Opened 8 years ago

Closed 7 years ago

Last modified 7 years ago

#109 closed defect (fixed)

Increment with ReadOnlyProtection causes crash

Reported by: oli
Owned by: moo
Priority: major
Milestone: 1.2.1
Component: cacher
Version: 1.2-dev
Keywords: good_report
Cc:
Application:
PHP Version: 5.2.3
Other Exts:
SAPI: apache1
Probability:
Blocked By:
Blocking:

Description

Hi,

We are running xcache on a medium-sized website. Lately we have experienced some stability problems with Apache children crashing. Since we did not use ReadOnlyProtection, we switched it on. Since then, things got even worse. We found out that every call to xcache_inc with a previously defined key results in a segfault. You should be able to reproduce the crash with the following PHP code:

<?php
    xcache_set('test', 10, 0);
    xcache_inc('test');
?>

Coredump:

(gdb) bt full
#0  0xb7691423 in xc_var_inc_dec (inc=1, ht=<value optimized out>, return_value=0x80f5778, return_value_ptr=0x0, this_ptr=0x0,
    return_value_used=0) at /usr/local/src/apache/xcache-1.2-dev/xcache.c:2012
        __orig_bailout = (jmp_buf *) 0xbfc07ab0
        __bailout = {{__jmpbuf = {-1217819508, -1077913172, 0, -1077913288, -1077913600, -1217850763}, __mask_was_saved = 0,
    __saved_mask = {__val = {0, 3217054008, 3217053728, 3077118116, 0, 0, 0, 0, 136423056, 0, 1, 16, 15, 9, 0, 136452504, 136452504,
        136453080, 136453152, 0, 1, 0, 0, 3077147788, 0, 0, 3217054248, 3217049392, 3077120052, 0, 3078507310, 3080448512}}}}
        xce = {type = XC_TYPE_VAR, hvalue = 7489, next = 0xb7e685a6, cache = 0xb66fd01c, size = 3080447972, refcount = 1,
  hits = 7489, ctime = 24, atime = -1234186212, dtime = 88, ttl = 0, name = {lval = 135235152, dval = 8.5547982065744084e-314,
    str = {val = 0x80f8650 "test", len = 4}, ht = 0x80f8650, obj = {handle = 135235152, handlers = 0x4}}, data = {php = 0xbfc05928,
    var = 0xbfc05928}, have_references = 158 '\236'}
        stored_xce = (xc_entry_t *) 0xb6705068
        var = {value = 0xb76911bb}
        stored_var = (xc_entry_data_var_t *) 0xb23050ac
        name = (zval *) 0x80f5760
        count = 1
        value = <value optimized out>
        oldzval = {value = {lval = 4, dval = 7.4133700810315886e-270, str = {val = 0x4 <Address 0x4 out of bounds>,
      len = 135222496}, ht = 0x4, obj = {handle = 4, handlers = 0x80f54e0}}, refcount = 3217054176, type = 20 '\024',
  is_ref = 0 '\0'}
#1  0xb6cbc6b8 in zend_do_fcall_common_helper_SPEC () from /usr/apache_back/libexec/libphp5.so
No symbol table info available.
#2  0x00000000 in ?? ()
No symbol table info available.

We verified this with two different systems:

  • Debian Linux, Apache 1.3.37, PHP 5.2.1, XCache 1.2 (stable)
  • Debian Linux, Apache 1.3.37, PHP 5.2.3, XCache 1.2.1-dev (latest)

Contact me, if you need any further information.

Best regards,

Oli

Change History (4)

comment:1 Changed 8 years ago by judas_iscariote

  • Keywords good_report added
  • Milestone set to 1.2.1

Right. Reproduced here. As a workaround, turn off the readonly protection and use the current 1.2.1-dev, where some apache1 incompatibilities were solved recently.

comment:2 Changed 8 years ago by moo

  • Status changed from new to assigned

trying to reproduce

comment:3 Changed 7 years ago by moo

  • Resolution set to fixed
  • Status changed from assigned to closed

fixed [423] [433]

thanks for your nice report

comment:4 Changed 7 years ago by oli

Many thanks for the fast bug fix. Great support and nice work. We are currently running 1.2.1-dev-r433 with ReadOnlyProtection and it seems to work fine. None of the children died for more than an hour. Without ReadOnlyProtection this almost never happened.
