Edit report at http://bugs.php.net/bug.php?id=52349&edit=1
ID: 52349
Comment by: jan-php at kantert dot net
Reported by: mbecc...@php.net
Summary: "zend_mm_heap corrupted" error
Status: Feedback
Type: Bug
Package: Reproducible crash
Operating System: FreeBSD 6.2
PHP Version: 5.3.3RC3
Assigned To: dmitry
Block user comment: N
Private report: N

New Comment:

Same bug on Ubuntu 10.04 LTS x86_64
PHP 5.3.2-1ubuntu4.7 with Suhosin-Patch (cli) (built: Jan 12 2011 18:36:55)

Also happens only 30% of the time. Sometimes "just" segfaults without error. Sometimes with this error. Happens when running the archive.sh in piwik.

strace /usr/bin/php5 -q /home/XXX/misc/cron/../../index.php

We did an strace on the process and noticed some things. If it segfaults (only then) there are a lot of brk lines:

brk(0x805a000) = 0x805a000
brk(0x809a000) = 0x809a000
brk(0x80da000) = 0x80da000
brk(0x811a000) = 0x811a000
brk(0x815a000) = 0x815a000
brk(0x819a000) = 0x819a000
brk(0x81da000) = 0x81da000
brk(0x821a000) = 0x821a000
brk(0x825a000) = 0x825a000
brk(0x829a000) = 0x829a000
brk(0x82da000) = 0x82da000
brk(0x831a000) = 0x831a000
brk(0x835a000) = 0x835a000
brk(0x839a000) = 0x839a000
brk(0x83da000) = 0x83da000

At the end:

close(5) = 0
close(4) = 0
munmap(0x7fcae32e3000, 528384) = 0
write(3, "\1\0\0\0\1", 5) = 5
shutdown(3, 2 /* send and receive */) = 0
close(3) = 0
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++
Segmentation fault

Previous Comments:
------------------------------------------------------------------------
[2010-07-16 08:23:30] dmi...@php.net

Sorry, but I need a script to reproduce and fix the bug. In case it's a big application, I can try to debug it on your system if you give me SSH access, but it's more difficult.

------------------------------------------------------------------------
[2010-07-15 18:19:34] mbecc...@php.net

Assigning to dmitry, per IRC chat.

------------------------------------------------------------------------
[2010-07-15 18:12:40] mbecc...@php.net

Description:
------------
A few things:
* It happens when running a specific "simpletest" integration test
* It doesn't always happen, roughly 33-50% of the time
* Never happened with 5.3.2, I got a report from Bamboo as soon as I upgraded to 5.3.3RC3

Of course I can't get a simple reproduce script as the aforementioned test does tons of things, but of course I can provide more information, SSH access, or try anything I'm asked to.

Test script:
---------------
n/a

Expected result:
----------------
No failure

Actual result:
--------------
zend_mm_heap corrupted exit message, with the following backtrace

