Bug #64720 [Asn->Csd]: SegFault on zend_deactivate

2013-05-23 Thread dmitry
Edit report at https://bugs.php.net/bug.php?id=64720&edit=1

 ID:                 64720
 Updated by:         dmi...@php.net
 Reported by:        d dot ananyev at gmail dot com
 Summary:            SegFault on zend_deactivate
-Status:             Assigned
+Status:             Closed
 Type:               Bug
 Package:            Reproducible crash
 Operating System:   CentOS release 6.4 (Final)
 PHP Version:        5.4.10
 Assigned To:        dmitry
 Block user comment: N
 Private report:     N

 New Comment:

The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.




Previous Comments:

[2013-05-21 06:35:24] dmi...@php.net

The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.




[2013-05-21 06:34:09] dmi...@php.net

Automatic comment on behalf of dmi...@zend.com
Revision: 
http://git.php.net/?p=php-src.git;a=commit;h=77f15762137e2d8173df9b733b4cb70fc996
Log: Fixed bug #64720 (SegFault on zend_deactivate)


[2013-05-21 05:09:53] dmi...@php.net

Script to Reproduce
---
trace = debug_backtrace(1);
    }
}

class Bar {
    // runs during request shutdown, while the engine is tearing down class data
    public function __destruct() {
        Stat::getInstance();   // touches Stat's static state from inside teardown
        new Error();           // Error's constructor captures a backtrace
    }

    public function test() {
        new Error();
    }
}

$foo = new Foo();
$bar = new Bar();
$bar->test();
?>

The crash occurs because PHP tries to access static properties of class "Stat" 
after they are destroyed.

==22607== Invalid read of size 4
==22607==    at 0x84EA438: _zval_dtor_func (zend_variables.c:46)
==22607==    by 0x84DAA42: _zval_dtor (zend_variables.h:35)
==22607==    by 0x84DAAEF: i_zval_ptr_dtor (zend_execute.h:81)
==22607==    by 0x84DB851: _zval_ptr_dtor (zend_execute_API.c:428)
==22607==    by 0x84E032A: cleanup_user_class_data (zend_opcode.c:169)
==22607==    by 0x84E0419: zend_cleanup_user_class_data (zend_opcode.c:202)
==22607==    by 0x84FC771: zend_hash_reverse_apply (zend_hash.c:799)
==22607==    by 0x84DB4BE: shutdown_executor (zend_execute_API.c:289)
==22607==    by 0x84EC528: zend_deactivate (zend.c:939)
==22607==    by 0x84744D6: php_request_shutdown (main.c:1800)
==22607==    by 0x8585386: do_cli (php_cli.c:1176)
==22607==    by 0x8585B2F: main (php_cli.c:1377)
==22607==  Address 0x4949fa8 is 0 bytes inside a block of size 20 free'd
==22607==    at 0x4007F0F: free (vg_replace_malloc.c:446)
==22607==    by 0x84BFEA5: _efree (zend_alloc.c:2437)
==22607==    by 0x851CDEB: i_zval_ptr_dtor (zend_execute.h:82)
==22607==    by 0x8541EA6: ZEND_UNSET_DIM_SPEC_VAR_CONST_HANDLER (zend_vm_execute.h:15900)
==22607==    by 0x8521499: execute_ex (zend_vm_execute.h:356)
==22607==    by 0x85214FD: zend_execute (zend_vm_execute.h:381)
==22607==    by 0x84DD3D5: zend_call_function (zend_execute_API.c:941)
==22607==    by 0x85080A9: zend_call_method (zend_interfaces.c:97)
==22607==    by 0x8515232: zend_objects_destroy_object (zend_objects.c:123)
==22607==    by 0x851B546: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:207)
==22607==    by 0x851B426: zend_objects_store_del_ref (zend_objects_API.c:173)
==22607==    by 0x84EA474: _zval_dtor_func (zend_variables.c:54)


[2013-04-29 09:14:46] d dot ananyev at gmail dot com

It's not opcache related


[2013-04-29 09:01:31] d dot ananyev at gmail dot com

We've got the same segfault trace without any opcode cache.

Core was generated by `php-fpm: pool www'.
Program terminated with signal 11, Segmentation fault.
#0  _zend_mm_free_int (heap=0x1177330, p=0x17926c0) at /usr/build/php-5.4.10/php-5.4.10/Zend/zend_alloc.c:2100
2100        if (ZEND_MM_IS_FREE_BLOCK(next_block)) {
Missing separate debuginfos, use: debuginfo-install fftw-3.2.1-3.1.el6.x86_64 lcms-libs-1.19-1.el6.x86_64 libc-client-2007e-11.el6.x86_64 libidn-1.18-2.el6.x86_64 libmcrypt-2.5.8-9.el6.x86_64 librabbitmq-0.2-0.1.git2059570.el6.remi.x86_64 libtool-ltdl-2.2.6-15.5.el6.x86_64 xz-libs-4.999.9-0.3.beta.20091007git.el6.x86_64
(gdb) bt
#0  _zend_mm_free_int (heap=0x1177330, p=0x17926c0) at /usr/build/php-5.4.10/php-5.4.10/Zend/zend_alloc.c:2100
#1  0x007116d7 in _zval_dtor (zval_ptr=0x16beb60) at /usr/build/php-5.4.10/php-5.4.10/Zend/zend_variables.h:35
#2  _zval_ptr_dtor (zval_ptr=0x16beb60) at /usr/build/php-5.4.10/php-5.4.10/Zend/zend_execute_API.c:438
#3  0x007163af in cleanup_user_class_data (pce=) at /usr/build/php-5.4.10/php-5.4.10/Zend/zend_opcode.c:165
#4  zend_cleanup_user_class_data (pce=) at /usr/build/php-5.4.10/php-5.4.10/Zend/zend_opcode.c:198
#5  0x0072b944 in zend_hash_reverse_apply (ht=0x1177c90, apply_func=0x716340 ) at /usr/build/php-5.4.10/php-5.4.10/Zend/zend_hash.c:799
#6  0x00714156 in shutdown_executor () at /usr/build/php-5.4.10/php-5.4.10/Zend/zend_execute_API.c:289
#7  0x0071f412 in zend_deactivate () at /usr/build/php-5.4.10/php-5.4.10/Zend/zend.c:938
#8  0x006c2a3c in php_request_shutdown (dummy=) at /usr/build/php-5.4.10/php-5.4.10/main/main.c:1790
#9  0x007d0


Bug #64720 [Asn->Csd]: SegFault on zend_deactivate

2013-05-20 Thread dmitry
Edit report at https://bugs.php.net/bug.php?id=64720&edit=1

 ID:                 64720
 Updated by:         dmi...@php.net
 Reported by:        d dot ananyev at gmail dot com
 Summary:            SegFault on zend_deactivate
-Status:             Assigned
+Status:             Closed
 Type:               Bug
 Package:            Reproducible crash
 Operating System:   CentOS release 6.4 (Final)
 PHP Version:        5.4.10
 Assigned To:        dmitry
 Block user comment: N
 Private report:     N

 New Comment:

Automatic comment on behalf of dmi...@zend.com
Revision: 
http://git.php.net/?p=php-src.git;a=commit;h=77f15762137e2d8173df9b733b4cb70fc996
Log: Fixed bug #64720 (SegFault on zend_deactivate)
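dmitry's diagnosis above (static properties of Stat touched after they have been destroyed) and the valgrind trace, where the free happens inside a __destruct running under cleanup_user_class_data and the invalid read follows in the same cleanup loop, describe a re-entrancy hazard in teardown code: a loop destroys entries one by one, one of those destructions runs user code, and that user code modifies the very table the loop is walking. The C program below is an added example, not code from php-src or from this report. It is a toy model: the registry, the slot indices, the tracked arena that stands in for the real allocator, and the detach-before-destroy fix are all the example's own assumptions, not a description of the committed patch.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Toy model (added example, not Zend engine code) of the shutdown ordering
 * behind bug #64720.  A table of per-class static slots is torn down in a
 * loop; destroying one slot runs a user destructor, and that destructor
 * reaches back into the table and unsets another slot.  In the unsafe
 * teardown the loop keeps working from a pointer it read before the
 * destructor ran, so it frees that other slot's value a second time.
 * A tracked arena records double frees instead of corrupting the real
 * heap, so both variants can be run safely and compared.
 */

#define NSLOTS 3   /* assumed: three static slots are enough to show the hazard */

struct registry;

typedef struct value {
    int freed;                                        /* tracked-arena state */
    void (*dtor)(struct registry *, struct value *);  /* user-level destructor, may re-enter */
} value;

typedef struct registry {
    value *slot[NSLOTS];   /* models the class table's static-member entries */
    value  arena[NSLOTS];  /* backing storage, so nothing is really freed */
    int    double_frees;   /* witness counter */
} registry;

/* "free" in the tracked arena: never returns memory to libc, only records misuse */
static void arena_free(registry *r, value *v)
{
    if (v->freed)
        r->double_frees++;
    v->freed = 1;
}

/* models unset() on a static slot: frees the value and clears the table entry */
static void registry_unset(registry *r, int idx)
{
    if (r->slot[idx]) {
        arena_free(r, r->slot[idx]);
        r->slot[idx] = NULL;
    }
}

/* destructor of the object in slot 1: reaches back into the registry,
 * the way Bar::__destruct touches Stat's statics in the report */
static void reentrant_dtor(registry *r, value *self)
{
    (void)self;
    registry_unset(r, 2);
}

static void registry_init(registry *r)
{
    memset(r, 0, sizeof *r);
    for (int i = 0; i < NSLOTS; i++)
        r->slot[i] = &r->arena[i];
    r->arena[1].dtor = reentrant_dtor;
}

/* Unsafe teardown: reads every entry up front, then destroys each one.
 * Slot 1's destructor unsets slot 2, but the loop still holds slot 2's
 * old pointer, so it frees that value again. Returns the double-free count. */
static int teardown_unsafe(registry *r)
{
    value *snapshot[NSLOTS];
    memcpy(snapshot, r->slot, sizeof snapshot);
    for (int i = 0; i < NSLOTS; i++) {
        value *v = snapshot[i];
        if (v->dtor)
            v->dtor(r, v);
        arena_free(r, v);
    }
    return r->double_frees;
}

/* Safe teardown: re-read the live table every iteration, detach the entry
 * before running its destructor, and skip entries that user code already
 * cleared. Re-entrant access then finds NULL, never a freed value. */
static int teardown_safe(registry *r)
{
    for (int i = 0; i < NSLOTS; i++) {
        value *v = r->slot[i];
        if (!v)
            continue;            /* already unset by a destructor */
        r->slot[i] = NULL;       /* detach before user code can run */
        if (v->dtor)
            v->dtor(r, v);
        arena_free(r, v);
    }
    return r->double_frees;
}

/* each witness runs one variant on a fresh registry and returns its double-free count */
int unsafe_witness(void) { registry r; registry_init(&r); return teardown_unsafe(&r); }
int safe_witness(void)   { registry r; registry_init(&r); return teardown_safe(&r); }

int main(void)
{
    printf("unsafe teardown: %d double free(s)\n", unsafe_witness());
    printf("safe teardown:   %d double free(s)\n", safe_witness());
    return 0;
}
```

Both variants run without touching freed memory because arena_free only flags a second free; the unsafe loop reports one double free, the safe loop none. The rule the safe variant follows is general for any teardown that can call back into user code: detach the entry before the call so re-entrant access finds nothing, and re-read live state after the call instead of trusting a pointer read before it.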