Bug #65200 Seg faults in php_free_pcre_cache on child exit
Submitted: 2013-07-03 23:18 UTC Modified: 2021-09-05 04:22 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: mmucklo at corp dot oodle dot com Assigned: cmb (profile)
Status: No Feedback Package: *General Issues
PHP Version: 5.4.16 OS: RHEL 6.4
Private report: No CVE-ID: None
 [2013-07-03 23:18 UTC] mmucklo at corp dot oodle dot com
Description:
------------
Seeing regular Seg faults during child process clean up.

Apache 2.2.24
PHP 5.4.16

Backtrace:
Core was generated by `/service/local/apache/bin/httpd -f /service/conf/httpd.qvc.conf'.
Program terminated with signal 6, Aborted.
#0  0x00000031d26328a5 in raise () from /lib64/libc.so.6
Missing separate debuginfos, use: debuginfo-install cyrus-sasl-lib-2.1.23-13.el6_3.1.x86_64 glibc-2.12-1.107.el6.x86_64 libgcc-4.4.7-3.el6.x86_64 libstdc++-4.4.7-3.el6.x86_64 nss-softokn-freebl-3.12.9-11.el6.x86_64
(gdb) bt
#0  0x00000031d26328a5 in raise () from /lib64/libc.so.6
#1  0x00000031d2634085 in abort () from /lib64/libc.so.6
#2  0x00000031d26707b7 in __libc_message () from /lib64/libc.so.6
#3  0x00000031d26760e6 in malloc_printerr () from /lib64/libc.so.6
#4  0x00000031d267656d in malloc_consolidate () from /lib64/libc.so.6
#5  0x00000031d2678ba8 in _int_free () from /lib64/libc.so.6
#6  0x00007fbc90e882f3 in php_free_pcre_cache (data=0x3c9c220) at /workspace/source/external/build/php-5.4.16-apache/ext/pcre/php_pcre.c:96
#7  0x00007fbc913a8453 in zend_hash_destroy (ht=0x7fbc91c48060) at /workspace/source/external/build/php-5.4.16-apache/Zend/zend_hash.c:560
#8  0x00007fbc90e88382 in zm_globals_dtor_pcre (pcre_globals=0x7fbc91c48060) at /workspace/source/external/build/php-5.4.16-apache/ext/pcre/php_pcre.c:113
#9  0x00007fbc9139fe71 in module_destructor (module=0x1d80480) at /workspace/source/external/build/php-5.4.16-apache/Zend/zend_API.c:2308
#10 0x00007fbc913a8840 in zend_hash_apply_deleter (ht=0x7fbc91c50480, p=0x1d80420) at /workspace/source/external/build/php-5.4.16-apache/Zend/zend_hash.c:650
#11 0x00007fbc913a89db in zend_hash_graceful_reverse_destroy (ht=0x7fbc91c50480) at /workspace/source/external/build/php-5.4.16-apache/Zend/zend_hash.c:687
#12 0x00007fbc9139e01e in zend_destroy_modules () at /workspace/source/external/build/php-5.4.16-apache/Zend/zend_API.c:1832
#13 0x00007fbc91394fb2 in zend_shutdown () at /workspace/source/external/build/php-5.4.16-apache/Zend/zend.c:820
#14 0x00007fbc91302145 in php_module_shutdown () at /workspace/source/external/build/php-5.4.16-apache/main/main.c:2367
#15 0x00007fbc91302111 in php_module_shutdown_wrapper (sapi_globals=0x7fbc91c2c680) at /workspace/source/external/build/php-5.4.16-apache/main/main.c:2335
#16 0x00007fbc91440916 in php_apache_child_shutdown (tmp=0x0) at /workspace/source/external/build/php-5.4.16-apache/sapi/apache2handler/sapi_apache2.c:398
#17 0x00007fbc91c6ff2e in run_cleanups (pool=0x2310c08) at memory/unix/apr_pools.c:2352
#18 apr_pool_destroy (pool=0x2310c08) at memory/unix/apr_pools.c:814
#19 0x00000000004b8d0e in clean_child_exit (code=0) at prefork.c:196
#20 0x00000000004b9129 in child_main (child_num_arg=<value optimized out>) at prefork.c:692
#21 0x00000000004b9374 in make_child (s=0x1bf0c80, slot=12) at prefork.c:768
#22 0x00000000004b9fc7 in perform_idle_server_maintenance (_pconf=<value optimized out>, plog=<value optimized out>, s=<value optimized out>) at prefork.c:903
#23 ap_mpm_run (_pconf=<value optimized out>, plog=<value optimized out>, s=<value optimized out>) at prefork.c:1107
#24 0x000000000042e564 in main (argc=3, argv=0x7fff92dd5198) at main.c:753

 [2013-07-04 06:36 UTC] ab@php.net
-Status: Open +Status: Feedback
 [2013-07-04 06:36 UTC] ab@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.


 [2013-07-06 00:59 UTC] mmucklo at corp dot oodle dot com
It's probably not possible to boil into a single script as we're running symfony2 
which is pulling in probably hundreds of files and various dependencies just to 
generate a single page.

It does seem to happen rather consistently under simple manual testing of our site 
on a QA machine.

Is there anything else we can do to help isolate the issue?
 [2013-07-08 07:16 UTC] ab@php.net
From what I could analyse so far, this issue is locale related. It happens on prefork
child shutdown, so also on PHP module shutdown. From this point it's not very bad. The
PCRE patterns are cached by locale, so it might be reproducible with a scenario
like this

- set locale
- do some pcre stuff
- change locale
- do some pcre stuff
.......

This is most likely a race condition in MSHUTDOWN while freeing PCRE cache under 
Apache prefork.

You could try a simple script with this scenario. I'll be doing the same in the 
meantime. Or maybe you recognize this pattern in your app? Unfortunately that's 
all I could read from the BT so far.

Thanks
 [2013-07-15 22:46 UTC] mmucklo at corp dot oodle dot com
Upgraded to PHP 5.4.17, fewer cores, it seems, but still seeing a couple so 
far...

The backtrace has changed, though:
----------------------------------

Core was generated by `/service/local/apache/bin/httpd -f /service/conf/httpd.qvc.conf'.
Program terminated with signal 11, Segmentation fault.
#0  __memcmp_sse2 () at ../sysdeps/x86_64/memcmp.S:57
57		movl	(%rdi),	%eax
(gdb) bt
#0  __memcmp_sse2 () at ../sysdeps/x86_64/memcmp.S:57
#1  0x00007f15016adb0a in zend_mm_check_ptr (heap=0xdc3a10, ptr=0x7f14dc01e2a8, silent=0, __zend_filename=0x7f1501c250a8 "/workspace/source/external/build/php-5.4.17-apache/Zend/zend_opcode.c", __zend_lineno=364, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /workspace/source/external/build/php-5.4.17-apache/Zend/zend_alloc.c:1515
#2  0x00007f15016ad65a in zend_mm_check_ptr (heap=0xdc3a10, ptr=0x7f14dc01e2a8, silent=1, __zend_filename=0x7f1501c250a8 "/workspace/source/external/build/php-5.4.17-apache/Zend/zend_opcode.c", __zend_lineno=364, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /workspace/source/external/build/php-5.4.17-apache/Zend/zend_alloc.c:1416
#3  0x00007f15016af182 in _zend_mm_free_int (heap=0xdc3a10, p=0x7f14dc01e2a8, __zend_filename=0x7f1501c250a8 "/workspace/source/external/build/php-5.4.17-apache/Zend/zend_opcode.c", __zend_lineno=364, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /workspace/source/external/build/php-5.4.17-apache/Zend/zend_alloc.c:2064
#4  0x00007f15016b080d in _efree (ptr=0x7f14dc01e2a8, __zend_filename=0x7f1501c250a8 "/workspace/source/external/build/php-5.4.17-apache/Zend/zend_opcode.c", __zend_lineno=364, __zend_orig_filename=0x0, __zend_orig_lineno=0) at /workspace/source/external/build/php-5.4.17-apache/Zend/zend_alloc.c:2436
#5  0x00007f15016d95a1 in destroy_op_array (op_array=0x1470ab8) at /workspace/source/external/build/php-5.4.17-apache/Zend/zend_opcode.c:364
#6  0x00007f15016d890f in destroy_zend_function (function=0x1470ab8) at /workspace/source/external/build/php-5.4.17-apache/Zend/zend_opcode.c:112
#7  0x00007f15016d8929 in zend_function_dtor (function=0x1470ab8) at /workspace/source/external/build/php-5.4.17-apache/Zend/zend_opcode.c:124
#8  0x00007f15016f9ecf in zend_hash_destroy (ht=0x1470698) at /workspace/source/external/build/php-5.4.17-apache/Zend/zend_hash.c:560
#9  0x00007f15016d923d in destroy_zend_class (pce=0x3586b48) at /workspace/source/external/build/php-5.4.17-apache/Zend/zend_opcode.c:296
#10 0x00007f15016fa2bc in zend_hash_apply_deleter (ht=0xdc4370, p=0x3586b30) at /workspace/source/external/build/php-5.4.17-apache/Zend/zend_hash.c:650
#11 0x00007f15016fa979 in zend_hash_reverse_apply (ht=0xdc4370, apply_func=0x7f15016d200e <clean_non_persistent_class>) at /workspace/source/external/build/php-5.4.17-apache/Zend/zend_hash.c:804
#12 0x00007f15016d287e in shutdown_executor () at /workspace/source/external/build/php-5.4.17-apache/Zend/zend_execute_API.c:303
#13 0x00007f15016e6e56 in zend_deactivate () at /workspace/source/external/build/php-5.4.17-apache/Zend/zend.c:938
#14 0x00007f1501652b03 in php_request_shutdown (dummy=0x0) at /workspace/source/external/build/php-5.4.17-apache/main/main.c:1800
#15 0x00007f1501792808 in php_apache_request_dtor (r=0x1383150) at /workspace/source/external/build/php-5.4.17-apache/sapi/apache2handler/sapi_apache2.c:507
#16 0x00007f1501793079 in php_handler (r=0x1383150) at /workspace/source/external/build/php-5.4.17-apache/sapi/apache2handler/sapi_apache2.c:679
#17 0x0000000000441d90 in ap_run_handler (r=0x1383150) at config.c:158
#18 0x00000000004453ee in ap_invoke_handler (r=0x1383150) at config.c:376
#19 0x000000000048ca60 in ap_process_request (r=0x1383150) at http_request.c:282
#20 0x0000000000489a08 in ap_process_http_connection (c=0x13752d0) at http_core.c:190
#21 0x0000000000449330 in ap_run_process_connection (c=0x13752d0) at connection.c:43
#22 0x00000000004b9bc8 in child_main (child_num_arg=<value optimized out>) at prefork.c:667
#23 0x00000000004b9ec4 in make_child (s=0xc51c80, slot=16) at prefork.c:768
#24 0x00000000004bab17 in perform_idle_server_maintenance (_pconf=<value optimized out>, plog=<value optimized out>, s=<value optimized out>) at prefork.c:903
#25 ap_mpm_run (_pconf=<value optimized out>, plog=<value optimized out>, s=<value optimized out>) at prefork.c:1107
#26 0x000000000042e524 in main (argc=3, argv=0x7fffd6d0d018) at main.c:753
 [2013-07-16 11:52 UTC] ab@php.net
Yep, the last BT is very far from the first one. It doesn't even mention PCRE at
all. But nevertheless, it seems the last BT is done with a debug build. Was there
something interesting on stderr? Also, the last BT might not be reproducible with a
release build. I'm stuck reproducing your first BT, sadly.
 [2013-07-16 17:47 UTC] mmucklo at corp dot oodle dot com
-Status: Feedback +Status: Open
 [2013-07-16 17:47 UTC] mmucklo at corp dot oodle dot com
I'm not understanding you about the "debug" build part?  I don't think it gives a 
backtrace without --enable-debug, unless you are referring to apache being 
compiled in Debug mode as well...
 [2013-07-17 06:48 UTC] ab@php.net
Yes, I meant PHP --enable-debug. That's a bit tricky: with gcc, using --enable-debug
directly will define some macros which switch the code parts. Using no --enable-debug
one can still enforce debug symbols using something like
CFLAGS="-ggdb -O3" CXXFLAGS="$CFLAGS" ./configure
That's why I meant it might not be reproducible without --enable-debug, as the
code corresponding to the last BT is different then. Despite all that, I think the
first PCRE backtrace is a real bug.
 [2013-07-18 18:58 UTC] mmucklo at corp dot oodle dot com
Okay, I recompiled without --enable-debug, and pounded the server and got two core files that are exactly the same backtrace-wise...


Program terminated with signal 11, Segmentation fault.
#0  _zend_mm_free_int (heap=0x1bea970, p=0x7f1393ded878) at /workspace/source/external/build/php-5.4.17-apache/Zend/zend_alloc.c:2100
2100	/workspace/source/external/build/php-5.4.17-apache/Zend/zend_alloc.c: No such file or directory.
	in /workspace/source/external/build/php-5.4.17-apache/Zend/zend_alloc.c
(gdb) bt
#0  _zend_mm_free_int (heap=0x1bea970, p=0x7f1393ded878) at /workspace/source/external/build/php-5.4.17-apache/Zend/zend_alloc.c:2100
#1  0x00007f13b8619e65 in destroy_op_array (op_array=0x28ba910) at /workspace/source/external/build/php-5.4.17-apache/Zend/zend_opcode.c:364
#2  0x00007f13b863062b in zend_hash_destroy (ht=0x28b9748) at /workspace/source/external/build/php-5.4.17-apache/Zend/zend_hash.c:560
#3  0x00007f13b861a22e in destroy_zend_class (pce=<value optimized out>) at /workspace/source/external/build/php-5.4.17-apache/Zend/zend_opcode.c:296
#4  0x00007f13b86302b5 in zend_hash_apply_deleter (ht=0x1beb2d0, p=0x27a7a10) at /workspace/source/external/build/php-5.4.17-apache/Zend/zend_hash.c:650
#5  0x00007f13b86303c9 in zend_hash_reverse_apply (ht=0x1beb2d0, apply_func=0x7f13b8614c30 <clean_non_persistent_class>) at /workspace/source/external/build/php-5.4.17-apache/Zend/zend_hash.c:804
#6  0x00007f13b8618486 in shutdown_executor () at /workspace/source/external/build/php-5.4.17-apache/Zend/zend_execute_API.c:303
#7  0x00007f13b86239e2 in zend_deactivate () at /workspace/source/external/build/php-5.4.17-apache/Zend/zend.c:938
#8  0x00007f13b85bff3b in php_request_shutdown (dummy=<value optimized out>) at /workspace/source/external/build/php-5.4.17-apache/main/main.c:1800
#9  0x00007f13b86d08e7 in php_apache_request_dtor (r=0x30de620) at /workspace/source/external/build/php-5.4.17-apache/sapi/apache2handler/sapi_apache2.c:507
#10 php_handler (r=0x30de620) at /workspace/source/external/build/php-5.4.17-apache/sapi/apache2handler/sapi_apache2.c:679
#11 0x0000000000441d20 in ap_run_handler (r=0x30de620) at config.c:158
#12 0x000000000044534e in ap_invoke_handler (r=0x30de620) at config.c:376
#13 0x000000000048c180 in ap_process_request (r=0x30de620) at http_request.c:282
#14 0x0000000000489140 in ap_process_http_connection (c=0x219b640) at http_core.c:190
#15 0x00000000004492b0 in ap_run_process_connection (c=0x219b640) at connection.c:43
#16 0x00000000004b9078 in child_main (child_num_arg=<value optimized out>) at prefork.c:667
#17 0x00000000004b9374 in make_child (s=0x1a78c80, slot=14) at prefork.c:768
#18 0x00000000004b9fc7 in perform_idle_server_maintenance (_pconf=<value optimized out>, plog=<value optimized out>, s=<value optimized out>) at prefork.c:903
#19 ap_mpm_run (_pconf=<value optimized out>, plog=<value optimized out>, s=<value optimized out>) at prefork.c:1107
#20 0x000000000042e564 in main (argc=3, argv=0x7fff7846b3c8) at main.c:753

Core was generated by `/service/local/apache/bin/httpd -f /service/conf/httpd.qvc.conf'.
Program terminated with signal 11, Segmentation fault.
#0  _zend_mm_free_int (heap=0x1bea970, p=0x7f1393ded878) at /workspace/source/external/build/php-5.4.17-apache/Zend/zend_alloc.c:2100
2100	/workspace/source/external/build/php-5.4.17-apache/Zend/zend_alloc.c: No such file or directory.
	in /workspace/source/external/build/php-5.4.17-apache/Zend/zend_alloc.c
(gdb) bt
#0  _zend_mm_free_int (heap=0x1bea970, p=0x7f1393ded878) at /workspace/source/external/build/php-5.4.17-apache/Zend/zend_alloc.c:2100
#1  0x00007f13b8619e65 in destroy_op_array (op_array=0x5953800) at /workspace/source/external/build/php-5.4.17-apache/Zend/zend_opcode.c:364
#2  0x00007f13b863062b in zend_hash_destroy (ht=0x5a51cc8) at /workspace/source/external/build/php-5.4.17-apache/Zend/zend_hash.c:560
#3  0x00007f13b861a22e in destroy_zend_class (pce=<value optimized out>) at /workspace/source/external/build/php-5.4.17-apache/Zend/zend_opcode.c:296
#4  0x00007f13b86302b5 in zend_hash_apply_deleter (ht=0x1beb2d0, p=0x4e33d70) at /workspace/source/external/build/php-5.4.17-apache/Zend/zend_hash.c:650
#5  0x00007f13b86303c9 in zend_hash_reverse_apply (ht=0x1beb2d0, apply_func=0x7f13b8614c30 <clean_non_persistent_class>) at /workspace/source/external/build/php-5.4.17-apache/Zend/zend_hash.c:804
#6  0x00007f13b8618486 in shutdown_executor () at /workspace/source/external/build/php-5.4.17-apache/Zend/zend_execute_API.c:303
#7  0x00007f13b86239e2 in zend_deactivate () at /workspace/source/external/build/php-5.4.17-apache/Zend/zend.c:938
#8  0x00007f13b85bff3b in php_request_shutdown (dummy=<value optimized out>) at /workspace/source/external/build/php-5.4.17-apache/main/main.c:1800
#9  0x00007f13b86d08e7 in php_apache_request_dtor (r=0x21a94c0) at /workspace/source/external/build/php-5.4.17-apache/sapi/apache2handler/sapi_apache2.c:507
#10 php_handler (r=0x21a94c0) at /workspace/source/external/build/php-5.4.17-apache/sapi/apache2handler/sapi_apache2.c:679
#11 0x0000000000441d20 in ap_run_handler (r=0x21a94c0) at config.c:158
#12 0x000000000044534e in ap_invoke_handler (r=0x21a94c0) at config.c:376
#13 0x000000000048c180 in ap_process_request (r=0x21a94c0) at http_request.c:282
#14 0x0000000000489140 in ap_process_http_connection (c=0x219b640) at http_core.c:190
#15 0x00000000004492b0 in ap_run_process_connection (c=0x219b640) at connection.c:43
#16 0x00000000004b9078 in child_main (child_num_arg=<value optimized out>) at prefork.c:667
#17 0x00000000004b9374 in make_child (s=0x1a78c80, slot=4) at prefork.c:768
#18 0x00000000004b967e in startup_children (_pconf=<value optimized out>, plog=<value optimized out>, s=<value optimized out>) at prefork.c:786
#19 ap_mpm_run (_pconf=<value optimized out>, plog=<value optimized out>, s=<value optimized out>) at prefork.c:1007
#20 0x000000000042e564 in main (argc=3, argv=0x7fff7846b3c8) at main.c:753
(gdb) quit
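The comparison the reporter makes by eye above ("exactly the same backtrace-wise") can be made mechanical. The following helper is an added example, not code from the bug report or from PHP: it parses gdb `bt` output of the shape pasted in this thread, re-joins wrapped frame lines, strips addresses, pointer arguments and the build directory, and reports how many innermost frames two cores share. The sample traces are constructed from the top frames of the reporter's two 5.4.17 release cores and of the original 5.4.16 PCRE trace.

```python
import re

# One gdb frame, e.g. "#1  0x00007f13b8619e65 in destroy_op_array (op_array=0x28ba910) at .../zend_opcode.c:364"
FRAME_RE = re.compile(
    r"^#(?P<num>\d+)\s+(?:0x[0-9a-fA-F]+ in )?(?P<func>[\w.]+)\s*\((?P<args>.*)\)"
    r"(?:\s+(?:at|from)\s+(?P<loc>\S+))?\s*$"
)

def join_wrapped(text):
    """Glue continuation lines (indented, or after an incomplete frame) onto the frame above; other text is dropped."""
    frames = []
    for raw in text.splitlines():
        s = raw.strip()
        if not s:
            continue
        if s.startswith("#"):
            frames.append(s)
        elif frames and (raw[0].isspace() or not FRAME_RE.match(frames[-1])):
            frames[-1] += " " + s
    return frames

def normalize(text):
    """Stable 'func@file:line' signatures: addresses, pointer args and build dir are dropped."""
    sig = []
    for line in join_wrapped(text):
        m = FRAME_RE.match(line)
        if not m:
            continue
        if m.group("num") == "0":          # gdb prints #0 once before "bt" and again inside it
            sig = []
        loc = (m.group("loc") or "?").rsplit("/", 1)[-1]
        sig.append(f"{m.group('func')}@{loc}")
    return sig

def common_prefix_depth(a, b):
    """How many innermost frames two traces share before they diverge."""
    return next((i for i, (x, y) in enumerate(zip(a, b)) if x != y), min(len(a), len(b)))

# Constructed samples quoting the top frames of the report's two 5.4.17 release-build
# cores (only pointer values differ) and of the original 5.4.16 PCRE trace.
CORE_A = """\
(gdb) bt
#0  _zend_mm_free_int (heap=0x1bea970, p=0x7f1393ded878) at /workspace/source/external/build/php-5.4.17-apache/Zend/zend_alloc.c:2100
#1  0x00007f13b8619e65 in destroy_op_array (op_array=0x28ba910) at /workspace/source/external/build/php-5.4.17-apache/Zend/zend_opcode.c:364
#2  0x00007f13b863062b in zend_hash_destroy (ht=0x28b9748)
    at /workspace/source/external/build/php-5.4.17-apache/Zend/zend_hash.c:560
"""
CORE_B = """\
#0  _zend_mm_free_int (heap=0x1bea970, p=0x7f1393ded878) at /workspace/source/external/build/php-5.4.17-apache/Zend/zend_alloc.c:2100
#1  0x00007f13b8619e65 in destroy_op_array (op_array=0x5953800) at /workspace/source/external/build/php-5.4.17-apache/Zend/zend_opcode.c:364
#2  0x00007f13b863062b in zend_hash_destroy (ht=0x5a51cc8) at /workspace/source/external/build/php-5.4.17-apache/Zend/zend_hash.c:560
"""
PCRE_BT = """\
#0  0x00000031d26328a5 in raise () from /lib64/libc.so.6
#1  0x00000031d2634085 in abort () from /lib64/libc.so.6
"""
```

Run `normalize()` over each core's `bt` output and compare the lists; a non-zero `common_prefix_depth` with the same innermost frames is the same crash site, while the two 5.4.17 release cores above diverge only in the outermost prefork frames (`perform_idle_server_maintenance` versus `startup_children`).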
 [2021-08-23 17:48 UTC] cmb@php.net
-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb
 [2021-08-23 17:48 UTC] cmb@php.net
Is this still an issue with any of the actively supported PHP
versions[1]?

[1] <https://www.php.net/supported-versions.php>
 [2021-09-05 04:22 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 12:01:31 2024 UTC