ID:               46434
 Updated by:       [EMAIL PROTECTED]
 Reported By:      charlie dot orford at gmail dot com
-Status:           Open
+Status:           Feedback
 Bug Type:         Reproducible crash
 Operating System: Debian 4/Etch
 PHP Version:      5.2.6
 New Comment:

Please try using this CVS snapshot:

  http://snaps.php.net/php5.2-latest.tar.gz
 
For Windows:

  http://windows.php.net/snapshots/




Previous Comments:
------------------------------------------------------------------------

[2008-10-31 15:10:47] charlie dot orford at gmail dot com

Forgot to include hardware and kernel version (in case it is helpful):

Linux kernel: 2.6.20.3

Hardware: Dual AMD Opteron 252 with 4GB RAM

Memory status at time of segfault:

#free -m
             total       used       free     shared    buffers     cached
Mem:          3903       3804         99          0        210       1707
-/+ buffers/cache:       1885       2017
Swap:         7632        271       7360

------------------------------------------------------------------------

[2008-10-31 15:04:49] charlie dot orford at gmail dot com

Description:
------------
When mm is used as session.save_handler, apache child processes begin
to segfault shortly after session.gc_maxlifetime is reached. The
workaround is to change session.save_handler to "files". This bug is
reproducible (for me at least).


Apache version: 2.2.10, compiled from source using:

./configure --prefix=/usr/local/apache --disable-cgi --disable-cgid
--disable-charset-lite --disable-env --disable-include
--disable-autoindex --disable-asis --disable-negotiation
--disable-imagemap --disable-actions --disable-userdir
--enable-nonportable-atomics --enable-deflate --enable-proxy-ftp=shared
--enable-proxy=shared --enable-proxy-connect=shared
--enable-proxy-http=shared --enable-cache=shared --enable-setenvif
--enable-expires --enable-headers --enable-rewrite --enable-unique-id
--enable-dav=shared --enable-dav-fs=shared --enable-ssl --enable-so
--with-ssl=/etc/ssl --with-mpm=prefork --with-dbm=db4
--with-berkeley-db=/usr/include:/usr/lib


httpd -l output:

Compiled in modules:
  core.c
  mod_authn_file.c
  mod_authn_default.c
  mod_authz_host.c
  mod_authz_groupfile.c
  mod_authz_user.c
  mod_authz_default.c
  mod_auth_basic.c
  mod_filter.c
  mod_deflate.c
  mod_log_config.c
  mod_expires.c
  mod_headers.c
  mod_unique_id.c
  mod_setenvif.c
  mod_ssl.c
  prefork.c
  http_core.c
  mod_mime.c
  mod_status.c
  mod_dir.c
  mod_alias.c
  mod_rewrite.c
  mod_so.c


PHP version 5.2.6, compiled from source using:

./configure --disable-ipv6 --disable-short-tags --disable-cgi
--enable-versioning --enable-url-includes --enable-sysvshm
--enable-sysvsem --enable-ftp --enable-calendar --enable-gd-native-ttf
--enable-mbstring --enable-libxml --enable-cli --enable-xml
--enable-sockets --with-pdflib=/usr/src/PDFlib-6.0.4-Linux-x86_64/bind/c
--with-apxs2=/usr/local/apache/bin/apxs --with-mysql=/usr/local/mysql
--with-mysql-sock=/var/run/mysqld/mysqld.sock
--with-mm=/usr/local/mm-1.4.2 --with-zlib --with-zlib-dir=/usr/lib/
--with-pear --with-gd --with-freetype-dir=/usr/local/lib/
--with-png-dir=/usr/lib/ --with-jpeg-dir=/usr/lib/ --with-ttf
--with-libtiff-dir=/usr/lib/ --with-openssl=/usr


mm-1.4.2, compiled from source using:

./configure --prefix=/usr/local/mm-1.4.2






Reproduce code:
---------------
See: http://pastebin.com/f38b947b

Expected result:
----------------
A session marked for garbage collection should be destroyed by the
garbage collector.

