ius-community team mailing list archive

[Jakov Sosic <jsosic@xxxxxxxxx>]

On 07/27/2015 07:51 PM, Ben Harper wrote:
> Hey Jakov,
>
> Thanks for taking the time to reach out to us about this issue.  Can we
> assume this code and configuration worked with php55u with
> php55u-pecl-memcache?  Also can we assume the code works without the
> memcache module?  Have you tried the memcached module?
>
> With these types of issues, we need to figure out is this an upstream
> issue with the pecl module itself or an issue with the way the module is
> packaged.  While I am not an expert with the memcache module, I don't
> think this is issue with the way we package memcache.
>
> Looking over the output, I do see you are running an older version of
> PHP.  Have you tried with php56u-5.6.11?
>
> Looking over bugs for the memache module[0], I don't see anything that
> jumps out at me.  There are a few bugs that mention memcache_pool.c[1],
> but I am not sure if any of those are related.  It might be worth
> looking through those bugs.
>
> -Ben
>
>
> [0]
> https://bugs.php.net/search.php?cmd=display&status=Open&package_name[]=memcache
>
> [1]
> https://bugs.php.net/search.php?cmd=display&search_for=memcache_pool.c&x=0&y=0

Upon further debugging the page that actually generates segfault, I've 
come up to:

<?php chdir('..'); ?>

This is enough to generate a coredump.

This is backtrace:

Core was generated by `/usr/sbin/httpd'.
Program terminated with signal 11, Segmentation fault.
#0  _zend_mm_free_int (heap=0x7fc7f1b98200, p=0x7fc7f04c8a80) at 
/usr/src/debug/php-5.6.11/Zend/zend_alloc.c:2104
2104		if (ZEND_MM_IS_FREE_BLOCK(next_block)) {
Missing separate debuginfos, use: debuginfo-install 
libc-client-2007e-11.el6.x86_64 libidn-1.18-2.el6.x86_64 
libtool-ltdl-2.2.6-15.5.el6.x86_64 sqlite-3.6.20-1.el6.x86_64


(gdb) bt
#0  _zend_mm_free_int (heap=0x7fc7f1b98200, p=0x7fc7f04c8a80) at 
/usr/src/debug/php-5.6.11/Zend/zend_alloc.c:2104
#1  0x00007fc7e8f72dc7 in zif_accel_chdir (ht=<value optimized out>, 
return_value=<value optimized out>, return_value_ptr=<value optimized 
out>, this_ptr=<value optimized out>,
    return_value_used=<value optimized out>) at 
/usr/src/debug/php-5.6.11/ext/opcache/ZendAccelerator.c:162
#2  0x00007fc7e8d4674c in xdebug_handle_hit_value@plt () from 
/usr/lib64/php/modules/xdebug.so
#3  0x0000000000000000 in ?? ()


(gdb) print (char *)executor_globals.active_op_array->function_name
$1 = 0x0


(gdb) frame 0
#0  _zend_mm_free_int (heap=0x7fc7f1b98200, p=0x7fc7f04c8a80) at 
/usr/src/debug/php-5.6.11/Zend/zend_alloc.c:2104
2104		if (ZEND_MM_IS_FREE_BLOCK(next_block)) {


(gdb) info frame
Stack level 0, frame at 0x7ffc4bcd9160:
 rip = 0x7fc7ec82f905 in _zend_mm_free_int 
(/usr/src/debug/php-5.6.11/Zend/zend_alloc.c:2104); saved rip 0x7fc7e8f72dc7
 called by frame at 0x7ffc4bcda180
 source language c.
 Arglist at 0x7ffc4bcd9128, args: heap=0x7fc7f1b98200, p=0x7fc7f04c8a80
 Locals at 0x7ffc4bcd9128, Previous frame's sp is 0x7ffc4bcd9160
 Saved registers:
  rbx at 0x7ffc4bcd9130, rbp at 0x7ffc4bcd9138, r12 at 0x7ffc4bcd9140, 
r13 at 0x7ffc4bcd9148, r14 at 0x7ffc4bcd9150, rip at 0x7ffc4bcd9158


(gdb) info locals
mm_block = 0x7fc7f04c8a70
next_block = 0xff8fe0991018
size = 140496706766248


(gdb) print (char *)executor_globals.active_op_array->function_name
$3 = 0x0



Can you guys try to reproduce it?