From: paul at gracion dot com
Operating system: Mac OS X 10.4.9
PHP version: 5.2.2
PHP Bug Type: Reproducible crash
Bug description: hang and crash in libphp5.so after using fopen
Description:
------------
Bad(?) PHP code causes non-response to web browser; minutes later
(during subsequent hits to other php pages) an apache process crashes.
What code does: given an HTTP file upload, reads the temporary file with
fopen/fgets and writes to MySQL using PDO. fclose() was not called;
workaround may be to call fclose(). Reproducible by one user but not
by another.
(Mac OS X Client 10.4.9's bundled apache, php5.2.2 binary from
http://www.entropy.ch/software/macosx/php/ )
Reproduce code:
---------------
$gSQL = new PDO('mysql:unix_socket=/tmp/mysql.sock;dbname=xxxxx', SQL_USER, SQL_PASS);
$gSQL->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
if (isset($_FILES['widgets']) && ($_FILES['widgets']['error'] == UPLOAD_ERR_OK)) {
    $fhndl = fopen($_FILES['widgets']['tmp_name'], 'r');
    $st = $gSQL->prepare('INSERT INTO widgets (wigitid, wigit, numUsers, created) VALUES (?, ?, ?, NOW())');
    $i = 0;
    while (!feof($fhndl)) {
        if ($line = fgets($fhndl)) { // line is about 15 chars, file is 5-10 lines.
            $st->execute(array($_POST['serialid'], $line, $_POST['numUsers']));
            $i += 1;
            print "."; // progress shown in web browser
        }
    } // should be fclose() here
    print "<p>$i widgets imported successfully.</p>";
} else {
    print "<p>Error {$_FILES['widgets']['error']} uploading widgets file.</p>";
}
Expected result:
----------------
Browser displays "$N widgets imported successfully". httpd child process
doesn't crash (later).
Actual result:
--------------
Nothing returned to browser, which times out after about 3 minutes.
Then, user hits some phpMyAdmin 2.9.2 pages. On one of the hits, an
httpd child crashes (the user hitting phpMyAdmin sees nothing wrong).
Got 3 different backtraces:
Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x00000014
Thread 0 Crashed:
0 libphp5.so 0x023a6cf7 zend_mm_remove_from_free_list + 33
1 libphp5.so 0x023a7cc4 _zend_mm_free_int + 551
2 libphp5.so 0x023a86b6 _efree + 63
3 libphp5.so 0x023d12f2 zend_hash_destroy + 205
4 libphp5.so 0x023c4701 _zval_dtor_func + 153
5 libphp5.so 0x023b7181 _zval_dtor + 28
6 libphp5.so 0x023b73be _zval_ptr_dtor + 51
7 libphp5.so 0x0237242e php_request_shutdown + 534
8 libphp5.so 0x0243701f apache_php_module_main + 229
9 libphp5.so 0x02438077 send_php + 707
10 libphp5.so 0x024380d8 send_parsed_php + 39
11 httpd 0x00005861 ap_invoke_handler + 182
12 httpd 0x000192d1 process_request_internal + 817
13 httpd 0x000199c4 ap_process_request + 58
14 httpd 0x000101e3 child_main + 1822
15 httpd 0x00010742 make_child + 351
16 httpd 0x0001192c standalone_main + 4434
17 httpd 0x0001253c main + 2200
18 httpd 0x000017e6 _start + 228
19 httpd 0x00001701 start + 41
Thread 0 crashed with X86 Thread State (32-bit):
eax: 0x00000008 ebx: 0x023a6ce2 ecx: 0x0000e4d0 edx: 0x00000031
edi: 0x01838b64 esi: 0x00000017 ebp: 0xbffff1e8 esp: 0xbffff1c0
ss: 0x0000001f efl: 0x00010286 eip: 0x023a6cf7 cs: 0x00000017
ds: 0x0000001f es: 0x0000001f fs: 0x00000000 gs: 0x00000037
---
Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_INVALID_ADDRESS (0x0001) at 0x6f696365
Thread 0 Crashed:
0 libphp5.so 0x023d0068 _zend_hash_add_or_update + 56
1 libphp5.so 0x023808bf zend_symtable_update + 410
2 libphp5.so 0x023805c6 php_register_variable_ex + 1299
3 libphp5.so 0x0209660e php_sapi_filter + 809
4 libphp5.so 0x02380fab php_default_treat_data + 867
5 libphp5.so 0x02381e07 php_hash_environment + 853
6 libphp5.so 0x02371f1f php_request_startup + 523
7 libphp5.so 0x02436f55 apache_php_module_main + 27
8 libphp5.so 0x02438077 send_php + 707
9 libphp5.so 0x024380d8 send_parsed_php + 39
10 httpd 0x00005861 ap_invoke_handler + 182
11 httpd 0x000192d1 process_request_internal + 817
12 httpd 0x000199c4 ap_process_request + 58
13 httpd 0x000101e3 child_main + 1822
14 httpd 0x00010742 make_child + 351
15 httpd 0x0001192c standalone_main + 4434
16 httpd 0x0001253c main + 2200
17 httpd 0x000017e6 _start + 228
18 httpd 0x00001701 start + 41
Thread 0 crashed with X86 Thread State (32-bit):
eax: 0x6f696361 ebx: 0x023d003e ecx: 0x0059778b edx: 0x0b8868eb
edi: 0x005c775d esi: 0x00000017 ebp: 0xbffff088 esp: 0xbffff030
ss: 0x0000001f efl: 0x00010286 eip: 0x023d0068 cs: 0x00000017
ds: 0x0000001f es: 0x0000001f fs: 0x00000000 gs: 0x00000037
---
Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x00000005
Thread 0 Crashed:
0 libphp5.so 0x023d0080 _zend_hash_add_or_update + 80 (was +56 above, otherwise same trace)
1 libphp5.so 0x023808bf zend_symtable_update + 410
2 libphp5.so 0x023805c6 php_register_variable_ex + 1299
3 libphp5.so 0x0209660e php_sapi_filter + 809
4 libphp5.so 0x02380fab php_default_treat_data + 867
5 libphp5.so 0x02381e07 php_hash_environment + 853
6 libphp5.so 0x02371f1f php_request_startup + 523
7 libphp5.so 0x02436f55 apache_php_module_main + 27
8 libphp5.so 0x02438077 send_php + 707
9 libphp5.so 0x024380d8 send_parsed_php + 39
10 httpd 0x00005861 ap_invoke_handler + 182
11 httpd 0x000192d1 process_request_internal + 817
12 httpd 0x000199c4 ap_process_request + 58
13 httpd 0x000101e3 child_main + 1822
14 httpd 0x00010742 make_child + 351
15 httpd 0x0001192c standalone_main + 4434
16 httpd 0x0001253c main + 2200
17 httpd 0x000017e6 _start + 228
18 httpd 0x00001701 start + 41
Thread 0 crashed with X86 Thread State (32-bit):
eax: 0x00000005 ebx: 0x023d003e ecx: 0x1070cd46 edx: 0x00000005
edi: 0x005c7781 esi: 0x00000017 ebp: 0xbffff088 esp: 0xbffff030
ss: 0x0000001f efl: 0x00010246 eip: 0x023d0080 cs: 0x00000017
ds: 0x0000001f es: 0x0000001f fs: 0x00000000 gs: 0x00000037
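For readers tracking this report, here is the same upload-import routine written so that the file handle is always released and the uploaded file is checked before it is read. This is an added example, not the reporter's code and not a PHP project fix; it targets PHP 7 or later (try/finally and Throwable are not available in the 5.2.2 build the report concerns), and it assumes the same SQL_USER/SQL_PASS constants, the widgets table and the 'widgets', 'serialid' and 'numUsers' form fields named above. The MAX_LINES and MAX_LINE_LEN limits are constructed for the example.

```php
<?php
// Added example (not the reporter's code): the import routine with the handle
// always closed, the upload validated, and bounds on how much is read.
// Assumed: constants SQL_USER / SQL_PASS, table widgets(wigitid, wigit, numUsers, created),
// form fields 'widgets' (file), 'serialid', 'numUsers'. Requires PHP 7+.
declare(strict_types=1);

const MAX_LINES    = 1000;   // constructed limit: refuse absurdly large imports
const MAX_LINE_LEN = 255;    // constructed limit: one row per line, small VARCHAR

function importWidgets(PDO $db, array $file, string $serialId, int $numUsers): int
{
    $err = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($err !== UPLOAD_ERR_OK) {
        throw new RuntimeException("Upload failed with error code {$err}");
    }
    // Only read a file that PHP itself placed in the upload temp directory.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('tmp_name is not an uploaded file');
    }

    $fh = fopen($file['tmp_name'], 'rb');
    if ($fh === false) {
        throw new RuntimeException('Cannot open uploaded file');
    }

    $count = 0;
    $db->beginTransaction();
    try {
        $st = $db->prepare(
            'INSERT INTO widgets (wigitid, wigit, numUsers, created) VALUES (?, ?, ?, NOW())'
        );
        // fgets with a length argument reads at most length-1 bytes, so a single
        // over-long line can never be pulled into memory whole.
        while (($line = fgets($fh, MAX_LINE_LEN + 2)) !== false) {
            $line = rtrim($line, "\r\n");
            if ($line === '') {
                continue;                    // skip blank lines
            }
            if (strlen($line) > MAX_LINE_LEN) {
                throw new RuntimeException('Line too long');
            }
            if (++$count > MAX_LINES) {
                throw new RuntimeException('Too many lines');
            }
            $st->execute([$serialId, $line, $numUsers]);
        }
        $db->commit();                       // all rows or none
    } catch (Throwable $e) {
        $db->rollBack();
        throw $e;
    } finally {
        fclose($fh);                         // released on success and on failure
    }
    return $count;
}

// Usage with the request data the report describes.
$db = new PDO('mysql:unix_socket=/tmp/mysql.sock;dbname=xxxxx', SQL_USER, SQL_PASS, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

try {
    $n = importWidgets(
        $db,
        $_FILES['widgets'] ?? [],
        (string)($_POST['serialid'] ?? ''),
        (int)($_POST['numUsers'] ?? 0)
    );
    echo '<p>', $n, ' widgets imported successfully.</p>';
} catch (RuntimeException $e) {              // PDOException extends RuntimeException
    echo '<p>Error: ', htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8'), '</p>';
}
```

The finally block is what the reporter's "should be fclose() here" comment asks for, and it also covers the case where execute() throws mid-loop, which the original loop would leave with an open handle. The transaction keeps a failed upload from leaving a partial set of rows behind, and is_uploaded_file() ensures the path in tmp_name is one PHP created for this request rather than an arbitrary local file.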
--
Edit bug report at http://bugs.php.net/?id=41370&edit=1