Edit report at https://bugs.php.net/bug.php?id=54488&edit=1

ID: 54488
User updated by: dbetz at df dot eu
Reported by: dbetz at df dot eu
Summary: SIGSEGV in zend_assign_to_variable
-Status: Feedback
+Status: Assigned
Type: Bug
Package: FPM related
Operating System: Gentoo
PHP Version: 5.3.6
Assigned To: fat
Block user comment: N
Private report: N

New Comment:

Hello,

the problem is only in FPM. Running php-cgi works for me.

Thx and greetings

Previous Comments:
------------------------------------------------------------------------
[2011-07-02 12:49:05] f...@php.net

Not enough information was provided for us to be able to handle this bug.
Please re-read the instructions at http://bugs.php.net/how-to-report.php

If you can provide more information, feel free to add it to this bug and
change the status back to "Open".

Thank you for your interest in PHP.

Is it possible for you to test without FPM (with php-cgi or mod_php for apache) please?

I'd like to first ensure the bug is exclusively related to FPM.

thx

------------------------------------------------------------------------
[2011-04-15 10:36:04] dbetz at df dot eu

Hello,

here are some more infos

it seems **variable_ptr_ptr is empty

(gdb) print variable_ptr_ptr
$6 = (zval **) 0x9289bb4
(gdb) print *variable_ptr_ptr
$7 = (zval *) 0x5a5a5a5a
(gdb) print **variable_ptr_ptr
Cannot access memory at address 0x5a5a5a5a

(gdb) print opline
$1 = (zend_op *) 0x926d958
(gdb) print *opline
$2 = {handler = 0x865abb8 <ZEND_ASSIGN_SPEC_CV_VAR_HANDLER>, result = {op_type = 4, u = {constant = {value = {lval = 660,
  dval = 3.2608332625522272e-321, str = {val = 0x294 <Address 0x294 out of bounds>, len = 0}, ht = 0x294,
  obj = {handle = 660, handlers = 0x0}}, refcount__gc = 0, type = 0 '\000', is_ref__gc = 0 '\000'}, var = 660,
  opline_num = 660, op_array = 0x294, jmp_addr = 0x294, EA = {var = 660, type = 0}}}, op1 = {op_type = 16,
  u = {constant = {value = {lval = 0, dval = 3.3951932655444357e-313, str = {val = 0x0, len = 16}, ht = 0x0,
  obj = {handle = 0, handlers = 0x10}}, refcount__gc = 1,
  type = 6 '\006', is_ref__gc = 0 '\000'}, var = 0, opline_num = 0, op_array = 0x0, jmp_addr = 0x0,
  EA = {var = 0, type = 16}}}, op2 = {op_type = 4, u = {constant = {value = {lval = 640,
  dval = 1.6975966643924192e-313, str = {
  val = 0x280 <Address 0x280 out of bounds>, len = 8}, ht = 0x280, obj = {handle = 640, handlers = 0x8}},
  refcount__gc = 0, type = 0 '\000', is_ref__gc = 0 '\000'}, var = 640, opline_num = 640, op_array = 0x280,
  jmp_addr = 0x280, EA = {var = 640, type = 8}}}, extended_value = 0, lineno = 403, opcode = 38 '&'}

(gdb) print opline->op2
$3 = {op_type = 4, u = {constant = {value = {lval = 640, dval = 1.6975966643924192e-313,
  str = {val = 0x280 <Address 0x280 out of bounds>, len = 8}, ht = 0x280, obj = {handle = 640, handlers = 0x8}},
  refcount__gc = 0, type = 0 '\000', is_ref__gc = 0 '\000'}, var = 640, opline_num = 640, op_array = 0x280,
  jmp_addr = 0x280, EA = {var = 640, type = 8}}}

(gdb) print &opline->op1
$8 = (struct _znode *) 0x926d970
(gdb) print opline->op1
$9 = {op_type = 16, u = {constant = {value = {lval = 0, dval = 3.3951932655444357e-313, str = {val = 0x0, len = 16},
  ht = 0x0, obj = {handle = 0, handlers = 0x10}}, refcount__gc = 1, type = 6 '\006', is_ref__gc = 0 '\000'},
  var = 0, opline_num = 0, op_array = 0x0, jmp_addr = 0x0, EA = {
  var = 0, type = 16}}}
(gdb) print (&opline->op1)->u.var
$13 = 0
(gdb) print (&opline->op1)->u
$14 = {constant = {value = {lval = 0, dval = 3.3951932655444357e-313, str = {val = 0x0, len = 16}, ht = 0x0,
  obj = {handle = 0, handlers = 0x10}}, refcount__gc = 1, type = 6 '\006', is_ref__gc = 0 '\000'}, var = 0,
  opline_num = 0, op_array = 0x0, jmp_addr = 0x0, EA = {var = 0, type = 16}}

