Bug 892158

Can you please provides the full list of installed extension
  rpm -qa php\*
  php -m

Can you also confirm that the crash still occurs without the XDebug extension (which is not part of RHEL).

Yes, the problem still happens without the XDebug extension.  I installed it after the crashes started happening to see if it would help me debug the issue.

The list of PHP-related RPMS includes:

[jsmith@web1 ~]$ rpm -qa php\*
php-pdo-5.3.3-14.el6_3.x86_64
php-pgsql-5.3.3-14.el6_3.x86_64
php-xml-5.3.3-14.el6_3.x86_64
php-adodb-4.95-1.a.el6.noarch
php-common-5.3.3-14.el6_3.x86_64
php-cli-5.3.3-14.el6_3.x86_64
php-devel-5.3.3-14.el6_3.x86_64
php-mysql-5.3.3-14.el6_3.x86_64
php-soap-5.3.3-14.el6_3.x86_64
php-mbstring-5.3.3-14.el6_3.x86_64
php-pear-1.9.4-4.el6.noarch
php-pecl-xdebug-2.1.4-1.el6.x86_64
php-5.3.3-14.el6_3.x86_64
php-gd-5.3.3-14.el6_3.x86_64

And here is PHP's list of modules:

[jsmith@web1 ~]$ php -m
[PHP Modules]
bz2
calendar
Core
ctype
curl
date
dom
ereg
exif
fileinfo
filter
ftp
gd
gettext
gmp
hash
iconv
json
libxml
mbstring
mysql
mysqli
openssl
pcntl
pcre
PDO
pdo_mysql
pdo_pgsql
pdo_sqlite
pgsql
Phar
readline
Reflection
session
shmop
SimpleXML
soap
sockets
SPL
sqlite3
standard
tokenizer
uploadprogress
wddx
xdebug
xml
xmlreader
xmlwriter
xsl
zip
zlib

[Zend Modules]
Xdebug

Hi Jared - do you have a backtrace from a core dump without Xdebug installed, and with php-debuginfo installed? 

There's a Zend garbage collector issue which could possibly be the cause of this, if we provide test packages would you be able to test them out?

Absolutely Joe-- I'd be more than happy to test out some packages... I just got the RHN administrator at my web host to enable the -debuginfo channel on this subscription, so I'm installing the debuginfo RPMs now.  I've also removed the Xdebug extension, so that we can get a backtrace without.

I'll update the bug in the next 30 minutes or so with an updated backtrace (with the debug symbols).

Created attachment 674917 [details]
Backtrace (with debug symbols)

Thanks.  This might well be unrelated to be the Zend GC issue.  The PHP code is triggering a Zend warning:

#11 0x00007fee1a47c13d in zend_error (type=8192, 
    format=0x7fee1a547070 "Call-time pass-by-reference has been deprecated")
    at /usr/src/debug/php-5.3.3/Zend/zend.c:1101

which is then invoking a Drupal-specified error handler, and the crash happens whilst evaluating that handler.  A simple workaround might be to flip "allow_call_time_pass_reference" to On in /etc/php.ini which should avoid triggering that warning in the first place.  Or there might be a fix to the Drupal code.

Turning off "allow_call_time_pass_reference" avoids triggering the warning and at least so far as kept httpd from segfaulting any more.  On the downside, I know longer when the code is using deprecated functions that need to be fixed :-/

Just so that I understand... are you saying that Drupal is doing something wrong to trigger that crash?  Is there something specific I should share with the Drupal developers to help them better address the issue?  Or is Drupal just hitting an unfortunate corner case in PHP which is causing the crash?

If think "Drupal just hitting an unfortunate corner case in PHP which is causing the crash", as any php code should never cause crash.

We need to get a simple reproducer for this issue (I cannot find one for now)

Which drupal version is it ? and how the error handler look like ?

Searching in PHP stream bug, I found some of interest
https://bugs.php.net/bug.php?id=52935 Call exit in user_error_handler cause stream relate core
https://bugs.php.net/bug.php?id=60738 Allow 'set_error_handler' to handle NULL

I think what I'm hitting is this particular PHP bug: https://bugs.php.net/bug.php?id=55339

The bug report includes a simple reproducer.

In looking at the PHP bug report, it appears that there is already a patch committed, but I don't know the PHP development model well enough to tell if it was simply committed to "trunk" or "head" or backported to PHP 5.3.

Thanks for the upstream link.

We got a simple reproducer now (bug55339.phpt) which raises a segfault:

