php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #64934 Apache2 with php5apache2_4.dll crash when use get_browser()
Submitted: 2013-05-28 07:45 UTC Modified: 2013-06-06 17:04 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: 37xzxz at gmail dot com Assigned: ab (profile)
Status: Closed Package: Apache2 related
PHP Version: 5.4Git-2013-05-27 (snap) OS: irrelevant
Private report: No CVE-ID: None
 [2013-05-28 07:45 UTC] 37xzxz at gmail dot com
Description:
------------
Tested on php-5.4.15-Win32-VC9-x86 and 5.4.17-dev snapshot 
(http://windows.php.net/downloads/snaps/php-5.4/rbcdac75/php-5.4-ts-windows-vc9-
x86-rbcdac75.zip)

Apache2 crashes when code contain get_browser() and script called multiply 
times in parallel.

[mpm_winnt:notice] [pid 3684:tid 440] AH00428: Parent: child process 4032 exited 
with status 3221225477 -- Restarting.

I perfom search in Google and find this 
http://stackoverflow.com/questions/1138269/apache-error-notice-parent-child-
process-exited-with-status-3221225477-res

pylon said: "I just figured it out that the get_browser() function gives a 
memory error sometimes".

So I perfom tests part of code with get_browser() only and reproduce crashes.

Test script:
---------------
test.php contain code:

<?php
echo $_SERVER[ 'HTTP_USER_AGENT' ] . ' '. time() . "\n";
$browser = get_browser( $_SERVER[ 'HTTP_USER_AGENT' ] );
?>

test_get_browser.php on other server

<?php
set_time_limit( 0 );

$opts = array(
	'http' => array(
		'method' => "GET",
		'header' => "User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31\r\n",
		),
	);
$context = stream_context_create( $opts );

$url = 'http://testserver/test.php';

for( $i = 0; $i < 10000; $i++ ) {
	$data = file_get_contents( $url, false, $context );
	echo $data;
}
?>

Run few copies of test_get_browser.php to emulate many clients.

Expected result:
----------------
No crashes, all requests will be served normally.

Actual result:
--------------
Apache2 crashes when I call 2-7 copies of test_get_browser.php.

Thread 11 - System ID 4556
Entry point   libhttpd!ap_regkey_value_remove+1060 
Create time   28.05.2013 11:02:43 
Time spent in user mode   0 Days 0:0:0.62 
Time spent in kernel mode   0 Days 0:0:0.0 

Full Call Stack

Function     Arg 1     Arg 2     Arg 3     Arg 4   Source 
ntdll!NtRaiseException+12     0c58eeec     0c58ef3c     00000000     c0000005    
ntdll!KiUserExceptionDispatcher+29     0c58eeec     0c58ef3c     00000000     
c0000005    

Exception Information
PHP5TS!_ZVAL_PTR_DTOR+3C8In 
httpd__PID__9884__Date__05_28_2013__Time_11_02_44AM__426__Second_Chance_Exceptio
n_C0000005.dmp the assembly instruction at php5ts!_zval_ptr_dtor+3c8 in 
C:\dev\php-5.4.15-Win32-VC9-x86\php5ts.dll from The PHP Group has caused an 
access violation exception (0xC0000005) when trying to read from memory location 
0x0e6dc8a4 on thread 11

Same code work fine on Ubuntu 12.04, I can't find any errors in logs.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2013-05-28 08:26 UTC] 37xzxz at gmail dot com
Also error windows, may be it will be helpful http://puu.sh/328qt.png
 [2013-05-28 08:34 UTC] pajoye@php.net
@a can you take a look at that please?
 [2013-05-28 08:34 UTC] pajoye@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: ab
 [2013-05-28 15:16 UTC] ab@php.net
@37xzxz what kind of browscap.ini do you use?
 [2013-05-29 06:44 UTC] 37xzxz at gmail dot com
@ab, I use full_php_browscap.ini
http://tempdownloads.browserscap.com/stream.asp?Full_PHP_BrowscapINI

and Apache/2.4.4 (Win32) OpenSSL/0.9.8y from http://www.apachelounge.com/
 [2013-05-29 09:23 UTC] ab@php.net
I got the bt now, looks like it crashes on rshutdown freeing the browser object

