From:             matteo at beccati dot com
Operating system: GNU/Linux 2.6.18 x86_64
PHP version:      5.2.5
PHP Bug Type:     Reproducible crash
Bug description:  Segmentation fault during shutdown

Description:
------------
PHP 5.2.5 sometimes crashes with a segmentation fault after running a specific unit test suite. Unfortunately the issue isn't easily replicable and seems to happen randomly. We have CruiseControl running dozens of builds with different PHP versions back to 4.3 and it just happens that sometimes one of the builds using PHP 5.2.5 fails on a particular test. So far it happened when running tests with PostgreSQL 8.0, 8.1 and MySQL 5.0.

I've just tried to replicate the issue on another server and I finally did it. It crashes also on FreeBSD 6.2/amd64 using PHP 5.2.4 and MySQL 5.1. Surprisingly a similarly compiled 5.2.5 doesn't crash on this server.

Reproduce code:
---------------
svn export -r12748 https://svn.openads.org/openads/trunk OA-trunk
cd OA-trunk
cp etc/test.conf var/ ; edit var/test.conf.php and set the db parameters
cd tests
php run.php --type=unit --level=file --layer=dal --folder=lib/OA/Dal/Delivery --file=DeliveryDB.dal.test.php --format=text --host=test

Expected result:
----------------
UNIT: Data Abstraction Layer (DB): lib/OA/Dal/Delivery/DeliveryDB.dal.test.php
OK
Test cases run: 1/1, Passes: 302, Failures: 0, Exceptions: 0

Actual result:
--------------
UNIT: Data Abstraction Layer (DB): lib/OA/Dal/Delivery/DeliveryDB.dal.test.php
OK
Test cases run: 1/1, Passes: 302, Failures: 0, Exceptions: 0
Segmentation fault: 11 (core dumped)

gdb output on Linux / PHP 5.2.5
===============================
GNU gdb Red Hat Linux (6.5-16.el5rh)
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu"...Using host libthread_db library "/lib64/libthread_db.so.1".