#0  zend_switch_free (execute_data=0x7fffe7f0b268) at /usr/src/debug/php-5.3.3/Zend/zend_execute.c:382
#1  ZEND_SWITCH_FREE_SPEC_VAR_HANDLER (execute_data=0x7fffe7f0b268) at /usr/src/debug/php-5.3.3/Zend/zend_vm_execute.h:8392
#2  0x00000000005cc9c0 in execute (op_array=0xec05b8) at /usr/src/debug/php-5.3.3/Zend/zend_vm_execute.h:107
#3  0x00007ffff1e904b8 in xdebug_execute () from /usr/lib64/php/modules/xdebug.so
#4  0x00000000005d374b in ZEND_INCLUDE_OR_EVAL_SPEC_CONST_HANDLER (execute_data=0x7fffe7f0b168)
    at /usr/src/debug/php-5.3.3/Zend/zend_vm_execute.h:1960
#5  0x00000000005cc9c0 in execute (op_array=0xee68f0) at /usr/src/debug/php-5.3.3/Zend/zend_vm_execute.h:107
#6  0x00007ffff1e904b8 in xdebug_execute () from /usr/lib64/php/modules/xdebug.so
#7  0x000000000059d845 in zend_call_function (fci=0x7fffffff9850, fci_cache=<value optimized out>)
    at /usr/src/debug/php-5.3.3/Zend/zend_execute_API.c:963
#8  0x000000000059e3e0 in call_user_function_ex (function_table=<value optimized out>, object_pp=<value optimized out>, 
    function_name=<value optimized out>, retval_ptr_ptr=<value optimized out>, param_count=<value optimized out>, 
    params=<value optimized out>, no_separation=1, symbol_table=0x0) at /usr/src/debug/php-5.3.3/Zend/zend_execute_API.c:754
#9  0x00000000005a76fd in zend_error (type=8192, format=0x6732f0 "Call-time pass-by-reference has been deprecated")
    at /usr/src/debug/php-5.3.3/Zend/zend.c:1101
#10 0x0000000000591cbb in zend_do_pass_param (param=0x7fffffff9f60, op=67 'C', offset=2)
    at /usr/src/debug/php-5.3.3/Zend/zend_compile.c:2092
#11 0x000000000057b7a0 in zendparse () at /usr/src/debug/php-5.3.3/Zend/zend_language_parser.c:4029
#12 0x0000000000583340 in compile_string (source_string=0x7fffffffb8f0, filename=0xec1800 "") at Zend/zend_language_scanner.l:513
#13 0x00000000005d34ee in ZEND_INCLUDE_OR_EVAL_SPEC_CONST_HANDLER (execute_data=0x7fffe7f0b050)
    at /usr/src/debug/php-5.3.3/Zend/zend_vm_execute.h:1930
#14 0x00000000005cc9c0 in execute (op_array=0xebd7d8) at /usr/src/debug/php-5.3.3/Zend/zend_vm_execute.h:107
#15 0x00007ffff1e904b8 in xdebug_execute () from /usr/lib64/php/modules/xdebug.so
#16 0x00000000005a70fd in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/debug/php-5.3.3/Zend/zend.c:1194
#17 0x00000000005551d8 in php_execute_script (primary_file=0x7fffffffe260) at /usr/src/debug/php-5.3.3/main/main.c:2261
#18 0x0000000000630e35 in main (argc=2, argv=0x7fffffffe468) at /usr/src/debug/php-5.3.3/sapi/cli/php_cli.c:1192

I have run a test build, from RHEL-6.3 package with a single patch for this bug applied:
http://people.redhat.com/rcollet/.bug892158/

Jared can you please test it to confirm it fixes your issue.

I'll give those RPMs a shot later today, and let you know how they work.

OK, I've tested your updated RPMs, and they seem to fix the problem.  I've tried it on both the simple reproducer from the PHP bug, and on my production website.  

(As a side note, I'm having another problem with the RPMs in combination with php-pecl-apc, but I'm not sure that's being caused by these new RPMs -- let me do some more testing.)

*** Bug 895201 has been marked as a duplicate of this bug. ***

This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

The updated RPMs definitely fixed the problem -- any idea when this fix can be pushed into official RHEL packages?  (I've found several people seeing this problem in Fedora as well, for what it's worth, so I'd love to see this pushed to Fedora packages as well.)

@Jared, thanks for your feedback.

About Fedora, I'm quite surprised by your request, as the patch is a backport from upstream, it is already in Fedora packages (you can open a fedora specific bug).

Any status update on when the bug fixes might be available in updated RPMs for RHEL?

Can I please get a status update, or at a minimum, some updated RPMs with the patch applied?  I see that the RPMs in RHEL 6.4 have moved on to version php-5.3.3-22 and have several security fixes, but don't appear to have the fix identified in this bug report.  

I'm sort of stuck between using the updated RPMs and being vulnerable to the segfaults, or using older RPMs and being vulnerable to the other security issues.

(In reply to comment #21)
> Can I please get a status update, or at a minimum, some updated RPMs with
> the patch applied?  I see that the RPMs in RHEL 6.4 have moved on to version
> php-5.3.3-22 and have several security fixes, but don't appear to have the
> fix identified in this bug report.  

As explain in comment #16, this request was not resolved in time for the 6.4.

> I'm sort of stuck between using the updated RPMs and being vulnerable to the
> segfaults, or using older RPMs and being vulnerable to the other security
> issues.

A new test build, rebased from 6.4 packages, is available:
http://people.redhat.com/rcollet/.bug892158/

(In reply to comment #22)
> A new test build, rebased from 6.4 packages, is available:
> http://people.redhat.com/rcollet/.bug892158/

I finally got around to testing those pacakges this weekend -- but now I'm getting a different segfault :-(

Core was generated by `/usr/sbin/httpd'.
Program terminated with signal 11, Segmentation fault.
#0  zend_mm_remove_from_free_list (heap=<value optimized out>, 
    mm_block=0x7f114d3ae828)
    at /usr/src/debug/php-5.3.3/Zend/zend_alloc.c:826
826				ZEND_MM_CHECK_TREE(mm_block);


Core file is at http://web2.jaredsmith.net/core.2165, and the backtrace is at http://web2.jaredsmith.net/core.2165.backtrace.txt

@Jared: as this segfault seems closed to bug #910466, can you give a try to 
http://people.redhat.com/rcollet/.bug910466/

This 0.2 build includes the same fix than 0.1 and another for upstream bug #54268 (a double free during request shutdown).

@jared : have you see my comment 24 about 0.2 build ?

As, per your comment 14 and 18 the initial issue seems to be fixed, I propose to open a new bug the the new segfault (if not fixed by bug #910466 fix)

I don't have access to the 910446 bug (apparently it's marked as private), but I can't reproduce the new segfault in comment 23 very easily, so I'm not worried about it any more.  The 0.2 build in comment 24 seems to be working OK for me now, except for the PHP issue I'm still fighting a in bug 915138.

This bug can be closed.

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-1615.html