Edit report at http://bugs.php.net/bug.php?id=52349&edit=1

 ID:                 52349
 Comment by:         jan-php at kantert dot net
 Reported by:        mbecc...@php.net
 Summary:            "zend_mm_heap corrupted" error
 Status:             Feedback
 Type:               Bug
 Package:            Reproducible crash
 Operating System:   FreeBSD 6.2
 PHP Version:        5.3.3RC3
 Assigned To:        dmitry
 Block user comment: N
 Private report:     N

 New Comment:

Same bug on Ubuntu 10.04 LTS x86_64

PHP 5.3.2-1ubuntu4.7 with Suhosin-Patch (cli) (built: Jan 12 2011 18:36:55)

Also happens only 30% of the time. Sometimes it "just" segfaults without
the error, sometimes with this error. Happens when running the archive.sh in
piwik.

strace /usr/bin/php5 -q /home/XXX/misc/cron/../../index.php

We ran strace on the process and noticed some things. If it segfaults
(and only then) there are a lot of brk lines:

brk(0x805a000)                          = 0x805a000
brk(0x809a000)                          = 0x809a000
brk(0x80da000)                          = 0x80da000
brk(0x811a000)                          = 0x811a000
brk(0x815a000)                          = 0x815a000
brk(0x819a000)                          = 0x819a000
brk(0x81da000)                          = 0x81da000
brk(0x821a000)                          = 0x821a000
brk(0x825a000)                          = 0x825a000
brk(0x829a000)                          = 0x829a000
brk(0x82da000)                          = 0x82da000
brk(0x831a000)                          = 0x831a000
brk(0x835a000)                          = 0x835a000
brk(0x839a000)                          = 0x839a000
brk(0x83da000)                          = 0x83da000

At the end:

close(5)                                = 0
close(4)                                = 0
munmap(0x7fcae32e3000, 528384)          = 0
write(3, "\1\0\0\0\1", 5)               = 5
shutdown(3, 2 /* send and receive */)   = 0
close(3)                                = 0
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++
Segmentation fault

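As an added triage helper (not part of this report, of PHP or of piwik), the following Python parser reads strace output of the kind quoted in the comment above, counts the brk() calls, measures how far the program break moved, and records the fatal signal, so that crashing and non-crashing runs of the same script can be compared side by side. The sample log is constructed from the lines quoted in the comment.

```python
import re

# Constructed sample, modelled on the strace excerpt quoted in the comment.
SAMPLE_STRACE = r"""
brk(0x805a000)                          = 0x805a000
brk(0x809a000)                          = 0x809a000
brk(0x80da000)                          = 0x80da000
close(5)                                = 0
munmap(0x7fcae32e3000, 528384)          = 0
write(3, "\1\0\0\0\1", 5)               = 5
shutdown(3, 2 /* send and receive */)   = 0
close(3)                                = 0
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++
"""

# brk(addr) = result; strace prints NULL or 0 for the initial query call
BRK_RE = re.compile(r"^brk\((?:0x[0-9a-fA-F]+|NULL|0)\)\s*=\s*(0x[0-9a-fA-F]+)")
KILLED_RE = re.compile(r"^\+\+\+ killed by (SIG[A-Z]+)")


def summarize_strace(text):
    """Return (brk_calls, heap_growth_bytes, fatal_signal) for one strace log.

    heap_growth_bytes is the distance between the first and last program
    break reported by brk(); fatal_signal is None if the process was not
    killed by a signal (no '+++ killed by ...' line).
    """
    brk_calls = 0
    first_break = last_break = None
    fatal_signal = None
    for line in text.splitlines():
        m = BRK_RE.match(line)
        if m:
            brk_calls += 1
            addr = int(m.group(1), 16)
            if first_break is None:
                first_break = addr
            last_break = addr
            continue
        m = KILLED_RE.match(line)
        if m:
            fatal_signal = m.group(1)
    growth = 0 if first_break is None else last_break - first_break
    return brk_calls, growth, fatal_signal


if __name__ == "__main__":
    calls, growth, signal = summarize_strace(SAMPLE_STRACE)
    print(f"brk calls: {calls}, heap growth: {growth // 1024} KiB, "
          f"killed by: {signal}")
```

Feed it the full `strace -o` log of a run that crashed and one that did not; a much larger brk count and growth in the crashing run supports the heap-growth observation above, while no difference points elsewhere.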

Previous Comments:
------------------------------------------------------------------------
[2010-07-16 08:23:30] dmi...@php.net

Sorry, but I need a script to reproduce and fix this bug. In case
it's a big application, I can try to debug it on your system if you give
me SSH access, but it's more difficult.

------------------------------------------------------------------------
[2010-07-15 18:19:34] mbecc...@php.net

Assigning to dmitry, per IRC chat.

------------------------------------------------------------------------
[2010-07-15 18:12:40] mbecc...@php.net

Description:
------------
A few things:

* It happens when running a specific "simpletest" integration test
* It doesn't always happen, roughly 33-50% of the time
* Never happened with 5.3.2, I got a report from Bamboo as soon as I
upgraded to 5.3.3RC3

Of course I can't get a simple reproduce script as the aforementioned
test does tons of things, but of course I can provide more information,
SSH access, or try anything I'm asked to.

Test script:
---------------
n/a

Expected result:
----------------
No failure

Actual result:
--------------
zend_mm_heap corrupted exit message, with the following backtrace:

#0  0x000000000079f25b in zval_scan (pz=0x3b31970) at
/array1/compile/php-5.3.3RC3-fcgi/Zend/zend_gc.c:485

        p = (Bucket *) 0x3661108

#1  0x000000000079f6b9 in gc_collect_cycles () at
/array1/compile/php-5.3.3RC3-fcgi/Zend/zend_gc.c:535

        p = (zval_gc_info *) 0xee5ee0

        q = (zval_gc_info *) 0x0

        orig_free_list = (zval_gc_info *) 0x7fffffffc6e0

        orig_next_to_free = (zval_gc_info *) 0x211ef18

        count = 0

#2  0x000000000079fbd8 in gc_zval_possible_root (zv=0x33588b0) at
/array1/compile/php-5.3.3RC3-fcgi/Zend/zend_gc.c:166

        newRoot = (gc_root_buffer *) 0x3627830

#3  0x00000000007a4fde in zend_assign_to_object (result=0x211ef18,
object_ptr=0xe567a0, property_name=0x211ef60, value_op=0x211efb0,
Ts=0x113b228, opcode=136) at
/array1/compile/php-5.3.3RC3-fcgi/Zend/zend_execute.c:602

        object = (zval *) 0x3632b70

        free_value = {var = 0x113b701}

        value = (zval *) 0x33588b0

        retval = (zval **) 0x113b6e0

#4  0x00000000007e2796 in ZEND_ASSIGN_OBJ_SPEC_UNUSED_CONST_HANDLER
(execute_data=0x113b190) at zend_vm_execute.h:17645

        opline = (zend_op *) 0x0

#5  0x00000000007a65f9 in execute (op_array=0x2119968) at
zend_vm_execute.h:107

        ret = 0

        execute_data = (zend_execute_data *) 0x113b190

        nested = 1 '\001'

        original_in_execution = 1 '\001'

#6  0x0000000000777d94 in zend_call_function (fci=0x7fffffffc970,
fci_cache=0x0) at
/array1/compile/php-5.3.3RC3-fcgi/Zend/zend_execute_API.c:963

        call_via_handler = 34934168

        i = 18062328

        original_return_value = (zval **) 0x1139bf8

        calling_symbol_table = (HashTable *) 0x0

        original_op_array = (zend_op_array *) 0x2150d98

        original_opline_ptr = (zend_op **) 0x1139f28

        current_scope = (zend_class_entry *) 0x2118528

        current_called_scope = (zend_class_entry *) 0x2104658

        calling_scope = (zend_class_entry *) 0x2104658

        called_scope = (zend_class_entry *) 0x2104658

        current_this = (zval *) 0x30c9840

        execute_data = {opline = 0x0, function_state = {function =
0x2109b78, arguments = 0x113a068}, fbc = 0x0, called_scope = 0x0,
op_array = 0x0, object = 0x3632b70, Ts = 0x1139fe0, CVs = 0x1139fc0,
symbol_table = 0x0,

  prev_execute_data = 0x1139f28, old_error_reporting = 0x0, nested = 1
'\001', original_return_value = 0x2104658, current_scope = 0x30c9840,
current_called_scope = 0x0, current_this = 0x0, current_object = 0x0,
call_opline = 0x1139fc8}

#7  0x0000000000728986 in xml_call_handler (parser=0x2f77938,
handler=0x3356688, function_ptr=0x3627830, argc=3, argv=0x7fffffffca50)
at /array1/compile/php-5.3.3RC3-fcgi/ext/xml/xml.c:530

        args = (zval ***) 0x2f7e210

        retval = (zval *) 0x0

        result = -13744

        fci = {size = 72, function_table = 0xe58180, function_name =
0x3356688, symbol_table = 0x0, retval_ptr_ptr = 0x7fffffffc968,
param_count = 3, params = 0x2f7e210, object_ptr = 0x3632b70,
no_separation = 0 '\0'}

        i = 3

#8  0x000000000072926a in _xml_startElementHandler (userData=0x2f77938,
name=0x11fa8c0 "plugin", attributes=0x0) at
/array1/compile/php-5.3.3RC3-fcgi/ext/xml/xml.c:822

        attrs = (const char **) 0x0

        att = 0x0

        val = 0x11fa8c0 "plugin"

        val_len = 0

        retval = (zval *) 0x821ae6ce

        args = {0x37ba0f0, 0x3359b18, 0x37ba450}

#9  0x000000000072b56e in _start_element_handler (user=0x2d40860,
name=0x11fa8c0 "plugin", attributes=0x0) at
/array1/compile/php-5.3.3RC3-fcgi/ext/xml/compat.c:84

        qualified_name = (xmlChar *) 0x11fa8c0 "plugin"

#10 0x00000000820fa26a in xmlParseStartTag () from
/usr/local/lib/libxml2.so.5

No symbol table info available.

#11 0x00000000820ff102 in xmlParseTryOrFinish () from
/usr/local/lib/libxml2.so.5

No symbol table info available.

#12 0x00000000821004ab in xmlParseChunk () from
/usr/local/lib/libxml2.so.5

No symbol table info available.

#13 0x000000000072c00d in php_XML_Parse (parser=0x2d40860,
data=0x3540020 "", data_len=56784944, is_final=0) at
/array1/compile/php-5.3.3RC3-fcgi/ext/xml/compat.c:605

        error = 0

#14 0x000000000072a963 in zif_xml_parse (ht=62069104,
return_value=0x374c980, return_value_ptr=0x3627830, this_ptr=0x0,
return_value_used=0) at
/array1/compile/php-5.3.3RC3-fcgi/ext/xml/xml.c:1464

        parser = (xml_parser *) 0x2f77938

        pind = (zval *) 0x374ccf0

        data = 0x3356e18 "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"
?>\n<?xml-stylesheet type=\"text/xsl\" href=\"\"?>\n\n<plugin>\n   
<name>apRetargetingDriverExternalUI</name>\n   
<creationDate>2010-06-10</creationDate>\n    <author"...

        data_len = 1075

        ret = 0

        isFinal = 1

#15 0x00000000007a7100 in zend_do_fcall_common_helper_SPEC
(execute_data=0x1139f28) at zend_vm_execute.h:316

        i = 3

        p = (zval **) 0x113a048

        arg_count = 0

        opline = (zend_op *) 0x213f2b8

        should_change_scope = 0 '\0'

#16 0x00000000007a65f9 in execute (op_array=0x2150d98) at
zend_vm_execute.h:107

        ret = 0

        execute_data = (zend_execute_data *) 0x1139f28

        nested = 1 '\001'

        original_in_execution = 0 '\0'

#17 0x0000000000785675 in zend_execute_scripts (type=8, retval=0x0,
file_count=3) at /array1/compile/php-5.3.3RC3-fcgi/Zend/zend.c:1194

        files = {{gp_offset = 40, fp_offset = 48, overflow_arg_area =
0x7fffffffcf30, reg_save_area = 0x7fffffffce40}}

        i = 1

        file_handle = (zend_file_handle *) 0x7fffffffe850

        orig_op_array = (zend_op_array *) 0x0

        orig_retval_ptr_ptr = (zval **) 0x0

#18 0x0000000000735158 in php_execute_script
(primary_file=0x7fffffffe850) at
/array1/compile/php-5.3.3RC3-fcgi/main/main.c:2260

        realfile =
"/usr/local/bamboo/test-home/xml-data/build-dir/RET-TRUNK/tests/run.php\000\000>@Ü\200\000\000\000\000\000\027Þ\200\000\000\000\0000áÿÿÿ\177\000\000\000\000\000\000\000\000\000\000\001\000\000\000\000\000\000\000\t*¹\n\000\000\000\000é=Ü\200",
'\0' <repeats 13 times>,
"rÞ\200\000\000\000\000(áÿÿÿ\177\000\000\000\000\000\000\000\000\000\000páÿÿÿ\177\000\000ç\016",
'\0' <repeats 14 times>,
"\001\000\000\000\000\000\000\000\t*¹\n\000\000\000\000\001<Ü\200\000\000\000"...

        prepend_file_p = (zend_file_handle *) 0x0

        append_file_p = (zend_file_handle *) 0x0

        prepend_file = {type = ZEND_HANDLE_FILENAME, filename = 0x0,
opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0,
isatty = 0, mmap = {len = 0, pos = 0, map = 0x0, buf = 0x0, old_handle =
0x0, old_closer = 0},

      reader = 0, fsizer = 0, closer = 0}}, free_filename = 0 '\0'}

        append_file = {type = ZEND_HANDLE_FILENAME, filename = 0x0,
opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0,
isatty = 0, mmap = {len = 0, pos = 0, map = 0x0, buf = 0x0, old_handle =
0x0, old_closer = 0},

      reader = 0, fsizer = 0, closer = 0}}, free_filename = 0 '\0'}

        old_cwd = 0x7fffffffcf40 ""

        retval = 0

#19 0x00000000008099fb in main (argc=9, argv=0x7fffffffe948) at
/array1/compile/php-5.3.3RC3-fcgi/sapi/cli/php_cli.c:1192

        len = 140737488348832

        argn = (zval *) 0x80de6600

        input = 0x0

        index = 9

        argi = (zval *) 0x80ee0030

        exit_status = 0

        c = 0

        file_handle = {type = ZEND_HANDLE_MAPPED, filename =
0x7fffffffeb75 "run.php", opened_path = 0x0, handle = {fd = 15152376, fp
= 0xe734f8, stream = {handle = 0xe734f8, isatty = 0, mmap = {len = 5351,
pos = 0, map = 0x80df4000,

        buf = 0x80df4000 <Address 0x80df4000 out of bounds>, old_handle
= 0x8270d840, old_closer = 0x797cd0 <zend_stream_stdio_closer>}, reader
= 0x797cb0 <zend_stream_stdio_reader>, fsizer = 0x797cf0
<zend_stream_stdio_fsizer>,

      closer = 0x797d50 <zend_stream_mmap_closer>}}, free_filename = 0
'\0'}

        behavior = 1

        reflection_what = 0x0

        orig_optind = 1

        orig_optarg = 0x0

        arg_free = 0x7fffffffeb75 "run.php"

        arg_excp = (char **) 0x3540020

        script_file = 0x7fffffffeb75 "run.php"

        interactive = 0

        module_started = 1

        request_started = 1

        lineno = 1

        exec_direct = 0x0

        exec_run = 0x0

        exec_begin = 0x0

        exec_end = 0x0

        param_error = 0x0

        hide_argv = 0

        ini_entries_len = -6496

------------------------------------------------------------------------