ID: 46434
User updated by: charlie dot orford at gmail dot com
Reported By: charlie dot orford at gmail dot com
Status: Open
Bug Type: Reproducible crash
Operating System: Debian 4/Etch
PHP Version: 5.2.6
New Comment:
Forgot to include hardware and kernel version (in case it is helpful):
Linux kernel: 2.6.20.3
Hardware: Dual AMD Opteron 252 with 4GB RAM
Memory status at time of segfault:
#free -m
             total       used       free     shared    buffers     cached
Mem:          3903       3804         99          0        210       1707
-/+ buffers/cache:       1885       2017
Swap:         7632        271       7360
Previous Comments:
------------------------------------------------------------------------
[2008-10-31 15:04:49] charlie dot orford at gmail dot com
Description:
------------
When mm is used as session.save_handler, apache child processes begin
to segfault shortly after session.gc_maxlifetime is reached. The
workaround is to change session.save_handler to "files". This bug is
reproducible (for me at least).
Apache version: 2.2.10, compiled from source using:
./configure --prefix=/usr/local/apache --disable-cgi --disable-cgid
--disable-charset-lite --disable-env --disable-include
--disable-autoindex --disable-asis --disable-negotiation
--disable-imagemap --disable-actions --disable-userdir
--enable-nonportable-atomics --enable-deflate --enable-proxy-ftp=shared
--enable-proxy=shared --enable-proxy-connect=shared
--enable-proxy-http=shared --enable-cache=shared --enable-setenvif
--enable-expires --enable-headers --enable-rewrite --enable-unique-id
--enable-dav=shared --enable-dav-fs=shared --enable-ssl --enable-so
--with-ssl=/etc/ssl --with-mpm=prefork --with-dbm=db4
--with-berkeley-db=/usr/include:/usr/lib
httpd -l output:
Compiled in modules:
core.c
mod_authn_file.c
mod_authn_default.c
mod_authz_host.c
mod_authz_groupfile.c
mod_authz_user.c
mod_authz_default.c
mod_auth_basic.c
mod_filter.c
mod_deflate.c
mod_log_config.c
mod_expires.c
mod_headers.c
mod_unique_id.c
mod_setenvif.c
mod_ssl.c
prefork.c
http_core.c
mod_mime.c
mod_status.c
mod_dir.c
mod_alias.c
mod_rewrite.c
mod_so.c
PHP version 5.2.6, compiled from source using:
./configure --disable-ipv6 --disable-short-tags --disable-cgi
--enable-versioning --enable-url-includes --enable-sysvshm
--enable-sysvsem --enable-ftp --enable-calendar --enable-gd-native-ttf
--enable-mbstring --enable-libxml --enable-cli --enable-xml
--enable-sockets --with-pdflib=/usr/src/PDFlib-6.0.4-Linux-x86_64/bind/c
--with-apxs2=/usr/local/apache/bin/apxs --with-mysql=/usr/local/mysql
--with-mysql-sock=/var/run/mysqld/mysqld.sock
--with-mm=/usr/local/mm-1.4.2 --with-zlib --with-zlib-dir=/usr/lib/
--with-pear --with-gd --with-freetype-dir=/usr/local/lib/
--with-png-dir=/usr/lib/ --with-jpeg-dir=/usr/lib/ --with-ttf
--with-libtiff-dir=/usr/lib/ --with-openssl=/usr
mm-1.4.2, compiled from source using:
./configure --prefix=/usr/local/mm-1.4.2
Reproduce code:
---------------
See: http://pastebin.com/f38b947b
Expected result:
----------------
A session marked for garbage collection should be destroyed by the
garbage collector.
Actual result:
--------------
Garbage collection results in an apache child process segfault. I have
included two backtraces from two separate child process crashes.
Both seem to suggest php-5.2.6/ext/session/mod_mm.c is where the bug
resides.
GDB backtrace #1:
===================================
Core was generated by `/usr/local/apache/bin/httpd -k start'.
Program terminated with signal 11, Segmentation fault.
#0 zm_shutdown_ps_mm (type=<value optimized out>,
module_number=<value optimized out>)
at /usr/src/lamp/php-5.2.6/ext/session/mod_mm.c:243
243 next = sd->next;
(gdb) bt full
#0 zm_shutdown_ps_mm (type=<value optimized out>,
module_number=<value optimized out>)
at /usr/src/lamp/php-5.2.6/ext/session/mod_mm.c:243
No locals.
#1 0x00002b814cef0234 in zm_shutdown_session (type=1,
module_number=12)
at /usr/src/lamp/php-5.2.6/ext/session/session.c:1983
No locals.
#2 0x00002b814d00bea1 in module_destructor (module=0x7460f0)
at /usr/src/lamp/php-5.2.6/Zend/zend_API.c:1921
No locals.
#3 0x00002b814d012642 in zend_hash_apply_deleter (ht=0x2b814d6ab320,
p=0x746090) at /usr/src/lamp/php-5.2.6/Zend/zend_hash.c:611
retval = <value optimized out>
#4 0x00002b814d0128b8 in zend_hash_graceful_reverse_destroy (
ht=0x2b814d6ab320) at /usr/src/lamp/php-5.2.6/Zend/zend_hash.c:646
p = (Bucket *) 0x657469735f666572
#5 0x00002b814d008247 in zend_shutdown ()
at /usr/src/lamp/php-5.2.6/Zend/zend.c:733
No locals.
#6 0x00002b814cfc666a in php_module_shutdown ()
at /usr/src/lamp/php-5.2.6/main/main.c:1888
No locals.
#7 0x00002b814cfc6709 in php_module_shutdown_wrapper
(sapi_globals=0x1)
at /usr/src/lamp/php-5.2.6/main/main.c:1859
No locals.
#8 0x00002b814d0898e1 in php_apache_server_shutdown (
tmp=<value optimized out>)
at /usr/src/lamp/php-5.2.6/sapi/apache2handler/sapi_apache2.c:352
No locals.
#9 0x00002b814c43c62d in run_cleanups (cref=0x5b5158)
at memory/unix/apr_pools.c:2306
c = (cleanup_t *) 0x2b814f630058
#10 0x00002b814c43d0b7 in apr_pool_destroy (pool=0x5b5138)
at memory/unix/apr_pools.c:774
active = <value optimized out>
allocator = <value optimized out>
#11 0x00002b814c43d0a5 in apr_pool_destroy (pool=0x5b3128)
at memory/unix/apr_pools.c:771
active = <value optimized out>
allocator = <value optimized out>
#12 0x00000000004296a6 in destroy_and_exit_process (process=0x5b3220,
process_exit_value=0) at main.c:270
No locals.
#13 0x000000000042a179 in main (argc=3, argv=0x7fff5f238e78) at
main.c:747
c = 0 '\0'
configtestonly = 0
confname = 0x47d51f "conf/httpd.conf"
def_server_root = 0x47d52f "/usr/local/apache"
temp_error_log = 0x0
error = <value optimized out>
process = (process_rec *) 0x5b3220
server_conf = <value optimized out>
pglobal = (apr_pool_t *) 0x5b3128
pconf = (apr_pool_t *) 0x5b5138
plog = (apr_pool_t *) 0x5f9358
ptemp = (apr_pool_t *) 0x5c1198
pcommands = (apr_pool_t *) 0x5b7148
opt = (apr_getopt_t *) 0x5b7240
rv = 0
optarg = 0x2b814c9aa170 "Ô'"
(gdb)
GDB backtrace #2:
===================================
Core was generated by `/usr/local/apache/bin/httpd -k start'.
Program terminated with signal 11, Segmentation fault.
#0 ps_sd_lookup (data=<value optimized out>, key=0x2b814b91d488
"ufc77adjfgtmpfcju2mgiejf20l6bsd5", rw=0) at
/usr/src/lamp/php-5.2.6/ext/session/mod_mm.c:189
189 if (ret->hv == hv && !strcmp(ret->key, key))
(gdb) bt full
#0 ps_sd_lookup (data=<value optimized out>, key=0x2b814b91d488
"ufc77adjfgtmpfcju2mgiejf20l6bsd5", rw=0) at
/usr/src/lamp/php-5.2.6/ext/session/mod_mm.c:189
hv = 17287314
ret = (ps_sd *) 0x490
prev = (ps_sd *) 0x0
#1 0x00002b814cef68d7 in ps_read_mm (mod_data=<value optimized out>,
key=0x2b814b91d488 "ufc77adjfgtmpfcju2mgiejf20l6bsd5",
val=0x7fff5f2315b0, vallen=0x7fff5f2315cc) at
/usr/src/lamp/php-5.2.6/ext/session/mod_mm.c:334
data = (ps_mm *) 0x78b1e0
sd = <value optimized out>
ret = -1
#2 0x00002b814cef321e in php_session_start () at
/usr/src/lamp/php-5.2.6/ext/session/session.c:844
value = <value optimized out>
ppid = (zval **) 0x2b814b91c2c0
data = (zval **) 0x2b814b91cc58
p = <value optimized out>
lensess = <value optimized out>
#3 0x00002b814cef3b69 in zif_session_start (ht=1267848328,
return_value=0x2b814b91d488, return_value_ptr=0x20, this_ptr=0x20,
return_value_used=-16843009) at
/usr/src/lamp/php-5.2.6/ext/session/session.c:1815
No locals.
#4 0x00002b814d037117 in zend_do_fcall_common_helper_SPEC
(execute_data=0x7fff5f232ee0) at
/usr/src/lamp/php-5.2.6/Zend/zend_vm_execute.h:200
i = 32767
p = <value optimized out>
arg_count = 47834416506944
return_reference = 0 '\0'
opline = (zend_op *) 0x2b8151676930
original_return_value = <value optimized out>
current_scope = (zend_class_entry *) 0x0
current_this = (zval *) 0x0
return_value_used = -16843009
should_change_scope = 0 '\0'
#5 0x00002b814d026f93 in execute (op_array=0x2b814b9232f8) at
/usr/src/lamp/php-5.2.6/Zend/zend_vm_execute.h:92
execute_data = {opline = 0x2b8151676930, function_state =
{function_symbol_table = 0x0, function = 0x746f70, reserved =
{0x2b814cfda2cc, 0x2b814b920948, 0x0, 0x2b814b920948}}, fbc = 0x0,
op_array = 0x2b814b9232f8, object = 0x0,
Ts = 0x7fff5f231710, CVs = 0x7fff5f2316f0, original_in_execution = 1
'\001', symbol_table = 0x2b814d6aafc8, prev_execute_data =
0x7fff5f236400, old_error_reporting = 0x0}
#6 0x00002b814d0298e5 in ZEND_INCLUDE_OR_EVAL_SPEC_CONST_HANDLER
(execute_data=0x7fff5f236400) at
/usr/src/lamp/php-5.2.6/Zend/zend_vm_execute.h:2037
saved_object = (zval *) 0x0
saved_function = (zend_function *) 0x2b814b91ce70
opline = (zend_op *) 0x2b815164e4d0
new_op_array = (zend_op_array *) 0x2b814b9232f8
original_return_value = (zval **) 0x7fff5f236520
inc_filename = <value optimized out>
tmp_inc_filename = {value = {lval = 140734789529624, dval =
6.9532224681285584e-310, str = {val = 0x7fff5f233018 "\200Õ\220K\201+",
len = 1267783040}, ht = 0x7fff5f233018, obj = {handle = 1596141592,
handlers = 0x2b814b90d580}},
refcount = 0, type = 0 '\0', is_ref = 0 '\0'}
failure_retval = 255 'ÿ'
#7 0x00002b814d026f93 in execute (op_array=0x2b814b91ce70) at
/usr/src/lamp/php-5.2.6/Zend/zend_vm_execute.h:92
execute_data = {opline = 0x2b815164e4d0, function_state =
{function_symbol_table = 0x0, function = 0x2b814b9232f8, reserved =
{0x2b814cfda2cc, 0x2b814b91d258, 0x0, 0x2b814b91d258}}, fbc = 0x0,
op_array = 0x2b814b91ce70,
object = 0x0, Ts = 0x7fff5f233170, CVs = 0x7fff5f233090,
original_in_execution = 0 '\0', symbol_table = 0x2b814d6aafc8,
prev_execute_data = 0x0, old_error_reporting = 0x0}
#8 0x00002b814d007ccd in zend_execute_scripts (type=8, retval=<value
optimized out>, file_count=3) at
/usr/src/lamp/php-5.2.6/Zend/zend.c:1134
files = {{gp_offset = 40, fp_offset = 0, overflow_arg_area =
0x7fff5f236620, reg_save_area = 0x7fff5f236530}}
i = 1
file_handle = (zend_file_handle *) 0x7fff5f2388d0
orig_op_array = (zend_op_array *) 0x0
orig_retval_ptr_ptr = (zval **) 0x0
local_retval = (zval *) 0x0
#9 0x00002b814cfc6508 in php_execute_script
(primary_file=0x7fff5f2388d0) at
/usr/src/lamp/php-5.2.6/main/main.c:2005
realfile =
"\000\000\000\000\000\000\000\000nQþK\201+\000\000xv#_ÿ\177", '\0'
<repeats 18 times>,
"\200q\210\000\000\000\000\000\020w#_ÿ\177\000\000JNþK\201+\000\000\200q\210\000\000\000\000\000\020w#_ÿ\177\000\000\237\017\000\000\000\000\000\000Û\212\bM\201+\000\000¼\v\000\000\000\000\000\000f'",
'\0' <repeats 15 times>,
"[EMAIL
PROTECTED]@®jM\201+\000\000\000¨jM\201+\000\000½ðüL\201+\000\000ò\021\000\000\000\000\000\000o
\000\000\000\000\000\000+\036\000\000\000\000\000\000e\"\000\000\000\000\000\000è$\000\000\000"...
prepend_file_p = (zend_file_handle *) 0x0
append_file_p = (zend_file_handle *) 0x0
prepend_file = {type = 0 '\0', filename = 0x0, opened_path =
0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, reader = 0,
closer = 0, fteller = 0, interactive = 0}}, free_filename = 0 '\0'}
append_file = {type = 0 '\0', filename = 0x0, opened_path =
0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, reader = 0,
closer = 0, fteller = 0, interactive = 0}}, free_filename = 0 '\0'}
old_cwd = 0x7fff5f236630 "/"
retval = 0
#10 0x00002b814d08975d in php_handler (r=0x885f38) at
/usr/src/lamp/php-5.2.6/sapi/apache2handler/sapi_apache2.c:629
__bailout = {{__jmpbuf = {120, 3, 8937272, 6052448, 8912520,
140734789552784, 140734789552112, 47834343182899}, __mask_was_saved = 0,
__saved_mask = {__val = {0, 0, 17179869184, 8937144, 4623373, 8995888,
16, 8937144, 8994104,
8937144, 8937272, 8871352, 6002672, 8937904, 0, 8937144}}}}
ctx = (php_struct * volatile) 0x894540
conf = (void *) 0x604a98
brigade = (apr_bucket_brigade * volatile) 0x895220
bucket = <value optimized out>
rv = <value optimized out>
parent_req = (request_rec * volatile) 0x0
#11 0x000000000043c179 in ap_run_handler (r=0x885f38) at config.c:157
n = 3
rv = 32
#12 0x000000000043f25c in ap_invoke_handler (r=0x885f38) at
config.c:372
handler = 0x65ae80 "application/x-httpd-php"
result = 0
old_handler = 0x0
ignore = <value optimized out>
#13 0x0000000000464598 in ap_process_request (r=0x885f38) at
http_request.c:258
access_status = 1168
#14 0x0000000000461a3c in ap_process_http_connection (c=0x875db8) at
http_core.c:190
r = (request_rec *) 0x885f38
csd = (apr_socket_t *) 0x0
#15 0x0000000000442e11 in ap_run_process_connection (c=0x875db8) at
connection.c:43
n = 0
rv = 32
#16 0x00000000004736b6 in child_main (child_num_arg=<value optimized
out>) at prefork.c:650
numdesc = 1
pdesc = (const apr_pollfd_t *) 0x873e20
current_conn = (conn_rec *) 0x875db8
csd = (void *) 0x875bc8
ptrans = (apr_pool_t *) 0x875b48
allocator = (apr_allocator_t *) 0x873a40
status = <value optimized out>
i = <value optimized out>
lr = <value optimized out>
pollset = (apr_pollset_t *) 0x873d68
sbh = (ap_sb_handle_t *) 0x873d60
bucket_alloc = (apr_bucket_alloc_t *) 0x87fe88
last_poll_idx = 1
#17 0x0000000000473934 in make_child (s=0x5bef68, slot=5) at
prefork.c:746
pid = 0
#18 0x00000000004741d6 in ap_mpm_run (_pconf=<value optimized out>,
plog=<value optimized out>, s=<value optimized out>) at prefork.c:881
pidfile = <value optimized out>
active_children = <value optimized out>
cutoff = <value optimized out>
index = <value optimized out>
remaining_children_to_start = 0
rv = <value optimized out>
#19 0x000000000042a167 in main (argc=3, argv=0x7fff5f238e78) at
main.c:740
c = 0 '\0'
configtestonly = 0
confname = 0x47d51f "conf/httpd.conf"
def_server_root = 0x47d52f "/usr/local/apache"
temp_error_log = 0x0
error = <value optimized out>
process = (process_rec *) 0x5b3220
server_conf = <value optimized out>
pglobal = (apr_pool_t *) 0x5b3128
pconf = (apr_pool_t *) 0x5b5138
plog = (apr_pool_t *) 0x5f9358
ptemp = (apr_pool_t *) 0x5c1198
pcommands = (apr_pool_t *) 0x5b7148
opt = (apr_getopt_t *) 0x5b7240
rv = 0
optarg = 0x2b814c9aa170 "Ô'"
(gdb)
------------------------------------------------------------------------
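Both backtraces die on a pointer walk over the session descriptors: the bucket-chain lookup at mod_mm.c:189 (with ret = 0x490, not a plausible shared-memory address) and the next-pointer loop at mod_mm.c:243. The following is an added stand-alone C model of that structure, written for this page and not PHP's mod_mm.c: ps_sd descriptors (fields next, hv, key as in the traces) chained per hash bucket, a GC pass that unlinks expired entries while keeping the predecessor linked to the successor, and a hypothetical sd_valid() bounds check so that a bogus link like 0x490 ends the walk instead of faulting. The slots pool, ps_hash, ps_sd_new and ps_gc are my assumptions, not PHP's functions.

```c
#include <stdio.h>
#include <string.h>
#define NBUCKETS 8
#define NSLOTS   16

/* Descriptor fields are named as in the backtraces (next, hv, key). */
typedef struct ps_sd { struct ps_sd *next; unsigned long hv; long atime; char key[33]; } ps_sd;

/* slots[] stands in for the mm shared segment; freed slots are not reused in this model. */
typedef struct { ps_sd slots[NSLOTS]; unsigned used; ps_sd *hash[NBUCKETS]; } ps_mm;

/* Hypothetical guard (flat address space assumed): NULL or a node inside the segment; 0x490 fails. */
static int sd_valid(const ps_mm *d, const ps_sd *p) {
    return p == NULL || (p >= d->slots && p < d->slots + NSLOTS);
}

static unsigned long ps_hash(const char *s) {
    unsigned long h = 5381;
    while (*s) h = h * 33 + (unsigned char)*s++;
    return h;
}

/* Create a descriptor for key and push it onto the head of its bucket chain. */
ps_sd *ps_sd_new(ps_mm *d, const char *key, long now) {
    if (d->used >= NSLOTS) return NULL;
    ps_sd *sd = &d->slots[d->used++];
    sd->hv = ps_hash(key); sd->atime = now;
    snprintf(sd->key, sizeof sd->key, "%s", key);
    sd->next = d->hash[sd->hv % NBUCKETS];
    return d->hash[sd->hv % NBUCKETS] = sd;
}

/* The walk at mod_mm.c:189, except that a corrupt link ends the search instead of faulting. */
ps_sd *ps_sd_lookup(ps_mm *d, const char *key) {
    unsigned long hv = ps_hash(key);
    for (ps_sd *r = d->hash[hv % NBUCKETS]; sd_valid(d, r) && r; r = r->next)
        if (r->hv == hv && !strcmp(r->key, key)) return r;
    return NULL;
}

/* GC: unlink entries idle longer than maxlifetime, relinking prev to next; returns count removed. */
int ps_gc(ps_mm *d, long now, long maxlifetime) {
    int n = 0;
    for (int b = 0; b < NBUCKETS; b++)
        for (ps_sd **pp = &d->hash[b]; *pp; ) {
            if (!sd_valid(d, *pp)) { *pp = NULL; break; }  /* cut a corrupt chain */
            if (now - (*pp)->atime > maxlifetime) { *pp = (*pp)->next; n++; }
            else pp = &(*pp)->next;
        }
    return n;
}
```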
--
Edit this bug report at http://bugs.php.net/?id=46434&edit=1