ID:               41370
User updated by:  paul at gracion dot com
-Summary:         hang and crash in libphp5.so after using fopen
Reported By:      paul at gracion dot com
-Status:          Feedback
+Status:          Open
Bug Type:         Reproducible crash
Operating System: Mac OS X 10.4.9
PHP Version:      5.2.2
New Comment:

See new requested backtraces and error_log below. Simplified steps to reproduce no longer involve fopen.

Configure used for debug build:
./configure --with-apxs --enable-debug --with-mysql=/usr/local/mysql --with-xmlrpc --with-pdo-mysql=/usr/local/mysql

Improved steps to reproduce crash:
1 Stop and then start Apache with SSL.
2 Open upload form (https://updebug.html) in browser, choose file (4 to 12K text), submit (HTTPS).
3 If updebug.php page loads, click browser back button and repeat previous 2 steps, until submit does not return data to browser. (happens about 1/3 of the time).
4 Wait for browser to time out (apparently), about 5 minutes.
4a. (error_log records "freeing .... last leak repeated" - see below).
5 Open phpMyAdmin/index.php (2.9.2). This triggers immediate crash of an httpd child thread.

updebug.html:

<form id="textUploadForm" action="updebug.php" method="post" name="textUploadForm" enctype="multipart/form-data">
  <input type="hidden" name="MAX_FILE_SIZE" value="2000000" />
  <input type="file" name="texts" size="20"/><br />
  <label>textid: </label>
  <input type="text" name="textid" size="12" /><br />
  <label>Number of users: </label>
  <input type="text" name="numUsers" value="1" size="4" />
  <input type="submit" name="submitButtonName" value="Start Upload" />
</form>

updebug.php:

if (array_key_exists('texts', $_FILES) && ($_FILES['texts']['error'] == UPLOAD_ERR_OK)) {
    print "<p>updebug sees file ok</p>";
} else {
    print "<p>Error or No upload file.</p>";
}

Backtraces (2):

Host Name:      Ally
Date/Time:      2007-05-16 18:30:37.349 -0700
OS Version:     10.4.9 (Build 8P135)
Report Version: 4

Command: httpd
Path:    /usr/sbin/httpd
Parent:  httpd [28203]

Version: ??? (???)

PID:    28204
Thread: 0

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_PROTECTION_FAILURE (0x0002) at 0x00000000

Thread 0 Crashed:
0   libphp5.so  0x0238d420 _zend_hash_add_or_update + 200 (zend_hash.c:218)
1   libphp5.so  0x0231c2d4 zend_symtable_update + 584 (zend_hash.h:340)
2   libphp5.so  0x0231be4c php_register_variable_ex + 1880 (php_variables.c:215)
3   libphp5.so  0x0209bc9c php_sapi_filter + 1232 (filter.c:399)
4   libphp5.so  0x0231cd5c php_default_treat_data + 1204 (php_variables.c:369)
5   libphp5.so  0x0231e02c php_hash_environment + 944 (php_variables.c:678)
6   libphp5.so  0x02309a94 php_request_startup + 576 (main.c:1144)
7   libphp5.so  0x0242799c apache_php_module_main + 48 (sapi_apache.c:33)
8   libphp5.so  0x0242907c send_php + 740 (mod_php5.c:666)
9   libphp5.so  0x024290ec send_parsed_php + 48 (mod_php5.c:678)
10  httpd       0x0000dd18 ap_invoke_handler + 232
11  httpd       0x00017dd4 process_request_internal + 640
12  httpd       0x00017e54 ap_process_request + 72
13  httpd       0x00006b60 child_main + 1832
14  httpd       0x00006dc4 make_child + 312
15  httpd       0x00006e7c startup_children + 116
16  httpd       0x000074ec standalone_main + 480
17  httpd       0x00007d74 main + 1052
18  httpd       0x0000238c _start + 348
19  httpd       0x0000222c start + 60

