Edit report at https://bugs.php.net/bug.php?id=61757&edit=1
ID: 61757
Comment by: Junk at Army dot ca
Reported by: joe at creativeanvil dot com
Summary: Apache Segfault zend_hash_quick_find
Status: Closed
Type: Bug
Package: Apache2 related
Operating System: CentOS 6.2
PHP Version: 5.4.0
Block user comment: N
Private report: N
New Comment:
I'm seeing this same issue on php 5.4.14, Fedora 17:
Core was generated by `/usr/sbin/httpd -k start'.
Program terminated with signal 11, Segmentation fault.
#0 0x00007fae904dc298 in zend_hash_quick_find (ht=ht@entry=0x7fae9eb26698, arKey=0x7fae9f9d3290 "mbstring", nKeyLength=9, h=h@entry=249897825911322699, pData=pData@entry=0x7fffdc759548) at /usr/src/debug/php-5.4.14/Zend/zend_hash.c:950
950 p = ht->arBuckets[nIndex];
Packages:
httpd-2.2.23-1.fc17.x86_64
php-5.4.14-1.fc17.x86_64
php-common-5.4.14-1.fc17.x86_64
php-imap-5.4.14-1.fc17.x86_64
php-pecl-apc-debuginfo-3.1.15-0.3.svn329913.fc17.x86_64
php-pspell-5.4.14-1.fc17.x86_64
php-debuginfo-5.4.14-1.fc17.x86_64
php-pdo-5.4.14-1.fc17.x86_64
php-mysql-5.4.14-1.fc17.x86_64
php-mbstring-5.4.14-1.fc17.x86_64
php-mcrypt-5.4.14-1.fc17.x86_64
php-pear-1.9.4-7.fc17.2.noarch
php-Kohana-2.4-1.rc2.fc17.3.noarch
php-cli-5.4.14-1.fc17.x86_64
php-pgsql-5.4.14-1.fc17.x86_64
php-xml-5.4.14-1.fc17.x86_64
php-gd-5.4.14-1.fc17.x86_64
php-pecl-apc-3.1.15-0.3.svn329913.fc17.x86_64
I have not located the source script yet.
Previous Comments:
------------------------------------------------------------------------
[2012-04-26 21:21:46] joe at creativeanvil dot com
Just upgraded to 5.4.1 and am not seeing this issue any longer. Thank you.
------------------------------------------------------------------------
[2012-04-17 20:50:27] [email protected]
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves.
A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external
resources such as databases, etc. If the script requires a
database to demonstrate the issue, please make sure it creates
all necessary tables, stored procedures etc.
Please avoid embedding huge scripts into the report.
GC issues require a full reproduce case for being tracked down properly. Please
try to reduce your codebase as much as possible (it doesn't bring much to send
us a large program, as you know the code better than we, I assume, and can
strip it down better) and make that available. Thanks.
------------------------------------------------------------------------
[2012-04-17 20:22:31] joe at creativeanvil dot com
Also, tried the latest 5.4 build and still have the same issue. 5.3.10 does not
produce the same problem. Additional backtrace info on latest 5.4 build:
#0 0x00007f5604d87661 in gc_zval_possible_root (zv=0x7f5611cabf20) at /usr/local/src/php5.4-201204171930/Zend/zend_gc.c:143
#1 0x00007f5604d9aabd in gc_zval_check_possible_root (execute_data=0x7f560f922aa0) at /usr/local/src/php5.4-201204171930/Zend/zend_gc.h:183
#2 i_zval_ptr_dtor (execute_data=0x7f560f922aa0) at /usr/local/src/php5.4-201204171930/Zend/zend_execute.h:97
#3 zend_leave_helper_SPEC (execute_data=0x7f560f922aa0) at /usr/local/src/php5.4-201204171930/Zend/zend_vm_execute.h:468
#4 0x00007f5604dd0700 in execute (op_array=0x7f5611e80f10) at /usr/local/src/php5.4-201204171930/Zend/zend_vm_execute.h:410
#5 0x00007f5604d678cf in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/local/src/php5.4-201204171930/Zend/zend.c:1272
#6 0x00007f5604d0b3e7 in php_execute_script (primary_file=0x7fff71019fc0) at /usr/local/src/php5.4-201204171930/main/main.c:2473
#7 0x00007f5604e11765 in php_handler (r=0x7f5611c6d348) at /usr/local/src/php5.4-201204171930/sapi/apache2handler/sapi_apache2.c:667
#8 0x00007f560fa14b00 in ap_run_handler ()
#9 0x00007f560fa183be in ap_invoke_handler ()
#10 0x00007f560fa23a30 in ap_process_request ()
#11 0x00007f560fa208f8 in ?? ()
#12 0x00007f560fa1c608 in ap_run_process_connection ()
#13 0x00007f560fa28807 in ?? ()
#14 0x00007f560fa28b1a in ?? ()
#15 0x00007f560fa28e4b in ap_mpm_run ()
#16 0x00007f560fa00900 in main ()
------------------------------------------------------------------------
[2012-04-17 17:20:25] joe at creativeanvil dot com
Sorry, forgot config line on report:
./configure --with-apxs2=/usr/sbin/apxs --enable-cli --enable-exif \
  --enable-mbstring --enable-mbregex --enable-sockets --with-mysql \
  --with-mysqli=/usr/bin/mysql_config --with-pdo-mysql --with-libdir=lib64 \
  --with-zlib --with-gd --with-jpeg-dir=/usr/lib64 --enable-soap \
  --enable-calendar --with-freetype-dir=/usr/lib64 --with-libexpat-dir \
  --enable-ftp --enable-calendar --with-curl
------------------------------------------------------------------------
[2012-04-17 17:16:13] joe at creativeanvil dot com
Description:
------------
Appears that in certain cases when trying to access an array key that does not
exist, apache segfaults.
Test script:
---------------
$this->line_item_array = array('14441454');
foreach($this->line_item_array as $line_num => $line_item) {
    if($line_item['pallets'] > 0) {
        $pallets = " on {$line_item['pallets']} pallet(s)";
    } else {
        $pallets = '';
    }
    $line_num += 1;
    $handling_unit = strtolower($line_item['handling_unit']);
    $dims = (!empty($line_item['length'])) ? ", {$line_item['length']}x{$line_item['width']}x{$line_item['height']}" : '';
    $text .= "{$line_item['pieces']} $handling_unit$pallets$dims\n";
}
Expected result:
----------------
Notices and warnings thrown about non-existent indexes, not a segfault.
Actual result:
--------------
Loaded symbols for /lib64/libkrb5support.so.0
Reading symbols from /lib64/libkeyutils.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib64/libkeyutils.so.1
Reading symbols from /usr/lib64/apr-util-1/apr_ldap-1.so...(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/apr-util-1/apr_ldap-1.so
Core was generated by `/usr/sbin/httpd -k start'.
Program terminated with signal 11, Segmentation fault.
#0 0x00007f7683eb9d71 in zend_hash_quick_find (ht=0x7f76912e0f48, arKey=0x7f768e9a25a0 "handling_unit", nKeyLength=14, h=12662310260902317513, pData=0x7fffa613be18) at /usr/local/src/php-5.4.0/Zend/zend_hash.c:950
950 p = ht->arBuckets[nIndex];
------------------------------------------------------------------------