 	php5ts_debug.dll!gc_remove_from_buffer(_gc_root_buffer * root, void * * * tsrm_ls) Line 189	C
 	php5ts_debug.dll!gc_remove_zval_from_buffer(_zval_struct * zv, void * * * tsrm_ls) Line 265	C
 	php5ts_debug.dll!_zval_ptr_dtor(_zval_struct * * zval_ptr, const char * __zend_filename, const unsigned int __zend_lineno) Line 437	C
 	php5ts_debug.dll!_zval_ptr_dtor_wrapper(_zval_struct * * zval_ptr) Line 182	C
 	php5ts_debug.dll!zend_hash_destroy(_hashtable * ht) Line 560	C
>	php5ts_debug.dll!zend_object_std_dtor(_zend_object * object, void * * * tsrm_ls) Line 44	C
 	php5ts_debug.dll!zend_objects_free_object_storage(_zend_object * object, void * * * tsrm_ls) Line 137	C
 	php5ts_debug.dll!zend_objects_store_del_ref_by_handle_ex(unsigned int handle, const _zend_object_handlers * handlers, void * * * tsrm_ls) Line 
221	C
 	php5ts_debug.dll!zend_objects_store_del_ref(_zval_struct * zobject, void * * * tsrm_ls) Line 173	C
 	php5ts_debug.dll!_zval_dtor_func(_zval_struct * zvalue, const char * __zend_filename, const unsigned int __zend_lineno) Line 54	C
 	php5ts_debug.dll!_zval_dtor(_zval_struct * zvalue, const char * __zend_filename, const unsigned int __zend_lineno) Line 35	C
 	php5ts_debug.dll!_zval_ptr_dtor(_zval_struct * * zval_ptr, const char * __zend_filename, const unsigned int __zend_lineno) Line 438	C
 	php5ts_debug.dll!_zval_ptr_dtor_wrapper(_zval_struct * * zval_ptr) Line 182	C
 	php5ts_debug.dll!zend_hash_apply_deleter(_hashtable * ht, bucket * p) Line 650	C
 	php5ts_debug.dll!zend_hash_reverse_apply(_hashtable * ht, int (void *, void * * *) * apply_func, void * * * tsrm_ls) Line 804	C
 	php5ts_debug.dll!shutdown_destructors(void * * * tsrm_ls) Line 217	C
 	php5ts_debug.dll!zend_call_destructors(void * * * tsrm_ls) Line 922	C
 	php5ts_debug.dll!php_request_shutdown(void * dummy) Line 1742	C
 	php5apache2_4.dll!php_apache_request_dtor(request_rec * r, void * * * tsrm_ls) Line 507	C
 	php5apache2_4.dll!php_handler(request_rec * r) Line 679	C
 [2013-05-29 09:23 UTC] ab@php.net
-Status: Assigned +Status: Verified
 [2013-05-29 12:03 UTC] ab@php.net
-Operating System: Win 7 x64 SP1, WinServ 2008 R2 +Operating System: irrelevant
 [2013-05-29 12:03 UTC] ab@php.net
Well, looks like it isn't a Windows only issue, looks very similar on linux x64 TS build. 

