Bug 157457 - php segfault
Summary: php segfault
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: php
Version: 4
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Joe Orton
QA Contact: David Lawrence
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2005-05-11 18:58 UTC by Tim Waugh
Modified: 2008-08-02 23:40 UTC (History)
CC: 4 users

Fixed In Version: FC6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-01-22 15:17:53 UTC


Attachments
gdb session (deleted), 2005-05-12 09:42 UTC, Tim Waugh

Description Tim Waugh 2005-05-11 18:58:29 UTC
Description of problem:
I can get php to segfault.  100% reproducible.

Version-Release number of selected component (if applicable):
php-5.0.4-10
httpd-2.0.54-8

How reproducible:
100%

Steps to Reproduce:
1. I have an old version of gallery around that triggers this.

I attached gdb to one of the httpd processes and got this traceback.  What do I
need to do next?:

#0  0x00002aaaaf737a7b in zend_hash_find () from /etc/httpd/modules/libphp5.so
#1  0x00002aaaaf66f314 in php_add_session_var ()
   from /etc/httpd/modules/libphp5.so
#2  0x00002aaaaf671082 in zif_session_cache_expire ()
   from /etc/httpd/modules/libphp5.so
#3  0x00002aaaaf673ad6 in zif_session_register ()
   from /etc/httpd/modules/libphp5.so
#4  0x00002aaaaf750c4d in zend_do_fcall_common_helper ()
   from /etc/httpd/modules/libphp5.so
#5  0x00002aaaaf760919 in zend_do_fcall_handler ()
   from /etc/httpd/modules/libphp5.so
#6  0x00002aaaaf74e2c5 in execute () from /etc/httpd/modules/libphp5.so
#7  0x00002aaaaf763bc7 in zend_include_or_eval_handler ()
   from /etc/httpd/modules/libphp5.so
#8  0x00002aaaaf74e2c5 in execute () from /etc/httpd/modules/libphp5.so
#9  0x00002aaaaf763bc7 in zend_include_or_eval_handler ()
   from /etc/httpd/modules/libphp5.so
#10 0x00002aaaaf74e2c5 in execute () from /etc/httpd/modules/libphp5.so
#11 0x00002aaaaf72f05d in zend_execute_scripts ()
   from /etc/httpd/modules/libphp5.so
#12 0x00002aaaaf6f9fb7 in php_execute_script ()
   from /etc/httpd/modules/libphp5.so
#13 0x00002aaaaf767606 in php_ap2_register_hook ()
#14 0x0000555555572213 in ap_run_handler () from /usr/sbin/httpd
#15 0x0000555555572567 in ap_invoke_handler () from /usr/sbin/httpd
#16 0x000055555556f941 in ap_process_request () from /usr/sbin/httpd
#17 0x000055555556b00f in _start () from /usr/sbin/httpd
#18 0x000055555557b979 in ap_run_process_connection () from /usr/sbin/httpd
#19 0x00005555555706be in ap_graceful_stop_signalled () from /usr/sbin/httpd
#20 0x00005555555708f9 in ap_graceful_stop_signalled () from /usr/sbin/httpd
#21 0x0000555555571360 in ap_mpm_run () from /usr/sbin/httpd
#22 0x000055555557702d in main () from /usr/sbin/httpd

Comment 1 Marius Andreiana 2005-05-12 08:59:59 UTC
Does it crash on the 1st page of gallery (index.php) or later?  If later, what's
the URL before the crash and what button/link do you press?

Could you make your gallery version available for download so I can try to
replicate too?

Thanks

Comment 2 Joe Orton 2005-05-12 09:09:33 UTC
A "backtrace full" with php-debuginfo and httpd-debuginfo installed would be
useful.  Do

echo CoreDumpDirectory /tmp > /etc/httpd/conf.d/coredump.conf

and restart the server and you'll get cores in /tmp, which is easier to deal with.

Comment 3 Tim Waugh 2005-05-12 09:42:59 UTC
Created attachment 114286 [details]
gdb session

"backtrace full" stopped after the first frame for some reason.  Anyway, here
are the locals from each frame.

Core file is:

 http://cyberelk.net/tim/tmp/core.18737

I'll look at making a test case available.  It's not the first page on gallery,
but is only one click away (click on an album).  It's an older version of
gallery, though, and I may well have altered it since release.

Comment 4 Tim Waugh 2005-05-12 10:43:41 UTC
Here is a test case:

 http://cyberelk.net/tim/tmp/phpsegv.tar.bz2

mkdir /tmp/var-www
cd /tmp/var-www
tar jxf ~/phpsegv.tar.bz2
mount --bind /tmp/var-www /var/www/html
mozilla http://localhost/phpsegv

If it doesn't happen the first time, try again, or click on the 'login' link.


Comment 5 Sergio A. Kessler 2005-05-15 23:45:53 UTC
I'm seeing 
[notice] child pid 15204 exit signal Segmentation fault (11)
when calling session_unregister() from php
and the file in /var/lib/php/session created is of 0 bytes


Comment 6 Tim Waugh 2005-05-20 15:46:58 UTC
For the record: happens on i386 too.

Comment 7 Tim Waugh 2005-05-20 17:13:23 UTC
I recompiled php with "optflags: i386 -g" and found that php_add_session_var was
getting called with *ps_globals.http_session_vars.value corrupted.  I ran gdb
against a running httpd and set a hardware watchpoint and found this:

Breakpoint 1, php_add_session_var (
    name=0xa10d78c "gallery_session_d1484fb089b961bc3938efd0679de2ad",
    namelen=48) at /usr/src/redhat/BUILD/php-5.0.4/ext/session/session.c:267
267             zval **sym_track = NULL;
(gdb) watch (*ps_globals.http_session_vars).value
Hardware watchpoint 2: (*ps_globals.http_session_vars).value
(gdb) c
Continuing.
Hardware watchpoint 2: (*ps_globals.http_session_vars).value

Old value =
    {lval = 166148036, dval = 2.204083827676867e-314, str = {val = 0x9e737c4
"\b", len = 1}, ht = 0x9e737c4, obj = {handle = 166148036, handlers = 0x1}}
New value =
    {lval = 0, dval = 2.1219957909652723e-314, str = {val = 0x0, len = 1}, ht =
0x0, obj = {handle = 0, handlers = 0x1}}
0x010fb7aa in zend_do_fcall_common_helper (execute_data=0xbfaf6728,
    opline=0xa10a69c, op_array=0xa09a79c)
    at /usr/src/redhat/BUILD/php-5.0.4/Zend/zend_execute.c:2710
2710                    INIT_ZVAL(*(EX_T(opline->result.u.var).var.ptr));
(gdb) c
Continuing.
Hardware watchpoint 2: (*ps_globals.http_session_vars).value

Old value =
    {lval = 0, dval = 2.1219957909652723e-314, str = {val = 0x0, len = 1}, ht =
0x0, obj = {handle = 0, handlers = 0x1}}
New value =
    {lval = 0, dval = 0, str = {val = 0x0, len = 0}, ht = 0x0, obj = {handle =
0, handlers = 0x0}}
0x010fb7ab in zend_do_fcall_common_helper (execute_data=0xbfaf6728,
    opline=0xa10a69c, op_array=0xa09a79c)
    at /usr/src/redhat/BUILD/php-5.0.4/Zend/zend_execute.c:2710
2710                    INIT_ZVAL(*(EX_T(opline->result.u.var).var.ptr));
(gdb)
Continuing.
Hardware watchpoint 2: (*ps_globals.http_session_vars).value

Old value =
    {lval = 0, dval = 0, str = {val = 0x0, len = 0}, ht = 0x0, obj = {handle =
0, handlers = 0x0}}
New value =
    {lval = 0, dval = 6.7903865310888714e-313, str = {val = 0x0, len = 32}, ht =
0x0, obj = {handle = 0, handlers = 0x20}}
0x0103884f in php_if_md5 (ht=1, return_value=0xa10886c, this_ptr=0x0,
    return_value_used=1)
    at /usr/src/redhat/BUILD/php-5.0.4/ext/standard/md5.c:66
66                      RETVAL_STRING(md5str, 1);

So php_if_md5() is getting called with return_value=0xa10886c.  But
ps_globals.http_session_vars==0xa10886c.

This seems to correspond to the PHP fragment:

if (is_array($_SESSION) && !empty($_SESSION)) {
        foreach($_SESSION as $key => $value) {
                $$key =& $_SESSION[$key];
        }
}

Does that shed any more light on this?

Comment 8 Joe Orton 2005-06-24 09:46:25 UTC
bug 160480 is another crash in the session hash manipulation.

Comment 9 Joe Orton 2005-06-24 14:31:49 UTC
That fragment of code is indeed key.  It's a refcounting issue: when that
foreach loop ends, the refcount of the http_session_vars hash table is
prematurely dropped to zero and so the memory gets reused.

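The mechanism in comment 9 (the loop's extra decrement frees the session variable table, and the next allocation, md5()'s return_value in comment 7, lands at the same address) can be modelled outside PHP. The following C program is an added example written for this page; it is not PHP engine code or anything from the bug report. It assumes a toy slab allocator that hands back the lowest free slot, a refcount field that frees the slot at zero, and a `foreach_by_ref()` stand-in for `foreach ($_SESSION as $key => $value) { $$key =& $_SESSION[$key]; }` whose `buggy` flag adds the premature release. Names such as `ps_globals_t`, `ht_slot`, `run_scenario()` and `session_vars_alive()` are invented for the model.

```c
/* Added example: a model of refcounted, slab-allocated hash tables that
 * reproduces the failure mode described in comment 9. Not PHP source code;
 * all names and the allocator are assumptions made for the demonstration. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define POOL_SLOTS 4

typedef struct {
    int refcount;   /* owners of this table; slot is freed when it hits 0 */
    int in_use;     /* 0 == on the free list, eligible for reuse */
    char tag[32];   /* what the slot currently holds, for the demo only */
} ht_slot;

static ht_slot pool[POOL_SLOTS];

static void pool_reset(void) { memset(pool, 0, sizeof pool); }

/* Hands out the lowest-index free slot, like an allocator that reuses the
 * most recently freed chunk of the right size. */
static ht_slot *ht_alloc(const char *tag) {
    for (int i = 0; i < POOL_SLOTS; i++) {
        if (!pool[i].in_use) {
            pool[i].in_use = 1;
            pool[i].refcount = 1;
            strncpy(pool[i].tag, tag, sizeof pool[i].tag - 1);
            pool[i].tag[sizeof pool[i].tag - 1] = '\0';
            return &pool[i];
        }
    }
    return NULL;
}

static void ht_addref(ht_slot *h) { h->refcount++; }

/* Returns 1 if this release dropped the refcount to 0 and freed the slot. */
static int ht_release(ht_slot *h) {
    if (h->refcount > 0 && --h->refcount == 0) {
        h->in_use = 0;          /* back on the free list: next alloc reuses it */
        return 1;
    }
    return 0;
}

/* Stand-in for ps_globals: the session module owns one reference. */
typedef struct { ht_slot *http_session_vars; } ps_globals_t;

/* Stand-in for the loop  foreach ($_SESSION as $key => $value) { $$key =& $_SESSION[$key]; }
 * A correct engine takes one reference to the container for the life of the
 * loop and drops exactly that one when the loop ends. With buggy != 0 the
 * engine drops one reference too many, which is what comment 9 describes. */
static void foreach_by_ref(ps_globals_t *g, int buggy) {
    ht_slot *container = g->http_session_vars;
    ht_addref(container);       /* the loop holds the array */
    /* ... loop body taking references into the container (elided) ... */
    ht_release(container);      /* loop ends: drop the loop's reference */
    if (buggy)
        ht_release(container);  /* extra decrement: session module's reference is gone */
}

/* After the loop the script calls md5(); the engine allocates its return value.
 * Returns 1 if that allocation aliases the session variable table, i.e. the
 * situation seen in comment 7 where return_value == ps_globals.http_session_vars. */
static int run_scenario(int buggy) {
    pool_reset();
    ps_globals_t g;
    g.http_session_vars = ht_alloc("http_session_vars");
    foreach_by_ref(&g, buggy);
    ht_slot *md5_return_value = ht_alloc("md5 return_value");
    return md5_return_value == g.http_session_vars;
}

/* The invariant a practitioner would assert after the loop: the session
 * module's own reference is still accounted for and the table is still live. */
static int session_vars_alive(int buggy) {
    pool_reset();
    ps_globals_t g;
    g.http_session_vars = ht_alloc("http_session_vars");
    foreach_by_ref(&g, buggy);
    return g.http_session_vars->in_use && g.http_session_vars->refcount == 1;
}

int main(void) {
    printf("correct engine: md5 return_value aliases session vars? %d\n", run_scenario(0));
    printf("buggy engine:   md5 return_value aliases session vars? %d\n", run_scenario(1));
    printf("session vars alive after loop (correct=%d, buggy=%d)\n",
           session_vars_alive(0), session_vars_alive(1));
    return 0;
}
```

With the buggy flag set, the slot that held the session table is handed straight back to the next caller, so any later write through the old pointer (the `INIT_ZVAL` and `RETVAL_STRING` stores that the hardware watchpoint in comment 7 caught) clobbers whatever now lives there, and `zend_hash_find()` eventually dereferences garbage. The practical takeaway is the one Joe Orton's diagnosis implies: when a crash backtrace lands in hash lookups on a long-lived global, a watchpoint on that global's storage is usually faster than stepping, because it points at the last writer rather than the eventual victim.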
Comment 10 Christian Iseli 2007-01-20 00:59:25 UTC
This report targets the FC3 or FC4 products, which have now been EOL'd.

Could you please check that it still applies to a current Fedora release, and
either update the target product or close it?

Thanks.

Comment 11 Tim Waugh 2007-01-22 15:17:53 UTC
Doesn't seem to segfault now (but the original php script fails).

