ID: 54488 Updated by: f...@php.net Reported by: dbetz at df dot eu Summary: SIGSEGV in zend_assign_to_variable -Status: Open +Status: Assigned Type: Bug Package: FPM related Operating System: Gentoo PHP Version: 5.3.6 -Assigned To: +Assigned To: fat Block user comment: N Private report: N Previous Comments: ------------------------------------------------------------------------ [2011-04-15 10:36:04] dbetz at df dot eu Hello, here is some more information. It looks like the zval that **variable_ptr_ptr should refer to has already been freed rather than being NULL: *variable_ptr_ptr is 0x5a5a5a5a, which is the byte pattern the Zend memory manager writes over freed blocks in a --enable-debug build, so this looks like a use-after-free of the assignment target. (gdb) print variable_ptr_ptr $6 = (zval **) 0x9289bb4 (gdb) print *variable_ptr_ptr $7 = (zval *) 0x5a5a5a5a (gdb) print **variable_ptr_ptr Cannot access memory at address 0x5a5a5a5a (gdb) print opline $1 = (zend_op *) 0x926d958 (gdb) print *opline $2 = {handler = 0x865abb8 <ZEND_ASSIGN_SPEC_CV_VAR_HANDLER>, result = {op_type = 4, u = {constant = {value = {lval = 660, dval = 3.2608332625522272e-321, str = {val = 0x294 <Address 0x294 out of bounds>, len = 0}, ht = 0x294, obj = {handle = 660, handlers = 0x0}}, refcount__gc = 0, type = 0 '\000', is_ref__gc = 0 '\000'}, var = 660, opline_num = 660, op_array = 0x294, jmp_addr = 0x294, EA = {var = 660, type = 0}}}, op1 = {op_type = 16, u = {constant = {value = {lval = 0, dval = 3.3951932655444357e-313, str = {val = 0x0, len = 16}, ht = 0x0, obj = {handle = 0, handlers = 0x10}}, refcount__gc = 1, type = 6 '\006', is_ref__gc = 0 '\000'}, var = 0, opline_num = 0, op_array = 0x0, jmp_addr = 0x0, EA = {var = 0, type = 16}}}, op2 = {op_type = 4, u = {constant = {value = {lval = 640, dval = 1.6975966643924192e-313, str = { val = 0x280 <Address 0x280 out of bounds>, len = 8}, ht = 0x280, obj = {handle = 640, handlers = 0x8}}, refcount__gc = 0, type = 0 '\000', is_ref__gc = 0 '\000'}, var = 640, opline_num = 640, op_array = 0x280, jmp_addr = 0x280, EA = {var = 640, type = 8}}}, extended_value = 0, lineno = 403, opcode = 38 '&'} (gdb) print opline->op2 $3 = {op_type = 4, u = {constant = {value = {lval = 640, dval = 1.6975966643924192e-313, str = 
{val = 0x280 <Address 0x280 out of bounds>, len = 8}, ht = 0x280, obj = {handle = 640, handlers = 0x8}}, refcount__gc = 0, type = 0 '\000', is_ref__gc = 0 '\000'}, var = 640, opline_num = 640, op_array = 0x280, jmp_addr = 0x280, EA = {var = 640, type = 8}}} (gdb) print &opline->op1 $8 = (struct _znode *) 0x926d970 (gdb) print opline->op1 $9 = {op_type = 16, u = {constant = {value = {lval = 0, dval = 3.3951932655444357e-313, str = {val = 0x0, len = 16}, ht = 0x0, obj = {handle = 0, handlers = 0x10}}, refcount__gc = 1, type = 6 '\006', is_ref__gc = 0 '\000'}, var = 0, opline_num = 0, op_array = 0x0, jmp_addr = 0x0, EA = { var = 0, type = 16}}} (gdb) print (&opline->op1)->u.var $13 = 0 (gdb) print (&opline->op1)->u $14 = {constant = {value = {lval = 0, dval = 3.3951932655444357e-313, str = {val = 0x0, len = 16}, ht = 0x0, obj = {handle = 0, handlers = 0x10}}, refcount__gc = 1, type = 6 '\006', is_ref__gc = 0 '\000'}, var = 0, opline_num = 0, op_array = 0x0, jmp_addr = 0x0, EA = {var = 0, type = 16}} ------------------------------------------------------------------------ [2011-04-07 16:30:05] dbetz at df dot eu here the php-fpm.conf: [global] pid = /var/run/php5-53LATEST.pid error_log = /var/log/php-fpm.log log_level = debug emergency_restart_threshold = 10 [default] listen = localhost:9000 user = nobody group = apache pm = dynamic pm.max_children = 1000 pm.start_servers = 1 pm.min_spare_servers = 1 pm.max_spare_servers = 1 pm.max_requests = 1000 pm.status_path = /status [domain.com] listen = /etc/httpd/fastcgi/domain.com user = u222227 group = nobody pm = dynamic pm.max_children = 1000 pm.start_servers = 1 pm.min_spare_servers = 1 pm.max_spare_servers = 1 pm.max_requests = 1000 ------------------------------------------------------------------------ [2011-04-07 16:26:51] dbetz at df dot eu Configure Command => './configure' '--with-mysql=/usr/local/mysql' '--enable-debug' '--with-mysqli' '--with-config-file-path=/usr/local/php53-fpm' '--with-openssl' '--with-gd' 