Reading symbols from /lib64/libcrypt.so.1...done.
Loaded symbols for /lib64/libcrypt.so.1
Reading symbols from /usr/local/pgsql-8.2.5/lib/libpq.so.5...done.
Loaded symbols for /usr/local/pgsql-8.2.5/lib/libpq.so.5
Reading symbols from /lib64/librt.so.1...done.
Loaded symbols for /lib64/librt.so.1
Reading symbols from /usr/local/mysql-5.0.45-linux-x86_64-glibc23/lib/libmysqlclient.so.15...done.
Loaded symbols for /usr/local/mysql-5.0/lib/libmysqlclient.so.15
Reading symbols from /usr/lib64/libfreetype.so.6...done.
Loaded symbols for /usr/lib64/libfreetype.so.6
Reading symbols from /usr/lib64/libpng12.so.0...done.
Loaded symbols for /usr/lib64/libpng12.so.0
Reading symbols from /usr/lib64/libjpeg.so.62...done.
Loaded symbols for /usr/lib64/libjpeg.so.62
Reading symbols from /usr/lib64/libcurl.so.3...done.
Loaded symbols for /usr/lib64/libcurl.so.3
Reading symbols from /lib64/libresolv.so.2...done.
Loaded symbols for /lib64/libresolv.so.2
Reading symbols from /lib64/libm.so.6...done.
Loaded symbols for /lib64/libm.so.6
Reading symbols from /lib64/libdl.so.2...done.
Loaded symbols for /lib64/libdl.so.2
Reading symbols from /lib64/libnsl.so.1...done.
Loaded symbols for /lib64/libnsl.so.1
Reading symbols from /usr/lib64/libxml2.so.2...done.
Loaded symbols for /usr/lib64/libxml2.so.2
Reading symbols from /lib64/libssl.so.6...done.
Loaded symbols for /lib64/libssl.so.6
Reading symbols from /lib64/libcrypto.so.6...done.
Loaded symbols for /lib64/libcrypto.so.6
Reading symbols from /usr/lib64/libgssapi_krb5.so.2...done.
Loaded symbols for /usr/lib64/libgssapi_krb5.so.2
Reading symbols from /usr/lib64/libkrb5.so.3...done.
Loaded symbols for /usr/lib64/libkrb5.so.3
Reading symbols from /usr/lib64/libk5crypto.so.3...done.
Loaded symbols for /usr/lib64/libk5crypto.so.3
Reading symbols from /lib64/libcom_err.so.2...done.
Loaded symbols for /lib64/libcom_err.so.2
Reading symbols from /usr/lib64/libidn.so.11...done.
Loaded symbols for /usr/lib64/libidn.so.11
Reading symbols from /lib64/libc.so.6...done.
Loaded symbols for /lib64/libc.so.6
Reading symbols from /lib64/libpthread.so.0...done.
Loaded symbols for /lib64/libpthread.so.0
Reading symbols from /lib64/ld-linux-x86-64.so.2...done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
Reading symbols from /usr/lib64/libz.so.1...done.
Loaded symbols for /usr/lib64/libz.so.1
Reading symbols from /usr/lib64/libkrb5support.so.0...done.
Loaded symbols for /usr/lib64/libkrb5support.so.0
Reading symbols from /lib64/libnss_files.so.2...done.
Loaded symbols for /lib64/libnss_files.so.2
Core was generated by `/usr/local/php-5.2/bin/php run.php --type=unit --level=file --layer=dal --folde'.
Program terminated with signal 11, Segmentation fault.
#0  0x000000000069f095 in _zend_mm_free_int (heap=0x129eb330, p=0x13b898d0)
    at /usr/local/src/php-5.2.5/Zend/zend_alloc.c:807
807             ZEND_MM_CHECK_TREE(mm_block);
(gdb) bt full
#0  0x000000000069f095 in _zend_mm_free_int (heap=0x129eb330, p=0x13b898d0)
    at /usr/local/src/php-5.2.5/Zend/zend_alloc.c:807
        p = <value optimized out>
        mm_block = (zend_mm_block *) 0x13b89668
        next_block = (zend_mm_block *) 0x13b89920
        size = 96
#1  0x00000000006c4aae in zend_hash_destroy (ht=0x13a285e0)
    at /usr/local/src/php-5.2.5/Zend/zend_hash.c:531
        p = (Bucket *) 0x13b421e8
#2  0x00000000006b9a3f in _zval_dtor_func (zvalue=0x139ed0f8)
    at /usr/local/src/php-5.2.5/Zend/zend_variables.c:43
No locals.
#3  0x00000000006ad566 in _zval_ptr_dtor (zval_ptr=0x13a4f258)
    at /usr/local/src/php-5.2.5/Zend/zend_variables.h:35
No locals.
#4  0x00000000006c4a88 in zend_hash_destroy (ht=0x13d28448)
    at /usr/local/src/php-5.2.5/Zend/zend_hash.c:526
