Segmentation fault in dcigettext.c:925 using Apache + PHP

[Wiebe Cazemier]

Hi,

We're running an Ubuntu 18.04 server with GNU Gettext 0.19.8.1-6ubuntu0.3, 
Apache 2.4.29-1ubuntu4.13, mod-php 7.2.24-0ubuntu0.18.04.6. We're getting 
occasional segmentation faults in the Apache worker, from dcigettext.c:925:

> Program terminated with signal SIGSEGV, Segmentation fault.
> [...snip...]
> 925     dcigettext.c: No such file or directory.
> (gdb) bt
> #0  _nl_find_msg (domain_file=domain_file@entry=0x55c520144980, 
> domainbinding=domainbinding@entry=0x55c520141aa0, 
> msgid=msgid@entry=0x7fd27b426610 "Home", convert=convert@entry=1, 
> lengthp=lengthp@entry=0x7ffde958b268) at dcigettext.c:925
> #1  0x00007fd29bc6f5eb in __dcigettext (domainname=<optimized out>, 
> msgid1=0x7fd27b426610 "Home", msgid2=0x0, plural=0, n=0, category=5) at 
> dcigettext.c:710
> #2  0x00007fd288adf649 in ?? () from /usr/lib/php/20170718/gettext.so

Full backtrace is attached.

dcigettext.c is actually installed by the gettext package (and it's the same 
one as 'apt-get source gettext' pulls in), but I think that version is not the 
one used to compile. Line 710 is not _nl_find_msg(). In fact, it's a comment.

But, if it is the file, line 925 is the call to W() here:


  /* Locate the MSGID and its translation.  */
  if (domain->hash_tab != NULL)
    {
      /* Use the hashing table.  */
      nls_uint32 len = strlen (msgid);
      nls_uint32 hash_val = __hash_string (msgid);
      nls_uint32 idx = hash_val % domain->hash_size;
      nls_uint32 incr = 1 + (hash_val % (domain->hash_size - 2));

      while (1)
  {
    nls_uint32 nstr =
      W (domain->must_swap_hash_tab, domain->hash_tab[idx]); // <- Line 925.

    if (nstr == 0)
      /* Hash table entry is empty.  */
      return NULL;


Then, the locals:


(gdb) info locals
nstr = <error reading variable nstr (Cannot access memory at address 
0x7fd27a571a08)>
len = <optimized out>
hash_val = <optimized out>
idx = 23
incr = 379
domain = 0x55c520144c10
nstrings = 665
act = <optimized out>
result = <optimized out>
resultlen = <optimized out>


The the domain struct:


(gdb) print *domain
$2 = {data = 0x7fd27a56f000 <error: Cannot access memory at address 
0x7fd27a56f000>, use_mmap = 1, mmap_size = 74773, must_swap = 0, malloced = 
0x0, nstrings = 665, orig_tab = 0x7fd27a56f01c, trans_tab = 0x7fd27a5704e4, 
n_sysdep_strings = 0, orig_sysdep_tab = 0x0, 
  trans_sysdep_tab = 0x0, hash_size = 887, hash_tab = 0x7fd27a5719ac, 
must_swap_hash_tab = 0, conversions = 0x55c51fd8e300, nconversions = 1, 
conversions_lock = {__data = {__readers = 0, __writers = 0, __wrphase_futex = 
0, __writers_futex = 0, __pad3 = 0, __pad4 = 0, 
      __cur_writer = 0, __shared = 0, __rwelision = 0 '\000', __pad1 = 
"\000\000\000\000\000\000", __pad2 = 0, __flags = 0}, __size = '\000' <repeats 
55 times>, __align = 0}, plural = 0x55c520143a00, nplurals = 1}


Then a frame up the trace (frame 1):


(gdb) info locals
domain = 0x55c520144980
binding = <optimized out>
categoryname = <optimized out>
categoryvalue = 0x7fd29186f20e ""
dirname = 0x55c520141ad0 "/var/www/website/includes/locale"
xdirname = 0x0
xdomainname = 0x7ffde958b1c0 "LC_MESSAGES/messages.mo"
single_locale = <optimized out>
retval = <optimized out>
retlen = 140728518357728
saved_errno = 2
search = {domainname = 0x7fd29bdf4830 <_nl_default_default_domain> "messages", 
category = 5, localename = 0x55c52034ab90 "zh_CN", counter = -1734892282, 
domain = 0x0, translation = 0x7fd2918826f8 "Turkish", translation_length = 0, 
msgid = {
    appended = 0x7ffde958b2a8 "\020fB{\322\177", ptr = 0x7fd27b426610 "Home"}}
foundp = 0x55c520144ce0
localename = 0x55c52034ab90 "zh_CN"
domainname_len = 8


Then the args:


(gdb) info args
domainname = <optimized out>
msgid1 = 0x7fd27b426610 "Home"
msgid2 = 0x0
plural = 0
n = 0
category = 5


Any ideas? Or any ideas how to debug further?

Regards,

Wiebe

gettext-backtrace.txt
Description: Text document