Thread 0 crashed with PPC Thread State 64:
  srr0: 0x000000000238d420 srr1: 0x100000000200f030 vrsave: 0x0000000000000000
    cr: 0x28000208          xer: 0x0000000000000000   lr: 0x000000000238d3f0  ctr: 0x000000000238d054
    r0: 0x0000000000000000   r1: 0x00000000bfffe820   r2: 0x0000000000000000   r3: 0x00000000d646a8cc
    r4: 0x0000000000000009   r5: 0x00000000000000ce   r6: 0x00000000bfffe964   r7: 0x0000000000000004
    r8: 0x00000000bfffe968   r9: 0x00000000d646a8cc  r10: 0x000000000238cd28  r11: 0x00000000025ea8b8
   r12: 0x0000000090132320  r13: 0x0000000000000000  r14: 0x0000000000000000  r15: 0x0000000000000000
   r16: 0x0000000000000000  r17: 0x0000000000000000  r18: 0x0000000000000000  r19: 0x0000000000000000
   r20: 0x0000000000000000  r21: 0x0000000000000000  r22: 0x0000000000057314  r23: 0x0000000000057314
   r24: 0x0000000000057314  r25: 0x0000000000057314  r26: 0x0000000001848638  r27: 0x00000000000001f4
   r28: 0x0000000000000017  r29: 0x0000000000259858  r30: 0x00000000bfffe820  r31: 0x000000000238d370

Binary Images Description:

**********

Host Name:      Ally
Date/Time:      2007-05-16 22:48:20.816 -0700
OS Version:     10.4.9 (Build 8P135)
Report Version: 4

Command: httpd
Path:    /usr/sbin/httpd
Parent:  httpd [233]

Version: ??? (???)

PID:    234
Thread: 0

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_INVALID_ADDRESS (0x0001) at 0x636d6428

Thread 0 Crashed:
0   libphp5.so  0x0238cc10 _zend_is_inconsistent + 44 (zend_hash.c:53)
1   libphp5.so  0x0238d3a8 _zend_hash_add_or_update + 80 (zend_hash.c:208)
2   libphp5.so  0x0231c2d4 zend_symtable_update + 584 (zend_hash.h:340)
3   libphp5.so  0x0231be4c php_register_variable_ex + 1880 (php_variables.c:215)
4   libphp5.so  0x0209bc9c php_sapi_filter + 1232 (filter.c:399)
5   libphp5.so  0x0231cd5c php_default_treat_data + 1204 (php_variables.c:369)
6   libphp5.so  0x0231e02c php_hash_environment + 944 (php_variables.c:678)
7   libphp5.so  0x02309a94 php_request_startup + 576 (main.c:1144)
8   libphp5.so  0x0242799c apache_php_module_main + 48 (sapi_apache.c:33)
9   libphp5.so  0x0242907c send_php + 740 (mod_php5.c:666)
10  libphp5.so  0x024290ec send_parsed_php + 48 (mod_php5.c:678)
11  httpd       0x0000dd18 ap_invoke_handler + 232
12  httpd       0x00017dd4 process_request_internal + 640
13  httpd       0x00017e54 ap_process_request + 72
14  httpd       0x00006b60 child_main + 1832
15  httpd       0x00006dc4 make_child + 312
16  httpd       0x00006e7c startup_children + 116
17  httpd       0x000074ec standalone_main + 480
18  httpd       0x00007d74 main + 1052
19  httpd       0x0000238c _start + 348
20  httpd       0x0000222c start + 60

Thread 0 crashed with PPC Thread State 64:
  srr0: 0x000000000238cc10 srr1: 0x100000000000f030 vrsave: 0x0000000000000000
    cr: 0x28000204          xer: 0x0000000000000000   lr: 0x000000000238cbfc  ctr: 0x0000000000000000
    r0: 0x000000000238d3a8   r1: 0x00000000bfffe7d0   r2: 0x00000000636d6400   r3: 0x00000000636d6400
    r4: 0x000000000248a9b0   r5: 0x00000000000000ce   r6: 0x00000000bfffe964   r7: 0x0000000000000004
    r8: 0x00000000bfffe968   r9: 0x0000000000000001  r10: 0x0000000002469a34  r11: 0x00000000025ea8b8
   r12: 0x0000000090132320  r13: 0x0000000000000000  r14: 0x0000000000000000  r15: 0x0000000000000000
   r16: 0x0000000000000000  r17: 0x0000000000000000  r18: 0x0000000000000000  r19: 0x0000000000000000
   r20: 0x0000000000000000  r21: 0x0000000000000000  r22: 0x0000000000057314  r23: 0x0000000000057314
   r24: 0x0000000000057314  r25: 0x0000000000057314  r26: 0x0000000001848638  r27: 0x00000000000001f4
   r28: 0x0000000000000017  r29: 0x00000000002598cc  r30: 0x00000000bfffe7d0  r31: 0x000000000238cbfc

