Bug #51467 Crash in shutdown
Submitted: 2010-04-03 02:39 UTC Modified: 2010-08-09 03:28 UTC
Votes:1
Avg. Score:4.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: php at group dot apple dot com Assigned: felipe (profile)
Status: Closed Package: Reproducible crash
PHP Version: 5.3.2 OS: Mac OS X 10.6
Private report: No CVE-ID: None
 [2010-04-03 02:39 UTC] php at group dot apple dot com
Description:
------------
Executing certain scripts on Mac OS X 10.6 running 5.3.2 (or 5.3.1 or 5.3) causes a crash in the shutdown routine. The stack trace appears to be the same reported in http://bugs.php.net/bug.php?id=49209.

See stack trace below.

I uploaded a tarball named "shutdown_crasher.tar.gz" as a smallish sample demonstrating the flaw.

"php displayDoc.php" shows the first crash noted below.

Putting the files into an apache doc root and loading the index.html file shows two buttons. Clicking on one should cause apache to crash. (Oddly, one deployment always crashed with the "synchronous" call while another always crashed with the "async" call.) This crash is the second noted below.

Test script:
---------------
See tarball attached as a patch.

Expected result:
----------------
I expected output without a crash.

Actual result:
--------------
Backtrace from php CLI:
--------------------
Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x00000001434ed621
Crashed Thread:  0  Dispatch queue: com.apple.main-thread

Thread 0 Crashed:  Dispatch queue: com.apple.main-thread
0   php                             0x000000010032aa3f gc_zval_possible_root + 99
1   php                             0x000000010031ad97 zend_hash_destroy + 42
2   php                             0x00000001001a2b35 sxe_object_free_storage + 53
3   php                             0x000000010032f351 zend_objects_store_free_object_storage + 120
4   php                             0x0000000100304ab1 shutdown_executor + 515
5   php                             0x000000010030fce8 zend_deactivate + 111
6   php                             0x00000001002c2fce php_request_shutdown + 597
7   php                             0x000000010038c51f main + 5213
8   php                             0x00000001000013b8 start + 52
--------------------

Backtrace from apache:
--------------------
Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x00000001d074cc21
Crashed Thread:  0  Dispatch queue: com.apple.main-thread

Thread 0 Crashed:  Dispatch queue: com.apple.main-thread
0   libphp5.so                      0x000000010131c64f gc_zval_possible_root + 99
1   libphp5.so                      0x000000010130d58b zend_hash_destroy + 42
2   libphp5.so                      0x000000010119e100 sxe_object_free_storage + 53
3   libphp5.so                      0x0000000101320f05 zend_objects_store_free_object_storage + 120
4   libphp5.so                      0x00000001012f76f2 shutdown_executor + 515
5   libphp5.so                      0x0000000101302508 zend_deactivate + 111
6   libphp5.so                      0x00000001012b6481 php_request_shutdown + 597
7   libphp5.so                      0x000000010137cff9 php_handler + 1370
[apache stack removed]
--------------------

 [2010-04-03 02:43 UTC] rasmus@php.net
-Status: Open +Status: Feedback
 [2010-04-03 02:43 UTC] rasmus@php.net
That doesn't look like the same backtrace to me. Try turning off gc in your php.ini:

zend.enable_gc=Off

And see if it still happens.  There have been some recent fixes to the gc code.
 [2010-04-03 03:13 UTC] php at group dot apple dot com
The patch file didn't upload because it wasn't text. I base64'd it and posted it here:
http://pastebin.org/131802
 [2010-04-03 03:21 UTC] php at group dot apple dot com
Are you saying the two backtraces in this report don't look the same or that
#49209's backtrace doesn't look the same? If the former, focus on the function
name + offsets and you will see they are practically identical. If the latter,
consider that the other report is a different OS (Linux) running PHP 5.2.10;
given the similarities, this bug appears to have been latent in multiple releases.

To answer your question, disabling GC prevents the crash.
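
The comparison described in the comment above (function names plus offsets, ignoring load addresses and module names), as an added example that is not part of the original report. The frames are copied from the two backtraces on this page; the function names `parse_frames` and `shared_frames` are illustrative.

```python
import re

# Frames from the two crash reports on this page, wrapped lines rejoined.
CLI_TRACE = """\
0   php          0x000000010032aa3f gc_zval_possible_root + 99
1   php          0x000000010031ad97 zend_hash_destroy + 42
2   php          0x00000001001a2b35 sxe_object_free_storage + 53
3   php          0x000000010032f351 zend_objects_store_free_object_storage + 120
4   php          0x0000000100304ab1 shutdown_executor + 515
5   php          0x000000010030fce8 zend_deactivate + 111
6   php          0x00000001002c2fce php_request_shutdown + 597
7   php          0x000000010038c51f main + 5213
8   php          0x00000001000013b8 start + 52
"""
APACHE_TRACE = """\
0   libphp5.so   0x000000010131c64f gc_zval_possible_root + 99
1   libphp5.so   0x000000010130d58b zend_hash_destroy + 42
2   libphp5.so   0x000000010119e100 sxe_object_free_storage + 53
3   libphp5.so   0x0000000101320f05 zend_objects_store_free_object_storage + 120
4   libphp5.so   0x00000001012f76f2 shutdown_executor + 515
5   libphp5.so   0x0000000101302508 zend_deactivate + 111
6   libphp5.so   0x00000001012b6481 php_request_shutdown + 597
7   libphp5.so   0x000000010137cff9 php_handler + 1370
"""

# index, module, load address, symbol, "+", offset
FRAME = re.compile(r"^\s*\d+\s+\S+\s+0x[0-9a-fA-F]+\s+(\S+)\s+\+\s+(\d+)\s*$")

def parse_frames(trace):
    # Keep only (symbol, offset); module name and address differ per binary.
    frames = []
    for line in trace.splitlines():
        m = FRAME.match(line)
        if m:
            frames.append((m.group(1), int(m.group(2))))
    return frames

def shared_frames(a, b):
    # Frames that match from the crash point outward, until the stacks diverge.
    shared = []
    for fa, fb in zip(parse_frames(a), parse_frames(b)):
        if fa != fb:
            break
        shared.append(fa)
    return shared

if __name__ == "__main__":
    for symbol, offset in shared_frames(CLI_TRACE, APACHE_TRACE):
        print(f"{symbol} + {offset}")
```

The two stacks agree on frames 0 through 6 and diverge only at the SAPI entry point (`main` for the CLI, `php_handler` for Apache).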
 [2010-04-03 03:25 UTC] rasmus@php.net
But you just proved they are unrelated. Your backtrace showed a gc_ function as the crash point, and disabling gc fixed it. There was no gc code in PHP 5.2.x which is the version bug 49209 was reported against, and of course there are no gc functions in the backtrace of that report.

So, please try a current PHP 5.3 snapshot to see if the recent gc fixes have addressed this particular issue.
 [2010-04-03 03:33 UTC] php at group dot apple dot com
Downloading now. Given the integration time to build in our environment, I likely won't have results until Monday.
 [2010-04-03 05:08 UTC] php at group dot apple dot com
The same crash occurs with php5.3-201004030030.tar.bz2.
 [2010-04-06 20:25 UTC] php at group dot apple dot com
Any more feedback required to diagnose this problem?
 [2010-08-09 03:28 UTC] felipe@php.net
-Status: Feedback +Status: Closed -Assigned To: +Assigned To: felipe
 [2010-08-09 03:28 UTC] felipe@php.net
There already was a fix for this issue. Thanks.
 