Edit report at https://bugs.php.net/bug.php?id=54488&edit=1
ID: 54488
Updated by: f...@php.net
Reported by: dbetz at df dot eu
Summary: SIGSEGV in zend_assign_to_variable
-Status: Open
+Status: Assigned
Type: Bug
Package: FPM related
Operating System: Gentoo
PHP Version: 5.3.6
-Assigned To:
+Assigned To: fat
Block user comment: N
Private report: N
Previous Comments:
------------------------------------------------------------------------
[2011-04-15 10:36:04] dbetz at df dot eu
Hello,
here are some more infos
it seems **variable_ptr_ptr is empty
(gdb) print variable_ptr_ptr
$6 = (zval **) 0x9289bb4
(gdb) print *variable_ptr_ptr
$7 = (zval *) 0x5a5a5a5a
(gdb) print **variable_ptr_ptr
Cannot access memory at address 0x5a5a5a5a
(gdb) print opline
$1 = (zend_op *) 0x926d958
(gdb) print *opline
$2 = {handler = 0x865abb8 <ZEND_ASSIGN_SPEC_CV_VAR_HANDLER>, result = {op_type
= 4, u = {constant = {value = {lval = 660,
dval = 3.2608332625522272e-321, str = {val = 0x294 <Address 0x294 out
of bounds>, len = 0}, ht = 0x294, obj = {handle = 660, handlers = 0x0}},
refcount__gc = 0, type = 0 '\000', is_ref__gc = 0 '\000'}, var = 660,
opline_num = 660, op_array = 0x294, jmp_addr = 0x294, EA = {var = 660,
type = 0}}}, op1 = {op_type = 16, u = {constant = {value = {lval = 0,
dval = 3.3951932655444357e-313, str = {val = 0x0, len = 16}, ht = 0x0,
obj = {handle = 0, handlers = 0x10}}, refcount__gc = 1, type = 6
'\006', is_ref__gc = 0 '\000'}, var = 0, opline_num = 0, op_array = 0x0,
jmp_addr = 0x0, EA = {var = 0, type = 16}}}, op2 = {op_type = 4, u =
{constant = {value = {lval = 640, dval = 1.6975966643924192e-313, str = {
val = 0x280 <Address 0x280 out of bounds>, len = 8}, ht = 0x280,
obj = {handle = 640, handlers = 0x8}}, refcount__gc = 0, type = 0 '\000',
is_ref__gc = 0 '\000'}, var = 640, opline_num = 640, op_array = 0x280,
jmp_addr = 0x280, EA = {var = 640, type = 8}}}, extended_value = 0,
lineno = 403, opcode = 38 '&'}
(gdb) print opline->op2
$3 = {op_type = 4, u = {constant = {value = {lval = 640, dval =
1.6975966643924192e-313, str = {val = 0x280 <Address 0x280 out of bounds>, len
= 8},
ht = 0x280, obj = {handle = 640, handlers = 0x8}}, refcount__gc = 0,
type = 0 '\000', is_ref__gc = 0 '\000'}, var = 640, opline_num = 640,
op_array = 0x280, jmp_addr = 0x280, EA = {var = 640, type = 8}}}
(gdb) print &opline->op1
$8 = (struct _znode *) 0x926d970
(gdb) print opline->op1
$9 = {op_type = 16, u = {constant = {value = {lval = 0, dval =
3.3951932655444357e-313, str = {val = 0x0, len = 16}, ht = 0x0, obj = {handle =
0,
handlers = 0x10}}, refcount__gc = 1, type = 6 '\006', is_ref__gc = 0
'\000'}, var = 0, opline_num = 0, op_array = 0x0, jmp_addr = 0x0, EA = {
var = 0, type = 16}}}
(gdb) print (&opline->op1)->u.var
$13 = 0
(gdb) print (&opline->op1)->u
$14 = {constant = {value = {lval = 0, dval = 3.3951932655444357e-313, str =
{val = 0x0, len = 16}, ht = 0x0, obj = {handle = 0, handlers = 0x10}},
refcount__gc = 1, type = 6 '\006', is_ref__gc = 0 '\000'}, var = 0,
opline_num = 0, op_array = 0x0, jmp_addr = 0x0, EA = {var = 0, type = 16}}
------------------------------------------------------------------------
[2011-04-07 16:30:05] dbetz at df dot eu
here the php-fpm.conf:
[global]
pid = /var/run/php5-53LATEST.pid
error_log = /var/log/php-fpm.log
log_level = debug
emergency_restart_threshold = 10
[default]
listen = localhost:9000
user = nobody
group = apache
pm = dynamic
pm.max_children = 1000
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 1
pm.max_requests = 1000
pm.status_path = /status