        p = (Bucket *) 0x13ba2480
#5  0x00000000006b9a3f in _zval_dtor_func (zvalue=0x13c9e128)
    at /usr/local/src/php-5.2.5/Zend/zend_variables.c:43
No locals.
#6  0x00000000006ad566 in _zval_ptr_dtor (zval_ptr=0x13b7e568)
    at /usr/local/src/php-5.2.5/Zend/zend_variables.h:35
No locals.
#7  0x00000000006c4a88 in zend_hash_destroy (ht=0x13ba3790)
    at /usr/local/src/php-5.2.5/Zend/zend_hash.c:526
        p = (Bucket *) 0x13cd6f68
#8  0x00000000006d4359 in zend_object_std_dtor (object=0x13ca7350)
    at /usr/local/src/php-5.2.5/Zend/zend_objects.c:45
No locals.
#9  0x00000000006d4379 in zend_objects_free_object_storage (object=0x129eb330)
    at /usr/local/src/php-5.2.5/Zend/zend_objects.c:122
No locals.
#10 0x00000000006d73fb in zend_objects_store_free_object_storage (
    objects=0xc44a40) at /usr/local/src/php-5.2.5/Zend/zend_objects_API.c:89
        i = 39
#11 0x00000000006adaec in shutdown_executor ()
    at /usr/local/src/php-5.2.5/Zend/zend_execute_API.c:299
        __bailout = {{__jmpbuf = {12863136, 1788433170706147115, 7051744, 0, 140735876909575, 0, 1788410096376635051, 1788433170712606839}, __mask_was_saved = 0, __saved_mask = {__val = {224601251756, 312816976, 224604232032, 12862816, 1, 0, 140735876909575, 0, 224601251756, 12845728, 0, 12864960, 4805079, 312889664, 12864224, 12862816}}}}
#12 0x00000000006ba062 in zend_deactivate ()
    at /usr/local/src/php-5.2.5/Zend/zend.c:860
        __orig_bailout = (jmp_buf *) 0x0
        __bailout = {{__jmpbuf = {12861248, 1788433170706147115, 1, 0, 140735876909575, 0, 1788410096376619435, 1788433170712543689}, __mask_was_saved = 0, __saved_mask = {__val = {224604232032, 48, 48, 7, 224604232032, 12863136, 1, 0, 140735876909575, 0, 224601251756, 1788410096376627707, 1788433170712238944, 206158430208, 140735876907376, 1}}}}
#13 0x000000000067848e in php_request_shutdown (dummy=<value optimized out>)
    at /usr/local/src/php-5.2.5/main/main.c:1485
        __bailout = {{__jmpbuf = {12863136, 1788433170710094219, 1, 0, 140735876909575, 0, 1788410096376619179, 1788433170712290697}, __mask_was_saved = 0, __saved_mask = {__val = {0, 0, 0, 0, 0, 0, 7, 0, 0, 0, 0, 0, 0, 0, 0, 0}}}}
        report_memleaks = 1 '\001'
#14 0x000000000073a285 in main (argc=9, argv=0x7fff9ff346f8)
    at /usr/local/src/php-5.2.5/sapi/cli/php_cli.c:1321
        __bailout = {{__jmpbuf = {0, 1788433170710094218,
    7306640099802838133, 8103230749319183720, 110, 7596570286683205949, 1788410096376619979, 1788433170710970368}, __mask_was_saved = 0, __saved_mask = {__val = {
    224600799864, 0, 46912507384152, 46912505074424, 224613378969, 224600849328, 224613372088, 4294967296, 4294967449, 46912507387520, 46912505076592, 140735876908224, 140735876908144, 2972705047, 224596626327, 0}}}}
        exit_status = 0
        c = <value optimized out>
        file_handle = {type = 2 '\002', filename = 0x7fff9ff34a07 "run.php", opened_path = 0x0, handle = {fd = 314281120, fp = 0x12bb8ca0, stream = {
    handle = 0x12bb8ca0, reader = 0x6cdab0 <zend_stream_stdio_reader>, closer = 0x6cda90 <zend_stream_stdio_closer>, fteller = 0x6cda80 <zend_stream_stdio_fteller>, interactive = 0}}, free_filename = 0 '\0'}
        behavior = 1
        reflection_what = 0x0
        orig_optind = 1
        orig_optarg = 0x0
        arg_free = <value optimized out>
        arg_excp = <value optimized out>
        script_file = 0x7fff9ff34a07 "run.php"
        interactive = 0
        module_started = 1
        request_started = 329950032
        lineno = 1
        exec_direct = 0x0
        exec_run = 0x0
        exec_begin = 0x0
        exec_end = 0x0
        param_error = <value optimized out>
        hide_argv = 0
        ini_entries_len = <value optimized out>