Binary Images Description (same as above)

error_log:

[Wed May 16 18:30:23 2007]  Script:  '/Library/WebServer/Documents/ecomm/web-content/backend/updebug.php'
/Users/paul/Gray/Documents/Business/eComm/phpdev/php-5.2.2/ext/filter/filter.c(364) :  Freeing 0x00259980 (16 bytes), script=/Library/WebServer/Documents/ecomm/web-content/backend/updebug.php
Last leak repeated 2 times
[Wed May 16 18:30:23 2007]  Script:  '/Library/WebServer/Documents/ecomm/web-content/backend/updebug.php'
/Users/paul/Gray/Documents/Business/eComm/phpdev/php-5.2.2/ext/filter/filter.c(393) :  Freeing 0x00259A98 (11 bytes), script=/Library/WebServer/Documents/ecomm/web-content/backend/updebug.php
Last leak repeated 1 time
[Wed May 16 18:30:23 2007]  Script:  '/Library/WebServer/Documents/ecomm/web-content/backend/updebug.php'
/Users/paul/Gray/Documents/Business/eComm/phpdev/php-5.2.2/main/php_variables.c(191) :  Freeing 0x00259AD0 (16 bytes), script=/Library/WebServer/Documents/ecomm/web-content/backend/updebug.php
Last leak repeated 1 time
[Wed May 16 18:30:23 2007]  Script:  '/Library/WebServer/Documents/ecomm/web-content/backend/updebug.php'
/Users/paul/Gray/Documents/Business/eComm/phpdev/php-5.2.2/Zend/zend_hash.c(247) :  Freeing 0x00259B48 (39 bytes), script=/Library/WebServer/Documents/ecomm/web-content/backend/updebug.php
Last leak repeated 1 time
[Wed May 16 18:30:23 2007]  Script:  '/Library/WebServer/Documents/ecomm/web-content/backend/updebug.php'
/Users/paul/Gray/Documents/Business/eComm/phpdev/php-5.2.2/main/rfc1867.c(360) :  Freeing 0x00259EF8 (28 bytes), script=/Library/WebServer/Documents/ecomm/web-content/backend/updebug.php
/Users/paul/Gray/Documents/Business/eComm/phpdev/php-5.2.2/Zend/zend_alloc.c(2314) : Actual location (location was relayed)
[Wed May 16 18:30:23 2007]  Script:  '/Library/WebServer/Documents/ecomm/web-content/backend/updebug.php'
/Users/paul/Gray/Documents/Business/eComm/phpdev/php-5.2.2/main/rfc1867.c(365) :  Freeing 0x00259F40 (5121 bytes), script=/Library/WebServer/Documents/ecomm/web-content/backend/updebug.php
/Users/paul/Gray/Documents/Business/eComm/phpdev/php-5.2.2/Zend/zend_alloc.c(2314) : Actual location (location was relayed)
[Wed May 16 18:30:23 2007]  Script:  '/Library/WebServer/Documents/ecomm/web-content/backend/updebug.php'
/Users/paul/Gray/Documents/Business/eComm/phpdev/php-5.2.2/main/spprintf.c(222) :  Freeing 0x0025B370 (79 bytes), script=/Library/WebServer/Documents/ecomm/web-content/backend/updebug.php
Last leak repeated 1 time
[Wed May 16 18:30:23 2007]  Script:  '/Library/WebServer/Documents/ecomm/web-content/backend/updebug.php'
/Users/paul/Gray/Documents/Business/eComm/phpdev/php-5.2.2/main/rfc1867.c(837) :  Freeing 0x0025B470 (32 bytes), script=/Library/WebServer/Documents/ecomm/web-content/backend/updebug.php
/Users/paul/Gray/Documents/Business/eComm/phpdev/php-5.2.2/Zend/zend_alloc.c(2314) : Actual location (location was relayed)
=== Total 14 memory leaks detected ===
[Wed May 16 18:30:39 2007] [notice] child pid 28204 exit signal Bus error (10)