Actual result:
--------------
Garbage collection results in an apache child process segfault. I have
included two backtraces from two separate child process crashes.

Both backtraces end inside php-5.2.6/ext/session/mod_mm.c while
dereferencing a session-data (ps_sd) pointer -- ret->hv in ps_sd_lookup
at line 189 (with ret = 0x490, clearly not a valid pointer) and sd->next
in zm_shutdown_ps_mm at line 243 -- which suggests that file is where the
bug resides.


GDB backtrace #1:
===================================

Core was generated by `/usr/local/apache/bin/httpd -k start'.
Program terminated with signal 11, Segmentation fault.
#0  zm_shutdown_ps_mm (type=<value optimized out>,
    module_number=<value optimized out>)
    at /usr/src/lamp/php-5.2.6/ext/session/mod_mm.c:243
243                             next = sd->next;
(gdb) bt full
#0  zm_shutdown_ps_mm (type=<value optimized out>,
    module_number=<value optimized out>)
    at /usr/src/lamp/php-5.2.6/ext/session/mod_mm.c:243
No locals.
#1  0x00002b814cef0234 in zm_shutdown_session (type=1,
module_number=12)
    at /usr/src/lamp/php-5.2.6/ext/session/session.c:1983
No locals.
#2  0x00002b814d00bea1 in module_destructor (module=0x7460f0)
    at /usr/src/lamp/php-5.2.6/Zend/zend_API.c:1921
No locals.
#3  0x00002b814d012642 in zend_hash_apply_deleter (ht=0x2b814d6ab320,
    p=0x746090) at /usr/src/lamp/php-5.2.6/Zend/zend_hash.c:611
        retval = <value optimized out>
#4  0x00002b814d0128b8 in zend_hash_graceful_reverse_destroy (
    ht=0x2b814d6ab320) at /usr/src/lamp/php-5.2.6/Zend/zend_hash.c:646
        p = (Bucket *) 0x657469735f666572
#5  0x00002b814d008247 in zend_shutdown ()
    at /usr/src/lamp/php-5.2.6/Zend/zend.c:733
No locals.
#6  0x00002b814cfc666a in php_module_shutdown ()
    at /usr/src/lamp/php-5.2.6/main/main.c:1888
No locals.
#7  0x00002b814cfc6709 in php_module_shutdown_wrapper
(sapi_globals=0x1)
---Type <return> to continue, or q <return> to quit---
    at /usr/src/lamp/php-5.2.6/main/main.c:1859
No locals.
#8  0x00002b814d0898e1 in php_apache_server_shutdown (
    tmp=<value optimized out>)
    at /usr/src/lamp/php-5.2.6/sapi/apache2handler/sapi_apache2.c:352
No locals.
#9  0x00002b814c43c62d in run_cleanups (cref=0x5b5158)
    at memory/unix/apr_pools.c:2306
        c = (cleanup_t *) 0x2b814f630058
#10 0x00002b814c43d0b7 in apr_pool_destroy (pool=0x5b5138)
    at memory/unix/apr_pools.c:774
        active = <value optimized out>
        allocator = <value optimized out>
#11 0x00002b814c43d0a5 in apr_pool_destroy (pool=0x5b3128)
    at memory/unix/apr_pools.c:771
        active = <value optimized out>
        allocator = <value optimized out>
#12 0x00000000004296a6 in destroy_and_exit_process (process=0x5b3220,
    process_exit_value=0) at main.c:270
No locals.
#13 0x000000000042a179 in main (argc=3, argv=0x7fff5f238e78) at
main.c:747
        c = 0 '\0'
        configtestonly = 0
---Type <return> to continue, or q <return> to quit---
        confname = 0x47d51f "conf/httpd.conf"
        def_server_root = 0x47d52f "/usr/local/apache"
        temp_error_log = 0x0
        error = <value optimized out>
        process = (process_rec *) 0x5b3220
        server_conf = <value optimized out>
        pglobal = (apr_pool_t *) 0x5b3128
        pconf = (apr_pool_t *) 0x5b5138
        plog = (apr_pool_t *) 0x5f9358
        ptemp = (apr_pool_t *) 0x5c1198
        pcommands = (apr_pool_t *) 0x5b7148
        opt = (apr_getopt_t *) 0x5b7240
        rv = 0
        optarg = 0x2b814c9aa170 "Ô'"
(gdb)



