ID: 31749
User updated by: phpbug2 at mailinator dot com
Reported By: phpbug2 at mailinator dot com
-Status: Feedback
+Status: Open
Bug Type: Scripting Engine problem
Operating System: Linux 2.4.28, 2.4.21-SMP
PHP Version: 5.0.3, 4.3.10
New Comment:
Hi,
Unfortunately that snapshot did not fix the problem. The child
processes still deadlock.
#0 0x401c10a4 in __pthread_sigsuspend () from
/lib/i686/libpthread.so.0
#1 0x401c0a58 in __pthread_wait_for_restart_signal () from
/lib/i686/libpthread.so.0
#2 0x401c2600 in __pthread_alt_lock () from /lib/i686/libpthread.so.0
#3 0x401bf2e7 in pthread_mutex_lock () from /lib/i686/libpthread.so.0
#4 0x4027caba in free () from /lib/i686/libc.so.6
#5 0x4043d9b8 in shutdown_scanner () at
Zend/zend_language_scanner.c:2881
#6 0x40450aa5 in zend_deactivate () at
/home/r1ch/php4-STABLE-200502171330/Zend/zend.c:689
#7 0x40427d46 in php_request_shutdown (dummy=0x0) at
/home/r1ch/php4-STABLE-200502171330/main/main.c:997
#8 0x404639c7 in php_handler (r=0x81a9628) at
/home/r1ch/php4-STABLE-200502171330/sapi/apache2handler/sapi_apache2.c:567
#9 0x08089d35 in ap_run_handler (r=0x81a9628) at config.c:152
#10 0x0808a340 in ap_invoke_handler (r=0x81a9628) at config.c:364
#11 0x0806eefa in ap_process_request (r=0x81a9628) at
http_request.c:249
#12 0x0806a38d in ap_process_http_connection (c=0x819f418) at
http_core.c:251
#13 0x08094ec5 in ap_run_process_connection (c=0x819f418) at
connection.c:43
#14 0x08088334 in child_main (child_num_arg=-4) at prefork.c:610
#15 0x08088487 in make_child (s=0x401c8398, slot=0) at prefork.c:704
#16 0x080885a8 in startup_children (number_to_start=5) at
prefork.c:722
#17 0x08088e1a in ap_mpm_run (_pconf=0x80cb818, plog=0x81038f8,
s=0x80d0168) at prefork.c:941
#18 0x0808f36d in main (argc=3, argv=0xbffff284) at main.c:618
This backtrace is from a separate Apache 2 server (prefork) since I
cannot test a PHP4 on my production server as it may break a number of
PHP5 features I am using. However it still shows that the libc mutexes
are not getting released, this time in the free() call. A few
additional runs also reveal the gmtime() mutex as the earlier reports
show:
(gdb) bt
#0 0x401c10a4 in __pthread_sigsuspend () from
/lib/i686/libpthread.so.0
#1 0x401c0a58 in __pthread_wait_for_restart_signal () from
/lib/i686/libpthread.so.0
#2 0x401c2600 in __pthread_alt_lock () from /lib/i686/libpthread.so.0
#3 0x401bf2e7 in pthread_mutex_lock () from /lib/i686/libpthread.so.0
#4 0x402a0c05 in __tz_convert () from /lib/i686/libc.so.6
#5 0x4029ed5e in gmtime_r () from /lib/i686/libc.so.6
#6 0x40136f47 in explode_time (xt=0xbfffeb70, t=1108654539401728,
offset=0, use_localtime=0) at time.c:91
#7 0x40136f82 in apr_time_exp_tz (result=0xbfffeb70,
input=4619712010928521212, offs=0) at time.c:114
#8 0x40136fd3 in apr_time_exp_gmt (result=0xfffffffc,
input=4619712010928521212) at time.c:122
#9 0x080947d4 in cached_explode (xt=0xbfffeb70, t=1108654262423791,
cache=0xfffffffc, use_gmt=1) at util_time.c:117
#10 0x08094891 in ap_explode_recent_gmt (tm=0xfffffffc,
t=4619712010928521212) at util_time.c:143
#11 0x08094a95 in ap_recent_rfc822_date (date_str=0x81a7018 "",
t=4619712010928521212) at util_time.c:200
#12 0x0806c1a0 in basic_http_header (r=0x81a5618, bb=0x81a6ff8,
protocol=0xfffffffc <Address 0xfffffffc out of bounds>)
