#38525 [Fbk-Opn]: 5.2.0RC2 + squirrelmail == random segfaults , heap corruption

2006-08-28 Thread judas dot iscariote at gmail dot com
 ID:   38525
 User updated by:  judas dot iscariote at gmail dot com
 Reported By:  judas dot iscariote at gmail dot com
-Status:   Feedback
+Status:   Open
 Bug Type: Reproducible crash
 Operating System: linux
 PHP Version:  5.2.0RC2
 New Comment:

Tony, I'm using the 1.4.x tree from CVS.
I hope somebody else can reproduce it; due to the random nature of the
problem, it is hard to get a short reproduce code... :-(


Previous Comments:


[2006-08-28 06:55:47] [EMAIL PROTECTED]

Christian, what version of SquirrelMail did you use?



[2006-08-28 01:19:15] james at digisys dot net

FWIW, I'm seeing these same random seg faults with PHP 5.1.4 and
Squirrelmail 1.4.8 with an external IMAP server.  Switching to the
development branch of Squirrelmail (1.5.2) cleared things up. 
According to the Squirrelmail site the current stable releases (1.4.x)
do not work with PHP5, but the CVS version contains fixes which get it
working.  Not that PHP should fault either way :)



[2006-08-26 09:35:25] poeml at suse dot de

Hi,

on my machine it happens with IMAP server _on localhost_.

A how-to-reproduce procedure here is:

- open inbox in browser
- open first mail
- click next mail
- proceed with clicking next mail (thereby stepping 
through mailbox mail by mail), until segfault happens. 
Sometimes it takes a while, but it WILL happen sooner or
later.
- now, reloading will trigger the segfault again and again.

- viewing the next mail and going back shows the mail
without a segfault. This also allows one to continue using
SquirrelMail until the next segfault is encountered.



[2006-08-23 23:06:11] [EMAIL PROTECTED]

Well, we still need a reproduce case..







The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/38525

-- 
Edit this bug report at http://bugs.php.net/?id=38525&edit=1
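As an added triage aid (my own code, not anything from this bug report or from PHP): the Python below parses memcheck output of the shape posted in this thread, the kind you get from the `valgrind --tool=memcheck --log-file=httpd ... httpd -X` invocation Tony suggests later on, into structured error records, then pulls out the block that killed the process, the faulting address, and the first frame outside zend_alloc.c, which is the code path that handed the allocator a block whose header was already corrupted. The embedded sample is constructed from the second trace on this page, abbreviated and with the mail client's line wrapping undone; the "null_derived" flag with its 0x1000 threshold is a heuristic of mine, not something valgrind reports.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, NamedTuple, Optional

# "==PID==    at 0xADDR: func (file:line)" / "==PID==    by 0xADDR: func (in /lib/x.so)"
FRAME_RE = re.compile(r'^==(\d+)==\s*(at|by)\s+0x([0-9A-Fa-f]+):\s+(\S+)\s+\((.*)\)\s*$')
HEADER_RE = re.compile(r'^==(\d+)==\s*(.*?)\s*$')    # any other "==PID== text" line
FAULT_RE = re.compile(r'at address 0x([0-9A-Fa-f]+)')
SIGNAL_RE = re.compile(r'signal (\d+)')

Frame = NamedTuple('Frame', [('addr', int), ('func', str), ('loc', str)])  # loc: "file:line" or "in lib.so"

@dataclass
class MemcheckError:
    pid: int
    kind: str                                           # first line of the block
    detail: List[str] = field(default_factory=list)     # header lines before the stack
    frames: List[Frame] = field(default_factory=list)

def parse_memcheck(text: str) -> List[MemcheckError]:
    """One record per block that carries a stack; summary blocks and non-valgrind lines are dropped."""
    errors: List[MemcheckError] = []
    cur: Optional[MemcheckError] = None

    def flush() -> None:
        nonlocal cur
        if cur is not None and cur.frames:
            errors.append(cur)
        cur = None

    for raw in text.splitlines():
        m = FRAME_RE.match(raw)
        if m:
            if cur is not None:                  # a frame with no header: ignore it
                cur.frames.append(Frame(int(m.group(3), 16), m.group(4), m.group(5)))
            continue
        m = HEADER_RE.match(raw)
        if not m:
            continue                             # shell prompt or other noise
        pid, body = int(m.group(1)), m.group(2)
        if body == '':                           # bare "==PID==" separator closes a block
            flush()
        elif cur is None:
            cur = MemcheckError(pid, body)
        elif not cur.frames:
            cur.detail.append(body)              # e.g. "Bad permissions ... at address 0x18"
        else:                                    # new header straight after a stack
            flush()
            cur = MemcheckError(pid, body)
    flush()
    return errors

def fault_address(err: MemcheckError) -> Optional[int]:
    m = FAULT_RE.search(' '.join(err.detail))
    return int(m.group(1), 16) if m else None

def first_frame_outside(err: MemcheckError, files=('zend_alloc.c',)) -> Optional[Frame]:
    """Skip the allocator's own frames: the first caller outside them is the code
    path that handed the heap a block whose header was already corrupted."""
    return next((f for f in err.frames if f.loc.split(':', 1)[0] not in files), None)

def triage(text: str) -> Dict[str, object]:
    """The facts a bug triager wants before reading the whole log."""
    errors = parse_memcheck(text)
    crash = next((e for e in errors if e.kind.startswith('Process terminating')), None)
    out: Dict[str, object] = {'errors': len(errors), 'crashed': crash is not None}
    if crash is None:
        return out
    sig, addr, caller = SIGNAL_RE.search(crash.kind), fault_address(crash), first_frame_outside(crash)
    out.update({
        'signal': int(sig.group(1)) if sig else None,
        'fault_address': addr,
        # heuristic (mine, not valgrind's): a fault at a tiny address is a field read
        # through a NULL or zeroed pointer, here a link in a trashed free-list block
        'null_derived': addr is not None and addr < 0x1000,
        'crash_top': crash.frames[0].func,
        'caller': caller.func if caller else None,
        'caller_loc': caller.loc if caller else None,
    })
    return out

# Constructed sample: the second trace posted in this thread, abbreviated, with the
# mail client's line wrapping undone so that each frame sits on one line.
SAMPLE = """\
==15053== Conditional jump or move depends on uninitialised value(s)
==15053==    at 0x59E1002: vfprintf (in /lib64/libc-2.4.so)
==15053==    by 0x59E91A7: sprintf (in /lib64/libc-2.4.so)
==15053==    by 0x7D120DA: _convert_to_string (zend_operators.c:556)
==15053==
==15053== Process terminating with default action of signal 11 (SIGSEGV)
==15053==  Bad permissions for mapped region at address 0x18
==15053==    at 0x7CF7D50: zend_mm_add_to_free_list (zend_alloc.c:465)
==15053==    by 0x7CF986B: _zend_mm_alloc_int (zend_alloc.c:1233)
==15053==    by 0x7CFA7C5: _zend_mm_realloc_int (zend_alloc.c:1543)
==15053==    by 0x7CFAAE5: _erealloc (zend_alloc.c:1633)
==15053==    by 0x7C82C92: php_var_serialize_string (var.c:540)
==15053==    by 0x7B8B8D4: ps_srlzr_encode_php (session.c:479)
==15053==    by 0x7B8C43C: php_session_encode (session.c:581)
==15053==
==15053== ERROR SUMMARY: 63 errors from 13 contexts (suppressed: 155 from 1)
hell:~ #
"""
```

On the sample, triage() reports two blocks with stacks, a signal 11 at address 0x18 with zend_mm_add_to_free_list on top, and php_var_serialize_string (var.c:540) as the first caller outside the allocator. That is the useful split for a report like this one: the crash site is inside the memory manager, but the frame that matters for narrowing the reproduce case is the session serializer, and a fault at a tiny address points at a free-list link being read through a null or garbage pointer, which is consistent with the gdb output further down the thread where zend_mm_remove_from_free_list sees a garbage `next` pointer.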


#38525 [Fbk-Opn]: 5.2.0RC2 + squirrelmail == random segfaults , heap corruption

2006-08-23 Thread judas dot iscariote at gmail dot com
 ID:   38525
 User updated by:  judas dot iscariote at gmail dot com
 Reported By:  judas dot iscariote at gmail dot com
-Status:   Feedback
+Status:   Open
 Bug Type: Reproducible crash
 Operating System: linux
 PHP Version:  5.2.0RC2
 New Comment:

Tony :
Sadly I still get a segfault with a fresh CVS copy :-(

==32459== Process terminating with default action of signal 11
(SIGSEGV)
==32459==  Bad permissions for mapped region at address 0x18
==32459==at 0x7BEC108: zend_mm_add_to_free_list (zend_alloc.c:465)
==32459==by 0x7BEDC23: _zend_mm_alloc_int (zend_alloc.c:1233)
==32459==by 0x7BEEB7D: _zend_mm_realloc_int (zend_alloc.c:1543)
==32459==by 0x7BEEE9D: _erealloc (zend_alloc.c:1633)
==32459==by 0x7B84771: php_var_serialize_string (var.c:538)
==32459==by 0x7B86607: php_var_serialize_intern (var.c:701)
==32459==by 0x7B88679: php_var_serialize_intern (var.c:827)
==32459==by 0x7B88679: php_var_serialize_intern (var.c:827)
==32459==by 0x7B89295: php_var_serialize (var.c:845)
==32459==by 0x7B00700: ps_srlzr_encode_php (session.c:479)
==32459==by 0x7B01268: php_session_encode (session.c:581)
==32459==by 0x7B01DDD: php_session_save_current_state
(session.c:860)
==32459==
==32459== ERROR SUMMARY: 26 errors from 8 contexts (suppressed: 149
from 1)
==32459== malloc/free: in use at exit: 21,210,557 bytes in 5,186
blocks.
==32459== malloc/free: 169,756 allocs, 164,570 frees, 216,925,409 bytes
allocated.
==32459== For counts of detected errors, rerun with: -v
==32459== searching for pointers to 5,186 not-freed blocks.
==32459== checked 19,498,696 bytes.


Previous Comments:


[2006-08-23 13:04:57] [EMAIL PROTECTED]

This seems to be a duplicate of bug #38265.
Dmitry has committed a patch for it several minutes ago, please try the
next snapshot (or CVS sources).
Thanks. 



[2006-08-22 08:02:57] [EMAIL PROTECTED]

No, using IMAP server on a different machine didn't change anything. It
still works fine without any crashes.



[2006-08-22 06:14:48] judas dot iscariote at gmail dot com

OK. I now checked a fresh copy from CVS, and reduced my PHP
installation to the bare minimum needed to run the offending app that
crashes.

my configure line now is :

./configure --enable-debug --with-pcre-regex --with-iconv
--enable-session --disable-all --with-libdir=lib64
--with-apxs2=/usr/sbin/apxs2

results :

IMAP server on a remote host === RANDOM CRASH
IMAP server on localhost === NO CRASH.

the gdb and valgrind info are the same.






[2006-08-21 22:36:58] [EMAIL PROTECTED]

I've tested it on 3 different machines (1 x86 and 2 x86-64) and I can't
see any crashes whatsoever.
Please try to reduce the reproduce code and/or provide access to the
machine where it's reproducible.





#38525 [Fbk-Opn]: 5.2.0RC2 + squirrelmail == random segfaults , heap corruption

2006-08-21 Thread judas dot iscariote at gmail dot com
 ID:   38525
 User updated by:  judas dot iscariote at gmail dot com
 Reported By:  judas dot iscariote at gmail dot com
-Status:   Feedback
+Status:   Open
 Bug Type: Reproducible crash
 Operating System: linux
 PHP Version:  5.2.0RC2
 New Comment:

It took me a while to reproduce it again, oO.

That's what I obtained with valgrind.

==15053== Conditional jump or move depends on uninitialised value(s)
==15053==at 0x59E1002: vfprintf (in /lib64/libc-2.4.so)
==15053==by 0x59FE6F8: vsprintf (in /lib64/libc-2.4.so)
==15053==by 0x59E91A7: sprintf (in /lib64/libc-2.4.so)
==15053==by 0x7D120DA: _convert_to_string (zend_operators.c:556)
==15053==by 0x7D1A6C2: zend_make_printable_zval (zend.c:266)
==15053==by 0x7D58B84: ZEND_ADD_VAR_SPEC_TMP_CV_HANDLER
(zend_vm_execute.h:6552)
==15053==by 0x7D4407E: execute (zend_vm_execute.h:92)
==15053==by 0x7D4480F: zend_do_fcall_common_helper_SPEC
(zend_vm_execute.h:234)
==15053==by 0x7D454AD: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER
(zend_vm_execute.h:322)
==15053==by 0x7D4407E: execute (zend_vm_execute.h:92)
==15053==by 0x7D1C4DA: zend_execute_scripts (zend.c:1095)
==15053==by 0x7CBE341: php_execute_script (main.c:1759)
==15053==
==15053== Process terminating with default action of signal 11
(SIGSEGV)
==15053==  Bad permissions for mapped region at address 0x18
==15053==at 0x7CF7D50: zend_mm_add_to_free_list (zend_alloc.c:465)
==15053==by 0x7CF986B: _zend_mm_alloc_int (zend_alloc.c:1233)
==15053==by 0x7CFA7C5: _zend_mm_realloc_int (zend_alloc.c:1543)
==15053==by 0x7CFAAE5: _erealloc (zend_alloc.c:1633)
==15053==by 0x7C82C92: php_var_serialize_string (var.c:540)
==15053==by 0x7C8650F: php_var_serialize_intern (var.c:810)
==15053==by 0x7C86709: php_var_serialize_intern (var.c:827)
==15053==by 0x7C87325: php_var_serialize (var.c:845)
==15053==by 0x7B8B8D4: ps_srlzr_encode_php (session.c:479)
==15053==by 0x7B8C43C: php_session_encode (session.c:581)
==15053==by 0x7B8CFB1: php_session_save_current_state
(session.c:860)
==15053==by 0x7B91F3C: php_session_flush (session.c:1845)
==15053==
==15053== ERROR SUMMARY: 63 errors from 13 contexts (suppressed: 155
from 1)
==15053== malloc/free: in use at exit: 20,326,987 bytes in 11,487
blocks.
==15053== malloc/free: 214,233 allocs, 202,746 frees, 315,649,047 bytes
allocated.
==15053== For counts of detected errors, rerun with: -v
==15053== searching for pointers to 11,487 not-freed blocks.
==15053== checked 17,712,560 bytes.
==15053==
==15053== LEAK SUMMARY:
==15053==definitely lost: 924 bytes in 35 blocks.
==15053==  possibly lost: 0 bytes in 0 blocks.
==15053==still reachable: 20,326,063 bytes in 11,452 blocks.
==15053== suppressed: 0 bytes in 0 blocks.
==15053== Use --leak-check=full to see details of leaked memory.
hell:~ #


Previous Comments:


[2006-08-21 08:53:05] [EMAIL PROTECTED]

Obviously the new heap implementation from Zend is unstable.




[2006-08-21 08:39:58] [EMAIL PROTECTED]

Could you also please try to see if valgrind tells you anything?

valgrind --tool=memcheck --log-file=httpd /path/to/apache/httpd -X

And check out httpd.PID file.



[2006-08-20 20:27:50] judas dot iscariote at gmail dot com

update summary.



[2006-08-20 19:00:21] judas dot iscariote at gmail dot com

#1  0x2af677a1970e in zend_mm_panic (message=0x2af677b5ade9 Heap
corrupted)
at /local/local/bodegon/php-debug/Zend/zend_alloc.c:61
No locals.
#2  0x2af677a19c00 in zend_mm_remove_from_free_list
(heap=0x55867130, mm_block=0x2af679814fc0)
at /local/local/bodegon/php-debug/Zend/zend_alloc.c:473
prev = (zend_mm_free_block *) 0x55867268
next = (zend_mm_free_block *) 0x3631f6792bdbc8
#3  0x2af677a1c39a in _zend_mm_realloc_int (heap=0x55867130,
p=0x2af6797d5060, size=262104,
__zend_filename=0x2af677b3bb78
/local/local/bodegon/php-debug/ext/standard/var.c,
__zend_lineno=531,
__zend_orig_filename=0x0, __zend_orig_lineno=0) at
/local/local/bodegon/php-debug/Zend/zend_alloc.c:1450
mm_block = (zend_mm_block *) 0x2af6797d5020
next_block = (zend_mm_block *) 0x2af679814fc0
true_size = 262176
ptr = (void *) 0x23a8
#4  0x2af677a1cae6 in _erealloc (ptr=0x2af6797d5060, size=262104,
allow_failure=0,
__zend_filename=0x2af677b3bb78
/local/local/bodegon/php-debug/ext/standard/var.c,
__zend_lineno=531,
__zend_orig_filename=0x0, __zend_orig_lineno=0) at
/local/local/bodegon/php-debug/Zend/zend_alloc.c:1633
No locals.
#5  0x2af6779a8e47 in php_var_serialize_long (buf=0x7fff362aa7a0,
val=407)
at 

#38525 [Fbk-Opn]: 5.2.0RC2 + squirrelmail == random segfaults , heap corruption

2006-08-21 Thread judas dot iscariote at gmail dot com
 ID:   38525
 User updated by:  judas dot iscariote at gmail dot com
 Reported By:  judas dot iscariote at gmail dot com
-Status:   Feedback
+Status:   Open
 Bug Type: Reproducible crash
 Operating System: linux
 PHP Version:  5.2.0RC2
 New Comment:

apache 2.2.X with prefork MPM


Previous Comments:


[2006-08-21 12:11:13] [EMAIL PROTECTED]

Which Apache version is used and what is the MPM ?



[2006-08-21 10:40:32] judas dot iscariote at gmail dot com

Well, additionally, this is a 64-bit machine, but IIRC it can be
reproduced on 32-bit too. It is Linux with the latest 5.2 CVS; also
reproduced with the released RC2 tarball.

Not reproducible with 5.1.x because this is caused by the new memory
manager.

A trace with xdebug loaded also ends abruptly in random places,
sometimes just after the end of an IMAP stream:

    >=> ' Logout completed.\r\n'
6.49789175040 -> trim(' Logout completed.\r\n') /srv/www/htdocs/squirrelmail/functions/imap_general.php:203
    >=> 'Logout completed.'
  >=> array (0 => array (0 => '* BYE Logging out\r\n'))
    >=> array (0 => '* BYE Logging out\r\n')
  >=> array (0 => '* BYE Logging out\r\n')
    >=> NULL
  >=> 1
6.54155767168
TRACE END   [2006-08-20 18:37:19]

Or on other occasions (weird) it segfaults **just after that**, when
SquirrelMail tries to register an object in a session: the session
variable is created and then it dies. :(

Also, the random error happens not only with right_main.php of SM but
with read_body.php or the simple login.php.

I'm done; I don't know how else to look, and I'm not sure if I can
provide reproduce code either. Any clues?




#38525 [Fbk-Opn]: 5.2.0RC2 + squirrelmail == random segfaults , heap corruption

2006-08-21 Thread judas dot iscariote at gmail dot com
 ID:   38525
 User updated by:  judas dot iscariote at gmail dot com
 Reported By:  judas dot iscariote at gmail dot com
-Status:   Feedback
+Status:   Open
 Bug Type: Reproducible crash
 Operating System: linux
 PHP Version:  5.2.0RC2
 New Comment:

Tony, when you tested, was the IMAP server on the same machine or on a
remote machine? I think that matters for this problem. I cannot get
this crash when the IMAP server is on localhost.