[domain.com]
listen = /etc/httpd/fastcgi/domain.com
user = u222227
group = nobody
pm = dynamic
pm.max_children = 1000
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 1
pm.max_requests = 1000
------------------------------------------------------------------------
[2011-04-07 16:26:51] dbetz at df dot eu
Configure Command => './configure' '--with-mysql=/usr/local/mysql'
'--enable-debug' '--with-mysqli' '--with-config-file-path=/usr/local/php53-fpm'
'--with-openssl' '--with-gd' '--with-t1lib' '--enable-ftp' '--enable-calendar'
'--with-libxml-dir' '--with-jpeg-dir=../jpeg-6b/'
'--with-freetype-dir=/usr/lib' '--with-gettext'
'--with-zlib-dir=../zlib-1.1.3/' '--with-png-dir=../libpng-1.0.6/'
'--with-gdbm' '--with-ndbm' '--enable-dba' '--with-imap=/usr/local/imap-2007e'
'--with-imap-ssl=/usr/local/imap-2007e' '--enable-wddx' '--enable-bcmath'
'--enable-exif' '--with-curl' '--enable-inline-optimization' '--with-gnu-ld'
'--with-zlib' '--with-mcrypt' '--enable-wddx' '--with-mhash' '--with-pgsql'
'--enable-sockets' '--with-tidy' '--with-xmlrpc' '--enable-zip' '--with-bz2'
'--with-pdo-mysql=/usr' '--with-iconv' '--enable-soap' '--with-ldap'
'--with-xsl' '--with-t1lib' '--enable-fpm' '--enable-mbstring'
------------------------------------------------------------------------
[2011-04-07 16:22:38] dbetz at df dot eu
Description:
------------
Hello,
php-fpm with apache 2.2.16 has random segfaults when making new threads in
vbulletin board.
The POST works, but the redirect segfaults i think.
Here is an backtrace of the php-fpm worker:
Program received signal SIGSEGV, Segmentation fault.
0x085f95b6 in zend_assign_to_variable (variable_ptr_ptr=0xad882e28,
value=0xad8994e8, is_tmp_var=0)
at /usr/src/php-5.3.6/Zend/zend_execute.c:662
662 if (Z_TYPE_P(variable_ptr) == IS_OBJECT &&
Z_OBJ_HANDLER_P(variable_ptr, set)) {
(gdb) bt full
#0 0x085f95b6 in zend_assign_to_variable (variable_ptr_ptr=0xad882e28,
value=0xad8994e8, is_tmp_var=0)
at /usr/src/php-5.3.6/Zend/zend_execute.c:662
variable_ptr = 0x5a5a5a5a
garbage = {value = {lval = 4, dval = 1.9762625833649862e-323, str =
{val = 0x4 <Address 0x4 out of bounds>, len = 0}, ht = 0x4, obj = {
handle = 4, handlers = 0x0}}, refcount__gc = 149399716, type = 4
'\004', is_ref__gc = 175 '¯'}
#1 0x0865a6d9 in ZEND_ASSIGN_SPEC_CV_VAR_HANDLER (execute_data=0x91207cc) at
/usr/src/php-5.3.6/Zend/zend_vm_execute.h:27337
opline = 0xad89d7f4
free_op2 = {var = 0xad8994e8}
value = 0xad8994e8
variable_ptr_ptr = 0xad882e28
#2 0x085cdc2c in execute (op_array=0x8e9fdd4) at
/usr/src/php-5.3.6/Zend/zend_vm_execute.h:107
ret = 3
execute_data = 0x91207cc
nested = 1 '\001'
original_in_execution = 0 '\000'
#3 0x085a288e in zend_execute_scripts (type=8, retval=0x0, file_count=3) at
/usr/src/php-5.3.6/Zend/zend.c:1194
files = 0xbe65f394 ""
i = 1
file_handle = 0xbe6636e4
orig_op_array = 0x0
orig_retval_ptr_ptr = 0x0
#4 0x085381b5 in php_execute_script (primary_file=0xbe6636e4) at
/usr/src/php-5.3.6/main/main.c:2268
realfile =
"W2ÃÂ\000\000\000\000\070\004f¾öÿW\b0\024Ã
\bÃp\205\t\n\000\000\000\210R¹\bÃ
\001\000\000\000\000\000\000\000\000\000\000/\016X\b\001\005\000\001\000\000\000\000H\004f¾E\214f\bÃp\205\t\000s\205\t´\002\000\000¼lY\b\234ÃÃ\b´\002\000\000X\004f¾/\016X\b0\024Ã
\bðr\205\t\210R¹\bÃ
\001\000\000\000\000\000\000\000\000\000\000(\024f¾ñ\bT\bðr\205\t\210R¹\bÃ
\001\000\000\000\000\000\000\000\000\000\000\020\000\000\000Ã\213«\a/\001ÃÂ\000\000\000\000ø\033\002\000X\024f¾ñ\bT\b|
ÃÃ\b\024ÃÃ\b¸\004f¾|âÃÂ\000\000\000\000\001\000\000\000"...