GDB backtrace #2:
===================================

Core was generated by `/usr/local/apache/bin/httpd -k start'.
Program terminated with signal 11, Segmentation fault.
#0  ps_sd_lookup (data=<value optimized out>, key=0x2b814b91d488
"ufc77adjfgtmpfcju2mgiejf20l6bsd5", rw=0) at
/usr/src/lamp/php-5.2.6/ext/session/mod_mm.c:189
189                     if (ret->hv == hv && !strcmp(ret->key, key))
(gdb) bt full
#0  ps_sd_lookup (data=<value optimized out>, key=0x2b814b91d488
"ufc77adjfgtmpfcju2mgiejf20l6bsd5", rw=0) at
/usr/src/lamp/php-5.2.6/ext/session/mod_mm.c:189
        hv = 17287314
        ret = (ps_sd *) 0x490
        prev = (ps_sd *) 0x0
#1  0x00002b814cef68d7 in ps_read_mm (mod_data=<value optimized out>,
key=0x2b814b91d488 "ufc77adjfgtmpfcju2mgiejf20l6bsd5",
val=0x7fff5f2315b0, vallen=0x7fff5f2315cc) at
/usr/src/lamp/php-5.2.6/ext/session/mod_mm.c:334
        data = (ps_mm *) 0x78b1e0
        sd = <value optimized out>
        ret = -1
#2  0x00002b814cef321e in php_session_start () at
/usr/src/lamp/php-5.2.6/ext/session/session.c:844
        value = <value optimized out>
        ppid = (zval **) 0x2b814b91c2c0
        data = (zval **) 0x2b814b91cc58
        p = <value optimized out>
        lensess = <value optimized out>
#3  0x00002b814cef3b69 in zif_session_start (ht=1267848328,
return_value=0x2b814b91d488, return_value_ptr=0x20, this_ptr=0x20,
return_value_used=-16843009) at
/usr/src/lamp/php-5.2.6/ext/session/session.c:1815
No locals.
#4  0x00002b814d037117 in zend_do_fcall_common_helper_SPEC
(execute_data=0x7fff5f232ee0) at
/usr/src/lamp/php-5.2.6/Zend/zend_vm_execute.h:200
        i = 32767
        p = <value optimized out>
        arg_count = 47834416506944
        return_reference = 0 '\0'
        opline = (zend_op *) 0x2b8151676930
        original_return_value = <value optimized out>
        current_scope = (zend_class_entry *) 0x0
        current_this = (zval *) 0x0
        return_value_used = -16843009
        should_change_scope = 0 '\0'
#5  0x00002b814d026f93 in execute (op_array=0x2b814b9232f8) at
/usr/src/lamp/php-5.2.6/Zend/zend_vm_execute.h:92
        execute_data = {opline = 0x2b8151676930, function_state =
{function_symbol_table = 0x0, function = 0x746f70, reserved =
{0x2b814cfda2cc, 0x2b814b920948, 0x0, 0x2b814b920948}}, fbc = 0x0,
op_array = 0x2b814b9232f8, object = 0x0,
  Ts = 0x7fff5f231710, CVs = 0x7fff5f2316f0, original_in_execution = 1
'\001', symbol_table = 0x2b814d6aafc8, prev_execute_data =
0x7fff5f236400, old_error_reporting = 0x0}
#6  0x00002b814d0298e5 in ZEND_INCLUDE_OR_EVAL_SPEC_CONST_HANDLER
(execute_data=0x7fff5f236400) at
/usr/src/lamp/php-5.2.6/Zend/zend_vm_execute.h:2037
        saved_object = (zval *) 0x0
        saved_function = (zend_function *) 0x2b814b91ce70
        opline = (zend_op *) 0x2b815164e4d0
        new_op_array = (zend_op_array *) 0x2b814b9232f8
        original_return_value = (zval **) 0x7fff5f236520
