Edit report at https://bugs.php.net/bug.php?id=54488&edit=1

 ID:                 54488
 User updated by:    dbetz at df dot eu
 Reported by:        dbetz at df dot eu
 Summary:            SIGSEGV in zend_assign_to_variable
-Status:             Feedback
+Status:             Assigned
 Type:               Bug
 Package:            FPM related
 Operating System:   Gentoo
 PHP Version:        5.3.6
 Assigned To:        fat
 Block user comment: N
 Private report:     N

 New Comment:

Hello,

the problem is only in FPM. Running php-cgi works for me.

Thx and greetings


Previous Comments:
------------------------------------------------------------------------
[2011-07-02 12:49:05] f...@php.net

Not enough information was provided for us to be able
to handle this bug. Please re-read the instructions at
http://bugs.php.net/how-to-report.php

If you can provide more information, feel free to add it
to this bug and change the status back to "Open".

Thank you for your interest in PHP.


Is it possible for you to test without FPM (with php-cgi or mod_php for apache) please?

I'd like to first ensure the bug is exclusively related to FPM.

thx

------------------------------------------------------------------------
[2011-04-15 10:36:04] dbetz at df dot eu

Hello,

here is some more info

it seems **variable_ptr_ptr is empty

(gdb) print variable_ptr_ptr
$6 = (zval **) 0x9289bb4
(gdb) print *variable_ptr_ptr
$7 = (zval *) 0x5a5a5a5a
(gdb) print **variable_ptr_ptr
Cannot access memory at address 0x5a5a5a5a


(gdb) print opline
$1 = (zend_op *) 0x926d958
(gdb) print *opline
$2 = {handler = 0x865abb8 <ZEND_ASSIGN_SPEC_CV_VAR_HANDLER>, result = {op_type 
= 4, u = {constant = {value = {lval = 660,
          dval = 3.2608332625522272e-321, str = {val = 0x294 <Address 0x294 out 
of bounds>, len = 0}, ht = 0x294, obj = {handle = 660, handlers = 0x0}},
        refcount__gc = 0, type = 0 '\000', is_ref__gc = 0 '\000'}, var = 660, 
opline_num = 660, op_array = 0x294, jmp_addr = 0x294, EA = {var = 660,
        type = 0}}}, op1 = {op_type = 16, u = {constant = {value = {lval = 0, 
dval = 3.3951932655444357e-313, str = {val = 0x0, len = 16}, ht = 0x0,
          obj = {handle = 0, handlers = 0x10}}, refcount__gc = 1, type = 6 
'\006', is_ref__gc = 0 '\000'}, var = 0, opline_num = 0, op_array = 0x0,
      jmp_addr = 0x0, EA = {var = 0, type = 16}}}, op2 = {op_type = 4, u = 
{constant = {value = {lval = 640, dval = 1.6975966643924192e-313, str = {
            val = 0x280 <Address 0x280 out of bounds>, len = 8}, ht = 0x280, 
obj = {handle = 640, handlers = 0x8}}, refcount__gc = 0, type = 0 '\000',
        is_ref__gc = 0 '\000'}, var = 640, opline_num = 640, op_array = 0x280, 
jmp_addr = 0x280, EA = {var = 640, type = 8}}}, extended_value = 0,
  lineno = 403, opcode = 38 '&'}
(gdb) print opline->op2
$3 = {op_type = 4, u = {constant = {value = {lval = 640, dval = 
1.6975966643924192e-313, str = {val = 0x280 <Address 0x280 out of bounds>, len 
= 8},
        ht = 0x280, obj = {handle = 640, handlers = 0x8}}, refcount__gc = 0, 
type = 0 '\000', is_ref__gc = 0 '\000'}, var = 640, opline_num = 640,
    op_array = 0x280, jmp_addr = 0x280, EA = {var = 640, type = 8}}}
(gdb) print &opline->op1
$8 = (struct _znode *) 0x926d970
(gdb) print opline->op1
$9 = {op_type = 16, u = {constant = {value = {lval = 0, dval = 
3.3951932655444357e-313, str = {val = 0x0, len = 16}, ht = 0x0, obj = {handle = 
0,
          handlers = 0x10}}, refcount__gc = 1, type = 6 '\006', is_ref__gc = 0 
'\000'}, var = 0, opline_num = 0, op_array = 0x0, jmp_addr = 0x0, EA = {
      var = 0, type = 16}}}
(gdb) print (&opline->op1)->u.var
$13 = 0
(gdb) print (&opline->op1)->u
$14 = {constant = {value = {lval = 0, dval = 3.3951932655444357e-313, str = 
{val = 0x0, len = 16}, ht = 0x0, obj = {handle = 0, handlers = 0x10}},
    refcount__gc = 1, type = 6 '\006', is_ref__gc = 0 '\000'}, var = 0, 
opline_num = 0, op_array = 0x0, jmp_addr = 0x0, EA = {var = 0, type = 16}}

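The gdb output above is worth reading closely from a defender's side: `*variable_ptr_ptr` is 0x5a5a5a5a, which on a 32-bit `--enable-debug` build (see the configure command below) is the fill byte the Zend memory manager writes into freed blocks. The pointer slot itself, not the zval, reads as the fill pattern, so the block that held the slot had already been released when the handler read it. The following C program is an added illustration and not PHP's own allocator: it models a poisoning free, a container of zval pointers, the read-after-free that produces such a value, and a guard that recognises the poison pattern before dereferencing. `toy_zval`, `toy_table`, the arena and all sample values are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Fill byte used by this toy debug heap for freed memory; the same
   0x5a byte is what a debug build of PHP leaves behind, hence 0x5a5a5a5a. */
#define POISON_BYTE 0x5a

/* Minimal stand-ins (hypothetical) for a zval and a table of zval pointers,
   such as the compiled-variable table the assignment handler indexes. */
typedef struct { long lval; unsigned char type; } toy_zval;
typedef struct { toy_zval *slots[4]; size_t used; } toy_table;

/* Static arena: memory stays readable after "free", like a debug heap that
   keeps released blocks on its free lists instead of unmapping them. */
static unsigned char arena[4096];
static size_t arena_top;

static void *arena_alloc(size_t n) {
    n = (n + 15) & ~(size_t)15;            /* keep blocks 16-byte aligned */
    if (arena_top + n > sizeof arena) return NULL;
    void *p = arena + arena_top;
    arena_top += n;
    return p;
}

/* Poisoning free: overwrite the block so a later read yields a recognisable
   pattern instead of stale, still-plausible data. */
static void arena_free(void *p, size_t n) {
    memset(p, POISON_BYTE, n);
}

/* True if every byte of a pointer value is the poison byte, i.e. the value
   was loaded from memory that had already been freed. */
int is_poison_pointer(uintptr_t v) {
    for (size_t i = 0; i < sizeof v; i++)
        if (((v >> (8 * i)) & 0xffu) != POISON_BYTE) return 0;
    return 1;
}

/* Guarded dereference: returns 1 and stores lval for a live pointer,
   0 for a NULL or poisoned slot. */
int safe_read_lval(toy_zval **pp, long *out) {
    uintptr_t v = (uintptr_t)*pp;
    if (v == 0 || is_poison_pointer(v)) return 0;
    *out = (*pp)->lval;
    return 1;
}

/* Reproduces the shape of the report: a zval pointer is stored in a
   container, the container is freed, then the slot is read again. */
uintptr_t dangling_slot_value(void) {
    toy_table *tab = arena_alloc(sizeof *tab);
    toy_zval *zv = arena_alloc(sizeof *zv);
    zv->lval = 660; zv->type = 1;                /* constructed sample values */
    tab->slots[0] = zv; tab->used = 1;
    toy_zval **variable_ptr_ptr = &tab->slots[0]; /* like the handler's argument */
    arena_free(tab, sizeof *tab);                 /* container released too early */
    return (uintptr_t)*variable_ptr_ptr;          /* read-after-free */
}

/* Same scenario, but through the guard: should refuse the read. */
int guarded_dangling_read(void) {
    toy_table *tab = arena_alloc(sizeof *tab);
    toy_zval *zv = arena_alloc(sizeof *zv);
    zv->lval = 640; zv->type = 1;
    tab->slots[0] = zv; tab->used = 1;
    arena_free(tab, sizeof *tab);
    long out = -1;
    return safe_read_lval(&tab->slots[0], &out);
}

/* Control case: a live container is read normally. */
long live_slot_value(void) {
    toy_table *tab = arena_alloc(sizeof *tab);
    toy_zval *zv = arena_alloc(sizeof *zv);
    zv->lval = 660; zv->type = 1;
    tab->slots[0] = zv; tab->used = 1;
    long out = -1;
    return safe_read_lval(&tab->slots[0], &out) ? out : -1;
}

int main(void) {
    printf("dangling slot reads 0x%lx, poison=%d\n",
           (unsigned long)dangling_slot_value(),
           is_poison_pointer(dangling_slot_value()));
    printf("guarded read of freed slot: %d\n", guarded_dangling_read());
    printf("live slot lval: %ld\n", live_slot_value());
    return 0;
}
```

The guard is only a diagnostic aid; the actual fix for a report like this is finding which code path frees the container while a reference into it is still live, which is exactly what the 0x5a pattern in a debug build points at.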
------------------------------------------------------------------------
[2011-04-07 16:30:05] dbetz at df dot eu

here the php-fpm.conf:

[global]

pid = /var/run/php5-53LATEST.pid
error_log = /var/log/php-fpm.log
log_level = debug
emergency_restart_threshold = 10

[default]

listen = localhost:9000
user = nobody
group = apache

pm = dynamic
pm.max_children = 1000
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 1
pm.max_requests = 1000
pm.status_path = /status


[domain.com]

listen = /etc/httpd/fastcgi/domain.com
user = u222227
group = nobody

pm = dynamic
pm.max_children = 1000
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 1
pm.max_requests = 1000

------------------------------------------------------------------------
[2011-04-07 16:26:51] dbetz at df dot eu

Configure Command =>  './configure'  '--with-mysql=/usr/local/mysql' 
'--enable-debug' '--with-mysqli' '--with-config-file-path=/usr/local/php53-fpm' 
'--with-openssl' '--with-gd' '--with-t1lib' '--enable-ftp' '--enable-calendar' 
'--with-libxml-dir' '--with-jpeg-dir=../jpeg-6b/' 
'--with-freetype-dir=/usr/lib' '--with-gettext' 
'--with-zlib-dir=../zlib-1.1.3/' '--with-png-dir=../libpng-1.0.6/' 
'--with-gdbm' '--with-ndbm' '--enable-dba' '--with-imap=/usr/local/imap-2007e' 
'--with-imap-ssl=/usr/local/imap-2007e' '--enable-wddx' '--enable-bcmath' 
'--enable-exif' '--with-curl' '--enable-inline-optimization' '--with-gnu-ld' 
'--with-zlib' '--with-mcrypt' '--enable-wddx' '--with-mhash' '--with-pgsql' 
'--enable-sockets' '--with-tidy' '--with-xmlrpc' '--enable-zip' '--with-bz2' 
'--with-pdo-mysql=/usr' '--with-iconv' '--enable-soap' '--with-ldap' 
'--with-xsl' '--with-t1lib' '--enable-fpm' '--enable-mbstring'

------------------------------------------------------------------------
[2011-04-07 16:22:38] dbetz at df dot eu

Description:
------------
Hello,

php-fpm with apache 2.2.16 has random segfaults when making new threads in the 
vbulletin board.
The POST works, but the redirect segfaults, I think.

Here is a backtrace of the php-fpm worker:

Program received signal SIGSEGV, Segmentation fault.
0x085f95b6 in zend_assign_to_variable (variable_ptr_ptr=0xad882e28, 
value=0xad8994e8, is_tmp_var=0)
    at /usr/src/php-5.3.6/Zend/zend_execute.c:662
662             if (Z_TYPE_P(variable_ptr) == IS_OBJECT && 
Z_OBJ_HANDLER_P(variable_ptr, set)) {
(gdb) bt full
#0  0x085f95b6 in zend_assign_to_variable (variable_ptr_ptr=0xad882e28, 
value=0xad8994e8, is_tmp_var=0)
    at /usr/src/php-5.3.6/Zend/zend_execute.c:662
        variable_ptr = 0x5a5a5a5a
        garbage = {value = {lval = 4, dval = 1.9762625833649862e-323, str = 
{val = 0x4 <Address 0x4 out of bounds>, len = 0}, ht = 0x4, obj = {
              handle = 4, handlers = 0x0}}, refcount__gc = 149399716, type = 4 
'\004', is_ref__gc = 175 '¯'}
#1  0x0865a6d9 in ZEND_ASSIGN_SPEC_CV_VAR_HANDLER (execute_data=0x91207cc) at 
/usr/src/php-5.3.6/Zend/zend_vm_execute.h:27337
        opline = 0xad89d7f4
        free_op2 = {var = 0xad8994e8}
        value = 0xad8994e8
        variable_ptr_ptr = 0xad882e28
#2  0x085cdc2c in execute (op_array=0x8e9fdd4) at 
/usr/src/php-5.3.6/Zend/zend_vm_execute.h:107
        ret = 3
        execute_data = 0x91207cc
        nested = 1 '\001'
        original_in_execution = 0 '\000'
#3  0x085a288e in zend_execute_scripts (type=8, retval=0x0, file_count=3) at 
/usr/src/php-5.3.6/Zend/zend.c:1194
        files = 0xbe65f394 ""
        i = 1
        file_handle = 0xbe6636e4
        orig_op_array = 0x0
        orig_retval_ptr_ptr = 0x0
#4  0x085381b5 in php_execute_script (primary_file=0xbe6636e4) at 
/usr/src/php-5.3.6/main/main.c:2268
        realfile = 
"W2Á­\000\000\000\000\070\004f¾öÿW\b0\024Å\bÌp\205\t\n\000\000\000\210R¹\bÅ\001\000\000\000\000\000\000\000\000\000\000/\016X\b\001\005\000\001\000\000\000\000H\004f¾E\214f\bÌp\205\t\000s\205\t´\002\000\000¼lY\b\234ÓÝ\b´\002\000\000X\004f¾/\016X\b0\024Å\bðr\205\t\210R¹\bÅ\001\000\000\000\000\000\000\000\000\000\000(\024f¾ñ\bT\bðr\205\t\210R¹\bÅ\001\000\000\000\000\000\000\000\000\000\000\020\000\000\000À\213«\a/\001Ì­\000\000\000\000ø\033\002\000X\024f¾ñ\bT\b|
 ÐÄ\b\024ÒÄ\b¸\004f¾|âÀ­\000\000\000\000\001\000\000\000"...
        __orig_bailout = 0xbe6615f8
        __bailout = {{__jmpbuf = {-1379008524, 0, -1100606276, -1100606184, 
-1966102021, -405377897}, __mask_was_saved = 0, __saved_mask = {__val = {
                184, 0, 1302178070, 0, 1298211931, 0, 1302178636, 0, 6916987, 
0, 146923508, 0, 0, 3194360904, 141417788, 3, 4, 3194360996, 137660206,
                3194361112, 139709081, 4, 3194360996, 1, 1, 0, 0, 3194361112, 
140936771, 0, 2915958772, 0}}}}
        prepend_file_p = 0x0
        append_file_p = 0x0
        prepend_file = {type = ZEND_HANDLE_FILENAME, filename = 0x0, 
opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, isatty = 
0,
              mmap = {len = 0, pos = 0, map = 0x0, buf = 0x0, old_handle = 0x0, 
old_closer = 0}, reader = 0, fsizer = 0, closer = 0}},
          free_filename = 0 '\000'}
        append_file = {type = ZEND_HANDLE_FILENAME, filename = 0x0, opened_path 
= 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, isatty = 0,
              mmap = {len = 0, pos = 0, map = 0x0, buf = 0x0, old_handle = 0x0, 
old_closer = 0}, reader = 0, fsizer = 0, closer = 0}},
          free_filename = 0 '\000'}
        old_cwd = 0xbe65f3b0 "/"
        use_heap = 0 '\000'
        retval = 0
#5  0x08671d6c in main (argc=3, argv=0xbe663844) at 
/usr/src/php-5.3.6/sapi/fpm/fpm/fpm_main.c:1917
        status_buffer = 0x0
        status_content_type = 0x0
        __orig_bailout = 0x0
        __bailout = {{__jmpbuf = {-1379008524, 0, 0, -1100597368, -1929188869, 
-1894015849}, __mask_was_saved = 0, __saved_mask = {__val = {
                0 <repeats 32 times>}}}}
        free_query_string = 0
        exit_status = 0
        cgi = 0
        c = -1
        file_handle = {type = ZEND_HANDLE_MAPPED, filename = 0x8db4700 
"/var/www/testforen/domaingo/showthread.php", opened_path = 0x0,
          handle = {fd = 148727672, fp = 0x8dd6778, stream = {handle = 
0x8dd6778, isatty = 0, mmap = {len = 83287, pos = 0, map = 0xadb82000,
---Type <return> to continue, or q <return> to quit---
                buf = 0xadb82000 <Address 0xadb82000 out of bounds>, old_handle 
= 0x8df61d8, old_closer = 0x85baa1d <zend_stream_stdio_closer>},
              reader = 0x85ba9f4 <zend_stream_stdio_reader>, fsizer = 0x85baa42 
<zend_stream_stdio_fsizer>,
              closer = 0x85bab31 <zend_stream_mmap_closer>}}, free_filename = 0 
'\000'}
        orig_optind = 1
        orig_optarg = 0x0
        ini_entries_len = 0
        max_requests = 1000
        requests = 21
        fcgi_fd = 0
        request = {listen_socket = 0, fd = 3, id = 1, keep = 0, closed = 0, 
in_len = 0, in_pad = 0, out_hdr = 0x0, out_pos = 0xbe6616cc "\001\006",
          out_buf = "\001\006\000\001\000·\001\000Status: 302 Moved 
Temporarily\r\nX-Powered-By: PHP/5.3.6\r\nLocation: 
https://forum.domain.com/threads/10432-fsadfsdaf?p=57751#post57751\r\nContent-type:
 text/html\r\n\r\n\000\001\003\000\001\000\b\000\000\000\000\000\000\000"...,
          reserved = '\000' <repeats 15 times>, env = 0x8dadc84}
        fpm_config = 0xbe6639dd "infactory-kunde.de"
        fpm_prefix = 0x0
        test_conf = 0
(gdb)


Test script:
---------------
Sorry, can reproduce only in vbulletin board.

Expected result:
----------------
The redirection to the thread works

Actual result:
--------------
A SIGSEGV



------------------------------------------------------------------------


