ID:               43834
 User updated by:  jaco at jump dot co dot za
 Reported By:      jaco at jump dot co dot za
-Status:           Feedback
+Status:           Open
 Bug Type:         Scripting Engine problem
 Operating System: Windows 2003
 PHP Version:      5.2CVS-2008-01-14 (snap)
 New Comment:

I am unable to provide any code to reproduce this problem. The best I
could figure out up to now is that the get_browser() function together
with the browscap.ini on windows on a busy website is not a good idea.

The bug does not appear every time, but after I removed all
get_browser() code from the site, the server did not crash again. We get
about 500,000 page impressions per day, and the error occurred about
10-15 times a day.


Previous Comments:
------------------------------------------------------------------------

[2008-01-28 23:37:39] [EMAIL PROTECTED]

Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.



------------------------------------------------------------------------

[2008-01-14 07:10:29] jaco at jump dot co dot za

I got this in the user.dmp file:

In user.dmp the assembly instruction at php5ts!_zend_mm_free_int+139 in
C:\WINDOWS\system32\php5ts.dll from The PHP Group has caused an access
violation exception (0xC0000005) when trying to read from memory
location 0x697a6f59 on thread 7

------------------------------------------------------------------------

[2008-01-14 06:45:43] jaco at jump dot co dot za

I finally got the symbol files to work, and the stack trace looks a bit
different now:

function: php5ts!_zend_mm_free_int
        006aac9b 33c9             xor     ecx,ecx
        006aac9d 8b4718           mov     eax,[edi+0x18]
        006aaca0 85c0             test    eax,eax
        006aaca2 0f95c1           setne   cl
        006aaca5 8d448f14         lea     eax,[edi+ecx*4+0x14]
        006aaca9 8b4c8f14         mov     ecx,[edi+ecx*4+0x14]
        006aacad 85c9             test    ecx,ecx
        006aacaf 75e6             jnz    
php5ts!_zend_mm_free_int+0x117 (006aac97)
        006aacb1 c70200000000     mov     dword ptr [edx],0x0
        006aacb7 eb6f             jmp    
php5ts!_zend_mm_free_int+0x1a8 (006aad28)
FAULT ->006aacb9 395f0c           cmp     [edi+0xc],ebx    
ds:0023:0000000c=????????
        006aacbc 7505             jnz    
php5ts!_zend_mm_free_int+0x143 (006aacc3)
        006aacbe 395908           cmp     [ecx+0x8],ebx
        006aacc1 7410             jz     
php5ts!_zend_mm_free_int+0x153 (006aacd3)
        006aacc3 68cc629500       push    0x9562cc
        006aacc8 e883f6ffff       call    php5ts!zend_mm_panic
(006aa350)
        006aaccd 8b4dfc           mov     ecx,[ebp-0x4]
        006aacd0 83c404           add     esp,0x4
        006aacd3 894f0c           mov     [edi+0xc],ecx
        006aacd6 897908           mov     [ecx+0x8],edi
        006aacd9 8b03             mov     eax,[ebx]

*----> Stack Back Trace <----*
ChildEBP RetAddr  Args to Child              
0236fae0 006abce9 080dab18 00020000 00755f17
php5ts!_zend_mm_free_int+0x139 (CONV: cdecl)
0236faec 00755f17 01253a20 0b936cac 00735f13 php5ts!_efree+0x39 (FPO:
[1,0,0]) (CONV: cdecl)
0236faf8 00735f13 01253a78 0b936d20 0073a117
php5ts!_zval_dtor_func+0x27 (FPO: [1,0,1]) (CONV: cdecl)
0236fb04 0073a117 0b936cac 0b937348 0b927c00 php5ts!_zval_ptr_dtor+0x23
(FPO: [1,0,1]) (CONV: cdecl)
0236fb1c 00755f49 0b927c60 0b937354 00735f13
php5ts!zend_hash_destroy+0x27 (FPO: [EBP 0x0b927a40] [1,0,4]) (CONV:
cdecl)
0236fb28 00735f13 0b927c00 0b937420 0073a1a3
php5ts!_zval_dtor_func+0x59 (FPO: [1,0,1]) (CONV: cdecl)
0236fb34 0073a1a3 0b937354 0b925718 0236fc10 php5ts!_zval_ptr_dtor+0x23
(FPO: [1,0,1]) (CONV: cdecl)
0236fb4c 006bce7b 0b927a40 00000000 0b91f89e
php5ts!zend_hash_clean+0x23 (FPO: [EBP 0x0236fbb4] [1,0,4]) (CONV:
cdecl)
0236fb94 006bc465 0236fbb4 080d98a0 006bc3e5
php5ts!zend_do_fcall_common_helper_SPEC+0xa0b (FPO: [EBP 0x0236fb98]
[2,12,4]) (CONV: cdecl)
0236fba0 006bc3e5 0236fbb4 080d98a0 080d98a0
php5ts!ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER+0x15 (FPO: [2,0,0]) (CONV:
cdecl)
0236fc28 0075b9fd 00000008 080d98a0 00000000 php5ts!execute+0x1c5 (FPO:
[EBP 0x0b920598] [2,16,3]) (CONV: cdecl)
0236fc58 006abca9 7c827d0b 00000040 000006f4
php5ts!php_execute_script+0x20d (CONV: cdecl)
0236fc5c 7c827d0b 00000040 000006f4 00000000 php5ts!_emalloc+0x39 (FPO:
[1,0,0]) (CONV: cdecl)
WARNING: Stack unwind information not available. Following frames may
be wrong.
0236fc6c 77e61d43 08112da8 00000000 0236fcb8
ntdll!NtWaitForSingleObject+0xc
00000000 00000000 00000000 00000000 00000000
kernel32!WaitForSingleObjectEx+0xad

------------------------------------------------------------------------

[2008-01-14 00:07:08] jaco at jump dot co dot za

Description:
------------
On random apache crashes, the following is in the event log:

Faulting application httpd.exe, version 2.2.4.0, faulting module
php5ts.dll, version 5.2.5.5, fault address 0x0000adae.

The fault address is always: 0x0000adae and 0x0000acb9

The following dump was created by dr watson:

*----> State Dump for Thread Id 0xc68 <----*

eax=030f011c ebx=016616f8 ecx=000a2168 edx=1a943ff8 esi=fe5415dc
edi=00030000
eip=006aadae esp=03c2fad0 ebp=03c2fae0 iopl=0         nv up ei ng nz ac
pe cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000            
efl=00010293

function: php5ts!zend_mm_shutdown
        006aad93 8b03             mov     eax,[ebx]
        006aad95 8b4d0c           mov     ecx,[ebp+0xc]
        006aad98 03c8             add     ecx,eax
        006aad9a 894d0c           mov     [ebp+0xc],ecx
        006aad9d 8bf9             mov     edi,ecx
        006aad9f 8b4604           mov     eax,[esi+0x4]
        006aada2 a801             test    al,0x1
        006aada4 0f85a7010000     jne    
php5ts!zend_mm_shutdown+0x11e1 (006aaf51)
        006aadaa 24fc             and     al,0xfc
        006aadac 2bf0             sub     esi,eax
FAULT ->006aadae 8b7e08           mov     edi,[esi+0x8]    
ds:0023:fe5415e4=????????
        006aadb1 8b5e0c           mov     ebx,[esi+0xc]
        006aadb4 3bfe             cmp     edi,esi
        006aadb6 0f85b4000000     jne    
php5ts!zend_mm_shutdown+0x1100 (006aae70)
        006aadbc 3bde             cmp     ebx,esi
        006aadbe 740d             jz     
php5ts!zend_mm_shutdown+0x105d (006aadcd)
        006aadc0 68cc629500       push    0x9562cc
        006aadc5 e886f5ffff       call    php5ts!zend_mm_shutdown+0x5e0
(006aa350)
        006aadca 83c404           add     esp,0x4
        006aadcd 8b5618           mov     edx,[esi+0x18]
        006aadd0 33c9             xor     ecx,ecx

*----> Stack Back Trace <----*
ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may
be wrong.
03c2fae0 006abce9 1a9424d0 00030000 00755f17
php5ts!zend_mm_shutdown+0x103e
77bbce33 e877ba20 0000b685 8508758b ac840ff6 php5ts!efree+0x39
e868186a 00000000 00000000 00000000 00000000 0xe877ba20

I have installed the latest snapshot, and this is still happening.


Reproduce code:
---------------
I am not able to reproduce this code, this only happens on the
production server, with more than 4 million records in the database,
every page I tested does not cause this to happen, so I am now thinking
that this might be caused by specific data coming from MySQL.



------------------------------------------------------------------------
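
Added triage example, not part of the original report or of PHP's own tooling: it ties the two event-log fault addresses to the two "FAULT ->" instructions in the Dr. Watson dumps by inferring the load base of php5ts.dll. It assumes the event-log "fault address" is an offset into the faulting module and that the DLL is mapped on a 64 KiB boundary; the sample input is constructed from lines quoted in this report, and all function names are hypothetical.

```python
import re

# Constructed sample: the two FAULT lines and the event-log line quoted in this report.
DUMP_TEXT = """\
FAULT ->006aacb9 395f0c           cmp     [edi+0xc],ebx
FAULT ->006aadae 8b7e08           mov     edi,[esi+0x8]
"""
EVENT_LOG = ("Faulting application httpd.exe, version 2.2.4.0, faulting module "
             "php5ts.dll, version 5.2.5.5, fault address 0x0000adae.")
REPORTED_OFFSETS = [0x0000ADAE, 0x0000ACB9]  # "The fault address is always ..."

FAULT_RE = re.compile(
    r"^FAULT\s*->\s*([0-9a-fA-F]{8})\s+[0-9a-fA-F]+\s+(.*)$", re.M)
EVENT_RE = re.compile(
    r"faulting module\s+(\S+?),.*?fault address\s+0x([0-9a-fA-F]+)", re.I)


def fault_sites(dump_text):
    """Return (absolute address, instruction) for every FAULT line in a dump."""
    return [(int(addr, 16), insn.strip())
            for addr, insn in FAULT_RE.findall(dump_text)]


def parse_event(line):
    """Return (module name, fault offset) from an Application Error line."""
    m = EVENT_RE.search(line)
    return (m.group(1), int(m.group(2), 16)) if m else None


def infer_module_base(fault_addrs, offsets):
    """Find the 64 KiB-aligned base that maps every offset onto a fault address."""
    addrs = set(fault_addrs)
    candidates = {a - o for a in addrs for o in offsets if a >= o}
    for base in sorted(candidates):
        if base % 0x10000 == 0 and all(base + o in addrs for o in offsets):
            return base
    return None  # offsets and dumps do not describe the same crash sites


if __name__ == "__main__":
    sites = fault_sites(DUMP_TEXT)
    base = infer_module_base([a for a, _ in sites], REPORTED_OFFSETS)
    module, _ = parse_event(EVENT_LOG)
    for addr, insn in sites:
        print(f"{module}+0x{addr - base:04x}  {insn}")
```

Both reported offsets resolve to the same inferred base, so the two event-log addresses are the same two heap-manager instructions shown in the dumps rather than unrelated crash sites.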


-- 
Edit this bug report at http://bugs.php.net/?id=43834&edit=1
