From:             eiwe dot lingefors at miva dot com
Operating system: RHEL 5
PHP version:      5.2.5
PHP Bug Type:     Filter related
Bug description:  Apparent memory leak in filter.c leading to Apache segfault

Description:
------------
First off, big disclaimer. I'm running Apache 2.2.8 using mpm_event and php 5.2.5. The fact that I'm using mpm_event might disqualify this bug report in your eyes but I figured it was worth noting anyway.

First, PHP is configured thusly:

./configure \
    --prefix=/usr/local/php \
    --disable-ipv6 \
    --with-apxs2=/usr/local/apache/bin/apxs \
    --with-mysql=/usr/local/mysql \
    --with-cdb \
    --with-curl \
    --with-xsl \
    --with-gettext \
    --with-gd \
    --with-jpeg-dir=/usr \
    --with-png-dir=/usr \
    --with-mcrypt \
    --with-openssl \
    --with-zlib \
    --with-iconv \
    --without-kerberos \
    --without-sqlite \
    --enable-mbstring \
    --enable-mbregex \
    --enable-soap \
    --enable-inline-optimization \
    --disable-cgi \
    --enable-debug \
    --disable-rpath

I started noticing segfaults of Apache as evidenced by the error_log:

[Mon Feb 18 11:10:03 2008] [notice] child pid 23618 exit signal Segmentation fault (11)
[Mon Feb 18 11:16:42 2008] [notice] child pid 24547 exit signal Segmentation fault (11)
[Mon Feb 18 11:18:54 2008] [notice] child pid 24591 exit signal Segmentation fault (11)
*** glibc detected *** /usr/local/apache/bin/httpd: free(): invalid pointer: 0xad3e0106 ***
======= Backtrace: =========
/lib/libc.so.6[0x955f7d]
/lib/libc.so.6(cfree+0x90)[0x9595d0]
/usr/local/apache/modules/libphp5.so(zif_openlog+0x65)[0x1044f05]
/usr/local/apache/modules/libphp5.so[0x10f53cf]
/usr/local/apache/modules/libphp5.so(execute+0x18e)[0x10e4aae]
/usr/local/apache/modules/libphp5.so[0x10f4d5b]
/usr/local/apache/modules/libphp5.so(execute+0x18e)[0x10e4aae]
/usr/local/apache/modules/libphp5.so[0x10f4d5b]
/usr/local/apache/modules/libphp5.so(execute+0x18e)[0x10e4aae]
/usr/local/apache/modules/libphp5.so[0x10f4d5b]
/usr/local/apache/modules/libphp5.so(execute+0x18e)[0x10e4aae]
/usr/local/apache/modules/libphp5.so[0x10f4d5b]
/usr/local/apache/modules/libphp5.so(execute+0x18e)[0x10e4aae]
/usr/local/apache/modules/libphp5.so[0x10f4d5b]
/usr/local/apache/modules/libphp5.so(execute+0x18e)[0x10e4aae]
/usr/local/apache/modules/libphp5.so(zend_execute_scripts+0x1d3)[0x10c3bc3]
/usr/local/apache/modules/libphp5.so(php_execute_script+0x242)[0x107c272]
/usr/local/apache/modules/libphp5.so[0x1146385]
/usr/local/apache/bin/httpd(ap_run_handler+0x59)[0x8074f59]
/usr/local/apache/bin/httpd(ap_invoke_handler+0x67)[0x80780c7]
/usr/local/apache/bin/httpd(ap_internal_redirect+0x6a)[0x808884a]
/usr/local/apache/modules/mod_rewrite.so[0x8c0920]
/usr/local/apache/bin/httpd(ap_run_handler+0x59)[0x8074f59]
/usr/local/apache/bin/httpd(ap_invoke_handler+0x67)[0x80780c7]
/usr/local/apache/bin/httpd(ap_process_request+0x178)[0x80889c8]
/usr/local/apache/bin/httpd[0x8085d53]
/usr/local/apache/bin/httpd(ap_run_process_connection+0x59)[0x807bf79]
/usr/local/apache/bin/httpd[0x809479f]
/usr/local/apache/lib/libapr-1.so.0[0x1d1746]
/lib/libpthread.so.0[0xa632db]
/lib/libc.so.6(clone+0x5e)[0x9bd14e]
======= Memory map: ========
[Mon Feb 18 11:23:47 2008] [notice] child pid 24626 exit signal Aborted (6)

I recompiled php with --enable-debug and saw some more information in the error_log:

[Mon Feb 18 11:43:37 2008] Script: '/home/httpd/my/my/www/top.php'
/var/home/eiwe/download/php-5.2.5/ext/filter/filter.c(414) : Freeing 0x09FCA518 (2 bytes), script=/home/httpd/my/my/www/top.php
Last leak repeated 16 times
=== Total 17 memory leaks detected ===
[Mon Feb 18 11:43:37 2008] Script: '/home/httpd/my/my/www/top.php'
/var/home/eiwe/download/php-5.2.5/ext/filter/filter.c(414) : Freeing 0x09FCA7EC (2 bytes), script=/home/httpd/my/my/www/top.php
Last leak repeated 16 times
=== Total 17 memory leaks detected ===
[Mon Feb 18 11:43:37 2008] Script: '/home/httpd/my/my/www/index.php'
/var/home/eiwe/download/php-5.2.5/ext/filter/filter.c(414) : Freeing 0x09FC6974 (14 bytes), script=/home/httpd/my/my/www/index.php
Last leak repeated 8 times

A backtrace using gdb looks like this:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1537336432 (LWP 27844)]
0x0095958c in free () from /lib/libc.so.6
(gdb) bt
#0  0x0095958c in free () from /lib/libc.so.6
#1  0x010c295b in zif_openlog () from /usr/local/apache/modules/libphp5.so
#2  0x0119977a in execute () from /usr/local/apache/modules/libphp5.so
#3  0x011a00bb in execute () from /usr/local/apache/modules/libphp5.so
#4  0x01199222 in execute () from /usr/local/apache/modules/libphp5.so
#5  0x011999ca in execute () from /usr/local/apache/modules/libphp5.so
#6  0x0119a76b in execute () from /usr/local/apache/modules/libphp5.so
#7  0x01199222 in execute () from /usr/local/apache/modules/libphp5.so
#8  0x011999ca in execute () from /usr/local/apache/modules/libphp5.so
#9  0x0119a76b in execute () from /usr/local/apache/modules/libphp5.so
#10 0x01199222 in execute () from /usr/local/apache/modules/libphp5.so
#11 0x011999ca in execute () from /usr/local/apache/modules/libphp5.so
#12 0x0119a76b in execute () from /usr/local/apache/modules/libphp5.so
#13 0x01199222 in execute () from /usr/local/apache/modules/libphp5.so
#14 0x011999ca in execute () from /usr/local/apache/modules/libphp5.so
#15 0x0119a76b in execute () from /usr/local/apache/modules/libphp5.so
#16 0x01199222 in execute () from /usr/local/apache/modules/libphp5.so
#17 0x011999ca in execute () from /usr/local/apache/modules/libphp5.so
#18 0x0119a76b in execute () from /usr/local/apache/modules/libphp5.so
#19 0x01199222 in execute () from /usr/local/apache/modules/libphp5.so
#20 0x01170a88 in zend_execute_scripts () from /usr/local/apache/modules/libphp5.so
#21 0x0110dbad in php_execute_script () from /usr/local/apache/modules/libphp5.so
#22 0x011f6592 in zend_get_zval_ptr_ptr () from /usr/local/apache/modules/libphp5.so
#23 0x08074f59 in ap_run_handler (r=0xa26c31d8) at config.c:157
#24 0x080780c7 in ap_invoke_handler (r=0xa26c31d8) at config.c:372
#25 0x0808884a in ap_internal_redirect (new_uri=0xa26c3180 "/top.php?src_id=11006&tb_version=1.2.0.192&install_time=2008-02-18T11%3A47%3A00%2B0000", r=0xa26ba6a0) at http_request.c:477
#26 0x00120920 in handler_redirect (r=0xa26ba6a0) at mod_rewrite.c:4762
#27 0x08074f59 in ap_run_handler (r=0xa26ba6a0) at config.c:157
#28 0x080780c7 in ap_invoke_handler (r=0xa26ba6a0) at config.c:372
#29 0x080889c8 in ap_process_request (r=0xa26ba6a0) at http_request.c:258
#30 0x08085d53 in ap_process_http_async_connection (c=0xa26b6888) at http_core.c:145
#31 0x0807bf79 in ap_run_process_connection (c=0xa26b6888) at connection.c:43
#32 0x0809479f in worker_thread (thd=0x9d7f868, dummy=0x9f4ea48) at event.c:637
#33 0x00305746 in dummy_worker (opaque=0x9d7f868) at threadproc/unix/thread.c:142
#34 0x00a632db in start_thread () from /lib/libpthread.so.0
#35 0x009bd14e in clone () from /lib/libc.so.6

This is my first bug report to PHP and I apologize in advance for any omissions that should have been included. I'll be happy to provide any additional info should you require it.

Reproduce code:
---------------
I can not reliably reproduce this. The segfaults are intermittent. If you have any suggestions on how I might trigger this I would be grateful.

-- 
Edit bug report at http://bugs.php.net/?id=44152&edit=1
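
Added example, not part of the original report: a small triage script for error_log output of the kind quoted above. It tallies child exit signals separately from the Zend debug-build leak reports, grouping leaks by source file, line and script and folding in the "Last leak repeated N times" lines. The sample log is constructed and its paths are placeholders.

```python
import re
from collections import Counter

# Constructed sample in the format of the error_log excerpts in the report.
SAMPLE_LOG = """\
[Mon Feb 18 11:10:03 2008] [notice] child pid 23618 exit signal Segmentation fault (11)
[Mon Feb 18 11:23:47 2008] [notice] child pid 24626 exit signal Aborted (6)
[Mon Feb 18 11:43:37 2008]  Script:  '/srv/www/top.php'
/build/php-5.2.5/ext/filter/filter.c(414) :  Freeing 0x09FCA518 (2 bytes), script=/srv/www/top.php
Last leak repeated 16 times
=== Total 17 memory leaks detected ===
/build/php-5.2.5/ext/filter/filter.c(414) :  Freeing 0x09FC6974 (14 bytes), script=/srv/www/index.php
Last leak repeated 8 times
"""

EXIT_RE = re.compile(r"child pid (\d+) exit signal (.+?) \((\d+)\)")
LEAK_RE = re.compile(
    r"^(\S+)\((\d+)\) :\s+Freeing 0x[0-9A-Fa-f]+ \((\d+) bytes\), script=(\S+)")
REPEAT_RE = re.compile(r"^Last leak repeated (\d+) times?")

def triage(log_text):
    """Return (crash count by signal, leak count by (file, line, script))."""
    crashes, leaks = Counter(), Counter()
    last_site = None  # leak site that a following "repeated" line refers to
    for raw in log_text.splitlines():
        line = raw.strip()
        m = EXIT_RE.search(line)
        if m:
            crashes[m.group(2)] += 1
            last_site = None
            continue
        m = LEAK_RE.match(line)
        if m:
            source = m.group(1).rsplit("/", 1)[-1]  # drop the build directory
            last_site = (source, int(m.group(2)), m.group(4))
            leaks[last_site] += 1
            continue
        m = REPEAT_RE.match(line)
        if m and last_site:
            leaks[last_site] += int(m.group(1))
    return crashes, leaks

if __name__ == "__main__":
    crashes, leaks = triage(SAMPLE_LOG)
    print(dict(crashes))
    for (source, lineno, script), count in leaks.most_common():
        print(f"{source}:{lineno} {script} leaks={count}")
```
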