Bug #52797 [Com]: crash because of double free

2011-01-29 Thread hossy421 at yahoo dot co dot jp
Edit report at http://bugs.php.net/bug.php?id=52797&edit=1

 ID: 52797
 Comment by: hossy421 at yahoo dot co dot jp
 Reported by:hossy421 at yahoo dot co dot jp
 Summary:crash because of double free
 Status: Feedback
 Type:   Bug
 Package:Reproducible crash
 Operating System:   FreeBSD 7.3-RELEASE-p2
 PHP Version:5.3.3
 Block user comment: N
 Private report: N

 New Comment:

The patch is not applied to the latest snapshot.

I believe the problem is still there.


Previous Comments:

[2011-01-29 11:31:48] fel...@php.net

Please try using this snapshot:

  http://snaps.php.net/php5.3-latest.tar.gz

For Windows:

  http://windows.php.net/snapshots/


[2010-09-08 15:18:45] hossy421 at yahoo dot co dot jp

Description:

httpd (Apache 2.2) crashes with the messages below.

> pid X(httpd), uid 80: exited on signal 11

X is the process id of a httpd child process.

Test script:
---
Independent of script.

httpd is crashed by any script, for example PukiWiki.

Expected result:

All scripts will run without any error.

Actual result:
--
I've compiled PHP with the --enable-debug option.

PHP crashes with the message below.

> ---
> Zend/zend_language_scanner.l(704) : Block 0x28f9871c status:
> Beginning:  Freed
> Start:  OK
>   End:  Overflown (magic=0x003C instead of 0xC5F842B3)
> At least 4 bytes overflown
> ---

Zend/zend_language_scanner.l(704) is the code below.

> efree(SCNG(script_org));

`SCNG(script_org)' is saved by the `zend_save_lexical_state()' function
and restored by the `zend_restore_lexical_state()' function.

`SCNG(script_org)' is an `unsigned char*', but only the pointer is saved
and restored, not the string it points to.

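The save/restore hazard described in the report above, as an added example that is not part of the bug thread or of PHP's source: a shallow copy of an owned pointer beside an ownership-transferring copy, with a constructed tracking free() that flags the second free instead of corrupting the heap. The names script_org, save_lexical_state_shallow, save_lexical_state_owned and restore_lexical_state are simplified stand-ins for the engine's, and the ownership discipline shown is illustrative, not PHP's actual fix.

```c
#include <stdlib.h>

/* Added example, not PHP's code: the save/restore pattern from the report,
 * reduced to stand-alone C with a tracking free() that reports a double free
 * instead of corrupting the heap. Names mirror SCNG(script_org) and
 * zend_save/restore_lexical_state() but are simplified stand-ins. */
#define MAX_TRACKED 16
static void *freed[MAX_TRACKED];
static int nfreed;
/* Returns 1 if p was already freed (double free), 0 otherwise. */
static int tracked_free(void *p)
{
    int i;
    if (!p) return 0;
    for (i = 0; i < nfreed; i++)
        if (freed[i] == p) return 1;   /* second free of the same block */
    if (nfreed < MAX_TRACKED) freed[nfreed++] = p;
    free(p);
    return 0;
}
struct lex_state { unsigned char *script_org; };
static struct lex_state scanner;   /* stands in for the SCNG(...) globals */
/* Shallow save, as the report describes: the pointer is copied, not the buffer. */
static void save_lexical_state_shallow(struct lex_state *saved) { *saved = scanner; }

/* One ownership discipline that avoids the double free (illustrative, not
 * PHP's fix): the saved copy takes the buffer, the live scanner drops it. */
static void save_lexical_state_owned(struct lex_state *saved)
{
    *saved = scanner;
    scanner.script_org = NULL;
}
static void restore_lexical_state(const struct lex_state *saved) { scanner = *saved; }

/* save -> scanner tears down (the efree at zend_language_scanner.l(704)) ->
 * restore -> caller tears down. Returns 1 if a double free occurred. */
int run_scanner_cycle(int shallow)
{
    struct lex_state saved;
    int dbl;
    nfreed = 0;
    scanner.script_org = malloc(16);   /* constructed script buffer */
    if (shallow) save_lexical_state_shallow(&saved);
    else save_lexical_state_owned(&saved);
    dbl = tracked_free(scanner.script_org);
    scanner.script_org = NULL;
    restore_lexical_state(&saved);
    dbl |= tracked_free(scanner.script_org);
    scanner.script_org = NULL;
    return dbl;
}
```
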


Bug #51319 [Com]: apache process sigsegv (double free or corruption (fasttop))

2010-09-04 Thread hossy421 at yahoo dot co dot jp
Edit report at http://bugs.php.net/bug.php?id=51319&edit=1

 ID: 51319
 Comment by: hossy421 at yahoo dot co dot jp
 Reported by:idsl at cc dot com dot pl
 Summary:apache process sigsegv (double free or corruption (fasttop))
 Status: Open
 Type:   Bug
 Package:Apache related
 Operating System:   Redhat 4U4
 PHP Version:5.2.13
 Block user comment: N

 New Comment:

This is the same problem that I reported before.

apache2handler doesn't have the handler for blocking signals.

Please test the patch attached to my report.

ref. http://bugs.php.net/bug.php?id=47768


Previous Comments:

[2010-07-23 14:16:41] php-lover at bobmail dot info

The following script could be useful in reproducing the issue:

The problem is caused by the zend_timeout() signal handler; PHP currently does
unsafe operations inside it, such as calling free/malloc. A possible fix is
delaying the zend_timeout call.

[2010-03-18 08:35:49] idsl at cc dot com dot pl

Description:

Hello.

We have this problem with 5.2.12 and still with 5.2.13.

In very random situations the apache process sigsegvs with this in the error log:

*** glibc detected *** double free or corruption (fasttop): 0x88aa9300 ***

[Thu Mar 18 06:22:06 2010] [notice] seg fault or similar nasty error detected in the parent process
[Thu Mar 18 06:22:07 2010] [notice] child pid 1107 exit signal Segmentation fault (11), possible coredump in /tmp

gdb shows this:

(gdb) backtrace
#0  0x0013a2c2 in abort () from /lib/tls/libc.so.6
#1  0x0016c4ea in __libc_message () from /lib/tls/libc.so.6
#2  0x00172c6f in _int_free () from /lib/tls/libc.so.6
#3  0x00172fea in free () from /lib/tls/libc.so.6
#4  0x01287c44 in php_error_cb (type=1, error_filename=0xc36f894 "theme.php(10) : eval()'d code",
    error_lineno=9, format=0x1570b84 "Maximum execution time of %d second%s exceeded",
    args=0xa0f6195c "\036") at /tmp/php-5.2.13/main/main.c:836
#5  0x012c8b2a in zend_error (type=1,
    format=0x1570b84 "Maximum execution time of %d second%s exceeded")
    at /tmp/php-5.2.13/Zend/zend.c:976
#6  0x012bd76d in zend_timeout (dummy=27) at /tmp/php-5.2.13/Zend/zend_execute_API.c:1347
#7  
#8  0x00175030 in malloc () from /lib/tls/libc.so.6
#9  0x00179cd0 in strdup () from /lib/tls/libc.so.6
#10 0x012879e7 in php_error_cb (type=2, error_filename=0xc36f894 "theme.php(10) : eval()'d code",
    error_lineno=9, format=0x15723f4 "%s%s%s(): supplied argument is not a valid %s resource",
    args=0xa0f61d48 "ŃKT\001ŃKT\001OjT\001FŽU\001x\035ö \001") at /tmp/php-5.2.13/main/main.c:845

Lines of code from the backtrace are:

833     /* store the error if it has changed */
834     if (display) {
835         if (PG(last_error_message)) {
836             free(PG(last_error_message));
837         }
838         if (PG(last_error_file)) {
839             free(PG(last_error_file));
840         }
841         if (!error_filename) {
842             error_filename = "Unknown";
843         }
844         PG(last_error_type) = type;
845         PG(last_error_message) = strdup(buffer);
846         PG(last_error_file) = strdup(error_filename);
847         PG(last_error_lineno) = error_lineno;

Test script:
---
It's independent of scripts.

For the last 12h, on over 3 million requests, we have only 15 such errors.

Expected result:

We expected not to receive sigsegvs for apache.


#47768 [NEW]: httpd ( Apache 2.2 ) crashes of abort() in signal handler

2009-03-24 Thread hossy421 at yahoo dot co dot jp
From: hossy421 at yahoo dot co dot jp
Operating system: FreeBSD 6.3-RELEASE-p9
PHP version:  5.2.9
PHP Bug Type: Apache2 related
Bug description:  httpd ( Apache 2.2 ) crashes of abort() in signal handler

Description:

httpd (Apache 2.2) crashes with the messages below.

> httpd in free(): error: recursive call
> [notice] child pid X exit signal Abort trap (6)

X is the process id of a httpd child process.

Reproduce code:
---
Sorry, I couldn't reproduce this bug in another environment.

Actual result:
--
This is the backtrace.

Program received signal SIGABRT, Aborted.
0x2836b56f in kill () from /lib/libc.so.6
(gdb) bt
#0  0x2836b56f in kill () from /lib/libc.so.6
#1  0x2828d27b in raise () from /usr/lib/libpthread.so.2
#2  0x2836a2ab in abort () from /lib/libc.so.6
 :
#6  0x2830662c in free () from /lib/libc.so.6
#7  0x28617828 in php_error_cb (type=1,
    error_filename=0x86b1e38 "/usr/home/hossy/public_html/test.php",
    error_lineno=391,
    format=0x2874febc "Maximum execution time of %d second%s exceeded",
    args=0xbfbf7898 "\n")
    at /usr/ports/lang/php5/work/php-5.2.9/main/main.c:824
 :
#10 0x282920d3 in sigaction () from /usr/lib/libpthread.so.2
#11 
 :
#15 0x2830662c in free () from /lib/libc.so.6
#16 0x28644cb5 in zend_mm_mem_malloc_free (storage=0x80a1690, ptr=0xa81c000)
    at /usr/ports/lang/php5/work/php-5.2.9/Zend/zend_alloc.c:276
 :

1. httpd caught SIGPROF in free() because of the `max_execution_time' parameter.
2. php_error_cb() called free().
3. free() detected a `recursive call'.

In zend_mm_mem_malloc_free(), the signal is blocked by the HANDLE_BLOCK_INTERRUPTIONS
macro, but apache2handler doesn't have the function for it.

(gdb) p zend_block_interruptions
$1 = (void (*)(void)) 0
(gdb) p sapi_module
$2 = {name = 0x28759d5d "apache2handler", pretty_name = 0x28759d6c "Apache 2.0 Handler",
 :
  block_interruptions = 0, unblock_interruptions = 0,
 :
(gdb) p apache2_sapi_module
$3 = {name = 0x28759d5d "apache2handler", pretty_name = 0x28759d6c "Apache 2.0 Handler",
 :
  block_interruptions = 0, unblock_interruptions = 0,
 :

In the Japanese mailing list, I got a patch for this problem.
http://ml.php.gr.jp/pipermail/php-dev/2009-March/001453.html

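The two mitigations this thread points at (the php-lover comment's idea of deferring the timeout out of the signal handler, and the block/unblock_interruptions hooks that HANDLE_BLOCK_INTERRUPTIONS expects the SAPI to supply and that apache2handler left as NULL), as an added example that is neither the thread's patch nor PHP's code. Names such as guarded_free and run_deferred_timeout_demo are assumptions, and the raise(SIGPROF) stands in for the max_execution_time timer firing while free() is running.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not PHP's code: a timeout handler that only sets a flag
 * (no free()/malloc() as zend_error() does), plus block/unblock hooks around
 * free() such as HANDLE_BLOCK_INTERRUPTIONS expects the SAPI to provide. */
static volatile sig_atomic_t timeout_pending = 0, in_critical = 0, hit_critical = 0;
static void timeout_handler(int sig)
{
    (void)sig;
    timeout_pending = 1;                 /* async-signal-safe: a flag only */
    if (in_critical) hit_critical = 1;   /* must never happen */
}
/* What a SAPI registers as block_interruptions/unblock_interruptions. */
static sigset_t saved_mask;
static void block_interruptions(void)
{
    sigset_t s;
    sigemptyset(&s);
    sigaddset(&s, SIGPROF);
    sigprocmask(SIG_BLOCK, &s, &saved_mask);
}
static void unblock_interruptions(void) { sigprocmask(SIG_SETMASK, &saved_mask, NULL); }
/* free() guarded the way zend_mm_mem_malloc_free() guards it. */
static void guarded_free(void *p)
{
    block_interruptions();
    in_critical = 1;
    raise(SIGPROF);   /* constructed: the timer fires mid-free; it stays pending */
    free(p);
    in_critical = 0;
    unblock_interruptions();   /* the pending SIGPROF is delivered here */
}
/* Returns 0 when the timeout was deferred past free() and then observed. */
int run_deferred_timeout_demo(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = timeout_handler;
    if (sigaction(SIGPROF, &sa, NULL) != 0) return 3;
    timeout_pending = 0;
    guarded_free(malloc(64));
    if (hit_critical) return 1;          /* handler ran inside free(): unsafe */
    if (!timeout_pending) return 2;      /* timeout was lost */
    timeout_pending = 0;                 /* engine would report it safely now */
    return 0;
}
```
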