gdb output on FreeBSD / PHP 5.2.4
=================================
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "amd64-marcel-freebsd"...
Core was generated by `php'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libcrypt.so.3...done.
Loaded symbols for /lib/libcrypt.so.3
Reading symbols from /usr/local/pgsql/lib/libpq.so.5...done.
Loaded symbols for /usr/local/pgsql/lib/libpq.so.5
Reading symbols from /usr/local/lib/mysql/libmysqlclient.so.15...done.
Loaded symbols for /usr/local/lib/mysql/libmysqlclient.so.15
Reading symbols from /lib/libm.so.4...done.
Loaded symbols for /lib/libm.so.4
Reading symbols from /lib/libz.so.3...done.
Loaded symbols for /lib/libz.so.3
Reading symbols from /usr/local/lib/libmhash.so.2...done.
Loaded symbols for /usr/local/lib/libmhash.so.2
Reading symbols from /usr/local/lib/libmcrypt.so.8...done.
Loaded symbols for /usr/local/lib/libmcrypt.so.8
Reading symbols from /usr/local/lib/libltdl.so.4...done.
Loaded symbols for /usr/local/lib/libltdl.so.4
Reading symbols from /usr/local/lib/libintl.so.8...done.
Loaded symbols for /usr/local/lib/libintl.so.8
Reading symbols from /usr/local/lib/libfreetype.so.9...done.
Loaded symbols for /usr/local/lib/libfreetype.so.9
Reading symbols from /usr/local/lib/libpng.so.5...done.
Loaded symbols for /usr/local/lib/libpng.so.5
Reading symbols from /usr/local/lib/libjpeg.so.9...done.
Loaded symbols for /usr/local/lib/libjpeg.so.9
Reading symbols from /usr/local/lib/libcurl.so.4...done.
Loaded symbols for /usr/local/lib/libcurl.so.4
Reading symbols from /usr/lib/libssl.so.4...done.
Loaded symbols for /usr/lib/libssl.so.4
Reading symbols from /lib/libcrypto.so.4...done.
Loaded symbols for /lib/libcrypto.so.4
Reading symbols from /usr/local/lib/libxml2.so.5...done.
Loaded symbols for /usr/local/lib/libxml2.so.5
Reading symbols from /usr/local/lib/libiconv.so.3...done.
Loaded symbols for /usr/local/lib/libiconv.so.3
Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /libexec/ld-elf.so.1...done.
Loaded symbols for /libexec/ld-elf.so.1
#0  _zend_mm_free_int (heap=0xb64000, p=0x205da30)
    at /array1/compile/php-5.2.4-apache/Zend/zend_alloc.c:806
806             ZEND_MM_CHECK_TREE(mm_block);
(gdb) bt full
#0  _zend_mm_free_int (heap=0xb64000, p=0x205da30)
    at /array1/compile/php-5.2.4-apache/Zend/zend_alloc.c:806
        p = (zend_mm_free_block **) 0xb64648
        mm_block = (zend_mm_block *) 0x1f5ed20
        next_block = (zend_mm_block *) 0x1f5ed90
        size = 112
#1  0x00000000006dbc1d in zend_hash_destroy (ht=0x1f5ea78)
    at /array1/compile/php-5.2.4-apache/Zend/zend_hash.c:531
        p = (Bucket *) 0x1f12b58
        q = (Bucket *) 0x1f5ed30
#2  0x00000000006cf503 in _zval_dtor_func (zvalue=0x1f5ea50)
    at /array1/compile/php-5.2.4-apache/Zend/zend_variables.c:43
No locals.
#3  0x00000000006c17f5 in _zval_ptr_dtor (zval_ptr=0x1f09578)
    at zend_variables.h:35
No locals.
#4  0x00000000006dbc32 in zend_hash_destroy (ht=0x1f50468)
    at /array1/compile/php-5.2.4-apache/Zend/zend_hash.c:526
