ID:               40926
 Comment by:       milan dot pikula at ipsec dot info
 Reported By:      seanius at debian dot org
 Status:           Assigned
 Bug Type:         PostgreSQL related
 Operating System: Debian GNU/Linux
 PHP Version:      5.2.1
 Assigned To:      yohgaki
 New Comment:

Hello, I didn't read the sources or study them thoroughly, but I don't
think it's a matter of a callback jumping to an invalid address.

I started the CLI php with the dmalloc library preloaded and found a
problem in libpq, which calls free() on some invalid pointer or
previously deallocated memory. There is no symbol related to any
callback in the stack backtrace.

Also, the problem persists regardless of module loading order; it
just doesn't show up without the dmalloc library in some cases.


*** glibc detected *** php: free(): invalid pointer: 0xb6e23380 ***
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6[0xb7a187cd]
/lib/tls/i686/cmov/libc.so.6(cfree+0x90)[0xb7a1be30]
/usr/lib/libpq.so.5[0xb7149dfa]
/usr/lib/libpq.so.5[0xb714a6d3]
/usr/lib/libpq.so.5(PQconnectStart+0x1a)[0xb714b04a]
/usr/lib/libpq.so.5(PQconnectdb+0x22)[0xb714b0a2]
/usr/lib/php5/20060613+lfs/pgsql.so[0xb713d31f]
php[0x82da470]
php(execute+0x188)[0x82d93e8]
php(zend_execute_scripts+0x84)[0x82b8924]
php(php_execute_script+0x246)[0x8270a46]
php(main+0xf09)[0x8348fd9]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xdc)[0xb79c6ebc]
php[0x8096191]
======= Memory map: ========
08048000-0854e000 r-xp 00000000 09:00 637820 /usr/bin/php5
0854e000-08583000 rw-p 00505000 09:00 637820 /usr/bin/php5
08583000-085a9000 rw-p 08583000 00:00 0 [heap]
b6d6c000-b6d77000 r-xp 00000000 09:00 669427 /lib/libgcc_s.so.1
b6d77000-b6d78000 rw-p 0000a000 09:00 669427 /lib/libgcc_s.so.1
b6d82000-b6d83000 rwxp b6d82000 00:00 0
b6d83000-b6d84000 rw-p b6d83000 00:00 0
b6d84000-b6f13000 rwxp b6d84000 00:00 0
b6f13000-b6f1c000 r-xp 00000000 09:00 686412 /lib/tls/i686/cmov/libnss_files-2.5.so
b6f1c000-b6f1e000 rw-p 00008000 09:00 686412 /lib/tls/i686/cmov/libnss_files-2.5.so
b6f1e000-b6f3b000 rwxp b6f1e000 00:00 0
b6f3b000-b6f3e000 r-xp 00000000 09:00 638515 /usr/lib/libgpg-error.so.0.3.0
b6f3e000-b6f3f000 rw-p 00002000 09:00 638515 /usr/lib/libgpg-error.so.0.3.0
b6f3f000-b6f8e000 r-xp 00000000 09:00 638462 /usr/lib/libgcrypt.so.11.2.2
b6f8e000-b6f90000 rw-p 0004e000 09:00 638462 /usr/lib/libgcrypt.so.11.2.2
b6f90000-b6fc3000 r-xp 00000000 09:00 638730 /usr/lib/libxslt.so.1.1.20
b6fc3000-b6fc4000 rw-p 00032000 09:00 638730 /usr/lib/libxslt.so.1.1.20
b6fc4000-b6fd4000 r-xp 00000000 09:00 638441 /usr/lib/libexslt.so.0.8.13
b6fd4000-b6fd5000 rw-p 0000f000 09:00 638441 /usr/lib/libexslt.so.0.8.13
b6fd5000-b6fdf000 rwxp b6fd5000 00:00 0
b6fdf000-b70eb000 r-xp 00000000 09:00 638662 /usr/lib/librecode.so.0.0.0
b70eb000-b7119000 rw-p 0010b000 09:00 638662 /usr/lib/librecode.so.0.0.0
b7119000-b711b000 rwxp b7119000 00:00 0
b711b000-b711d000 rwxp b711b000 00:00 0
b711d000-b7123000 r-xp 00000000 09:00 753044 /usr/lib/php5/20060613+lfs/xsl.so
b7123000-b7124000 rw-p 00005000 09:00 753044 /usr/lib/php5/20060613+lfs/xsl.so
b7124000-b7126000 r-xp 00000000 09:00 753041 /usr/lib/php5/20060613+lfs/recode.so
b7126000-b7127000 rw-p 00001000 09:00 753041 /usr/lib/php5/20060613+lfs/recode.so
b7127000-b712a000 rwxp b7127000 00:00 0
b712a000-b7141000 r-xp 00000000 09:00 753040 /usr/lib/php5/20060613+lfs/pgsql.so
b7141000-b7142000 rw-p 00017000 09:00 753040 /usr/lib/php5/20060613+lfs/pgsql.so
b7142000-b715e000 r-xp 00000000 09:00 638656 /usr/lib/libpq.so.5.0
b715e000-b715f000 rw-p 0001c000 09:00 638656 /usr/lib/libpq.so.5.0
b715f000-b7169000 rwxp b715f000 00:00 0
b7169000-b716f000 r-xp 00000000 09:00 753039 /usr/lib/php5/20060613+lfs/pdo_pgsql.so
b716f000-b7170000 rw-p 00005000 09:00 753039 /usr/lib/php5/20060613+lfs/pdo_pgsql.so
b7170000-b7171000 rwxp b7170000 00:00 0
b7171000-b7177000 r-xp 00000000 09:00 753038 /usr/lib/php5/20060613+lfs/pdo_mysql.so
b7177000-b7178000 rw-p 00005000 09:00 753038 /usr/lib/php5/20060613+lfs/pdo_mysql.so
b7178000-b718a000 r-xp 00000000 09:00 753037 /usr/lib/php5/20060613+lfs/pdo.so
b718a000-b718c000 rw-p 00012000 09:00 753037 /usr/lib/php5/20060613+lfs/pdo.so
b718c000-b7193000 rwxp b718c000 00:00 0
b7193000-b71aa000 r-xp 00000000 09:00 753036 /usr/lib/php5/20060613+lfs/mysqli.so
b71aa000-b71ac000 rw-p 00017000 09:00 753036 /usr/lib/php5/20060613+lfs/mysqli.so
b71ac000-b7348000 r-xp 00000000 09:00 638610 /usr/lib/libmysqlclient.so.15.0.0
b7348000-b738c000 rw-p 0019c000 09:00 638610 /usr/lib/libmysqlclient.so.15.0.0
b738c000-b738d000 rw-p b738c000 00:00 0
b738d000-b7397000 rwxp b738d000 00:00 0
b7397000-b73a2000 r-xp 00000000 09:00 753035 /usr/lib/php5/20060613+lfs/mysql.so
b73a2000-b73a3000 rw-p 0000a000 09:00 753035 /usr/lib/php5/20060613+lfs/mysql.so
b73a3000-b73b6000 r-xp 00000000 09:00 686417 /lib/tls/i686/cmov/libpthread-2.5.so
b73b6000-b73b8000 rw-p 00013000 09:00 686417 /lib/tls/i686/cmov/libpthread-2.5.so
b73b8000-b73ba000 rw-p b73b8000 00:00 0
b73ba000-b73d8000 r-xp 00000000 09:00 638440 /usr/lib/libexpat.so.1.0.0
b73d8000-b73da000 rw-p 0001d000 09:00 638440 /usr/lib/libexpat.so.1.0.0
b73da000-b73de000 r-xp 00000000 09:00 638347 /usr/lib/libXdmcp.so.6.0.0
b73de000-b73df000 rw-p 00003000 09:00 638347 /usr/lib/libXdmcp.so.6.0.0
b73df000-b73e1000 r-xp 00000000 09:00 638342 /usr/lib/libXau.so.6.0.0
b73e1000-b73e2000 rw-p 00001000 09:00 638342 /usr/lib/libXau.so.6.0.0
b73e2000-b7405000 r-xp 00000000 09:00 638443 /usr/lib/libfontconfig.so.1.2.0
b7405000-b740d000 rw-p 00023000 09:00 638443 /usr/lib/libfontconfig.so.1.2.0
b740d000-b742b000 r-xp 00000000 09:00 638579 /usr/lib/libjpeg.so.62.0.0
b742b000-b742c000 rw-p 0001d000 09:00 638579 /usr/lib/libjpeg.so.62.0.0
b742c000-b744e000 r-xp 00000000 09:00 638651 /usr/lib/libpng12.so.0.15.0
b744e000-b744f000 rw-p 00021000 09:00 638651 /usr/lib/libpng12.so.0.15.0
b744f000-b745e000 r-xp 00000000 09:00 638358 /usr/lib/libXpm.so.4.11.0
b745e000-b745f000 rw-p 0000f000 09:00 638358 /usr/lib/libXpm.so.4.11.0
b745f000-b754c000 r-xp 00000000 09:00 638339 /usr/lib/libX11.so.6.2.0
b754c000-b7550000 rw-p 000ed000 09:00 638339 /usr/lib/libX11.so.6.2.0
b7550000-b75b8000 r-xp 00000000 09:00 638449 /usr/lib/libfreetype.so.6.3.10
b75b8000-b75bb000 rw-p 00068000 09:00 638449 /usr/lib/libfreetype.so.6.3.10
b75bb000-b75f5000 r-xp 00000000 09:00 638699 /usr/lib/libt1.so.5.1.0
b75f5000-b75f9000 rw-p 00039000 09:00 638699 /usr/lib/libt1.so.5.1.0
b75f9000-b760e000 rw-p b75f9000 00:00 0
b760e000-b762c000 r-xp 00000000 09:00 638463 /usr/lib/libgd.so.2.0.34
b762c000-b764c000 rw-p 0001d000 09:00 638463 /usr/lib/libgd.so.2.0.34
b764c000-b7660000 rw-p b764c000 00:00 0
b7660000-b7676000 r-xp 00000000 09:00 753033 /usr/lib/php5/20060613+lfs/gd.so
b7676000-b767a000 rw-p 00015000 09:00 753033 /usr/lib/php5/20060613+lfs/gd.so
b767a000-b76a9000 r-xp 00000000 09:00 638572 /usr/lib/libidn.so.11.5.19
b76a9000-b76aa000 rw-p 0002f000 09:00 638572 /usr/lib/libidn.so.11.5.19
b76aa000-b76de000 r-xp 00000000 09:00 638408 /usr/lib/libcurl.so.3.0.0
b76de000-b76df000 rw-p 00034000 09:00 638408 /usr/lib/libcurl.so.3.0.0
b76df000-b76e9000 rwxp b76df000 00:00 0
b76e9000-b76f6000 r-xp 00000000 09:00 753032 /usr/lib/php5/20060613+lfs/curl.so
b76f6000-b76f7000 rw-p 0000d000 09:00 753032 /usr/lib/php5/20060613+lfs/curl.so
b76f7000-b76fc000 r-xp 00000000 09:00 638593 /usr/lib/libltdl.so.3.1.4
b76fc000-b76fd000 rw-p 00004000 09:00 638593 /usr/lib/libltdl.so.3.1.4
b76fd000-b7722000 r-xp 00000000 09:00 638598 /usr/lib/libmcrypt.so.4.4.7
b7722000-b7724000 rw-p 00025000 09:00 638598 /usr/lib/libmcrypt.so.4.4.7
b7724000-b772a000 rw-p b7724000 00:00 0
b772a000-b7734000 rwxp b772a000 00:00 0
b7734000-b773c000 r-xp 00000000 09:00 753034 /usr/lib/php5/20060613+lfs/mcrypt.so
b773c000-b773d000 rw-p 00007000 09:00 753034 /usr/lib/php5/20060613+lfs/mcrypt.so
b773d000-b77d2000 rwxp b773d000 00:00 0
b77d2000-b77d7000 rwxp b77d2000 00:00 0
b77d7000-b77de000 r--s 00000000 09:00 81894 /usr/lib/gconv/gconv-modules.cache
b77de000-b7819000 r--p 00000000 09:00 703513 /usr/lib/locale/en_US.utf8/LC_CTYPE
b7819000-b7868000 rwxp b7819000 00:00 0
b7868000-b786a000 rw-p b7868000 00:00 0
b786a000-b786d000 r-xp 00000000 09:00 638584 /usr/lib/libkrb5support.so.0.0
b786d000-b786e000 rw-p 00003000 09:00 638584 /usr/lib/libkrb5support.so.0.0
b786e000-b786f000 rw-p b786e000 00:00 0
b786f000-b7999000 r-xp 00000000 09:00 703156 /usr/lib/i686/cmov/libcrypto.so.0.9.8
b7999000-b79ad000 rw-p 00129000 09:00 703156 /usr/lib/i686/cmov/libcrypto.so.0.9.8
b79ad000-b79b1000 rw-p b79ad000 00:00 0
b79b1000-b7aec000 r-xp 00000000 09:00 686403 /lib/tls/i686/cmov/libc-2.5.so
b7aec000-b7aed000 r--p 0013b000 09:00 686403 /lib/tls/i686/cmov/libc-2.5.so
b7aed000-b7aef000 rw-p 0013c000 09:00 686403 /lib/tls/i686/cmov/libc-2.5.so
b7aef000-b7af2000 rw-p b7aef000 00:00 0
b7af2000-b7c09000 r-xp 00000000 09:00 638728 /usr/lib/libxml2.so.2.6.27
b7c09000-b7c0f000 rw-p 00116000 09:00 638728 /usr/lib/libxml2.so.2.6.27
b7c0f000-b7c11000 r-xp 00000000 09:00 669404 /lib/libcom_err.so.2.1
b7c11000-b7c12000 rw-p 00001000 09:00 669404 /lib/libcom_err.so.2.1
b7c12000-b7c36000 r-xp 00000000 09:00 638580 /usr/lib/libk5crypto.so.3.0
b7c36000-b7c37000 rw-p 00024000 09:00 638580 /usr/lib/libk5crypto.so.3.0
b7c37000-b7cb2000 r-xp 00000000 09:00 638583 /usr/lib/libkrb5.so.3.2
b7cb2000-b7cb4000 rw-p 0007b000 09:00 638583 /usr/lib/libkrb5.so.3.2
b7cb4000-b7cb5000 rw-p b7cb4000 00:00 0
b7cb5000-b7cd0000 r-xp 00000000 09:00 638525 /usr/lib/libgssapi_krb5.so.2.2
b7cd0000-b7cd1000 rw-p 0001b000 09:00 638525 /usr/lib/libgssapi_krb5.so.2.2
b7cd1000-b7ce4000 r-xp 00000000 09:00 686409 /lib/tls/i686/cmov/libnsl-2.5.so
b7ce4000-b7ce6000 rw-p 00012000 09:00 686409 /lib/tls/i686/cmov/libnsl-2.5.so
b7ce6000-b7ce8000 rw-p b7ce6000 00:00 0
b7ce8000-b7cea000 r-xp 00000000 09:00 686406 /lib/tls/i686/cmov/libdl-2.5.so
b7cea000-b7cec000 rw-p 00001000 09:00 686406 /lib/tls/i686/cmov/libdl-2.5.so
b7cec000-b7d11000 r-xp 00000000 09:00 686407 /lib/tls/i686/cmov/libm-2.5.so
b7d11000-b7d13000 rw-p 00024000 09:00 686407 /lib/tls/i686/cmov/libm-2.5.so
b7d13000-b7d22000 r-xp 00000000 09:00 686418 /lib/tls/i686/cmov/libresolv-2.5.so
b7d22000-b7d24000 rw-p 0000f000 09:00 686418 /lib/tls/i686/cmov/libresolv-2.5.so
b7d24000-b7d26000 rw-p b7d24000 00:00 0
b7d26000-b7d45000 r-xp 00000000 09:00 638644 /usr/lib/libpcre.so.3.12.0
b7d45000-b7d46000 rw-p 0001f000 09:00 638644 /usr/lib/libpcre.so.3.12.0
b7d46000-b7d47000 rw-p b7d46000 00:00 0
b7d47000-b7d56000 r-xp 00000000 09:00 669399 /lib/libbz2.so.1.0.3
b7d56000-b7d57000 rw-p 0000f000 09:00 669399 /lib/libbz2.so.1.0.3
b7d57000-b7e52000 r-xp 00000000 09:00 638413 /usr/lib/libdb-4.4.so
b7e52000-b7e55000 rw-p 000fb000 09:00 638413 /usr/lib/libdb-4.4.so
b7e55000-b7e91000 r-xp 00000000 09:00 703157 /usr/lib/i686/cmov/libssl.so.0.9.8
b7e91000-b7e95000 rw-p 0003b000 09:00 703157 /usr/lib/i686/cmov/libssl.so.0.9.8
b7e95000-b7ecf000 r-xp 00000000 09:00 669432 /lib/libncurses.so.5.5
b7ecf000-b7ed8000 rw-p 00039000 09:00 669432 /lib/libncurses.so.5.5
b7ed8000-b7eda000 r-xp 00000000 09:00 638634 /usr/lib/libpanel.so.5.5
b7eda000-b7edb000 rw-p 00001000 09:00 638634 /usr/lib/libpanel.so.5.5
b7edb000-b7eee000 r-xp 00000000 09:00 638731 /usr/lib/libz.so.1.2.3
b7eee000-b7eef000 rw-p 00012000 09:00 638731 /usr/lib/libz.so.1.2.3
b7eef000-b7ef0000 rw-p b7eef000 00:00 0
b7ef0000-b7ef5000 r-xp 00000000 09:00 686405 /lib/tls/i686/cmov/libcrypt-2.5.so
b7ef5000-b7ef7000 rw-p 00004000 09:00 686405 /lib/tls/i686/cmov/libcrypt-2.5.so
b7ef7000-b7f1e000 rw-p b7ef7000 00:00 0
b7f1e000-b7f28000 rwxp b7f1e000 00:00 0
b7f28000-b7f35000 r-xp 00000000 09:00 639024 /usr/lib/libdmalloc.so.4.8.2
b7f35000-b7f36000 rw-p 0000c000 09:00 639024 /usr/lib/libdmalloc.so.4.8.2
b7f36000-b7faa000 rw-p b7f36000 00:00 0
b7faa000-b7fc3000 r-xp 00000000 09:00 669391 /lib/ld-2.5.so
b7fc3000-b7fc5000 rw-p 00019000 09:00 669391 /lib/ld-2.5.so
bf975000-bf98b000 rw-p bf975000 00:00 0 [stack]
ffffe000-fffff000 r-xp 00000000 00:00 0 [vdso]
Aborted (core dumped)

Previously I reported it here: 

https://bugs.launchpad.net/ubuntu/+source/php5/+bug/63141/comments/5


Previous Comments:
------------------------------------------------------------------------

[2007-03-26 22:00:20] [EMAIL PROTECTED]

Assigned to the maintainer.
See also bug #36152.

------------------------------------------------------------------------

[2007-03-26 21:42:29] seanius at debian dot org

Description:
------------
Note that this might not be a bug in php, but php is certainly affected
by it, so it's worth at least a bogus entry in your db so other people
can google their way to it.

If you compile curl and pgsql as shared extensions and then load them
in the same order from php.ini, any script that establishes a postgres
connection will result in a segfault before the script quits.

The problem seems to be that the postgresql libpq library registers a
callback function (pq_lockingcallback) for openssl-related locking.
Around exit time, when php unloads the various extensions, if any
modules reference openssl routines in their shutdown methods that
indirectly call openssl locking routines, the ssl library will try to
call the callback function, which now points at invalid memory since the
libpq library has already been dlclose()'d somewhere. If it's been
closed directly by php (you guys would know better than me) then I'd say
it's a php bug, but if it's closed indirectly by some pq shutdown
routine, then you're just innocent victims.

Anyway, there's a pretty simple workaround for the time being. If you
reverse the module loading order so that pgsql is loaded first (and
thus unloaded last by the current php engine), then the callback
function never references invalid memory and no segfault happens.

By the way, this was reported a couple of times in the debian bts; most
of the information can be found at

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=411982

(this is for 5.2.0, but I've verified it against the latest 5.2.1 as
well)

Also, I found #36152 in your bts after writing this up, but it seems
that was marked closed in 2006. I think the suggestion in there about
overriding libpq's callbacks with your own would probably be the most
appropriate if possible.

Reproduce code:
---------------
<?php

// Reproduction for this report: curl.so is loaded before pgsql.so in
// php.ini, so pgsql.so (and with it libpq) is unloaded first at shutdown.
// The connection attempt below is what makes libpq initialise OpenSSL
// and register its locking callback; as the actual result shows, the
// crash happens whether or not the connection succeeds.

$conn_string = "host=localhost dbname=data user=user password=pword";
$dbconn = pg_connect($conn_string);
$query = "SELECT count(1) FROM table";
$result = pg_query($dbconn, $query);
pg_close($dbconn);

// The script itself finishes here; the segfault occurs afterwards, during
// module shutdown (see the gdb backtrace under "Actual result").

?>




Expected result:
----------------
either a successful connection or error messages about a failed
connection

Actual result:
--------------
the expected errors/success, followed by a segfault:

copelandia[~]23:30:08$ php foo.php

Warning: pg_connect(): Unable to connect to PostgreSQL server: FATAL: 
password authentication failed for user "user" in /home/seanius/foo.php
on line 6

Warning: pg_query(): supplied argument is not a valid PostgreSQL link
resource in /home/seanius/foo.php on line 8

Warning: pg_close(): supplied argument is not a valid PostgreSQL link
resource in /home/seanius/foo.php on line 9

zsh: segmentation fault  php foo.php

(gdb) bt
#0  0x00002b71ee8889a0 in ?? ()
#1  0x00002b71edf446df in int_err_del () at err.c:353
#2  0x00002b71ee4e9ef9 in Curl_ossl_cleanup ()
at ../../../lib/ssluse.c:580
#3  0x00002b71ee4f93e2 in Curl_ssl_cleanup ()
at ../../../lib/sslgen.c:185
#4  0x00002b71ee4f2233 in curl_global_cleanup ()
at ../../../lib/easy.c:294
#5  0x00002b71ee3a3699 in zm_shutdown_curl (type=9, module_number=1)
    at /tmp/buildd/php5-5.2.0/ext/curl/interface.c:668
...

where 0x00002b71ee8889a0 was formerly the address of the above-mentioned
locking callback function



------------------------------------------------------------------------
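An added example (not from the bug report, and not PHP's, libpq's or OpenSSL's code) that models the shutdown-time failure described above and the two remedies discussed in this thread: the library that registered the locking callback restoring the previous one before it is unloaded, and the host overriding the callback with its own as #36152 suggests. The toy_crypto_* functions stand in for OpenSSL 0.9.8's CRYPTO_set_locking_callback(), CRYPTO_get_locking_callback() and CRYPTO_lock(); the pq_* and host_* names are illustrative only. It models just the lifetime of the callback pointer, not dlclose() itself, so the dangling case is reported rather than crashed.

```c
/* Added example: models a locking-callback pointer outliving the module
 * that registered it.  toy_crypto_* imitates the OpenSSL 0.9.8 locking
 * API; pq_* and host_* are illustrative, not libpq/PHP code. */
#include <stddef.h>
#include <stdio.h>

#define TOY_CRYPTO_LOCK   1      /* same meaning as OpenSSL's CRYPTO_LOCK */
#define TOY_CRYPTO_UNLOCK 2
#define TOY_NUM_LOCKS     4

typedef void (*locking_cb_t)(int mode, int n, const char *file, int line);

/* The global slot OpenSSL keeps for the application-supplied callback. */
static locking_cb_t locking_cb = NULL;

void toy_crypto_set_locking_callback(locking_cb_t cb) { locking_cb = cb; }
locking_cb_t toy_crypto_get_locking_callback(void) { return locking_cb; }

/* Stand-in for CRYPTO_lock(): the indirect call made from int_err_del()
 * in the report's backtrace.  If the callback's code has already been
 * unmapped by dlclose(), this is where the real process faults. */
void toy_crypto_lock(int mode, int n)
{
    if (locking_cb)
        locking_cb(mode, n, __FILE__, __LINE__);
}

/* ---- "libpq": the module that installs the callback ----------------- */

static int pq_held[TOY_NUM_LOCKS];      /* toy lock state, no real mutexes */
static int pq_calls;                    /* how often our callback ran */
static locking_cb_t pq_saved_cb;        /* callback installed before ours */

static void pq_lockingcallback(int mode, int n, const char *file, int line)
{
    (void)file; (void)line;
    pq_calls++;
    if (mode & TOY_CRYPTO_LOCK)
        pq_held[n]++;
    else
        pq_held[n]--;
}

/* Like an SSL-enabled client library's init: register ourselves, but
 * remember whatever callback was there before. */
void pq_init_ssl(void)
{
    pq_saved_cb = toy_crypto_get_locking_callback();
    toy_crypto_set_locking_callback(pq_lockingcallback);
}

/* The step whose absence the report describes: before our text segment
 * goes away, put the previous callback back so OpenSSL no longer points
 * at pq_lockingcallback. */
void pq_destroy_ssl(void)
{
    if (toy_crypto_get_locking_callback() == pq_lockingcallback)
        toy_crypto_set_locking_callback(pq_saved_cb);
}

/* ---- "PHP": the host that loads and later dlclose()s the module ------ */

static int host_calls;
static void host_lockingcallback(int mode, int n, const char *file, int line)
{
    (void)mode; (void)n; (void)file; (void)line;
    host_calls++;
}

/* Simulates: load pgsql.so (pq_init_ssl), connect, unload it, then run
 * curl's shutdown (toy_crypto_lock).  Returns 1 if the callback slot still
 * points into the unloaded module, i.e. the real program would jump to
 * unmapped memory exactly as in the gdb trace.
 *   mode 0: unload without cleanup (the reported behaviour)
 *   mode 1: module restores the previous callback before unload
 *   mode 2: host installs its own callback after loading modules */
int callback_dangles(int mode)
{
    int i;
    locking_cb = NULL; pq_calls = 0; host_calls = 0;
    for (i = 0; i < TOY_NUM_LOCKS; i++) pq_held[i] = 0;

    pq_init_ssl();                          /* pgsql.so loaded, libpq init */
    if (mode == 2)
        toy_crypto_set_locking_callback(host_lockingcallback);

    toy_crypto_lock(TOY_CRYPTO_LOCK, 0);    /* the connection attempt */
    toy_crypto_lock(TOY_CRYPTO_UNLOCK, 0);

    if (mode == 1)
        pq_destroy_ssl();
    /* dlclose(pgsql.so) would happen here; only the pointer is modelled. */

    if (toy_crypto_get_locking_callback() == pq_lockingcallback)
        return 1;                           /* curl's cleanup would crash */
    toy_crypto_lock(TOY_CRYPTO_LOCK, 1);    /* curl_global_cleanup path */
    toy_crypto_lock(TOY_CRYPTO_UNLOCK, 1);
    return 0;
}

int pq_callback_calls(void) { return pq_calls; }
int host_callback_calls(void) { return host_calls; }

int main(void)
{
    printf("no cleanup      -> dangling: %d\n", callback_dangles(0));
    printf("module restores -> dangling: %d\n", callback_dangles(1));
    printf("host overrides  -> dangling: %d\n", callback_dangles(2));
    return 0;
}
```

Mode 2 is the cheaper fix from the host's point of view, since it does not depend on every client library cleaning up after itself, which is why it maps onto the "override libpq's callbacks with your own" suggestion; mode 1 is what the library itself would need to do so that the module loading order stops mattering.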