Previous Comments:
------------------------------------------------------------------------

[2007-05-16 13:02:09] [EMAIL PROTECTED]

Thank you for this bug report. To properly diagnose the problem, we
need a backtrace to see what is happening behind the scenes. To
find out how to generate a backtrace, please read
http://bugs.php.net/bugs-generating-backtrace.php for *NIX and
http://bugs.php.net/bugs-generating-backtrace-win32.php for Win32

Once you have generated a backtrace, please submit it to this bug
report and change the status back to "Open". Thank you for helping
us make PHP better.

------------------------------------------------------------------------

[2007-05-12 00:15:38] paul at gracion dot com

Description:
------------
Bad(?) PHP code causes non-response to web browser, minutes later (during subsequent hits to other php pages) an apache process crashes. What code does: given an HTTP file upload, reads the temporary file with fopen/fgets and writes to MySQL using PDO. fclose() was not called, workaround may be to call fclose(). Reproducible by one user but not by another.
(Mac OS X Client 10.4.9's bundled apache, php5.2.2 binary from http://www.entropy.ch/software/macosx/php/ )

Reproduce code:
---------------
$gSQL = new PDO('mysql:unix_socket=/tmp/mysql.sock;dbname=xxxxx', SQL_USER, SQL_PASS);
$gSQL->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

if (isset($_FILES['widgets']) && ($_FILES['widgets']['error'] == UPLOAD_ERR_OK)) {
    $fhndl = fopen($_FILES['widgets']['tmp_name'], 'r');
    $st = $gSQL->prepare('INSERT INTO widgets (wigitid, wigit, numUsers, created) VALUES (?, ?, ?, NOW())');
    $i = 0;
    while (!feof($fhndl)) {
        if ($line = fgets($fhndl)) { // line is about 15 chars, file is 5-10 lines.
            $st->execute(array($_POST['serialid'], $line, $_POST['numUsers']));
            $i += 1;
            print "."; // progress shown in web browser
        }
    }
    // should be fclose() here
    print "<p>$i widgets imported successfully.</p>";
} else {
    print "<p>Error {$_FILES['widgets']['error']} uploading widgets file.</p>";
}

Expected result:
----------------
Browser displays "$N widgets imported successfully". httpd child process doesn't crash (later).

Actual result:
--------------
Nothing returned to browser, which times out after about 3 minutes. Then, user hits some phpMyAdmin 2.9.2 pages. On one of the hits, an httpd child crashes (the user hitting phpMyAdmin sees nothing wrong).

got 3 different backtraces:

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_PROTECTION_FAILURE (0x0002) at 0x00000014

Thread 0 Crashed:
0   libphp5.so  0x023a6cf7 zend_mm_remove_from_free_list + 33
1   libphp5.so  0x023a7cc4 _zend_mm_free_int + 551
2   libphp5.so  0x023a86b6 _efree + 63
3   libphp5.so  0x023d12f2 zend_hash_destroy + 205
4   libphp5.so  0x023c4701 _zval_dtor_func + 153
5   libphp5.so  0x023b7181 _zval_dtor + 28
6   libphp5.so  0x023b73be _zval_ptr_dtor + 51
7   libphp5.so  0x0237242e php_request_shutdown + 534
8   libphp5.so  0x0243701f apache_php_module_main + 229
9   libphp5.so  0x02438077 send_php + 707
10  libphp5.so  0x024380d8 send_parsed_php + 39
11  httpd       0x00005861 ap_invoke_handler + 182
12  httpd       0x000192d1 process_request_internal + 817
13  httpd       0x000199c4 ap_process_request + 58
14  httpd       0x000101e3 child_main + 1822
15  httpd       0x00010742 make_child + 351
16  httpd       0x0001192c standalone_main + 4434
17  httpd       0x0001253c main + 2200
18  httpd       0x000017e6 _start + 228
19  httpd       0x00001701 start + 41