        inc_filename = <value optimized out>
        tmp_inc_filename = {value = {lval = 140734789529624, dval =
6.9532224681285584e-310, str = {val = 0x7fff5f233018 "\200Õ\220K\201+",
len = 1267783040}, ht = 0x7fff5f233018, obj = {handle = 1596141592,
handlers = 0x2b814b90d580}},
  refcount = 0, type = 0 '\0', is_ref = 0 '\0'}
        failure_retval = 255 'ÿ'
#7  0x00002b814d026f93 in execute (op_array=0x2b814b91ce70) at
/usr/src/lamp/php-5.2.6/Zend/zend_vm_execute.h:92
        execute_data = {opline = 0x2b815164e4d0, function_state =
{function_symbol_table = 0x0, function = 0x2b814b9232f8, reserved =
{0x2b814cfda2cc, 0x2b814b91d258, 0x0, 0x2b814b91d258}}, fbc = 0x0,
op_array = 0x2b814b91ce70,
  object = 0x0, Ts = 0x7fff5f233170, CVs = 0x7fff5f233090,
original_in_execution = 0 '\0', symbol_table = 0x2b814d6aafc8,
prev_execute_data = 0x0, old_error_reporting = 0x0}
#8  0x00002b814d007ccd in zend_execute_scripts (type=8, retval=<value
optimized out>, file_count=3) at
/usr/src/lamp/php-5.2.6/Zend/zend.c:1134
        files = {{gp_offset = 40, fp_offset = 0, overflow_arg_area =
0x7fff5f236620, reg_save_area = 0x7fff5f236530}}
        i = 1
        file_handle = (zend_file_handle *) 0x7fff5f2388d0
        orig_op_array = (zend_op_array *) 0x0
        orig_retval_ptr_ptr = (zval **) 0x0
        local_retval = (zval *) 0x0
#9  0x00002b814cfc6508 in php_execute_script
(primary_file=0x7fff5f2388d0) at
/usr/src/lamp/php-5.2.6/main/main.c:2005
        realfile =
"\000\000\000\000\000\000\000\000nQþK\201+\000\000xv#_ÿ\177", '\0'
<repeats 18 times>,
"\200q\210\000\000\000\000\000\020w#_ÿ\177\000\000JNþK\201+\000\000\200q\210\000\000\000\000\000\020w#_ÿ\177\000\000\237\017\000\000\000\000\000\000Û\212\bM\201+\000\000¼\v\000\000\000\000\000\000f'",
'\0' <repeats 15 times>,
"[EMAIL 
PROTECTED]@®jM\201+\000\000\000¨jM\201+\000\000½ðüL\201+\000\000ò\021\000\000\000\000\000\000o
\000\000\000\000\000\000+\036\000\000\000\000\000\000e\"\000\000\000\000\000\000è$\000\000\000"...
        prepend_file_p = (zend_file_handle *) 0x0
        append_file_p = (zend_file_handle *) 0x0
        prepend_file = {type = 0 '\0', filename = 0x0, opened_path =
0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, reader = 0,
closer = 0, fteller = 0, interactive = 0}}, free_filename = 0 '\0'}
        append_file = {type = 0 '\0', filename = 0x0, opened_path =
0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, reader = 0,
closer = 0, fteller = 0, interactive = 0}}, free_filename = 0 '\0'}
        old_cwd = 0x7fff5f236630 "/"
        retval = 0
#10 0x00002b814d08975d in php_handler (r=0x885f38) at
/usr/src/lamp/php-5.2.6/sapi/apache2handler/sapi_apache2.c:629
        __bailout = {{__jmpbuf = {120, 3, 8937272, 6052448, 8912520,
140734789552784, 140734789552112, 47834343182899}, __mask_was_saved = 0,
__saved_mask = {__val = {0, 0, 17179869184, 8937144, 4623373, 8995888,
16, 8937144, 8994104,
