157457 – php segfault

Bug 157457 - php segfault

Summary: php segfault

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	php
Sub Component:
Version:	4
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Joe Orton
QA Contact:	David Lawrence
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2005-05-11 18:58 UTC by Tim Waugh
Modified:	2008-08-02 23:40 UTC (History)
CC List:	4 users (show)
Fixed In Version:	FC6
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2007-01-22 15:17:53 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
gdb session (23.30 KB, text/plain) 2005-05-12 09:42 UTC, Tim Waugh	no flags	Details
View All

Description Tim Waugh 2005-05-11 18:58:29 UTC

Description of problem:
I can get php to segfault.  100% reproducible.

Version-Release number of selected component (if applicable):
php-5.0.4-10
httpd-2.0.54-8

How reproducible:
100%

Steps to Reproduce:
1. I have an old version of gallery around that triggers this.

I attached gdb to one of the httpd processes and got this traceback.  What do I
need to do next?:

#0  0x00002aaaaf737a7b in zend_hash_find () from /etc/httpd/modules/libphp5.so
#1  0x00002aaaaf66f314 in php_add_session_var ()
   from /etc/httpd/modules/libphp5.so
#2  0x00002aaaaf671082 in zif_session_cache_expire ()
   from /etc/httpd/modules/libphp5.so
#3  0x00002aaaaf673ad6 in zif_session_register ()
   from /etc/httpd/modules/libphp5.so
#4  0x00002aaaaf750c4d in zend_do_fcall_common_helper ()
   from /etc/httpd/modules/libphp5.so
#5  0x00002aaaaf760919 in zend_do_fcall_handler ()
   from /etc/httpd/modules/libphp5.so
#6  0x00002aaaaf74e2c5 in execute () from /etc/httpd/modules/libphp5.so
#7  0x00002aaaaf763bc7 in zend_include_or_eval_handler ()
   from /etc/httpd/modules/libphp5.so
#8  0x00002aaaaf74e2c5 in execute () from /etc/httpd/modules/libphp5.so
#9  0x00002aaaaf763bc7 in zend_include_or_eval_handler ()
   from /etc/httpd/modules/libphp5.so
#10 0x00002aaaaf74e2c5 in execute () from /etc/httpd/modules/libphp5.so
#11 0x00002aaaaf72f05d in zend_execute_scripts ()
   from /etc/httpd/modules/libphp5.so
#12 0x00002aaaaf6f9fb7 in php_execute_script ()
   from /etc/httpd/modules/libphp5.so
#13 0x00002aaaaf767606 in php_ap2_register_hook ()
#14 0x0000555555572213 in ap_run_handler () from /usr/sbin/httpd
#15 0x0000555555572567 in ap_invoke_handler () from /usr/sbin/httpd
#16 0x000055555556f941 in ap_process_request () from /usr/sbin/httpd
#17 0x000055555556b00f in _start () from /usr/sbin/httpd
#18 0x000055555557b979 in ap_run_process_connection () from /usr/sbin/httpd
#19 0x00005555555706be in ap_graceful_stop_signalled () from /usr/sbin/httpd
#20 0x00005555555708f9 in ap_graceful_stop_signalled () from /usr/sbin/httpd
#21 0x0000555555571360 in ap_mpm_run () from /usr/sbin/httpd
#22 0x000055555557702d in main () from /usr/sbin/httpd

Comment 1 Marius Andreiana 2005-05-12 08:59:59 UTC

Does it crash on the 1st page of gallery (index.php) or later?  If later, what's
the URL previous the crash and what button/link do you press?

Could you make your gallery version available for download so I can try to
replicate too?

Thanks

Comment 2 Joe Orton 2005-05-12 09:09:33 UTC

A "backtrace full" with php-debuginfo and httpd-debuginfo installed would be
useful.  Do

echo CoreDumpDirectory /tmp > /etc/httpd/conf.d/coredump.conf

and restart the server and you'll get cores in /tmp, which is easier to deal with.

Comment 3 Tim Waugh 2005-05-12 09:42:59 UTC

Created attachment 114286 [details]
gdb session

"backtrace full" stopped after the first frame for some reason.  Anyway, here
the locals from each frame.

Core file is:

 http://cyberelk.net/tim/tmp/core.18737

I'll look at making a test case available.  It's not the first page on gallery,
but is only one click away (click on an album).  It's an older version of
gallery, though, and I may well have altered it since release.

Comment 4 Tim Waugh 2005-05-12 10:43:41 UTC

Here is a test case:

 http://cyberelk.net/tim/tmp/phpsegv.tar.bz2

mkdir /tmp/var-www
cd /tmp/var-www
tar jxf ~/phpsegv.tar.bz2
mount --bind /tmp/var-www /var/www/html
mozilla http://localhost/phpsegv

If it doesn't happen the first time, try again, or click on the 'login' link.

