Segmentation fault in PHP5 with pgsql module

Bug #607646 reported by Miroslav Zacek
This bug affects 1 person
Affects: php5 (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Unassigned
Milestone: -

Bug Description

Binary package hint: php5

Apache exits with signal 11 (Segmentation fault) randomly (the same request, but a very complex PHP application; the backend can do different things).

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff3d98343 in _zend_mm_free_canary_int (heap=0x7ffff83fdca0, p=0x37000000d1) at /build/buildd/php5-5.3.2/Zend/zend_alloc_canary.c:2090

php5: 5.3.2-1ubuntu4.2
apache2.2: 2.2.14-5ubuntu8

Tags: patch

Miroslav Zacek (miroslav-zacek-skype) wrote :

It looks like something similar was already here one year ago...

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=542514

Miroslav Zacek (miroslav-zacek-skype) wrote :

I tried recompiling php without the suhosin patch and it is still segfaulting.

See the *notice in frame #2 "address is out of bounds" (in function _php_pgsql_notice_ptr_dtor)

This bug looks very similar to php5 bug #542514 which was found in 5.2.10 and fixed in 5.2.11.

Miroslav Zacek (miroslav-zacek-skype) wrote :

I think I've found the problem. It is in the pgsql extension. The memory for the notices is allocated as non persistent but the whole structure is persistent. The destructor tries to free memory that was already cleaned by the garbage collector which causes the segmentation fault. I've created a simple patch and it works for me now.

tags: added: patch
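
The lifetime mismatch described in the comment above, as a simplified model added here (not PHP's source and not the submitted patch): a toy request heap stands in for the per-request allocator, and `conn_t`, `scoped_alloc` and the other names are hypothetical. The destructor reports a stale pointer instead of freeing it, so the model shows the failure without invoking undefined behaviour.

```c
#include <stdlib.h>
#include <string.h>

/* Toy request heap (constructed): non-persistent blocks are tracked and
   released in bulk at request shutdown. */
#define MAX_REQ 16
static void *req_blocks[MAX_REQ];
static int req_count;
static unsigned request_gen = 1;

static void *scoped_alloc(size_t n, int persistent) {
    if (!persistent && req_count == MAX_REQ) return NULL;
    void *p = malloc(n);
    if (p && !persistent) req_blocks[req_count++] = p;
    return p;
}
static void request_shutdown(void) {
    while (req_count > 0) free(req_blocks[--req_count]);
    request_gen++;   /* pointers from earlier requests are now stale */
}

/* Persistent object that outlives requests and owns a notice string. */
typedef struct { char *notice; int persistent; unsigned gen; } conn_t;
static int store_notice(conn_t *c, const char *msg, int persistent) {
    char *p = scoped_alloc(strlen(msg) + 1, persistent);
    if (!p) return -1;
    strcpy(p, msg);
    c->notice = p; c->persistent = persistent; c->gen = request_gen;
    return 0;
}

/* Destructor: 1 = freed, 0 = nothing to free or left to the request heap,
   -1 = stale request-scoped pointer (calling free() here is the crash). */
static int conn_dtor(conn_t *c) {
    int rc = 0;
    if (c->notice && c->persistent) { free(c->notice); rc = 1; }
    else if (c->notice && c->gen != request_gen) rc = -1;
    c->notice = NULL;
    return rc;
}

/* Store a notice in one request, destroy the connection in a later one. */
static int dtor_after_request_end(int persistent) {
    conn_t c = {0};
    if (store_notice(&c, "NOTICE: constructed sample", persistent) != 0) return -2;
    request_shutdown();
    return conn_dtor(&c);
}
int main(void) { return dtor_after_request_end(0) != -1 || dtor_after_request_end(1) != 1; }
```

Allocating the notice with the same persistence as its owner (the `persistent = 1` case) is what keeps the destructor's free valid across requests.
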
Chuck Short (zulcss) wrote :

Thanks for the patch. I'll submit this patch upstream.

chuck

Changed in php5 (Ubuntu):
importance: Undecided → Medium
status: New → Triaged
Miroslav Zacek (miroslav-zacek-skype) wrote :

You're welcome. I've submitted the patch to PHP already, see http://bugs.php.net/bug.php?id=52389 because we've detected this bug in Mac and Windows as well.

Changed in php5 (Ubuntu):
status: Triaged → In Progress
assignee: nobody → Clint Byrum (clint-fewbar)
Changed in php5 (Ubuntu):
status: In Progress → Confirmed
assignee: Clint Byrum (clint-fewbar) → nobody
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package php5 - 5.3.3-1ubuntu4

---------------
php5 (5.3.3-1ubuntu4) maverick; urgency=low

  * debian/php5-module.ini: # replaced with ; (LP: #591286)
  * debian/patches/php52389-pgsql-segfault.patch (LP: #607646)
    - Applying patch for upstream bug that causes segfaults in pgsql
 -- Clint Byrum <email address hidden> Fri, 13 Aug 2010 00:07:15 -0700

Changed in php5 (Ubuntu):
status: Confirmed → Fix Released
Clint Byrum (clint-fewbar) wrote :

Miroslav, this is fixed in Maverick, and it is probably a reasonable candidate for SRU to Lucid.

However, I haven't seen your response in the upstream bug to the PHP developers asking for a clear test case.

Until somebody has provided them with a test case there, I don't think we should move forward with an SRU.

JamesL (jamesly0n) wrote :

I just upgraded to Maverick this morning and this patch has broken pgsql quite badly. The following code now causes PHP to silently die (with valid connection details):

$conn = pg_connect($details);
pg_last_error($conn);

This caused my MediaWiki installation to suddenly stop working. I've rebuilt the package without this patch (php52389-pgsql-segfault.patch) and everything works fine again. Can I suggest reverting the patch until a test case for the original bug exists?

Clint Byrum (clint-fewbar) wrote :

Hi JamesL, thanks for the heads up, and I am sorry that you are experiencing problems.

Can you please open a new bug report for this? Any details you can provide would be very helpful. Specifically:

* A repeatable test case (I'm installing mediawiki now to give it a go, but if you have something smaller that would be great)
* A coredump (if so, make it a private bug report)
* A backtrace with debug symbols (apt-get install php5-dbg)

After you create the bug report, if you could subscribe me, that would be appreciated.

Clint Byrum (clint-fewbar) wrote :

BTW, I suspect this is the issue JamesL was reporting here:

https://bugs.launchpad.net/ubuntu/+source/php5/+bug/660227

It does seem logical to remove this patch, as Miroslav has failed to produce a reproducible test case.

Martin Pitt (pitti) wrote :

An updated php5 was just uploaded to maverick-proposed which reverts this patch, see bug 660227. Can you please check if the original crash here is still an issue with that?

Miroslav Zacek (miroslav-zacek-skype) wrote :

A colleague of mine, Jaromir, provided a fixed patch and reproducible test case. Please check the main stream bug report http://bugs.php.net/bug.php?id=52389 for details
