ID:               49098
 Updated by:       j...@php.net
 Reported By:      bugs at timj dot co dot uk
-Status:           No Feedback
+Status:           Open
 Bug Type:         Session related
 Operating System: Linux
 PHP Version:      5.2.10
 New Comment:

NEVER ever email me test cases privately. Here's the script you sent
me:

<?php

/*
Table used by the MDB2 session container:

CREATE TABLE `_session_data` (
  `id` char(32) NOT NULL,
  `expiry` int(10) unsigned NOT NULL,
  `data` text NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8
*/

require_once 'HTTP/Session2.php';

// Password elided in the original report.
$dsn = 'mysqli://user:p...@localhost/dbname';

$options = array();
$options['dsn']   = $dsn;
$options['table'] = '_session_data';

// Register the MDB2-backed user save handler and start the session;
// the segfault happens when PHP flushes the session at request shutdown.
HTTP_Session2::setContainer('MDB2', $options);
HTTP_Session2::start('mysess');

?>

Installed PEAR packages to make it happen:
HTTP_Session2      0.7.2   beta
MDB2               2.5.0b2 beta
MDB2_Driver_mysqli 1.5.0b2 beta 
 


Previous Comments:
------------------------------------------------------------------------

[2009-08-06 01:00:01] php-bugs at lists dot php dot net

No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".

------------------------------------------------------------------------

[2009-07-29 12:31:10] j...@php.net

And as expected: We really need a proper, short, reproducing script. Now
the problem might be anywhere.

------------------------------------------------------------------------

[2009-07-29 12:30:18] j...@php.net

In the future: PLEASE add the backtraces in separate comments. Now it's
pretty hard to see which is which. 

------------------------------------------------------------------------

[2009-07-29 12:14:23] t...@php.net

N.B. this occurs with both apache2 and CGI SAPIs.

------------------------------------------------------------------------

[2009-07-29 12:12:40] bugs at timj dot co dot uk

Description:
------------
I am seeing segfaults on various pages that don't occur on 5.2.9 (and
the same site has been working on many previous versions of 5.1/5.2). I
have a session handler using PEAR HTTP_Session2, that saves via
MDB2/mysqli to a MySQL database. The segfaults seem to happen during
session_save_state.

Unfortunately I don't currently have a trivial reproduction scenario,
but it does reliably cause a segfault in both 5.2.10 and
5.2SVN-snap200907182030.

I am not a C developer, but after a diligent attempt to search the
bugtracker and investigate the bug, I concluded that it was probably a
duplicate of bug #48922 and tried to add additional information to that
bug, explaining my reasoning, to avoid filing a duplicate (in accordance
with http://bugs.php.net/report.php). However, Jani disagrees (see
comments in the other bug), so I'm filing a new bug.

Actual result:
--------------
Here's 5.2.10: (crash in version_compare):

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff1ea4d3f in _zend_mm_free_int (heap=0x7ffff8396480,
p=0x7ffff8bb7010) at /usr/src/debug/php-5.2.10/Zend/zend_alloc.c:1978
1978            if (ZEND_MM_IS_FREE_BLOCK(next_block)) {
(gdb) bt
#0  0x00007ffff1ea4d3f in _zend_mm_free_int (heap=0x7ffff8396480,
p=0x7ffff8bb7010) at /usr/src/debug/php-5.2.10/Zend/zend_alloc.c:1978
#1  0x00007ffff1ea5af4 in _efree (ptr=0x7ffff8bb7010) at
/usr/src/debug/php-5.2.10/Zend/zend_alloc.c:2311
#2  0x00007ffff1e3f4ff in php_version_compare
(orig_ver1=0x7ffff87b7538
"5.2.10", orig_ver2=0x7ffff8e41ac0 "5.0") at
/usr/src/debug/php-5.2.10/ext/standard/versioning.c:202
#3  0x00007ffff1e3f58b in zif_version_compare (ht=3,
return_value=0x7ffff87bc458, return_value_ptr=0x0, this_ptr=0x0,
return_value_used=1) at
/usr/src/debug/php-5.2.10/ext/standard/versioning.c:222
#4  0x00007ffff1ef028d in zend_do_fcall_common_helper_SPEC
(execute_data=0x7fffffffac00) at
/usr/src/debug/php-5.2.10/Zend/zend_vm_execute.h:200
#5  0x00007ffff1ef4235 in ZEND_DO_FCALL_SPEC_CONST_HANDLER
(execute_data=0x7fffffffac00) at
/usr/src/debug/php-5.2.10/Zend/zend_vm_execute.h:1739
#6  0x00007ffff1eefd6f in execute (op_array=0x7ffff8a028c0) at
/usr/src/debug/php-5.2.10/Zend/zend_vm_execute.h:92
#7  0x00007ffff1ef043e in zend_do_fcall_common_helper_SPEC
(execute_data=0x7fffffffba00) at
/usr/src/debug/php-5.2.10/Zend/zend_vm_execute.h:234
#8  0x00007ffff1ef0984 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER
(execute_data=0x7fffffffba00) at
/usr/src/debug/php-5.2.10/Zend/zend_vm_execute.h:322
#9  0x00007ffff1eefd6f in execute (op_array=0x7ffff8b696e8) at
/usr/src/debug/php-5.2.10/Zend/zend_vm_execute.h:92
#10 0x00007ffff1ef043e in zend_do_fcall_common_helper_SPEC
(execute_data=0x7fffffffbf60) at
/usr/src/debug/php-5.2.10/Zend/zend_vm_execute.h:234
#11 0x00007ffff1ef0984 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER
(execute_data=0x7fffffffbf60) at
/usr/src/debug/php-5.2.10/Zend/zend_vm_execute.h:322
#12 0x00007ffff1eefd6f in execute (op_array=0x7ffff8b69588) at
/usr/src/debug/php-5.2.10/Zend/zend_vm_execute.h:92
#13 0x00007ffff1ef043e in zend_do_fcall_common_helper_SPEC
(execute_data=0x7fffffffc2d0) at
/usr/src/debug/php-5.2.10/Zend/zend_vm_execute.h:234
#14 0x00007ffff1ef0984 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER
(execute_data=0x7fffffffc2d0) at
/usr/src/debug/php-5.2.10/Zend/zend_vm_execute.h:322
#15 0x00007ffff1eefd6f in execute (op_array=0x7ffff8b6a728) at
/usr/src/debug/php-5.2.10/Zend/zend_vm_execute.h:92
#16 0x00007ffff1ef043e in zend_do_fcall_common_helper_SPEC
(execute_data=0x7fffffffd1c0) at
/usr/src/debug/php-5.2.10/Zend/zend_vm_execute.h:234
#17 0x00007ffff1ef0984 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER
(execute_data=0x7fffffffd1c0) at
/usr/src/debug/php-5.2.10/Zend/zend_vm_execute.h:322
#18 0x00007ffff1eefd6f in execute (op_array=0x7ffff8e29300) at
/usr/src/debug/php-5.2.10/Zend/zend_vm_execute.h:92
#19 0x00007ffff1eb816b in zend_call_function (fci=0x7fffffffd440,
fci_cache=0x0) at
/usr/src/debug/php-5.2.10/Zend/zend_execute_API.c:1032
#20 0x00007ffff1eb66d4 in call_user_function_ex
(function_table=0x7ffff8396d20, object_pp=0x0,
function_name=0x7ffff8e3eea0, retval_ptr_ptr=0x7fffffffd4e8,
param_count=2, params=0x7ffff87b7670, no_separation=1, 
    symbol_table=0x0) at
/usr/src/debug/php-5.2.10/Zend/zend_execute_API.c:640
#21 0x00007ffff1eb65af in call_user_function
(function_table=0x7ffff8396d20, object_pp=0x0,
function_name=0x7ffff8e3eea0, retval_ptr=0x7ffff87b7c18,
param_count=2,
params=0x7fffffffd590)
    at /usr/src/debug/php-5.2.10/Zend/zend_execute_API.c:613
#22 0x00007ffff1da4785 in ps_call_handler (func=0x7ffff8e3eea0,
argc=2,
argv=0x7fffffffd590) at
/usr/src/debug/php-5.2.10/ext/session/mod_user.c:53
#23 0x00007ffff1da4c2d in ps_write_user (mod_data=0x7ffff221db60,
key=0x7ffff8e3f7c0 "59ufo7hqslet38p73jp9na8577", 
    val=0x7ffff8fb1e88
"__HTTP_Session2_Info|i:2;__HTTP_Session2_Idle|i:3600;__HTTP_Session2_Id
le_TS|i:1247951369;user_id|s:1:\"6\";audit_user|N;", vallen=119) at
/usr/src/debug/php-5.2.10/ext/session/mod_user.c:141
#24 0x00007ffff1d9d8ba in php_session_save_current_state () at
/usr/src/debug/php-5.2.10/ext/session/session.c:556
#25 0x00007ffff1da0fbb in php_session_flush () at
/usr/src/debug/php-5.2.10/ext/session/session.c:1408
#26 0x00007ffff1da31cc in zm_deactivate_session (type=1,
module_number=17) at
/usr/src/debug/php-5.2.10/ext/session/session.c:2010
#27 0x00007ffff1ecd24b in module_registry_cleanup
(module=0x7ffff83c8550) at
/usr/src/debug/php-5.2.10/Zend/zend_API.c:1976
#28 0x00007ffff1ed2ba7 in zend_hash_reverse_apply (ht=0x7ffff2221e20,
apply_func=0x7ffff1ecd20c <module_registry_cleanup>) at
/usr/src/debug/php-5.2.10/Zend/zend_hash.c:755
#29 0x00007ffff1ec5628 in zend_deactivate_modules () at
/usr/src/debug/php-5.2.10/Zend/zend.c:838
#30 0x00007ffff1e6de29 in php_request_shutdown (dummy=0x0) at
/usr/src/debug/php-5.2.10/main/main.c:1468
#31 0x00007ffff1f475f9 in php_apache_request_dtor (r=0x7ffff87edb38)
at
/usr/src/debug/php-5.2.10/sapi/apache2handler/sapi_apache2.c:472
#32 0x00007ffff1f47e6a in php_handler (r=0x7ffff87edb38) at
/usr/src/debug/php-5.2.10/sapi/apache2handler/sapi_apache2.c:644
#33 0x00007ffff7fd9600 in ap_run_handler (r=0x7ffff87edb38) at
/usr/src/debug/httpd-2.2.11/server/config.c:158
#34 0x00007ffff7fdce98 in ap_invoke_handler (r=0x7ffff87edb38) at
/usr/src/debug/httpd-2.2.11/server/config.c:372
#35 0x00007ffff7fe852e in ap_process_request (r=0x7ffff87edb38) at
/usr/src/debug/httpd-2.2.11/modules/http/http_request.c:282
#36 0x00007ffff7fe5328 in ap_process_http_connection
(c=0x7ffff87e7cf8)
at /usr/src/debug/httpd-2.2.11/modules/http/http_core.c:190
#37 0x00007ffff7fe1048 in ap_run_process_connection (c=0x7ffff87e7cf8)
at /usr/src/debug/httpd-2.2.11/server/connection.c:43
#38 0x00007ffff7fecf78 in child_main (child_num_arg=<value optimized
out>) at /usr/src/debug/httpd-2.2.11/server/mpm/prefork/prefork.c:650
#39 0x00007ffff7fed1f6 in make_child (s=0x7ffff8212f90, slot=0) at
/usr/src/debug/httpd-2.2.11/server/mpm/prefork/prefork.c:690
#40 0x00007ffff7fed853 in ap_mpm_run (_pconf=<value optimized out>,
plog=<value optimized out>, s=<value optimized out>) at
/usr/src/debug/httpd-2.2.11/server/mpm/prefork/prefork.c:966
#41 0x00007ffff7fc56d0 in main (argc=14, argv=0x7fffffffe128) at
/usr/src/debug/httpd-2.2.11/server/main.c:740
(gdb) frame 2
#2  0x00007ffff1e3f4ff in php_version_compare
(orig_ver1=0x7ffff87b7538
"5.2.10", orig_ver2=0x7ffff8e41ac0 "5.0") at
/usr/src/debug/php-5.2.10/ext/standard/versioning.c:202
202             efree(ver1);

The above call appears to have come via "version_compare(phpversion(),
"5.0", ">=")" in MDB2::classExists().

However, running exactly the same page with the 5.2 snapshot from
200907182030 results in apparently the same behaviour (segfault) but
in
a completely different function:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff1ea373a in _zend_mm_alloc_int (heap=0x7ffff83964a0,
size=12)
at /usr/src/debug/php5.2-200907182030/Zend/zend_alloc.c:1785
1785                            heap->cache[index] = best_fit->prev_free_block;
(gdb) bt
#0  0x00007ffff1ea373a in _zend_mm_alloc_int (heap=0x7ffff83964a0,
size=12) at /usr/src/debug/php5.2-200907182030/Zend/zend_alloc.c:1785
#1  0x00007ffff1ea4bbc in _emalloc (size=12) at
/usr/src/debug/php5.2-200907182030/Zend/zend_alloc.c:2300
#2  0x00007ffff1ea4d49 in _safe_emalloc (nmemb=3, size=4, offset=0) at
/usr/src/debug/php5.2-200907182030/Zend/zend_alloc.c:2391
#3  0x00007ffff1d3d24c in php_pcre_match_impl (pce=0x7ffff8bd8360,
subject=0x7ffff8b998a8
"__HTTP_Session2_Info|i:2;__HTTP_Session2_Idle|i:3600;__HTTP_Session2_Id
le_TS|i:1247953764;user_id|s:1:\"6\";audit_user|N;", 
    subject_len=119, return_value=0x7ffff87b99f0, subpats=0x0,
global=0,
use_flags=0, flags=0, start_offset=0) at
/usr/src/debug/php5.2-200907182030/ext/pcre/php_pcre.c:603
#4  0x00007ffff1d3cfe8 in php_do_pcre_match (ht=2,
return_value=0x7ffff87b99f0, return_value_ptr=0x0, this_ptr=0x0,
return_value_used=1, global=0) at
/usr/src/debug/php5.2-200907182030/ext/pcre/php_pcre.c:513
#5  0x00007ffff1d3db55 in zif_preg_match (ht=2,
return_value=0x7ffff87b99f0, return_value_ptr=0x0, this_ptr=0x0,
return_value_used=1) at
/usr/src/debug/php5.2-200907182030/ext/pcre/php_pcre.c:762
#6  0x00007ffff1eef409 in zend_do_fcall_common_helper_SPEC
(execute_data=0x7fffffffbfe0) at
/usr/src/debug/php5.2-200907182030/Zend/zend_vm_execute.h:200
#7  0x00007ffff1ef33b1 in ZEND_DO_FCALL_SPEC_CONST_HANDLER
(execute_data=0x7fffffffbfe0) at
/usr/src/debug/php5.2-200907182030/Zend/zend_vm_execute.h:1739
#8  0x00007ffff1eeeeeb in execute (op_array=0x7ffff8ec85a0) at
/usr/src/debug/php5.2-200907182030/Zend/zend_vm_execute.h:92
#9  0x00007ffff1eef5ba in zend_do_fcall_common_helper_SPEC
(execute_data=0x7fffffffc2d0) at
/usr/src/debug/php5.2-200907182030/Zend/zend_vm_execute.h:234
#10 0x00007ffff1eefb00 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER
(execute_data=0x7fffffffc2d0) at
/usr/src/debug/php5.2-200907182030/Zend/zend_vm_execute.h:322
#11 0x00007ffff1eeeeeb in execute (op_array=0x7ffff8b69d80) at
/usr/src/debug/php5.2-200907182030/Zend/zend_vm_execute.h:92
#12 0x00007ffff1eef5ba in zend_do_fcall_common_helper_SPEC
(execute_data=0x7fffffffd1c0) at
/usr/src/debug/php5.2-200907182030/Zend/zend_vm_execute.h:234
#13 0x00007ffff1eefb00 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER
(execute_data=0x7fffffffd1c0) at
/usr/src/debug/php5.2-200907182030/Zend/zend_vm_execute.h:322
#14 0x00007ffff1eeeeeb in execute (op_array=0x7ffff8e29508) at
/usr/src/debug/php5.2-200907182030/Zend/zend_vm_execute.h:92
#15 0x00007ffff1eb727b in zend_call_function (fci=0x7fffffffd440,
fci_cache=0x0) at
/usr/src/debug/php5.2-200907182030/Zend/zend_execute_API.c:1032
#16 0x00007ffff1eb57e4 in call_user_function_ex
(function_table=0x7ffff8396d40, object_pp=0x0,
function_name=0x7ffff8e3f1f0, retval_ptr_ptr=0x7fffffffd4e8,
param_count=2, params=0x7ffff87b7850, no_separation=1, 
    symbol_table=0x0) at
/usr/src/debug/php5.2-200907182030/Zend/zend_execute_API.c:640
#17 0x00007ffff1eb56bf in call_user_function
(function_table=0x7ffff8396d40, object_pp=0x0,
function_name=0x7ffff8e3f1f0, retval_ptr=0x7ffff87b75f0,
param_count=2,
params=0x7fffffffd590)
    at /usr/src/debug/php5.2-200907182030/Zend/zend_execute_API.c:613
#18 0x00007ffff1da385d in ps_call_handler (func=0x7ffff8e3f1f0,
argc=2,
argv=0x7fffffffd590) at
/usr/src/debug/php5.2-200907182030/ext/session/mod_user.c:53
#19 0x00007ffff1da3d05 in ps_write_user (mod_data=0x7ffff221db20,
key=0x7ffff8d8e290 "l41av5sk36mub26qvgm1t61672", 
    val=0x7ffff8fb2470
"__HTTP_Session2_Info|i:2;__HTTP_Session2_Idle|i:3600;__HTTP_Session2_Id
le_TS|i:1247953764;user_id|s:1:\"6\";audit_user|N;", vallen=119) at
/usr/src/debug/php5.2-200907182030/ext/session/mod_user.c:141
#20 0x00007ffff1d9c98a in php_session_save_current_state () at
/usr/src/debug/php5.2-200907182030/ext/session/session.c:556
#21 0x00007ffff1da008b in php_session_flush () at
/usr/src/debug/php5.2-200907182030/ext/session/session.c:1408
#22 0x00007ffff1da229c in zm_deactivate_session (type=1,
module_number=17) at
/usr/src/debug/php5.2-200907182030/ext/session/session.c:2010
#23 0x00007ffff1ecc35b in module_registry_cleanup
(module=0x7ffff83c86f0) at
/usr/src/debug/php5.2-200907182030/Zend/zend_API.c:1976
#24 0x00007ffff1ed1cb7 in zend_hash_reverse_apply (ht=0x7ffff2221de0,
apply_func=0x7ffff1ecc31c <module_registry_cleanup>) at
/usr/src/debug/php5.2-200907182030/Zend/zend_hash.c:755
#25 0x00007ffff1ec4738 in zend_deactivate_modules () at
/usr/src/debug/php5.2-200907182030/Zend/zend.c:838
#26 0x00007ffff1e6cf1c in php_request_shutdown (dummy=0x0) at
/usr/src/debug/php5.2-200907182030/main/main.c:1463
#27 0x00007ffff1f46775 in php_apache_request_dtor (r=0x7ffff87edd18)
at
/usr/src/debug/php5.2-200907182030/sapi/apache2handler/sapi_apache2.c:472
#28 0x00007ffff1f46fe6 in php_handler (r=0x7ffff87edd18) at
/usr/src/debug/php5.2-200907182030/sapi/apache2handler/sapi_apache2.c:644
#29 0x00007ffff7fd9600 in ap_run_handler (r=0x7ffff87edd18) at
/usr/src/debug/httpd-2.2.11/server/config.c:158
#30 0x00007ffff7fdce98 in ap_invoke_handler (r=0x7ffff87edd18) at
/usr/src/debug/httpd-2.2.11/server/config.c:372
#31 0x00007ffff7fe852e in ap_process_request (r=0x7ffff87edd18) at
/usr/src/debug/httpd-2.2.11/modules/http/http_request.c:282
#32 0x00007ffff7fe5328 in ap_process_http_connection
(c=0x7ffff87e7ed8)
at /usr/src/debug/httpd-2.2.11/modules/http/http_core.c:190
#33 0x00007ffff7fe1048 in ap_run_process_connection (c=0x7ffff87e7ed8)
at /usr/src/debug/httpd-2.2.11/server/connection.c:43
#34 0x00007ffff7fecf78 in child_main (child_num_arg=<value optimized
out>) at /usr/src/debug/httpd-2.2.11/server/mpm/prefork/prefork.c:650
#35 0x00007ffff7fed1f6 in make_child (s=0x7ffff8212f90, slot=0) at
/usr/src/debug/httpd-2.2.11/server/mpm/prefork/prefork.c:690
#36 0x00007ffff7fed853 in ap_mpm_run (_pconf=<value optimized out>,
plog=<value optimized out>, s=<value optimized out>) at
/usr/src/debug/httpd-2.2.11/server/mpm/prefork/prefork.c:966
#37 0x00007ffff7fc56d0 in main (argc=14, argv=0x7fffffffe128) at
/usr/src/debug/httpd-2.2.11/server/main.c:740
(gdb) frame 3
#3  0x00007ffff1d3d24c in php_pcre_match_impl (pce=0x7ffff8bd8360,
subject=0x7ffff8b998a8
"__HTTP_Session2_Info|i:2;__HTTP_Session2_Idle|i:3600;__HTTP_Session2_Id
le_TS|i:1247953764;user_id|s:1:\"6\";audit_user|N;", 
    subject_len=119, return_value=0x7ffff87b99f0, subpats=0x0,
global=0,
use_flags=0, flags=0, start_offset=0) at
/usr/src/debug/php5.2-200907182030/ext/pcre/php_pcre.c:603
603             offsets = (int *)safe_emalloc(size_offsets, sizeof(int), 0);



------------------------------------------------------------------------
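The two traces in the report fault in different functions but share the same caller chain through the session write. As an added triage helper (not part of the bug report or of PHP itself), this Python script parses mail-wrapped gdb `bt` output, flags a fault inside the Zend allocator as suspected heap corruption elsewhere, reports the first frame outside the allocator, and lists the callers common to both traces; the sample traces are constructed from the report's frames with source paths abbreviated.

```python
import re
from typing import Dict, List, Tuple

# One gdb frame "#N 0x.. in func (args) at file:line"; mail clients wrap these,
# so the pattern runs in DOTALL/MULTILINE mode and tolerates embedded newlines.
FRAME_RE = re.compile(
    r"^#(?P<num>\d+)\s+(?:0x[0-9a-f]+\s+in\s+)?(?P<func>[A-Za-z_]\w*)\s*"
    r"\(.*?\)\s+at\s+(?P<file>\S+):(?P<line>\d+)", re.S | re.M)
# A fault inside the Zend memory manager usually means the heap was corrupted
# earlier by other code, so allocator frames are not where the bug lives.
ALLOCATOR_FILE = "Zend/zend_alloc.c"

def parse_backtrace(text: str) -> List[Tuple[int, str, str, int]]:
    """Parse gdb 'bt' output into (frame number, function, file, line)."""
    return [(int(m["num"]), m["func"], m["file"], int(m["line"]))
            for m in FRAME_RE.finditer(text)]

def triage(text: str) -> Dict[str, object]:
    """Faulting function, allocator-fault flag, first frame outside the
    allocator, and whether the session was being written at the time."""
    frames = parse_backtrace(text)
    if not frames:
        raise ValueError("no gdb frames found")
    outside = [f for f in frames if not f[2].endswith(ALLOCATOR_FILE)]
    return {"faulting_function": frames[0][1],
            "heap_corruption_suspected": frames[0][2].endswith(ALLOCATOR_FILE),
            "first_non_allocator_frame": outside[0][1] if outside else None,
            "during_session_write": any(
                f[1] == "php_session_save_current_state" for f in frames)}

def shared_callers(a: str, b: str) -> List[str]:
    """Functions on both traces, outermost first: the common trigger path."""
    in_b = {f[1] for f in parse_backtrace(b)}
    return [f[1] for f in reversed(parse_backtrace(a)) if f[1] in in_b]

# Constructed samples: a few frames abbreviated from the report's two traces.
BT_5210 = """\
#0  0x00007ffff1ea4d3f in _zend_mm_free_int (heap=0x7ffff8396480,
p=0x7ffff8bb7010) at php-5.2.10/Zend/zend_alloc.c:1978
#2  0x00007ffff1e3f4ff in php_version_compare (orig_ver1=0x7ffff87b7538
"5.2.10", orig_ver2=0x7ffff8e41ac0 "5.0") at php-5.2.10/ext/standard/versioning.c:202
#23 0x00007ffff1da4c2d in ps_write_user (vallen=119) at php-5.2.10/ext/session/mod_user.c:141
#24 0x00007ffff1d9d8ba in php_session_save_current_state () at php-5.2.10/ext/session/session.c:556
"""
BT_SNAP = """\
#0  0x00007ffff1ea373a in _zend_mm_alloc_int (heap=0x7ffff83964a0,
size=12) at php5.2-200907182030/Zend/zend_alloc.c:1785
#2  0x00007ffff1ea4d49 in _safe_emalloc (nmemb=3, size=4, offset=0) at php5.2-200907182030/Zend/zend_alloc.c:2391
#3  0x00007ffff1d3d24c in php_pcre_match_impl (subject_len=119) at php5.2-200907182030/ext/pcre/php_pcre.c:603
#19 0x00007ffff1da3d05 in ps_write_user (vallen=119) at php5.2-200907182030/ext/session/mod_user.c:141
#20 0x00007ffff1d9c98a in php_session_save_current_state () at php5.2-200907182030/ext/session/session.c:556
"""
```

Run `triage()` on each trace and `shared_callers()` on the pair: both faults land in the allocator with different first outside frames, while the shared path ends in the user session save handler.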


-- 
Edit this bug report at http://bugs.php.net/?id=49098&edit=1
