From:             
Operating system: Gentoo
PHP version:      5.3.6
Package:          FPM related
Bug Type:         Bug
Bug description:  SIGSEGV in zend_assign_to_variable

Description:
------------
Hello,

php-fpm with Apache 2.2.16 has random segfaults when making new threads in a
vBulletin board.

The POST works, but the redirect segfaults, I think.

Here is a backtrace of the php-fpm worker:



Program received signal SIGSEGV, Segmentation fault.

0x085f95b6 in zend_assign_to_variable (variable_ptr_ptr=0xad882e28,
value=0xad8994e8, is_tmp_var=0)

    at /usr/src/php-5.3.6/Zend/zend_execute.c:662

662             if (Z_TYPE_P(variable_ptr) == IS_OBJECT &&
Z_OBJ_HANDLER_P(variable_ptr, set)) {

(gdb) bt full

#0  0x085f95b6 in zend_assign_to_variable (variable_ptr_ptr=0xad882e28,
value=0xad8994e8, is_tmp_var=0)

    at /usr/src/php-5.3.6/Zend/zend_execute.c:662

        variable_ptr = 0x5a5a5a5a

        garbage = {value = {lval = 4, dval = 1.9762625833649862e-323, str =
{val = 0x4 <Address 0x4 out of bounds>, len = 0}, ht = 0x4, obj = {

              handle = 4, handlers = 0x0}}, refcount__gc = 149399716, type
= 4 '\004', is_ref__gc = 175 '¯'}

#1  0x0865a6d9 in ZEND_ASSIGN_SPEC_CV_VAR_HANDLER (execute_data=0x91207cc)
at /usr/src/php-5.3.6/Zend/zend_vm_execute.h:27337

        opline = 0xad89d7f4

        free_op2 = {var = 0xad8994e8}

        value = 0xad8994e8

        variable_ptr_ptr = 0xad882e28

#2  0x085cdc2c in execute (op_array=0x8e9fdd4) at
/usr/src/php-5.3.6/Zend/zend_vm_execute.h:107

        ret = 3

        execute_data = 0x91207cc

        nested = 1 '\001'

        original_in_execution = 0 '\000'

#3  0x085a288e in zend_execute_scripts (type=8, retval=0x0, file_count=3)
at /usr/src/php-5.3.6/Zend/zend.c:1194

        files = 0xbe65f394 ""

        i = 1

        file_handle = 0xbe6636e4

        orig_op_array = 0x0

        orig_retval_ptr_ptr = 0x0

#4  0x085381b5 in php_execute_script (primary_file=0xbe6636e4) at
/usr/src/php-5.3.6/main/main.c:2268

        realfile =
"W2Á­\000\000\000\000\070\004f¾öÿW\b0\024Å\bÌp\205\t\n\000\000\000\210R¹\bÅ\001\000\000\000\000\000\000\000\000\000\000/\016X\b\001\005\000\001\000\000\000\000H\004f¾E\214f\bÌp\205\t\000s\205\t´\002\000\000¼lY\b\234ÓÝ\b´\002\000\000X\004f¾/\016X\b0\024Å\bðr\205\t\210R¹\bÅ\001\000\000\000\000\000\000\000\000\000\000(\024f¾ñ\bT\bðr\205\t\210R¹\bÅ\001\000\000\000\000\000\000\000\000\000\000\020\000\000\000À\213«\a/\001Ì­\000\000\000\000ø\033\002\000X\024f¾ñ\bT\b|
ÐÄ\b\024ÒÄ\b¸\004f¾|âÀ­\000\000\000\000\001\000\000\000"...

        __orig_bailout = 0xbe6615f8

        __bailout = {{__jmpbuf = {-1379008524, 0, -1100606276, -1100606184,
-1966102021, -405377897}, __mask_was_saved = 0, __saved_mask = {__val = {

                184, 0, 1302178070, 0, 1298211931, 0, 1302178636, 0,
6916987, 0, 146923508, 0, 0, 3194360904, 141417788, 3, 4, 3194360996,
137660206,

                3194361112, 139709081, 4, 3194360996, 1, 1, 0, 0,
3194361112, 140936771, 0, 2915958772, 0}}}}

        prepend_file_p = 0x0

        append_file_p = 0x0

        prepend_file = {type = ZEND_HANDLE_FILENAME, filename = 0x0,
opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0,
isatty = 0,

              mmap = {len = 0, pos = 0, map = 0x0, buf = 0x0, old_handle =
0x0, old_closer = 0}, reader = 0, fsizer = 0, closer = 0}},

          free_filename = 0 '\000'}

        append_file = {type = ZEND_HANDLE_FILENAME, filename = 0x0,
opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0,
isatty = 0,

              mmap = {len = 0, pos = 0, map = 0x0, buf = 0x0, old_handle =
0x0, old_closer = 0}, reader = 0, fsizer = 0, closer = 0}},

          free_filename = 0 '\000'}

        old_cwd = 0xbe65f3b0 "/"

        use_heap = 0 '\000'

        retval = 0

#5  0x08671d6c in main (argc=3, argv=0xbe663844) at
/usr/src/php-5.3.6/sapi/fpm/fpm/fpm_main.c:1917

        status_buffer = 0x0

        status_content_type = 0x0

        __orig_bailout = 0x0

        __bailout = {{__jmpbuf = {-1379008524, 0, 0, -1100597368,
-1929188869, -1894015849}, __mask_was_saved = 0, __saved_mask = {__val = {

                0 <repeats 32 times>}}}}

        free_query_string = 0

        exit_status = 0

        cgi = 0

        c = -1

        file_handle = {type = ZEND_HANDLE_MAPPED, filename = 0x8db4700
"/var/www/testforen/domaingo/showthread.php", opened_path = 0x0,

          handle = {fd = 148727672, fp = 0x8dd6778, stream = {handle =
0x8dd6778, isatty = 0, mmap = {len = 83287, pos = 0, map = 0xadb82000,

---Type <return> to continue, or q <return> to quit---

                buf = 0xadb82000 <Address 0xadb82000 out of bounds>,
old_handle = 0x8df61d8, old_closer = 0x85baa1d
<zend_stream_stdio_closer>},

              reader = 0x85ba9f4 <zend_stream_stdio_reader>, fsizer =
0x85baa42 <zend_stream_stdio_fsizer>,

              closer = 0x85bab31 <zend_stream_mmap_closer>}}, free_filename
= 0 '\000'}

        orig_optind = 1

        orig_optarg = 0x0

        ini_entries_len = 0

        max_requests = 1000

        requests = 21

        fcgi_fd = 0

        request = {listen_socket = 0, fd = 3, id = 1, keep = 0, closed = 0,
in_len = 0, in_pad = 0, out_hdr = 0x0, out_pos = 0xbe6616cc "\001\006",

          out_buf = "\001\006\000\001\000·\001\000Status: 302 Moved
Temporarily\r\nX-Powered-By: PHP/5.3.6\r\nLocation:
https://forum.domain.com/threads/10432-fsadfsdaf?p=57751#post57751\r\nContent-type:
text/html\r\n\r\n\000\001\003\000\001\000\b\000\000\000\000\000\000\000"...,

          reserved = '\000' <repeats 15 times>, env = 0x8dadc84}

        fpm_config = 0xbe6639dd "infactory-kunde.de"

        fpm_prefix = 0x0

        test_conf = 0

(gdb)



Test script:
---------------
Sorry, I can reproduce it only in a vBulletin board.

Expected result:
----------------
The redirection to the thread works

Actual result:
--------------
A SIGSEGV



-- 
Edit bug report at http://bugs.php.net/bug.php?id=54488&edit=1