Bug #64606 [Fbk->Opn]: php crashes when wrtiting stream

pbxanime at gmail dot com Mon, 08 Apr 2013 15:58:08 -0700

Edit report at https://bugs.php.net/bug.php?id=64606&edit=1


 ID:                 64606
 User updated by:    pbxanime at gmail dot com
 Reported by:        pbxanime at gmail dot com
 Summary:            php crashes when wrtiting stream
-Status:             Feedback
+Status:             Open
 Type:               Bug
 Package:            Streams related
 Operating System:   Centos 5.8
 PHP Version:        5.4.13
 Block user comment: N
 Private report:     N

 New Comment:

here's php -v:

PHP 5.4.13 (cli) (built: Apr  2 2013 15:57:48)
Copyright (c) 1997-2013 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2013 Zend Technologies


I turned off Xcache and here's results from 5 different core dumps spanning 5 
hours:

#0  0x08304f47 in _php_stream_write (stream=0x90f5b08,
    buf=0xb77495bc "set 34e0f7080b10afd7af2e03e9b1536c33 0 1440 
38\r\nuser_session_last_access|i:1365458365;\r\n", count=88)
    at /usr/src/php-5.4.13/main/streams/streams.c:1238
1238            if (buf == NULL || count == 0 || stream->ops->write == NULL) {


----------------------------


#0  0x04939510 in ?? ()
(gdb) bt
#0  0x04939510 in ?? ()
#1  0x08303995 in _php_stream_write_buffer (stream=0x90f5b18, buf=0x95e6958 
"get 8185df46afa3fa484826ee530507445e\r\n",
    count=38) at /usr/src/php-5.4.13/main/streams/streams.c:1134
#2  0x009a00bb in ?? ()
#3  0x090f5b18 in ?? ()
#4  0x095e6958 in ?? ()
#5  0x00000026 in ?? ()
#6  0x082f5029 in spprintf (pbuf=0x95e9374, max_len=3214955994, format=0x20 
<Address 0x20 out of bounds>)
    at /usr/src/php-5.4.13/main/spprintf.c:818
#7  0x009a346a in ?? ()
#8  0x095e9374 in ?? ()
#9  0xbfa055da in ?? ()
#10 0x00000020 in ?? ()
#11 0xbfa055da in ?? ()
#12 0x00000000 in ?? ()
(gdb) frame 1
#1  0x08303995 in _php_stream_write_buffer (stream=0x90f5b18, buf=0x95e6958 
"get 8185df46afa3fa484826ee530507445e\r\n",
    count=38) at /usr/src/php-5.4.13/main/streams/streams.c:1134
1134                    justwrote = stream->ops->write(stream, buf, towrite 
TSRMLS_CC);
(gdb) frame 6
#6  0x082f5029 in spprintf (pbuf=0x95e9374, max_len=3214955994, format=0x20 
<Address 0x20 out of bounds>)
    at /usr/src/php-5.4.13/main/spprintf.c:818
818             cc = vspprintf(pbuf, max_len, format, ap);

----------------------------

#0  0x08304eb3 in _php_stream_write_filtered (stream=0x90992a0, buf=<value 
optimized out>, count=3214964224, flags=0) at 
/usr/src/php-5.4.13/main/streams/streams.c:1177
1177                    status = filter->fops->filter(stream, filter, brig_inp, 
brig_outp,
(gdb) bt
#0  0x08304eb3 in _php_stream_write_filtered (stream=0x90992a0, buf=<value 
optimized out>, count=3214964224, flags=0) at 
/usr/src/php-5.4.13/main/streams/streams.c:1177
#1  0x009a2506 in ?? ()
#2  0x00000000 in ?? ()
(gdb) frame 0
#0  0x08304eb3 in _php_stream_write_filtered (stream=0x90992a0, buf=<value 
optimized out>, count=3214964224, flags=0) at 
/usr/src/php-5.4.13/main/streams/streams.c:1177
1177                    status = filter->fops->filter(stream, filter, brig_inp, 
brig_outp,

----------------------------

#0  0x30320032 in ?? ()
(gdb) bt
#0  0x30320032 in ?? ()
#1  0x08304ee5 in _php_stream_write_filtered (stream=0x90f5b18, buf=<value 
optimized out>, count=<value optimized out>, flags=0)
    at /usr/src/php-5.4.13/main/streams/streams.c:1177
#2  0x009a00bb in ?? ()
#3  0x00000000 in ?? ()
(gdb) frame 1
#1  0x08304ee5 in _php_stream_write_filtered (stream=0x90f5b18, buf=<value 
optimized out>, count=<value optimized out>, flags=0)
    at /usr/src/php-5.4.13/main/streams/streams.c:1177
1177                    status = filter->fops->filter(stream, filter, brig_inp, 
brig_outp,

----------------------------

#0  0x08304eb3 in _php_stream_write_filtered (stream=0x9098890, buf=<value 
optimized out>, count=3214964224, flags=0) at 
/usr/src/php-5.4.13/main/streams/streams.c:1177
1177                    status = filter->fops->filter(stream, filter, brig_inp, 
brig_outp,
(gdb) bt
#0  0x08304eb3 in _php_stream_write_filtered (stream=0x9098890, buf=<value 
optimized out>, count=3214964224, flags=0) at 
/usr/src/php-5.4.13/main/streams/streams.c:1177
#1  0x009a2506 in ?? ()
#2  0x00000000 in ?? ()
(gdb) frame 0
#0  0x08304eb3 in _php_stream_write_filtered (stream=0x9098890, buf=<value 
optimized out>, count=3214964224, flags=0) at 
/usr/src/php-5.4.13/main/streams/streams.c:1177
1177                    status = filter->fops->filter(stream, filter, brig_inp, 
brig_outp,


Previous Comments:
------------------------------------------------------------------------
[2013-04-08 16:40:32] pbxanime at gmail dot com

No, I haven't tested it with Xcache disabled. I didn't even think Xcache would 
be an issue since it doesn't interact with the writing of the sessions. I will 
disable Xcache for a few hours and see what results, I get thank you for the 
response.

