[2010-03-04 12:06 UTC] strube at physik3 dot gwdg dot de
Description:
------------
After having used APC-3.0.19 for a long time with PHP-5.2.x (x <= 13) in CGI mode, I now tried APC-3.1.3p1. Running make test, the tests apc_bin_001 and apc_bin_002 failed, crashing with an address alignment error.

This is a Sun SPARC machine, and SPARC (unlike x86) processors do not tolerate addresses (pointers) whose integer values are not a multiple of sizeof(variable_pointed_to). This seems not to be taken into account in the memory allocation of (at least) apc_bin.c and apc_compile.c.

In fact, I could prevent the crashes by compiling apc_bin.c and apc_compile.c with option -misalign (Sun Studio/Forte 7 cc). I do not suggest this as fix but just to confirm that address misalignment was the reason.

(I have also sent parts of this report as a comment to Bug #17046, which I feel may have the same reason, although mod_php is used there rather than php-cgi.)

Reproduce code:
---------------
In the APC-3.1.3p1 source directory, execute

/path/to/php-cgi -n -d extension_dir=$cwd/modules -d extension=apc.so -d apc.stat=0 tests/apc_bin_001.php

(or 002, respectively).

Expected result:
----------------
See expected results in tests/apc_bin_00{1,2}.phpt

Actual result:
--------------
Crash with SIGBUS and core dump.
Debugger, call stack:

*** dbx-output for apc_bin_001 core file:
(dbx) where
=>[1] apc_unswizzle_bd(0x5a5ed0, 0x416db8b6, 0x22437b01, 0x5a5ed8, 0x416db8, 0x0), at 0xfe9a7a7c
  [2] apc_bin_load(0x1, 0x3, 0xfe9bc6f4, 0xffbfef7c, 0xffbfef84, 0x5a5ed0), at 0xfe9a8730
  [3] zif_apc_bin_load(0x2, 0x5a5998, 0x400, 0x3e3e8, 0x3aefbc, 0x59bb04), at 0xfe97e3a8
  [4] zend_do_fcall_common_helper_SPEC(0xffbff1f0, 0x53e938, 0x0, 0x8400, 0x0, 0x550838), at 0x3e19d4
  [5] execute(0x3e9b8c, 0x0, 0x0, 0x5960d8, 0x5a5628, 0xffbff1f0), at 0x3e0ea8
  [6] zend_execute_scripts(0x8, 0x0, 0x3, 0x8000, 0x0, 0x5960d8), at 0x3a0028
  [7] php_execute_script(0x0, 0x59b240, 0x0, 0xffbff860, 0x5a4c90, 0x8000), at 0x310c3c
  [8] main(0x7b20, 0x0, 0x596568, 0x7, 0x59b240, 0x8000), at 0x485aa0

*** dbx-output for apc_bin_002 core file:
(dbx) where
=>[1] apc_copy_op_array(0x5aabfb, 0xfc80a064, 0xffbfed70, 0x0, 0xff00, 0xff0000), at 0xfe986934
  [2] apc_bin_dump(0x690498, 0x0, 0x0, 0xfe9a6954, 0x5aab58, 0xfe9bdfe4), at 0xfe9a8238
  [3] zif_apc_bin_dump(0x2, 0x5a7218, 0x400, 0x3e80c, 0x3aefbc, 0x59bb2c), at 0xfe97df84
  [4] zend_do_fcall_common_helper_SPEC(0xffbff1b8, 0x53e938, 0x0, 0x8400, 0x0, 0x550838), at 0x3e19d4
  [5] execute(0x3e9b8c, 0x0, 0x0, 0x5960d8, 0x5a5910, 0xffbff1b8), at 0x3e0ea8
  [6] zend_execute_scripts(0x8, 0x0, 0x3, 0x8000, 0x0, 0x5960d8), at 0x3a0028
  [7] php_execute_script(0x0, 0x59b248, 0x0, 0xffbff828, 0x5a4cd8, 0x8000), at 0x310c3c
  [8] main(0x7b20, 0x0, 0x596568, 0x9, 0x59b248, 0x8000), at 0x485aa0
Copyright © 2001-2025 The PHP Group. All rights reserved.
Last updated: Sat Oct 25 03:00:01 2025 UTC

I've rebuilt PHP and APC with debugging enabled. dbx reports the following for each of the tests. I hope this helps.

t@1 (l@1) program terminated by signal BUS (invalid address alignment)
Current function is apc_unswizzle_bd
  540   if(bd->swizzled_ptrs[i]) {
(dbx) where
current thread: t@1
=>[1] apc_unswizzle_bd(bd = 0xfb4410, flags = 3), line 540 in "apc_bin.c"
  [2] apc_bin_load(bd = 0xfb4410, flags = 3), line 804 in "apc_bin.c"
  [3] zif_apc_bin_load(ht = 2, return_value = 0xfb2d20, return_value_ptr = (nil), this_ptr = (nil), return_value_used = 0), line 1434 in "php_apc.c"
  [4] zend_do_fcall_common_helper_SPEC(execute_data = ???) (optimized), at 0x987ecc (line ~313) in "zend_vm_execute.h"
  [5] execute(op_array = ???) (optimized), at 0x987674 (line ~104) in "zend_vm_execute.h"
  [6] zend_execute_scripts(type = ???, retval = ???, file_count = ???, ... = ???, ...) (optimized), at 0x92163c (line ~1194) in "zend.c"
  [7] php_execute_script(primary_file = ???) (optimized), at 0x838a00 (line ~2260) in "main.c"
  [8] main(argc = ???, argv = ???) (optimized), at 0x9df248 (line ~1192) in "php_cli.c"
(dbx) print bd
bd = 0xfb4410
(dbx) print *bd
*bd = {
    size = 657U
    swizzled = 1
    md5 = "\023Oxq{\022N\001\016"
    crc = 574847745U
    num_entries = 1U
    entries = 0xfb443c
    num_swizzled_ptrs = 3
    swizzled_ptrs = 0xfb4693
}
(dbx) print 0xfb4693
16467603
(dbx) print *bd->swizzled_ptrs
*bd->swizzled_ptrs = 0x38
(dbx) print i;
i = 0
(dbx) print bd->swizzled_ptrs[0]
bd->swizzled_ptrs[0] = 0x38
(dbx) print bd->swizzled_ptrs[1]
bd->swizzled_ptrs[1] = 0x54
(dbx) print bd->swizzled_ptrs[2]
bd->swizzled_ptrs[2] = 0x40

t@1 (l@1) program terminated by signal BUS (invalid address alignment)
Current function is apc_copy_op_array
  904   dst->function_name = NULL;
(dbx) where
current thread: t@1
=>[1] apc_copy_op_array(dst = 0xfbd5b1, src = 0xfbc0d14c, ctxt = 0xffbfed40), line 904 in "apc_compile.c"
  [2] apc_bin_dump(files = (nil), user_vars = (nil)), line 707 in "apc_bin.c"
  [3] zif_apc_bin_dump(ht = 2, return_value = 0xfb5918, return_value_ptr = (nil), this_ptr = (nil), return_value_used = 1), line 1326 in "php_apc.c"
  [4] zend_do_fcall_common_helper_SPEC(execute_data = ???) (optimized), at 0x987ecc (line ~313) in "zend_vm_execute.h"
  [5] execute(op_array = ???) (optimized), at 0x987674 (line ~104) in "zend_vm_execute.h"
  [6] zend_execute_scripts(type = ???, retval = ???, file_count = ???, ... = ???, ...) (optimized), at 0x92163c (line ~1194) in "zend.c"
  [7] php_execute_script(primary_file = ???) (optimized), at 0x838a00 (line ~2260) in "main.c"
  [8] main(argc = ???, argv = ???) (optimized), at 0x9df248 (line ~1192) in "php_cli.c"
(dbx) print *dst
*dst = {
    type = '\002'
    function_name = (nil)
    scope = (nil)
    fn_flags = 0
    prototype = (nil)
    num_args = 0
    required_num_args = 0
    arg_info = (nil)
    pass_rest_by_reference = '\0'
    return_reference = '\0'
    done_pass_two = '\001'
    refcount = 0xfbc0d21c
    opcodes = 0xfbc0e178
    last = 71U
    size = 71U
    vars = 0xfbc0fff8
    last_var = 3
    size_var = 16
    T = 48U
    brk_cont_array = (nil)
    last_brk_cont = 0
    current_brk_cont = -1
    try_catch_array = (nil)
    last_try_catch = 0
    static_variables = (nil)
    start_op = (nil)
    backpatch_count = 0
    this_var = 4294967295U
    filename = 0xfbc0d1dc "/home/lir/bcc/web-20100415/APC-3.1.3p1/tests/apc_bin_002.inc"
    line_start = 0
    line_end = 0
    doc_comment = (nil)
    doc_comment_len = 0
    early_binding = 4294967295U
    reserved = ((nil), (nil), (nil), (nil))

APC 3.1.2 isn't affected since it seems the bin_dump functionality wasn't present in that release - it does appear to work, but it does look like there was a lot of other improvements in 3.1.3 so I'm reluctant to make do.

Having done some more testing, it does seem that there's (at least) 2 pointer alignment issues in APC 3.1 on SPARC. The bindump functionality did introduce new ones which are highlighted by 'make test', but I still see SIGBUS issues with APC 3.1.2 on the second load of some (but not all) pages. apc.php doesn't break, nor does a page with a phpinfo() call.

The following code does seem to be enough to consistently break (I realise this example doesn't make a lot of sense, but I cut my test script down to the minimum that would make it die - it does seem that just one call to microtime is enough though):

<?php
$s = microtime(true);
echo '<p>EXEC TIME: ' . (microtime(true) - $s) . '</p>';
?>

Load the page once and it is fine, the second time the process dies with a bus error. This happens with both APC 3.1.2 and APC 3.1.3p1. If I build PHP without any optimisations I do not see the issue, but it is something like 3x slower.
Any level of optimisation does seem to be enough to break it. If I remove the APC module completely I do not see the problem. Unfortunately, this is not a workaround as we have some code that relies on the APC user cache.

Further dbx output from the core dump in case it's useful:

t@1 (l@1) program terminated by signal BUS (invalid address alignment)
Current function is ZEND_SEND_VAL_SPEC_CONST_HANDLER (optimized)
 1721   INIT_PZVAL_COPY(valptr, value);
(dbx) where
current thread: t@1
=>[1] ZEND_SEND_VAL_SPEC_CONST_HANDLER(execute_data = ???) (optimized), at 0x814d30 (line ~1721) in "zend_vm_execute.h"
  [2] execute(op_array = ???) (optimized), at 0x8113f0 (line ~104) in "zend_vm_execute.h"
  [3] zend_execute_scripts(type = ???, retval = ???, file_count = ???, ... = ???, ...) (optimized), at 0x7b770c (line ~1194) in "zend.c"
  [4] php_execute_script(primary_file = ???) (optimized), at 0x6f096c (line ~2260) in "main.c"
  [5] main(argc = ???, argv = ???) (optimized), at 0x85e030 (line ~2102) in "cgi_main.c"
(dbx) print *execute_data.fbc
dbx: cannot access address 0x2f62656e
(dbx) print *execute_data.op_array
dbx: cannot access address 0x68700018
(dbx) up
Current function is execute (optimized)
  104   if ((ret = EX(opline)->handler(execute_data TSRMLS_CC)) > 0) {
(dbx) print op_array
op_array = 0xff04e0
(dbx) up
Current function is zend_execute_scripts (optimized)
 1194   zend_execute(EG(active_op_array) TSRMLS_CC);
(dbx) print type
type = 8473724
(dbx) print retval
retval = 0xff04e0
(dbx) print *retval
*retval = 0xfc0644c4
(dbx) print file_count
file_count = 19

Attaching the debugger to a running php-cgi process and setting a breakpoint as close as I can means I can get at the following bits of data:

t@1 (l@1) stopped in _so_accept at 0xfe1cbab0
0xfe1cbab0: _so_accept+0x0004: ta %icc,0x00000008
Current function is fcgi_accept_request (optimized)
  960   req->fd = accept(listen_socket, (struct sockaddr *)&sa, &len);
(dbx) stop at zend.c:1194
(2) stop at "zend.c":1194
(dbx) cont
t@1 (l@1) stopped in zend_execute_scripts (optimized) at line 1194 in file "zend.c"
 1194   zend_execute(EG(active_op_array) TSRMLS_CC);
(dbx) next
t@1 (l@1) stopped in zend_execute_scripts (optimized) at line 1193 in file "zend.c"
 1193   EG(return_value_ptr_ptr) = retval ? retval : NULL;
(dbx) next
t@1 (l@1) stopped in zend_execute_scripts (optimized) at line 1194 in file "zend.c"
 1194   zend_execute(EG(active_op_array) TSRMLS_CC);
(dbx) where
current thread: t@1
=>[1] zend_execute_scripts(type = ???, retval = ???, file_count = ???, ... = ???, ...) (optimized), at 0x7b770c (line ~1194) in "zend.c"
  [2] php_execute_script(primary_file = ???) (optimized), at 0x6f096c (line ~2260) in "main.c"
  [3] main(argc = ???, argv = ???) (optimized), at 0x85e030 (line ~2102) in "cgi_main.c"
(dbx) print executor_globals.active_op_array
executor_globals.active_op_array = 0xe03df8
(dbx) print *executor_globals.active_op_array.vars
*executor_globals.active_op_array->vars = {
    name = 0xfc00a564 "s"
    name_len = 1
    hash_value = 5863704U
}
(dbx) print *executor_globals.active_op_array.refcount
*executor_globals.active_op_array->refcount = 1000U
(dbx) next
t@1 (l@1) signal BUS (invalid address alignment) in ZEND_SEND_VAL_SPEC_CONST_HANDLER (optimized) at line 1721 in file "zend_vm_execute.h"
 1721   INIT_PZVAL_COPY(valptr, value);

I hope this helps. If there's anything else you need, I am happy to run some more tests.
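
Added example (not APC's code and not from any poster in this thread): the report attributes the crashes to memory allocation that ignores alignment, and the trace shows a pointer table at the odd address 0xfb4693. The C sketch below shows how packing blocks back to back in one buffer produces such an address, how rounding each start offset up avoids it, and how a reader can copy slots out of a buffer of unknown alignment. POOL_ALIGN, the block sizes 40 and 19, and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: 8 bytes is the strictest alignment needed (double, long long).
 * Real code should derive this per platform. */
#define POOL_ALIGN 8u

/* Backing store; the union forces the buffer itself to start aligned. */
static union { double d; long long ll; void *p; unsigned char bytes[256]; } backing;

typedef struct { unsigned char *base; size_t size, used; } pool_t;

static int is_aligned(const void *p, size_t a) { return ((uintptr_t)p % a) == 0; }

static size_t align_up(size_t n, size_t a) { return (n + a - 1) / a * a; }

/* Packed bump allocation: the next block starts wherever the last one ended,
 * so one odd-sized block misaligns everything allocated after it. */
static void *alloc_packed(pool_t *p, size_t n) {
    if (n > p->size - p->used) return NULL;
    void *r = p->base + p->used;
    p->used += n;
    return r;
}

/* Aligned bump allocation: round the start offset up before carving a block. */
static void *alloc_aligned(pool_t *p, size_t n) {
    size_t off = align_up(p->used, POOL_ALIGN);
    if (off > p->size || n > p->size - off) return NULL;
    p->used = off + n;
    return p->base + off;
}

/* Lay out a 40-byte header, a 19-byte string, then a table of three slots
 * (constructed sizes). Returns the table's offset from the pool base, or
 * (size_t)-1 if the pool is exhausted. */
static size_t table_offset(int aligned) {
    pool_t p = { backing.bytes, sizeof backing.bytes, 0 };
    void *(*alloc)(pool_t *, size_t) = aligned ? alloc_aligned : alloc_packed;
    if (!alloc(&p, 40) || !alloc(&p, 19)) return (size_t)-1;
    unsigned char *table = alloc(&p, 3 * sizeof(size_t));
    return table ? (size_t)(table - p.base) : (size_t)-1;
}

/* Reader-side defence: a serialized blob can arrive in a buffer with any
 * alignment, so copy each slot out instead of casting and indexing. */
static size_t read_slot(const unsigned char *table, size_t i) {
    size_t v;
    memcpy(&v, table + i * sizeof v, sizeof v);
    return v;
}

/* Store the three slot values seen in the dbx trace at byte offset `off`
 * and read slot `i` back without ever dereferencing a misaligned pointer. */
static size_t roundtrip_at(size_t off, size_t i) {
    const size_t vals[3] = { 0x38, 0x54, 0x40 };
    memcpy(backing.bytes + off, vals, sizeof vals);
    return read_slot(backing.bytes + off, i);
}

int main(void) {
    size_t packed = table_offset(0), fixed = table_offset(1);
    printf("packed table at +%zu, aligned: %d\n", packed,
           is_aligned(backing.bytes + packed, POOL_ALIGN));
    printf("fixed  table at +%zu, aligned: %d\n", fixed,
           is_aligned(backing.bytes + fixed, POOL_ALIGN));
    printf("slot 1 read from +%zu via memcpy: 0x%zx\n", packed,
           roundtrip_at(packed, 1));
    return 0;
}
```

On x86 a direct load from the packed table would usually succeed, which is why this class of bug tends to surface only on strict-alignment targets such as SPARC; building with -fsanitize=alignment on GCC or Clang reports such loads on any platform.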