From: Operating system: Gentoo PHP version: 5.3.6 Package: FPM related Bug Type: Bug Bug description:SIGSEGV in zend_assign_to_variable
Description: ------------ Hello, php-fpm with apache 2.2.16 has random segfaults when making new threads in vbulletin board. The POST works, but the redirect segfaults i think. Here is an backtrace of the php-fpm worker: Program received signal SIGSEGV, Segmentation fault. 0x085f95b6 in zend_assign_to_variable (variable_ptr_ptr=0xad882e28, value=0xad8994e8, is_tmp_var=0) at /usr/src/php-5.3.6/Zend/zend_execute.c:662 662 if (Z_TYPE_P(variable_ptr) == IS_OBJECT && Z_OBJ_HANDLER_P(variable_ptr, set)) { (gdb) bt full #0 0x085f95b6 in zend_assign_to_variable (variable_ptr_ptr=0xad882e28, value=0xad8994e8, is_tmp_var=0) at /usr/src/php-5.3.6/Zend/zend_execute.c:662 variable_ptr = 0x5a5a5a5a garbage = {value = {lval = 4, dval = 1.9762625833649862e-323, str = {val = 0x4 <Address 0x4 out of bounds>, len = 0}, ht = 0x4, obj = { handle = 4, handlers = 0x0}}, refcount__gc = 149399716, type = 4 '\004', is_ref__gc = 175 '¯'} #1 0x0865a6d9 in ZEND_ASSIGN_SPEC_CV_VAR_HANDLER (execute_data=0x91207cc) at /usr/src/php-5.3.6/Zend/zend_vm_execute.h:27337 opline = 0xad89d7f4 free_op2 = {var = 0xad8994e8} value = 0xad8994e8 variable_ptr_ptr = 0xad882e28 #2 0x085cdc2c in execute (op_array=0x8e9fdd4) at /usr/src/php-5.3.6/Zend/zend_vm_execute.h:107 ret = 3 execute_data = 0x91207cc nested = 1 '\001' original_in_execution = 0 '\000' #3 0x085a288e in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/php-5.3.6/Zend/zend.c:1194 files = 0xbe65f394 "" i = 1 file_handle = 0xbe6636e4 orig_op_array = 0x0 orig_retval_ptr_ptr = 0x0 #4 0x085381b5 in php_execute_script (primary_file=0xbe6636e4) at /usr/src/php-5.3.6/main/main.c:2268 realfile = "W2ÃÂ\000\000\000\000\070\004f¾öÿW\b0\024à \bÃp\205\t\n\000\000\000\210R¹\bà \001\000\000\000\000\000\000\000\000\000\000/\016X\b\001\005\000\001\000\000\000\000H\004f¾E\214f\bÃp\205\t\000s\205\t´\002\000\000¼lY\b\234ÃÃ\b´\002\000\000X\004f¾/\016X\b0\024à \bðr\205\t\210R¹\bà \001\000\000\000\000\000\000\000\000\000\000(\024f¾ñ\bT\bðr\205\t\210R¹\bà \001\000\000\000\000\000\000\000\000\000\000\020\000\000\000Ã\213«\a/\001ÃÂ\000\000\000\000ø\033\002\000X\024f¾ñ\bT\b| ÃÃ\b\024ÃÃ\b¸\004f¾|âÃÂ\000\000\000\000\001\000\000\000"... __orig_bailout = 0xbe6615f8 __bailout = {{__jmpbuf = {-1379008524, 0, -1100606276, -1100606184, -1966102021, -405377897}, __mask_was_saved = 0, __saved_mask = {__val = { 184, 0, 1302178070, 0, 1298211931, 0, 1302178636, 0, 6916987, 0, 146923508, 0, 0, 3194360904, 141417788, 3, 4, 3194360996, 137660206, 3194361112, 139709081, 4, 3194360996, 1, 1, 0, 0, 3194361112, 140936771, 0, 2915958772, 0}}}} prepend_file_p = 0x0 append_file_p = 0x0 prepend_file = {type = ZEND_HANDLE_FILENAME, filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, isatty = 0, mmap = {len = 0, pos = 0, map = 0x0, buf = 0x0, old_handle = 0x0, old_closer = 0}, reader = 0, fsizer = 0, closer = 0}}, free_filename = 0 '\000'} append_file = {type = ZEND_HANDLE_FILENAME, filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, isatty = 0, mmap = {len = 0, pos = 0, map = 0x0, buf = 0x0, old_handle = 0x0, old_closer = 0}, reader = 0, fsizer = 0, closer = 0}}, free_filename = 0 '\000'} old_cwd = 0xbe65f3b0 "/" use_heap = 0 '\000' retval = 0 #5 0x08671d6c in main (argc=3, argv=0xbe663844) at /usr/src/php-5.3.6/sapi/fpm/fpm/fpm_main.c:1917 status_buffer = 0x0 status_content_type = 0x0 __orig_bailout = 0x0 __bailout = {{__jmpbuf = {-1379008524, 0, 0, -1100597368, -1929188869, -1894015849}, __mask_was_saved = 0, __saved_mask = {__val = { 0 <repeats 32 times>}}}} free_query_string = 0 exit_status = 0 cgi = 0 c = -1 file_handle = {type = ZEND_HANDLE_MAPPED, filename = 0x8db4700 "/var/www/testforen/domaingo/showthread.php", opened_path = 0x0, handle = {fd = 148727672, fp = 0x8dd6778, stream = {handle = 0x8dd6778, isatty = 0, mmap = {len = 83287, pos = 0, map = 0xadb82000, ---Type <return> to continue, or q <return> to quit--- buf = 0xadb82000 <Address 0xadb82000 out of bounds>, old_handle = 0x8df61d8, old_closer = 0x85baa1d <zend_stream_stdio_closer>}, reader = 0x85ba9f4 <zend_stream_stdio_reader>, fsizer = 0x85baa42 <zend_stream_stdio_fsizer>, closer = 0x85bab31 <zend_stream_mmap_closer>}}, free_filename = 0 '\000'} orig_optind = 1 orig_optarg = 0x0 ini_entries_len = 0 max_requests = 1000 requests = 21 fcgi_fd = 0 request = {listen_socket = 0, fd = 3, id = 1, keep = 0, closed = 0, in_len = 0, in_pad = 0, out_hdr = 0x0, out_pos = 0xbe6616cc "\001\006", out_buf = "\001\006\000\001\000·\001\000Status: 302 Moved Temporarily\r\nX-Powered-By: PHP/5.3.6\r\nLocation: https://forum.domain.com/threads/10432-fsadfsdaf?p=57751#post57751\r\nContent-type: text/html\r\n\r\n\000\001\003\000\001\000\b\000\000\000\000\000\000\000"..., reserved = '\000' <repeats 15 times>, env = 0x8dadc84} fpm_config = 0xbe6639dd "infactory-kunde.de" fpm_prefix = 0x0 test_conf = 0 (gdb) Test script: --------------- Sorry, can reproduce only in vbulletin board. Expected result: ---------------- The redirection to the thread works Actual result: -------------- An SIGSEGV -- Edit bug report at http://bugs.php.net/bug.php?id=54488&edit=1 -- Try a snapshot (PHP 5.2): http://bugs.php.net/fix.php?id=54488&r=trysnapshot52 Try a snapshot (PHP 5.3): http://bugs.php.net/fix.php?id=54488&r=trysnapshot53 Try a snapshot (trunk): http://bugs.php.net/fix.php?id=54488&r=trysnapshottrunk Fixed in SVN: http://bugs.php.net/fix.php?id=54488&r=fixed Fixed in SVN and need be documented: http://bugs.php.net/fix.php?id=54488&r=needdocs Fixed in release: http://bugs.php.net/fix.php?id=54488&r=alreadyfixed Need backtrace: http://bugs.php.net/fix.php?id=54488&r=needtrace Need Reproduce Script: http://bugs.php.net/fix.php?id=54488&r=needscript Try newer version: http://bugs.php.net/fix.php?id=54488&r=oldversion Not developer issue: http://bugs.php.net/fix.php?id=54488&r=support Expected behavior: http://bugs.php.net/fix.php?id=54488&r=notwrong Not enough info: http://bugs.php.net/fix.php?id=54488&r=notenoughinfo Submitted twice: http://bugs.php.net/fix.php?id=54488&r=submittedtwice register_globals: http://bugs.php.net/fix.php?id=54488&r=globals PHP 4 support discontinued: http://bugs.php.net/fix.php?id=54488&r=php4 Daylight Savings: http://bugs.php.net/fix.php?id=54488&r=dst IIS Stability: http://bugs.php.net/fix.php?id=54488&r=isapi Install GNU Sed: http://bugs.php.net/fix.php?id=54488&r=gnused Floating point limitations: http://bugs.php.net/fix.php?id=54488&r=float No Zend Extensions: http://bugs.php.net/fix.php?id=54488&r=nozend MySQL Configuration Error: http://bugs.php.net/fix.php?id=54488&r=mysqlcfg