__orig_bailout = 0xbe6615f8
__bailout = {{__jmpbuf = {-1379008524, 0, -1100606276, -1100606184,
-1966102021, -405377897}, __mask_was_saved = 0, __saved_mask = {__val = {
184, 0, 1302178070, 0, 1298211931, 0, 1302178636, 0, 6916987,
0, 146923508, 0, 0, 3194360904, 141417788, 3, 4, 3194360996, 137660206,
3194361112, 139709081, 4, 3194360996, 1, 1, 0, 0, 3194361112,
140936771, 0, 2915958772, 0}}}}
prepend_file_p = 0x0
append_file_p = 0x0
prepend_file = {type = ZEND_HANDLE_FILENAME, filename = 0x0,
opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, isatty =
0,
mmap = {len = 0, pos = 0, map = 0x0, buf = 0x0, old_handle = 0x0,
old_closer = 0}, reader = 0, fsizer = 0, closer = 0}},
free_filename = 0 '\000'}
append_file = {type = ZEND_HANDLE_FILENAME, filename = 0x0, opened_path
= 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, isatty = 0,
mmap = {len = 0, pos = 0, map = 0x0, buf = 0x0, old_handle = 0x0,
old_closer = 0}, reader = 0, fsizer = 0, closer = 0}},
free_filename = 0 '\000'}
old_cwd = 0xbe65f3b0 "/"
use_heap = 0 '\000'
retval = 0
#5 0x08671d6c in main (argc=3, argv=0xbe663844) at
/usr/src/php-5.3.6/sapi/fpm/fpm/fpm_main.c:1917
status_buffer = 0x0
status_content_type = 0x0
__orig_bailout = 0x0
__bailout = {{__jmpbuf = {-1379008524, 0, 0, -1100597368, -1929188869,
-1894015849}, __mask_was_saved = 0, __saved_mask = {__val = {
0 <repeats 32 times>}}}}
free_query_string = 0
exit_status = 0
cgi = 0
c = -1
file_handle = {type = ZEND_HANDLE_MAPPED, filename = 0x8db4700
"/var/www/testforen/domaingo/showthread.php", opened_path = 0x0,
handle = {fd = 148727672, fp = 0x8dd6778, stream = {handle =
0x8dd6778, isatty = 0, mmap = {len = 83287, pos = 0, map = 0xadb82000,
---Type <return> to continue, or q <return> to quit---
buf = 0xadb82000 <Address 0xadb82000 out of bounds>, old_handle
= 0x8df61d8, old_closer = 0x85baa1d <zend_stream_stdio_closer>},
reader = 0x85ba9f4 <zend_stream_stdio_reader>, fsizer = 0x85baa42
<zend_stream_stdio_fsizer>,
closer = 0x85bab31 <zend_stream_mmap_closer>}}, free_filename = 0
'\000'}
orig_optind = 1
orig_optarg = 0x0
ini_entries_len = 0
max_requests = 1000
requests = 21
fcgi_fd = 0
request = {listen_socket = 0, fd = 3, id = 1, keep = 0, closed = 0,
in_len = 0, in_pad = 0, out_hdr = 0x0, out_pos = 0xbe6616cc "\001\006",
out_buf = "\001\006\000\001\000·\001\000Status: 302 Moved
Temporarily\r\nX-Powered-By: PHP/5.3.6\r\nLocation:
https://forum.domain.com/threads/10432-fsadfsdaf?p=57751#post57751\r\nContent-type:
text/html\r\n\r\n\000\001\003\000\001\000\b\000\000\000\000\000\000\000"...,
reserved = '\000' <repeats 15 times>, env = 0x8dadc84}
fpm_config = 0xbe6639dd "infactory-kunde.de"
fpm_prefix = 0x0
test_conf = 0
(gdb)
Test script:
---------------
Sorry, can reproduce only in vbulletin board.
Expected result:
----------------
The redirection to the thread works
Actual result:
--------------
An SIGSEGV
------------------------------------------------------------------------
--
Edit this bug report at https://bugs.php.net/bug.php?id=54488&edit=1
