#46434 [Opn]: When session.save_handler=mm session garbage collection causes segfault

2008-10-31 Thread charlie dot orford at gmail dot com
 ID:   46434
 User updated by:  charlie dot orford at gmail dot com
 Reported By:  charlie dot orford at gmail dot com
 Status:   Open
 Bug Type: Session related
 Operating System: Debian 4/Etch
 PHP Version:  5.2.6
 New Comment:

GDB backtrace #3:
===

Core was generated by `/usr/local/apache/bin/httpd -k start'.
Program terminated with signal 11, Segmentation fault.
#0  0x2b121af85f7d in ps_gc_mm (mod_data=,
maxlifetime=1800, nrdels=0x7fff911a30bc)
at /usr/src/lamp/php5.2-200810311530/ext/session/mod_mm.c:422
422 if (sd->ctime < limit) {
(gdb) bt full
#0  0x2b121af85f7d in ps_gc_mm (mod_data=,
maxlifetime=1800, nrdels=0x7fff911a30bc)
at /usr/src/lamp/php5.2-200810311530/ext/session/mod_mm.c:422
data = (ps_mm *) 0x78b210
limit = 1225485826
ohash = (ps_sd **) 0x2b121d6c2060
ehash = (ps_sd **) 0x2b121d6c3058
sd = (ps_sd *) 0x7c65707989b73ff3
next = (ps_sd *) 0x708
#1  0x2b121af82e04 in php_session_start ()
at /usr/src/lamp/php5.2-200810311530/ext/session/session.c:1344
nrdels = 0
ppid = (zval **) 0x2b12199abaa8
data = (zval **) 0x2b12199ac630
p = 0x2b12199b28c0 "X,\233\031\022+"
lensess = 429598912
#2  0x2b121af83689 in zif_session_start (ht=26,
return_value=0x7c65707989b73ff3, return_value_ptr=0x2b121b841960,
this_ptr=0x2b121a82834a, return_value_used=460575968)
at /usr/src/lamp/php5.2-200810311530/ext/session/session.c:1824
No locals.
#3  0x2b121b0c7177 in zend_do_fcall_common_helper_SPEC (
execute_data=0x7fff911a49d0)
at /usr/src/lamp/php5.2-200810311530/Zend/zend_vm_execute.h:200
i = 32767
p = 
arg_count = 47356836608064
return_reference = 0 '\0'
opline = (zend_op *) 0x2b121f6c7930
original_return_value = 
current_scope = (zend_class_entry *) 0x0
current_this = (zval *) 0x0
return_value_used = 460575968
should_change_scope = 0 '\0'
#4  0x2b121b0b6fa3 in execute (op_array=0x2b12199b1030)
at /usr/src/lamp/php5.2-200810311530/Zend/zend_vm_execute.h:92
execute_data = {opline = 0x2b121f6c7930, function_state = {
    function_symbol_table = 0x0, function = 0x746fa0,
    reserved = {0x2b121b06a12c, 0x2b12199b1138, 0x0, 0x2b12199b1138}},
  fbc = 0x0, op_array = 0x2b12199b1030, object = 0x0, Ts = 0x7fff911a3200,
  CVs = 0x7fff911a31e0, original_in_execution = 1 '\001',
  symbol_table = 0x2b121b73d668, prev_execute_data = 0x7fff911a60f0,
  old_error_reporting = 0x0}
#5  0x2b121b0b991f in ZEND_INCLUDE_OR_EVAL_SPEC_CONST_HANDLER (
execute_data=0x7fff911a60f0)
at /usr/src/lamp/php5.2-200810311530/Zend/zend_vm_execute.h:2087
saved_object = (zval *) 0x0
saved_function = (zend_function *) 0x2b12199ad2e8
opline = (zend_op *) 0x2b12199b5308
new_op_array = (zend_op_array *) 0x2b12199b1030
original_return_value = (zval **) 0x7fff911a6358
inc_filename = 
tmp_inc_filename = {value = {lval = 47356769981664,
    dval = 2.3397353145946181e-310,
    str = {val = 0x2b121b73d4e0 "(N\032\221ÿ\177", len = 454017753},
    ht = 0x2b121b73d4e0, obj = {handle = 460575968, handlers = 0x2b121b0fc2d9}},
  refcount = 0, type = 0 '\0', is_ref = 0 '\0'}
failure_retval = 224 'à'
#6  0x2b121b0b6fa3 in execute (op_array=0x2b12199ad2e8)
at /usr/src/lamp/php5.2-200810311530/Zend/zend_vm_execute.h:92
execute_data = {opline = 0x2b12199b5308, function_state = {
    function_symbol_table = 0x0, function = 0x2b12199b1030,
    reserved = {0x2b121b06a12c, 0x2b12199addb8, 0x0, 0x2b12199addb8}},
  fbc = 0x0, op_array = 0x2b12199ad2e8, object = 0x0, Ts = 0x7fff911a4ba0,
  CVs = 0x7fff911a4b80, original_in_execution = 1 '\001',
  symbol_table = 0x2b121b73d668, prev_execute_data = 0x7fff911a6390,
  old_error_reporting = 0x0}
#7  0x2b121b0b991f in ZEND_INCLUDE_OR_EVAL_SPEC_CONST_HANDLER (
execute_data=0x7fff911a6390)
at /usr/src/lamp/php5.2-200810311530/Zend/zend_vm_execute.h:2087
saved_object = (zval *) 0x0
saved_function = (zend_function *) 0x2b12199ac848
opline = (zend_op *) 0x2b12199acf48
new_op_array = (zend_op_array *) 0x2b12199ad2e8
original_return_value = (zval **) 0x7fff911a64b0
inc_filename = 
tmp_inc_filename = {value = {lval = 3, dval = 1.4821969375237396e-323,
    str = {val = 0x3 , len = 454017753}, ht = 0x3,
    obj = {handle = 3, handlers = 0x2b121b0fc2d9}},
  refcount = 0, type = 0 '\0', is_ref = 0 '\0'}
failure_retval = 224 'à'
#8  0x2b121b0b6fa3 in execute (op_array=0x2b12199ac848)
at /usr/src/lamp/php5.2-200810311530/Zend/zend_vm_execute.h:92
execute_data = {opline = 0x2b12199acf48, function_state

#46434 [Opn]: When session.save_handler=mm session garbage collection causes segfault

2008-10-31 Thread charlie dot orford at gmail dot com
 ID:   46434
 User updated by:  charlie dot orford at gmail dot com
 Reported By:  charlie dot orford at gmail dot com
 Status:   Open
 Bug Type: Reproducible crash
 Operating System: Debian 4/Etch
 PHP Version:  5.2.6
 New Comment:

Forgot to include hardware and kernel version (in case it is helpful):

Linux kernel: 2.6.20.3

Hardware: Dual AMD Opteron 252 with 4GB RAM

Memory status at time of segfault:

# free -m
             total       used       free     shared    buffers     cached
Mem:          3903       3804         99          0        210       1707
-/+ buffers/cache:       1885       2017
Swap:         7632        271       7360


Previous Comments:


[2008-10-31 15:04:49] charlie dot orford at gmail dot com

Description:

When mm is used as session.save_handler, apache child processes begin
to segfault shortly after session.gc_maxlifetime is reached. The
workaround is to change session.save_handler to "files". This bug is
reproducible (for me at least).


Apache version: 2.2.10, compiled from source using:

./configure --prefix=/usr/local/apache --disable-cgi --disable-cgid
--disable-charset-lite --disable-env --disable-include
--disable-autoindex --disable-asis --disable-negotiation
--disable-imagemap --disable-actions --disable-userdir
--enable-nonportable-atomics --enable-deflate --enable-proxy-ftp=shared
--enable-proxy=shared --enable-proxy-connect=shared
--enable-proxy-http=shared --enable-cache=shared --enable-setenvif
--enable-expires --enable-headers --enable-rewrite --enable-unique-id
--enable-dav=shared --enable-dav-fs=shared --enable-ssl --enable-so
--with-ssl=/etc/ssl --with-mpm=prefork --with-dbm=db4
--with-berkeley-db=/usr/include:/usr/lib


httpd -l output:

Compiled in modules:
  core.c
  mod_authn_file.c
  mod_authn_default.c
  mod_authz_host.c
  mod_authz_groupfile.c
  mod_authz_user.c
  mod_authz_default.c
  mod_auth_basic.c
  mod_filter.c
  mod_deflate.c
  mod_log_config.c
  mod_expires.c
  mod_headers.c
  mod_unique_id.c
  mod_setenvif.c
  mod_ssl.c
  prefork.c
  http_core.c
  mod_mime.c
  mod_status.c
  mod_dir.c
  mod_alias.c
  mod_rewrite.c
  mod_so.c


PHP version 5.2.6, compiled from source using:

./configure --disable-ipv6 --disable-short-tags --disable-cgi
--enable-versioning --enable-url-includes --enable-sysvshm
--enable-sysvsem --enable-ftp --enable-calendar --enable-gd-native-ttf
--enable-mbstring --enable-libxml --enable-cli --enable-xml
--enable-sockets --with-pdflib=/usr/src/PDFlib-6.0.4-Linux-x86_64/bind/c
--with-apxs2=/usr/local/apache/bin/apxs --with-mysql=/usr/local/mysql
--with-mysql-sock=/var/run/mysqld/mysqld.sock
--with-mm=/usr/local/mm-1.4.2 --with-zlib --with-zlib-dir=/usr/lib/
--with-pear --with-gd --with-freetype-dir=/usr/local/lib/
--with-png-dir=/usr/lib/ --with-jpeg-dir=/usr/lib/ --with-ttf
--with-libtiff-dir=/usr/lib/ --with-openssl=/usr


mm-1.4.2, compiled from source using:

./configure --prefix=/usr/local/mm-1.4.2


Reproduce code:
---
See: http://pastebin.com/f38b947b

Expected result:

A session marked for garbage collection should be destroyed by the
garbage collector.

Actual result:
--
Garbage collection results in an apache child process segfault. I have
included two backtraces from two separate child process crashes.

Both seem to suggest php-5.2.6/ext/session/mod_mm.c is where the bug
resides.


GDB backtrace #1:
===

Core was generated by `/usr/local/apache/bin/httpd -k start'.
Program terminated with signal 11, Segmentation fault.
#0  zm_shutdown_ps_mm (type=,
module_number=)
at /usr/src/lamp/php-5.2.6/ext/session/mod_mm.c:243
243 next = sd->next;
(gdb) bt full
#0  zm_shutdown_ps_mm (type=,
module_number=)
at /usr/src/lamp/php-5.2.6/ext/session/mod_mm.c:243
No locals.
#1  0x2b814cef0234 in zm_shutdown_session (type=1,
module_number=12)
at /usr/src/lamp/php-5.2.6/ext/session/session.c:1983
No locals.
#2  0x2b814d00bea1 in module_destructor (module=0x7460f0)
at /usr/src/lamp/php-5.2.6/Zend/zend_API.c:1921
No locals.
#3  0x2b814d012642 in zend_hash_apply_deleter (ht=0x2b814d6ab320,
p=0x746090) at /usr/src/lamp/php-5.2.6/Zend/zend_hash.c:611
retval = 
#4  0x2b814d0128b8 in zend_hash_graceful_reverse_destroy (
ht=0x2b814d6ab320) at /usr/src/lamp/php-5.2.6/Zend/zend_hash.c:646
p = (Bucket *) 0x657469735f666572
#5  0x2b814d008247 in zend_shutdown ()
at /usr/src/lamp/php-5.2.6/Zend/zend.c:733
No locals.
#6  0x2b814cfc666a in php_module_shutdown ()
at /usr/src/lamp/php-5.2.6/main/main.c:1888
No locals.
#7  0x2b814cfc6709 in php_module_shutdown_wrapper
(sapi_globals=0x1)
at /usr/src/lamp/php-5.2.6/main/main.c:1859
No locals.
#8  0x2b814d0898e1 in php_apache_server_shutdown (
tmp=)
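Both backtraces fault while walking the session hash chains: backtrace #1 at `next = sd->next` in `zm_shutdown_ps_mm` (module shutdown), backtrace #3 at `if (sd->ctime < limit)` in `ps_gc_mm`, where `sd` holds 0x7c65707989b73ff3 and `next` holds 0x708, neither of which is a plausible pointer into the mm heap. What follows is an added, self-contained C model of that kind of expiry pass over chained buckets, written for this page and not taken from PHP's ext/session/mod_mm.c. The names `ps_sd`, `ctime`, `limit` and `nrdels`, and the `limit` value 1225485826 with `maxlifetime` 1800, mirror the backtrace; the table layout, hash function, `ps_insert`, `ps_gc`, `ps_destroy_all`, `ps_lookup` and the sample sessions are assumptions. It shows the traversal discipline that keeps a delete-during-walk from reading a node after it has been freed: unlink through a pointer-to-link, then release. It is single-process and deliberately does not model the cross-process locking a shared-memory store needs under prefork, and it makes no claim about what actually corrupted the chain in this report.

```c
/* Added illustration of an expiry GC pass over a chained session table.
 * Not PHP's mod_mm.c: only the field/variable names mirror the backtrace. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define HASH_SIZE 8

typedef struct ps_sd {
    struct ps_sd *next;   /* chain link within one bucket */
    time_t ctime;         /* last-touched time compared against `limit` */
    char   id[32];
} ps_sd;

typedef struct {
    ps_sd *hash[HASH_SIZE];
    size_t count;
} ps_table;

static unsigned bucket_of(const char *id) {
    unsigned h = 5381;                          /* djb2, assumed hash */
    for (; *id; id++) h = h * 33 + (unsigned char)*id;
    return h % HASH_SIZE;
}

/* Insert at the head of the id's bucket (no duplicate handling, by design). */
ps_sd *ps_insert(ps_table *t, const char *id, time_t ctime) {
    ps_sd *sd = calloc(1, sizeof *sd);
    if (!sd) return NULL;
    strncpy(sd->id, id, sizeof sd->id - 1);
    sd->ctime = ctime;
    unsigned b = bucket_of(id);
    sd->next = t->hash[b];
    t->hash[b] = sd;
    t->count++;
    return sd;
}

/* Expiry pass. `link` always points at the slot that holds the current node,
 * so removing a node rewrites that slot and frees the node without ever
 * dereferencing it afterwards (the unsafe shape is `sd = sd->next` after
 * `sd` has been destroyed). Returns 0; deletions are reported via nrdels. */
int ps_gc(ps_table *t, time_t now, long maxlifetime, int *nrdels) {
    time_t limit = now - maxlifetime;
    *nrdels = 0;
    for (unsigned b = 0; b < HASH_SIZE; b++) {
        ps_sd **link = &t->hash[b];
        while (*link) {
            ps_sd *sd = *link;
            if (sd->ctime < limit) {
                *link = sd->next;   /* unlink first ... */
                free(sd);           /* ... then release; sd is not read again */
                t->count--;
                (*nrdels)++;
            } else {
                link = &sd->next;
            }
        }
    }
    return 0;
}

/* Shutdown path: release every chain, saving `next` before each free(). */
void ps_destroy_all(ps_table *t) {
    for (unsigned b = 0; b < HASH_SIZE; b++) {
        ps_sd *next;
        for (ps_sd *sd = t->hash[b]; sd; sd = next) {
            next = sd->next;
            free(sd);
        }
        t->hash[b] = NULL;
    }
    t->count = 0;
}

ps_sd *ps_lookup(const ps_table *t, const char *id) {
    for (ps_sd *sd = t->hash[bucket_of(id)]; sd; sd = sd->next)
        if (strcmp(sd->id, id) == 0) return sd;
    return NULL;
}

/* Constructed sample: four sessions, two older than gc_maxlifetime = 1800.
 * `now` is chosen so that limit equals the 1225485826 seen in backtrace #3.
 * Returns deletions * 10 + survivors: 2 deleted, 2 kept -> 22. */
int demo_gc(void) {
    ps_table t = {{0}, 0};
    time_t now = 1225485826 + 1800;
    ps_insert(&t, "sess_a", now - 5000);   /* expired */
    ps_insert(&t, "sess_b", now - 10);     /* live */
    ps_insert(&t, "sess_c", now - 1801);   /* one second past the limit */
    ps_insert(&t, "sess_d", now);          /* live */
    int nrdels = 0;
    ps_gc(&t, now, 1800, &nrdels);
    int survivors = (int)t.count;
    ps_destroy_all(&t);
    return nrdels * 10 + survivors;
}

int main(void) {
    int r = demo_gc();
    printf("deleted=%d survivors=%d\n", r / 10, r % 10);
    return 0;
}
```

The pointer-to-link walk and the saved `next` in the shutdown loop are the two places a list-deleting pass can go wrong; neither protects against a chain that was already corrupted by another process writing to the same shared segment, which is the case the cross-child locking of a shared-memory handler exists to prevent.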