at http_protocol.c:1248
#13 0x0806ca90 in ap_http_header_filter (f=0x81a6298, b=0x81a6f78) at
http_protocol.c:1642
#14 0x080978b1 in ap_pass_brigade (next=0x401c8398, bb=0x8) at
util_filter.c:512
#15 0x08099fef in ap_content_length_filter (f=0x81a6280, b=0x81a6f78)
at protocol.c:1232
#16 0x080978b1 in ap_pass_brigade (next=0x401c8398, bb=0x8) at
util_filter.c:512
#17 0x0806e6b5 in ap_byterange_filter (f=0x81a6268, bb=0x81a6f78) at
http_protocol.c:3031
#18 0x080978b1 in ap_pass_brigade (next=0x401c8398, bb=0x8) at
util_filter.c:512
#19 0x080978b1 in ap_pass_brigade (next=0x401c8398, bb=0x8) at
util_filter.c:512
#20 0x40463a19 in php_handler (r=0x81a5618) at
/home/r1ch/php4-STABLE-200502171330/sapi/apache2handler/sapi_apache2.c:572
#21 0x08089d35 in ap_run_handler (r=0x81a5618) at config.c:152
#22 0x0808a340 in ap_invoke_handler (r=0x81a5618) at config.c:364
#23 0x0806eefa in ap_process_request (r=0x81a5618) at
http_request.c:249
#24 0x0806a38d in ap_process_http_connection (c=0x819f418) at
http_core.c:251
#25 0x08094ec5 in ap_run_process_connection (c=0x819f418) at
connection.c:43
#26 0x08088334 in child_main (child_num_arg=-4) at prefork.c:610
#27 0x08088487 in make_child (s=0x401c8398, slot=5) at prefork.c:704
#28 0x08088719 in perform_idle_server_maintenance (p=0x80cb818) at
prefork.c:839
#29 0x08088e05 in ap_mpm_run (_pconf=0x0, plog=0x81038f8, s=0x3bc) at
prefork.c:1040
#30 0x0808f36d in main (argc=3, argv=0xbffff284) at main.c:618
Please let me know if you need any additional information.
Previous Comments:
------------------------------------------------------------------------
[2005-02-17 13:44:27] [EMAIL PROTECTED]
Please try using this CVS snapshot:
http://snaps.php.net/php4-STABLE-latest.tar.gz
For Windows:
http://snaps.php.net/win32/php4-win32-STABLE-latest.zip
------------------------------------------------------------------------
[2005-02-07 11:01:26] phpbug2 at mailinator dot com
Reproduced on PHP 4.3.10 with Apache 2 prefork on 2.4.21-4.0.1.ELsmp
#1. Updated summary with clearer description of the problem and I
believe this applies to the Zend Engine rather than the Scripting
Engine.
------------------------------------------------------------------------
[2005-02-03 12:10:41] phpbug2 at mailinator dot com
I believe this is the buggy code. It is setting a signal handler for
SIGPROF that immediately dumps a timeout error message when the signal
is received. However if the signal is delivered whilst PHP is
processing a libc call to time(), a pthread mutex within libc is not
released, causing a deadlock when Apache tries to call time() for the
output.
A fix would be to have PHP set some flag such as "processing time
exceeded" for the request and to then abort the request at the next
available opporunity from within PHP instead of jumping out and leaving
libc in a potentially unstable or dangerous state. Obviously this
reduces the effectiveness of the maximum execution timeout as a
blocking libc call could cause the timeout to be greatly exceeded, but
I see no other safe way of handling this without leaving libc in a
potentially dangerous state. Perhaps two signals could be used, the
first one to break execution if possible at the next available
opportunity and then the current "hard" break if no response within 15
seconds or something.
