From:
Operating system: Debian
PHP version: 5.3.8
Package: Scripting Engine problem
Bug Type: Bug
Bug description: Segmentation Fault hard to reproduce
Description:
------------
When running php-fpm 5.3.8 with APC-3.1.9 for several random days, it starts to systematically segfault; we can't reproduce it for now without waiting for it to happen.
Here is some gdb information:
The segfault is in zend_compile.c, line 2972:
Program received signal SIGSEGV, Segmentation fault.
0x0000000000628c8d in do_bind_function (opline=0x7fe50eeb1398, function_table=0x215ac30, compile_time=0 '\000') at /usr/src/php-5.3.8/Zend/zend_compile.c:2972
2972 (*function->op_array.refcount)++;
A stacktrace :
(gdb) bt
#0 0x0000000000628c8d in do_bind_function (opline=0x7fe50eeb1398, function_table=0x215ac30, compile_time=0 '\000') at /usr/src/php-5.3.8/Zend/zend_compile.c:2972
#1 0x00000000006665a5 in ZEND_DECLARE_FUNCTION_SPEC_HANDLER (execute_data=0x2590548) at /usr/src/php-5.3.8/Zend/zend_vm_execute.h:586
#2 0x0000000000666378 in execute (op_array=0x267bf98) at /usr/src/php-5.3.8/Zend/zend_vm_execute.h:107
#3 0x0000000000637d2a in zend_call_function (fci=0x7fff3aa53fa0, fci_cache=<value optimized out>) at /usr/src/php-5.3.8/Zend/zend_execute_API.c:968
#4 0x00000000005275f0 in zim_reflection_method_invokeArgs (ht=<value optimized out>, return_value=0x233f5c0, return_value_ptr=<value optimized out>, this_ptr=<value optimized out>, return_value_used=<value optimized out>) at /usr/src/php-5.3.8/ext/reflection/php_reflection.c:2750
#5 0x000000000068de5c in zend_do_fcall_common_helper_SPEC (execute_data=0x258a778) at /usr/src/php-5.3.8/Zend/zend_vm_execute.h:320
#6 0x0000000000666378 in execute (op_array=0x2522480) at /usr/src/php-5.3.8/Zend/zend_vm_execute.h:107
#7 0x00000000006411ea in zend_execute_scripts (type=8, retval=<value optimized out>, file_count=3) at /usr/src/php-5.3.8/Zend/zend.c:1236
#8 0x00000000005effee in php_execute_script (primary_file=<value optimized out>) at /usr/src/php-5.3.8/main/main.c:2284
#9 0x00000000006cf132 in main (argc=<value optimized out>, argv=<value optimized out>) at /usr/src/php-5.3.8/sapi/fpm/fpm/fpm_main.c:1902
Some information about what caused the segfault:
function seems to be a valid pointer:
(gdb) p function
$1 = (zend_function *) 0x6821d0
But refcount seems to point to an invalid, garbage address...
(gdb) p function->op_array.refcount
$2 = (zend_uint *) 0x6697eb0824748b48
That is out of memory:
(gdb) p *function->op_array.refcount
Cannot access memory at address 0x6697eb0824748b48
function also contains a lot of garbage:
(gdb) p *function
$3 = {type = 72 'H',
  common = {type = 72 'H', function_name = 0x1f0fc35d5bc031 <Address 0x1f0fc35d5bc031 out of bounds>, scope = 0x102444c748, fn_flags = 360611840, prototype = 0x1446b60f2c7401f8, num_args = 1006954627, required_num_args = 1219458817, arg_info = 0xe80824748948f789, pass_rest_by_reference = 52 '4', return_reference = 197 '\305'},
  op_array = {type = 72 'H', function_name = 0x1f0fc35d5bc031 <Address 0x1f0fc35d5bc031 out of bounds>, scope = 0x102444c748, fn_flags = 360611840, prototype = 0x1446b60f2c7401f8, num_args = 1006954627, required_num_args = 1219458817, arg_info = 0xe80824748948f789, pass_rest_by_reference = 52 '4', return_reference = 197 '\305', done_pass_two = 253 '\375', refcount = 0x6697eb0824748b48, opcodes = 0x841f0f, last = 1394374, size = 2370359019, vars = 0x481024548d482845, last_var = -1991717239, size_var = 564586695, T = 2336817151, brk_cont_array = 0x2e66ffffff68e9c6, last_brk_cont = 8658703, current_brk_cont = 0, try_catch_array = 0x6c8948e8245c8948, last_try_catch = -1991708636, static_variables = 0x8b4838ec8348f824, start_op = 0x50458b38778b482f, backpatch_count = 106203976, this_var = 3531950088, filename = 0x428b000000b8840f <Address 0x428b000000b8840f out of bounds>, line_start = 32015120, line_end = 1116323973, doc_comment = 0xc7001542c6657510 <Address 0xc7001542c6657510 out of bounds>, doc_comment_len = 69698, early_binding = 2303197184, reserved = {0x8b30658b44102454, 0x8d4826248d4e107d, 0x84eee8e6894c3e3c, 0x314247c8041fffb}},
  internal_function = {type = 72 'H', function_name = 0x1f0fc35d5bc031 <Address 0x1f0fc35d5bc031 out of bounds>, scope = 0x102444c748, fn_flags = 360611840, prototype = 0x1446b60f2c7401f8, num_args = 1006954627, required_num_args = 1219458817, arg_info = 0xe80824748948f789, pass_rest_by_reference = 52 '4', return_reference = 197 '\305', handler = 0x6697eb0824748b48, module = 0x841f0f}}
I found that function is from a function_table, so I searched for the name of the searched function:
(gdb) p opline->op1.u.constant.value
$6 = {lval = 140621774571448, dval = 6.9476387872984637e-310, str = {val = 0x7fe50eebc7b8 "", len = 78}, ht = 0x7fe50eebc7b8, obj = {handle = 250333112, handlers = 0x4e}}
Seems space too ...
You can query for more information (value of pointers, etc...) but I may take some days to provide them, waiting for php to enter this state again.
--
Edit bug report at https://bugs.php.net/bug.php?id=60383&edit=1
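
A triage check over the addresses quoted in the report above, added here as an example; it is not part of the original report or of PHP's code. It assumes x86-64 with 48-bit virtual addresses and that every backtrace frame lies in the php-fpm binary's single text mapping; `classify`, `code_span` and `is_canonical48` are names chosen for this example.

```c
/* Added triage example: classify addresses quoted in the bug report.
 * Assumption: x86-64 with 48-bit virtual addresses (4-level paging). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum ptr_class { PTR_NONCANONICAL, PTR_IN_CODE, PTR_OTHER };

/* Frame addresses #0..#9 copied from the backtrace in the report. */
static const uint64_t frames[] = {
    0x628c8d, 0x6665a5, 0x666378, 0x637d2a, 0x5275f0,
    0x68de5c, 0x666378, 0x6411ea, 0x5effee, 0x6cf132,
};

/* Canonical means bits 63..47 are all equal (all 0 or all 1). */
static int is_canonical48(uint64_t a)
{
    uint64_t top = a >> 47;
    return top == 0 || top == 0x1ffff;
}

/* Lowest and highest code address seen in the backtrace. Assumption: all
 * frames belong to one text mapping, so values in between are code too. */
static void code_span(uint64_t *lo, uint64_t *hi)
{
    *lo = *hi = frames[0];
    for (size_t i = 1; i < sizeof frames / sizeof frames[0]; i++) {
        if (frames[i] < *lo) *lo = frames[i];
        if (frames[i] > *hi) *hi = frames[i];
    }
}

enum ptr_class classify(uint64_t a)
{
    uint64_t lo, hi;
    if (!is_canonical48(a)) return PTR_NONCANONICAL;
    code_span(&lo, &hi);
    return (a >= lo && a <= hi) ? PTR_IN_CODE : PTR_OTHER;
}

int main(void)
{
    static const char *names[] = { "non-canonical", "inside code span", "other" };
    /* function, refcount, function_name and str.val as printed by gdb. */
    const uint64_t seen[] = { 0x6821d0, 0x6697eb0824748b48ULL,
                              0x1f0fc35d5bc031ULL, 0x7fe50eebc7b8ULL };
    for (size_t i = 0; i < sizeof seen / sizeof seen[0]; i++)
        printf("%#018llx  %s\n", (unsigned long long)seen[i], names[classify(seen[i])]);
    return 0;
}
```

Under those assumptions the `function` value 0x6821d0 falls between frames #4 and #9, that is, inside the range of code addresses, while `refcount` and `function_name` are non-canonical and can never be dereferenced.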