'--with-t1lib' '--enable-ftp' '--enable-calendar' '--with-libxml-dir' '--with-jpeg-dir=../jpeg-6b/' '--with-freetype-dir=/usr/lib' '--with-gettext' '--with-zlib-dir=../zlib-1.1.3/' '--with-png-dir=../libpng-1.0.6/' '--with-gdbm' '--with-ndbm' '--enable-dba' '--with-imap=/usr/local/imap-2007e' '--with-imap-ssl=/usr/local/imap-2007e' '--enable-wddx' '--enable-bcmath' '--enable-exif' '--with-curl' '--enable-inline-optimization' '--with-gnu-ld' '--with-zlib' '--with-mcrypt' '--enable-wddx' '--with-mhash' '--with-pgsql' '--enable-sockets' '--with-tidy' '--with-xmlrpc' '--enable-zip' '--with-bz2' '--with-pdo-mysql=/usr' '--with-iconv' '--enable-soap' '--with-ldap' '--with-xsl' '--with-t1lib' '--enable-fpm' '--enable-mbstring' ------------------------------------------------------------------------ [2011-04-07 16:22:38] dbetz at df dot eu Description: ------------ Hello, php-fpm with Apache 2.2.16 segfaults at random when a new forum thread is created in a vBulletin board. The POST itself completes; the crash appears to happen while the follow-up redirect is being produced (the worker's response buffer in the backtrace below already holds a "Status: 302" header with the Location of the new thread). Here is a backtrace of the crashed php-fpm worker: Program received signal SIGSEGV, Segmentation fault. 
0x085f95b6 in zend_assign_to_variable (variable_ptr_ptr=0xad882e28, value=0xad8994e8, is_tmp_var=0) at /usr/src/php-5.3.6/Zend/zend_execute.c:662 662 if (Z_TYPE_P(variable_ptr) == IS_OBJECT && Z_OBJ_HANDLER_P(variable_ptr, set)) { (gdb) bt full #0 0x085f95b6 in zend_assign_to_variable (variable_ptr_ptr=0xad882e28, value=0xad8994e8, is_tmp_var=0) at /usr/src/php-5.3.6/Zend/zend_execute.c:662 variable_ptr = 0x5a5a5a5a garbage = {value = {lval = 4, dval = 1.9762625833649862e-323, str = {val = 0x4 <Address 0x4 out of bounds>, len = 0}, ht = 0x4, obj = { handle = 4, handlers = 0x0}}, refcount__gc = 149399716, type = 4 '\004', is_ref__gc = 175 '¯'} #1 0x0865a6d9 in ZEND_ASSIGN_SPEC_CV_VAR_HANDLER (execute_data=0x91207cc) at /usr/src/php-5.3.6/Zend/zend_vm_execute.h:27337 opline = 0xad89d7f4 free_op2 = {var = 0xad8994e8} value = 0xad8994e8 variable_ptr_ptr = 0xad882e28 #2 0x085cdc2c in execute (op_array=0x8e9fdd4) at /usr/src/php-5.3.6/Zend/zend_vm_execute.h:107 ret = 3 execute_data = 0x91207cc nested = 1 '\001' original_in_execution = 0 '\000' #3 0x085a288e in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/php-5.3.6/Zend/zend.c:1194 files = 0xbe65f394 "" i = 1 file_handle = 0xbe6636e4 orig_op_array = 0x0 orig_retval_ptr_ptr = 0x0 #4 0x085381b5 in php_execute_script (primary_file=0xbe6636e4) at /usr/src/php-5.3.6/main/main.c:2268 realfile = "W2ÃÂ\000\000\000\000\070\004f¾öÿW\b0\024à \bÃp\205\t\n\000\000\000\210R¹\bà \001\000\000\000\000\000\000\000\000\000\000/\016X\b\001\005\000\001\000\000\000\000H\004f¾E\214f\bÃp\205\t\000s\205\t´\002\000\000¼lY\b\234ÃÃ\b´\002\000\000X\004f¾/\016X\b0\024à \bðr\205\t\210R¹\bà \001\000\000\000\000\000\000\000\000\000\000(\024f¾ñ\bT\bðr\205\t\210R¹\bà \001\000\000\000\000\000\000\000\000\000\000\020\000\000\000Ã\213«\a/\001ÃÂ\000\000\000\000ø\033\002\000X\024f¾ñ\bT\b| ÃÃ\b\024ÃÃ\b¸\004f¾|âÃÂ\000\000\000\000\001\000\000\000"... 
