[php-maint] Bug#730051: libapache2-mod-php5: Segfault after PDO memory corruption, possibly Apache-related?

Will Aoki waoki at umnh.utah.edu
Wed Nov 20 18:19:56 UTC 2013


Package: libapache2-mod-php5
Version: 5.4.4-14+deb7u5
Severity: normal

I am unsure as to whether this bug should be filed against PHP or Apache, so I
flipped a coin and filed this against PHP.

After upgrading from squeeze to wheezy, a particular script has started causing
segfaults, but only when it retrieves a particular database record. I have not
yet succeeded at constructing a test case that does not contain private data
and a giant chunk of legacy code.

The segfaults are happening in functions called from PDO's free_statement. The
script uses PDO to connect to a Microsoft SQL Server database.

Findings:

- The crash only happens for me when Apache's mod_deflate is enabled. The crash
  does not happen with the command-line PHP interpreter and does not seem to
  occur when I hit the site over SSL.

- Although I haven't conducted an exhaustive search, the crash only seems to
  happen with a particular database record. I can see nothing unusual about
  that record.

- Bug #696590 notwithstanding, the core dumps show crashing in simple functions
  called from free_statement. I expect that the actual cause of the problem
  lies elsewhere.

- If I delete this line from the script:

                <td><p>Special Notes:</p><textarea cols="80" rows="2" name="specialnotes"><?php echo htmlentities($specialnotes); ?></textarea></td>

  the crash stops happening. If I alter that line, even going so far as to
  delete all the PHP code on that line, the script still crashes, but if I
  delete that line, the script does not crash.

- If I look at stmt->columns in free_statement, there seems to be evidence of
  memory corruption.  See the GDB transcripts.


GDB session transcripts:

Partial GDB session with one core dump:

[...]
#0  zend_mm_remove_from_free_list (heap=0xb7b1d648, mm_block=0xb7dead14)
    at /build/php5-2buXwb/php5-5.4.4/Zend/zend_alloc.c:833
#1  0xb59f4edf in _zend_mm_free_int (heap=0xb7b1d648, p=0xb7dead1c)
    at /build/php5-2buXwb/php5-5.4.4/Zend/zend_alloc.c:2101
#2  0xb690c816 in free_statement (stmt=0xb696bd68)
    at /build/php5-2buXwb/php5-5.4.4/ext/pdo/pdo_stmt.c:2400
#3  0xb6912fdb in pdo_dbstmt_free_storage (stmt=0xb696bd68)
    at /build/php5-2buXwb/php5-5.4.4/ext/pdo/pdo_stmt.c:2437
#4  0xb5a4707f in zend_objects_store_del_ref_by_handle_ex (handle=<unknown type>,
    handlers=0x2) at /build/php5-2buXwb/php5-5.4.4/Zend/zend_objects_API.c:220
#5  0xb5a470bf in zend_objects_store_del_ref (zobject=0xb5a1ce39)
    at /build/php5-2buXwb/php5-5.4.4/Zend/zend_objects_API.c:172
#6  0xb5a1ce39 in _zval_dtor_func (zvalue=0xb5a0e1cd)
    at /build/php5-2buXwb/php5-5.4.4/Zend/zend_variables.c:52
#7  0xb5a0e1cd in _zval_ptr_dtor (zval_ptr=0xb5a2aa86)
    at /build/php5-2buXwb/php5-5.4.4/Zend/zend_variables.h:35
#8  0xb5a2aa86 in zend_hash_apply_deleter ()
    at /build/php5-2buXwb/php5-5.4.4/Zend/zend_hash.c:650
#9  0xb5a2c4b5 in zend_hash_reverse_apply (ht=0xb59f594b, apply_func=0)
    at /build/php5-2buXwb/php5-5.4.4/Zend/zend_hash.c:804
#10 0xb5a0e504 in shutdown_destructors ()
    at /build/php5-2buXwb/php5-5.4.4/Zend/zend_execute_API.c:217
#11 0xb5a1df9d in zend_call_destructors ()
    at /build/php5-2buXwb/php5-5.4.4/Zend/zend.c:925
#12 0xb59b8235 in php_request_shutdown (dummy=0xb4a70fc8)
    at /build/php5-2buXwb/php5-5.4.4/main/main.c:1723
#13 0xb5ad0284 in php_handler (r=0x0)
    at /build/php5-2buXwb/php5-5.4.4/sapi/apache2handler/sapi_apache2.c:520
#14 0xb76e0656 in ap_run_handler (r=r at entry=0xb6135058) at config.c:159
#15 0xb76e0aa9 in ap_invoke_handler (r=r at entry=0xb6135058) at config.c:377
#16 0xb76f2d50 in ap_process_request (r=r at entry=0xb6135058) at http_request.c:282
#17 0xb76ef908 in ap_process_http_connection (c=0xb69241f0) at http_core.c:190
#18 0xb76e7b26 in ap_run_process_connection (c=0xb69241f0) at connection.c:43
#19 0xb76e7fd2 in ap_process_connection (c=c at entry=0xb69241f0, csd=0xb6924058)
    at connection.c:190
#20 0xb76f83c0 in child_main (child_num_arg=child_num_arg at entry=14) at prefork.c:667
#21 0xb76f8d13 in make_child (slot=14, s=<optimized out>) at prefork.c:768
#22 make_child (s=<optimized out>, slot=14) at prefork.c:696
#23 0xb76f9a4c in perform_idle_server_maintenance (p=<optimized out>)
    at prefork.c:903
#24 ap_mpm_run (_pconf=_pconf at entry=0xb767d018, plog=0xb73c6018,
    s=s at entry=0xb73f4880) at prefork.c:1107
#25 0xb76c96a4 in main (argc=3, argv=0xbfe10214) at main.c:755
(gdb) frame 2
#2  0xb690c816 in free_statement (stmt=0xb696bd68)
    at /build/php5-2buXwb/php5-5.4.4/ext/pdo/pdo_stmt.c:2400
2400    /build/php5-2buXwb/php5-5.4.4/ext/pdo/pdo_stmt.c: No such file or directory.
(gdb) print stmt
$1 = (pdo_stmt_t *) 0xb696bd68
[...]
(gdb) print i
$4 = 14
(gdb) print stmt->column_count
$5 = 67
(gdb) print cols[14].name
No symbol "cols" in current context.
(gdb) print stmt->columns[14].name
$6 = 0xb7dead1c "City"
(gdb) ^Z
[...]
(gdb) print stmt->columns[13].name
$9 = 0x0
(gdb) print stmt->columns[16].name
$10 = 0xb7deb60c "Zip"
(gdb) print stmt->columns[15].name
$11 = 0xb7deb194 "Stat\024\247\336\267"
(gdb) print stmt->columns[14].name
$12 = 0xb7dead1c "City"
(gdb) ^Z
[...]
$13 = 0xb7dead1c "City"
(gdb) print stmt->columns[15].name
$14 = 0xb7deb194 "Stat\024\247\336\267"


GDB session with another core dump:

GNU gdb (GDB) 7.4.1-debian
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/sbin/apache2...Reading symbols from /usr/lib/debug/usr/sbin/apache2-mpm-prefork...done.
done.

warning: core file may not match specified executable file.
[New LWP 23418]

warning: Can't read pathname for load map: Input/output error.
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/i686/cmov/libthread_db.so.1".

warning: the debug information found in "/usr/lib/debug//usr/lib/php5/20100525+lfs/mysql.so" does not match "/usr/lib/php5/20100525+lfs/mysql.so" (CRC mismatch).


warning: the debug information found in "/usr/lib/debug/usr/lib/php5/20100525+lfs/mysql.so" does not match "/usr/lib/php5/20100525+lfs/mysql.so" (CRC mismatch).


warning: the debug information found in "/usr/lib/debug//usr/lib/php5/20100525+lfs/mysqli.so" does not match "/usr/lib/php5/20100525+lfs/mysqli.so" (CRC mismatch).


warning: the debug information found in "/usr/lib/debug/usr/lib/php5/20100525+lfs/mysqli.so" does not match "/usr/lib/php5/20100525+lfs/mysqli.so" (CRC mismatch).


warning: the debug information found in "/usr/lib/debug//usr/lib/php5/20100525+lfs/pdo_mysql.so" does not match "/usr/lib/php5/20100525+lfs/pdo_mysql.so" (CRC mismatch).


warning: the debug information found in "/usr/lib/debug/usr/lib/php5/20100525+lfs/pdo_mysql.so" does not match "/usr/lib/php5/20100525+lfs/pdo_mysql.so" (CRC mismatch).

Core was generated by `/usr/sbin/apache2 -k start'.
Program terminated with signal 11, Segmentation fault.
#0  _zend_mm_free_int (heap=0xb7b1d648, p=0xb7c815dc)
    at /build/php5-2buXwb/php5-5.4.4/Zend/zend_alloc.c:2100
2100    /build/php5-2buXwb/php5-5.4.4/Zend/zend_alloc.c: No such file or directory.
(gdb) bt
#0  _zend_mm_free_int (heap=0xb7b1d648, p=0xb7c815dc)
    at /build/php5-2buXwb/php5-5.4.4/Zend/zend_alloc.c:2100
#1  0xb690c816 in free_statement (stmt=0xb696c044)
    at /build/php5-2buXwb/php5-5.4.4/ext/pdo/pdo_stmt.c:2400
#2  0xb6912fdb in pdo_dbstmt_free_storage (stmt=0xb696c044)
    at /build/php5-2buXwb/php5-5.4.4/ext/pdo/pdo_stmt.c:2437
#3  0xb5a4707f in zend_objects_store_del_ref_by_handle_ex (handle=<unknown type>,
    handlers=0x2) at /build/php5-2buXwb/php5-5.4.4/Zend/zend_objects_API.c:220
#4  0xb5a470bf in zend_objects_store_del_ref (zobject=0xb5a1ce39)
    at /build/php5-2buXwb/php5-5.4.4/Zend/zend_objects_API.c:172
#5  0xb5a1ce39 in _zval_dtor_func (zvalue=0xb5a0e1cd)
    at /build/php5-2buXwb/php5-5.4.4/Zend/zend_variables.c:52
#6  0xb5a0e1cd in _zval_ptr_dtor (zval_ptr=0xb5a2aa86)
    at /build/php5-2buXwb/php5-5.4.4/Zend/zend_variables.h:35
#7  0xb5a2aa86 in zend_hash_apply_deleter ()
    at /build/php5-2buXwb/php5-5.4.4/Zend/zend_hash.c:650
#8  0xb5a2c4b5 in zend_hash_reverse_apply (ht=0xb59f594b, apply_func=0)
    at /build/php5-2buXwb/php5-5.4.4/Zend/zend_hash.c:804
#9  0xb5a0e504 in shutdown_destructors ()
    at /build/php5-2buXwb/php5-5.4.4/Zend/zend_execute_API.c:217
#10 0xb5a1df9d in zend_call_destructors ()
    at /build/php5-2buXwb/php5-5.4.4/Zend/zend.c:925
#11 0xb59b8235 in php_request_shutdown (dummy=0xb60cffc8)
    at /build/php5-2buXwb/php5-5.4.4/main/main.c:1723
#12 0xb5ad0284 in php_handler (r=0x0)
    at /build/php5-2buXwb/php5-5.4.4/sapi/apache2handler/sapi_apache2.c:520
#13 0xb76e0656 in ap_run_handler (r=r at entry=0xb68e8058) at config.c:159
#14 0xb76e0aa9 in ap_invoke_handler (r=r at entry=0xb68e8058) at config.c:377
#15 0xb76f2d50 in ap_process_request (r=r at entry=0xb68e8058) at http_request.c:282
#16 0xb76ef908 in ap_process_http_connection (c=0xb69241f0) at http_core.c:190
#17 0xb76e7b26 in ap_run_process_connection (c=0xb69241f0) at connection.c:43
#18 0xb76e7fd2 in ap_process_connection (c=c at entry=0xb69241f0, csd=0xb6924058)
    at connection.c:190
#19 0xb76f83c0 in child_main (child_num_arg=child_num_arg at entry=0) at prefork.c:667
#20 0xb76f8d13 in make_child (slot=0, s=<optimized out>) at prefork.c:768
#21 make_child (s=<optimized out>, slot=0) at prefork.c:696
#22 0xb76f8ded in startup_children (number_to_start=number_to_start at entry=5)
    at prefork.c:786
#23 0xb76f99f5 in ap_mpm_run (_pconf=_pconf at entry=0xb767d018, plog=0xb73c6018,
    s=s at entry=0xb73f4880) at prefork.c:1007
#24 0xb76c96a4 in main (argc=3, argv=0xbfe10214) at main.c:755
(gdb) frame 2
#2  0xb6912fdb in pdo_dbstmt_free_storage (stmt=0xb696c044)
    at /build/php5-2buXwb/php5-5.4.4/ext/pdo/pdo_stmt.c:2437
2437    /build/php5-2buXwb/php5-5.4.4/ext/pdo/pdo_stmt.c: No such file or directory.
(gdb) print i
$1 = -1075775084
(gdb) up
#3  0xb5a4707f in zend_objects_store_del_ref_by_handle_ex (handle=<unknown type>,
    handlers=0x2) at /build/php5-2buXwb/php5-5.4.4/Zend/zend_objects_API.c:220
220     /build/php5-2buXwb/php5-5.4.4/Zend/zend_objects_API.c: No such file or directory.
(gdb) down
#2  0xb6912fdb in pdo_dbstmt_free_storage (stmt=0xb696c044)
    at /build/php5-2buXwb/php5-5.4.4/ext/pdo/pdo_stmt.c:2437
2437    /build/php5-2buXwb/php5-5.4.4/ext/pdo/pdo_stmt.c: No such file or directory.
(gdb) down
#1  0xb690c816 in free_statement (stmt=0xb696c044)
    at /build/php5-2buXwb/php5-5.4.4/ext/pdo/pdo_stmt.c:2400
2400    in /build/php5-2buXwb/php5-5.4.4/ext/pdo/pdo_stmt.c
(gdb) print i
$2 = 5
(gdb) print stmt->columns[5].name
$3 = 0xb7c815dc "\n", ' ' <repeats 12 times>, "<tr>\n", ' ' <repeats 16 times>, "<th  align=\"right\">Today is 11/19/2013</th>\n", ' ' <repeats 12 times>, "</tr><tr>\n", ' ' <repeats 16 times>, "<td>Reference Number: 6305</td>\n", ' ' <repeats 12 times>, "</tr><tr>\n", ' ' <repeats 16 times>, "<td> </td"...
(gdb) print stmt->columns[4].name
$4 = 0x0
(gdb) print stmt->columns[5].name
$5 = 0xb7c815dc "\n", ' ' <repeats 12 times>, "<tr>\n", ' ' <repeats 16 times>, "<th  align=\"right\">Today is 11/19/2013</th>\n", ' ' <repeats 12 times>, "</tr><tr>\n", ' ' <repeats 16 times>, "<td>Reference Number: 6305</td>\n", ' ' <repeats 12 times>, "</tr><tr>\n", ' ' <repeats 16 times>, "<td> </td"...
(gdb) print stmt->columns[6].name
$6 = 0xb7c81a54 "Request</option><option value=\"6FDEDBF5-07BD-4CCE-93F5-7DEB825CE15F\">Suspended</option><option value=\"C25B79CC-BFAA-4931-BF39-A04144FDD00F\">Waiting List</option></select><br/>", ' ' <repeats 16 times>, "</td>\n   "...
(gdb)

End of GDB transcripts.


-- System Information:
Debian Release: 7.2
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-4-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libapache2-mod-php5 depends on:
ii  apache2-mpm-prefork  2.2.22-13
ii  apache2.2-common     2.2.22-13
ii  libbz2-1.0           1.0.6-4
ii  libc6                2.13-38
ii  libcomerr2           1.42.5-1.1
ii  libdb5.1             5.1.29-5
ii  libgssapi-krb5-2     1.10.1+dfsg-5+deb7u1
ii  libk5crypto3         1.10.1+dfsg-5+deb7u1
ii  libkrb5-3            1.10.1+dfsg-5+deb7u1
ii  libmagic1            5.11-2
ii  libonig2             5.9.1-1
ii  libpcre3             1:8.30-5
ii  libqdbm14            1.8.78-2
ii  libssl1.0.0          1.0.1e-2
ii  libstdc++6           4.7.2-5
ii  libxml2              2.8.0+dfsg1-7+nmu2
ii  mime-support         3.52-1
ii  php5-common          5.4.4-14+deb7u5
ii  tzdata               2013d-0wheezy1
ii  ucf                  3.0025+nmu3
ii  zlib1g               1:1.2.7.dfsg-13

Versions of packages libapache2-mod-php5 recommends:
ii  php5-cli  5.4.4-14+deb7u5

Versions of packages libapache2-mod-php5 suggests:
pn  php-pear  <none>

-- no debconf information
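
Added example (not part of the bug report, PHP, or Debian): a Python triage helper that decodes GDB's `$N = 0xADDR "..."` renderings of `stmt->columns[i].name` and flags the three patterns the transcripts above show: a null name pointer, a name that runs into response markup, and a name whose NUL terminator has been overwritten by four bytes that decode little-endian to another address in the same heap window (in the transcript, `"Stat\024\247\336\267"` decodes to 0xb7dea714, next to the other zend_mm pointers, which is what an allocator free-list link written into a freed block would look like). The heap address window and the sample lines are assumptions constructed for the example.

```python
import re
import struct
# Constructed sample lines modelled on the transcript's '$N = 0xADDR "..."' values (not verbatim).
SAMPLE = [
    '$9 = 0x0',
    '$10 = 0xb7deb60c "Zip"',
    '$11 = 0xb7deb194 "Stat\\024\\247\\336\\267"',
    '$3 = 0xb7c815dc "\\n", \' \' <repeats 12 times>, "<tr>\\n", "<td>Ref: 6305</td>\\n"...',
]
# Assumed address window covering the zend_mm heap pointers seen in the transcript.
HEAP_LO, HEAP_HI = 0xB7C00000, 0xB7E00000
_LINE = re.compile(r'^\$\d+ = (0x[0-9a-fA-F]+)\s*(.*)$')
_TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|\'((?:[^\'\\]|\\.))\' <repeats (\d+) times>')
_ESC = re.compile(r'\\([0-7]{1,3}|.)')

def _unescape(s):
    # gdb renders non-printable bytes as 3-digit octal escapes, e.g. \024
    return _ESC.sub(lambda m: chr(int(m[1], 8)) if m[1][0] in '01234567' else {'n': '\n', 't': '\t'}.get(m[1], m[1]), s)

def decode_gdb_string(text):
    """Rebuild raw bytes from gdb's char* rendering; second value: gdb truncated it ('...')."""
    parts = [_unescape(m[1]) if m[1] is not None else _unescape(m[2]) * int(m[3])
             for m in _TOKEN.finditer(text)]
    return ''.join(parts).encode('latin-1'), text.rstrip().endswith('...')

def triage_name(addr, raw, truncated):
    """Indicators that a column-name pointer/string no longer holds a column name."""
    if addr == 0:
        return ['null name pointer']
    reasons = []
    if truncated or len(raw) > 64:
        reasons.append('far longer than a plausible column name')
    if b'<' in raw or b'\n' in raw:
        reasons.append('contains markup/newlines: pointer aimed into the response buffer?')
    bad = [i for i, b in enumerate(raw) if b < 0x20 or b > 0x7E]
    # Exactly four trailing junk bytes decoding to an in-heap address: NUL overwritten by an allocator link
    if bad and len(raw) - bad[0] == 4:
        val = struct.unpack('<I', raw[bad[0]:])[0]
        if HEAP_LO <= val < HEAP_HI:
            return reasons + ['NUL terminator overwritten by heap pointer 0x%08x' % val]
    if bad and not reasons:
        reasons.append('contains non-printable bytes')
    return reasons

def triage_lines(lines):
    out = []  # (address, reasons) per '$N = 0x... "..."' line; empty reasons = looks sane
    for m in filter(None, (_LINE.match(l.strip()) for l in lines)):
        raw, trunc = decode_gdb_string(m[2])
        out.append((int(m[1], 16), triage_name(int(m[1], 16), raw, trunc)))
    return out
```

Feed it the `print stmt->columns[i].name` lines from a core-dump session (for example `triage_lines(open('gdb.log'))`) to get a per-entry list of why each name looks overwritten.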