Thread 0 crashed with X86 Thread State (32-bit):
  eax: 0x00000008  ebx: 0x023a6ce2  ecx: 0x0000e4d0  edx: 0x00000031
  edi: 0x01838b64  esi: 0x00000017  ebp: 0xbffff1e8  esp: 0xbffff1c0
   ss: 0x0000001f  efl: 0x00010286  eip: 0x023a6cf7   cs: 0x00000017
   ds: 0x0000001f   es: 0x0000001f   fs: 0x00000000   gs: 0x00000037

---

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_INVALID_ADDRESS (0x0001) at 0x6f696365

Thread 0 Crashed:
0   libphp5.so  0x023d0068 _zend_hash_add_or_update + 56
1   libphp5.so  0x023808bf zend_symtable_update + 410
2   libphp5.so  0x023805c6 php_register_variable_ex + 1299
3   libphp5.so  0x0209660e php_sapi_filter + 809
4   libphp5.so  0x02380fab php_default_treat_data + 867
5   libphp5.so  0x02381e07 php_hash_environment + 853
6   libphp5.so  0x02371f1f php_request_startup + 523
7   libphp5.so  0x02436f55 apache_php_module_main + 27
8   libphp5.so  0x02438077 send_php + 707
9   libphp5.so  0x024380d8 send_parsed_php + 39
10  httpd       0x00005861 ap_invoke_handler + 182
11  httpd       0x000192d1 process_request_internal + 817
12  httpd       0x000199c4 ap_process_request + 58
13  httpd       0x000101e3 child_main + 1822
14  httpd       0x00010742 make_child + 351
15  httpd       0x0001192c standalone_main + 4434
16  httpd       0x0001253c main + 2200
17  httpd       0x000017e6 _start + 228
18  httpd       0x00001701 start + 41

Thread 0 crashed with X86 Thread State (32-bit):
  eax: 0x6f696361  ebx: 0x023d003e  ecx: 0x0059778b  edx: 0x0b8868eb
  edi: 0x005c775d  esi: 0x00000017  ebp: 0xbffff088  esp: 0xbffff030
   ss: 0x0000001f  efl: 0x00010286  eip: 0x023d0068   cs: 0x00000017
   ds: 0x0000001f   es: 0x0000001f   fs: 0x00000000   gs: 0x00000037

---

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_PROTECTION_FAILURE (0x0002) at 0x00000005

Thread 0 Crashed:
0   libphp5.so  0x023d0080 _zend_hash_add_or_update + 80 (was +56 above, otherwise same trace)
1   libphp5.so  0x023808bf zend_symtable_update + 410
2   libphp5.so  0x023805c6 php_register_variable_ex + 1299
3   libphp5.so  0x0209660e php_sapi_filter + 809
4   libphp5.so  0x02380fab php_default_treat_data + 867
5   libphp5.so  0x02381e07 php_hash_environment + 853
6   libphp5.so  0x02371f1f php_request_startup + 523
7   libphp5.so  0x02436f55 apache_php_module_main + 27
8   libphp5.so  0x02438077 send_php + 707
9   libphp5.so  0x024380d8 send_parsed_php + 39
10  httpd       0x00005861 ap_invoke_handler + 182
11  httpd       0x000192d1 process_request_internal + 817
12  httpd       0x000199c4 ap_process_request + 58
13  httpd       0x000101e3 child_main + 1822
14  httpd       0x00010742 make_child + 351
15  httpd       0x0001192c standalone_main + 4434
16  httpd       0x0001253c main + 2200
17  httpd       0x000017e6 _start + 228
18  httpd       0x00001701 start + 41

Thread 0 crashed with X86 Thread State (32-bit):
  eax: 0x00000005  ebx: 0x023d003e  ecx: 0x1070cd46  edx: 0x00000005
  edi: 0x005c7781  esi: 0x00000017  ebp: 0xbffff088  esp: 0xbffff030
   ss: 0x0000001f  efl: 0x00010246  eip: 0x023d0080   cs: 0x00000017
   ds: 0x0000001f   es: 0x0000001f   fs: 0x00000000   gs: 0x00000037

------------------------------------------------------------------------

--
Edit this bug report at http://bugs.php.net/?id=41370&edit=1