        p = (Bucket *) 0x1f29040
        q = (Bucket *) 0x1f09560
#5  0x00000000006cf503 in _zval_dtor_func (zvalue=0x1f63698)
    at /array1/compile/php-5.2.4-apache/Zend/zend_variables.c:43
No locals.
#6  0x00000000006c17f5 in _zval_ptr_dtor (zval_ptr=0x2179748)
    at zend_variables.h:35
No locals.
#7  0x00000000006dbc32 in zend_hash_destroy (ht=0x1f50960)
    at /array1/compile/php-5.2.4-apache/Zend/zend_hash.c:526
        p = (Bucket *) 0x1ef5ff8
        q = (Bucket *) 0x2179730
#8  0x00000000006e9cbd in zend_object_std_dtor (object=0x1f247c0)
    at /array1/compile/php-5.2.4-apache/Zend/zend_objects.c:45
No locals.
#9  0x00000000006e9f79 in zend_objects_free_object_storage (object=0x1f247c0)
    at /array1/compile/php-5.2.4-apache/Zend/zend_objects.c:122
No locals.
#10 0x00000000006ed0f6 in zend_objects_store_free_object_storage (
    objects=0xb5f940) at /array1/compile/php-5.2.4-apache/Zend/zend_objects_API.c:89
        i = 48
#11 0x00000000006c1e29 in shutdown_executor ()
    at /array1/compile/php-5.2.4-apache/Zend/zend_execute_API.c:299
        __orig_bailout = (jmp_buf *) 0x0
        __bailout = {{_jb = {7085378, 11925736, 140737488346872, 11924896, 11922496, 0, 0, 0, 140737488290687, 0, 0, 72057594070317848}}}
#12 0x00000000006d0195 in zend_deactivate ()
    at /array1/compile/php-5.2.4-apache/Zend/zend.c:860
        __orig_bailout = (jmp_buf *) 0x0
        __bailout = {{_jb = {7143797, 11922496, 140737488347432, 11924896, 11922496, 0, 0, 0, 11862911, 0, 0, 2184591365}}}
#13 0x000000000068d80f in php_request_shutdown (dummy=0x258)
    at /array1/compile/php-5.2.4-apache/main/main.c:1463
        __orig_bailout = (jmp_buf *) 0x0
        __bailout = {{_jb = {6870837, 140737488349864, 140737488347768, 140737488349848, 110, 0, 0, 0, 11535231, 0, 0, 140737488348656}}}
        report_memleaks = 1 '\001'
#14 0x0000000000760f8e in main (argc=9, argv=0x7fffffffea98)
    at /array1/compile/php-5.2.4-apache/sapi/cli/php_cli.c:1321
        __bailout = {{_jb = {7736934, 140737488349928, 140737488348856, 1, 110, 0, 0, 0, 2184971135, 0, 0, 2158826496}}}
        exit_status = 0
        c = -1
        file_handle = {type = 2 '\002', filename = 0x7fffffffec94 "run.php", opened_path = 0x0, handle = {fd = -2108630976, fp = 0x8250d840, stream = {
    handle = 0x8250d840, reader = 0x6e3430 <zend_stream_stdio_reader>, closer = 0x6e3450 <zend_stream_stdio_closer>, fteller = 0x6e3470 <zend_stream_stdio_fteller>, interactive = 0}}, free_filename = 0 '\0'}
        behavior = 1
        reflection_what = 0x0
        orig_optind = 1
        orig_optarg = 0x0
        arg_free = 0x7fffffffec94 "run.php"
        arg_excp = (char **) 0x258
        script_file = 0x7fffffffec94 "run.php"
        interactive = 0
        module_started = 1
        request_started = 1
        lineno = 1
        exec_direct = 0x0
        exec_run = 0x0
        exec_begin = 0x0
        exec_end = 0x0
        param_error = 0x0
        hide_argv = 0
        ini_entries_len = 110

--
Edit bug report at http://bugs.php.net/?id=43387&edit=1