------------------------------------------------------------------------
[2013-04-08 16:10:56] s...@php.net

Does it reproduce without XCache?
Do you have a standalone testcase?

------------------------------------------------------------------------
[2013-04-07 19:41:41] pbxanime at gmail dot com

Description:
------------
I use the latest stable XCache and the latest stable Lighttpd.

I store sessions with memcache:

session.save_handler = memcache
session.save_path = 
"unix:///tmp/memcached.socket:0?persistent=1&weight=1&timeout=1&retry_interval=15"

php is compiled with the following, I removed directories, but they are 
correctly linked:

./configure \
--disable-fileinfo \
--disable-pdo \
--enable-exif \
--enable-fpm \
--enable-ftp \
--enable-gd-native-ttf \
--enable-libxml \
--enable-mbstring \
--enable-zip \
--prefix= \
--with-apxs2= \
--with-bz2 \
--with-curl= \
--with-freetype-dir= \
--with-gd \
--with-gettext \
--with-imap= \
--with-imap-ssl= \
--with-jpeg-dir= \
--with-png-dir= \
--with-kerberos \
--with-libxml-dir= \
--with-mcrypt= \
--with-mysql= \
--with-mysql-sock= \
--with-mysqli= \
--with-openssl= \
--with-openssl-dir= \
--with-pcre-regex= \
--with-png-dir= \
--with-xpm-dir= \
--with-zlib \
--with-zlib-dir=

Test script:
---------------
I store sessions like this:

IF (!ISSET($_SESSION)) {
SESSION_START();
}
IF($_SESSION['user_session_last_access']+180 < TIME()){
$_SESSION['user_session_last_access'] = TIME();

}

It's nothing special and it works normally.

Actual result:
--------------
I don't know how to dupicate this bug, it just happens randomly every few to 
several hours:

FPM Log:

[07-Apr-2013 08:35:05.926454] DEBUG: pid 25374, fpm_got_signal(), line 72: 
received SIGCHLD
[07-Apr-2013 08:35:05.926552] WARNING: pid 25374, fpm_children_bury(), line 
252: [pool ] child 534 exited on signal 11 (SIGSEGV - core dumped) after 
34.242946 seconds from start
[07-Apr-2013 08:35:05.926939] NOTICE: pid 25374, fpm_children_make(), line 421: 
[pool ] child 575 started
[07-Apr-2013 08:35:05.926980] DEBUG: pid 25374, fpm_event_loop(), line 411: 
event module triggered 1 events

Backtrace:

#0  0x08304f47 in _php_stream_write (stream=0x9556b88,
    buf=0xb77c5000 "set 0b58f7308927b881bd2d5273f0dc8de7 0 1440 
38\r\nuser_session_last_access|i:1365338080;\r\n", count=88)
    at /usr/src/php-5.4.13/main/streams/streams.c:1238
1238            if (buf == NULL || count == 0 || stream->ops->write == NULL) {
(gdb) bt
#0  0x08304f47 in _php_stream_write (stream=0x9556b88,
    buf=0xb77c5000 "set 0b58f7308927b881bd2d5273f0dc8de7 0 1440 
38\r\nuser_session_last_access|i:1365338080;\r\n", count=88)
    at /usr/src/php-5.4.13/main/streams/streams.c:1238
#1  0x00764506 in ?? ()
#2  0x09556b88 in ?? ()
#3  0xb77c5000 in ?? ()
#4  0x00000058 in ?? ()
#5  0xbfb79f0e in ?? ()
#6  0x00000000 in ?? ()
(gdb) frame 0
#0  0x08304f47 in _php_stream_write (stream=0x9556b88,
    buf=0xb77c5000 "set 0b58f7308927b881bd2d5273f0dc8de7 0 1440 
38\r\nuser_session_last_access|i:1365338080;\r\n", count=88)
    at /usr/src/php-5.4.13/main/streams/streams.c:1238
1238            if (buf == NULL || count == 0 || stream->ops->write == NULL) {


Another Backtrace:


#0  _php_stream_write_filtered (stream=0x95564a8, buf=0x96c9100 "", 
count=3216473280, flags=0) at /usr/src/php-5.4.13/main/streams/streams.c:1177
1177                    status = filter->fops->filter(stream, filter, brig_inp, 
brig_outp,
(gdb) bt
#0  _php_stream_write_filtered (stream=0x95564a8, buf=0x96c9100 "", 
count=3216473280, flags=0) at /usr/src/php-5.4.13/main/streams/streams.c:1177
#1  0x007620bb in ?? ()
#2  0x00000000 in ?? ()
(gdb) frame 0
#0  _php_stream_write_filtered (stream=0x95564a8, buf=0x96c9100 "", 
count=3216473280, flags=0) at /usr/src/php-5.4.13/main/streams/streams.c:1177
1177                    status = filter->fops->filter(stream, filter, brig_inp, 
brig_outp,


------------------------------------------------------------------------



-- 
Edit this bug report at https://bugs.php.net/bug.php?id=64606&edit=1

Bug #64606 [Fbk->Opn]: php crashes when wrtiting stream

Reply via email to