid 13598] gettimeofday({1336661210, 598866}, NULL) = 0
[pid 13598] socket(PF_NETLINK, SOCK_RAW, 0) = 5
[pid 13598] bind(5, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0
[pid 13598] getsockname(5, {sa_family=AF_NETLINK, pid=13598, groups=00000000}, 
[12]) = 0
[pid 13598] gettimeofday({1336661210, 599356}, NULL) = 0
[pid 13598] sendto(5, "\24\0\0\0\26\0\1\3\332\324\253O\0\0\0\0\0\0\0\0", 20, 0, 
{sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 20
[pid 13598] recvmsg(5, {msg_name(12)={sa_family=AF_NETLINK, pid=0, 
groups=00000000}, msg_iov(1)=
[{"0\0\0\0\24\0\2\0\332\324\253O\0365\0\0\2\10\200\376\1\0\0\0\10\0\1\0\177\0\0\
1"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 108
[pid 13598] recvmsg(5, {msg_name(12)={sa_family=AF_NETLINK, pid=0, 
groups=00000000}, msg_iov(1)=
[{"@\0\0\0\24\0\2\0\332\324\253O\0365\0\0\n\200\200\376\1\0\0\0\24\0\1\0\0\0\0\0
"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 128
[pid 13598] recvmsg(5, {msg_name(12)={sa_family=AF_NETLINK, pid=0, 
groups=00000000}, msg_iov(1)=
[{"\24\0\0\0\3\0\2\0\332\324\253O\0365\0\0\0\0\0\0\1\0\0\0\24\0\1\0\0\0\0\0"..., 
4096}], msg_controllen=0, msg_flags=0}, 0) = 20
[pid 13598] close(5)                    = 0
[pid 13598] socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 5
[pid 13598] fcntl(5, F_GETFL)           = 0x2 (flags O_RDWR)
[pid 13598] fcntl(5, F_SETFL, O_RDWR|O_NONBLOCK) = 0
[pid 13598] connect(5, {sa_family=AF_INET, sin_port=htons(11211), 
sin_addr=inet_addr("127.0.0.1")}, 16) = -1 EINPROGRESS (Operation now in 
progress)
[pid 13598] poll([{fd=5, events=POLLOUT}], 1, 4000) = 1 ([{fd=5, 
revents=POLLERR|POLLHUP}])
[pid 13598] getsockopt(5, SOL_SOCKET, SO_ERROR, [17179869295], [4]) = 0
[pid 13598] open("/usr/lib64/gconv/gconv-modules.cache", O_RDONLY) = 6
[pid 13598] fstat(6, {st_mode=S_IFREG|0644, st_size=26050, ...}) = 0
[pid 13598] mmap(NULL, 26050, PROT_READ, MAP_SHARED, 6, 0) = 0x7f032c45d000
[pid 13598] close(6)                    = 0
[pid 13598] futex(0x7f0336183f60, FUTEX_WAKE_PRIVATE, 2147483647) = 0
[pid 13598] close(5)                    = 0
[pid 13598] gettimeofday({1336661210, 601357}, NULL) = 0
[pid 13598] gettimeofday({1336661210, 601416}, NULL) = 0
[pid 13598] chdir("/www/[DOMAIN_NAME].ro")  = 0
[pid 13598] clock_gettime(CLOCK_MONOTONIC, {289461, 538570180}) = 0
[pid 13598] times({tms_utime=0, tms_stime=0, tms_cutime=0, tms_cstime=0}) = 
458343204
[pid 13598] gettimeofday({1336661210, 601609}, NULL) = 0
[pid 13598] stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2309, ...}) = 
0
[pid 13598] write(4, "127.0.0.1 -  10/May/2012:16:46:5"..., 64) = 64
[pid 13598] setitimer(ITIMER_PROF, {it_interval={0, 0}, it_value={0, 0}}, NULL) 
= 0
[pid 13598] --- SIGSEGV (Segmentation fault) @ 0 (0) ---
Process 13598 detached
Process 12690 detached

[2012-05-10 19:24 UTC] radical@php.net

-Package: memcache +Package: memcached

[2012-05-10 19:24 UTC] radical@php.net

It's memcached (not memcache).

[2012-05-10 19:25 UTC] radical@php.net

-Summary: Segfault in php-fpm, no memcache running, sessions in memcahe +Summary: Segfault in php-fpm, no memcached running, sessions in memcahed

[2012-05-10 19:25 UTC] radical@php.net

Updating summary:
- memcache
+ memcached

[2012-05-11 07:55 UTC] tony2001@php.net

-Status: Open +Status: Feedback

[2012-05-11 07:55 UTC] tony2001@php.net

Thank you for this bug report. To properly diagnose the problem, we
need a backtrace to see what is happening behind the scenes. To
find out how to generate a backtrace, please read
http://bugs.php.net/bugs-generating-backtrace.php for *NIX and
http://bugs.php.net/bugs-generating-backtrace-win32.php for Win32

Once you have generated a backtrace, please submit it to this bug
report and change the status back to "Open". Thank you for helping
us make PHP better.

