ID:               20358
 User updated by:  [EMAIL PROTECTED]
 Reported By:      [EMAIL PROTECTED]
 Status:           Open
 Bug Type:         Session related
 Operating System: RedHat7.3
 PHP Version:      4.3.0-pre2
 New Comment:

Apache was re-compiled with the -DBIG_SECURITY_HOLE option.
Edit /usr/local/apache/conf/httpd.conf:
User root
Group root
CoreDumpDirectory /tmp

# /usr/local/apache/bin/apachectl start
# sh loop.sh
# tail -f /usr/local/apache/logs/error_log
[Tue Nov 12 20:41:49 2002] [notice] child pid 23351 exit signal Segmentation fault (11), possible coredump in /tmp

A child process of Apache dumped core.

back trace
----
(gdb) bt
#0  0x40148a33 in ps_sd_lookup (data=0x80d4418, key=0x8136f2c "136", rw=0)
    at /home/work/httpd/php-4.3.0pre2/ext/session/mod_mm.c:187
#1  0x40148ec8 in ps_read_mm (mod_data=0x4029ea70, key=0x8136f2c "136",
    val=0xbfffd1e0, vallen=0xbfffd1dc)
    at /home/work/httpd/php-4.3.0pre2/ext/session/mod_mm.c:326
#2  0x401446b9 in php_session_initialize ()
    at /home/work/httpd/php-4.3.0pre2/ext/session/session.c:608
#3  0x40145864 in php_session_start ()
    at /home/work/httpd/php-4.3.0pre2/ext/session/session.c:1004
#4  0x40147438 in zif_session_start (ht=0, return_value=0x8136fd4,
    this_ptr=0x0, return_value_used=0)
    at /home/work/httpd/php-4.3.0pre2/ext/session/session.c:1445
#5  0x4022cfc7 in execute (op_array=0x8136c3c)
    at /home/work/httpd/php-4.3.0pre2/Zend/zend_execute.c:1595
#6  0x4021a174 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /home/work/httpd/php-4.3.0pre2/Zend/zend.c:839
#7  0x401e1f13 in php_execute_script (primary_file=0xbffff6b0)
    at /home/work/httpd/php-4.3.0pre2/main/main.c:1542
#8  0x40231f36 in apache_php_module_main (r=0x812ff2c, display_source_mode=0)
    at /home/work/httpd/php-4.3.0pre2/sapi/apache/sapi_apache.c:55
#9  0x40232e00 in send_php (r=0x812ff2c, display_source_mode=0,
    filename=0x813093c "/usr/local/apache/htdocs/php/samples/session/bug.phtml")
    at /home/work/httpd/php-4.3.0pre2/sapi/apache/mod_php4.c:556
#10 0x40232e6d in send_parsed_php (r=0x812ff2c)
    at /home/work/httpd/php-4.3.0pre2/sapi/apache/mod_php4.c:571
#11 0x0806a7bb in ap_invoke_handler ()
#12 0x0807f723 in process_request_internal ()
#13 0x0807f784 in ap_process_request ()
#14 0x080765c1 in child_main ()
#15 0x0807682f in make_child ()
#16 0x08076bac in perform_idle_server_maintenance ()
#17 0x08077181 in standalone_main ()
#18 0x080777bb in main ()
#19 0x42017589 in __libc_start_main () from /lib/i686/libc.so.6


Previous Comments:
------------------------------------------------------------------------

[2002-11-11 19:35:46] [EMAIL PROTECTED]

Sorry... My English is weak...

This problem has appeared on 3 different machines (all x86).

# /usr/local/apache/bin/apachectl start
(without -X)
# sh loop.sh
# tail -f /usr/local/apache/logs/error_log

---
With /usr/local/apache/bin/httpd -X the segmentation fault did not
occur, so php_error(E_WARNING, ...) was added to mod_mm.c and the state
was observed with "tail -f /usr/local/apache/logs/error_log".

example.
static ps_sd *ps_sd_lookup(ps_mm *data, const char *key, int rw)
{
        php_uint32 hv, slot;
        ps_sd *ret, *prev;
+       pid_t pid = getpid();


        hv = ps_sd_hash(key, strlen(key));
        slot = hv & data->hash_max;
+       php_error(E_WARNING, "pid[%d] hv:%x key:%x slot:%x", pid, hv,
key, slot); 

        for (prev = NULL, ret = data->hash[slot]; ret; prev = ret, ret
= ret->next)
                   :
                   :
                   :
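
Review bot: in the added php_error() call, key is declared const char * in the function signature but is passed to a %x conversion, so the warning logs the pointer's numeric value instead of the session id being looked up. Use %s for key, e.g. "pid[%d] hv:%x key:%s slot:%x", so each warning can be matched against the PHPSESSID value sent by loop.sh and against the key="136" shown in the backtrace. pid is a pid_t; cast it to int before handing it to %d.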

------------------------------------------------------------------------

[2002-11-11 09:56:46] [EMAIL PROTECTED]

So what is the 'problem' you think there is?
(works fine here (tm))


------------------------------------------------------------------------

[2002-11-11 07:30:52] [EMAIL PROTECTED]

This problem does not appear with "/usr/local/apache/bin/httpd -X".

I think that is because Apache is single task...

------------------------------------------------------------------------

[2002-11-11 06:55:23] [EMAIL PROTECTED]

Thank you for this bug report. To properly diagnose the problem, we
need a backtrace to see what is happening behind the scenes. To
find out how to generate a backtrace, please read
http://bugs.php.net/bugs-generating-backtrace.php

Once you have generated a backtrace, please submit it to this bug
report and change the status back to "Open". Thank you for helping
us make PHP better.

------------------------------------------------------------------------

[2002-11-11 06:44:58] [EMAIL PROTECTED]

OS: RedHat7.3(Intel)
PHP: 4.2.2, 4.2.3, 4.3.0-pre2
Apache: 1.3.26, 1.3.27
libmm: 1.1.3(RPM), 1.2.1(tar.gz)


Apache:
# ./configure --enable-module=so ...

PHP:
# ./configure --with-apxs=/usr/local/apache/bin/apxs --with-mm .....
# cp php.ini-recommended /usr/local/lib/php.ini
# vi /usr/local/lib/php.ini
session.save_handler = files -> session.save_handler = mm


bug.php
-------
<?php
 session_start();
?>
.
-------

loop.sh
-------
#!/bin/bash

# Request bug.php 2000 times, each with a different numeric session id.
for ((i = 0; i < 2000; ++i)); do
    wget -O - "http://localhost/bug.php?PHPSESSID=$i"
done
-------

# sh loop.sh
..... wait a few minutes

# tail -f /usr/local/apache/logs/error_log
                     :  
[Tue Oct 22 20:50:59 2002] [notice] child pid 26434 exit signal Segmentation fault (11)
                     :
                     :

Is this a bug?

I think so.
"ext/session/mod_mm.c: ps_sd_lookup()" has a problem.

------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=20358&edit=1