ZEND_API void zend_timeout(int dummy)
{
TSRMLS_FETCH();
if (zend_on_timeout) {
zend_on_timeout(EG(timeout_seconds) TSRMLS_CC);
}
zend_error(E_ERROR, "Maximum execution time of %d second%s
exceeded",
EG(timeout_seconds), EG(timeout_seconds) == 1
? "" : "s");
}
...
t_r.it_value.tv_sec = seconds;
t_r.it_value.tv_usec = t_r.it_interval.tv_sec =
t_r.it_interval.tv_usec = 0;
setitimer(ITIMER_PROF, &t_r, NULL);
signal(SIGPROF, zend_timeout);
sigemptyset(&sigset);
sigaddset(&sigset, SIGPROF);
sigprocmask(SIG_UNBLOCK, &sigset, NULL);
}
------------------------------------------------------------------------
[2005-01-30 07:01:56] phpbug2 at mailinator dot com
Test case, this almost 100% guarantees a deadlock for me with the
following BT:
(gdb) bt
#0 0x001cf666 in sigsuspend () from /lib/libc.so.6
#1 0x00d0bc28 in __pthread_wait_for_restart_signal () from
/lib/libpthread.so.0
#2 0x00d0def0 in __pthread_alt_lock () from /lib/libpthread.so.0
#3 0x00d0a170 in pthread_mutex_lock () from /lib/libpthread.so.0
#4 0x0023f125 in __tz_convert () from /lib/libc.so.6
#5 0x0023d2a1 in gmtime () from /lib/libc.so.6
#6 0x080801fa in ap_gm_timestr_822 (p=0xfffffffc, sec=1107064749) at
util.c:153
#7 0x0807b7ac in ap_basic_http_header (r=0x2dd1c0) at
http_protocol.c:1585
#8 0x0807b938 in ap_send_http_header (r=0x819ca44) at
http_protocol.c:1852
#9 0x00a74337 in sapi_apache_send_headers (sapi_headers=0xbb0fd8) at
/root/php5cvs/php-src/sapi/apache/mod_php5.c:217
#10 0x009b9923 in sapi_send_headers () at
/root/php5cvs/php-src/main/SAPI.c:760
#11 0x0096741a in php_header () at
/root/php5cvs/php-src/ext/standard/head.c:54
#12 0x009c0764 in php_ub_body_write (str=0xfffffffc <Address 0xfffffffc
out of bounds>, str_length=4294967292)
at /root/php5cvs/php-src/main/output.c:707
#13 0x009bfac6 in php_end_ob_buffer (send_buffer=1 '\001', just_flush=0
'\0') at /root/php5cvs/php-src/main/output.c:297
#14 0x009bfd13 in php_end_ob_buffers (send_buffer=252 'ü') at
/root/php5cvs/php-src/main/output.c:336
#15 0x009b3021 in php_request_shutdown (dummy=0x0) at
/root/php5cvs/php-src/main/main.c:1183
#16 0x00a74112 in apache_php_module_main (r=0x819ca44,
display_source_mode=0)
at /root/php5cvs/php-src/sapi/apache/sapi_apache.c:60
#17 0x00a7490a in send_php (r=0x819ca44, display_source_mode=0,
filename=0x0)
at /root/php5cvs/php-src/sapi/apache/mod_php5.c:631
#18 0x00a74bd7 in send_parsed_php (r=0x819ca44) at
/root/php5cvs/php-src/sapi/apache/mod_php5.c:646
#19 0x0806c842 in ap_invoke_handler (r=0x819ca44) at http_config.c:475
#20 0x0807edb3 in process_request_internal (r=0x819ca44) at
http_request.c:1298
#21 0x0807ef27 in ap_process_request (r=0x819ca44) at
http_request.c:1314
#22 0x080762d0 in child_main (child_num_arg=-1073743648) at
http_main.c:4786
#23 0x08076644 in make_child (s=0x80a929c, slot=4, now=0) at
http_main.c:4956
#24 0x08076704 in startup_children (number_to_start=8) at
http_main.c:4983
#25 0x08077819 in standalone_main (argc=-4, argv=0x0) at
http_main.c:5315
#26 0x080789a7 in main (argc=1, argv=0xbffffed4) at http_main.c:5657
<?php
set_time_limit (10);
header ('Content-Type: text/plain');
while (TRUE)
{
$date = date ('Y');
$time = time ();
$time += time();
$foo = localtime();
$then = date("M-d-Y", mktime(0, 0, 0, 12, 32, 1997));
$something = gmdate("M d Y H:i:s", mktime(0, 0, 0, 1,
1, 1998));
if (time() != $oldtime)
{
$oldtime = time();
print "$foo $date $time $then $something\n";
}
}
?>
------------------------------------------------------------------------
[2005-01-29 01:57:58] phpbug2 at mailinator dot com
Description:
------------
A certain script (phpWebSite) a client of mine is running causes the
Apache child to deadlock after processing is complete. The output is
sent to the client however so to a normal visitor it appears to be
working fine, but on the server a child deadlocks with every hit to the
script.
