From: lazy404 at gmail dot com
Operating system: Linux
PHP version: 5.5.3
Package: *General Issues
Bug Type: Bug
Bug description: reaching max_execution_time might corrupt zend memory heap
Description:
------------
Reaching max_execution_time might corrupt the zend memory heap.
PHP uses setitimer(ITIMER_PROF) to limit the CPU time used by scripts.
When the time is exceeded PHP is sent a signal. The signal handler calls
zend_error() to display the "Maximum execution time of %d second%s exceeded" message.
Unfortunately php_error_cb() uses spprintf(), which allocates memory from the PHP
memory heap. This is not safe because the PHP heap might be in an inconsistent
state.
php_error_cb() also uses free(), which is protected by a lock, so this
can produce a deadlock if the signal arrived during a free.
Segfault happens more than 1 in 20 runs. Example backtrace follows:
#0 0x00007ffb0e0e9757 in kill () from /lib/x86_64-linux-gnu/libc.so.6
#1 0x00000000007958e6 in zend_mm_panic (message=0xbdd6cd "zend_mm_heap corrupted") at /usr/src/php-5.5.3/Zend/zend_alloc.c:92
#2 0x0000000000798bf3 in _zend_mm_alloc_int (heap=0x24f0300, size=79, __zend_filename=0xbce3d8 "/usr/src/php-5.5.3/main/spprintf.c", __zend_lineno=236, __zend_orig_filename=0x0, __zend_orig_lineno=0) at /usr/src/php-5.5.3/Zend/zend_alloc.c:2018
#3 0x00000000007992fa in _zend_mm_realloc_int (heap=0x24f0300, p=0x0, size=79, __zend_filename=0xbce3d8 "/usr/src/php-5.5.3/main/spprintf.c", __zend_lineno=236, __zend_orig_filename=0x0, __zend_orig_lineno=0) at /usr/src/php-5.5.3/Zend/zend_alloc.c:2134
#4 0x000000000079a4bc in _erealloc (ptr=0x0, size=79, allow_failure=0, __zend_filename=0xbce3d8 "/usr/src/php-5.5.3/main/spprintf.c", __zend_lineno=236, __zend_orig_filename=0x0, __zend_orig_lineno=0) at /usr/src/php-5.5.3/Zend/zend_alloc.c:2450
#5 0x00000000007429ba in xbuf_format_converter (xbuf=0x7fffb5b48d00, fmt=0xbcd7dd "PHP %s: %s in %s on line %d", ap=0x7fffb5b48d50) at /usr/src/php-5.5.3/main/spprintf.c:236
#6 0x0000000000744bde in vspprintf (pbuf=0x7fffb5b48ea0, max_len=0, format=0xbcd7dd "PHP %s: %s in %s on line %d", ap=0x7fffb5b48d50) at /usr/src/php-5.5.3/main/spprintf.c:799
#7 0x0000000000744cc9 in spprintf (pbuf=0x7fffb5b48ea0, max_len=0, format=0xbcd7dd "PHP %s: %s in %s on line %d") at /usr/src/php-5.5.3/main/spprintf.c:818
#8 0x000000000073c878 in php_error_cb (type=1, error_filename=0x7ffb0f1c0610 "/usr/src/php-5.5.3/t.php", error_lineno=7, format=0xbe05f0 "Maximum execution time of %d second%s exceeded", args=0x7fffb5b49000) at /usr/src/php-5.5.3/main/main.c:1068
#9 0x00000000007d1cec in zend_error (type=1, format=0xbe05f0 "Maximum execution time of %d second%s exceeded") at /usr/src/php-5.5.3/Zend/zend.c:1110
#10 0x00000000007c070c in zend_timeout (dummy=27) at /usr/src/php-5.5.3/Zend/zend_execute_API.c:1331
#11 <signal handler called>
#12 0x0000000000796208 in zend_mm_remove_from_free_list (heap=0x24f0300, mm_block=0x7ffb0d305150) at /usr/src/php-5.5.3/Zend/zend_alloc.c:849
#13 0x0000000000799171 in _zend_mm_free_int (heap=0x24f0300, p=0x7ffb0d3052e0, __zend_filename=0xbe2d78 "/usr/src/php-5.5.3/Zend/zend_hash.c", __zend_lineno=565, __zend_orig_filename=0x0, __zend_orig_lineno=0) at /usr/src/php-5.5.3/Zend/zend_alloc.c:2110
#14 0x000000000079a43f in _efree (ptr=0x7ffb0d3052e0, __zend_filename=0xbe2d78 "/usr/src/php-5.5.3/Zend/zend_hash.c", __zend_lineno=565,
I have also observed deadlocks caused by free's lock on production servers
running PHP as FastCGI.
Test script:
---------------
<?php
// Limit CPU time to 1 second so the timeout signal fires while the script runs.
ini_set("max_execution_time", 1);
// Keep the Zend allocator busy, so the signal is likely to arrive
// in the middle of an allocation or a free.
for ($a = 0; $a < 100000; $a++) {
    $ta = array();
    for ($i = 0; $i < 10000; $i++) {
        array_push($ta, $i, $i, $i, $i, $i, $i, $i, $i, $i, $i);
    }
}
echo "ok";
Expected result:
----------------
Status: 500 Internal Server Error
X-Powered-By: PHP/5.5.3
Content-type: text/html
PHP Fatal error: Maximum execution time of 1 second exceeded in /usr/src/php-5.5.3/t.php on line 11
/usr/src/php-5.5.3/t.php(11) : Fatal error - Maximum execution time of 1 second exceeded
Actual result:
--------------
Status: 500 Internal Server Error
X-Powered-By: PHP/5.5.3
Content-type: text/html
zend_mm_heap corrupted
Naruszenie ochrony pamięci (core dumped)
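The pattern the backtrace argues for, as an added example in C that is not PHP's code: the SIGPROF handler raised by setitimer(ITIMER_PROF) only sets a sig_atomic_t flag, the worker loop polls that flag, and the "Maximum execution time" message is formatted afterwards in normal context, so no allocator or lock is ever entered from signal context. The names arm_cpu_limit, run_until_timeout and format_timeout_message are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <limits.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/time.h>

/* Written only by the signal handler, read by the worker loop. */
static volatile sig_atomic_t timed_out = 0;
static unsigned long timeout_seconds = 0;

/* Async-signal-safe handler: it touches nothing but a sig_atomic_t flag,
 * unlike a handler that calls into an error/printf/allocator path. */
static void on_timeout(int sig) {
    (void)sig;
    timed_out = 1;
}

/* Arm a CPU-time limit with ITIMER_PROF, as PHP does. Zero seconds disarms.
 * Returns 0 on success, -1 on failure. (Hypothetical helper, not PHP's.) */
int arm_cpu_limit(unsigned long seconds) {
    struct sigaction sa;
    struct itimerval it;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_timeout;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGPROF, &sa, NULL) != 0) return -1;
    memset(&it, 0, sizeof it);
    it.it_value.tv_sec = (time_t)seconds;
    timeout_seconds = seconds;
    timed_out = 0;
    return setitimer(ITIMER_PROF, &it, NULL);
}

/* Stand-in for the script loop: burns CPU and polls the flag after each
 * step. Returns the iteration count, or -1 once the timeout was flagged. */
long run_until_timeout(long max_iters) {
    long i;
    volatile unsigned long sink = 0;   /* volatile keeps the work from being elided */
    for (i = 0; i < max_iters; i++) {
        sink += (unsigned long)i * 2654435761u;
        if (timed_out) return -1;
    }
    return i;
}

/* The message is built here, outside the handler, where heap use is safe.
 * Returns the snprintf length. */
int format_timeout_message(char *buf, size_t len) {
    return snprintf(buf, len, "Maximum execution time of %lu second%s exceeded",
                    timeout_seconds, timeout_seconds == 1 ? "" : "s");
}
```

A real interpreter would check the flag at its existing safe points (opcode boundaries, loop back-edges) instead of after every arithmetic step.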
--
Edit bug report at https://bugs.php.net/bug.php?id=65674&edit=1