Bug #51319 [Com]: apache process sigsegv (double free or corruption (fasttop))

2010-10-20 Thread gms8994 at gmail dot com
Edit report at http://bugs.php.net/bug.php?id=51319&edit=1

 ID:               51319
 Comment by:       gms8994 at gmail dot com
 Reported by:      idsl at cc dot com dot pl
 Summary:          apache process sigsegv (double free or corruption (fasttop))
 Status:           Open
 Type:             Bug
 Package:          Apache related
 Operating System: Redhat 4U4
 PHP Version:      5.2.13
 Block user comment: N

 New Comment:

For What It's Worth:

I recompiled PHP on 2 of the boxes exhibiting the problem for me to
include --enable-debug, and the problem has not manifested itself since.
Heisenberg in the house?


Previous Comments:

[2010-09-04 10:19:41] hossy421 at yahoo dot co dot jp

This is the same problem that I reported before.

apache2handler doesn't have the handler of blocking signals.

Please test the patch attached to my report.

ref. http://bugs.php.net/bug.php?id=47768


[2010-07-23 14:16:41] php-lover at bobmail dot info

The following script could be useful in reproducing the issue:



The problem is caused by the zend_timeout() signal handler; PHP is now
doing unsafe operations inside it, like calling free/malloc. A possible
fix is delaying the zend_timeout call.


[2010-03-18 08:35:49] idsl at cc dot com dot pl

Description:

Hello.

We have this problem with 5.2.12 and still with 5.2.13.

In very random situations the apache process sigsegvs with this in the
error log:

*** glibc detected *** double free or corruption (fasttop): 0x88aa9300 ***
[Thu Mar 18 06:22:06 2010] [notice] seg fault or similar nasty error detected in the parent process
[Thu Mar 18 06:22:07 2010] [notice] child pid 1107 exit signal Segmentation fault (11), possible coredump in /tmp

gdb shows this:

(gdb) backtrace
#0  0x0013a2c2 in abort () from /lib/tls/libc.so.6
#1  0x0016c4ea in __libc_message () from /lib/tls/libc.so.6
#2  0x00172c6f in _int_free () from /lib/tls/libc.so.6
#3  0x00172fea in free () from /lib/tls/libc.so.6
#4  0x01287c44 in php_error_cb (type=1, error_filename=0xc36f894 "theme.php(10) : eval()'d code",
    error_lineno=9, format=0x1570b84 "Maximum execution time of %d second%s exceeded",
    args=0xa0f6195c "\036") at /tmp/php-5.2.13/main/main.c:836
#5  0x012c8b2a in zend_error (type=1,
    format=0x1570b84 "Maximum execution time of %d second%s exceeded")
    at /tmp/php-5.2.13/Zend/zend.c:976
#6  0x012bd76d in zend_timeout (dummy=27) at /tmp/php-5.2.13/Zend/zend_execute_API.c:1347
#7
#8  0x00175030 in malloc () from /lib/tls/libc.so.6
#9  0x00179cd0 in strdup () from /lib/tls/libc.so.6
#10 0x012879e7 in php_error_cb (type=2, error_filename=0xc36f894 "theme.php(10) : eval()'d code",
    error_lineno=9, format=0x15723f4 "%s%s%s(): supplied argument is not a valid %s resource",
    args=0xa0f61d48 "ŃKT\001ŃKT\001OjT\001FŽU\001x\035ö \001") at /tmp/php-5.2.13/main/main.c:845

Lines of code from the backtrace are:

833     /* store the error if it has changed */
834     if (display) {
835         if (PG(last_error_message)) {
836             free(PG(last_error_message));
837         }
838         if (PG(last_error_file)) {
839             free(PG(last_error_file));
840         }
841         if (!error_filename) {
842             error_filename = "Unknown";
843         }
844         PG(last_error_type) = type;
845         PG(last_error_message) = strdup(buffer);
846         PG(last_error_file) = strdup(error_filename);
847         PG(last_error_lineno) = error_lineno;

Test script:
---
It's independent from scripts.

For the last 12h on over 3mln requests we have only 15 such errors.

Expected result:

We expected not to receive sigsegv's for apache.

-- 
Edit this bug report at http://bugs.php.net/bug.php?id=51319&edit=1


Bug #51319 [Com]: apache process sigsegv (double free or corruption (fasttop))

2010-09-04 Thread hossy421 at yahoo dot co dot jp
Edit report at http://bugs.php.net/bug.php?id=51319&edit=1

 ID:               51319
 Comment by:       hossy421 at yahoo dot co dot jp
 Reported by:      idsl at cc dot com dot pl
 Summary:          apache process sigsegv (double free or corruption (fasttop))
 Status:           Open
 Type:             Bug
 Package:          Apache related
 Operating System: Redhat 4U4
 PHP Version:      5.2.13
 Block user comment: N

 New Comment:

This is the same problem that I reported before.

apache2handler doesn't have the handler of blocking signals.

Please test the patch attached to my report.

ref. http://bugs.php.net/bug.php?id=47768


-- 
Edit this bug report at http://bugs.php.net/bug.php?id=51319&edit=1


Bug #51319 [Com]: apache process sigsegv (double free or corruption (fasttop))

2010-07-23 Thread php-lover at bobmail dot info
Edit report at http://bugs.php.net/bug.php?id=51319&edit=1

 ID:   51319
 Comment by:   php-lover at bobmail dot info
 Reported by:  idsl at cc dot com dot pl
 Summary:  apache process sigsegv (double free or corruption
   (fasttop))
 Status:   Open
 Type: Bug
 Package:  Apache related
 Operating System: Redhat 4U4
 PHP Version:  5.2.13

 New Comment:

The following script could be useful in reproducing the issue:



The problem is caused by the zend_timeout() signal handler; PHP is now
doing unsafe operations inside it, like calling free/malloc. A possible
fix is delaying the zend_timeout call.


-- 
Edit this bug report at http://bugs.php.net/bug.php?id=51319&edit=1
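
Added example (not from the bug report or the PHP source): a C illustration of the two mitigations named in the comments above, deferring the timeout work out of the signal handler and blocking the signal around the free()/strdup() update seen in frames #3 and #9. The names record_error, check_timeout and run_request are hypothetical, SIGALRM stands in for the execution-time timer, and raise() is a constructed way to make the timer "fire" mid-update.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdlib.h>
#include <string.h>

static char *last_error_message;         /* stand-in for PG(last_error_message) */
static volatile sig_atomic_t timed_out;  /* the only state the handler touches */

/* Async-signal-safe handler: note the timeout, do the real work later. */
static void on_timeout(int signo) { (void)signo; timed_out = 1; }

/* free()/strdup() are not async-signal-safe, so SIGALRM is blocked while the
 * global is updated. fire_inside simulates the timer expiring mid-update.
 * Returns the value of timed_out observed inside the critical section. */
int record_error(const char *msg, int fire_inside)
{
    sigset_t block, old;
    sigemptyset(&block); sigaddset(&block, SIGALRM);
    sigprocmask(SIG_BLOCK, &block, &old);
    free(last_error_message);
    if (fire_inside) raise(SIGALRM);       /* stays pending, handler not run */
    int seen = timed_out;
    last_error_message = strdup(msg);
    sigprocmask(SIG_SETMASK, &old, NULL);  /* pending SIGALRM delivered here */
    return seen;
}

/* Safe point between units of work: act on a deferred timeout. */
int check_timeout(void)
{
    if (!timed_out) return 0;
    timed_out = 0;
    record_error("Maximum execution time exceeded", 0);
    return 1;
}

/* Constructed request loop: the timer fires during unit fire_at. Returns the
 * number of units run before the timeout was acted on, or -1 on failure. */
int run_request(int units, int fire_at)
{
    struct sigaction sa = { .sa_handler = on_timeout };
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGALRM, &sa, NULL) != 0) return -1;
    timed_out = 0;
    for (int i = 0; i < units; i++) {
        if (record_error("not a valid resource", i == fire_at)) return -1;
        if (check_timeout()) return i + 1;
    }
    return units;
}
```

With the signal blocked, the handler can never run between free() and strdup(), so the free-inside-malloc nesting shown in the backtrace cannot occur.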