Srv PID Acc M CPU SS Req Conn Child Slot
Client VHost Request
26-0 24911 1/75/75 W 1.29 15390 0 0.3 0.73 0.73
66.249.xxx.xxx xxxxxxxx.xxx GET
/index.php?module=calendar&calendar%5Bview%5D=month&mo
The request sticks in the "W"riting state until Apache is hupped at
which point it moves to "G"racefully finishing and will remain in that
state indefinitely. Closing Apache results in a "Child xxxx did not
cleanly exit, sending SIGKILL" message in the error_log. No errors are
logged prior to the child deadlocking. The hit that causes the deadlock
does NOT get logged to the Apache access_log.
php.ini is pretty much the stock 5.0.3-recommended. No 3rd party
modules such as Zend or Turck are present. Configure string:
'./configure' '--with-imap=/usr' '--with-expat-dir=/usr'
'--enable-sockets' '--with-zlib-dir=/usr' '--with-mysql=/usr'
'--with-mysql-sock=/var/lib/mysql/mysql.sock' '--with-mcrypt=/usr'
'--with-jpeg-dir=/usr' '--with-png-dir=/usr' '--with-freetype-dir=/usr'
'--with-gettext=/usr' '--enable-dba' '--with-db4=/usr'
'--with-gdbm=/usr' '--with-curl=/usr' '--enable-exif' '--with-ttf=/usr'
'--with-apxs=/www/bin/apxs' '--disable-cgi' '--disable-ipv6'
'--enable-gd-native-ttf' '--enable-calendar' '--with-zlib=/usr'
'--with-gd' '--with-gettext' '--disable-posix'
'--with-pgsql=/usr/local/pgsql' '--enable-memory-limit'
'--with-pspell=/usr' '--with-mysqli' '--with-mm' '--with-xsl'
None of the binaries are built with -g which I am afraid seems to limit
the debugging output. -fomit-frame-pointer however is NOT used. Please
inform if this is a problem and I will rebuild.
Reproduce code:
---------------
phpWebSite
http://phpwebsite.appstate.edu/
The "calendar" module seems to be the one that causes it, however I am
unsure as to whether any events need to be added in certain places etc
as the calendar is not maintained by myself.
I believe the phpWebSite script needed a few minor changes in order to
conform to the new OO model in PHP5. If you require an exact copy of
the installed version and/or data please let me know and I will ask my
client.
Expected result:
----------------
Not to deadlock.
