This service will be undergoing maintenance at 00:00 UTC, 2016-09-28. It is expected to last about 1 hours
Bug 157457 - php segfault
php segfault
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: php (Show other bugs)
4
All Linux
medium Severity medium
: ---
: ---
Assigned To: Joe Orton
David Lawrence
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-05-11 14:58 EDT by Tim Waugh
Modified: 2008-08-02 19:40 EDT (History)
4 users (show)

See Also:
Fixed In Version: FC6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-01-22 10:17:53 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)
gdb session (23.30 KB, text/plain)
2005-05-12 05:42 EDT, Tim Waugh
no flags Details

  None (edit)
Description Tim Waugh 2005-05-11 14:58:29 EDT
Description of problem:
I can get php to segfault.  100% reproducible.

Version-Release number of selected component (if applicable):
php-5.0.4-10
httpd-2.0.54-8

How reproducible:
100%

Steps to Reproduce:
1. I have an old version of gallery around that triggers this.

I attached gdb to one of the httpd processes and got this traceback.  What do I
need to do next?:

#0  0x00002aaaaf737a7b in zend_hash_find () from /etc/httpd/modules/libphp5.so
#1  0x00002aaaaf66f314 in php_add_session_var ()
   from /etc/httpd/modules/libphp5.so
#2  0x00002aaaaf671082 in zif_session_cache_expire ()
   from /etc/httpd/modules/libphp5.so
#3  0x00002aaaaf673ad6 in zif_session_register ()
   from /etc/httpd/modules/libphp5.so
#4  0x00002aaaaf750c4d in zend_do_fcall_common_helper ()
   from /etc/httpd/modules/libphp5.so
#5  0x00002aaaaf760919 in zend_do_fcall_handler ()
   from /etc/httpd/modules/libphp5.so
#6  0x00002aaaaf74e2c5 in execute () from /etc/httpd/modules/libphp5.so
#7  0x00002aaaaf763bc7 in zend_include_or_eval_handler ()
   from /etc/httpd/modules/libphp5.so
#8  0x00002aaaaf74e2c5 in execute () from /etc/httpd/modules/libphp5.so
#9  0x00002aaaaf763bc7 in zend_include_or_eval_handler ()
   from /etc/httpd/modules/libphp5.so
#10 0x00002aaaaf74e2c5 in execute () from /etc/httpd/modules/libphp5.so
#11 0x00002aaaaf72f05d in zend_execute_scripts ()
   from /etc/httpd/modules/libphp5.so
#12 0x00002aaaaf6f9fb7 in php_execute_script ()
   from /etc/httpd/modules/libphp5.so
#13 0x00002aaaaf767606 in php_ap2_register_hook ()
#14 0x0000555555572213 in ap_run_handler () from /usr/sbin/httpd
#15 0x0000555555572567 in ap_invoke_handler () from /usr/sbin/httpd
#16 0x000055555556f941 in ap_process_request () from /usr/sbin/httpd
#17 0x000055555556b00f in _start () from /usr/sbin/httpd
#18 0x000055555557b979 in ap_run_process_connection () from /usr/sbin/httpd
#19 0x00005555555706be in ap_graceful_stop_signalled () from /usr/sbin/httpd
#20 0x00005555555708f9 in ap_graceful_stop_signalled () from /usr/sbin/httpd
#21 0x0000555555571360 in ap_mpm_run () from /usr/sbin/httpd
#22 0x000055555557702d in main () from /usr/sbin/httpd
Comment 1 Marius Andreiana 2005-05-12 04:59:59 EDT
Does it crash on the 1st page of gallery (index.php) or later?  If later, what's
the URL previous the crash and what button/link do you press?

Could you make your gallery version available for download so I can try to
replicate too?

Thanks
Comment 2 Joe Orton 2005-05-12 05:09:33 EDT
A "backtrace full" with php-debuginfo and httpd-debuginfo installed would be
useful.  Do

echo CoreDumpDirectory /tmp > /etc/httpd/conf.d/coredump.conf

and restart the server and you'll get cores in /tmp, which is easier to deal with.
Comment 3 Tim Waugh 2005-05-12 05:42:59 EDT
Created attachment 114286 [details]
gdb session

"backtrace full" stopped after the first frame for some reason.  Anyway, here
the locals from each frame.

