#46434 [Opn]: When session.save_handler=mm session garbage collection causes segfault
ID: 46434
User updated by: charlie dot orford at gmail dot com
Reported By: charlie dot orford at gmail dot com
Status: Open
Bug Type: Session related
Operating System: Debian 4/Etch
PHP Version: 5.2.6

New Comment:

GDB backtrace #3:
===
Core was generated by `/usr/local/apache/bin/httpd -k start'.
Program terminated with signal 11, Segmentation fault.
#0  0x2b121af85f7d in ps_gc_mm (mod_data=, maxlifetime=1800, nrdels=0x7fff911a30bc)
    at /usr/src/lamp/php5.2-200810311530/ext/session/mod_mm.c:422
422         if (sd->ctime < limit) {
(gdb) bt full
#0  0x2b121af85f7d in ps_gc_mm (mod_data=, maxlifetime=1800, nrdels=0x7fff911a30bc)
    at /usr/src/lamp/php5.2-200810311530/ext/session/mod_mm.c:422
        data = (ps_mm *) 0x78b210
        limit = 1225485826
        ohash = (ps_sd **) 0x2b121d6c2060
        ehash = (ps_sd **) 0x2b121d6c3058
        sd = (ps_sd *) 0x7c65707989b73ff3
        next = (ps_sd *) 0x708
#1  0x2b121af82e04 in php_session_start () at /usr/src/lamp/php5.2-200810311530/ext/session/session.c:1344
        nrdels = 0
        ppid = (zval **) 0x2b12199abaa8
        data = (zval **) 0x2b12199ac630
        p = 0x2b12199b28c0 "X,\233\031\022+"
        lensess = 429598912
#2  0x2b121af83689 in zif_session_start (ht=26, return_value=0x7c65707989b73ff3, return_value_ptr=0x2b121b841960, this_ptr=0x2b121a82834a, return_value_used=460575968)
    at /usr/src/lamp/php5.2-200810311530/ext/session/session.c:1824
No locals.
#3  0x2b121b0c7177 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff911a49d0)
    at /usr/src/lamp/php5.2-200810311530/Zend/zend_vm_execute.h:200
        i = 32767
        p = 
        arg_count = 47356836608064
        return_reference = 0 '\0'
        opline = (zend_op *) 0x2b121f6c7930
        original_return_value = 
        current_scope = (zend_class_entry *) 0x0
        current_this = (zval *) 0x0
        return_value_used = 460575968
        should_change_scope = 0 '\0'
#4  0x2b121b0b6fa3 in execute (op_array=0x2b12199b1030) at /usr/src/lamp/php5.2-200810311530/Zend/zend_vm_execute.h:92
        execute_data = {opline = 0x2b121f6c7930, function_state = {function_symbol_table = 0x0, function = 0x746fa0, reserved = {0x2b121b06a12c, 0x2b12199b1138, 0x0, 0x2b12199b1138}}, fbc = 0x0, op_array = 0x2b12199b1030, object = 0x0, Ts = 0x7fff911a3200, CVs = 0x7fff911a31e0, original_in_execution = 1 '\001', symbol_table = 0x2b121b73d668, prev_execute_data = 0x7fff911a60f0, old_error_reporting = 0x0}
#5  0x2b121b0b991f in ZEND_INCLUDE_OR_EVAL_SPEC_CONST_HANDLER (execute_data=0x7fff911a60f0)
    at /usr/src/lamp/php5.2-200810311530/Zend/zend_vm_execute.h:2087
        saved_object = (zval *) 0x0
        saved_function = (zend_function *) 0x2b12199ad2e8
        opline = (zend_op *) 0x2b12199b5308
        new_op_array = (zend_op_array *) 0x2b12199b1030
        original_return_value = (zval **) 0x7fff911a6358
        inc_filename = 
        tmp_inc_filename = {value = {lval = 47356769981664, dval = 2.3397353145946181e-310, str = {val = 0x2b121b73d4e0 "(N\032\221ÿ\177", len = 454017753}, ht = 0x2b121b73d4e0, obj = {handle = 460575968, handlers = 0x2b121b0fc2d9}}, refcount = 0, type = 0 '\0', is_ref = 0 '\0'}
        failure_retval = 224 'à'
#6  0x2b121b0b6fa3 in execute (op_array=0x2b12199ad2e8) at /usr/src/lamp/php5.2-200810311530/Zend/zend_vm_execute.h:92
        execute_data = {opline = 0x2b12199b5308, function_state = {function_symbol_table = 0x0, function = 0x2b12199b1030, reserved = {0x2b121b06a12c, 0x2b12199addb8, 0x0, 0x2b12199addb8}}, fbc = 0x0, op_array = 0x2b12199ad2e8, object = 0x0, Ts = 0x7fff911a4ba0, CVs = 0x7fff911a4b80, original_in_execution = 1 '\001', symbol_table = 0x2b121b73d668, prev_execute_data = 0x7fff911a6390, old_error_reporting = 0x0}
#7  0x2b121b0b991f in ZEND_INCLUDE_OR_EVAL_SPEC_CONST_HANDLER (execute_data=0x7fff911a6390)
    at /usr/src/lamp/php5.2-200810311530/Zend/zend_vm_execute.h:2087
        saved_object = (zval *) 0x0
        saved_function = (zend_function *) 0x2b12199ac848
        opline = (zend_op *) 0x2b12199acf48
        new_op_array = (zend_op_array *) 0x2b12199ad2e8
        original_return_value = (zval **) 0x7fff911a64b0
        inc_filename = 
        tmp_inc_filename = {value = {lval = 3, dval = 1.4821969375237396e-323, str = {val = 0x3 , len = 454017753}, ht = 0x3, obj = {handle = 3, handlers = 0x2b121b0fc2d9}}, refcount = 0, type = 0 '\0', is_ref = 0 '\0'}
        failure_retval = 224 'à'
#8  0x2b121b0b6fa3 in execute (op_array=0x2b12199ac848) at /usr/src/lamp/php5.2-200810311530/Zend/zend_vm_execute.h:92
        execute_data = {opline = 0x2b12199acf48, function_state
ID: 46434
User updated by: charlie dot orford at gmail dot com
Reported By: charlie dot orford at gmail dot com
Status: Open
Bug Type: Reproducible crash
Operating System: Debian 4/Etch
PHP Version: 5.2.6

New Comment:

Forgot to include hardware and kernel version (in case it is helpful):

Linux kernel: 2.6.20.3
Hardware: Dual AMD Opteron 252 with 4GB RAM

Memory status at time of segfault:

#free -m
             total       used       free     shared    buffers     cached
Mem:          3903       3804         99          0        210       1707
-/+ buffers/cache:       1885       2017
Swap:         7632        271       7360

Previous Comments:

[2008-10-31 15:04:49] charlie dot orford at gmail dot com

Description:
When mm is used as session.save_handler, apache child processes begin to segfault shortly after session.gc_maxlifetime is reached. The workaround is to change session.save_handler to "files". This bug is reproducible (for me at least).

Apache version: 2.2.10, compiled from source using:
./configure --prefix=/usr/local/apache --disable-cgi --disable-cgid --disable-charset-lite --disable-env --disable-include --disable-autoindex --disable-asis --disable-negotiation --disable-imagemap --disable-actions --disable-userdir --enable-nonportable-atomics --enable-deflate --enable-proxy-ftp=shared --enable-proxy=shared --enable-proxy-connect=shared --enable-proxy-http=shared --enable-cache=shared --enable-setenvif --enable-expires --enable-headers --enable-rewrite --enable-unique-id --enable-dav=shared --enable-dav-fs=shared --enable-ssl --enable-so --with-ssl=/etc/ssl --with-mpm=prefork --with-dbm=db4 --with-berkeley-db=/usr/include:/usr/lib

httpd -l output:
Compiled in modules:
  core.c
  mod_authn_file.c
  mod_authn_default.c
  mod_authz_host.c
  mod_authz_groupfile.c
  mod_authz_user.c
  mod_authz_default.c
  mod_auth_basic.c
  mod_filter.c
  mod_deflate.c
  mod_log_config.c
  mod_expires.c
  mod_headers.c
  mod_unique_id.c
  mod_setenvif.c
  mod_ssl.c
  prefork.c
  http_core.c
  mod_mime.c
  mod_status.c
  mod_dir.c
  mod_alias.c
  mod_rewrite.c
  mod_so.c

PHP version 5.2.6, compiled from source using:
./configure --disable-ipv6 --disable-short-tags --disable-cgi --enable-versioning --enable-url-includes --enable-sysvshm --enable-sysvsem --enable-ftp --enable-calendar --enable-gd-native-ttf --enable-mbstring --enable-libxml --enable-cli --enable-xml --enable-sockets --with-pdflib=/usr/src/PDFlib-6.0.4-Linux-x86_64/bind/c --with-apxs2=/usr/local/apache/bin/apxs --with-mysql=/usr/local/mysql --with-mysql-sock=/var/run/mysqld/mysqld.sock --with-mm=/usr/local/mm-1.4.2 --with-zlib --with-zlib-dir=/usr/lib/ --with-pear --with-gd --with-freetype-dir=/usr/local/lib/ --with-png-dir=/usr/lib/ --with-jpeg-dir=/usr/lib/ --with-ttf --with-libtiff-dir=/usr/lib/ --with-openssl=/usr

mm-1.4.2, compiled from source using:
./configure --prefix=/usr/local/mm-1.4.2

Reproduce code:
---------------
See: http://pastebin.com/f38b947b

Expected result:
----------------
A session marked for garbage collection should be destroyed by the garbage collector.

Actual result:
--------------
Garbage collection results in an apache child process segfault. I have included two backtraces from two separate child process crashes. Both seem to suggest php-5.2.6/ext/session/mod_mm.c is where the bug resides.

GDB backtrace #1:
===
Core was generated by `/usr/local/apache/bin/httpd -k start'.
Program terminated with signal 11, Segmentation fault.
#0  zm_shutdown_ps_mm (type=, module_number=) at /usr/src/lamp/php-5.2.6/ext/session/mod_mm.c:243
243         next = sd->next;
(gdb) bt full
#0  zm_shutdown_ps_mm (type=, module_number=) at /usr/src/lamp/php-5.2.6/ext/session/mod_mm.c:243
No locals.
#1  0x2b814cef0234 in zm_shutdown_session (type=1, module_number=12) at /usr/src/lamp/php-5.2.6/ext/session/session.c:1983
No locals.
#2  0x2b814d00bea1 in module_destructor (module=0x7460f0) at /usr/src/lamp/php-5.2.6/Zend/zend_API.c:1921
No locals.
#3  0x2b814d012642 in zend_hash_apply_deleter (ht=0x2b814d6ab320, p=0x746090) at /usr/src/lamp/php-5.2.6/Zend/zend_hash.c:611
        retval = 
#4  0x2b814d0128b8 in zend_hash_graceful_reverse_destroy (ht=0x2b814d6ab320) at /usr/src/lamp/php-5.2.6/Zend/zend_hash.c:646
        p = (Bucket *) 0x657469735f666572
#5  0x2b814d008247 in zend_shutdown () at /usr/src/lamp/php-5.2.6/Zend/zend.c:733
No locals.
#6  0x2b814cfc666a in php_module_shutdown () at /usr/src/lamp/php-5.2.6/main/main.c:1888
No locals.
#7  0x2b814cfc6709 in php_module_shutdown_wrapper (sapi_globals=0x1) at /usr/src/lamp/php-5.2.6/main/main.c:1859
No locals.
#8  0x2b814d0898e1 in php_apache_server_shutdown (tmp=)
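Both crash sites sit in the same loop shape: a walk over every bucket chain of the shared-memory session hash that reads `next = sd->next` and then tests `sd->ctime < limit`, where limit = now - maxlifetime. The C model below is an added example written for this page, not PHP's mod_mm.c; the struct layout, bucket count, hash function and sample sessions are assumptions. It shows the read-next-before-destroy ordering the walk relies on and reproduces the page's limit (1225485826 for maxlifetime = 1800 when now = 1225487626). Note that in backtrace #3 the local `sd` is 0x7c65707989b73ff3, which cannot be a mapped user-space address on x86-64, so the chain pointer was already garbage before it was dereferenced; the ordering below protects against use-after-free inside the loop, not against the hash contents themselves being corrupted.

```c
#include <stdlib.h>
#include <time.h>
/* Descriptor modelled on the ps_sd fields in the backtrace; layout assumed. */
typedef struct ps_sd {
    struct ps_sd *next;   /* next descriptor in the same hash bucket */
    time_t ctime;         /* value compared against limit at mod_mm.c:422 */
    const char *key;
} ps_sd;
#define HASH_MAX 7        /* bucket count - 1, chosen for this example */
#define BUCKET(k) ((unsigned char)(k)[0] & HASH_MAX)
typedef struct { ps_sd *hash[HASH_MAX + 1]; } ps_mm;
/* Push a new descriptor onto the front of its bucket chain. */
void ps_sd_new(ps_mm *data, const char *key, time_t ctime) {
    ps_sd *sd = malloc(sizeof *sd);
    sd->key = key; sd->ctime = ctime;
    sd->next = data->hash[BUCKET(key)];
    data->hash[BUCKET(key)] = sd;
}
/* Unlink sd from its chain and free it (the role ps_sd_destroy plays). */
static void ps_sd_destroy(ps_mm *data, ps_sd *sd) {
    ps_sd **pp = &data->hash[BUCKET(sd->key)];
    while (*pp != sd) pp = &(*pp)->next;
    *pp = sd->next;
    free(sd);
}
/* GC walk in the shape of ps_gc_mm: limit = now - maxlifetime, then every
 * bucket chain is walked and stale entries destroyed.  `next` is read before
 * the destroy so the loop never touches freed memory; in the crash that very
 * read faulted because sd already held a non-pointer value. */
int ps_gc_mm(ps_mm *data, long maxlifetime, time_t now) {
    time_t limit = now - maxlifetime;
    ps_sd **ohash, **ehash, *sd, *next;
    int nrdels = 0;
    for (ohash = data->hash, ehash = ohash + HASH_MAX + 1; ohash < ehash; ohash++)
        for (sd = *ohash; sd; sd = next) {
            next = sd->next;
            if (sd->ctime < limit) { ps_sd_destroy(data, sd); nrdels++; }
        }
    return nrdels;
}
/* Count descriptors still reachable through the hash (chain integrity). */
int ps_live(const ps_mm *data) {
    int n = 0;
    for (int b = 0; b <= HASH_MAX; b++)
        for (const ps_sd *sd = data->hash[b]; sd; sd = sd->next) n++;
    return n;
}
```

Build a `ps_mm`, insert sessions with `ps_sd_new`, then call `ps_gc_mm(&data, 1800, now)`; an entry whose ctime equals limit survives, exactly as the `<` at mod_mm.c:422 implies.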