Bug #63142 memcache 3.0.7 segfaults with object (un)serialization
Submitted: 2012-09-23 06:48 UTC Modified: 2013-04-08 02:15 UTC
Votes:5
Avg. Score:4.6 ± 0.8
Reproduced:5 of 5 (100.0%)
Same Version:3 (60.0%)
Same OS:1 (20.0%)
From: remi@php.net Assigned: hradtke (profile)
Status: Closed Package: memcache (PECL)
PHP Version: 5.4.7 OS: GNU/Linux (Fedora 18)
Private report: No CVE-ID: None
 [2012-09-23 06:48 UTC] remi@php.net
Description:
------------
php segfault when using memcache and object serialization.

(gdb) bt
#0  zend_mm_remove_from_free_list (heap=0xbae2d0, mm_block=0x7ffff7fc01d7) at /usr/src/debug/php-5.4.7/Zend/zend_alloc.c:833
#1  0x000000000059c660 in _zend_mm_free_int (heap=0xbae2d0, p=0x7ffff7fbd0e7) at /usr/src/debug/php-5.4.7/Zend/zend_alloc.c:2101
#2  0x00000000005e98e3 in zend_objects_store_del_ref_by_handle_ex (handle=11, handlers=<optimized out>)
    at /usr/src/debug/php-5.4.7/Zend/zend_objects_API.c:220
#3  0x00000000005e9903 in zend_objects_store_del_ref (zobject=0x7fffffffa5c0) at /usr/src/debug/php-5.4.7/Zend/zend_objects_API.c:172
#4  0x00000000005b429a in _zval_dtor (zvalue=<optimized out>) at /usr/src/debug/php-5.4.7/Zend/zend_variables.h:35
#5  _zval_ptr_dtor (zval_ptr=0x7fffd7015210) at /usr/src/debug/php-5.4.7/Zend/zend_execute_API.c:438
#6  _zval_ptr_dtor (zval_ptr=0x7fffd7015210) at /usr/src/debug/php-5.4.7/Zend/zend_execute_API.c:427
#7  0x00000000005d0a38 in zend_hash_destroy (ht=0x7ffff7fbd1c8) at /usr/src/debug/php-5.4.7/Zend/zend_hash.c:560
#8  0x00000000005e3b3c in zend_object_std_dtor (object=0x7ffff7fbd0e8) at /usr/src/debug/php-5.4.7/Zend/zend_objects.c:44
#9  0x00000000005e3bc9 in zend_objects_free_object_storage (object=0x7ffff7fbd0e8) at /usr/src/debug/php-5.4.7/Zend/zend_objects.c:137
#10 0x00000000005e98e3 in zend_objects_store_del_ref_by_handle_ex (handle=11, handlers=<optimized out>)
    at /usr/src/debug/php-5.4.7/Zend/zend_objects_API.c:220
#11 0x00000000005e9903 in zend_objects_store_del_ref (zobject=0x7fffffffa5c0) at /usr/src/debug/php-5.4.7/Zend/zend_objects_API.c:172
#12 0x00000000005b429a in _zval_dtor (zvalue=<optimized out>) at /usr/src/debug/php-5.4.7/Zend/zend_variables.h:35
#13 _zval_ptr_dtor (zval_ptr=0x7fffd7015210) at /usr/src/debug/php-5.4.7/Zend/zend_execute_API.c:438
#14 _zval_ptr_dtor (zval_ptr=0x7fffd7015210) at /usr/src/debug/php-5.4.7/Zend/zend_execute_API.c:427
#15 0x00000000005d0a38 in zend_hash_destroy (ht=0x7ffff7fbd1c8) at /usr/src/debug/php-5.4.7/Zend/zend_hash.c:560
#16 0x00000000005e3b3c in zend_object_std_dtor (object=0x7ffff7fbd0e8) at /usr/src/debug/php-5.4.7/Zend/zend_objects.c:44
#17 0x00000000005e3bc9 in zend_objects_free_object_storage (object=0x7ffff7fbd0e8) at /usr/src/debug/php-5.4.7/Zend/zend_objects.c:137
#18 0x00000000005e98e3 in zend_objects_store_del_ref_by_handle_ex (handle=11, handlers=<optimized out>)
    at /usr/src/debug/php-5.4.7/Zend/zend_objects_API.c:220
#19 0x00000000005e9903 in zend_objects_store_del_ref (zobject=0x7fffffffa5c0) at /usr/src/debug/php-5.4.7/Zend/zend_objects_API.c:172
#20 0x00000000005b429a in _zval_dtor (zvalue=<optimized out>) at /usr/src/debug/php-5.4.7/Zend/zend_variables.h:35
#21 _zval_ptr_dtor (zval_ptr=0x7fffd7015210) at /usr/src/debug/php-5.4.7/Zend/zend_execute_API.c:438
#22 _zval_ptr_dtor (zval_ptr=0x7fffd7015210) at /usr/src/debug/php-5.4.7/Zend/zend_execute_API.c:427
#23 0x00000000005d0a38 in zend_hash_destroy (ht=0x7ffff7fbd1c8) at /usr/src/debug/php-5.4.7/Zend/zend_hash.c:560
#24 0x00000000005e3b3c in zend_object_std_dtor (object=0x7ffff7fbd0e8) at /usr/src/debug/php-5.4.7/Zend/zend_objects.c:44
#25 0x00000000005e3bc9 in zend_objects_free_object_storage (object=0x7ffff7fbd0e8) at /usr/src/debug/php-5.4.7/Zend/zend_objects.c:137
#26 0x00000000005e98e3 in zend_objects_store_del_ref_by_handle_ex (handle=11, handlers=<optimized out>)
    at /usr/src/debug/php-5.4.7/Zend/zend_objects_API.c:220
#27 0x00000000005e9903 in zend_objects_store_del_ref (zobject=0x7fffffffa5c0) at /usr/src/debug/php-5.4.7/Zend/zend_objects_API.c:172
#28 0x00000000005b429a in _zval_dtor (zvalue=<optimized out>) at /usr/src/debug/php-5.4.7/Zend/zend_variables.h:35
#29 _zval_ptr_dtor (zval_ptr=0x7fffd7015210) at /usr/src/debug/php-5.4.7/Zend/zend_execute_API.c:438
#30 _zval_ptr_dtor (zval_ptr=0x7fffd7015210) at /usr/src/debug/php-5.4.7/Zend/zend_execute_API.c:427
#31 0x00000000005d0a38 in zend_hash_destroy (ht=0x7ffff7fbd1c8) at /usr/src/debug/php-5.4.7/Zend/zend_hash.c:560
#32 0x00000000005e3b3c in zend_object_std_dtor (object=0x7ffff7fbd0e8) at /usr/src/debug/php-5.4.7/Zend/zend_objects.c:44
#33 0x00000000005e3bc9 in zend_objects_free_object_storage (object=0x7ffff7fbd0e8) at /usr/src/debug/php-5.4.7/Zend/zend_objects.c:137
#34 0x00000000005e98e3 in zend_objects_store_del_ref_by_handle_ex (handle=11, handlers=<optimized out>)


Test script:
---------------
<?php
echo "Test: PHP-".phpversion()."/memcache-".phpversion('memcache');
$obj = new StdClass;
$obj->obj = $obj;   // the object references itself; this cycle is what triggers the crash
$memcache = new Memcache;
$memcache->connect('127.0.0.1', 11211);
$memcache->set('x', $obj, false, 300);
// each get() unserializes the cycle again; assigning over $x frees the previous copy
$x = $memcache->get('x'); echo ".";
$x = $memcache->get('x'); echo ".";
$x = $memcache->get('x'); echo ".";
$x = $memcache->get('x'); echo ".";
$x = $memcache->get('x'); echo ".";
$x = $memcache->get('x'); echo ".";
$x = $memcache->get('x'); echo ".";
$x = $memcache->get('x'); echo ".";
$x = $memcache->get('x'); echo ".\n";


Expected result:
----------------
Test: PHP-5.4.7/memcache-3.0.7.........


Actual result:
--------------
Test: PHP-5.4.7/memcache-3.0.7.........
Segmentation fault


Patches

bug63142.diff (last revision 2013-03-19 09:05 UTC by tony2001@php.net)
php-pecl-memcache-3.0.5-get-mem-corrupt.patch (last revision 2012-09-23 06:49 UTC by remi@php.net)


History

 [2012-09-23 06:49 UTC] remi@php.net
The following patch has been added/updated:

Patch Name: php-pecl-memcache-3.0.5-get-mem-corrupt.patch
Revision:   1348382954
URL:        https://bugs.php.net/patch-display.php?bug=63142&patch=php-pecl-memcache-3.0.5-get-mem-corrupt.patch&revision=1348382954
 [2012-09-23 06:55 UTC] remi@php.net
The attached patch (not from me), used in Fedora, fixes the segfault.
 [2012-09-23 07:29 UTC] hradtke@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: hradtke
 [2012-09-23 07:30 UTC] hradtke@php.net
This patch causes memory leaks. I will take a look and see if I can fix the issue.
 [2012-09-23 08:32 UTC] hradtke@php.net
-Status: Assigned +Status: Closed
 [2012-09-23 08:32 UTC] hradtke@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

This code produced some memory leaks before the patch. The patch did introduce 
some more memory leaks, but I have fixed those.

Note to myself to find the other memory leaks:
valgrind --leak-check=full --show-reachable=yes php -d extension=modules/memcache.so tests/pecl63142.php
 [2012-09-23 16:01 UTC] hradtke@php.net
Automatic comment from SVN on behalf of hradtke
Revision: http://svn.php.net/viewvc/?view=revision&revision=327756
Log: Added test for pecl bug #63142
 [2012-09-25 07:07 UTC] remi@php.net
-Status: Closed +Status: Re-Opened
 [2012-09-25 07:07 UTC] remi@php.net
Sorry to reopen, but with commit 327754 things are really awful.
Many more segfaults (e.g. with the simple test/002.phpt)
 [2012-09-25 07:25 UTC] hradtke@php.net
The entire test-suite passed for me. I will take another look though.
 [2012-09-25 07:25 UTC] hradtke@php.net
-Status: Re-Opened +Status: Assigned
 [2012-09-25 07:36 UTC] remi@php.net
With php 5.4.7 + memcache 3.0.7 + commit 327754
(gdb) run 002.php
...
bool(true)
bool(true)

Program received signal SIGSEGV, Segmentation fault.

(gdb) bt
#0  zend_std_get_properties (object=0x7fffd0bde618) at /usr/src/debug/php-5.4.7/Zend/zend_object_handlers.c:98
#1  0x000000000053b657 in php_var_dump (struc=0x7ffff7f85428, level=level@entry=1) at /usr/src/debug/php-5.4.7/ext/standard/var.c:129
#2  0x000000000053b9aa in zif_var_dump (ht=<optimized out>, return_value=<optimized out>, return_value_ptr=<optimized out>, 
    this_ptr=<optimized out>, return_value_used=<optimized out>) at /usr/src/debug/php-5.4.7/ext/standard/var.c:183
#3  0x0000000000669db2 in zend_do_fcall_common_helper_SPEC (execute_data=<optimized out>) at /usr/src/debug/php-5.4.7/Zend/zend_vm_execute.h:642
#4  0x0000000000623af7 in execute (op_array=0x7ffff7fbda68) at /usr/src/debug/php-5.4.7/Zend/zend_vm_execute.h:410
#5  0x00000000005c48ec in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=file_count@entry=3)
    at /usr/src/debug/php-5.4.7/Zend/zend.c:1286
#6  0x000000000056445d in php_execute_script (primary_file=primary_file@entry=0x7fffffffcba0) at /usr/src/debug/php-5.4.7/main/main.c:2473
#7  0x000000000066c476 in do_cli (argc=2, argv=0x7fffffffe038) at /usr/src/debug/php-5.4.7/sapi/cli/php_cli.c:988
#8  0x000000000042597a in main (argc=2, argv=0x7fffffffe038) at /usr/src/debug/php-5.4.7/sapi/cli/php_cli.c:1364

I can do more test if you need
 [2012-09-26 07:06 UTC] hradtke@php.net
I just realized this bug has everything to do with the fact that the object references itself:
$obj->obj = $obj;

I can also reproduce with
$arr['arr'] = $arr;
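As an added example (not code from the bug report, nor from the memcache extension), the script below shows what PHP's own serialize() emits for the two self-referencing values named in the comment above, and that a round trip through unserialize() rebuilds the cycle instead of recursing into it. The array case uses `&`, my choice, so that it is a genuine reference cycle rather than a nested copy. It needs no memcached server.

```php
<?php
// Added example, not code from the bug report or from the memcache extension.
// Shows how PHP's serializer encodes the self-referencing values discussed in
// this thread, and that unserialize() rebuilds the cycle without recursing.
// Runs stand-alone; no memcached server is involved.

function selfRefObject()
{
    $obj = new stdClass;
    $obj->obj = $obj;          // the object holds a handle to itself
    return $obj;
}

function selfRefArray()
{
    $arr = array();
    $arr['arr'] = &$arr;       // '&' (my addition) makes a real reference cycle
    return $arr;
}

// Count the back-reference tokens in a serialized string:
//   r:N;  reuse of the N-th value already emitted (same object handle)
//   R:N;  PHP reference (&) to the N-th value already emitted
// Tokens are always preceded by ';' or '{' in serialize() output.
function backReferences($serialized)
{
    return preg_match_all('/(?<=[;{])[rR]:\d+;/', $serialized);
}

$obj = selfRefObject();
$s = serialize($obj);
echo "object: $s\n";
echo "back-references: " . backReferences($s) . "\n";

// The cycle must survive the round trip: the copy's ->obj is the copy itself,
// and the copy is a fresh object, not the original.
$copy = unserialize($s);
var_dump($copy->obj === $copy);
var_dump($copy === $obj);

$arr = selfRefArray();
$s = serialize($arr);
echo "array: $s\n";
echo "back-references: " . backReferences($s) . "\n";
```

The object case serializes to a single `r:1;` token in place of the nested object, which is why a client that re-implements (un)serialization has to keep the same value table the engine keeps: resolving the token to the object being built, without creating a second copy or freeing the first one twice.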
 [2013-03-18 20:50 UTC] evangelos at foutrelis dot com
Is there going to be a fix for this?

I have a pending request to downgrade the Arch Linux php-memcache package to 2.2.7 [1] due to these segfaults, but most Linux distributions appear to ship 3.0.x so I'd rather not go back to 2.2.x.

[1] https://bugs.archlinux.org/task/34293
 [2013-03-18 21:12 UTC] hradtke@php.net
This bug is some internals voodoo that is beyond me. I will ask again for some 
direction from some of the more experienced PHP people.
 [2013-03-19 09:05 UTC] tony2001@php.net
The following patch has been added/updated:

Patch Name: bug63142.diff
Revision:   1363683957
URL:        https://bugs.php.net/patch-display.php?bug=63142&patch=bug63142.diff&revision=1363683957
 [2013-03-19 09:06 UTC] tony2001@php.net
Try the new patch (attached).
 [2013-03-19 12:59 UTC] evangelos at foutrelis dot com
bug63142.diff seems to fix the issue for me; no segfaults and no apparent memory leaks.

Thanks.

(8 of the 72 tests fail for me, but they also fail without the patch so I suppose it's not related.)
 [2013-03-19 13:08 UTC] hradtke@php.net
All tests pass if the environment is setup correctly. Give me a few hours and I 
will run through everything and merge in.

Thanks Tony!
 [2013-03-19 14:34 UTC] tony2001@php.net
There's a minor problem in tests/053.phpt:
==28901== Conditional jump or move depends on uninitialised value(s)
==28901==    at 0x5D702B: ps_write_memcache (memcache_session.c:426)
==28901==    by 0x4E285A: php_session_save_current_state (session.c:489)
==28901==    by 0x4E669D: php_session_flush (session.c:1453)
==28901==    by 0x4E810B: zif_session_write_close (session.c:1910)

But it's not related to this particular issue in any way.
 [2013-03-19 22:39 UTC] hradtke@php.net
Automatic comment from SVN on behalf of hradtke
Revision: http://svn.php.net/viewvc/?view=revision&revision=329835
Log: Fix Bug #63142 - memcache client Segmentation fault
 [2013-03-19 22:39 UTC] hradtke@php.net
Committed the changes. Will do a release this weekend.
 [2013-03-27 12:27 UTC] arjen at react dot com
This fix works fine. Thanks!

However, without a new version we have no way to detect if we have a good or bad 
memcache 3.0.7 release. Could you release a new 3.0.8 version?
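As an added example (not code from the bug report or from the memcache project), here is a behavioural probe for the question raised above: phpversion('memcache') reports 3.0.7 for both the fixed and the unfixed build, so the only way to tell them apart is to run the reporter's reproducer. The probe writes it to a temporary file and runs it in a child PHP process, so a segfault takes down only the child. It assumes a memcached on 127.0.0.1:11211 and the memcache extension loaded in the child's configuration; because the status exec() reports for a signal-killed child depends on the shell it goes through, any non-zero status is treated as a failure.

```php
<?php
// Added example, not code from the bug report or from the memcache project.
// Behavioural probe: does the installed memcache 3.0.7 build survive the
// self-referencing object from this report? The reproducer runs in a child
// process so that a segfault cannot take the caller down.
// Assumes a memcached on 127.0.0.1:11211 and the memcache extension loaded
// in the child's configuration.

$repro = <<<'PHP'
<?php
if (!extension_loaded('memcache')) { fwrite(STDERR, "memcache extension not loaded\n"); exit(2); }
$obj = new stdClass;
$obj->obj = $obj;                     // the trigger: a self-referencing object
$m = new Memcache;
if (!@$m->connect('127.0.0.1', 11211)) { fwrite(STDERR, "cannot reach memcached\n"); exit(2); }
$m->set('bug63142-probe', $obj, false, 30);
for ($i = 0; $i < 9; $i++) {
    $x = $m->get('bug63142-probe');   // each assignment frees the previous copy of the cycle
}
echo "done\n";                        // an unfixed build prints this and dies after the script body
PHP;

$file = tempnam(sys_get_temp_dir(), 'bug63142');
file_put_contents($file, $repro);

$php = defined('PHP_BINARY') ? PHP_BINARY : 'php';
$out = array();
$rc = 0;
exec(escapeshellarg($php) . ' ' . escapeshellarg($file) . ' 2>&1', $out, $rc);
unlink($file);
$output = trim(implode("\n", $out));

if ($rc === 2) {
    // The reproducer could not even start; nothing learned about the build.
    echo "INCONCLUSIVE: $output\n";
} elseif ($rc === 0 && end($out) === 'done') {
    echo "OK: memcache " . phpversion('memcache') . " survives self-referencing objects\n";
} else {
    // Output alone cannot tell: the crash happens after "done" is printed,
    // so only the exit status carries it.
    echo "BAD: child exited with status $rc (output: $output)\n";
}
exit($rc === 0 ? 0 : 1);
```

Run it once per build you want to classify, against a memcached you do not mind writing a 30-second test key to. Any warning the child prints on a noisy build will not change the verdict, since only the exit status and the last output line are checked, but the full output is echoed for the "BAD" case so the cause is visible.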
 [2013-04-08 02:15 UTC] hradtke@php.net
-Status: Assigned +Status: Closed
 
PHP Copyright © 2001-2018 The PHP Group
All rights reserved.
Last updated: Sun Nov 19 01:31:42 2017 UTC