Bug #45339 Crash In ZEND_MM_CHECK_TREE
Submitted: 2008-06-23 18:49 UTC Modified: 2010-12-20 12:35 UTC
Votes:5
Avg. Score:4.6 ± 0.5
Reproduced:3 of 3 (100.0%)
Same Version:3 (100.0%)
Same OS:3 (100.0%)
From: willh at metavera dot com Assigned: dmitry (profile)
Status: Closed Package: Scripting Engine problem
PHP Version: 5.2CVS, 5.3CVS, 6CVS (2008-07-23) OS: *
Private report: No CVE-ID: None
 [2008-06-23 18:49 UTC] willh at metavera dot com
Description:
------------
PHP crashes in ZEND_MM_CHECK_TREE. The problem is reproducible with 
our source code but I have been unable to create a short script that 
duplicates the issue. 

The crash happens with the CVS version of PHP, and the same crash 
happens with 5.2.6. 

I have a core file if needed. If PHP is configured with --enable-debug  
the crash does not happen. 

On crash, we also get:
----
/usr/src/t/php-5.2.6/Zend/zend_execute.c(403) :  Freeing 0xB1272E30 (16 bytes), script=[redacted]/training/code/lmember/index.php
Last leak repeated 2 times
----
in the error logs



PHP 5.2 snap configured like ...

'./configure' '--prefix=/usr/local/php5' '--with-apxs2=/usr/bin/apxs2' '--with-libxml-dir' '--with-openssl' '--with-zlib' '--enable-bcmath' '--enable-calendar' '--with-curl' '--with-curlwrappers' '--enable-exif' '--enable-ftp' '--with-gd' '--enable-gd-native-ttf' '--with-gettext' '--with-gmp' '--with-imap' '--enable-mbstring' '--with-pdo-pgsql' '--with-pgsql' '--enable-soap' '--with-tidy' '--enable-zip' '--with-xsl' '--with-imap-ssl' '--with-jpeg-dir=/usr/lib' '--with-png-dir=/usr/lib' '--with-ttf=/usr/lib' '--enable-zip' '--with-freetype-dir=/usr/lib' '--with-bz2' '--enable-sockets' '--with-kerberos' '--with-mcrypt' '--enable-sysvshm' '--enable-sysvsem'






Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1215793472 (LWP 16822)]
0xb73c0298 in _zend_mm_free_int (heap=0x8230fe8, p=<value optimized out>) at /usr/src/php-5.2.6/Zend/zend_alloc.c:817
817                             ZEND_MM_CHECK_TREE(mm_block);
(gdb)  bt
#0  0xb73c0298 in _zend_mm_free_int (heap=0x8230fe8, p=<value optimized out>) at /usr/src/php-5.2.6/Zend/zend_alloc.c:817
#1  0xb73f2482 in zend_objects_free_object_storage (object=0xa2edd24c) at /usr/src/php-5.2.6/Zend/zend_objects.c:122
#2  0xb73f532f in zend_objects_store_free_object_storage (objects=0xb76e2b28) at /usr/src/php-5.2.6/Zend/zend_objects_API.c:89
#3  0xb73cdce9 in shutdown_executor () at /usr/src/php-5.2.6/Zend/zend_execute_API.c:299
#4  0xb73d98dd in zend_deactivate () at /usr/src/php-5.2.6/Zend/zend.c:860
#5  0xb739a569 in php_request_shutdown (dummy=0x0) at /usr/src/php-5.2.6/main/main.c:1486
#6  0xb745471d in php_handler (r=0x8355578) at /usr/src/php-5.2.6/sapi/apache2handler/sapi_apache2.c:469
#7  0x08074607 in ap_run_handler ()
#8  0x080777b1 in ap_invoke_handler ()
#9  0x0808471a in ap_internal_redirect ()
...

 [2008-06-23 19:41 UTC] scottmac@php.net
Compile with --enable-debug but disable the PHP memory manager.

You can do this with an environment variable.

export USE_ZEND_ALLOC=0

Then start Apache in debug mode, you can do this with httpd -X
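One way to script the check described above, as an added example that is not from this bug thread: run a reproducer under both USE_ZEND_ALLOC settings and compare the outcomes by exit status, since a crash that appears only with the Zend allocator enabled is the signature being discussed. The php command line and script path are supplied by the caller; the sh -c commands used for testing are constructed stand-ins for a real reproducer.

```shell
#!/bin/sh
# Added example (not from the bug report): triage a PHP crash by running the
# same command with and without the Zend memory manager (USE_ZEND_ALLOC).

# run_with_alloc <0|1> <command...>
# Runs the command with USE_ZEND_ALLOC set to the given value; returns its
# exit status. Output is discarded, only the status matters here.
run_with_alloc() {
    _mode=$1; shift
    USE_ZEND_ALLOC=$_mode "$@" >/dev/null 2>&1
    return $?
}

# classify <status>
# Prints "ok" for 0, "signal:<n>" for a status above 128 (the shell's
# 128+signal convention, so SIGSEGV shows as signal:11), "error" otherwise.
classify() {
    if [ "$1" -eq 0 ]; then
        echo ok
    elif [ "$1" -gt 128 ]; then
        echo "signal:$(( $1 - 128 ))"
    else
        echo error
    fi
}

# triage <command...>
# Runs the command under USE_ZEND_ALLOC=1 and =0, prints both outcomes to
# stderr, and prints "allocator-dependent" on stdout when they differ,
# "consistent" otherwise.
triage() {
    s1=0; run_with_alloc 1 "$@" || s1=$?
    s0=0; run_with_alloc 0 "$@" || s0=$?
    c1=$(classify "$s1"); c0=$(classify "$s0")
    printf 'USE_ZEND_ALLOC=1: %s\nUSE_ZEND_ALLOC=0: %s\n' "$c1" "$c0" >&2
    if [ "$c1" != "$c0" ]; then
        echo allocator-dependent
    else
        echo consistent
    fi
}

# Usage with a real reproducer (php binary and script path are assumptions):
# triage /usr/local/php5/bin/php -n repro.php
```

For the Apache case the same comparison applies with httpd -X started under each setting, but the exit status then has to be read from the child process rather than the wrapper.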
 [2008-06-23 20:40 UTC] willh at metavera dot com
We tried --enable-debug and having USE_ZEND_ALLOC=0 environment variable 
set- no crash.
We tried the non-enable-debug set and having USE_ZEND_ALLOC=0 set- no 
crash.

So with USE_ZEND_ALLOC=0 no crashes.
 [2008-06-24 22:27 UTC] willh at metavera dot com
I have managed to isolate the PHP code that appeared to be triggering 
this issue on our production server and have crafted a relatively 
short (71 lines) script that crashes PHP on our development servers. 
These servers run a different distribution of Linux but PHP is 
configured and compiled similarly. Unfortunately this script does not 
crash on our development server. 

The development server has php5.2-200806191230 configured in the 
following manner...

'./configure' '--prefix=/usr/local/' '--with-apxs2' '--with-libxml-dir' '--with-openssl' '--with-zlib' '--enable-bcmath' '--enable-calendar' '--with-curl' '--with-curlwrappers' '--enable-exif' '--enable-ftp' '--with-gd' '--enable-gd-native-ttf' '--with-gettext' '--with-gmp' '--enable-mbstring' '--with-pdo-pgsql' '--with-pgsql' '--enable-soap' '--with-tidy' '--enable-zip' '--with-xsl' '--with-jpeg-dir=/usr/lib' '--with-png-dir=/usr/lib' '--with-ttf=/usr/lib' '--enable-zip' '--with-freetype-dir=/usr/lib' '--with-bz2' '--enable-sockets' '--with-kerberos' '--with-mcrypt' '--enable-sysvshm' '--enable-sysvsem' '--with-config-file-path=/etc'

The following script is expected to exit normally but it crashes when USE_ZEND_ALLOC=1. The following script does not crash when USE_ZEND_ALLOC=0. 

I apologize for the length of the script; it is as short as I was able 
to make it and still manage to get it to crash. 


_____________________
<?php

class MVCallback {
    protected $key;
    protected $object; /* The object to call the method on */
    protected $method; /* the method name */
    protected $arguments = array();

    static public function initialize($object, $method, $arguments = array()) {
        $callback = new self();
        $callback->object = $object;
        $callback->method = $method;
        $callback->arguments = $arguments;
        return $callback;
    }
}

class callback_db_column {
    protected $callback = null;
    protected $format_function;

    public function __construct($name, $column_name = _U) {
        $this->set_format_func('sprintf');
    }

    public function callback() {
        return $this->callback;
    }

    public function set_callback($aMVCallback) {
        $this->callback = $aMVCallback;
        return $this;
    }

    protected function & set_format_func($aString) {
        $this->format_function = &$aString;
    }
}

class foo {
    protected $columns = array();

    function & add_column(&$col) {
        $this->columns[] = &$col;
    }

    public function add_column_for_date($column_name, $value_name, $format_function) {
        $col = new callback_db_column($column_name, $value_name);
        $col->set_callback(
            MVCallback::initialize($this, 'value_with_timezone', array($format_function, $value_name))
        );

        $this->add_column(&$col);
    }

    function __construct($base_table = _U) {
        $this->add_column_for_date(COL_RES_START, RES_START, 'stamp_to_string');
        $this->add_column_for_date(COL_RES_END, RES_END, 'stamp_to_string');
        $this->add_column_for_date(COL_RES_START_SHORT, RES_START, 'stamp_to_input_string');
        $this->add_column_for_date(COL_RES_END_SHORT, RES_END, 'stamp_to_input_string');
    }
}

for ($i = 1; $i <= 5000; ++$i) {
    $foo = &new foo($u = 'foo');
}
 [2008-06-24 23:16 UTC] willh at metavera dot com
I made a typo in the above comment. 

" Unfortunately this script does not crash on our development server. " 

should read ...

" Unfortunately this script does not crash on our production server. "
 [2008-06-26 16:53 UTC] willh at metavera dot com
A couple interesting notes/observations. 

Removing the new by reference (&new) and replacing it with new appears 
to no longer replicate the crash. 

Changing 

static public function initialize($object,$method,$arguments = array())

to read 

static public function initialize(&$object,$method,$arguments = array())

Appears to no longer replicate the crash. Notice the & in the function 
signature.  

Also passing something other than $this to MVCallback::initialize() 
appears to no longer replicate the crash. 

Commenting out line 1965 - 1967 in zend_alloc.c appears to prevent the 
crash (the if(ZEND_MM_PREV_BLOCK_IS_FREE.. block). This likely causes 
memory leaks or poor utilization of memory but the process no longer 
crashes.
 [2008-07-14 18:39 UTC] nic dot rodgers at enableinteractive dot co dot uk
I get exactly the same backtrace on my codebase. This occurs under 5.2.5, 5.2.6 and the latest snapshot.
 [2008-07-23 13:33 UTC] jani@php.net
Using the provided example code (and with USE_ZEND_ALLOC=0):

* HEAD and PHP_5_3: Crash in the CG stuff
* PHP_5_2: Leaks all over the place.

Dmitry, can you check this out please?

 [2008-07-26 15:47 UTC] dmitry@php.net
This is a duplicate of #45178 that is already fixed in CVS.
 [2010-12-20 12:35 UTC] jani@php.net
-Package: Tidy +Package: Scripting Engine problem