Segfaults due to double free

Bug #818657 reported by Piotr Przybylski
Affects: Drizzle PHP Extension; Status: New; Importance: Undecided; Assigned to: Unassigned; Milestone: (none)

Bug Description

I had some "double free" errors in my Apache error log, but after doing some recompiling and reinstalling I stopped getting extensive information on segfaults and have only short notes about segmentation faults in child processes, so I can't provide more information. The one thing that survived in my code comments is:
zif_drizzle_column_free+0x25

Right now I am getting PHP segfaults after some scripts using drizzle module are executed: putting flush() in register_shutdown_function makes my code (phpMyAdmin) usable in my development environment, but it obviously can't be used in stable version.

Piotr Przybylski (crack)
description: updated
Andrew Hutchings (linuxjedi) wrote :

OK, a couple of questions here.

1. do you have any sample PHP code that reproduces this problem?
2. what version of libdrizzle are you using?

Piotr Przybylski (crack) wrote :

1. I couldn't make any sample code for that even when I recreated all calls to drizzle module, I can only say that it's not random because it occurs always on the same pages of phpMyAdmin. If you can provide me with some instructions on how I can generate some useful debug information I will gladly help.
2. I tested with 2011.03.13 GA and latest development version.

Andrew Hutchings (linuxjedi) wrote :

Thanks for the info.

Unfortunately the verbosity settings have not been added to the PHP extension. Without a stack trace or a reproducible test case this will be difficult to debug. My guess is it is happening during the cleanup though.

Piotr Przybylski (crack) wrote :

If you can direct me to some information on generating a stack trace I can try to provide one.

Andrew Hutchings (linuxjedi) wrote :

https://bugs.php.net/bugs-generating-backtrace.php

If you are using Fedora or RedHat you may need to install debug packages too. The output of gdb will give you more information if this is the case.

Piotr Przybylski (crack) wrote :

I am using Ubuntu. After installing php5-dbg and running Apache with gdb:

Program received signal SIGSEGV, Segmentation fault.
zend_hash_destroy (ht=0xde18059d80d4971f) at /build/buildd/php5-5.3.5/Zend/zend_hash.c:723
723 /build/buildd/php5-5.3.5/Zend/zend_hash.c: No such file or directory.
        in /build/buildd/php5-5.3.5/Zend/zend_hash.c
(gdb) bt
#0 zend_hash_destroy (ht=0xde18059d80d4971f) at /build/buildd/php5-5.3.5/Zend/zend_hash.c:723
#1 0x00007ffff4141819 in zend_object_std_dtor (object=0x7ffff8c043a0) at /build/buildd/php5-5.3.5/Zend/zend_objects.c:45
#2 0x00007fffef6e5ed3 in drizzle_con_obj_free (object=0x7ffff8c043a0) at /root/drizzle-php-ext-0.5/php_drizzle.c:1571
#3 0x00007ffff4145801 in zend_objects_store_del_ref_by_handle_ex (handle=32767, handlers=0x7ffff8b3f300)
    at /build/buildd/php5-5.3.5/Zend/zend_objects_API.c:220
#4 0x00007ffff4145823 in zend_objects_store_del_ref (zobject=0x7ffff8c14898)
    at /build/buildd/php5-5.3.5/Zend/zend_objects_API.c:172
#5 0x00007ffff4112392 in _zval_ptr_dtor (zval_ptr=0x7ffff8c044b0) at /build/buildd/php5-5.3.5/Zend/zend_variables.h:35
#6 0x00007ffff412e043 in zend_hash_destroy (ht=0x7ffff8c04420) at /build/buildd/php5-5.3.5/Zend/zend_hash.c:729
#7 0x00007ffff4141819 in zend_object_std_dtor (object=0x7ffff8b301c0) at /build/buildd/php5-5.3.5/Zend/zend_objects.c:45
#8 0x00007ffff4141839 in zend_objects_free_object_storage (object=0x7ffff8b301c0)
    at /build/buildd/php5-5.3.5/Zend/zend_objects.c:126
#9 0x00007ffff4145801 in zend_objects_store_del_ref_by_handle_ex (handle=32767, handlers=0x7ffff8b3f300)
    at /build/buildd/php5-5.3.5/Zend/zend_objects_API.c:220
#10 0x00007ffff4145823 in zend_objects_store_del_ref (zobject=0x7ffff8c04350)
    at /build/buildd/php5-5.3.5/Zend/zend_objects_API.c:172
#11 0x00007ffff4112392 in _zval_ptr_dtor (zval_ptr=0x7ffff8b3f268) at /build/buildd/php5-5.3.5/Zend/zend_variables.h:35
#12 0x00007ffff412c87e in zend_hash_apply_deleter (ht=0x7ffff485b9c8, p=0x7ffff8b3f250)
    at /build/buildd/php5-5.3.5/Zend/zend_hash.c:816
#13 0x00007ffff412e1b8 in zend_hash_graceful_reverse_destroy (ht=0x7ffff485b9c8)
    at /build/buildd/php5-5.3.5/Zend/zend_hash.c:851
#14 0x00007ffff4112b6e in shutdown_executor () at /build/buildd/php5-5.3.5/Zend/zend_execute_API.c:256
#15 0x00007ffff4120a05 in zend_deactivate () at /build/buildd/php5-5.3.5/Zend/zend.c:962
#16 0x00007ffff40cd9ff in php_request_shutdown (dummy=0xde18059d80d4971f) at /build/buildd/php5-5.3.5/main/main.c:1649
#17 0x00007ffff41b8287 in php_handler (r=0x7ffff41b8287) at /build/buildd/php5-5.3.5/sapi/apache2handler/sapi_apache2.c:526
#18 0x00007ffff7fd5348 in ap_run_handler (r=0x7ffff8628250) at /build/buildd/apache2-2.2.17/server/config.c:159
#19 0x00007ffff7fd57ac in ap_invoke_handler (r=0x7ffff8628250) at /build/buildd/apache2-2.2.17/server/config.c:377
#20 0x00007ffff7fe5580 in ap_process_request (r=0x7ffff8628250) at /build/buildd/apache2-2.2.17/modules/http/http_request.c:282
#21 0x00007ffff7fe2558 in ap_process_http_connection (c=0x7ffff86220a0)
    at /build/buildd/apache2-2.2.17/modules/http/http_core.c:190
#22 0x00007ffff7fdbf28 in ap_run_process_connection (c=0x7ffff86220a0) at /build/...

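
When triaging a backtrace like the one above, the first thing to find is the innermost frame in the extension's own source (here frame #2, drizzle_con_obj_free in php_drizzle.c): frame #0 in zend_hash_destroy is where the corruption was noticed, not where it was introduced. The C program below is an added example, not part of this report, the drizzle extension or the Zend engine. It parses a gdb "bt" listing (a constructed excerpt of the frames above is embedded as sample input, including two frames gdb wrapped onto continuation lines), finds the first frame under a given source path, and checks whether a pointer argument is even a canonical x86-64 address; the ht=0xde18059d80d4971f value in frame #0 is not, so it is garbage rather than a live HashTable pointer.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct frame {
    int num;        /* gdb frame number */
    char func[64];  /* function name */
    char file[128]; /* source file, if gdb printed one */
    int line;       /* source line, if gdb printed one */
};

/* Constructed sample input: an excerpt of the gdb output in this report. */
static const char *SAMPLE_BT =
    "#0 zend_hash_destroy (ht=0xde18059d80d4971f) at /build/buildd/php5-5.3.5/Zend/zend_hash.c:723\n"
    "#1 0x00007ffff4141819 in zend_object_std_dtor (object=0x7ffff8c043a0) at /build/buildd/php5-5.3.5/Zend/zend_objects.c:45\n"
    "#2 0x00007fffef6e5ed3 in drizzle_con_obj_free (object=0x7ffff8c043a0) at /root/drizzle-php-ext-0.5/php_drizzle.c:1571\n"
    "#3 0x00007ffff4145801 in zend_objects_store_del_ref_by_handle_ex (handle=32767, handlers=0x7ffff8b3f300)\n"
    "    at /build/buildd/php5-5.3.5/Zend/zend_objects_API.c:220\n"
    "#4 0x00007ffff4145823 in zend_objects_store_del_ref (zobject=0x7ffff8c14898)\n"
    "    at /build/buildd/php5-5.3.5/Zend/zend_objects_API.c:172\n"
    "#5 0x00007ffff4112392 in _zval_ptr_dtor (zval_ptr=0x7ffff8c044b0) at /build/buildd/php5-5.3.5/Zend/zend_variables.h:35\n";

static void copy_bounded(char *dst, size_t cap, const char *src, size_t len)
{
    if (len >= cap) len = cap - 1;
    memcpy(dst, src, len);
    dst[len] = '\0';
}

/* Parse a gdb "bt" listing. Lines starting with '#' open a new frame; an
   indented continuation line carrying "at file:line" belongs to the frame
   opened just before it. Returns the number of frames parsed. */
static int parse_backtrace(const char *bt, struct frame *out, int max)
{
    int n = 0;
    const char *p = bt;
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        char line[512];
        copy_bounded(line, sizeof line, p, len);
        p = eol ? eol + 1 : p + len;

        struct frame *f = n ? &out[n - 1] : NULL;
        if (line[0] == '#') {
            if (n == max) break;
            f = &out[n++];
            memset(f, 0, sizeof *f);
            f->num = atoi(line + 1);
            /* "#N 0xADDR in func (args)" or, for the crash frame, "#N func (args)" */
            const char *fn = strstr(line, " in ");
            const char *sp = strchr(line, ' ');
            fn = fn ? fn + 4 : (sp ? sp + 1 : line + 1);
            const char *end = strstr(fn, " (");
            copy_bounded(f->func, sizeof f->func, fn, end ? (size_t)(end - fn) : strlen(fn));
        }
        if (!f) continue; /* text before the first frame */
        const char *at = strstr(line, " at ");
        const char *colon = at ? strrchr(at, ':') : NULL;
        if (colon) {
            copy_bounded(f->file, sizeof f->file, at + 4, (size_t)(colon - (at + 4)));
            f->line = atoi(colon + 1);
        }
    }
    return n;
}

/* Index of the innermost frame whose source path contains `needle`, or -1:
   the first frame in the extension's own code is where to start reading. */
static int first_frame_in(const struct frame *frames, int n, const char *needle)
{
    for (int i = 0; i < n; i++)
        if (strstr(frames[i].file, needle))
            return i;
    return -1;
}

/* Hex value of the first argument named `name`, e.g. "(ht=0x...". */
static int first_hex_arg(const char *text, const char *name, uint64_t *out)
{
    char pat[48];
    snprintf(pat, sizeof pat, "(%s=0x", name);
    const char *p = strstr(text, pat);
    if (!p) return 0;
    *out = strtoull(p + strlen(pat), NULL, 16);
    return 1;
}

/* x86-64 addresses are canonical: bits 63..47 all 0 (user space) or all 1
   (kernel). A value failing this cannot be a live pointer at all. */
static int is_canonical_x86_64(uint64_t v)
{
    uint64_t top = v >> 47;
    return top == 0 || top == 0x1ffff;
}

int main(void)
{
    struct frame fr[16];
    int n = parse_backtrace(SAMPLE_BT, fr, 16);
    int i = first_frame_in(fr, n, "php_drizzle.c");
    uint64_t ht = 0;
    if (i >= 0)
        printf("start at frame #%d: %s (%s:%d)\n", fr[i].num, fr[i].func, fr[i].file, fr[i].line);
    if (first_hex_arg(SAMPLE_BT, "ht", &ht))
        printf("ht=0x%llx canonical: %s\n", (unsigned long long)ht, is_canonical_x86_64(ht) ? "yes" : "no");
    return 0;
}
```

The non-canonical ht value, combined with the crash sitting under the extension's object free handler during request shutdown, points at the HashTable pointer being read from memory that was already freed or overwritten, which is what the "double free" messages in the Apache log also suggest.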

Andrew Hutchings (linuxjedi) wrote :

OK, looks like a bad mix of the zend allocation/free system and libdrizzle's allocation/free system. I unfortunately don't have time to fix this any time soon.
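
The diagnosis above covers two distinct defects that both end with zend_hash_destroy tearing down memory that is no longer valid: a library handle freed by two wrapper objects that each believe they own it, and memory obtained from one allocator released through the other. The C program below is an added example, not code from the drizzle extension, libdrizzle or the Zend engine. It uses a small checked heap (a mock standing in for what ASan or a debug allocator would report), mock lib_conn_new/lib_conn_free and e_malloc/e_free functions, and a pair of wrapper objects whose free handlers run in the order the engine would call them at request shutdown; it contrasts both buggy variants with a hardened one where exactly one wrapper owns the handle, releases it through the library's own free, and nulls the pointer so that an explicit close followed by the destructor is harmless.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Checked heap (mock): every block records which allocator created it, and
   frees are validated and counted instead of corrupting the real heap. */
enum owner { LIB_ALLOC = 1, ENGINE_ALLOC = 2 };
struct block { uintptr_t addr; enum owner by; int live; };
struct heap_report { int double_frees; int mismatches; };

static struct block table[64];
static int ntable;
static struct heap_report report;

static void *checked_alloc(size_t n, enum owner by)
{
    void *p = calloc(1, n);
    if (p && ntable < 64)
        table[ntable++] = (struct block){ (uintptr_t)p, by, 1 };
    return p;
}

static void checked_free(void *p, enum owner by)
{
    for (int i = 0; i < ntable; i++) {
        if (table[i].addr != (uintptr_t)p) continue;
        if (!table[i].live) { report.double_frees++; return; } /* freed twice */
        if (table[i].by != by) report.mismatches++;             /* wrong allocator */
        table[i].live = 0;
        free(p);
        return;
    }
    report.double_frees++; /* pointer this heap never handed out */
}

/* Library side (mock of a libdrizzle-style handle with its own free). */
struct lib_conn { char state[32]; };
static struct lib_conn *lib_conn_new(void) { return checked_alloc(sizeof(struct lib_conn), LIB_ALLOC); }
static void lib_conn_free(struct lib_conn *c) { checked_free(c, LIB_ALLOC); }

/* Engine side (mock of emalloc/efree). */
static void *e_malloc(size_t n) { return checked_alloc(n, ENGINE_ALLOC); }
static void e_free(void *p) { checked_free(p, ENGINE_ALLOC); }

/* Extension objects: the connection wrapper owns the library handle; the
   result wrapper only borrows it. */
struct conn_obj   { struct lib_conn *con; };
struct result_obj { struct lib_conn *con; };

enum variant { BUGGY_DOUBLE_FREE, BUGGY_WRONG_FREE, HARDENED };

/* Release the owned handle through the library's own free, exactly once;
   nulling the pointer makes a second call a no-op. BUGGY_WRONG_FREE hands
   library memory to the engine's free instead (the "bad mix" of allocators). */
static void conn_obj_release(struct conn_obj *c, enum variant v)
{
    if (!c->con) return;
    if (v == BUGGY_WRONG_FREE) e_free(c->con);
    else                       lib_conn_free(c->con);
    c->con = NULL;
}

/* Object-storage free handlers, as the engine calls them at request shutdown. */
static void result_obj_free(struct result_obj *r, enum variant v)
{
    if (v == BUGGY_DOUBLE_FREE) lib_conn_free(r->con); /* borrower frees what it does not own */
    r->con = NULL;
    e_free(r);
}

static void conn_obj_free(struct conn_obj *c, enum variant v)
{
    conn_obj_release(c, v);
    e_free(c);
}

/* One request's object teardown; returns what the checked heap observed. */
static struct heap_report teardown_report(enum variant v)
{
    ntable = 0;
    report = (struct heap_report){ 0, 0 };
    struct conn_obj *c = e_malloc(sizeof *c);
    c->con = lib_conn_new();
    struct result_obj *r = e_malloc(sizeof *r);
    r->con = c->con;
    if (v == HARDENED) conn_obj_release(c, v); /* script closed the connection explicitly */
    /* the engine destroys objects in reverse creation order: result, then connection */
    result_obj_free(r, v);
    conn_obj_free(c, v);
    return report;
}

int main(void)
{
    static const char *names[] = { "double free", "wrong allocator", "hardened" };
    for (int v = 0; v < 3; v++) {
        struct heap_report rep = teardown_report((enum variant)v);
        printf("%-16s double frees=%d allocator mismatches=%d\n", names[v], rep.double_frees, rep.mismatches);
    }
    return 0;
}
```

In a real extension the equivalent of the checked heap is building with AddressSanitizer or running the Apache child under valgrind: either reports the first invalid free together with the stack that allocated the block and the stack that freed it first, which is the information this bug lacks.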