Actual result:
--------------
#0 0x001cf666 in sigsuspend () from /lib/libc.so.6
#1 0x00c50c28 in __pthread_wait_for_restart_signal () from
/lib/libpthread.so.0
#2 0x00c52ef0 in __pthread_alt_lock () from /lib/libpthread.so.0
#3 0x00c4f170 in pthread_mutex_lock () from /lib/libpthread.so.0
#4 0x00219fda in free () from /lib/libc.so.6
#5 0x008844f9 in php_error_cb () from /www/libexec/libphp5.so
#6 0x008c2724 in zend_error () from /www/libexec/libphp5.so
#7 0x008b8476 in zend_timeout () from /www/libexec/libphp5.so
#8 0x00c54d0d in __pthread_sighandler () from /lib/libpthread.so.0
#9 <signal handler called>
#10 0x00c530f1 in __pthread_alt_unlock () from /lib/libpthread.so.0
#11 0x00c4f42e in pthread_mutex_unlock () from /lib/libpthread.so.0
#12 0x00219fd3 in free () from /lib/libc.so.6
#13 0x0023fcbd in __tzfile_read () from /lib/libc.so.6
#14 0x0023e3ac in tzset_internal () from /lib/libc.so.6
#15 0x0023ef08 in tzset () from /lib/libc.so.6
#16 0x0081b65f in php_putenv_destructor () from
/www/libexec/libphp5.so
#17 0x008c93b4 in zend_hash_del_key_or_index () from
/www/libexec/libphp5.so
#18 0x0081c828 in zif_putenv () from /www/libexec/libphp5.so
#19 0x008f951c in zend_do_fcall_common_helper () from
/www/libexec/libphp5.so
#20 0x008f9851 in zend_do_fcall_handler () from
/www/libexec/libphp5.so
#21 0x008e76ec in execute () from /www/libexec/libphp5.so
#22 0x008f8fe3 in zend_do_fcall_common_helper () from
/www/libexec/libphp5.so
#23 0x008f972f in zend_do_fcall_by_name_handler () from
/www/libexec/libphp5.so
#24 0x008e76ec in execute () from /www/libexec/libphp5.so
#25 0x008f8fe3 in zend_do_fcall_common_helper () from
/www/libexec/libphp5.so
#26 0x008f972f in zend_do_fcall_by_name_handler () from
/www/libexec/libphp5.so
#27 0x008e76ec in execute () from /www/libexec/libphp5.so
#28 0x008f8fe3 in zend_do_fcall_common_helper () from
/www/libexec/libphp5.so
#29 0x008f972f in zend_do_fcall_by_name_handler () from
/www/libexec/libphp5.so
#30 0x008e76ec in execute () from /www/libexec/libphp5.so
#31 0x008f8fe3 in zend_do_fcall_common_helper () from
/www/libexec/libphp5.so
#32 0x008f972f in zend_do_fcall_by_name_handler () from
/www/libexec/libphp5.so
#33 0x008e76ec in execute () from /www/libexec/libphp5.so
#34 0x008f8fe3 in zend_do_fcall_common_helper () from
/www/libexec/libphp5.so
#35 0x008f972f in zend_do_fcall_by_name_handler () from
/www/libexec/libphp5.so
#36 0x008e76ec in execute () from /www/libexec/libphp5.so
#37 0x008f8fe3 in zend_do_fcall_common_helper () from
/www/libexec/libphp5.so
#38 0x008f972f in zend_do_fcall_by_name_handler () from
/www/libexec/libphp5.so
#39 0x008e76ec in execute () from /www/libexec/libphp5.so
#40 0x008f8fe3 in zend_do_fcall_common_helper () from
/www/libexec/libphp5.so
#41 0x008f972f in zend_do_fcall_by_name_handler () from
/www/libexec/libphp5.so
#42 0x008e76ec in execute () from /www/libexec/libphp5.so
#43 0x008fe5c9 in zend_include_or_eval_handler () from
/www/libexec/libphp5.so
#44 0x008e76ec in execute () from /www/libexec/libphp5.so
#45 0x008c2cad in zend_execute_scripts () from /www/libexec/libphp5.so
#46 0x008861f5 in php_execute_script () from /www/libexec/libphp5.so
#47 0x00000000 in ?? ()
#48 0x00000003 in ?? ()
#49 0x00000000 in ?? ()
#50 0xbffff310 in ?? ()
#51 0x00000000 in ?? ()
#52 0x00000002 in ?? ()
#53 0x002137bd in _IO_new_file_fopen () from /lib/libc.so.6
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=31749&edit=1
