#20358 [Com]: Apache is "Segmentation fault" by session_start() with libmm

2006-01-27 Thread temnota+php at kmv dot ru
 ID:   20358
 Comment by:   temnota+php at kmv dot ru
 Reported By:  mtak at beyondnetworks dot co dot jp
 Status:   No Feedback
 Bug Type: Session related
 Operating System: RedHat7.3
 PHP Version:  4.3.0-dev
 New Comment:

RedHat 7.3, php4-STABLE-200601271135, mm-1.4.0

Same backtrace:

(gdb) bt
#0  0x403f0e18 in ps_sd_lookup (data=0x81e4e38, 
key=0x86aa9bc "3fbf8ce3f281344252f22e0103a3ad5e", rw=0)
at /usr/src/redhat/BUILD/php-4.4.x.dev/ext/session/mod_mm.c:188
#1  0x403f1126 in ps_read_mm (mod_data=0x406847b0, 
key=0x86aa9bc "3fbf8ce3f281344252f22e0103a3ad5e", val=0xbfff813c, 
vallen=0xbfff8140)
at /usr/src/redhat/BUILD/php-4.4.x.dev/ext/session/mod_mm.c:328
#2  0x403edb3d in php_session_initialize ()
at /usr/src/redhat/BUILD/php-4.4.x.dev/ext/session/session.c:657
#3  0x403eed25 in php_session_start ()
at /usr/src/redhat/BUILD/php-4.4.x.dev/ext/session/session.c:1106
#4  0x403efe95 in zif_session_start (ht=0, return_value=0x863dcac, 
this_ptr=0x0, return_value_used=0)
at /usr/src/redhat/BUILD/php-4.4.x.dev/ext/session/session.c:1566
#5  0x44ce53c7 in zend_optimizer_set_oe_ex ()
   from
/usr/local/Zend2510/lib/Optimizer-2.5.10/php-4.4.x/ZendOptimizer.so
#6  0x44ce4a96 in zend_optimizer_set_oe_ex ()
   from
/usr/local/Zend2510/lib/Optimizer-2.5.10/php-4.4.x/ZendOptimizer.so
#7  0x44ce9795 in zend_oe ()
   from
/usr/local/Zend2510/lib/Optimizer-2.5.10/php-4.4.x/ZendOptimizer.so
#8  0x40462b6e in php_execute_script (primary_file=0xb080)
at /usr/src/redhat/BUILD/php-4.4.x.dev/main/main.c:1753
#9  0x4049ff76 in apache_php_module_main (r=0x81cc56c,
display_source_mode=0)
at
/usr/src/redhat/BUILD/php-4.4.x.dev/sapi/apache/sapi_apache.c:54
#10 0x404a094b in send_php (r=0x81cc56c, display_source_mode=0,
filename=0x0)
at /usr/src/redhat/BUILD/php-4.4.x.dev/sapi/apache/mod_php4.c:629
#11 0x404a098a in send_parsed_php (r=0x81cc56c)
at /usr/src/redhat/BUILD/php-4.4.x.dev/sapi/apache/mod_php4.c:643
#12 0x0805efab in ap_invoke_handler ()
---Type <return> to continue, or q <return> to quit---
#13 0x08076663 in process_request_internal ()
#14 0x08076ad1 in ap_internal_redirect ()
#15 0x42aa5ff0 in mod_gzip_redir1_handler (r=0x81810fc,
dconf=0x81563e4)
at mod_gzip.c:4684
#16 0x42aa42ba in mod_gzip_handler (r=0x81810fc) at mod_gzip.c:2643
#17 0x0805efab in ap_invoke_handler ()
#18 0x08076663 in process_request_internal ()
#19 0x080766c4 in ap_process_request ()
#20 0x0806bc01 in child_main ()
#21 0x0806be93 in make_child ()
#22 0x0806c210 in perform_idle_server_maintenance ()
#23 0x0806c879 in standalone_main ()
#24 0x0806cecf in main ()
#25 0x4017c1c4 in __libc_start_main () from /lib/libc.so.6


#0  0x403f0e18 in ps_sd_lookup (data=0x81e4e38,
key=0x86aa9bc "3fbf8ce3f281344252f22e0103a3ad5e", rw=0)
at /usr/src/redhat/BUILD/php-4.4.x.dev/ext/session/mod_mm.c:188
188 for (prev = NULL, ret = data->hash[slot]; ret; prev =
ret, ret = ret->next)
(gdb) Quit
(gdb) print prev
$1 = (ps_sd *) 0x0
(gdb) print ret
$2 = (ps_sd *) 0x48
(gdb) print data
$3 = (ps_mm *) 0x81e4e38
(gdb) print data[0]
$4 = {mm = 0x42cc8014, hash = 0x42cc8034, hash_max = 511, hash_cnt =
7,owner = 25922}
(gdb) print data->hash
$5 = (ps_sd **) 0x42cc8034
(gdb) print slot
$6 = 46
(gdb) print data->hash[46]
$7 = (ps_sd *) 0x48


Previous Comments:


[2003-08-15 20:46:11] [EMAIL PROTECTED]

No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Open". Thank you.

And I can't reproduce this either..(using latest CVS)




[2003-08-10 21:56:32] [EMAIL PROTECTED]

Please try using this CVS snapshot:

  http://snaps.php.net/php4-STABLE-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php4-win32-STABLE-latest.zip

After 10,000 requests I have yet to see a single crash.



[2002-11-12 06:01:38] mtak at beyondnetworks dot co dot jp

more info...

(gdb) list
182
183 hv = ps_sd_hash(key, strlen(key));
184 slot = hv & data->hash_max;
185
186 for (prev = NULL, ret = data->hash[slot]; ret; prev =
ret, ret =
 ret->next)
187 if (ret->hv == hv && !strcmp(ret->key, key))
188 break;
189
190 if (ret && rw && ret != data->hash[slot]) {
191 /* Move the entry to the top of the linked list
*/
(gdb) print key
$1 = 0x8136f2c "136"
(gdb) print hv
$2 = 1943406893
(gdb) print slot
$3 = 301
(gdb) print data->hash_max
$4 = 511
(gdb) print prev
$5 = (ps_sd *) 0x4413df00
(gdb) print ret
$6 = (ps_sd *) 0x1f
(gdb) print ret->next
Cannot access me
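
The gdb sessions in this thread show the chain walk in ps_sd_lookup dereferencing values such as 0x48 and 0x1f read from the shared-memory hash table. The block below is an added example, not PHP's mod_mm.c and not code from any poster: a simplified chain lookup that checks every pointer against the segment bounds and caps the hop count, so a damaged chain is reported instead of followed. sd_t, store_t, checked_lookup and demo are hypothetical names, and hash values are passed in rather than computed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for the ps_sd / ps_mm structures in the gdb output. */
typedef struct sd { struct sd *next; uint32_t hv; char key[40]; } sd_t;
typedef struct {
    unsigned char *base;   /* start of the shared segment */
    size_t size;           /* its length in bytes */
    sd_t **hash;           /* bucket array inside the segment */
    uint32_t hash_max;     /* bucket mask (511 in the thread, 7 here) */
} store_t;

enum { LOOKUP_FOUND, LOOKUP_MISS, LOOKUP_CORRUPT };

/* Constructed segment: 8 buckets followed by 4 node slots. */
static struct { sd_t *hash[8]; sd_t nodes[4]; } seg;

/* A chain pointer is plausible only if a whole, aligned node fits in the segment. */
static int node_in_segment(const store_t *s, const sd_t *p)
{
    uintptr_t a = (uintptr_t)p, lo = (uintptr_t)s->base;
    if (s->size < sizeof(sd_t) || a < lo || a - lo > s->size - sizeof(sd_t))
        return 0;
    return a % sizeof(void *) == 0;
}

/* Same walk as the listing in the thread, but each hop is validated first. */
static int checked_lookup(const store_t *s, uint32_t hv, const char *key, sd_t **out)
{
    size_t max_steps = s->size / sizeof(sd_t);   /* more hops than nodes fit: cycle */
    size_t steps = 0;
    sd_t *ret = s->hash[hv & s->hash_max];

    *out = NULL;
    for (; ret != NULL; ret = ret->next, steps++) {
        if (steps > max_steps || !node_in_segment(s, ret))
            return LOOKUP_CORRUPT;
        if (ret->hv == hv && strncmp(ret->key, key, sizeof ret->key) == 0) {
            *out = ret;
            return LOOKUP_FOUND;
        }
    }
    return LOOKUP_MISS;
}

/* Build a two-node chain; a non-zero planted_next overwrites the first node's
 * next pointer (constructed corruption, e.g. 0x1f as printed in the thread). */
static int demo(uintptr_t planted_next, const char *key)
{
    store_t s = { (unsigned char *)&seg, sizeof seg, seg.hash, 7 };
    sd_t *a = &seg.nodes[0], *b = &seg.nodes[1], *hit;

    memset(&seg, 0, sizeof seg);
    a->hv = 301; strcpy(a->key, "other");
    b->hv = 301; strcpy(b->key, "136");
    seg.hash[301 & 7] = a;
    a->next = planted_next ? (sd_t *)planted_next : b;
    return checked_lookup(&s, 301, key, &hit);
}

int main(void)
{
    printf("intact chain : %d\n", demo(0, "136"));
    printf("next = 0x1f  : %d\n", demo(0x1f, "136"));
    printf("self cycle   : %d\n", demo((uintptr_t)&seg.nodes[0], "136"));
    return 0;
}
```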

#20358 [Com]: Apache is "Segmentation fault" by session_start() with libmm

2003-01-06 Thread eward
 ID:   20358
 Comment by:   [EMAIL PROTECTED]
 Reported By:  [EMAIL PROTECTED]
 Status:   Verified
 Bug Type: Session related
 Operating System: RedHat7.3
 PHP Version:  4.3.0-dev
 New Comment:

Same problem here
Tried the latest snapshot no difference
Willing to produce a backtrace if necessary
Redhat 7.3
Apache 2.0.43
PHP 4.3.0 and latest snapshot
I have a Typo3 CMS and can make the segmentation fault happen on
command with the install tool.


Previous Comments:


[2002-12-16 14:37:58] [EMAIL PROTECTED]

Same problem here...
Sparc Solaris 8, php-4.2.3, apache-1.3.27



[2002-12-16 02:41:49] [EMAIL PROTECTED]

Hi,

I have experienced the same bug on my linux box with several versions
of httpd/php
Redhat7.3 PHP 4.3.2 4.3.0-pre1 4.3.0-rc1 4.3.0-rc2
Apache 1.3.27.

It can happen at any time (like 24h after launching httpd) and it then
crashes every apache child.

Obviously, the structure data->hash[slot] is not properly initialized
before entering in ps_sd_lookup, but that is quite strange !

I think it should be fixed before 4.3.0 release.



[2002-12-13 08:46:30] [EMAIL PROTECTED]

FreeBSD, Apache 1.3.27, PHP 4.2.3

#0  0x48287655 in ps_sd_destroy (data=0x811b0a0, sd=0x4c6c2354) at
mod_mm.c:168
168 for (prev = data->hash[slot]; prev->next != sd;
prev = prev->next);

(gdb) bt
#0  0x48287655 in ps_sd_destroy (data=0x811b0a0, sd=0x4c6c2354) at
mod_mm.c:168
#1  0x4828784f in ps_mm_destroy (data=0x811b0a0) at mod_mm.c:242
#2  0x48287a25 in zm_shutdown_ps_mm (type=1, module_number=11) at
mod_mm.c:293
#3  0x48231e93 in module_destructor (module=0x811c500) at
zend_API.c:1127
#4  0x482338d3 in zend_hash_destroy (ht=0x48333b80) at zend_hash.c:541
#5  0x4822ef3f in zend_shutdown () at zend.c:492
#6  0x4823c107 in php_module_shutdown () at main.c:1052
#7  0x4823c0d4 in php_module_shutdown_wrapper
(sapi_globals=0x48311880)
at main.c:1029
#8  0x48239abc in apache_php_module_shutdown_wrapper () at
mod_php4.c:800
#9  0x805003a in run_cleanups ()
#10 0x804f09f in ap_clear_pool ()
#11 0x804f100 in ap_destroy_pool ()
#12 0x804f08b in ap_clear_pool ()
#13 0x804f100 in ap_destroy_pool ()
#14 0x8059460 in clean_parent_exit ()
#15 0x805b925 in standalone_main ()
#16 0x805bd6b in main ()
#17 0x804eb0d in _start ()

(gdb) print *data
$3 = {mm = 0x4c69b414, hash = 0x4c69b434, hash_max = 511, hash_cnt =
0,
  owner = 81324}
(gdb) print *sd
$4 = {next = 0x3e0, hv = 979, ctime = 1282159212, data = 0x74656c73,
  datalen = 2087871860, alloclen = 976304755, key = "\""}
(gdb) print slot
$5 = 1282155348
(gdb) print data->hash
$6 = (ps_sd **) 0x4c69b434
(gdb) print *(data->hash)
$7 = (ps_sd *) 0x4c6c2354
(gdb) print *prev
Cannot access memory at address 0x10.



[2002-11-12 06:01:38] [EMAIL PROTECTED]

more info...

(gdb) list
182
183 hv = ps_sd_hash(key, strlen(key));
184 slot = hv & data->hash_max;
185
186 for (prev = NULL, ret = data->hash[slot]; ret; prev =
ret, ret =
 ret->next)
187 if (ret->hv == hv && !strcmp(ret->key, key))
188 break;
189
190 if (ret && rw && ret != data->hash[slot]) {
191 /* Move the entry to the top of the linked list
*/
(gdb) print key
$1 = 0x8136f2c "136"
(gdb) print hv
$2 = 1943406893
(gdb) print slot
$3 = 301
(gdb) print data->hash_max
$4 = 511
(gdb) print prev
$5 = (ps_sd *) 0x4413df00
(gdb) print ret
$6 = (ps_sd *) 0x1f
(gdb) print ret->next
Cannot access memory at address 0x1f
(gdb) print data->hash[slot]->next
$7 = (struct ps_sd *) 0x1f



[2002-11-12 05:51:51] [EMAIL PROTECTED]

Apache was re-compiled with -DBIG_SECURITY_HOLE option.
edit /usr/local/apache/conf/httpd.conf
User root
Group root
CoreDumpDirectory /tmp

# /usr/local/apache/bin/apachectl start
# sh loop.sh
# tail -f /usr/local/apache/logs/error_log
[Tue Nov 12 20:41:49 2002] [notice] child pid 23351 exit signal
Segmentation fault (11), possible coredump in /tmp

child process of apache was core dumped.

back trace

(gdb) bt
#0  0x40148a33 in ps_sd_lookup (data=0x80d4418, key=0x8136f2c "136",
rw=0)
at /home/work/httpd/php-4.3.0pre2/ext/session/mod_mm.c:187
#1  0x40148ec8 in ps_read_mm (mod_data=0x4029ea70, key=0x8136f2c
"136",
val=0xbfffd1e0, vallen=0xbfffd1dc)
at /home/work/httpd/php-4.3.0pre2/ext/session/mod_mm.c:326
#2  0x401446b9 in php_session_initialize ()
at /home/work/httpd/php-4.3.0pre2/ext/session/session.c:608
#3  0x40145864 in php_session_start ()
at /home/work/httpd/php-

#20358 [Com]: Apache is "Segmentation fault" by session_start() with libmm

2002-12-16 Thread adrieder
 ID:   20358
 Comment by:   [EMAIL PROTECTED]
 Reported By:  [EMAIL PROTECTED]
 Status:   Verified
 Bug Type: Session related
 Operating System: RedHat7.3
 PHP Version:  4.3.0-dev
 New Comment:

Same problem here...
Sparc Solaris 8, php-4.2.3, apache-1.3.27


Previous Comments:


[2002-12-16 02:41:49] [EMAIL PROTECTED]

Hi,

I have experienced the same bug on my linux box with several versions
of httpd/php
Redhat7.3 PHP 4.3.2 4.3.0-pre1 4.3.0-rc1 4.3.0-rc2
Apache 1.3.27.

It can happen at any time (like 24h after launching httpd) and it then
crashes every apache child.

Obviously, the structure data->hash[slot] is not properly initialized
before entering in ps_sd_lookup, but that is quite strange !

I think it should be fixed before 4.3.0 release.



[2002-12-13 08:46:30] [EMAIL PROTECTED]

FreeBSD, Apache 1.3.27, PHP 4.2.3

#0  0x48287655 in ps_sd_destroy (data=0x811b0a0, sd=0x4c6c2354) at
mod_mm.c:168
168 for (prev = data->hash[slot]; prev->next != sd;
prev = prev->next);

(gdb) bt
#0  0x48287655 in ps_sd_destroy (data=0x811b0a0, sd=0x4c6c2354) at
mod_mm.c:168
#1  0x4828784f in ps_mm_destroy (data=0x811b0a0) at mod_mm.c:242
#2  0x48287a25 in zm_shutdown_ps_mm (type=1, module_number=11) at
mod_mm.c:293
#3  0x48231e93 in module_destructor (module=0x811c500) at
zend_API.c:1127
#4  0x482338d3 in zend_hash_destroy (ht=0x48333b80) at zend_hash.c:541
#5  0x4822ef3f in zend_shutdown () at zend.c:492
#6  0x4823c107 in php_module_shutdown () at main.c:1052
#7  0x4823c0d4 in php_module_shutdown_wrapper
(sapi_globals=0x48311880)
at main.c:1029
#8  0x48239abc in apache_php_module_shutdown_wrapper () at
mod_php4.c:800
#9  0x805003a in run_cleanups ()
#10 0x804f09f in ap_clear_pool ()
#11 0x804f100 in ap_destroy_pool ()
#12 0x804f08b in ap_clear_pool ()
#13 0x804f100 in ap_destroy_pool ()
#14 0x8059460 in clean_parent_exit ()
#15 0x805b925 in standalone_main ()
#16 0x805bd6b in main ()
#17 0x804eb0d in _start ()

(gdb) print *data
$3 = {mm = 0x4c69b414, hash = 0x4c69b434, hash_max = 511, hash_cnt =
0,
  owner = 81324}
(gdb) print *sd
$4 = {next = 0x3e0, hv = 979, ctime = 1282159212, data = 0x74656c73,
  datalen = 2087871860, alloclen = 976304755, key = "\""}
(gdb) print slot
$5 = 1282155348
(gdb) print data->hash
$6 = (ps_sd **) 0x4c69b434
(gdb) print *(data->hash)
$7 = (ps_sd *) 0x4c6c2354
(gdb) print *prev
Cannot access memory at address 0x10.



[2002-11-12 06:01:38] [EMAIL PROTECTED]

more info...

(gdb) list
182
183 hv = ps_sd_hash(key, strlen(key));
184 slot = hv & data->hash_max;
185
186 for (prev = NULL, ret = data->hash[slot]; ret; prev =
ret, ret =
 ret->next)
187 if (ret->hv == hv && !strcmp(ret->key, key))
188 break;
189
190 if (ret && rw && ret != data->hash[slot]) {
191 /* Move the entry to the top of the linked list
*/
(gdb) print key
$1 = 0x8136f2c "136"
(gdb) print hv
$2 = 1943406893
(gdb) print slot
$3 = 301
(gdb) print data->hash_max
$4 = 511
(gdb) print prev
$5 = (ps_sd *) 0x4413df00
(gdb) print ret
$6 = (ps_sd *) 0x1f
(gdb) print ret->next
Cannot access memory at address 0x1f
(gdb) print data->hash[slot]->next
$7 = (struct ps_sd *) 0x1f



[2002-11-12 05:51:51] [EMAIL PROTECTED]

Apache was re-compiled with -DBIG_SECURITY_HOLE option.
edit /usr/local/apache/conf/httpd.conf
User root
Group root
CoreDumpDirectory /tmp

# /usr/local/apache/bin/apachectl start
# sh loop.sh
# tail -f /usr/local/apache/logs/error_log
[Tue Nov 12 20:41:49 2002] [notice] child pid 23351 exit signal
Segmentation fault (11), possible coredump in /tmp

child process of apache was core dumped.

back trace

(gdb) bt
#0  0x40148a33 in ps_sd_lookup (data=0x80d4418, key=0x8136f2c "136",
rw=0)
at /home/work/httpd/php-4.3.0pre2/ext/session/mod_mm.c:187
#1  0x40148ec8 in ps_read_mm (mod_data=0x4029ea70, key=0x8136f2c
"136",
val=0xbfffd1e0, vallen=0xbfffd1dc)
at /home/work/httpd/php-4.3.0pre2/ext/session/mod_mm.c:326
#2  0x401446b9 in php_session_initialize ()
at /home/work/httpd/php-4.3.0pre2/ext/session/session.c:608
#3  0x40145864 in php_session_start ()
at /home/work/httpd/php-4.3.0pre2/ext/session/session.c:1004
#4  0x40147438 in zif_session_start (ht=0, return_value=0x8136fd4,
this_ptr=0x0, return_value_used=0)
at /home/work/httpd/php-4.3.0pre2/ext/session/session.c:1445
#5  0x4022cfc7 in execute (op_array=0x8136c3c)
at /home/work/httpd/php-4.3.0pre2/Zend/zend_execute.c:1595
#6  0x4021a174 in zend_execute_scripts (type=8, ret

#20358 [Com]: Apache is "Segmentation fault" by session_start() with libmm

2002-12-16 Thread bduclaux
 ID:   20358
 Comment by:   [EMAIL PROTECTED]
 Reported By:  [EMAIL PROTECTED]
 Status:   Verified
 Bug Type: Session related
 Operating System: RedHat7.3
 PHP Version:  4.3.0-dev
 New Comment:

Hi,

I have experienced the same bug on my linux box with several versions
of httpd/php
Redhat7.3 PHP 4.3.2 4.3.0-pre1 4.3.0-rc1 4.3.0-rc2
Apache 1.3.27.

It can happen at any time (like 24h after launching httpd) and it then
crashes every apache child.

Obviously, the structure data->hash[slot] is not properly initialized
before entering in ps_sd_lookup, but that is quite strange !

I think it should be fixed before 4.3.0 release.


Previous Comments:


[2002-12-13 08:46:30] [EMAIL PROTECTED]

FreeBSD, Apache 1.3.27, PHP 4.2.3

#0  0x48287655 in ps_sd_destroy (data=0x811b0a0, sd=0x4c6c2354) at
mod_mm.c:168
168 for (prev = data->hash[slot]; prev->next != sd;
prev = prev->next);

(gdb) bt
#0  0x48287655 in ps_sd_destroy (data=0x811b0a0, sd=0x4c6c2354) at
mod_mm.c:168
#1  0x4828784f in ps_mm_destroy (data=0x811b0a0) at mod_mm.c:242
#2  0x48287a25 in zm_shutdown_ps_mm (type=1, module_number=11) at
mod_mm.c:293
#3  0x48231e93 in module_destructor (module=0x811c500) at
zend_API.c:1127
#4  0x482338d3 in zend_hash_destroy (ht=0x48333b80) at zend_hash.c:541
#5  0x4822ef3f in zend_shutdown () at zend.c:492
#6  0x4823c107 in php_module_shutdown () at main.c:1052
#7  0x4823c0d4 in php_module_shutdown_wrapper
(sapi_globals=0x48311880)
at main.c:1029
#8  0x48239abc in apache_php_module_shutdown_wrapper () at
mod_php4.c:800
#9  0x805003a in run_cleanups ()
#10 0x804f09f in ap_clear_pool ()
#11 0x804f100 in ap_destroy_pool ()
#12 0x804f08b in ap_clear_pool ()
#13 0x804f100 in ap_destroy_pool ()
#14 0x8059460 in clean_parent_exit ()
#15 0x805b925 in standalone_main ()
#16 0x805bd6b in main ()
#17 0x804eb0d in _start ()

(gdb) print *data
$3 = {mm = 0x4c69b414, hash = 0x4c69b434, hash_max = 511, hash_cnt =
0,
  owner = 81324}
(gdb) print *sd
$4 = {next = 0x3e0, hv = 979, ctime = 1282159212, data = 0x74656c73,
  datalen = 2087871860, alloclen = 976304755, key = "\""}
(gdb) print slot
$5 = 1282155348
(gdb) print data->hash
$6 = (ps_sd **) 0x4c69b434
(gdb) print *(data->hash)
$7 = (ps_sd *) 0x4c6c2354
(gdb) print *prev
Cannot access memory at address 0x10.



[2002-11-12 06:01:38] [EMAIL PROTECTED]

more info...

(gdb) list
182
183 hv = ps_sd_hash(key, strlen(key));
184 slot = hv & data->hash_max;
185
186 for (prev = NULL, ret = data->hash[slot]; ret; prev =
ret, ret =
 ret->next)
187 if (ret->hv == hv && !strcmp(ret->key, key))
188 break;
189
190 if (ret && rw && ret != data->hash[slot]) {
191 /* Move the entry to the top of the linked list
*/
(gdb) print key
$1 = 0x8136f2c "136"
(gdb) print hv
$2 = 1943406893
(gdb) print slot
$3 = 301
(gdb) print data->hash_max
$4 = 511
(gdb) print prev
$5 = (ps_sd *) 0x4413df00
(gdb) print ret
$6 = (ps_sd *) 0x1f
(gdb) print ret->next
Cannot access memory at address 0x1f
(gdb) print data->hash[slot]->next
$7 = (struct ps_sd *) 0x1f



[2002-11-12 05:51:51] [EMAIL PROTECTED]

Apache was re-compiled with -DBIG_SECURITY_HOLE option.
edit /usr/local/apache/conf/httpd.conf
User root
Group root
CoreDumpDirectory /tmp

# /usr/local/apache/bin/apachectl start
# sh loop.sh
# tail -f /usr/local/apache/logs/error_log
[Tue Nov 12 20:41:49 2002] [notice] child pid 23351 exit signal
Segmentation fault (11), possible coredump in /tmp

child process of apache was core dumped.

back trace

(gdb) bt
#0  0x40148a33 in ps_sd_lookup (data=0x80d4418, key=0x8136f2c "136",
rw=0)
at /home/work/httpd/php-4.3.0pre2/ext/session/mod_mm.c:187
#1  0x40148ec8 in ps_read_mm (mod_data=0x4029ea70, key=0x8136f2c
"136",
val=0xbfffd1e0, vallen=0xbfffd1dc)
at /home/work/httpd/php-4.3.0pre2/ext/session/mod_mm.c:326
#2  0x401446b9 in php_session_initialize ()
at /home/work/httpd/php-4.3.0pre2/ext/session/session.c:608
#3  0x40145864 in php_session_start ()
at /home/work/httpd/php-4.3.0pre2/ext/session/session.c:1004
#4  0x40147438 in zif_session_start (ht=0, return_value=0x8136fd4,
this_ptr=0x0, return_value_used=0)
at /home/work/httpd/php-4.3.0pre2/ext/session/session.c:1445
#5  0x4022cfc7 in execute (op_array=0x8136c3c)
at /home/work/httpd/php-4.3.0pre2/Zend/zend_execute.c:1595
#6  0x4021a174 in zend_execute_scripts (type=8, retval=0x0,
file_count=3)
at /home/work/httpd/php-4.3.0pre2/Zend/zend.c:839
#7  0x401e1f13 in php_execute_script (primary_file=0xb6b0)
at /home/work/httpd/php-4.3.0pre2

#20358 [Com]: Apache is "Segmentation fault" by session_start() with libmm

2002-12-13 Thread verx
 ID:   20358
 Comment by:   [EMAIL PROTECTED]
 Reported By:  [EMAIL PROTECTED]
 Status:   Verified
 Bug Type: Session related
 Operating System: RedHat7.3
 PHP Version:  4.3.0-dev
 New Comment:

FreeBSD, Apache 1.3.27, PHP 4.2.3

#0  0x48287655 in ps_sd_destroy (data=0x811b0a0, sd=0x4c6c2354) at
mod_mm.c:168
168 for (prev = data->hash[slot]; prev->next != sd;
prev = prev->next);

(gdb) bt
#0  0x48287655 in ps_sd_destroy (data=0x811b0a0, sd=0x4c6c2354) at
mod_mm.c:168
#1  0x4828784f in ps_mm_destroy (data=0x811b0a0) at mod_mm.c:242
#2  0x48287a25 in zm_shutdown_ps_mm (type=1, module_number=11) at
mod_mm.c:293
#3  0x48231e93 in module_destructor (module=0x811c500) at
zend_API.c:1127
#4  0x482338d3 in zend_hash_destroy (ht=0x48333b80) at zend_hash.c:541
#5  0x4822ef3f in zend_shutdown () at zend.c:492
#6  0x4823c107 in php_module_shutdown () at main.c:1052
#7  0x4823c0d4 in php_module_shutdown_wrapper
(sapi_globals=0x48311880)
at main.c:1029
#8  0x48239abc in apache_php_module_shutdown_wrapper () at
mod_php4.c:800
#9  0x805003a in run_cleanups ()
#10 0x804f09f in ap_clear_pool ()
#11 0x804f100 in ap_destroy_pool ()
#12 0x804f08b in ap_clear_pool ()
#13 0x804f100 in ap_destroy_pool ()
#14 0x8059460 in clean_parent_exit ()
#15 0x805b925 in standalone_main ()
#16 0x805bd6b in main ()
#17 0x804eb0d in _start ()

(gdb) print *data
$3 = {mm = 0x4c69b414, hash = 0x4c69b434, hash_max = 511, hash_cnt =
0,
  owner = 81324}
(gdb) print *sd
$4 = {next = 0x3e0, hv = 979, ctime = 1282159212, data = 0x74656c73,
  datalen = 2087871860, alloclen = 976304755, key = "\""}
(gdb) print slot
$5 = 1282155348
(gdb) print data->hash
$6 = (ps_sd **) 0x4c69b434
(gdb) print *(data->hash)
$7 = (ps_sd *) 0x4c6c2354
(gdb) print *prev
Cannot access memory at address 0x10.


Previous Comments:


[2002-11-12 06:01:38] [EMAIL PROTECTED]

more info...

(gdb) list
182
183 hv = ps_sd_hash(key, strlen(key));
184 slot = hv & data->hash_max;
185
186 for (prev = NULL, ret = data->hash[slot]; ret; prev =
ret, ret =
 ret->next)
187 if (ret->hv == hv && !strcmp(ret->key, key))
188 break;
189
190 if (ret && rw && ret != data->hash[slot]) {
191 /* Move the entry to the top of the linked list
*/
(gdb) print key
$1 = 0x8136f2c "136"
(gdb) print hv
$2 = 1943406893
(gdb) print slot
$3 = 301
(gdb) print data->hash_max
$4 = 511
(gdb) print prev
$5 = (ps_sd *) 0x4413df00
(gdb) print ret
$6 = (ps_sd *) 0x1f
(gdb) print ret->next
Cannot access memory at address 0x1f
(gdb) print data->hash[slot]->next
$7 = (struct ps_sd *) 0x1f



[2002-11-12 05:51:51] [EMAIL PROTECTED]

Apache was re-compiled with -DBIG_SECURITY_HOLE option.
edit /usr/local/apache/conf/httpd.conf
User root
Group root
CoreDumpDirectory /tmp

# /usr/local/apache/bin/apachectl start
# sh loop.sh
# tail -f /usr/local/apache/logs/error_log
[Tue Nov 12 20:41:49 2002] [notice] child pid 23351 exit signal
Segmentation fault (11), possible coredump in /tmp

child process of apache was core dumped.

back trace

(gdb) bt
#0  0x40148a33 in ps_sd_lookup (data=0x80d4418, key=0x8136f2c "136",
rw=0)
at /home/work/httpd/php-4.3.0pre2/ext/session/mod_mm.c:187
#1  0x40148ec8 in ps_read_mm (mod_data=0x4029ea70, key=0x8136f2c
"136",
val=0xbfffd1e0, vallen=0xbfffd1dc)
at /home/work/httpd/php-4.3.0pre2/ext/session/mod_mm.c:326
#2  0x401446b9 in php_session_initialize ()
at /home/work/httpd/php-4.3.0pre2/ext/session/session.c:608
#3  0x40145864 in php_session_start ()
at /home/work/httpd/php-4.3.0pre2/ext/session/session.c:1004
#4  0x40147438 in zif_session_start (ht=0, return_value=0x8136fd4,
this_ptr=0x0, return_value_used=0)
at /home/work/httpd/php-4.3.0pre2/ext/session/session.c:1445
#5  0x4022cfc7 in execute (op_array=0x8136c3c)
at /home/work/httpd/php-4.3.0pre2/Zend/zend_execute.c:1595
#6  0x4021a174 in zend_execute_scripts (type=8, retval=0x0,
file_count=3)
at /home/work/httpd/php-4.3.0pre2/Zend/zend.c:839
#7  0x401e1f13 in php_execute_script (primary_file=0xb6b0)
at /home/work/httpd/php-4.3.0pre2/main/main.c:1542
#8  0x40231f36 in apache_php_module_main (r=0x812ff2c,
display_source_mode=0)
at /home/work/httpd/php-4.3.0pre2/sapi/apache/sapi_apache.c:55
#9  0x40232e00 in send_php (r=0x812ff2c, display_source_mode=0,
filename=0x813093c
"/usr/local/apache/htdocs/php/samples/session/bug.phtml")
 at /home/work/httpd/php-4.3.0pre2/sapi/apache/mod_php4.c:556
#10 0x40232e6d in send_parsed_php (r=0x812ff2c)
at /home/work/httpd/php-4.3.0pre2/sapi/apache/mod_php4.c:571
#11 0x0806a7bb in ap_invoke_handler ()
#12 0x0807f723 in process_reques