ID:               36884
Comment by:       dombug at aggmedia dot net
Reported By:      guenther dot unterrainer at gknsintermetals dot com
Status:           No Feedback
Bug Type:         Apache related
Operating System: SLES9 SP3 x86-64
PHP Version:      4.4.2
New Comment:

Been seeing the double linked list problem reported in bug #37201 and
tried to reproduce it using simple code, but ended up reproducing this
bug instead. I'm guessing they're related.

Working on a more detailed backtrace (w/gdb/enable-debug), php config,
and PHP 4.4.8 (untested), but for now here is the reproduce that
segfaults on PHP 4.3.8 and 4.4.0, followed by the simple backtrace.

Looks like a problem with cyclic references, in that an object with a
dom as a property of itself will seemingly corrupt memory if the dom is
modified. See the code below.

PHPINFO
-------
PHP Version => 4.4.0
System => Linux lnx04 2.6.16.21-0.8-smp #1 SMP Mon Jul 3 18:25:39 UTC 2006 x86_64
Build Date => Aug 28 2007 12:57:58
Configure Command => './configure' '--prefix=/usr' '--datadir=/usr/share/php' '--mandir=/usr/share/man' '--bindir=/usr/bin' '--libdir=/usr/share' '--includedir=/usr/include' '--sysconfdir=/etc' '--with-_lib=lib64' '--with-config-file-path=/etc' '--with-exec-dir=/usr/lib64/php/bin' '--disable-debug' '--enable-inline-optimization' '--enable-memory-limit' '--enable-magic-quotes' '--enable-safe-mode' '--enable-sigchild' '--disable-ctype' '--disable-session' '--without-mysql' '--disable-cli' '--without-pear' '--with-openssl' '--enable-force-cgi-redirect' '--enable-discard-path' '--enable-cli' '--with-pear' 'x86_64-suse-linux'

REPRODUCE
---------
class dummy {
    var $dom = null;
    var $me = null;

    function setDomByXpath ($xpath, $value) {
        $context = $this->dom->xpath_new_context();
        $result = xpath_eval($context, $xpath);
        $nodes = $result->nodeset;
        $nodes[0]->set_content($value);
    }
}

$xml = '<a><b/></a>';
$o = new dummy();
$o->dom = domxml_open_mem($xml);
$o->setDomByXpath('/a/b','xxxx'); // comment this out and it works
$o->me = $o;
$o->me = $o; // comment this out and it works
echo $o->dom->dump_mem()."\n";
echo time().': '.memory_get_usage();flush();

SEGFAULT
--------
[EMAIL PROTECTED]:/tmp> ./domtest.php
<?xml version="1.0"?>
<a><b>xxxx</b></a>
1195108231: 46536*** glibc detected *** /usr/local/bin/php: double free or corruption (!prev): 0x000000000074d310 ***
======= Backtrace: =========
/lib64/libc.so.6[0x2b459279a37e]
/lib64/libc.so.6(__libc_free+0x6c)[0x2b459279b99c]
/usr/local/bin/php(shutdown_memory_manager+0x9b)[0x4cdb4b]
/usr/local/bin/php(php_request_shutdown+0x2ec)[0x4afbbc]
/usr/local/bin/php(main+0x33f)[0x4fb3df]
/lib64/libc.so.6(__libc_start_main+0xf4)[0x2b459274c154]
/usr/local/bin/php[0x41fd59]


Previous Comments:
------------------------------------------------------------------------

[2007-05-23 04:41:24] tuliogs at pgt dot mpt dot gov dot br

As noted in the notes for Oracle Functions online documentation, this
issue was already solved in PECL oci8 1.2.1 and later, but is still
present in 4.4.7.

To solve this, you'll have to go through the following steps (modified
from Rainer Klier's notes on that page):

0. (before anything): be sure to have the path to instantclient in your
   LD_LIBRARY_PATH
1. download latest oci8-package from http://pecl.php.net/package/oci8
   (if you already have PHP installed), just do "pecl download oci8"
2. extract package somewhere
3. go to php-4.4.x-source directory
4. rm -rf ext/oci8
5. cp extracted oci8-1.2.x directory to/as ext/oci8
6. make distclean
7. If you use autoconf 2.5 and later (maybe other versions too),
   present in updated RedHat/CentOS 4.4 and 5, you MUST delete PHP's
   configure script, or it will do nothing: rm configure
8. ./buildconf --force
9. ./configure (with the options you need)
   --with-oci8=instantclient,/path/to/instantclient
   (notice you'll be using PHP5 syntax for --with-oci8)
10. make
11. ONLY for x86_64, and not really mandatory (same effect as manually
    editing "memory_limit = 128M" in php.ini, if existing):
    11.1. create pear-install.ini:
    -----------------------------------------------
    [PHP]
    memory_limit = 128M
    ------------------------------------------------
    11.2. edit Makefile:
    replace:
    PEAR_INSTALL_FLAGS = -n -dshort_open_tag=0 -dsafe_mode=0
    with:
    PEAR_INSTALL_FLAGS = -cpear-install.ini -dshort_open_tag=0 -dsafe_mode=0
12. make install
13. if not already, set
    LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/path/to/instantclient" in your
    environment (one of profile, apachectl, or /etc/rc.d/init.d/httpd
    scripts, as you prefer) BEFORE starting Apache. No need to set
    TNS_ADMIN and tnsnames.ora for Instant Client, IF and only if
    Oracle's easy syntax is available - see
    http://download-east.oracle.com/docs/cd/B12037_01/network.101/b10775/naming.htm#i498306
14. have fun!

One example of easily reproducing sample for this issue is
phpBB-3.0-RC1. I know it's not small, but it's very easy and simple to
pick, and you'll probably get this kind of error still in the install
screens, past the database settings.

Now I think it's past time to update oci8, ;) this bug is really more
than just an annoyance.

*Note: presently, oci8 v1.2.3 may cause the following warning in some
scripts: "ocilogoff(): supplied resource is not a valid oci8 connection
resource in /path/to/script", but this is less troublesome and easily
treated with adjusting logging facilities in php.ini while the scripts
are adjusted.

Cheers!

------------------------------------------------------------------------

[2006-10-13 08:13:02] kutovoy at gmail dot com

I found out that this problem (in my case) was connected with unpacking
(gz) corrupted (truncated) data from the database, after some headache
with debugging and testing. I stored compressed data in a TEXT field,
but the data was 85Kb in length and was truncated to 65535. I think
gzuncompress causes those glibc errors. After altering the field to
LONGBLOB the problem was gone.

Good luck!

------------------------------------------------------------------------

[2006-10-11 14:01:11] kutovoy at gmail dot com

The same errors on big arrays of objects, on PHP 4.4.2. I'm now trying
to figure out a working version of PHP.

*** glibc detected *** free(): invalid pointer: 0x08925b00 ***
[Wed Oct 11 09:26:06 2006] [notice] child pid 2610 exit signal Aborted (6)
[Wed Oct 11 09:28:38 2006] [error] [client 194.247.xxx.yyy] File does not exist: /xxx/htdocs/yyy/favicon.ico
[Wed Oct 11 10:58:43 2006] [notice] child pid 4059 exit signal Segmentation fault (11)

and similar with

*** glibc detected *** corrupted double-linked list:

------------------------------------------------------------------------

[2006-10-05 21:14:55] ndickerson at gmi-mr dot com

I have also encountered this bug on php 4.3.10 using php xmlrpc
libraries (phpxmlrpc.sourceforge.net) and processing an array of 20,000
records using the library, which happens to create a large number of
objects.

*** glibc detected *** double free or corruption (!prev): 0x0fbf24b8 ***

is followed by some

*** glibc detected *** corrupted double-linked list: 0x006f4858 ***

There are also some other errors that I have lost that occur in the
place of the double free or corruption error. This works fine when it
is not processing as many objects.

------------------------------------------------------------------------

[2006-10-05 16:53:12] egon at inf dot ufpr dot br

The above code works fine in 5.1. It crashes on PHP 4.3.4, 4.4.2 and
4.4.4 on both linux/windows.

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
    http://bugs.php.net/36884

-- 
Edit this bug report at http://bugs.php.net/?id=36884&edit=1
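
Added example, not part of the bug report or of PHP's own code: the 2006-10-13 comment above traces the glibc aborts to compressed data cut off at 65535 bytes in a TEXT column and then handed to gzuncompress. One way to reject such a blob before it reaches the decompressor is a length-and-digest header; pack_blob and unpack_blob are hypothetical helper names, the payload is constructed sample data, and modern PHP (7.1 or later) is assumed.

```php
<?php
// Added example: detect a truncated compressed blob before decompressing it.
// pack_blob()/unpack_blob() are hypothetical helpers, not a PHP or oci8 API.

const TEXT_MAX   = 65535;  // TEXT column limit named in the comment
const HEADER_LEN = 36;     // 4-byte length + 32-byte SHA-256 digest

// Prefix the compressed payload with its length and digest so that a short
// or altered blob can be recognised without calling gzuncompress() on it.
function pack_blob(string $plain): string
{
    $z = gzcompress($plain, 6);
    return pack('N', strlen($z)) . hash('sha256', $z, true) . $z;
}

// Returns the original data, or null when the stored blob is short or altered.
function unpack_blob(string $stored): ?string
{
    if (strlen($stored) < HEADER_LEN) {
        return null;                          // header itself is incomplete
    }
    $len    = unpack('N', substr($stored, 0, 4))[1];
    $digest = substr($stored, 4, 32);
    $z      = substr($stored, HEADER_LEN);

    // Length check catches truncation; digest check catches any other change.
    if (strlen($z) !== $len
        || !hash_equals($digest, hash('sha256', $z, true))) {
        return null;                          // do not decompress
    }
    $plain = @gzuncompress($z);
    return $plain === false ? null : $plain;
}

// Constructed sample: about 85 KB of incompressible bytes, so the compressed
// form is larger than a TEXT column can hold.
$plain     = random_bytes(85 * 1024);
$blob      = pack_blob($plain);
$truncated = substr($blob, 0, TEXT_MAX);      // what the TEXT column would keep

var_dump(strlen($blob) > TEXT_MAX);           // blob does not fit in TEXT
var_dump(unpack_blob($blob) === $plain);      // intact blob round-trips
var_dump(unpack_blob($truncated) === null);   // truncated blob is rejected
```

Comparing the stored length against the column limit at write time catches the same problem earlier, before the row is saved.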