Edit report at https://bugs.php.net/bug.php?id=64720&edit=1

 ID:                 64720
 Updated by:         dmi...@php.net
 Reported by:        d dot ananyev at gmail dot com
-Summary:            SegFault on zend_deactivate (php-fpm)
+Summary:            SegFault on zend_deactivate
-Status:             Open
+Status:             Assigned
 Type:               Bug
 Package:            Reproducible crash
 Operating System:   CentOS release 6.4 (Final)
 PHP Version:        5.4.10
-Assigned To:        
+Assigned To:        dmitry
 Block user comment: N
 Private report:     N

 New Comment:

Script to Reproduce
-------------------
<?php
class Stat {
    private static $requests;
    public static function getInstance() {
        // Lazily create the singleton and keep it inside a static array
        if (!isset(self::$requests[1])) {
            self::$requests[1] = new self();
        }
        return self::$requests[1];
    }

    public function __destruct() {
        // Removes the static array entry that holds this very object
        unset(self::$requests[1]);
    }
}

class Foo {
    public function __construct() {
        Stat::getInstance();
    }
}

class Error {
    private $trace;
    public function __construct() {
        $this->trace = debug_backtrace(1);
    }
}

class Bar {
    public function __destruct() {
        // Runs at shutdown: re-creates the Stat singleton and captures a backtrace
        Stat::getInstance();
        new Error();
    }

    public function test() {
        new Error();
    }
}

$foo = new Foo();
$bar = new Bar();
$bar->test();
?>

The crash occurs because PHP tries to access static properties of class "Stat" 
after they are destroyed.

==22607== Invalid read of size 4
==22607==    at 0x84EA438: _zval_dtor_func (zend_variables.c:46)
==22607==    by 0x84DAA42: _zval_dtor (zend_variables.h:35)
==22607==    by 0x84DAAEF: i_zval_ptr_dtor (zend_execute.h:81)
==22607==    by 0x84DB851: _zval_ptr_dtor (zend_execute_API.c:428)
==22607==    by 0x84E032A: cleanup_user_class_data (zend_opcode.c:169)
==22607==    by 0x84E0419: zend_cleanup_user_class_data (zend_opcode.c:202)
==22607==    by 0x84FC771: zend_hash_reverse_apply (zend_hash.c:799)
==22607==    by 0x84DB4BE: shutdown_executor (zend_execute_API.c:289)
==22607==    by 0x84EC528: zend_deactivate (zend.c:939)
==22607==    by 0x84744D6: php_request_shutdown (main.c:1800)
==22607==    by 0x8585386: do_cli (php_cli.c:1176)
==22607==    by 0x8585B2F: main (php_cli.c:1377)
==22607==  Address 0x4949fa8 is 0 bytes inside a block of size 20 free'd
==22607==    at 0x4007F0F: free (vg_replace_malloc.c:446)
==22607==    by 0x84BFEA5: _efree (zend_alloc.c:2437)
==22607==    by 0x851CDEB: i_zval_ptr_dtor (zend_execute.h:82)
==22607==    by 0x8541EA6: ZEND_UNSET_DIM_SPEC_VAR_CONST_HANDLER (zend_vm_execute.h:15900)
==22607==    by 0x8521499: execute_ex (zend_vm_execute.h:356)
==22607==    by 0x85214FD: zend_execute (zend_vm_execute.h:381)
==22607==    by 0x84DD3D5: zend_call_function (zend_execute_API.c:941)
==22607==    by 0x85080A9: zend_call_method (zend_interfaces.c:97)
==22607==    by 0x8515232: zend_objects_destroy_object (zend_objects.c:123)
==22607==    by 0x851B546: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:207)
==22607==    by 0x851B426: zend_objects_store_del_ref (zend_objects_API.c:173)
==22607==    by 0x84EA474: _zval_dtor_func (zend_variables.c:54)

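Reading the valgrind output above, the freed block is released from ZEND_UNSET_DIM_SPEC_VAR_CONST_HANDLER, that is, by Stat::__destruct running unset(self::$requests[1]) while cleanup_user_class_data is still in the middle of destroying that same static property, and is then read again on the way back up the stack. The C program below is an added example, not PHP engine code, that models this pattern with a fixed pool of values so the double release is counted instead of being undefined behaviour; every name in it (Value, Table, table_destroy_naive, table_destroy_safe, run_scenario) belongs to the example only.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model, not PHP engine code: a class's static-property table
 * holds refcounted values, and releasing a value runs a user destructor that
 * may reach back into the same table, as Stat::__destruct does with
 * unset(self::$requests[1]) in the reproduce script. */

#define TABLE_SLOTS 4
#define MAX_VALUES  8

typedef struct Table Table;
typedef struct Value Value;

struct Value {
    int  refcount;
    bool live;          /* instrumentation: false once the value has been freed */
    bool dtor_called;   /* a destructor runs at most once, as in the engine */
    void (*dtor)(Value *self, Table *table);   /* user-level destructor */
};

struct Table {
    Value *slots[TABLE_SLOTS];
};

/* Values come from a fixed pool rather than malloc(), so touching a freed
 * value is counted instead of being undefined behaviour. */
static Value pool[MAX_VALUES];
static int   pool_used;
static int   double_free_count;

static Value *value_new(void (*dtor)(Value *, Table *)) {
    if (pool_used >= MAX_VALUES) return NULL;
    Value *v = &pool[pool_used++];
    v->refcount = 1;
    v->live = true;
    v->dtor_called = false;
    v->dtor = dtor;
    return v;
}

/* Drop one reference; when the last one goes, run the destructor, then free. */
static void value_release(Value *v, Table *t) {
    if (v == NULL) return;
    if (!v->live) { double_free_count++; return; }   /* release of freed memory */
    if (--v->refcount > 0) return;
    if (v->dtor && !v->dtor_called) {
        v->dtor_called = true;
        v->dtor(v, t);               /* user code runs here and may mutate t */
    }
    if (!v->live) { double_free_count++; return; }   /* the destructor freed us */
    v->live = false;                 /* the actual free */
}

/* unset(self::$requests[i]): release whatever the slot holds and clear it. */
static void table_unset(Table *t, int i) {
    value_release(t->slots[i], t);
    t->slots[i] = NULL;
}

/* Stat::__destruct from the script: remove its own entry from the table. */
static void stat_dtor(Value *self, Table *t) {
    (void)self;
    table_unset(t, 1);
}

/* Naive shutdown: release each slot while the slot still points at the value,
 * so the destructor's unset() frees the value the loop is still working on. */
static void table_destroy_naive(Table *t) {
    for (int i = 0; i < TABLE_SLOTS; i++)
        value_release(t->slots[i], t);
}

/* Hardened shutdown: detach the value from the table before destroying it.
 * A destructor that looks the entry up now finds nothing left to unset. */
static void table_destroy_safe(Table *t) {
    for (int i = 0; i < TABLE_SLOTS; i++) {
        Value *v = t->slots[i];
        t->slots[i] = NULL;
        value_release(v, t);
    }
}

/* Builds a table holding a Stat-like value in slot 1 (as getInstance() does),
 * tears it down with the chosen strategy and returns the double-free count. */
int run_scenario(bool hardened) {
    pool_used = 0;
    double_free_count = 0;
    Table t = { { NULL } };
    t.slots[1] = value_new(stat_dtor);
    if (hardened) table_destroy_safe(&t);
    else          table_destroy_naive(&t);
    return double_free_count;
}

int main(void) {
    printf("naive teardown: %d double free(s)\n", run_scenario(false));
    printf("safe teardown:  %d double free(s)\n", run_scenario(true));
    return 0;
}
```

run_scenario(false) reports one double free for the naive teardown and run_scenario(true) reports none. Detaching the entry before releasing it is one common shape of the fix for this class of bug; the other is a re-entrancy guard in the release path itself, so that a nested release of a value already being destroyed is a no-op.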

Previous Comments:
------------------------------------------------------------------------
[2013-04-29 09:14:46] d dot ananyev at gmail dot com

It's not opcache related

------------------------------------------------------------------------
[2013-04-29 09:01:31] d dot ananyev at gmail dot com

We've got the same segfault trace without any opcode cache.

Core was generated by `php-fpm: pool www'.
Program terminated with signal 11, Segmentation fault.
#0  _zend_mm_free_int (heap=0x1177330, p=0x17926c0) at /usr/build/php-5.4.10/php-5.4.10/Zend/zend_alloc.c:2100
2100            if (ZEND_MM_IS_FREE_BLOCK(next_block)) {
Missing separate debuginfos, use: debuginfo-install fftw-3.2.1-3.1.el6.x86_64 lcms-libs-1.19-1.el6.x86_64 libc-client-2007e-11.el6.x86_64 libidn-1.18-2.el6.x86_64 libmcrypt-2.5.8-9.el6.x86_64 librabbitmq-0.2-0.1.git2059570.el6.remi.x86_64 libtool-ltdl-2.2.6-15.5.el6.x86_64 xz-libs-4.999.9-0.3.beta.20091007git.el6.x86_64
(gdb) bt
#0  _zend_mm_free_int (heap=0x1177330, p=0x17926c0) at /usr/build/php-5.4.10/php-5.4.10/Zend/zend_alloc.c:2100
#1  0x00000000007116d7 in _zval_dtor (zval_ptr=0x16beb60) at /usr/build/php-5.4.10/php-5.4.10/Zend/zend_variables.h:35
#2  _zval_ptr_dtor (zval_ptr=0x16beb60) at /usr/build/php-5.4.10/php-5.4.10/Zend/zend_execute_API.c:438
#3  0x00000000007163af in cleanup_user_class_data (pce=<value optimized out>) at /usr/build/php-5.4.10/php-5.4.10/Zend/zend_opcode.c:165
#4  zend_cleanup_user_class_data (pce=<value optimized out>) at /usr/build/php-5.4.10/php-5.4.10/Zend/zend_opcode.c:198
#5  0x000000000072b944 in zend_hash_reverse_apply (ht=0x1177c90, apply_func=0x716340 <zend_cleanup_user_class_data>) at /usr/build/php-5.4.10/php-5.4.10/Zend/zend_hash.c:799
#6  0x0000000000714156 in shutdown_executor () at /usr/build/php-5.4.10/php-5.4.10/Zend/zend_execute_API.c:289
#7  0x000000000071f412 in zend_deactivate () at /usr/build/php-5.4.10/php-5.4.10/Zend/zend.c:938
#8  0x00000000006c2a3c in php_request_shutdown (dummy=<value optimized out>) at /usr/build/php-5.4.10/php-5.4.10/main/main.c:1790
#9  0x00000000007d0d49 in main (argc=<value optimized out>, argv=<value optimized out>) at /usr/build/php-5.4.10/php-5.4.10/sapi/fpm/fpm/fpm_main.c:1948

------------------------------------------------------------------------
[2013-04-26 18:39:52] s...@php.net

If it is OPcache related, try using OPcache from https://github.com/zend-dev/ZendOptimizerPlus. This has various fixes that aren't yet in PECL.

------------------------------------------------------------------------
[2013-04-26 17:43:42] d dot ananyev at gmail dot com

I installed OpCache from this link:
http://pecl.php.net/package/ZendOpcache/7.0.1

I'll check if it will be reproduced without opcode cache.

------------------------------------------------------------------------
[2013-04-26 17:13:04] s...@php.net

Where did you install opcache from?
Does the crash happen without opcache?

------------------------------------------------------------------------


The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at

    https://bugs.php.net/bug.php?id=64720