#0 0x000000000079f25b in zval_scan (pz=0x3b31970) at /array1/compile/php-5.3.3RC3-fcgi/Zend/zend_gc.c:485
        p = (Bucket *) 0x3661108
#1 0x000000000079f6b9 in gc_collect_cycles () at /array1/compile/php-5.3.3RC3-fcgi/Zend/zend_gc.c:535
        p = (zval_gc_info *) 0xee5ee0
        q = (zval_gc_info *) 0x0
        orig_free_list = (zval_gc_info *) 0x7fffffffc6e0
        orig_next_to_free = (zval_gc_info *) 0x211ef18
        count = 0
#2 0x000000000079fbd8 in gc_zval_possible_root (zv=0x33588b0) at /array1/compile/php-5.3.3RC3-fcgi/Zend/zend_gc.c:166
        newRoot = (gc_root_buffer *) 0x3627830
#3 0x00000000007a4fde in zend_assign_to_object (result=0x211ef18, object_ptr=0xe567a0, property_name=0x211ef60, value_op=0x211efb0, Ts=0x113b228, opcode=136) at /array1/compile/php-5.3.3RC3-fcgi/Zend/zend_execute.c:602
        object = (zval *) 0x3632b70
        free_value = {var = 0x113b701}
        value = (zval *) 0x33588b0
        retval = (zval **) 0x113b6e0
#4 0x00000000007e2796 in ZEND_ASSIGN_OBJ_SPEC_UNUSED_CONST_HANDLER (execute_data=0x113b190) at zend_vm_execute.h:17645
        opline = (zend_op *) 0x0
#5 0x00000000007a65f9 in execute (op_array=0x2119968) at zend_vm_execute.h:107
        ret = 0
        execute_data = (zend_execute_data *) 0x113b190
        nested = 1 '\001'
        original_in_execution = 1 '\001'
#6 0x0000000000777d94 in zend_call_function (fci=0x7fffffffc970, fci_cache=0x0) at /array1/compile/php-5.3.3RC3-fcgi/Zend/zend_execute_API.c:963
        call_via_handler = 34934168
        i = 18062328
        original_return_value = (zval **) 0x1139bf8
        calling_symbol_table = (HashTable *) 0x0
        original_op_array = (zend_op_array *) 0x2150d98
        original_opline_ptr = (zend_op **) 0x1139f28
        current_scope = (zend_class_entry *) 0x2118528
        current_called_scope = (zend_class_entry *) 0x2104658
        calling_scope = (zend_class_entry *) 0x2104658
        called_scope = (zend_class_entry *) 0x2104658
        current_this = (zval *) 0x30c9840
        execute_data = {opline = 0x0, function_state = {function = 0x2109b78, arguments = 0x113a068}, fbc = 0x0, called_scope = 0x0, op_array = 0x0, object = 0x3632b70, Ts = 0x1139fe0, CVs = 0x1139fc0, symbol_table = 0x0, prev_execute_data = 0x1139f28, old_error_reporting = 0x0, nested = 1 '\001', original_return_value = 0x2104658, current_scope = 0x30c9840, current_called_scope = 0x0, current_this = 0x0, current_object = 0x0, call_opline = 0x1139fc8}
#7 0x0000000000728986 in xml_call_handler (parser=0x2f77938, handler=0x3356688, function_ptr=0x3627830, argc=3, argv=0x7fffffffca50) at /array1/compile/php-5.3.3RC3-fcgi/ext/xml/xml.c:530
        args = (zval ***) 0x2f7e210
        retval = (zval *) 0x0
        result = -13744
        fci = {size = 72, function_table = 0xe58180, function_name = 0x3356688, symbol_table = 0x0, retval_ptr_ptr = 0x7fffffffc968, param_count = 3, params = 0x2f7e210, object_ptr = 0x3632b70, no_separation = 0 '\0'}
        i = 3
#8 0x000000000072926a in _xml_startElementHandler (userData=0x2f77938, name=0x11fa8c0 "plugin", attributes=0x0) at /array1/compile/php-5.3.3RC3-fcgi/ext/xml/xml.c:822
        attrs = (const char **) 0x0
        att = 0x0
        val = 0x11fa8c0 "plugin"
        val_len = 0
        retval = (zval *) 0x821ae6ce
        args = {0x37ba0f0, 0x3359b18, 0x37ba450}
#9 0x000000000072b56e in _start_element_handler (user=0x2d40860, name=0x11fa8c0 "plugin", attributes=0x0) at /array1/compile/php-5.3.3RC3-fcgi/ext/xml/compat.c:84
        qualified_name = (xmlChar *) 0x11fa8c0 "plugin"
#10 0x00000000820fa26a in xmlParseStartTag () from /usr/local/lib/libxml2.so.5
No symbol table info available.
#11 0x00000000820ff102 in xmlParseTryOrFinish () from /usr/local/lib/libxml2.so.5
No symbol table info available.
#12 0x00000000821004ab in xmlParseChunk () from /usr/local/lib/libxml2.so.5
No symbol table info available.
#13 0x000000000072c00d in php_XML_Parse (parser=0x2d40860, data=0x3540020 "", data_len=56784944, is_final=0) at /array1/compile/php-5.3.3RC3-fcgi/ext/xml/compat.c:605
        error = 0