Comment 5 Sergio A. Kessler 2005-05-15 23:45:53 UTC

I'm seeing 
[notice] child pid 15204 exit signal Segmentation fault (11)
when calling session_ungerister() from php
and the file in /var/lib/php/session created is of 0 bytes

Comment 6 Tim Waugh 2005-05-20 15:46:58 UTC

For the record: happens on i386 too.

Comment 7 Tim Waugh 2005-05-20 17:13:23 UTC

I recompiled php with "optflags: i386 -g" and found that php_add_session_var was
getting called with *ps_globals.http_session_vars.value corrupted.  I ran gdb
against a running httpd and set a hardware watchpoint and found this:

Breakpoint 1, php_add_session_var (
    name=0xa10d78c "gallery_session_d1484fb089b961bc3938efd0679de2ad",
    namelen=48) at /usr/src/redhat/BUILD/php-5.0.4/ext/session/session.c:267
267             zval **sym_track = NULL;
(gdb) watch (*ps_globals.http_session_vars).value
Hardware watchpoint 2: (*ps_globals.http_session_vars).value
(gdb) c
Continuing.
Hardware watchpoint 2: (*ps_globals.http_session_vars).value

Old value =
    {lval = 166148036, dval = 2.204083827676867e-314, str = {val = 0x9e737c4
"\b", len = 1}, ht = 0x9e737c4, obj = {handle = 166148036, handlers = 0x1}}
New value =
    {lval = 0, dval = 2.1219957909652723e-314, str = {val = 0x0, len = 1}, ht =
0x0, obj = {handle = 0, handlers = 0x1}}
0x010fb7aa in zend_do_fcall_common_helper (execute_data=0xbfaf6728,
    opline=0xa10a69c, op_array=0xa09a79c)
    at /usr/src/redhat/BUILD/php-5.0.4/Zend/zend_execute.c:2710
2710                    INIT_ZVAL(*(EX_T(opline->result.u.var).var.ptr));
(gdb) c
Continuing.
Hardware watchpoint 2: (*ps_globals.http_session_vars).value

Old value =
    {lval = 0, dval = 2.1219957909652723e-314, str = {val = 0x0, len = 1}, ht =
0x0, obj = {handle = 0, handlers = 0x1}}
New value =
    {lval = 0, dval = 0, str = {val = 0x0, len = 0}, ht = 0x0, obj = {handle =
0, handlers = 0x0}}
0x010fb7ab in zend_do_fcall_common_helper (execute_data=0xbfaf6728,
    opline=0xa10a69c, op_array=0xa09a79c)
    at /usr/src/redhat/BUILD/php-5.0.4/Zend/zend_execute.c:2710
2710                    INIT_ZVAL(*(EX_T(opline->result.u.var).var.ptr));
(gdb)
Continuing.
Hardware watchpoint 2: (*ps_globals.http_session_vars).value

Old value =
    {lval = 0, dval = 0, str = {val = 0x0, len = 0}, ht = 0x0, obj = {handle =
0, handlers = 0x0}}
New value =
    {lval = 0, dval = 6.7903865310888714e-313, str = {val = 0x0, len = 32}, ht =
0x0, obj = {handle = 0, handlers = 0x20}}
0x0103884f in php_if_md5 (ht=1, return_value=0xa10886c, this_ptr=0x0,
    return_value_used=1)
    at /usr/src/redhat/BUILD/php-5.0.4/ext/standard/md5.c:66
66                      RETVAL_STRING(md5str, 1);

So php_if_md5() is getting called with return_value=0xa10886c.  But
ps_globals.http_session_vars==0xa10886c.

This seems to correspond to the PHP fragment:

if (is_array($_SESSION) && !empty($_SESSION)) {
        foreach($_SESSION as $key => $value) {
                $$key =& $_SESSION[$key];
        }
}

Does that shed any more light on this?

Comment 8 Joe Orton 2005-06-24 09:46:25 UTC

bug 160480 is another crash in the session hash manipulation.

Comment 9 Joe Orton 2005-06-24 14:31:49 UTC

That fragment of code is indeed key.  It's a refcounting issue: when that
foreach loop ends, the refcount of the http_session_vars hash table is
prematurely dropped to zero and so the memory gets reused.

Comment 10 Christian Iseli 2007-01-20 00:59:25 UTC

This report targets the FC3 or FC4 products, which have now been EOL'd.

Could you please check that it still applies to a current Fedora release, and
either update the target product or close it ?

Thanks.

Comment 11 Tim Waugh 2007-01-22 15:17:53 UTC

Doesn't seem to segfault now (but the original php script fails).

Note You need to log in before you can comment on or make changes to this bug.