[php-maint] Bug#537794: Frequent segfaults from multiple sources

Jason Wies jason at xc.net
Mon Jul 20 23:54:17 UTC 2009


Package: php5
Version: 5.2.6.dfsg.1-1+lenny3
Severity: important

We have been experiencing frequent segfaults recently on three different web servers.  The segfaults started occurring at roughly the same time on all of the servers.  The backtraces are included below from two different machines.  At first glance they don't appear related, but it's hard to think that there would suddenly be three different sources of segfaults where there were none before.

These systems have been stable for years, even after upgrading to Lenny recently.  The segfaults happen more frequently during periods of high traffic (e.g. almost never overnight).  A recent sustained increase in traffic may be the root trigger, so it's possible that multiple sources of segfaults were exposed at the same time.  The PHP file being executed is different across the core dumps.

# gdb /usr/sbin/apache2 /tmp/core
GNU gdb 6.8-debian
This GDB was configured as "x86_64-linux-gnu"...

Core was generated by `/usr/sbin/apache2 -k start'.
Program terminated with signal 11, Segmentation fault.
[New process 29275]
#0  0x0000000000000000 in ?? ()
(gdb) bt
#0  0x0000000000000000 in ?? ()
#1  0x00007f48361a0084 in execute (op_array=0x23b3ee8) at /tmp/buildd/php5-5.2.6.dfsg.1/Zend/zend_vm_execute.h:92
#2  0x00007f48361a3034 in ZEND_INCLUDE_OR_EVAL_SPEC_CONST_HANDLER (execute_data=0x7fff45061360)
    at /tmp/buildd/php5-5.2.6.dfsg.1/Zend/zend_vm_execute.h:2037
#3  0x00007f48361a0084 in execute (op_array=0x23b3b48) at /tmp/buildd/php5-5.2.6.dfsg.1/Zend/zend_vm_execute.h:92
#4  0x00007f483617bec8 in zend_execute_scripts (type=32767, retval=0x0, file_count=1158026376)
    at /tmp/buildd/php5-5.2.6.dfsg.1/Zend/zend.c:1215
#5  0x00007f4836136788 in php_execute_script (primary_file=Cannot access memory at address 0x8000450603f0
) at /tmp/buildd/php5-5.2.6.dfsg.1/main/main.c:2028
#6  0x00007f48361f1b29 in php_handler (r=0x3024688a0) at /tmp/buildd/php5-5.2.6.dfsg.1/sapi/apache2handler/sapi_apache2.c:648
#7  0x0000000000438ee3 in ap_run_handler (r=0x2450088)
    at /build/buildd-apache2_2.2.9-10+lenny4-amd64-wTiRUQ/apache2-2.2.9/server/config.c:159
#8  0x000000000043c4af in ap_invoke_handler (r=0x2450088)
    at /build/buildd-apache2_2.2.9-10+lenny4-amd64-wTiRUQ/apache2-2.2.9/server/config.c:373
#9  0x000000000044964e in ap_process_request (r=0x2450088)
    at /build/buildd-apache2_2.2.9-10+lenny4-amd64-wTiRUQ/apache2-2.2.9/modules/http/http_request.c:258
#10 0x0000000000446778 in ap_process_http_connection (c=0x243ef88)
    at /build/buildd-apache2_2.2.9-10+lenny4-amd64-wTiRUQ/apache2-2.2.9/modules/http/http_core.c:190
#11 0x0000000000440403 in ap_run_process_connection (c=0x243ef88)
    at /build/buildd-apache2_2.2.9-10+lenny4-amd64-wTiRUQ/apache2-2.2.9/server/connection.c:43
#12 0x000000000044dc50 in child_main (child_num_arg=<value optimized out>)
    at /build/buildd-apache2_2.2.9-10+lenny4-amd64-wTiRUQ/apache2-2.2.9/server/mpm/prefork/prefork.c:680
#13 0x000000000044dfa4 in make_child (s=0x1e30968, slot=105)
    at /build/buildd-apache2_2.2.9-10+lenny4-amd64-wTiRUQ/apache2-2.2.9/server/mpm/prefork/prefork.c:777
#14 0x000000000044ebe6 in ap_mpm_run (_pconf=<value optimized out>, plog=<value optimized out>, s=<value optimized out>)
    at /build/buildd-apache2_2.2.9-10+lenny4-amd64-wTiRUQ/apache2-2.2.9/server/mpm/prefork/prefork.c:912
#15 0x0000000000425be5 in main (argc=3, argv=0x7fff45063df8)
    at /build/buildd-apache2_2.2.9-10+lenny4-amd64-wTiRUQ/apache2-2.2.9/server/main.c:732
(gdb) frame 1
#1  0x00007f48361a0084 in execute (op_array=0x23b3ee8) at /tmp/buildd/php5-5.2.6.dfsg.1/Zend/zend_vm_execute.h:92
92                      if (EX(opline)->handler(&execute_data TSRMLS_CC) > 0) {
(gdb) print (char *)(executor_globals.function_state_ptr->function)->common.function_name
$1 = 0x0
(gdb) print (char *)executor_globals.active_op_array->function_name
$2 = 0x0


---------------------------------------------------------------------------------------------------
# gdb /usr/sbin/apache2 /tmp/core2
GNU gdb 6.8-debian
This GDB was configured as "x86_64-linux-gnu"...

Core was generated by `/usr/sbin/apache2 -k start'.
Program terminated with signal 11, Segmentation fault.
[New process 4432]
#0  0x00007f4831ee417b in mmc_value_handler_single () from /usr/lib/php5/20060613/memcache.so
(gdb) bt
#0  0x00007f4831ee417b in mmc_value_handler_single () from /usr/lib/php5/20060613/memcache.so
#1  0x00007f4831eeae4b in mmc_unpack_value () from /usr/lib/php5/20060613/memcache.so
#2  0x00007f4831eeda2b in ?? () from /usr/lib/php5/20060613/memcache.so
#3  0x00007f4831eea074 in mmc_pool_select () from /usr/lib/php5/20060613/memcache.so
#4  0x00007f4831eea4dd in mmc_pool_run () from /usr/lib/php5/20060613/memcache.so
#5  0x00007f4831ee5bc2 in ?? () from /usr/lib/php5/20060613/memcache.so
#6  0x00007f48361b4b4d in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff4505c640)
    at /tmp/buildd/php5-5.2.6.dfsg.1/Zend/zend_vm_execute.h:200
#7  0x00007f48361a0084 in execute (op_array=0x24bcf18) at /tmp/buildd/php5-5.2.6.dfsg.1/Zend/zend_vm_execute.h:92
#8  0x00007f48361b445e in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff450612d0)
    at /tmp/buildd/php5-5.2.6.dfsg.1/Zend/zend_vm_execute.h:234
#9  0x00007f48361a0084 in execute (op_array=0x24bc998) at /tmp/buildd/php5-5.2.6.dfsg.1/Zend/zend_vm_execute.h:92
#10 0x00007f483617bec8 in zend_execute_scripts (type=32767, retval=0x0, file_count=1158026232)
    at /tmp/buildd/php5-5.2.6.dfsg.1/Zend/zend.c:1215
#11 0x00007f4836136788 in php_execute_script (primary_file=Cannot access memory at address 0x800045060360
) at /tmp/buildd/php5-5.2.6.dfsg.1/main/main.c:2028
#12 0x00007f48361f1b29 in php_handler (r=0x246bfd8) at /tmp/buildd/php5-5.2.6.dfsg.1/sapi/apache2handler/sapi_apache2.c:648
#13 0x0000000000438ee3 in ap_run_handler (r=0x2496a78)
    at /build/buildd-apache2_2.2.9-10+lenny4-amd64-wTiRUQ/apache2-2.2.9/server/config.c:159
#14 0x000000000043c4af in ap_invoke_handler (r=0x2496a78)
    at /build/buildd-apache2_2.2.9-10+lenny4-amd64-wTiRUQ/apache2-2.2.9/server/config.c:373
#15 0x00000000004494b0 in ap_internal_redirect (new_uri=<value optimized out>, r=<value optimized out>)
    at /build/buildd-apache2_2.2.9-10+lenny4-amd64-wTiRUQ/apache2-2.2.9/modules/http/http_request.c:477
#16 0x00007f483571eac5 in handler_redirect (r=0x249bdb8)
    at /build/buildd-apache2_2.2.9-10+lenny4-amd64-wTiRUQ/apache2-2.2.9/modules/mappers/mod_rewrite.c:4787
#17 0x0000000000438ee3 in ap_run_handler (r=0x249bdb8)
    at /build/buildd-apache2_2.2.9-10+lenny4-amd64-wTiRUQ/apache2-2.2.9/server/config.c:159
#18 0x000000000043c4af in ap_invoke_handler (r=0x249bdb8)
    at /build/buildd-apache2_2.2.9-10+lenny4-amd64-wTiRUQ/apache2-2.2.9/server/config.c:373
#19 0x000000000044964e in ap_process_request (r=0x249bdb8)
    at /build/buildd-apache2_2.2.9-10+lenny4-amd64-wTiRUQ/apache2-2.2.9/modules/http/http_request.c:258
#20 0x0000000000446778 in ap_process_http_connection (c=0x243ef88)
    at /build/buildd-apache2_2.2.9-10+lenny4-amd64-wTiRUQ/apache2-2.2.9/modules/http/http_core.c:190
#21 0x0000000000440403 in ap_run_process_connection (c=0x243ef88)
    at /build/buildd-apache2_2.2.9-10+lenny4-amd64-wTiRUQ/apache2-2.2.9/server/connection.c:43
#22 0x000000000044dc50 in child_main (child_num_arg=<value optimized out>)
    at /build/buildd-apache2_2.2.9-10+lenny4-amd64-wTiRUQ/apache2-2.2.9/server/mpm/prefork/prefork.c:680
#23 0x000000000044dfa4 in make_child (s=0x1e30968, slot=1)
    at /build/buildd-apache2_2.2.9-10+lenny4-amd64-wTiRUQ/apache2-2.2.9/server/mpm/prefork/prefork.c:777
#24 0x000000000044e3f8 in ap_mpm_run (_pconf=<value optimized out>, plog=<value optimized out>, s=0x1e30968)
    at /build/buildd-apache2_2.2.9-10+lenny4-amd64-wTiRUQ/apache2-2.2.9/server/mpm/prefork/prefork.c:1077
#25 0x0000000000425be5 in main (argc=3, argv=0x7fff45063df8)
    at /build/buildd-apache2_2.2.9-10+lenny4-amd64-wTiRUQ/apache2-2.2.9/server/main.c:732
#7  0x00007f48361a0084 in execute (op_array=0x24bcf18) at /tmp/buildd/php5-5.2.6.dfsg.1/Zend/zend_vm_execute.h:92
92                      if (EX(opline)->handler(&execute_data TSRMLS_CC) > 0) {
(gdb) print (char *)(executor_globals.function_state_ptr->function)->common.function_name
$1 = 0x7f4831ef0280 "set"
(gdb) print (char *)executor_globals.active_op_array->function_name
$2 = 0x7f482e3ab748 "Execute"


---------------------------------------------------------------------------------------------------
# gdb /usr/sbin/apache2 /tmp/core3
GNU gdb 6.8-debian
This GDB was configured as "x86_64-linux-gnu"...

Core was generated by `/usr/sbin/apache2 -k start'.
Program terminated with signal 11, Segmentation fault.
[New process 1767]
#0  0x00007fc5c4b74b84 in apc_cache_find_slot () from /usr/lib/php5/20060613/apc.so
(gdb) bt
#0  0x00007fc5c4b74b84 in apc_cache_find_slot () from /usr/lib/php5/20060613/apc.so
#1  0x00007fc5c4b74dd0 in apc_cache_find () from /usr/lib/php5/20060613/apc.so
#2  0x00007fc5c4b79bc7 in ?? () from /usr/lib/php5/20060613/apc.so
#3  0x00007fc5c666f204 in ZEND_INCLUDE_OR_EVAL_SPEC_CONST_HANDLER (execute_data=0x7fffd5528a60)
    at /tmp/buildd/php5-5.2.6.dfsg.1/Zend/zend_vm_execute.h:1991
#4  0x00007fc5c666c084 in execute (op_array=0x250f470) at /tmp/buildd/php5-5.2.6.dfsg.1/Zend/zend_vm_execute.h:92
#5  0x00007fc5c666f034 in ZEND_INCLUDE_OR_EVAL_SPEC_CONST_HANDLER (execute_data=0x7fffd552d710)
    at /tmp/buildd/php5-5.2.6.dfsg.1/Zend/zend_vm_execute.h:2037
#6  0x00007fc5c666c084 in execute (op_array=0x250eee8) at /tmp/buildd/php5-5.2.6.dfsg.1/Zend/zend_vm_execute.h:92
#7  0x00007fc5c6647ec8 in zend_execute_scripts (type=32767, retval=0x0, file_count=-715990984)
    at /tmp/buildd/php5-5.2.6.dfsg.1/Zend/zend.c:1215
#8  0x00007fc5c6602788 in php_execute_script (primary_file=Cannot access memory at address 0x8000d552c7a0
) at /tmp/buildd/php5-5.2.6.dfsg.1/main/main.c:2028
#9  0x00007fc5c66bdb29 in php_handler (r=0x3026d34a8) at /tmp/buildd/php5-5.2.6.dfsg.1/sapi/apache2handler/sapi_apache2.c:648
#10 0x0000000000438ee3 in ap_run_handler (r=0x2705908)
    at /build/buildd-apache2_2.2.9-10+lenny4-amd64-wTiRUQ/apache2-2.2.9/server/config.c:159
#11 0x000000000043c4af in ap_invoke_handler (r=0x2705908)
    at /build/buildd-apache2_2.2.9-10+lenny4-amd64-wTiRUQ/apache2-2.2.9/server/config.c:373
#12 0x00000000004494b0 in ap_internal_redirect (new_uri=<value optimized out>, r=<value optimized out>)
    at /build/buildd-apache2_2.2.9-10+lenny4-amd64-wTiRUQ/apache2-2.2.9/modules/http/http_request.c:477
#13 0x00007fc5c5beaac5 in handler_redirect (r=0x27027f8)
    at /build/buildd-apache2_2.2.9-10+lenny4-amd64-wTiRUQ/apache2-2.2.9/modules/mappers/mod_rewrite.c:4787
#14 0x0000000000438ee3 in ap_run_handler (r=0x27027f8)
    at /build/buildd-apache2_2.2.9-10+lenny4-amd64-wTiRUQ/apache2-2.2.9/server/config.c:159
#15 0x000000000043c4af in ap_invoke_handler (r=0x27027f8)
    at /build/buildd-apache2_2.2.9-10+lenny4-amd64-wTiRUQ/apache2-2.2.9/server/config.c:373
#16 0x00000000004494b0 in ap_internal_redirect (new_uri=<value optimized out>, r=<value optimized out>)
    at /build/buildd-apache2_2.2.9-10+lenny4-amd64-wTiRUQ/apache2-2.2.9/modules/http/http_request.c:477
#17 0x00007fc5c5beaac5 in handler_redirect (r=0x270bfc8)
    at /build/buildd-apache2_2.2.9-10+lenny4-amd64-wTiRUQ/apache2-2.2.9/modules/mappers/mod_rewrite.c:4787
#18 0x0000000000438ee3 in ap_run_handler (r=0x270bfc8)
    at /build/buildd-apache2_2.2.9-10+lenny4-amd64-wTiRUQ/apache2-2.2.9/server/config.c:159
#19 0x000000000043c4af in ap_invoke_handler (r=0x270bfc8)
    at /build/buildd-apache2_2.2.9-10+lenny4-amd64-wTiRUQ/apache2-2.2.9/server/config.c:373
#20 0x000000000044964e in ap_process_request (r=0x270bfc8)
    at /build/buildd-apache2_2.2.9-10+lenny4-amd64-wTiRUQ/apache2-2.2.9/modules/http/http_request.c:258
#21 0x0000000000446778 in ap_process_http_connection (c=0x26af1c8)
    at /build/buildd-apache2_2.2.9-10+lenny4-amd64-wTiRUQ/apache2-2.2.9/modules/http/http_core.c:190
#22 0x0000000000440403 in ap_run_process_connection (c=0x26af1c8)
    at /build/buildd-apache2_2.2.9-10+lenny4-amd64-wTiRUQ/apache2-2.2.9/server/connection.c:43
#23 0x000000000044dc50 in child_main (child_num_arg=<value optimized out>)
    at /build/buildd-apache2_2.2.9-10+lenny4-amd64-wTiRUQ/apache2-2.2.9/server/mpm/prefork/prefork.c:680
#24 0x000000000044dfa4 in make_child (s=0x20a0968, slot=79)
    at /build/buildd-apache2_2.2.9-10+lenny4-amd64-wTiRUQ/apache2-2.2.9/server/mpm/prefork/prefork.c:777
#25 0x000000000044ebe6 in ap_mpm_run (_pconf=<value optimized out>, plog=<value optimized out>, s=<value optimized out>)
    at /build/buildd-apache2_2.2.9-10+lenny4-amd64-wTiRUQ/apache2-2.2.9/server/mpm/prefork/prefork.c:912
#26 0x0000000000425be5 in main (argc=3, argv=0x7fffd55302c8)
    at /build/buildd-apache2_2.2.9-10+lenny4-amd64-wTiRUQ/apache2-2.2.9/server/main.c:732
(gdb) frame 4
#4  0x00007fc5c666c084 in execute (op_array=0x250f470) at /tmp/buildd/php5-5.2.6.dfsg.1/Zend/zend_vm_execute.h:92
92                      if (EX(opline)->handler(&execute_data TSRMLS_CC) > 0) {
(gdb) print (char *)(executor_globals.function_state_ptr->function)->common.function_name
$1 = 0x0
(gdb) print (char *)executor_globals.active_op_array->function_name
$2 = 0x0

Jason

-- System Information:
Debian Release: 5.0.2
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

Versions of packages php5 depends on:
ii  libapache2-mod-php 5.2.6.dfsg.1-1+lenny3 server-side, HTML-embedded scripti
ii  php5-common        5.2.6.dfsg.1-1+lenny3 Common files for packages built fr

php5 recommends no packages.

php5 suggests no packages.

-- no debconf information
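
Added example, not part of the original report or of any Debian or PHP tooling: a small Python triage helper that parses gdb `bt` output, derives a crash signature from frame #0, and lists the source-level frames common to all cores. The frames are abridged from the three backtraces above; the names `parse_frames`, `crash_signature` and `shared_frames` are this example's own.

```python
import re

# One gdb `bt` frame: "#N  0xPC in func (args) [from lib] [at file:line]"
FRAME = re.compile(
    r"^#(?P<n>\d+)\s+(?:(?P<pc>0x[0-9a-f]+) in )?(?P<func>\S+) \(.*?\)"
    r"(?: from (?P<lib>\S+))?(?: at (?P<src>\S+))?")

# Top frames abridged from the three backtraces in the report above.
CORES = {
    "core": """\
#0  0x0000000000000000 in ?? ()
#1  0x00007f48361a0084 in execute (op_array=0x23b3ee8) at /tmp/buildd/php5-5.2.6.dfsg.1/Zend/zend_vm_execute.h:92
""",
    "core2": """\
#0  0x00007f4831ee417b in mmc_value_handler_single () from /usr/lib/php5/20060613/memcache.so
#6  0x00007f48361b4b4d in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff4505c640)
    at /tmp/buildd/php5-5.2.6.dfsg.1/Zend/zend_vm_execute.h:200
#7  0x00007f48361a0084 in execute (op_array=0x24bcf18) at /tmp/buildd/php5-5.2.6.dfsg.1/Zend/zend_vm_execute.h:92
""",
    "core3": """\
#0  0x00007fc5c4b74b84 in apc_cache_find_slot () from /usr/lib/php5/20060613/apc.so
#3  0x00007fc5c666f204 in ZEND_INCLUDE_OR_EVAL_SPEC_CONST_HANDLER (execute_data=0x7fffd5528a60)
    at /tmp/buildd/php5-5.2.6.dfsg.1/Zend/zend_vm_execute.h:1991
#4  0x00007fc5c666c084 in execute (op_array=0x250f470) at /tmp/buildd/php5-5.2.6.dfsg.1/Zend/zend_vm_execute.h:92
""",
}

def parse_frames(bt_text):
    """Parse `bt` output; gdb wraps long frames, so join indented lines first."""
    joined = re.sub(r"\n[ \t]+", " ", bt_text)
    return [m.groupdict() for m in map(FRAME.match, joined.splitlines()) if m]

def crash_signature(frames):
    """Bucket key for frame #0: the faulting function and the object it lives in."""
    top = frames[0]
    if top["func"] == "??" and top["pc"] is not None and int(top["pc"], 16) == 0:
        return "call through NULL pointer"   # pc == 0: control went to address 0
    origin = top["lib"] or top["src"] or "unknown"
    return "%s (%s)" % (top["func"], origin.rsplit("/", 1)[-1])

def shared_frames(cores):
    """(function, file:line) pairs with debug info present in every backtrace."""
    per_core = [{(f["func"], f["src"].rsplit("/", 1)[-1])
                 for f in parse_frames(text) if f["src"]} for text in cores.values()]
    return set.intersection(*per_core)

if __name__ == "__main__":
    print({n: crash_signature(parse_frames(t)) for n, t in CORES.items()})
    print("shared:", shared_frames(CORES))
```

On these traces the only frame shared by all three cores is the generic `execute` dispatch loop at zend_vm_execute.h:92, while frame #0 lands in three different places.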




