Bug #67493 Crash in _zend_hash_add_or_update
Submitted: 2014-06-22 03:31 UTC Modified: 2018-09-22 21:03 UTC
Votes:2
Avg. Score:5.0 ± 0.0
Reproduced:2 of 2 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: majo-bugs dot php dot net at pematon dot com Assigned: cmb (profile)
Status: Closed Package: Scripting Engine problem
PHP Version: 5.4.29 OS: FreeBSD 9.2
Private report: No CVE-ID: None
 [2014-06-22 03:31 UTC] majo-bugs dot php dot net at pematon dot com
Description:
------------
Crashes from time to time in _zend_hash_add_or_update.

Expected result:
----------------
Not crash.

Actual result:
--------------
Core was generated by `httpd'.
Program terminated with signal 10, Bus error.
#0  _zend_hash_add_or_update (ht=0x805c8e590, arKey=0x80ef88ce8 "/srv/konecnekreslim.com/www/public/image.php", nKeyLength=45, pData=0x7fffffffd39c, nDataSize=4, pDest=0x0, flag=2)
    at /tmp/portbuild/usr/ports/www/mod_php5/work/php-5.4.29/Zend/zend_hash.c:220
220	/tmp/portbuild/usr/ports/www/mod_php5/work/php-5.4.29/Zend/zend_hash.c: No such file or directory.
	in /tmp/portbuild/usr/ports/www/mod_php5/work/php-5.4.29/Zend/zend_hash.c
[New Thread 802407400 (LWP 100409/httpd)]
#0  _zend_hash_add_or_update (ht=0x805c8e590, arKey=0x80ef88ce8 "/srv/konecnekreslim.com/www/public/image.php", nKeyLength=45, pData=0x7fffffffd39c, nDataSize=4, pDest=0x0, flag=2)
    at /tmp/portbuild/usr/ports/www/mod_php5/work/php-5.4.29/Zend/zend_hash.c:220
#1  0x000000080c5f1eca in my_compile_file () from /usr/local/lib/php/20100525/apc.so
#2  0x000000080b51c5c4 in phar_compile_file () from /usr/local/lib/php/20100525/phar.so
#3  0x000000080588e6bd in zend_execute_scripts (type=2, retval=0x0, file_count=1) at /tmp/portbuild/usr/ports/www/mod_php5/work/php-5.4.29/Zend/zend.c:1307
#4  0x0000000805937ee1 in php_handler (r=0x8071f6280) at /tmp/portbuild/usr/ports/www/mod_php5/work/php-5.4.29/sapi/apache2handler/sapi_apache2.c:669
#5  0x000000000044e91a in ap_run_handler (r=0x8071f6280) at config.c:169
#6  0x0000000000452682 in ap_invoke_handler (r=0x8071f6280) at config.c:439
#7  0x0000000000463baa in ap_internal_redirect (new_uri=<value optimized out>, r=<value optimized out>) at http_request.c:644
#8  0x000000080546b640 in handler_redirect (r=0x80717b0a0) at mod_rewrite.c:5105
#9  0x000000000044e91a in ap_run_handler (r=0x80717b0a0) at config.c:169
#10 0x0000000000452682 in ap_invoke_handler (r=0x80717b0a0) at config.c:439
#11 0x0000000000463f8e in ap_process_async_request (r=0x80717b0a0) at http_request.c:317
#12 0x00000000004640cf in ap_process_request (r=0x80717b0a0) at http_request.c:363
#13 0x0000000000460815 in ap_process_http_connection (c=0x807145290) at http_core.c:190
#14 0x0000000000458c22 in ap_run_process_connection (c=0x807145290) at connection.c:41
#15 0x000000000046a327 in child_main (child_num_arg=<value optimized out>) at prefork.c:704
#16 0x000000000046a5a4 in make_child (s=0x802453268, slot=2) at prefork.c:800
#17 0x000000000046af06 in prefork_run (_pconf=<value optimized out>, plog=<value optimized out>, s=<value optimized out>) at prefork.c:902
#18 0x00000000004360b2 in ap_run_mpm (pconf=0x802423028, plog=0x80244f028, s=0x802453268) at mpm_common.c:96
#19 0x000000000043021b in main (argc=2, argv=0x7fffffffdd18) at main.c:777

Patches

Pull Requests

History
 [2014-06-24 05:36 UTC] laruence@php.net
-Status: Open +Status: Feedback
 [2014-06-24 05:36 UTC] laruence@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.


 [2014-06-29 08:45 UTC] majo-bugs dot php dot net at pematon dot com
-Status: Feedback +Status: Open
 [2014-06-29 08:45 UTC] majo-bugs dot php dot net at pematon dot com
Unfortunately I am not able to provide a reproducing script because I am not able to reproduce the problem. If I call the script that causes the crash with exactly the same parameters as the one that has crashed, it is not crashing any more. However, the script is crashing a few times a week (with different parameters / conditions).

I have tried to set "MaxRequestsPerChild 1" in httpd.conf as this has helped somebody in Bug #42475 Got seg fault, core dump in php 5.2.3 code in _zend_hash_add_or_update. It did not help.
 [2014-07-05 21:55 UTC] majo-bugs dot php dot net at pematon dot com
I tried to analyze the crash dump a little more:

#0  0x0000000805944c94 in _zend_hash_add_or_update (ht=0x805ddc1f0, 
    arKey=0x80f56cea8 "/srv/konecnekreslim.com/www/public/image.php", nKeyLength=45, pData=0x7fffffffd37c, 
    nDataSize=4, pDest=0x0, flag=2) at /tmp/portbuild/usr/ports/www/mod_php5/work/php-5.4.29/Zend/zend_hash.c:220
220			if (p->arKey == arKey ||
[New Thread 802407400 (LWP 102051/httpd)]
(gdb) list zend_hash.c:220
215		h = zend_inline_hash_func(arKey, nKeyLength);
216		nIndex = h & ht->nTableMask;
217	
218		p = ht->arBuckets[nIndex];
219		while (p != NULL) {
220			if (p->arKey == arKey ||
221				((p->h == h) && (p->nKeyLength == nKeyLength) && !memcmp(p->arKey, arKey, nKeyLength))) {
222					if (flag & HASH_ADD) {
223						return FAILURE;
224					}
(gdb) p p
$1 = (Bucket *) 0x16800259ff625ff
(gdb) p *p
Cannot access memory at address 0x16800259ff625ff
(gdb) p nIndex
$2 = 15
(gdb) p *ht->arBuckets[nIndex]
$3 = {h = 302, nKeyLength = 0, pData = 0x0, pDataPtr = 0x7d0000000000, pListNext = 0x8073906d8, 
  pListLast = 0x807390768, pNext = 0x8073907c0, pLast = 0x807390790, arKey = 0x7 <Address 0x7 out of bounds>}
(gdb) p *ht->arBuckets[nIndex]->pNext
$4 = {h = 34479906304, nKeyLength = 0, pData = 0xffffffffffffffff, pDataPtr = 0x8073906b8, pListNext = 0x8073907c0, 
  pListLast = 0x4353a0, pNext = 0x42cb54, pLast = 0x8072fa028, arKey = 0x30 <Address 0x30 out of bounds>}

--> Pointers pListLast = 0x4353a0 and pNext = 0x42cb54 do not seem correct, other pointers have 0x80 prefix.

(gdb) p *ht->arBuckets[nIndex]->pNext->pNext
$5 = {h = 18331902444810675711, nKeyLength = 3909091328, pData = 0xff680025a00625ff, pDataPtr = 0xffffeff0e9000000, 
  pListNext = 0x6800259ffe25ff, pListLast = 0xffffefe0e9000001, pNext = 0x16800259ff625ff, 
  pLast = 0xffffefd0e9000001, arKey = 0x26800259fee25ff <Address 0x26800259fee25ff out of bounds>}

--> Looks like random data. pNext = 0x16800259ff625ff is the problematic address, which cannot be addressed.
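Added example, not code from this report, from PHP or from any commenter: a miniature C model of the PHP 5 Bucket chain as it appears in the gdb dump above, with a validator that performs the checks the reporter made by hand (every pNext must land on a real bucket, a bucket's h must map to the slot it sits in, nKeyLength and arKey must be populated, and the chain must terminate). Field names follow the dump; the struct layout, the fixed arena, the key "SCRIPT_FILENAME" and the scenario helpers are constructed assumptions, while the two other keys and the wild pointer 0x16800259ff625ff are the values seen in the dump.

```c
/* Added example (not from the bug report or from PHP): a small model of the
 * PHP 5 Bucket chain plus a validator that walks arBuckets[nIndex]->pNext
 * without dereferencing any pointer it has not first checked. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct bucket {              /* field names as in the gdb dump; layout assumed */
    unsigned long h;
    unsigned int nKeyLength;
    void *pData;
    void *pDataPtr;
    struct bucket *pListNext;
    struct bucket *pListLast;
    struct bucket *pNext;
    struct bucket *pLast;
    const char *arKey;
} Bucket;

#define NBUCKETS 8     /* constructed arena: every live bucket comes from here */
#define TABLE_SIZE 16  /* power of two, so nIndex = h & nTableMask as in zend_hash.c */

typedef struct {
    Bucket arena[NBUCKETS];
    size_t used;
    Bucket *arBuckets[TABLE_SIZE];
    unsigned long nTableMask;
} MiniHash;

enum chain_status { CHAIN_OK = 0, CHAIN_BAD_POINTER, CHAIN_BAD_FIELDS, CHAIN_LOOP };

/* DJBX33A, which zend_inline_hash_func computes (minus its loop unrolling). */
static unsigned long inline_hash(const char *key, unsigned int len)
{
    unsigned long h = 5381;
    while (len--)
        h = h * 33 + (unsigned char)*key++;
    return h;
}

static void mini_init(MiniHash *mh)
{
    memset(mh, 0, sizeof *mh);
    mh->nTableMask = TABLE_SIZE - 1;
}

/* Head insertion into the collision chain, as PHP 5 links buckets.
 * nKeyLength includes the NUL (cf. nKeyLength=12 for "REMOTE_ADDR" in the dump). */
static Bucket *mini_add(MiniHash *mh, const char *key)
{
    if (mh->used >= NBUCKETS)
        return NULL;
    Bucket *b = &mh->arena[mh->used++];
    memset(b, 0, sizeof *b);
    b->arKey = key;
    b->nKeyLength = (unsigned int)strlen(key) + 1;
    b->h = inline_hash(key, b->nKeyLength);
    unsigned long nIndex = b->h & mh->nTableMask;
    b->pNext = mh->arBuckets[nIndex];
    if (b->pNext)
        b->pNext->pLast = b;
    mh->arBuckets[nIndex] = b;
    return b;
}

/* A bucket pointer is trusted only if it lies on a bucket boundary inside the
 * arena; the dump's pNext = 0x16800259ff625ff fails this before any access. */
static int pointer_in_arena(const MiniHash *mh, const Bucket *p)
{
    uintptr_t lo = (uintptr_t)mh->arena, hi = lo + sizeof mh->arena;
    uintptr_t a = (uintptr_t)p;
    return a >= lo && a < hi && (a - lo) % sizeof(Bucket) == 0;
}

static enum chain_status check_chain(const MiniHash *mh, unsigned long nIndex)
{
    const Bucket *p = mh->arBuckets[nIndex];
    size_t steps = 0;
    while (p != NULL) {
        if (!pointer_in_arena(mh, p))
            return CHAIN_BAD_POINTER;
        /* The dump's slot-15 head had nKeyLength = 0 and h = 302; 302 & mask
         * ends in bits 1110, so it cannot map to slot 15 for any mask >= 15. */
        if (p->nKeyLength == 0 || p->arKey == NULL || (p->h & mh->nTableMask) != nIndex)
            return CHAIN_BAD_FIELDS;
        if (++steps > mh->used)
            return CHAIN_LOOP;           /* more nodes visited than were allocated */
        p = p->pNext;
    }
    return CHAIN_OK;
}

static enum chain_status check_table(const MiniHash *mh)
{
    for (unsigned long i = 0; i < TABLE_SIZE; i++) {
        enum chain_status s = check_chain(mh, i);
        if (s != CHAIN_OK)
            return s;
    }
    return CHAIN_OK;
}

static void fill(MiniHash *mh)       /* constructed sample table */
{
    mini_init(mh);
    mini_add(mh, "/srv/konecnekreslim.com/www/public/image.php");
    mini_add(mh, "REMOTE_ADDR");
    mini_add(mh, "SCRIPT_FILENAME");
}

enum chain_status scenario_healthy(void)
{
    MiniHash mh; fill(&mh);
    return check_table(&mh);
}

enum chain_status scenario_wild_pointer(void)  /* overwrite one pNext with the dump's value */
{
    MiniHash mh; fill(&mh);
    mh.arena[1].pNext = (Bucket *)(uintptr_t)0x16800259ff625ffULL;
    return check_table(&mh);
}

enum chain_status scenario_loop(void)          /* a bucket that points at itself */
{
    MiniHash mh; fill(&mh);
    mh.arena[2].pNext = &mh.arena[2];
    return check_table(&mh);
}

int main(void)
{
    printf("healthy=%d wild=%d loop=%d\n", scenario_healthy(), scenario_wild_pointer(), scenario_loop());
    return 0;
}
```

Build with any C99 compiler (cc -std=c99 -Wall). The point of the arena check is that the validator never touches memory through an unverified pointer, which is exactly where the reporter's `p *p` failed; the h-versus-slot check catches the dump's head bucket (h = 302 in slot 15, nKeyLength = 0) without needing a readable arKey at all.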
 [2015-03-30 11:56 UTC] mike@php.net
-Package: PHAR related +Package: Scripting Engine problem
 [2016-02-08 13:55 UTC] lluis dot garcia at gmail dot com
Same happening here.

PHP version: PHP 5.3.3 (cli) (built: Jul  9 2015 17:39:00)
Copyright (c) 1997-2010 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
    with Suhosin v0.9.29, Copyright (c) 2007, by SektionEins GmbH

Using CentOS 6.7 with package:
php.x86_64                             5.3.3-46.el6_6

I can't provide a script to reproduce it.

(gdb) bt
#0  0x00007f9515a7b46d in _zend_hash_add_or_update (ht=0x7f9521821878, arKey=0x7f95223fe028 "REMOTE_ADDR", nKeyLength=12, pData=0x7ffde2894550, nDataSize=8, pDest=0x7ffde2894548, flag=1) at /usr/src/debug/php-5.3.3/Zend/zend_hash.c:218
#1  0x00007f9515a2ad4b in zend_symtable_update (var_name=<value optimized out>, val=0x7ffde28945e0, track_vars_array=0x7f952201f450) at /usr/src/debug/php-5.3.3/Zend/zend_hash.h:346
#2  php_register_variable_ex (var_name=<value optimized out>, val=0x7ffde28945e0, track_vars_array=0x7f952201f450) at /usr/src/debug/php-5.3.3/main/php_variables.c:251
#3  0x00007f951593feb9 in php_sapi_filter (arg=<value optimized out>, var=0x7f95078ced1b "REMOTE_ADDR", val=0x7ffde2894648, val_len=12, new_val_len=0x0) at /usr/src/debug/php-5.3.3/ext/filter/filter.c:484
#4  0x00007f9515a24ecc in sapi_getenv (name=0x7f95078ced1b "REMOTE_ADDR", name_len=<value optimized out>) at /usr/src/debug/php-5.3.3/main/SAPI.c:954
#5  0x00007f95078c535b in suhosin_log () from /usr/lib64/php/modules/suhosin.so
#6  0x00007f95078c0e93 in ?? () from /usr/lib64/php/modules/suhosin.so
#7  0x00007f9515a816a5 in zend_restore_ini_entry_cb (ini_entry=0x7f95212c88b0, stage=8) at /usr/src/debug/php-5.3.3/Zend/zend_ini.c:57
#8  0x00007f9515a81781 in zend_restore_ini_entry_wrapper (ini_entry=<value optimized out>) at /usr/src/debug/php-5.3.3/Zend/zend_ini.c:81
#9  0x00007f9515a79885 in zend_hash_apply (ht=0x7f9521618488, apply_func=0x7f9515a81770 <zend_restore_ini_entry_wrapper>) at /usr/src/debug/php-5.3.3/Zend/zend_hash.c:671
#10 0x00007f9515a81bf0 in zend_ini_deactivate () at /usr/src/debug/php-5.3.3/Zend/zend_ini.c:121
#11 0x00007f9515a6dadf in zend_deactivate () at /usr/src/debug/php-5.3.3/Zend/zend.c:919
#12 0x00007f9515a1b675 in php_request_shutdown (dummy=<value optimized out>) at /usr/src/debug/php-5.3.3/main/main.c:1641
#13 0x00007f9515af60b7 in php_apache_request_dtor (r=0x7f952165a7e8) at /usr/src/debug/php-5.3.3/sapi/apache2handler/sapi_apache2.c:509
#14 php_handler (r=0x7f952165a7e8) at /usr/src/debug/php-5.3.3/sapi/apache2handler/sapi_apache2.c:681
#15 0x00007f95206ffe50 in ap_run_handler (r=0x7f952165a7e8) at /usr/src/debug/httpd-2.2.15/server/config.c:158
#16 0x00007f952070370e in ap_invoke_handler (r=0x7f952165a7e8) at /usr/src/debug/httpd-2.2.15/server/config.c:376
#17 0x00007f952070ee00 in ap_process_request (r=0x7f952165a7e8) at /usr/src/debug/httpd-2.2.15/modules/http/http_request.c:282
#18 0x00007f952070bc48 in ap_process_http_connection (c=0x7f9521633448) at /usr/src/debug/httpd-2.2.15/modules/http/http_core.c:190
#19 0x00007f9520707958 in ap_run_process_connection (c=0x7f9521633448) at /usr/src/debug/httpd-2.2.15/server/connection.c:43
#20 0x00007f9520713b97 in child_main (child_num_arg=<value optimized out>) at /usr/src/debug/httpd-2.2.15/server/mpm/prefork/prefork.c:667
#21 0x00007f9520713eaa in make_child (s=0x7f9521134870, slot=5) at /usr/src/debug/httpd-2.2.15/server/mpm/prefork/prefork.c:763
#22 0x00007f95207141db in startup_children (_pconf=<value optimized out>, plog=<value optimized out>, s=<value optimized out>) at /usr/src/debug/httpd-2.2.15/server/mpm/prefork/prefork.c:781
#23 ap_mpm_run (_pconf=<value optimized out>, plog=<value optimized out>, s=<value optimized out>) at /usr/src/debug/httpd-2.2.15/server/mpm/prefork/prefork.c:1002
#24 0x00007f95206eba30 in main (argc=1, argv=0x7ffde2899438) at /usr/src/debug/httpd-2.2.15/server/main.c:763
 [2018-09-22 17:19 UTC] cmb@php.net
-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb
 [2018-09-22 17:19 UTC] cmb@php.net
Does this still happen with any of the actively supported PHP
versions[1]?

[1] <http://php.net/supported-versions.php>
 [2018-09-22 19:53 UTC] majo-bugs dot php dot net at pematon dot com
-Status: Feedback +Status: Assigned
 [2018-09-22 19:53 UTC] majo-bugs dot php dot net at pematon dot com
No, it does not happen anymore. Feel free to close it.
 [2018-09-22 21:03 UTC] cmb@php.net
-Status: Assigned +Status: Closed
 [2018-09-22 21:03 UTC] cmb@php.net
Thanks!
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Wed May 22 09:01:25 2019 UTC