ID: 40926
Comment by: jbq at caraldi dot com
Reported By: seanius at debian dot org
Status: Assigned
Bug Type: PostgreSQL related
Operating System: Debian GNU/Linux
PHP Version: 5.2.1
Assigned To: yohgaki

New Comment:

Another workaround is to recompile PostgreSQL's libpq without OpenSSL support (i.e. the --with-openssl configure switch). After all, OpenSSL is rarely needed in a typical LAPP installation.

Previous Comments:
------------------------------------------------------------------------

[2007-11-12 14:45:13] sam at zoy dot org

Hello, I did read the sources and studied them, and I can confirm that it is a matter of callback jumping to an invalid address.

libpq's init_ssl_system() installs callbacks by calling CRYPTO_set_id_callback() and CRYPTO_set_locking_callback(). This function is called each time initialize_SSL() is called (for instance through the PHP pg_connect() function) and does not keep a reference counter, so libpq's destroy_SSL() has no way to know that it should call a destroy_ssl_system() function, and there is no such function anyway. So the callbacks are never removed.

But then, upon cleanup, PHP calls zend_shutdown() which properly unloads pgsql.so and therefore the unused libpq.

Finally, the zend_shutdown procedure calls zm_shutdown_curl() which in turn calls curl_global_cleanup() which leads to an ERR_free_strings() call and eventually a CRYPTO_lock() call. CRYPTO_lock() checks whether there are any callbacks to call, finds one (the one installed by libpq), calls it, and crashes because libpq was unloaded and hence the callback is no longer in mapped memory.

There are a few ways to fix the problem, all of which are highly unsatisfying or unrealistic:

- always ensure that pgsql.so is loaded before (and therefore unloaded after) any other SSL-using library.
- fix libpq so that it keeps a reference count when initialize_SSL() is called, updates it when destroy_SSL() is called, and removes SSL callbacks when the reference count reaches zero.
- fix libpq so that it removes the SSL callbacks when unloaded (done in the library's .fini section)
- hack PHP's module_destructor() so that it does not unload a module if its name was pgsql.so (or maybe there is already a mechanism for that).

None of these proposals is really safe because there might be other conflicts due to libssl not being context-aware. There is also the possibility to fix libssl by making it reentrant or context-aware (just kidding, lol).

In all cases, libssl can be copiously blamed.

------------------------------------------------------------------------

[2007-05-22 08:13:09] milan dot pikula at ipsec dot info

Hello, I didn't read the sources nor study them thoroughly, but I don't think it's a matter of callback jumping to an invalid address.

I have started the cli php with dmalloc library preloaded, and found a problem in libpq, which calls free() on some invalid pointer or previously deallocated memory. There is no symbol related to any callback in the stack backtrace. Also, the problem is persistent regardless of module loading order, it just doesn't show without dmalloc library in some cases.

** glibc detected *** php: free(): invalid pointer: 0xb6e23380 ***
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6[0xb7a187cd]
/lib/tls/i686/cmov/libc.so.6(cfree+0x90)[0xb7a1be30]
/usr/lib/libpq.so.5[0xb7149dfa]
/usr/lib/libpq.so.5[0xb714a6d3]
/usr/lib/libpq.so.5(PQconnectStart+0x1a)[0xb714b04a]
/usr/lib/libpq.so.5(PQconnectdb+0x22)[0xb714b0a2]
/usr/lib/php5/20060613+lfs/pgsql.so[0xb713d31f]
php[0x82da470]
php(execute+0x188)[0x82d93e8]
php(zend_execute_scripts+0x84)[0x82b8924]
php(php_execute_script+0x246)[0x8270a46]
php(main+0xf09)[0x8348fd9]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xdc)[0xb79c6ebc]
php[0x8096191]
Aborted (core dumped)

Previously I reported it here:
https://bugs.launchpad.net/ubuntu/+source/php5/+bug/63141/comments/5

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at
http://bugs.php.net/40926
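
The reference-counting fix proposed in the 2007-11-12 comment above, sketched as an added example; it is not code from libpq, PHP, OpenSSL or any commenter. The global slot, crypto_lock() and every demo_* name are hypothetical stand-ins for libcrypto's process-wide callback slot and for libpq's initialize_SSL()/destroy_SSL().

```c
#include <stddef.h>
/* Stand-in for libcrypto's single process-wide locking-callback slot (the one
   CRYPTO_set_locking_callback() writes to). Constructed for this example. */
typedef void (*lock_cb_t)(int mode, int n);
static lock_cb_t global_lock_cb = NULL;
static void set_locking_callback(lock_cb_t cb) { global_lock_cb = cb; }
static lock_cb_t get_locking_callback(void) { return global_lock_cb; }

/* Hypothetical client library playing the role of libpq. */
static int demo_lock_calls = 0;
static void demo_lock_cb(int mode, int n) { (void)mode; (void)n; demo_lock_calls++; }
static int ssl_users = 0;   /* reference count of live SSL users */

/* Called on every connection setup, like initialize_SSL(). */
void demo_init_ssl(void)
{
    if (ssl_users++ == 0 && get_locking_callback() == NULL)
        set_locking_callback(demo_lock_cb);  /* install only into a free slot */
}

/* Called on every connection teardown, like destroy_SSL(). */
void demo_destroy_ssl(void)
{
    if (ssl_users > 0 && --ssl_users == 0 &&
        get_locking_callback() == demo_lock_cb)
        set_locking_callback(NULL);          /* remove only our own callback */
}

/* Stand-in for a later CRYPTO_lock() from another SSL user (curl's cleanup in
   the report). Returns 1 if a callback was invoked, 0 if the slot was empty. */
int crypto_lock(int mode, int n)
{
    if (global_lock_cb == NULL) return 0;
    global_lock_cb(mode, n);
    return 1;
}

/* Two connections opened and closed, then a late lock call.
   Returns 0 when no stale callback is left for the late call to jump through. */
int scenario_two_connections(void)
{
    demo_init_ssl(); demo_init_ssl();
    demo_destroy_ssl();
    int mid = crypto_lock(1, 0);   /* one user left: callback must still run */
    demo_destroy_ssl();
    int late = crypto_lock(1, 0);  /* no users left: slot must be empty */
    return (mid == 1 && late == 0) ? 0 : 1;
}
int main(void) { return scenario_two_connections(); }
```

Because the slot is emptied before the library could be unloaded, the late lock call finds nothing to invoke; the ownership check also keeps the library from clearing a callback that another SSL user installed.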