[2012-05-11 11:13 UTC] radical@php.net

-Summary: Segfault in php-fpm, no memcached running, sessions in memcahed +Summary: Segfault in php-fpm, no memcached running, sessions in memcached

[2012-05-11 11:13 UTC] radical@php.net

[root@[SERVERNAME] [DOMAINNAME]]# gdb /usr/local/sbin/php-fpm core
GNU gdb (GDB) Red Hat Enterprise Linux (7.2-50.el6)
This GDB was configured as "x86_64-redhat-linux-gnu".
Reading symbols from /usr/local/sbin/php-fpm...done.
[New Thread 354]

Core was generated by `php-fpm: pool [DOMAINNAME]'.
Program terminated with signal 11, Segmentation fault.
#0  zend_stack_push (stack=0xf961a8, element=0x7fff9a080d18, size=8) at /root/installed/PHP/php-5.4.3/Zend/zend_stack.c:42
42		stack->elements[stack->top] = (void *) emalloc(size);
(gdb) bt
#0  zend_stack_push (stack=0xf961a8, element=0x7fff9a080d18, size=8) at /root/installed/PHP/php-5.4.3/Zend/zend_stack.c:42
#1  0x00000000007356f3 in php_output_handler_start (handler=0x7f5427021068) at /root/installed/PHP/php-5.4.3/main/output.c:563
#2  0x0000000000735bf1 in php_output_start_default () at /root/installed/PHP/php-5.4.3/main/output.c:412
#3  0x0000000000676bfd in zif_print_r (ht=<value optimized out>, return_value=0x7f5427023ea8, return_value_ptr=<value optimized out>, 
    this_ptr=<value optimized out>, return_value_used=<value optimized out>)
    at /root/installed/PHP/php-5.4.3/ext/standard/basic_functions.c:5496
#4  0x00000000007f9a9f in zend_do_fcall_common_helper_SPEC (execute_data=<value optimized out>)
    at /root/installed/PHP/php-5.4.3/Zend/zend_vm_execute.h:642
#5  0x00000000007e6d60 in execute (op_array=0x2d60a00) at /root/installed/PHP/php-5.4.3/Zend/zend_vm_execute.h:410
#6  0x0000000000772089 in zend_call_function (fci=0x7fff9a081010, fci_cache=<value optimized out>)
    at /root/installed/PHP/php-5.4.3/Zend/zend_execute_API.c:958
#7  0x0000000000772e20 in call_user_function_ex (function_table=<value optimized out>, object_pp=<value optimized out>, 
    function_name=<value optimized out>, retval_ptr_ptr=<value optimized out>, param_count=<value optimized out>, 
    params=<value optimized out>, no_separation=1, symbol_table=0x0) at /root/installed/PHP/php-5.4.3/Zend/zend_execute_API.c:750
#8  0x000000000077e5bd in zend_error (type=2, format=0xc0a002 "%s") at /root/installed/PHP/php-5.4.3/Zend/zend.c:1171
#9  0x0000000000723ef6 in php_verror (docref=<value optimized out>, params=<value optimized out>, type=2, format=<value optimized out>, 
    args=<value optimized out>) at /root/installed/PHP/php-5.4.3/main/main.c:853
#10 0x000000000072450f in php_error_docref0 (docref=<value optimized out>, type=<value optimized out>, format=<value optimized out>)
    at /root/installed/PHP/php-5.4.3/main/main.c:865
#11 0x00000000005ee00f in php_session_save_current_state () at /root/installed/PHP/php-5.4.3/ext/session/session.c:497
#12 0x00000000005ef17c in php_session_flush (type=<value optimized out>, module_number=<value optimized out>)
    at /root/installed/PHP/php-5.4.3/ext/session/session.c:1453
#13 zm_deactivate_session (type=<value optimized out>, module_number=<value optimized out>)
    at /root/installed/PHP/php-5.4.3/ext/session/session.c:2144
#14 0x00000000007846d4 in zend_deactivate_modules () at /root/installed/PHP/php-5.4.3/Zend/zend_API.c:2333
#15 0x00000000007224d5 in php_request_shutdown (dummy=<value optimized out>) at /root/installed/PHP/php-5.4.3/main/main.c:1755
#16 0x0000000000830560 in main (argc=654247680, argv=0x7f5426ff0480) at /root/installed/PHP/php-5.4.3/sapi/fpm/fpm/fpm_main.c:1884
(gdb) quit

[2012-05-11 11:14 UTC] radical@php.net

-Status: Feedback +Status: Open

[2012-05-11 11:14 UTC] radical@php.net

Added backtrace

[2012-05-12 15:30 UTC] laruence@php.net

seems like #61728 , could you please test with the trunk? 

thanks

[2012-05-12 15:31 UTC] laruence@php.net

-Status: Open +Status: Feedback

[2012-05-14 07:27 UTC] radical@php.net

-Status: Feedback +Status: Closed -Assigned To: +Assigned To: radical

[2012-05-14 07:27 UTC] radical@php.net

This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

I used the latest version from git.php.net and you were right.
No segfault.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Apr 18 08:02:42 2024 UTC