#14 0x000000000072a963 in zif_xml_parse (ht=62069104, return_value=0x374c980, return_value_ptr=0x3627830, this_ptr=0x0, return_value_used=0) at /array1/compile/php-5.3.3RC3-fcgi/ext/xml/xml.c:1464
        parser = (xml_parser *) 0x2f77938
        pind = (zval *) 0x374ccf0
        data = 0x3356e18 "<?xml version=\"1.0\" encoding=\"ISO-8859-1\" ?>\n<?xml-stylesheet type=\"text/xsl\" href=\"\"?>\n\n<plugin>\n <name>apRetargetingDriverExternalUI</name>\n <creationDate>2010-06-10</creationDate>\n <author"...
        data_len = 1075
        ret = 0
        isFinal = 1
#15 0x00000000007a7100 in zend_do_fcall_common_helper_SPEC (execute_data=0x1139f28) at zend_vm_execute.h:316
        i = 3
        p = (zval **) 0x113a048
        arg_count = 0
        opline = (zend_op *) 0x213f2b8
        should_change_scope = 0 '\0'
#16 0x00000000007a65f9 in execute (op_array=0x2150d98) at zend_vm_execute.h:107
        ret = 0
        execute_data = (zend_execute_data *) 0x1139f28
        nested = 1 '\001'
        original_in_execution = 0 '\0'
#17 0x0000000000785675 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /array1/compile/php-5.3.3RC3-fcgi/Zend/zend.c:1194
        files = {{gp_offset = 40, fp_offset = 48, overflow_arg_area = 0x7fffffffcf30, reg_save_area = 0x7fffffffce40}}
        i = 1
        file_handle = (zend_file_handle *) 0x7fffffffe850
        orig_op_array = (zend_op_array *) 0x0
        orig_retval_ptr_ptr = (zval **) 0x0
#18 0x0000000000735158 in php_execute_script (primary_file=0x7fffffffe850) at /array1/compile/php-5.3.3RC3-fcgi/main/main.c:2260
        realfile = "/usr/local/bamboo/test-home/xml-data/build-dir/RET-TRUNK/tests/run.php\000\000>@Ã\200\000\000\000\000\000\027Ã\200\000\000\000\0000áÿÿÿ\177\000\000\000\000\000\000\000\000\000\000\001\000\000\000\000\000\000\000\t*¹\n\000\000\000\000é=Ã\200", '\0' <repeats 13 times>, "rÃ\200\000\000\000\000(áÿÿÿ\177\000\000\000\000\000\000\000\000\000\000páÿÿÿ\177\000\000ç\016", '\0' <repeats 14 times>, "\001\000\000\000\000\000\000\000\t*¹\n\000\000\000\000\001<Ã\200\000\000\000"...
        prepend_file_p = (zend_file_handle *) 0x0
        append_file_p = (zend_file_handle *) 0x0
        prepend_file = {type = ZEND_HANDLE_FILENAME, filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, isatty = 0, mmap = {len = 0, pos = 0, map = 0x0, buf = 0x0, old_handle = 0x0, old_closer = 0}, reader = 0, fsizer = 0, closer = 0}}, free_filename = 0 '\0'}
        append_file = {type = ZEND_HANDLE_FILENAME, filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, isatty = 0, mmap = {len = 0, pos = 0, map = 0x0, buf = 0x0, old_handle = 0x0, old_closer = 0}, reader = 0, fsizer = 0, closer = 0}}, free_filename = 0 '\0'}
        old_cwd = 0x7fffffffcf40 ""
        retval = 0
#19 0x00000000008099fb in main (argc=9, argv=0x7fffffffe948) at /array1/compile/php-5.3.3RC3-fcgi/sapi/cli/php_cli.c:1192
        len = 140737488348832
        argn = (zval *) 0x80de6600
        input = 0x0
        index = 9
        argi = (zval *) 0x80ee0030
        exit_status = 0
        c = 0
        file_handle = {type = ZEND_HANDLE_MAPPED, filename = 0x7fffffffeb75 "run.php", opened_path = 0x0, handle = {fd = 15152376, fp = 0xe734f8, stream = {handle = 0xe734f8, isatty = 0, mmap = {len = 5351, pos = 0, map = 0x80df4000, buf = 0x80df4000 <Address 0x80df4000 out of bounds>, old_handle = 0x8270d840, old_closer = 0x797cd0 <zend_stream_stdio_closer>}, reader = 0x797cb0 <zend_stream_stdio_reader>, fsizer = 0x797cf0 <zend_stream_stdio_fsizer>, closer = 0x797d50 <zend_stream_mmap_closer>}}, free_filename = 0 '\0'}
        behavior = 1
        reflection_what = 0x0
        orig_optind = 1
        orig_optarg = 0x0
        arg_free = 0x7fffffffeb75 "run.php"
        arg_excp = (char **) 0x3540020
        script_file = 0x7fffffffeb75 "run.php"
        interactive = 0
        module_started = 1
        request_started = 1
        lineno = 1
        exec_direct = 0x0
        exec_run = 0x0
        exec_begin = 0x0
        exec_end = 0x0
        param_error = 0x0
        hide_argv = 0
        ini_entries_len = -6496

------------------------------------------------------------------------