Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#56 closed defect (fixed)

xcache_set segfaults when xcache.var_size=0

Reported by: judas_iscariote Owned by: moo
Priority: major Milestone: 1.2.1
Component: cacher Version: 1.2-dev
Keywords: Cc:
Application: PHP Version:
Other Exts: SAPI:
Probability: Blocked By:
Blocking:

Description

php -d xcache.var_size=0 -r 'xcache_set("foo","bar");'
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 46921336810352 (LWP 32175)]
0x00002aacb99edf1e in xc_entry_init_key_var (xce=0x7ffff1f5d6f0, name=0x2aacb8baeab8,
    tsrm_ls=0x9f5030) at /home/cristian/xcache-trunk/xcache.c:1724
1724            xce->cache = xc_var_caches[cacheid];
(gdb) bt full
#0  0x00002aacb99edf1e in xc_entry_init_key_var (xce=0x7ffff1f5d6f0, name=0x2aacb8baeab8,
    tsrm_ls=0x9f5030) at /home/cristian/xcache-trunk/xcache.c:1724
        hv = 6385231017
        cacheid = 0
#1  0x00002aacb99ee2a6 in zif_xcache_set (ht=2, return_value=0x2aacb8bafdd8,
    return_value_ptr=0x0, this_ptr=0x0, return_value_used=0, tsrm_ls=0x9f5030)
    at /home/cristian/xcache-trunk/xcache.c:1783
        xce = {type = 6528, hvalue = 7272903, next = 0x7ffff1f5d8d0, cache = 0x69a333,
  size = 8808992, refcount = 10440752, hits = 0, ctime = 4, atime = 10450816,
  dtime = 46921322003952, ttl = 0, name = {lval = 46921322010752,
    dval = 2.3182213262967284e-310, str = {val = 0x2aacb8bb1880 "foo", len = 3},
    ht = 0x2aacb8bb1880, obj = {handle = 3099269248, handlers = 0x3}}, data = {
    php = 0x7ffff1f5d780, var = 0x7ffff1f5d780}, have_references = 216 '▒'}
        stored_xce = (xc_entry_t *) 0x18
        var = {value = 0x86a3e8}
        name = (zval *) 0x2aacb8baeab8
        value = (zval *) 0x2aacb8baea50
#2  0x000000000074501a in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff1f5d930,
    tsrm_ls=0x9f5030) at /home/cristian/php5/Zend/zend_vm_execute.h:200
        return_reference = 0 '\0'
        opline = (zend_op *) 0x2aacb8bafb50
        original_return_value = (zval **) 0xb7ee20
        current_scope = (zend_class_entry *) 0x0
        current_this = (zval *) 0x0
        return_value_used = 0
        should_change_scope = 0 '\0'
        ctor_opline = (zend_op *) 0xb00000018
#3  0x000000000074c6bf in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7ffff1f5d930,
    tsrm_ls=0x9f5030) at /home/cristian/php5/Zend/zend_vm_execute.h:1681
        opline = (zend_op *) 0x2aacb8bafb50
        fname = (zval *) 0x2aacb8bafb80
#4  0x00000000007449ad in execute (op_array=0x2aacb8baf6c0, tsrm_ls=0x9f5030)
    at /home/cristian/php5/Zend/zend_vm_execute.h:92
        execute_data = {opline = 0x2aacb8bafb50, function_state = {function_symbol_table = 0x0,
    function = 0xb7ee40, reserved = {0x7ffff1f5d980, 0x0, 0x0, 0x0}}, fbc = 0x0,
  op_array = 0x2aacb8baf6c0, object = 0x0, Ts = 0x7ffff1f5d8d0, CVs = 0x7ffff1f5d8c0,
  original_in_execution = 0 '\0', symbol_table = 0x9f9478, prev_execute_data = 0x0,
  old_error_reporting = 0x0}
#5  0x0000000000707ffb in zend_eval_string (str=0x7ffff1f5e35a "xcache_set(\"foo\",\"bar\");",
    retval_ptr=0x0, string_name=0x874324 "Command line code", tsrm_ls=0x9f5030)
    at /home/cristian/php5/Zend/zend_execute_API.c:1143
        local_retval_ptr = (zval *) 0x0
        original_return_value_ptr_ptr = (zval **) 0x0
        original_opline_ptr = (zend_op **) 0x0
        pv = {value = {lval = 46921322002000, dval = 2.3182213258643221e-310, str = {
      val = 0x2aacb8baf650 "xcache_set(\"foo\",\"bar\");", len = 24}, ht = 0x2aacb8baf650,
    obj = {handle = 3099260496, handlers = 0x18}}, refcount = 12282912, type = 6 '\006',
  is_ref = 0 '\0'}
        new_op_array = (zend_op_array *) 0x2aacb8baf6c0
        original_active_op_array = (zend_op_array *) 0x0
        original_function_state_ptr = (zend_function_state *) 0x0
        original_handle_op_arrays = 1 '\001'
        retval = 6
#6  0x000000000070821f in zend_eval_string_ex (
    str=0x7ffff1f5e35a "xcache_set(\"foo\",\"bar\");", retval_ptr=0x0,
    string_name=0x874324 "Command line code", handle_exceptions=1, tsrm_ls=0x9f5030)
    at /home/cristian/php5/Zend/zend_execute_API.c:1177
        result = 0
#7  0x00000000007a8ce2 in main (argc=5, argv=0x7ffff1f5dee8)
    at /home/cristian/php5/sapi/cli/php_cli.c:1147
        __orig_bailout = (jmp_buf *) 0x0
        __bailout = {{__jmpbuf = {46921322753024, -69694545747936937, 0, 140737252810464, 0, 0,
      -69694545747935769, -69776305039202519}, __mask_was_saved = 0, __saved_mask = {__val = {
        0, 0, 0, 0, 0, 0, 0, 140737252809792, 0, 0, 0, 0, 4229737018, 46921322755648,
        46921322757472, 281474976710656}}}}
        exit_status = 0
        c = -1
        file_handle = {type = 2 '\002', filename = 0x8742cd "-", opened_path = 0x0, handle = {
    fd = -1180924256, fp = 0x2aacb99c86a0, stream = {handle = 0x2aacb99c86a0,
      reader = 0x177ff8e, closer = 0x42657a, fteller = 0xc, interactive = -1183134696}},
  free_filename = 0 '\0'}
        behavior = 6
        reflection_what = 0x0
        orig_optind = 1
        orig_optarg = 0x0
        arg_free = 0x7ffff1f5e35a "xcache_set(\"foo\",\"bar\");"
        arg_excp = (char **) 0x7ffff1f5df08
        script_file = 0x0
        interactive = 0
        module_started = 1
        request_started = 1
        lineno = 0
        exec_direct = 0x7ffff1f5e35a "xcache_set(\"foo\",\"bar\");"
        exec_run = 0x0
        exec_begin = 0x0
        exec_end = 0x0
        param_error = 0x0
        hide_argv = 0
        compiler_globals = (zend_compiler_globals *) 0x9f5030
        executor_globals = (zend_executor_globals *) 0x9f5030
        core_globals = (php_core_globals *) 0x9f5030
        sapi_globals = (sapi_globals_struct *) 0x9f51c0
        tsrm_ls = (void ***) 0x9f5030
        ini_entries_len = 128

this is branch 1.2 (even though the directory is called xcache-trunk)

Change History (6)

comment:1 Changed 7 years ago by moo

  • Status changed from new to assigned

comment:2 Changed 7 years ago by moo

  • Resolution set to fixed
  • Status changed from assigned to closed

fixed in [324]

comment:3 Changed 7 years ago by judas_iscariote

  • Resolution fixed deleted
  • Status changed from closed to reopened

now try

php -d xcache.var_size=-1 -r 'xcache_set("foo","bar");'

result

PHP Fatal error: XCache: internal error at /home/cristian/xcache-trunk/mmap.c#293 in Unknown on line 0

PHP Fatal error: XCache: Failed init memory allocator in Unknown on line 0

PHP Fatal error: XCache: failed init variable cache in Unknown on line 0

PHP Fatal error: XCache: Cannot init in Unknown on line 0

PHP Fatal error: Unable to start XCache module in Unknown on line 0

As a user I don't expect to see the message "internal error" (I'll immediately think there is a bug), especially since for most of the other php.ini settings that receive numeric values, "-1" means unlimited...

comment:4 Changed 7 years ago by moo

  • Resolution set to fixed
  • Status changed from reopened to closed

It is a bug that it didn't handle all the error cases that reach "the impossible".

fixed in #334, with robust error handling (it shouldn't SIGSEGV in any case), and added a validation to avoid the warning about an internal error

comment:5 Changed 7 years ago by moo

[334] i meant

comment:6 Changed 7 years ago by judas_iscariote

OK, much better now; however, the last commit left debug code in.

patch:

Index: xcache.c
===================================================================
--- xcache.c    (revisión: 338)
+++ xcache.c    (copia de trabajo)
@@ -1378,8 +1378,10 @@
                xc_var_caches = NULL;
        }
        xc_var_hcache.size = 0;
+
+#ifdef DEBUG
        fprintf(stderr, "set 0\n");
-
+#endif
        if (shm) {
                xc_shm_destroy(shm);
        }
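Review bot: The `fprintf(stderr, "set 0\n");` kept inside the new `#ifdef DEBUG` block is a leftover trace whose message says nothing about what was reset, so debug builds still emit an unexplained line on stderr from this cleanup path. Deleting the line outright would be cleaner than guarding it; if a trace is wanted here, have it name the state change, e.g. `fprintf(stderr, "xcache: var cache size reset to 0\n");` (constructed wording). The patch also drops the blank line that separated the trace from `if (shm) {`, so `#endif` now sits directly against the next statement. The enclosing function starts and ends outside the hunk, so whether `DEBUG` is the macro the rest of xcache.c uses for tracing should be confirmed before merging.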