        8937144, 8937272, 8871352, 6002672, 8937904, 0, 8937144}}}}
        ctx = (php_struct * volatile) 0x894540
        conf = (void *) 0x604a98
        brigade = (apr_bucket_brigade * volatile) 0x895220
        bucket = <value optimized out>
        rv = <value optimized out>
        parent_req = (request_rec * volatile) 0x0
#11 0x000000000043c179 in ap_run_handler (r=0x885f38) at config.c:157
        n = 3
---Type <return> to continue, or q <return> to quit---
        rv = 32
#12 0x000000000043f25c in ap_invoke_handler (r=0x885f38) at
config.c:372
        handler = 0x65ae80 "application/x-httpd-php"
        result = 0
        old_handler = 0x0
        ignore = <value optimized out>
#13 0x0000000000464598 in ap_process_request (r=0x885f38) at
http_request.c:258
        access_status = 1168
#14 0x0000000000461a3c in ap_process_http_connection (c=0x875db8) at
http_core.c:190
        r = (request_rec *) 0x885f38
        csd = (apr_socket_t *) 0x0
#15 0x0000000000442e11 in ap_run_process_connection (c=0x875db8) at
connection.c:43
        n = 0
        rv = 32
#16 0x00000000004736b6 in child_main (child_num_arg=<value optimized
out>) at prefork.c:650
        numdesc = 1
        pdesc = (const apr_pollfd_t *) 0x873e20
        current_conn = (conn_rec *) 0x875db8
        csd = (void *) 0x875bc8
        ptrans = (apr_pool_t *) 0x875b48
        allocator = (apr_allocator_t *) 0x873a40
        status = <value optimized out>
        i = <value optimized out>
        lr = <value optimized out>
        pollset = (apr_pollset_t *) 0x873d68
        sbh = (ap_sb_handle_t *) 0x873d60
        bucket_alloc = (apr_bucket_alloc_t *) 0x87fe88
        last_poll_idx = 1
#17 0x0000000000473934 in make_child (s=0x5bef68, slot=5) at
prefork.c:746
        pid = 0
#18 0x00000000004741d6 in ap_mpm_run (_pconf=<value optimized out>,
plog=<value optimized out>, s=<value optimized out>) at prefork.c:881
        pidfile = <value optimized out>
        active_children = <value optimized out>
        cutoff = <value optimized out>
        index = <value optimized out>
        remaining_children_to_start = 0
        rv = <value optimized out>
#19 0x000000000042a167 in main (argc=3, argv=0x7fff5f238e78) at
main.c:740
        c = 0 '\0'
        configtestonly = 0
        confname = 0x47d51f "conf/httpd.conf"
        def_server_root = 0x47d52f "/usr/local/apache"
        temp_error_log = 0x0
        error = <value optimized out>
        process = (process_rec *) 0x5b3220
        server_conf = <value optimized out>
        pglobal = (apr_pool_t *) 0x5b3128
        pconf = (apr_pool_t *) 0x5b5138
        plog = (apr_pool_t *) 0x5f9358
        ptemp = (apr_pool_t *) 0x5c1198
        pcommands = (apr_pool_t *) 0x5b7148
        opt = (apr_getopt_t *) 0x5b7240
        rv = 0
        optarg = 0x2b814c9aa170 "Ô'"
(gdb)




------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=46434&edit=1