------------------------------------------------------------------------
[2011-04-07 16:30:05] dbetz at df dot eu

here the php-fpm.conf:

[global]
pid = /var/run/php5-53LATEST.pid
error_log = /var/log/php-fpm.log
log_level = debug
emergency_restart_threshold = 10

[default]
listen = localhost:9000
user = nobody
group = apache
pm = dynamic
pm.max_children = 1000
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 1
pm.max_requests = 1000
pm.status_path = /status

[domain.com]
listen = /etc/httpd/fastcgi/domain.com
user = u222227
group = nobody
pm = dynamic
pm.max_children = 1000
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 1
pm.max_requests = 1000

------------------------------------------------------------------------
[2011-04-07 16:26:51] dbetz at df dot eu

Configure Command => './configure' '--with-mysql=/usr/local/mysql' '--enable-debug' '--with-mysqli' '--with-config-file-path=/usr/local/php53-fpm' '--with-openssl' '--with-gd' '--with-t1lib' '--enable-ftp' '--enable-calendar' '--with-libxml-dir' '--with-jpeg-dir=../jpeg-6b/' '--with-freetype-dir=/usr/lib' '--with-gettext' '--with-zlib-dir=../zlib-1.1.3/' '--with-png-dir=../libpng-1.0.6/' '--with-gdbm' '--with-ndbm' '--enable-dba' '--with-imap=/usr/local/imap-2007e' '--with-imap-ssl=/usr/local/imap-2007e' '--enable-wddx' '--enable-bcmath' '--enable-exif' '--with-curl' '--enable-inline-optimization' '--with-gnu-ld' '--with-zlib' '--with-mcrypt' '--enable-wddx' '--with-mhash' '--with-pgsql' '--enable-sockets' '--with-tidy' '--with-xmlrpc' '--enable-zip' '--with-bz2' '--with-pdo-mysql=/usr' '--with-iconv' '--enable-soap' '--with-ldap' '--with-xsl' '--with-t1lib' '--enable-fpm' '--enable-mbstring'

------------------------------------------------------------------------
[2011-04-07 16:22:38] dbetz at df dot eu

Description:
------------
Hello,

php-fpm with apache 2.2.16 has random segfaults when making new threads in vbulletin board.
The POST works, but the redirect segfaults I think.

Here is a backtrace of the php-fpm worker:

Program received signal SIGSEGV, Segmentation fault.
0x085f95b6 in zend_assign_to_variable (variable_ptr_ptr=0xad882e28, value=0xad8994e8, is_tmp_var=0)
    at /usr/src/php-5.3.6/Zend/zend_execute.c:662
662 if (Z_TYPE_P(variable_ptr) == IS_OBJECT && Z_OBJ_HANDLER_P(variable_ptr, set)) {
(gdb) bt full
#0 0x085f95b6 in zend_assign_to_variable (variable_ptr_ptr=0xad882e28, value=0xad8994e8, is_tmp_var=0)
    at /usr/src/php-5.3.6/Zend/zend_execute.c:662
        variable_ptr = 0x5a5a5a5a
        garbage = {value = {lval = 4, dval = 1.9762625833649862e-323, str = {val = 0x4 <Address 0x4 out of bounds>, len = 0}, ht = 0x4, obj = {
              handle = 4, handlers = 0x0}}, refcount__gc = 149399716, type = 4 '\004', is_ref__gc = 175 '¯'}
#1 0x0865a6d9 in ZEND_ASSIGN_SPEC_CV_VAR_HANDLER (execute_data=0x91207cc) at /usr/src/php-5.3.6/Zend/zend_vm_execute.h:27337
        opline = 0xad89d7f4
        free_op2 = {var = 0xad8994e8}
        value = 0xad8994e8
        variable_ptr_ptr = 0xad882e28
#2 0x085cdc2c in execute (op_array=0x8e9fdd4) at /usr/src/php-5.3.6/Zend/zend_vm_execute.h:107
        ret = 3
        execute_data = 0x91207cc
        nested = 1 '\001'
        original_in_execution = 0 '\000'
#3 0x085a288e in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/php-5.3.6/Zend/zend.c:1194
        files = 0xbe65f394 ""
        i = 1
        file_handle = 0xbe6636e4
        orig_op_array = 0x0
        orig_retval_ptr_ptr = 0x0
#4 0x085381b5 in php_execute_script (primary_file=0xbe6636e4) at /usr/src/php-5.3.6/main/main.c:2268
        realfile = "W2ÃÂ\000\000\000\000\070\004f¾öÿW\b0\024à \bÃp\205\t\n\000\000\000\210R¹\bà \001\000\000\000\000\000\000\000\000\000\000/\016X\b\001\005\000\001\000\000\000\000H\004f¾E\214f\bÃp\205\t\000s\205\t´\002\000\000¼lY\b\234ÃÃ\b´\002\000\000X\004f¾/\016X\b0\024à \bðr\205\t\210R¹\bà \001\000\000\000\000\000\000\000\000\000\000(\024f¾ñ\bT\bðr\205\t\210R¹\bà \001\000\000\000\000\000\000\000\000\000\000\020\000\000\000Ã\213«\a/\001ÃÂ\000\000\000\000ø\033\002\000X\024f¾ñ\bT\b| ÃÃ\b\024ÃÃ\b¸\004f¾|âÃÂ\000\000\000\000\001\000\000\000"...
        __orig_bailout = 0xbe6615f8
        __bailout = {{__jmpbuf = {-1379008524, 0, -1100606276, -1100606184, -1966102021, -405377897}, __mask_was_saved = 0, __saved_mask = {__val = {
                184, 0, 1302178070, 0, 1298211931, 0, 1302178636, 0, 6916987, 0, 146923508, 0, 0, 3194360904, 141417788, 3, 4, 3194360996,
                137660206, 3194361112, 139709081, 4, 3194360996, 1, 1, 0, 0, 3194361112, 140936771, 0, 2915958772, 0}}}}
        prepend_file_p = 0x0
        append_file_p = 0x0
        prepend_file = {type = ZEND_HANDLE_FILENAME, filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0,
              isatty = 0, mmap = {len = 0, pos = 0, map = 0x0, buf = 0x0, old_handle = 0x0, old_closer = 0}, reader = 0, fsizer = 0,
              closer = 0}}, free_filename = 0 '\000'}
        append_file = {type = ZEND_HANDLE_FILENAME, filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0,
              isatty = 0, mmap = {len = 0, pos = 0, map = 0x0, buf = 0x0, old_handle = 0x0, old_closer = 0}, reader = 0, fsizer = 0,
              closer = 0}}, free_filename = 0 '\000'}
        old_cwd = 0xbe65f3b0 "/"
        use_heap = 0 '\000'
        retval = 0
#5 0x08671d6c in main (argc=3, argv=0xbe663844) at /usr/src/php-5.3.6/sapi/fpm/fpm/fpm_main.c:1917
        status_buffer = 0x0
        status_content_type = 0x0
        __orig_bailout = 0x0
        __bailout = {{__jmpbuf = {-1379008524, 0, 0, -1100597368, -1929188869, -1894015849}, __mask_was_saved = 0, __saved_mask = {__val = {
                0 <repeats 32 times>}}}}
        free_query_string = 0
        exit_status = 0
        cgi = 0
        c = -1
        file_handle = {type = ZEND_HANDLE_MAPPED, filename = 0x8db4700 "/var/www/testforen/domaingo/showthread.php", opened_path = 0x0,
          handle = {fd = 148727672, fp = 0x8dd6778, stream = {handle = 0x8dd6778, isatty = 0, mmap = {len = 83287, pos = 0, map = 0xadb82000,
---Type <return> to continue, or q <return> to quit---
                buf = 0xadb82000 <Address 0xadb82000 out of bounds>, old_handle = 0x8df61d8, old_closer = 0x85baa1d <zend_stream_stdio_closer>},
              reader = 0x85ba9f4 <zend_stream_stdio_reader>, fsizer = 0x85baa42 <zend_stream_stdio_fsizer>,
              closer = 0x85bab31 <zend_stream_mmap_closer>}}, free_filename = 0 '\000'}
        orig_optind = 1
        orig_optarg = 0x0
        ini_entries_len = 0
        max_requests = 1000
        requests = 21
        fcgi_fd = 0
        request = {listen_socket = 0, fd = 3, id = 1, keep = 0, closed = 0, in_len = 0, in_pad = 0, out_hdr = 0x0, out_pos = 0xbe6616cc "\001\006",
          out_buf = "\001\006\000\001\000·\001\000Status: 302 Moved Temporarily\r\nX-Powered-By: PHP/5.3.6\r\nLocation: https://forum.domain.com/threads/10432-fsadfsdaf?p=57751#post57751\r\nContent-type: text/html\r\n\r\n\000\001\003\000\001\000\b\000\000\000\000\000\000\000"..., reserved = '\000' <repeats 15 times>, env = 0x8dadc84}
        fpm_config = 0xbe6639dd "infactory-kunde.de"
        fpm_prefix = 0x0
        test_conf = 0
(gdb)

Test script:
---------------
Sorry, can reproduce only in vbulletin board.

Expected result:
----------------
The redirection to the thread works

Actual result:
--------------
A SIGSEGV

------------------------------------------------------------------------

--
Edit this bug report at https://bugs.php.net/bug.php?id=54488&edit=1