From:             m dot moeller at bigpoint dot net
Operating system: Linux / Debian
PHP version:      5.2.11
PHP Bug Type:     Reproducible crash
Bug description:  destroy_op_array refcount invalid ptr / apache filter sapi

Description:
------------
If Apache receives a shutdown signal, PHP occasionally triggers a
segfault, because the refcount pointer of an op_array points to an invalid
address.

Program terminated with signal 11, Segmentation fault.
[New process 1475]
#0  0x00007f801f93f390 in ?? ()
(gdb) bt
#0  0x00007f801f93f390 in ?? ()
#1  <signal handler called>
#2  destroy_op_array (op_array=0x1c5fde0) at
/home/custompackages/tmp/build/php5_5.2.11.dfsg.1-1.dsc.17103/build/Zend/zend_opcode.c:232
#3  0x00007f8023642088 in zend_hash_destroy (ht=0x1928a00) at
/home/custompackages/tmp/build/php5_5.2.11.dfsg.1-1.dsc.17103/build/Zend/zend_hash.c:717
#4  0x00007f802363779a in zend_shutdown () at
/home/custompackages/tmp/build/php5_5.2.11.dfsg.1-1.dsc.17103/build/Zend/zend.c:816
#5  0x00007f80235f0df5 in php_module_shutdown () at
/home/custompackages/tmp/build/php5_5.2.11.dfsg.1-1.dsc.17103/build/main/main.c:1921
#6  0x00007f80235f0e99 in php_module_shutdown_wrapper (sapi_globals=0x0)
at
/home/custompackages/tmp/build/php5_5.2.11.dfsg.1-1.dsc.17103/build/main/main.c:1892
#7  0x00007f80236ac2b1 in php_apache_child_shutdown (tmp=0x0) at
/home/custompackages/tmp/build/php5_5.2.11.dfsg.1-1.dsc.17103/build/sapi/apache2handler/sapi_apache2.c:362
#8  0x00007f80284bb4fb in ?? () from /usr/lib/libapr-1.so.0
#9  0x00007f80284ba401 in apr_pool_destroy () from /usr/lib/libapr-1.so.0
#10 0x0000000000450d3e in clean_child_exit (code=0) at
/root/apache2-backport/httpd-2.2.14/server/mpm/prefork/prefork.c:196
#11 0x000000000045140b in just_die (sig=<value optimized out>) at
/root/apache2-backport/httpd-2.2.14/server/mpm/prefork/prefork.c:328
#12 <signal handler called>
#13 0x00007f8027ffe190 in __connect_nocancel () from /lib/libc.so.6
#14 0x00007f801bfc65b5 in ?? ()
#15 0x0000000001c26458 in ?? ()
#16 0x0000000001b3f528 in ?? ()
#17 0x00007f801c30e940 in ?? ()
#18 0x0000000000000015 in ?? ()
#19 0x0000000001c26458 in ?? ()
#20 0x0000000001b3f528 in ?? ()
#21 0x00007f801c30e940 in ?? ()
#22 0x0000000001b41300 in ?? ()
#23 0x00007fff41c64dc0 in ?? ()
#24 0x00007f801bfc7142 in ?? ()
#25 0x0000000100000001 in ?? ()
#26 0x000000004b20862f in ?? ()
#27 0x3020302000000035 in ?? ()
#28 0x0000000000000000 in ?? ()
(gdb) frame 2
#2  destroy_op_array (op_array=0x1c5fde0) at
/home/custompackages/tmp/build/php5_5.2.11.dfsg.1-1.dsc.17103/build/Zend/zend_opcode.c:232
232    
/home/custompackages/tmp/build/php5_5.2.11.dfsg.1-1.dsc.17103/build/Zend/zend_opcode.c:
No such file or directory.
        in
/home/custompackages/tmp/build/php5_5.2.11.dfsg.1-1.dsc.17103/build/Zend/zend_opcode.c
(gdb) print *op_array->refcount
Cannot access memory at address 0x7f801fb5da28


[reopened http://bugs.php.net/bug.php?id=49922 with current php ver]

Reproduce code:
---------------
while true; do
  curl http://localhost/testpage.php &
  apachectl restart
done


Expected result:
----------------
clear error log

Actual result:
--------------
segfault

-- 
Edit bug report at http://bugs.php.net/?id=50438&edit=1
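
Added triage example (not part of the original report and not PHP or Apache project code): it splits a gdb backtrace like the one above at each "<signal handler called>" marker and checks whether PHP teardown ran from inside a signal handler. The function names and the shortened sample are constructed for illustration.

```python
import re

# Constructed sample: selected frames from the backtrace above, gdb line
# wrapping kept, build-directory prefixes shortened to ".../".
SAMPLE_BT = """\
#0  0x00007f801f93f390 in ?? ()
#1  <signal handler called>
#2  destroy_op_array (op_array=0x1c5fde0) at
.../Zend/zend_opcode.c:232
#4  0x00007f802363779a in zend_shutdown () at
.../Zend/zend.c:816
#5  0x00007f80235f0df5 in php_module_shutdown () at
.../main/main.c:1921
#9  0x00007f80284ba401 in apr_pool_destroy () from /usr/lib/libapr-1.so.0
#10 0x0000000000450d3e in clean_child_exit (code=0) at
.../server/mpm/prefork/prefork.c:196
#11 0x000000000045140b in just_die (sig=<value optimized out>) at
.../server/mpm/prefork/prefork.c:328
#12 <signal handler called>
#13 0x00007f8027ffe190 in __connect_nocancel () from /lib/libc.so.6
"""

FRAME = re.compile(
    r"^#(\d+)\s+(?:0x[0-9a-f]+ in )?(<signal handler called>|\?\?|[\w.]+)")

def parse_frames(bt):
    # Re-join gdb's wrapped continuation lines, then return (number, symbol).
    joined = []
    for line in bt.splitlines():
        if line.startswith("#"):
            joined.append(line.strip())
        elif joined and line.strip():
            joined[-1] += " " + line.strip()
    return [(int(m.group(1)), m.group(2)) for m in map(FRAME.match, joined) if m]

def signal_contexts(frames):
    # contexts[0] is the crashing code; every later context is code that a
    # signal interrupted and that is still live beneath the handler.
    contexts = [[]]
    for _num, sym in frames:
        if sym == "<signal handler called>":
            contexts.append([])
        else:
            contexts[-1].append(sym)
    return contexts

def shutdown_in_handler(contexts, teardown=("php_module_shutdown", "zend_shutdown")):
    # Every context except the last one sits on top of a signal-handler marker.
    return any(set(teardown) & set(ctx) for ctx in contexts[:-1])
```

On the sample this yields three contexts: the faulting address, the prefork just_die-to-destroy_op_array teardown chain, and the interrupted connect() call.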