__orig_bailout = 0xbe6615f8 __bailout = {{__jmpbuf = {-1379008524, 0, -1100606276, -1100606184, -1966102021, -405377897}, __mask_was_saved = 0, __saved_mask = {__val = { 184, 0, 1302178070, 0, 1298211931, 0, 1302178636, 0, 6916987, 0, 146923508, 0, 0, 3194360904, 141417788, 3, 4, 3194360996, 137660206, 3194361112, 139709081, 4, 3194360996, 1, 1, 0, 0, 3194361112, 140936771, 0, 2915958772, 0}}}} prepend_file_p = 0x0 append_file_p = 0x0 prepend_file = {type = ZEND_HANDLE_FILENAME, filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, isatty = 0, mmap = {len = 0, pos = 0, map = 0x0, buf = 0x0, old_handle = 0x0, old_closer = 0}, reader = 0, fsizer = 0, closer = 0}}, free_filename = 0 '\000'} append_file = {type = ZEND_HANDLE_FILENAME, filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, isatty = 0, mmap = {len = 0, pos = 0, map = 0x0, buf = 0x0, old_handle = 0x0, old_closer = 0}, reader = 0, fsizer = 0, closer = 0}}, free_filename = 0 '\000'} old_cwd = 0xbe65f3b0 "/" use_heap = 0 '\000' retval = 0 #5 0x08671d6c in main (argc=3, argv=0xbe663844) at /usr/src/php-5.3.6/sapi/fpm/fpm/fpm_main.c:1917 status_buffer = 0x0 status_content_type = 0x0 __orig_bailout = 0x0 __bailout = {{__jmpbuf = {-1379008524, 0, 0, -1100597368, -1929188869, -1894015849}, __mask_was_saved = 0, __saved_mask = {__val = { 0 <repeats 32 times>}}}} free_query_string = 0 exit_status = 0 cgi = 0 c = -1 file_handle = {type = ZEND_HANDLE_MAPPED, filename = 0x8db4700 "/var/www/testforen/domaingo/showthread.php", opened_path = 0x0, handle = {fd = 148727672, fp = 0x8dd6778, stream = {handle = 0x8dd6778, isatty = 0, mmap = {len = 83287, pos = 0, map = 0xadb82000, ---Type <return> to continue, or q <return> to quit--- buf = 0xadb82000 <Address 0xadb82000 out of bounds>, old_handle = 0x8df61d8, old_closer = 0x85baa1d <zend_stream_stdio_closer>}, reader = 0x85ba9f4 <zend_stream_stdio_reader>, fsizer = 0x85baa42 <zend_stream_stdio_fsizer>, closer = 
0x85bab31 <zend_stream_mmap_closer>}}, free_filename = 0 '\000'} orig_optind = 1 orig_optarg = 0x0 ini_entries_len = 0 max_requests = 1000 requests = 21 fcgi_fd = 0 request = {listen_socket = 0, fd = 3, id = 1, keep = 0, closed = 0, in_len = 0, in_pad = 0, out_hdr = 0x0, out_pos = 0xbe6616cc "\001\006", out_buf = "\001\006\000\001\000·\001\000Status: 302 Moved Temporarily\r\nX-Powered-By: PHP/5.3.6\r\nLocation: https://forum.domain.com/threads/10432-fsadfsdaf?p=57751#post57751\r\nContent-type: text/html\r\n\r\n\000\001\003\000\001\000\b\000\000\000\000\000\000\000"..., reserved = '\000' <repeats 15 times>, env = 0x8dadc84} fpm_config = 0xbe6639dd "infactory-kunde.de" fpm_prefix = 0x0 test_conf = 0 (gdb) Test script: --------------- Sorry, I can only reproduce this inside a vBulletin board; I have no standalone script that triggers it. Expected result: ---------------- The redirect to the newly created thread completes without the worker crashing. Actual result: -------------- A SIGSEGV in zend_assign_to_variable (Zend/zend_execute.c:662). In the backtrace variable_ptr is 0x5a5a5a5a, the freed-memory fill pattern of the Zend debug allocator (this is an --enable-debug build), so the zval being assigned to appears to have been freed already, i.e. a use-after-free rather than a NULL dereference. ------------------------------------------------------------------------ -- Edit this bug report at https://bugs.php.net/bug.php?id=54488&edit=1