#0  0x00007ffff33c43c0 in gc_remove_from_buffer (root=0x20, tsrm_ls=0x7fff740008c0) at /home/anatol/dws/src/php-5.5-ts/Zend/zend_gc.h:189
#1  0x00007ffff33c529f in gc_remove_zval_from_buffer (zv=0x100d730, tsrm_ls=0x7fff740008c0) at /home/anatol/dws/src/php-5.5-ts/Zend/zend_gc.c:265
#2  0x00007ffff337bae6 in i_zval_ptr_dtor (zval_ptr=0x100d730,
    __zend_filename=0x7ffff38f8a30 "/home/anatol/dws/src/php-5.5-ts/Zend/zend_variables.c", __zend_lineno=182)
    at /home/anatol/dws/src/php-5.5-ts/Zend/zend_execute.h:80
#3  0x00007ffff337dd91 in _zval_ptr_dtor (zval_ptr=0x7fff7403e708,
    __zend_filename=0x7ffff38f8a30 "/home/anatol/dws/src/php-5.5-ts/Zend/zend_variables.c", __zend_lineno=182)
    at /home/anatol/dws/src/php-5.5-ts/Zend/zend_execute_API.c:428
#4  0x00007ffff33919e9 in _zval_ptr_dtor_wrapper (zval_ptr=0x7fff7403e708) at /home/anatol/dws/src/php-5.5-ts/Zend/zend_variables.c:182
#5  0x00007ffff33aa295 in zend_hash_destroy (ht=0x7fff7403ed08) at /home/anatol/dws/src/php-5.5-ts/Zend/zend_hash.c:560
#6  0x00007ffff33cb5fe in zend_object_std_dtor (object=0x7fff7403eb38, tsrm_ls=0x7fff740008c0)
    at /home/anatol/dws/src/php-5.5-ts/Zend/zend_objects.c:44
#7  0x00007ffff33cbcd2 in zend_objects_free_object_storage (object=0x7fff7403eb38, tsrm_ls=0x7fff740008c0)
    at /home/anatol/dws/src/php-5.5-ts/Zend/zend_objects.c:137
#8  0x00007ffff33d3da8 in zend_objects_store_del_ref_by_handle_ex (handle=1, handlers=0x7ffff3c42fe0 <std_object_handlers>, 
tsrm_ls=0x7fff740008c0)
    at /home/anatol/dws/src/php-5.5-ts/Zend/zend_objects_API.c:221
#9  0x00007ffff33d38e9 in zend_objects_store_del_ref (zobject=0x7fff7403e670, tsrm_ls=0x7fff740008c0)
    at /home/anatol/dws/src/php-5.5-ts/Zend/zend_objects_API.c:173
#10 0x00007ffff33915c1 in _zval_dtor_func (zvalue=0x7fff7403e670,
    __zend_filename=0x7ffff38f75f8 "/home/anatol/dws/src/php-5.5-ts/Zend/zend_execute.h", __zend_lineno=81)
    at /home/anatol/dws/src/php-5.5-ts/Zend/zend_variables.c:54
#11 0x00007ffff337ba00 in _zval_dtor (zvalue=0x7fff7403e670, __zend_filename=0x7ffff38f75f8 "/home/anatol/dws/src/php-5.5-ts/Zend/zend_execute.h",
    __zend_lineno=81) at /home/anatol/dws/src/php-5.5-ts/Zend/zend_variables.h:35
#12 0x00007ffff337bafe in i_zval_ptr_dtor (zval_ptr=0x7fff7403e670,
    __zend_filename=0x7ffff38f8a30 "/home/anatol/dws/src/php-5.5-ts/Zend/zend_variables.c", __zend_lineno=182)
    at /home/anatol/dws/src/php-5.5-ts/Zend/zend_execute.h:81
#13 0x00007ffff337dd91 in _zval_ptr_dtor (zval_ptr=0x7fff74040ea8,
    __zend_filename=0x7ffff38f8a30 "/home/anatol/dws/src/php-5.5-ts/Zend/zend_variables.c", __zend_lineno=182)
    at /home/anatol/dws/src/php-5.5-ts/Zend/zend_execute_API.c:428
#14 0x00007ffff33919e9 in _zval_ptr_dtor_wrapper (zval_ptr=0x7fff74040ea8) at /home/anatol/dws/src/php-5.5-ts/Zend/zend_variables.c:182
#15 0x00007ffff33aa681 in zend_hash_apply_deleter (ht=0x7fff740c32f8, p=0x7fff74040e90) at /home/anatol/dws/src/php-5.5-ts/Zend/zend_hash.c:650
#16 0x00007ffff33aad2b in zend_hash_reverse_apply (ht=0x7fff740c32f8, apply_func=0x7ffff337c9e4 <zval_call_destructor>, tsrm_ls=0x7fff740008c0)
    at /home/anatol/dws/src/php-5.5-ts/Zend/zend_hash.c:804
#17 0x00007ffff337cb2a in shutdown_destructors (tsrm_ls=0x7fff740008c0) at /home/anatol/dws/src/php-5.5-ts/Zend/zend_execute_API.c:217
#18 0x00007ffff3394ba4 in zend_call_destructors (tsrm_ls=0x7fff740008c0) at /home/anatol/dws/src/php-5.5-ts/Zend/zend.c:923
#19 0x00007ffff32d58d5 in php_request_shutdown (dummy=0x0) at /home/anatol/dws/src/php-5.5-ts/main/main.c:1742
#20 0x00007ffff3455eb5 in php_apache_request_dtor (r=0x7fffc8303d20, tsrm_ls=0x7fff740008c0)
    at /home/anatol/dws/src/php-5.5-ts/sapi/apache2handler/sapi_apache2.c:507
#21 0x00007ffff3456a17 in php_handler (r=0x7fffc8303d20) at /home/anatol/dws/src/php-5.5-ts/sapi/apache2handler/sapi_apache2.c:679
#22 0x000000000044e51e in ap_run_handler (r=0x7fffc8303d20) at config.c:169
#23 0x000000000044ee6c in ap_invoke_handler (r=0x7fffc8303d20) at config.c:432
#24 0x0000000000469edb in ap_process_async_request (r=0x7fffc8303d20) at http_request.c:317
#25 0x0000000000469fc0 in ap_process_request (r=0x7fffc8303d20) at http_request.c:363
#26 0x0000000000466865 in ap_process_http_sync_connection (c=0x7fffd0002d38) at http_core.c:190
#27 0x000000000046697b in ap_process_http_connection (c=0x7fffd0002d38) at http_core.c:231


@37xzxz you were probably testing on ubuntu standard, it's always prefork there.
 [2013-05-30 12:06 UTC] 37xzxz at gmail dot com
@ab, I performed tests for this issue on ubuntu-12.04.2-desktop-amd64
 [2013-06-06 16:54 UTC] ab@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=1aee7ad63672747bd941f169ef42bed5765137e0
Log: Fixed bug #64934 Apache2 TS crash with get_browser()
 [2013-06-06 16:54 UTC] ab@php.net
-Status: Verified +Status: Closed
 [2013-06-06 17:04 UTC] ab@php.net
@37xzxz exactly, the standard apache build in ubuntu is NTS, this issue couldn't 
be reproduced with it.

If you were so kind and pick some of the next snapshots starting with Jul 7 from 
http://windows.php.net/downloads/snaps/ to verify this issue is gone :)

Thanks
 [2013-06-24 07:12 UTC] 37xzxz at gmail dot com
All fine on php 5.5.0
 [2014-10-07 23:19 UTC] stas@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=1aee7ad63672747bd941f169ef42bed5765137e0
Log: Fixed bug #64934 Apache2 TS crash with get_browser()
 [2014-10-07 23:30 UTC] stas@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=1aee7ad63672747bd941f169ef42bed5765137e0
Log: Fixed bug #64934 Apache2 TS crash with get_browser()
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 11:01:29 2024 UTC