Bug #63516 The Process exits random with SEGV
Submitted: 2012-11-14 14:48 UTC Modified: 2024-09-07 21:30 UTC
Votes:1
Avg. Score:4.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: dpeuscher at gmail dot com Assigned: nielsdos (profile)
Status: Closed Package: SOAP related
PHP Version: 5.4.8 OS: openSUSE 11.0 (X86-64)
Private report: No CVE-ID: None
 [2012-11-14 14:48 UTC] dpeuscher at gmail dot com
Description:
------------
I have got a PHP-Script, that is based on the Zend Framework 1.12. It uses its MVC-Functionality via Zend_Application, as well as SOAP-Engine (as Client), the Ini- and XML-Extensions for Configuration and Navigation, a Caching-Engine Memcached, the Database is PDO_MYSQL over remote, Zend_Layout, Zend_View, Zend_Router, the ZendX-JQuery Extension, Zend_Acl, Firebug-Logger-Extension. I think these are the main-features of the Call, where the Segmentation Fault happens.

I could not figure out the part where the error happens. I tried to quit the script at different lines and it seems like it is always another point. Sometimes it needs 5 refreshes to reproduce the error. I tried it with a simple script, that doesn't make use of these Features and it worked fine, but also other pages, that do use these features. At this point it is impossible for me to give a code-snippet, I will try to figure out the differences of the scripts that fail and those that don't.

Actual result:
--------------
#0  _zend_mm_free_int (heap=0x7dfb40, p=0x656c626973736f50) at /root/php-5.4.8/Zend/zend_alloc.c:2071
#1  0x00007ffff32022ca in delete_sdl_impl (handle=<value optimized out>) at /root/php-5.4.8/ext/soap/php_sdl.c:3427
#2  0x00007ffff334fa82 in list_entry_destructor (ptr=0xf66800) at /root/php-5.4.8/Zend/zend_list.c:178
#3  0x00007ffff334f386 in zend_hash_del_key_or_index (ht=0x7ffff3b06eb0, arKey=0x0, nKeyLength=0, h=130, flag=<value optimized out>) at /root/php-5.4.8/Zend/zend_hash.c:531
#4  0x00007ffff334fd49 in _zend_list_delete (id=<value optimized out>) at /root/php-5.4.8/Zend/zend_list.c:57
#5  0x00007ffff333183d in _zval_ptr_dtor (zval_ptr=0x1115c00) at /root/php-5.4.8/Zend/zend_variables.h:35
#6  0x00007ffff334c830 in zend_hash_destroy (ht=0xf65c80) at /root/php-5.4.8/Zend/zend_hash.c:560
#7  0x00007ffff336148e in zend_object_std_dtor (object=0xf65170) at /root/php-5.4.8/Zend/zend_objects.c:44
#8  0x00007ffff3361519 in zend_objects_free_object_storage (object=0x7dfb40) at /root/php-5.4.8/Zend/zend_objects.c:137
#9  0x00007ffff3366d5c in zend_objects_store_free_object_storage (objects=0x7ffff3b06fe0) at /root/php-5.4.8/Zend/zend_objects_API.c:92
#10 0x00007ffff3334283 in shutdown_executor () at /root/php-5.4.8/Zend/zend_execute_API.c:297
#11 0x00007ffff333fac2 in zend_deactivate () at /root/php-5.4.8/Zend/zend.c:938
#12 0x00007ffff32dbec2 in php_request_shutdown (dummy=<value optimized out>) at /root/php-5.4.8/main/main.c:1790
#13 0x00007ffff33f097f in php_handler (r=0x9db5a8) at /root/php-5.4.8/sapi/apache2handler/sapi_apache2.c:507
#14 0x000000000044b60a in ap_run_handler (r=0x9db5a8) at config.c:169
#15 0x000000000044f4fe in ap_invoke_handler (r=0x9db5a8) at config.c:432
#16 0x0000000000460e10 in ap_internal_redirect (new_uri=<value optimized out>, r=<value optimized out>) at http_request.c:640
#17 0x00007ffff3b11365 in handler_redirect (r=0x121f4f0) at mod_rewrite.c:5039
#18 0x000000000044b60a in ap_run_handler (r=0x121f4f0) at config.c:169
#19 0x000000000044f4fe in ap_invoke_handler (r=0x121f4f0) at config.c:432
#20 0x0000000000461242 in ap_process_async_request (r=0x121f4f0) at http_request.c:317
#21 0x000000000046139f in ap_process_request (r=0x7dfb40) at http_request.c:363
#22 0x000000000045dbe5 in ap_process_http_connection (c=0x9d4f90) at http_core.c:190
#23 0x000000000045570a in ap_run_process_connection (c=0x9d4f90) at connection.c:41
#24 0x0000000000467877 in child_main (child_num_arg=<value optimized out>) at prefork.c:697
#25 0x0000000000467b6f in make_child (s=0x6ba4c0, slot=0) at prefork.c:739
#26 0x000000000046874d in prefork_run (_pconf=<value optimized out>, plog=0x6f4528, s=0x6ba4c0) at prefork.c:949
#27 0x0000000000432a08 in ap_run_mpm (pconf=0x691138, plog=0x6f4528, s=0x6ba4c0) at mpm_common.c:98
#28 0x000000000042d342 in main (argc=2, argv=0x7fffffffe4c8) at main.c:777

 [2012-11-14 15:03 UTC] laruence@php.net
-Status: Open +Status: Feedback
 [2012-11-14 15:03 UTC] laruence@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.

Thanks, could you please try to get a reproduce script? That is really important.
 [2012-11-14 15:48 UTC] dpeuscher at gmail dot com
-Status: Feedback +Status: Open
 [2012-11-14 15:48 UTC] dpeuscher at gmail dot com
I know that it is important for you to replicate the bug but I really have no clue how to find the snippet that is the problem. Can you guess at which part I should take a deeper look depending on the backtrace? Or tell me the environment I need to analyse in gdb? Especially with the use of the Zend Framework it might be nearly impossible to get the part.
I would like to give a better example but don't really know how.
 [2012-11-15 00:00 UTC] felipe@php.net
-Status: Open +Status: Feedback
 [2012-11-15 00:00 UTC] felipe@php.net
Please, try isolating the SOAP related part of code.
 [2012-11-15 14:16 UTC] dpeuscher at gmail dot com
-Status: Feedback +Status: Open -Package: Apache2 related +Package: SOAP related
 [2012-11-15 14:16 UTC] dpeuscher at gmail dot com
That was a great hint. I got it isolated! It seems like the problem occurs when the ini-option wsdl_cache is set to 3 (WSDL_CACHE_BOTH), maybe also 2 (WSDL_CACHE_MEMORY). I initialized 5 WSDL-Files that are nearly empty (just so they don't throw any exceptions like "Could not find any usable binding services in WSDL."). They all look like this:

http://pastebin.com/e6QBUkeh (Wasn't allowed to put it in here because of possible Spam)

with 5 different names. I named them s1.wsdl, ... s5.wsdl. Afterwards I initialized an ebay-Webservice. The test-Script looks like this:

http://pastebin.com/dWxg1qL7

Sometimes the SEGV appears after 50 calls, sometimes on the first call. It doesn't appear on WSDL_CACHE_DISK or WSDL_CACHE_NONE.
 [2013-06-06 11:25 UTC] arjen at react dot dom
I can confirm this under 5.4.15, got the same backtrace using the testscript.
 [2013-06-06 15:57 UTC] dpeuscher at gmail dot com
-Package: SOAP related +Package: Apache2 related
 [2013-06-06 15:57 UTC] dpeuscher at gmail dot com
Have you tried the WSDL_CACHE_DISK caching method instead of WSDL_CACHE_BOTH?
 [2013-06-06 15:59 UTC] dpeuscher at gmail dot com
-Package: Apache2 related +Package: SOAP related
 [2013-06-06 15:59 UTC] dpeuscher at gmail dot com
Accidentally changed the package to apache2-related, sorry.
 [2013-06-07 13:30 UTC] arjen at react dot com
Does not crash with WSDL_CACHE_DISK,
DOES crash with WSDL_CACHE_MEMORY.
 [2014-05-22 20:12 UTC] sblackstone at gmail dot com
I am able to replicate this bug with WSDL_CACHE_BOTH set as my caching strategy; so far I haven't seen it with CACHE_NONE.

I am iterating on a long set of objects 25 at a time, and once in a blue moon, it seg faults - the loop is using exactly the same code for each object - so I think you're looking at a race condition of some kind.

Below is my stack trace and lines up with the OP.

Core was generated by `php /var/www/sites/public_crm/scripts/backfiller/backfiller.php 190.4.94.3'.
Program terminated with signal 11, Segmentation fault.
#0  zend_hash_destroy (ht=0xd726170) at /usr/src/debug/php-5.4.28/Zend/zend_hash.c:558
558			p = p->pListNext;
(gdb) bt
#0  zend_hash_destroy (ht=0xd726170) at /usr/src/debug/php-5.4.28/Zend/zend_hash.c:558
#1  0x00002b8b41a8f9b9 in delete_sdl_impl (handle=0xd726170) at /usr/src/debug/php-5.4.28/ext/soap/php_sdl.c:3426
#2  0x00000000005e6a17 in list_entry_destructor (ptr=<value optimized out>) at /usr/src/debug/php-5.4.28/Zend/zend_list.c:178
#3  0x00000000005e47d4 in zend_hash_del_key_or_index (ht=0x9d6c70, arKey=0x0, nKeyLength=0, h=234, flag=<value optimized out>) at /usr/src/debug/php-5.4.28/Zend/zend_hash.c:531
#4  0x00000000005e6cc9 in _zend_list_delete (id=<value optimized out>) at /usr/src/debug/php-5.4.28/Zend/zend_list.c:57
#5  0x00000000005c8a15 in _zval_dtor (zval_ptr=0x2b8b43706f30) at /usr/src/debug/php-5.4.28/Zend/zend_variables.h:35
#6  _zval_ptr_dtor (zval_ptr=0x2b8b43706f30) at /usr/src/debug/php-5.4.28/Zend/zend_execute_API.c:436
#7  0x00000000005e3c78 in zend_hash_destroy (ht=0x2b8b43705300) at /usr/src/debug/php-5.4.28/Zend/zend_hash.c:560
#8  0x00000000005f79fc in zend_object_std_dtor (object=0x2b8b436cd9e8) at /usr/src/debug/php-5.4.28/Zend/zend_objects.c:44
#9  0x00000000005f7a79 in zend_objects_free_object_storage (object=0xd726170) at /usr/src/debug/php-5.4.28/Zend/zend_objects.c:137
#10 0x00000000005fd6a5 in zend_objects_store_del_ref_by_handle_ex (handle=141, handlers=<value optimized out>) at /usr/src/debug/php-5.4.28/Zend/zend_objects_API.c:226
#11 0x00000000005fd6e3 in zend_objects_store_del_ref (zobject=0x2b8b436ce8f8) at /usr/src/debug/php-5.4.28/Zend/zend_objects_API.c:178
#12 0x000000000065b70f in ZEND_ASSIGN_DIM_SPEC_VAR_CV_HANDLER (execute_data=0x2b8b3b039390) at /usr/src/debug/php-5.4.28/Zend/zend_variables.h:35
#13 0x000000000060b8ae in execute (op_array=0x2b8b436e6098) at /usr/src/debug/php-5.4.28/Zend/zend_vm_execute.h:410
#14 0x00000000005d618e in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/debug/php-5.4.28/Zend/zend.c:1315
#15 0x000000000057b918 in php_execute_script (primary_file=0x7fff00afd180) at /usr/src/debug/php-5.4.28/main/main.c:2502
#16 0x000000000067e1ad in do_cli (argc=3, argv=0x7fff00afe4b8) at /usr/src/debug/php-5.4.28/sapi/cli/php_cli.c:989
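
Added example, not part of the thread and not PHP project code: a Python sketch that parses the top frames of the two backtraces posted in this report and extracts the call chain they share, so that the "lines up with the OP" observation can be checked mechanically. The names `parse_bt` and `shared_chain` are illustrative; the frames are copied from this page with hard line wraps joined.

```python
import re
from difflib import SequenceMatcher

# Top frames copied from the two backtraces on this page (hard wraps joined).
TRACE_5_4_8 = """\
#0  _zend_mm_free_int (heap=0x7dfb40, p=0x656c626973736f50) at /root/php-5.4.8/Zend/zend_alloc.c:2071
#1  0x00007ffff32022ca in delete_sdl_impl (handle=<value optimized out>)
    at /root/php-5.4.8/ext/soap/php_sdl.c:3427
#2  0x00007ffff334fa82 in list_entry_destructor (ptr=0xf66800) at /root/php-5.4.8/Zend/zend_list.c:178
#3  0x00007ffff334f386 in zend_hash_del_key_or_index (ht=0x7ffff3b06eb0, arKey=0x0, nKeyLength=0, h=130, flag=<value optimized out>) at /root/php-5.4.8/Zend/zend_hash.c:531
#4  0x00007ffff334fd49 in _zend_list_delete (id=<value optimized out>) at /root/php-5.4.8/Zend/zend_list.c:57
#5  0x00007ffff333183d in _zval_ptr_dtor (zval_ptr=0x1115c00) at /root/php-5.4.8/Zend/zend_variables.h:35
"""
TRACE_5_4_28 = """\
#0  zend_hash_destroy (ht=0xd726170) at /usr/src/debug/php-5.4.28/Zend/zend_hash.c:558
#1  0x00002b8b41a8f9b9 in delete_sdl_impl (handle=0xd726170) at /usr/src/debug/php-5.4.28/ext/soap/php_sdl.c:3426
#2  0x00000000005e6a17 in list_entry_destructor (ptr=<value optimized out>) at /usr/src/debug/php-5.4.28/Zend/zend_list.c:178
#3  0x00000000005e47d4 in zend_hash_del_key_or_index (ht=0x9d6c70, arKey=0x0, nKeyLength=0, h=234, flag=<value optimized out>) at /usr/src/debug/php-5.4.28/Zend/zend_hash.c:531
#4  0x00000000005e6cc9 in _zend_list_delete (id=<value optimized out>) at /usr/src/debug/php-5.4.28/Zend/zend_list.c:57
#5  0x00000000005c8a15 in _zval_dtor (zval_ptr=0x2b8b43706f30) at /usr/src/debug/php-5.4.28/Zend/zend_variables.h:35
#6  _zval_ptr_dtor (zval_ptr=0x2b8b43706f30) at /usr/src/debug/php-5.4.28/Zend/zend_execute_API.c:436
"""

FRAME = re.compile(r"#(\d+)\s+(?:0x[0-9a-f]+ in )?(\S+) \(.*\) at (\S+):(\d+)$")

def parse_bt(text):
    """Return [(function, source file, line)] from gdb `bt` output."""
    joined = []
    for line in text.splitlines():
        if line.startswith("#"):
            joined.append(line.strip())
        elif joined and line.strip():
            joined[-1] += " " + line.strip()  # gdb continuation line
    frames = []
    for m in filter(None, map(FRAME.match, joined)):
        src = re.sub(r"^.*/php-[\d.]+/", "", m.group(3))  # drop build-dir prefix
        frames.append((m.group(2), src, int(m.group(4))))
    return frames

def shared_chain(a, b):
    """Longest contiguous run of function names present in both traces."""
    fa, fb = [f[0] for f in a], [f[0] for f in b]
    m = SequenceMatcher(None, fa, fb, autojunk=False).find_longest_match(0, len(fa), 0, len(fb))
    return fa[m.a:m.a + m.size]

if __name__ == "__main__":
    old, new = parse_bt(TRACE_5_4_8), parse_bt(TRACE_5_4_28)
    print("crash sites:", old[0], new[0])
    print("shared chain:", " <- ".join(shared_chain(old, new)))
```

The faulting frame differs between the two reports (`_zend_mm_free_int` versus `zend_hash_destroy`), but both are reached from `delete_sdl_impl` through the same resource-list destructor chain.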
 [2024-09-07 21:30 UTC] nielsdos@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: nielsdos
 [2024-09-07 21:30 UTC] nielsdos@php.net
This ticket is inactionable because of no reproducer and too little information and because the version used is so old by now that there's a chance even that the bug is already fixed.
 