Core file is:

 http://cyberelk.net/tim/tmp/core.18737

I'll look at making a test case available.  It's not the first page on gallery,
but is only one click away (click on an album).  It's an older version of
gallery, though, and I may well have altered it since release.
Comment 4 Tim Waugh 2005-05-12 06:43:41 EDT
Here is a test case:

 http://cyberelk.net/tim/tmp/phpsegv.tar.bz2

mkdir /tmp/var-www
cd /tmp/var-www
tar jxf ~/phpsegv.tar.bz2
mount --bind /tmp/var-www /var/www/html
mozilla http://localhost/phpsegv

If it doesn't happen the first time, try again, or click on the 'login' link.
Comment 5 Sergio A. Kessler 2005-05-15 19:45:53 EDT
I'm seeing 
[notice] child pid 15204 exit signal Segmentation fault (11)
when calling session_ungerister() from php
and the file in /var/lib/php/session created is of 0 bytes
Comment 6 Tim Waugh 2005-05-20 11:46:58 EDT
For the record: happens on i386 too.
Comment 7 Tim Waugh 2005-05-20 13:13:23 EDT
I recompiled php with "optflags: i386 -g" and found that php_add_session_var was
getting called with *ps_globals.http_session_vars.value corrupted.  I ran gdb
against a running httpd and set a hardware watchpoint and found this:

Breakpoint 1, php_add_session_var (
    name=0xa10d78c "gallery_session_d1484fb089b961bc3938efd0679de2ad",
    namelen=48) at /usr/src/redhat/BUILD/php-5.0.4/ext/session/session.c:267
267             zval **sym_track = NULL;
(gdb) watch (*ps_globals.http_session_vars).value
Hardware watchpoint 2: (*ps_globals.http_session_vars).value
(gdb) c
Continuing.
Hardware watchpoint 2: (*ps_globals.http_session_vars).value

Old value =
    {lval = 166148036, dval = 2.204083827676867e-314, str = {val = 0x9e737c4
"\b", len = 1}, ht = 0x9e737c4, obj = {handle = 166148036, handlers = 0x1}}
New value =
    {lval = 0, dval = 2.1219957909652723e-314, str = {val = 0x0, len = 1}, ht =
0x0, obj = {handle = 0, handlers = 0x1}}
0x010fb7aa in zend_do_fcall_common_helper (execute_data=0xbfaf6728,
    opline=0xa10a69c, op_array=0xa09a79c)
    at /usr/src/redhat/BUILD/php-5.0.4/Zend/zend_execute.c:2710
2710                    INIT_ZVAL(*(EX_T(opline->result.u.var).var.ptr));
(gdb) c
Continuing.
Hardware watchpoint 2: (*ps_globals.http_session_vars).value

Old value =
    {lval = 0, dval = 2.1219957909652723e-314, str = {val = 0x0, len = 1}, ht =
0x0, obj = {handle = 0, handlers = 0x1}}
New value =
    {lval = 0, dval = 0, str = {val = 0x0, len = 0}, ht = 0x0, obj = {handle =
0, handlers = 0x0}}
0x010fb7ab in zend_do_fcall_common_helper (execute_data=0xbfaf6728,
    opline=0xa10a69c, op_array=0xa09a79c)
    at /usr/src/redhat/BUILD/php-5.0.4/Zend/zend_execute.c:2710
2710                    INIT_ZVAL(*(EX_T(opline->result.u.var).var.ptr));
(gdb)
Continuing.
Hardware watchpoint 2: (*ps_globals.http_session_vars).value

Old value =
    {lval = 0, dval = 0, str = {val = 0x0, len = 0}, ht = 0x0, obj = {handle =
0, handlers = 0x0}}
New value =
    {lval = 0, dval = 6.7903865310888714e-313, str = {val = 0x0, len = 32}, ht =
0x0, obj = {handle = 0, handlers = 0x20}}
0x0103884f in php_if_md5 (ht=1, return_value=0xa10886c, this_ptr=0x0,
    return_value_used=1)
    at /usr/src/redhat/BUILD/php-5.0.4/ext/standard/md5.c:66
66                      RETVAL_STRING(md5str, 1);

So php_if_md5() is getting called with return_value=0xa10886c.  But
ps_globals.http_session_vars==0xa10886c.

This seems to correspond to the PHP fragment:

if (is_array($_SESSION) && !empty($_SESSION)) {
        foreach($_SESSION as $key => $value) {
                $$key =& $_SESSION[$key];
        }
}

Does that shed any more light on this?
Comment 8 Joe Orton 2005-06-24 05:46:25 EDT
bug 160480 is another crash in the session hash manipulation.
Comment 9 Joe Orton 2005-06-24 10:31:49 EDT
That fragment of code is indeed key.  It's a refcounting issue: when that
foreach loop ends, the refcount of the http_session_vars hash table is
prematurely dropped to zero and so the memory gets reused.
Comment 10 Christian Iseli 2007-01-19 19:59:25 EST
This report targets the FC3 or FC4 products, which have now been EOL'd.

Could you please check that it still applies to a current Fedora release, and
either update the target product or close it ?

Thanks.
Comment 11 Tim Waugh 2007-01-22 10:17:53 EST
Doesn't seem to segfault now (but the original php script fails).

Note You need to log in before you can comment on or make changes to this bug.