From: bugs at timj dot co dot uk
Operating system: Linux
PHP version: 5.2.10
PHP Bug Type: Reproducible crash
Bug description: Using custom session handler causes segfault in session_save_state

Description:
------------
I am seeing segfaults on various pages that don't occur on 5.2.9 (and the same site has been working on many previous versions of 5.1/5.2). I have a session handler using PEAR HTTP_Session2, that saves via MDB2/mysqli to a MySQL database. The segfaults seem to happen during session_save_state. Unfortunately I don't currently have a trivial reproduction scenario, but it does reliably cause a segfault in both 5.2.10 and 5.2SVN-snap200907182030.

I am not a C developer, but after a diligent attempt to search the bugtracker and investigate the bug, I concluded that it was probably a duplicate of bug #48922 and tried to add additional information to that bug, explaining my reasoning, to avoid filing a duplicate (in accordance with http://bugs.php.net/report.php). However, Jani disagrees (see comments in the other bug), so I'm filing a new bug.

Actual result:
--------------
Here's 5.2.10 (crash in version_compare):

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff1ea4d3f in _zend_mm_free_int (heap=0x7ffff8396480, p=0x7ffff8bb7010) at /usr/src/debug/php-5.2.10/Zend/zend_alloc.c:1978
1978	if (ZEND_MM_IS_FREE_BLOCK(next_block)) {
(gdb) bt
#0  0x00007ffff1ea4d3f in _zend_mm_free_int (heap=0x7ffff8396480, p=0x7ffff8bb7010) at /usr/src/debug/php-5.2.10/Zend/zend_alloc.c:1978
#1  0x00007ffff1ea5af4 in _efree (ptr=0x7ffff8bb7010) at /usr/src/debug/php-5.2.10/Zend/zend_alloc.c:2311
#2  0x00007ffff1e3f4ff in php_version_compare (orig_ver1=0x7ffff87b7538 "5.2.10", orig_ver2=0x7ffff8e41ac0 "5.0") at /usr/src/debug/php-5.2.10/ext/standard/versioning.c:202
#3  0x00007ffff1e3f58b in zif_version_compare (ht=3, return_value=0x7ffff87bc458, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1) at /usr/src/debug/php-5.2.10/ext/standard/versioning.c:222
#4  0x00007ffff1ef028d in zend_do_fcall_common_helper_SPEC (execute_data=0x7fffffffac00) at /usr/src/debug/php-5.2.10/Zend/zend_vm_execute.h:200
#5  0x00007ffff1ef4235 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7fffffffac00) at /usr/src/debug/php-5.2.10/Zend/zend_vm_execute.h:1739
#6  0x00007ffff1eefd6f in execute (op_array=0x7ffff8a028c0) at /usr/src/debug/php-5.2.10/Zend/zend_vm_execute.h:92
#7  0x00007ffff1ef043e in zend_do_fcall_common_helper_SPEC (execute_data=0x7fffffffba00) at /usr/src/debug/php-5.2.10/Zend/zend_vm_execute.h:234
#8  0x00007ffff1ef0984 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7fffffffba00) at /usr/src/debug/php-5.2.10/Zend/zend_vm_execute.h:322
#9  0x00007ffff1eefd6f in execute (op_array=0x7ffff8b696e8) at /usr/src/debug/php-5.2.10/Zend/zend_vm_execute.h:92
#10 0x00007ffff1ef043e in zend_do_fcall_common_helper_SPEC (execute_data=0x7fffffffbf60) at /usr/src/debug/php-5.2.10/Zend/zend_vm_execute.h:234
#11 0x00007ffff1ef0984 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7fffffffbf60) at /usr/src/debug/php-5.2.10/Zend/zend_vm_execute.h:322
#12 0x00007ffff1eefd6f in execute (op_array=0x7ffff8b69588) at /usr/src/debug/php-5.2.10/Zend/zend_vm_execute.h:92
#13 0x00007ffff1ef043e in zend_do_fcall_common_helper_SPEC (execute_data=0x7fffffffc2d0) at /usr/src/debug/php-5.2.10/Zend/zend_vm_execute.h:234
#14 0x00007ffff1ef0984 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7fffffffc2d0) at /usr/src/debug/php-5.2.10/Zend/zend_vm_execute.h:322
#15 0x00007ffff1eefd6f in execute (op_array=0x7ffff8b6a728) at /usr/src/debug/php-5.2.10/Zend/zend_vm_execute.h:92
#16 0x00007ffff1ef043e in zend_do_fcall_common_helper_SPEC (execute_data=0x7fffffffd1c0) at /usr/src/debug/php-5.2.10/Zend/zend_vm_execute.h:234
#17 0x00007ffff1ef0984 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7fffffffd1c0) at /usr/src/debug/php-5.2.10/Zend/zend_vm_execute.h:322
#18 0x00007ffff1eefd6f in execute (op_array=0x7ffff8e29300) at /usr/src/debug/php-5.2.10/Zend/zend_vm_execute.h:92
#19 0x00007ffff1eb816b in zend_call_function (fci=0x7fffffffd440, fci_cache=0x0) at /usr/src/debug/php-5.2.10/Zend/zend_execute_API.c:1032
#20 0x00007ffff1eb66d4 in call_user_function_ex (function_table=0x7ffff8396d20, object_pp=0x0, function_name=0x7ffff8e3eea0, retval_ptr_ptr=0x7fffffffd4e8, param_count=2, params=0x7ffff87b7670, no_separation=1, symbol_table=0x0) at /usr/src/debug/php-5.2.10/Zend/zend_execute_API.c:640
#21 0x00007ffff1eb65af in call_user_function (function_table=0x7ffff8396d20, object_pp=0x0, function_name=0x7ffff8e3eea0, retval_ptr=0x7ffff87b7c18, param_count=2, params=0x7fffffffd590) at /usr/src/debug/php-5.2.10/Zend/zend_execute_API.c:613
#22 0x00007ffff1da4785 in ps_call_handler (func=0x7ffff8e3eea0, argc=2, argv=0x7fffffffd590) at /usr/src/debug/php-5.2.10/ext/session/mod_user.c:53
#23 0x00007ffff1da4c2d in ps_write_user (mod_data=0x7ffff221db60, key=0x7ffff8e3f7c0 "59ufo7hqslet38p73jp9na8577", val=0x7ffff8fb1e88 "__HTTP_Session2_Info|i:2;__HTTP_Session2_Idle|i:3600;__HTTP_Session2_Idle_TS|i:1247951369;user_id|s:1:\"6\";audit_user|N;", vallen=119) at /usr/src/debug/php-5.2.10/ext/session/mod_user.c:141
#24 0x00007ffff1d9d8ba in php_session_save_current_state () at /usr/src/debug/php-5.2.10/ext/session/session.c:556
#25 0x00007ffff1da0fbb in php_session_flush () at /usr/src/debug/php-5.2.10/ext/session/session.c:1408
#26 0x00007ffff1da31cc in zm_deactivate_session (type=1, module_number=17) at /usr/src/debug/php-5.2.10/ext/session/session.c:2010
#27 0x00007ffff1ecd24b in module_registry_cleanup (module=0x7ffff83c8550) at /usr/src/debug/php-5.2.10/Zend/zend_API.c:1976
#28 0x00007ffff1ed2ba7 in zend_hash_reverse_apply (ht=0x7ffff2221e20, apply_func=0x7ffff1ecd20c <module_registry_cleanup>) at /usr/src/debug/php-5.2.10/Zend/zend_hash.c:755
#29 0x00007ffff1ec5628 in zend_deactivate_modules () at /usr/src/debug/php-5.2.10/Zend/zend.c:838
#30 0x00007ffff1e6de29 in php_request_shutdown (dummy=0x0) at /usr/src/debug/php-5.2.10/main/main.c:1468
#31 0x00007ffff1f475f9 in php_apache_request_dtor (r=0x7ffff87edb38) at /usr/src/debug/php-5.2.10/sapi/apache2handler/sapi_apache2.c:472
#32 0x00007ffff1f47e6a in php_handler (r=0x7ffff87edb38) at /usr/src/debug/php-5.2.10/sapi/apache2handler/sapi_apache2.c:644
#33 0x00007ffff7fd9600 in ap_run_handler (r=0x7ffff87edb38) at /usr/src/debug/httpd-2.2.11/server/config.c:158
#34 0x00007ffff7fdce98 in ap_invoke_handler (r=0x7ffff87edb38) at /usr/src/debug/httpd-2.2.11/server/config.c:372
#35 0x00007ffff7fe852e in ap_process_request (r=0x7ffff87edb38) at /usr/src/debug/httpd-2.2.11/modules/http/http_request.c:282
#36 0x00007ffff7fe5328 in ap_process_http_connection (c=0x7ffff87e7cf8) at /usr/src/debug/httpd-2.2.11/modules/http/http_core.c:190
#37 0x00007ffff7fe1048 in ap_run_process_connection (c=0x7ffff87e7cf8) at /usr/src/debug/httpd-2.2.11/server/connection.c:43
#38 0x00007ffff7fecf78 in child_main (child_num_arg=<value optimized out>) at /usr/src/debug/httpd-2.2.11/server/mpm/prefork/prefork.c:650
#39 0x00007ffff7fed1f6 in make_child (s=0x7ffff8212f90, slot=0) at /usr/src/debug/httpd-2.2.11/server/mpm/prefork/prefork.c:690
#40 0x00007ffff7fed853 in ap_mpm_run (_pconf=<value optimized out>, plog=<value optimized out>, s=<value optimized out>) at /usr/src/debug/httpd-2.2.11/server/mpm/prefork/prefork.c:966
#41 0x00007ffff7fc56d0 in main (argc=14, argv=0x7fffffffe128) at /usr/src/debug/httpd-2.2.11/server/main.c:740
(gdb) frame 2
#2  0x00007ffff1e3f4ff in php_version_compare (orig_ver1=0x7ffff87b7538 "5.2.10", orig_ver2=0x7ffff8e41ac0 "5.0") at /usr/src/debug/php-5.2.10/ext/standard/versioning.c:202
202	efree(ver1);

The above call appears to have come via version_compare(phpversion(), "5.0", ">=") in MDB2::classExists().

However, running exactly the same page with the 5.2 snapshot from 200907182030 results in apparently the same behaviour (segfault) but in a completely different function:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff1ea373a in _zend_mm_alloc_int (heap=0x7ffff83964a0, size=12) at /usr/src/debug/php5.2-200907182030/Zend/zend_alloc.c:1785
1785	heap->cache[index] = best_fit->prev_free_block;
(gdb) bt
#0  0x00007ffff1ea373a in _zend_mm_alloc_int (heap=0x7ffff83964a0, size=12) at /usr/src/debug/php5.2-200907182030/Zend/zend_alloc.c:1785
#1  0x00007ffff1ea4bbc in _emalloc (size=12) at /usr/src/debug/php5.2-200907182030/Zend/zend_alloc.c:2300
#2  0x00007ffff1ea4d49 in _safe_emalloc (nmemb=3, size=4, offset=0) at /usr/src/debug/php5.2-200907182030/Zend/zend_alloc.c:2391
#3  0x00007ffff1d3d24c in php_pcre_match_impl (pce=0x7ffff8bd8360, subject=0x7ffff8b998a8 "__HTTP_Session2_Info|i:2;__HTTP_Session2_Idle|i:3600;__HTTP_Session2_Idle_TS|i:1247953764;user_id|s:1:\"6\";audit_user|N;", subject_len=119, return_value=0x7ffff87b99f0, subpats=0x0, global=0, use_flags=0, flags=0, start_offset=0) at /usr/src/debug/php5.2-200907182030/ext/pcre/php_pcre.c:603
#4  0x00007ffff1d3cfe8 in php_do_pcre_match (ht=2, return_value=0x7ffff87b99f0, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1, global=0) at /usr/src/debug/php5.2-200907182030/ext/pcre/php_pcre.c:513
#5  0x00007ffff1d3db55 in zif_preg_match (ht=2, return_value=0x7ffff87b99f0, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1) at /usr/src/debug/php5.2-200907182030/ext/pcre/php_pcre.c:762
#6  0x00007ffff1eef409 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fffffffbfe0) at /usr/src/debug/php5.2-200907182030/Zend/zend_vm_execute.h:200
#7  0x00007ffff1ef33b1 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7fffffffbfe0) at /usr/src/debug/php5.2-200907182030/Zend/zend_vm_execute.h:1739
#8  0x00007ffff1eeeeeb in execute (op_array=0x7ffff8ec85a0) at /usr/src/debug/php5.2-200907182030/Zend/zend_vm_execute.h:92
#9  0x00007ffff1eef5ba in zend_do_fcall_common_helper_SPEC (execute_data=0x7fffffffc2d0) at /usr/src/debug/php5.2-200907182030/Zend/zend_vm_execute.h:234
#10 0x00007ffff1eefb00 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7fffffffc2d0) at /usr/src/debug/php5.2-200907182030/Zend/zend_vm_execute.h:322
#11 0x00007ffff1eeeeeb in execute (op_array=0x7ffff8b69d80) at /usr/src/debug/php5.2-200907182030/Zend/zend_vm_execute.h:92
#12 0x00007ffff1eef5ba in zend_do_fcall_common_helper_SPEC (execute_data=0x7fffffffd1c0) at /usr/src/debug/php5.2-200907182030/Zend/zend_vm_execute.h:234
#13 0x00007ffff1eefb00 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7fffffffd1c0) at /usr/src/debug/php5.2-200907182030/Zend/zend_vm_execute.h:322
#14 0x00007ffff1eeeeeb in execute (op_array=0x7ffff8e29508) at /usr/src/debug/php5.2-200907182030/Zend/zend_vm_execute.h:92
#15 0x00007ffff1eb727b in zend_call_function (fci=0x7fffffffd440, fci_cache=0x0) at /usr/src/debug/php5.2-200907182030/Zend/zend_execute_API.c:1032
#16 0x00007ffff1eb57e4 in call_user_function_ex (function_table=0x7ffff8396d40, object_pp=0x0, function_name=0x7ffff8e3f1f0, retval_ptr_ptr=0x7fffffffd4e8, param_count=2, params=0x7ffff87b7850, no_separation=1, symbol_table=0x0) at /usr/src/debug/php5.2-200907182030/Zend/zend_execute_API.c:640
#17 0x00007ffff1eb56bf in call_user_function (function_table=0x7ffff8396d40, object_pp=0x0, function_name=0x7ffff8e3f1f0, retval_ptr=0x7ffff87b75f0, param_count=2, params=0x7fffffffd590) at /usr/src/debug/php5.2-200907182030/Zend/zend_execute_API.c:613
#18 0x00007ffff1da385d in ps_call_handler (func=0x7ffff8e3f1f0, argc=2, argv=0x7fffffffd590) at /usr/src/debug/php5.2-200907182030/ext/session/mod_user.c:53
#19 0x00007ffff1da3d05 in ps_write_user (mod_data=0x7ffff221db20, key=0x7ffff8d8e290 "l41av5sk36mub26qvgm1t61672", val=0x7ffff8fb2470 "__HTTP_Session2_Info|i:2;__HTTP_Session2_Idle|i:3600;__HTTP_Session2_Idle_TS|i:1247953764;user_id|s:1:\"6\";audit_user|N;", vallen=119) at /usr/src/debug/php5.2-200907182030/ext/session/mod_user.c:141
#20 0x00007ffff1d9c98a in php_session_save_current_state () at /usr/src/debug/php5.2-200907182030/ext/session/session.c:556
#21 0x00007ffff1da008b in php_session_flush () at /usr/src/debug/php5.2-200907182030/ext/session/session.c:1408
#22 0x00007ffff1da229c in zm_deactivate_session (type=1, module_number=17) at /usr/src/debug/php5.2-200907182030/ext/session/session.c:2010
#23 0x00007ffff1ecc35b in module_registry_cleanup (module=0x7ffff83c86f0) at /usr/src/debug/php5.2-200907182030/Zend/zend_API.c:1976
#24 0x00007ffff1ed1cb7 in zend_hash_reverse_apply (ht=0x7ffff2221de0, apply_func=0x7ffff1ecc31c <module_registry_cleanup>) at /usr/src/debug/php5.2-200907182030/Zend/zend_hash.c:755
#25 0x00007ffff1ec4738 in zend_deactivate_modules () at /usr/src/debug/php5.2-200907182030/Zend/zend.c:838
#26 0x00007ffff1e6cf1c in php_request_shutdown (dummy=0x0) at /usr/src/debug/php5.2-200907182030/main/main.c:1463
#27 0x00007ffff1f46775 in php_apache_request_dtor (r=0x7ffff87edd18) at /usr/src/debug/php5.2-200907182030/sapi/apache2handler/sapi_apache2.c:472
#28 0x00007ffff1f46fe6 in php_handler (r=0x7ffff87edd18) at /usr/src/debug/php5.2-200907182030/sapi/apache2handler/sapi_apache2.c:644
#29 0x00007ffff7fd9600 in ap_run_handler (r=0x7ffff87edd18) at /usr/src/debug/httpd-2.2.11/server/config.c:158
#30 0x00007ffff7fdce98 in ap_invoke_handler (r=0x7ffff87edd18) at /usr/src/debug/httpd-2.2.11/server/config.c:372
#31 0x00007ffff7fe852e in ap_process_request (r=0x7ffff87edd18) at /usr/src/debug/httpd-2.2.11/modules/http/http_request.c:282
#32 0x00007ffff7fe5328 in ap_process_http_connection (c=0x7ffff87e7ed8) at /usr/src/debug/httpd-2.2.11/modules/http/http_core.c:190
#33 0x00007ffff7fe1048 in ap_run_process_connection (c=0x7ffff87e7ed8) at /usr/src/debug/httpd-2.2.11/server/connection.c:43
#34 0x00007ffff7fecf78 in child_main (child_num_arg=<value optimized out>) at /usr/src/debug/httpd-2.2.11/server/mpm/prefork/prefork.c:650
#35 0x00007ffff7fed1f6 in make_child (s=0x7ffff8212f90, slot=0) at /usr/src/debug/httpd-2.2.11/server/mpm/prefork/prefork.c:690
#36 0x00007ffff7fed853 in ap_mpm_run (_pconf=<value optimized out>, plog=<value optimized out>, s=<value optimized out>) at /usr/src/debug/httpd-2.2.11/server/mpm/prefork/prefork.c:966
#37 0x00007ffff7fc56d0 in main (argc=14, argv=0x7fffffffe128) at /usr/src/debug/httpd-2.2.11/server/main.c:740
(gdb) frame 3
#3  0x00007ffff1d3d24c in php_pcre_match_impl (pce=0x7ffff8bd8360, subject=0x7ffff8b998a8 "__HTTP_Session2_Info|i:2;__HTTP_Session2_Idle|i:3600;__HTTP_Session2_Idle_TS|i:1247953764;user_id|s:1:\"6\";audit_user|N;", subject_len=119, return_value=0x7ffff87b99f0, subpats=0x0, global=0, use_flags=0, flags=0, start_offset=0) at /usr/src/debug/php5.2-200907182030/ext/pcre/php_pcre.c:603
603	offsets = (int *)safe_emalloc(size_offsets, sizeof(int), 0);

-- 
Edit bug report at http://bugs.php.net/?id=49098&edit=1
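Both backtraces show the user write callback being invoked from zm_deactivate_session during request shutdown, and the crash landing inside the Zend allocator while the callback calls version_compare() or preg_match(). The following narrowing harness is an added example, not code from the bug report, PEAR HTTP_Session2 or MDB2: it swaps the database-backed handler for plain functions whose write callback performs those same two calls on a payload shaped like the one in the trace, and lets the write run either during shutdown (as in the backtrace) or earlier via session_write_close(). It assumes PHP 5.2 with ext/session; the hs_ names and the payload are constructed.

```php
<?php
// Added harness (not from the bug report, HTTP_Session2 or MDB2): a minimal
// custom session handler whose write callback repeats the two calls seen in
// the crashing frames. Names prefixed hs_ are hypothetical.
$store = array();   // in-memory stand-in for the MySQL session table

function hs_trace($msg)
{
    // error_log() is usable even after userland objects have been destroyed,
    // which is the state the write handler runs in during request shutdown.
    error_log('[session-harness] ' . $msg);
}
function hs_open($save_path, $name) { hs_trace('open');  return true; }
function hs_close()                 { hs_trace('close'); return true; }
function hs_gc($maxlifetime)        { hs_trace('gc');    return true; }
function hs_destroy($id)            { unset($GLOBALS['store'][$id]); return true; }
function hs_read($id)
{
    hs_trace('read ' . $id);
    return isset($GLOBALS['store'][$id]) ? $GLOBALS['store'][$id] : '';
}
function hs_write($id, $data)
{
    hs_trace('write ' . $id . ' (' . strlen($data) . ' bytes)');
    // Frame #2 of the 5.2.10 trace: version_compare() inside the handler.
    $ok = version_compare(phpversion(), '5.0', '>=');
    // Frame #3 of the snapshot trace: preg_match() over the session payload.
    $hit = preg_match('/__HTTP_Session2_Idle\|i:(\d+);/', $data, $m);
    hs_trace('checks done: version_ok=' . (int) $ok . ' idle=' . ($hit ? $m[1] : 'n/a'));
    $GLOBALS['store'][$id] = $data;
    return true;
}

session_set_save_handler('hs_open', 'hs_close', 'hs_read', 'hs_write', 'hs_destroy', 'hs_gc');
session_start();

// Constructed payload with the same keys as the serialized data in the trace.
$_SESSION['__HTTP_Session2_Info']    = 2;
$_SESSION['__HTTP_Session2_Idle']    = 3600;
$_SESSION['__HTTP_Session2_Idle_TS'] = time();
$_SESSION['user_id']                 = '6';
$_SESSION['audit_user']              = null;

if (isset($_GET['early'])) {
    session_write_close();   // Variant A: flush while all script state is still alive
}
// Variant B (default): the engine flushes in RSHUTDOWN, via the path in the trace.
```

If the harness only faults without ?early=1, the handler depends on state that is torn down before module shutdown and calling session_write_close() at the end of every request is the workaround to try; if it faults in both runs with the database layer removed, the fault lies in the engine calls themselves and this script is the trivial reproducer the report lacks.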