Bug #52518 Segfault in /Zend/zend_objects_API.c:230
Submitted: 2010-08-02 19:12 UTC Modified: 2012-03-07 22:15 UTC
Votes:3
Avg. Score:4.3 ± 0.9
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:1 (50.0%)
From: correo at sevein dot com Assigned: pajoye (profile)
Status: Closed Package: Reproducible crash
PHP Version: 5.3.3 OS: Linux/Windows
Private report: No CVE-ID: None
 [2010-08-02 19:12 UTC] correo at sevein dot com
Description:
------------
A PHP process segfaults randomly when I try to build a complex search index with the Symfony framework and Zend Lucene. Unfortunately, I can't figure out a short script to reproduce this problem.

I can reproduce it with all PHP versions, including PHP 5.3.3. In debug mode, the problem occurs faster (the index build can take many hours).

This is how I compiled my PHP installation:

./configure \
--enable-dom \
--enable-libxml \
--with-xsl \
--enable-pdo \
--with-pdo-mysql \
--with-mysql \
--with-mysqli \
--enable-mbstring \
--enable-debug


gdb:

$ gdb /home/foobar/bin/php-5.3.3-debug ./core
Core was generated by `/home/foobar/bin/php-5.3.3-debug -d memory_limit=1200M symfony search:populate Q'.
Program terminated with signal 11, Segmentation fault.
#0  0x000000000086d775 in zend_objects_store_del_ref_by_handle_ex (handle=16159, handlers=0x106b340) at /home/foobar/bin/php-5.3.3/Zend/zend_objects_API.c:230
230		obj->refcount--;

(gdb) print obj
$1 = (struct _store_object *) 0x7ffc9fc80838

(gdb) print obj->refcount
Cannot access memory at address 0x7ffc9fc80860



The backtrace:

(gdb) bt
#0  0x000000000086d775 in zend_objects_store_del_ref_by_handle_ex (handle=16159, handlers=0x106b340) at /home/foobar/bin/php-5.3.3/Zend/zend_objects_API.c:230
#1  0x000000000086d477 in zend_objects_store_del_ref (zobject=0xd724c90) at /home/foobar/bin/php-5.3.3/Zend/zend_objects_API.c:172
#2  0x000000000083d822 in _zval_dtor_func (zvalue=0xd724c90, __zend_filename=0xdceb88 "/home/foobar/bin/php-5.3.3/Zend/zend_execute_API.c", __zend_lineno=443) at /home/foobar/bin/php-5.3.3/Zend/zend_variables.c:52
#3  0x000000000082d73a in _zval_dtor (zvalue=0xd724c90, __zend_filename=0xdceb88 "/home/foobar/bin/php-5.3.3/Zend/zend_execute_API.c", __zend_lineno=443) at /home/foobar/bin/php-5.3.3/Zend/zend_variables.h:35
#4  0x000000000082e6c8 in _zval_ptr_dtor (zval_ptr=0xddbaa00, __zend_filename=0xdd0400 "/home/foobar/bin/php-5.3.3/Zend/zend_variables.c", __zend_lineno=178) at /home/foobar/bin/php-5.3.3/Zend/zend_execute_API.c:443
#5  0x000000000083db9f in _zval_ptr_dtor_wrapper (zval_ptr=0xddbaa00) at /home/foobar/bin/php-5.3.3/Zend/zend_variables.c:178
#6  0x000000000084feb0 in zend_hash_destroy (ht=0xcba0578) at /home/foobar/bin/php-5.3.3/Zend/zend_hash.c:526
#7  0x0000000000868209 in zend_object_std_dtor (object=0xf2983f0) at /home/foobar/bin/php-5.3.3/Zend/zend_objects.c:45
#8  0x0000000000868585 in zend_objects_free_object_storage (object=0xf2983f0) at /home/foobar/bin/php-5.3.3/Zend/zend_objects.c:128
#9  0x000000000086d710 in zend_objects_store_del_ref_by_handle_ex (handle=16266, handlers=0x106b340) at /home/foobar/bin/php-5.3.3/Zend/zend_objects_API.c:220
#10 0x000000000086d477 in zend_objects_store_del_ref (zobject=0xe67c7b0) at /home/foobar/bin/php-5.3.3/Zend/zend_objects_API.c:172
#11 0x000000000083d822 in _zval_dtor_func (zvalue=0xe67c7b0, __zend_filename=0xdceb88 "/home/foobar/bin/php-5.3.3/Zend/zend_execute_API.c", __zend_lineno=443) at /home/foobar/bin/php-5.3.3/Zend/zend_variables.c:52
#12 0x000000000082d73a in _zval_dtor (zvalue=0xe67c7b0, __zend_filename=0xdceb88 "/home/foobar/bin/php-5.3.3/Zend/zend_execute_API.c", __zend_lineno=443) at /home/foobar/bin/php-5.3.3/Zend/zend_variables.h:35
#13 0x000000000082e6c8 in _zval_ptr_dtor (zval_ptr=0x7ffca2525c10, __zend_filename=0xdd6728 "/home/foobar/bin/php-5.3.3/Zend/zend_vm_execute.h", __zend_lineno=160) at /home/foobar/bin/php-5.3.3/Zend/zend_execute_API.c:443
#14 0x00000000008732da in zend_leave_helper_SPEC (execute_data=0x7ffca2525b38) at /home/foobar/bin/php-5.3.3/Zend/zend_vm_execute.h:160
#15 0x0000000000878335 in ZEND_RETURN_SPEC_CONST_HANDLER (execute_data=0x7ffca2525b38) at /home/foobar/bin/php-5.3.3/Zend/zend_vm_execute.h:1686
#16 0x0000000000873131 in execute (op_array=0x33a0410) at /home/foobar/bin/php-5.3.3/Zend/zend_vm_execute.h:107
#17 0x00000000008401ec in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/foobar/bin/php-5.3.3/Zend/zend.c:1194
#18 0x00000000007ca328 in php_execute_script (primary_file=0x7fffd3b27230) at /home/foobar/bin/php-5.3.3/main/main.c:2260
#19 0x00000000009238a3 in main (argc=6, argv=0x7fffd3b27498) at /home/foobar/bin/php-5.3.3/sapi/cli/php_cli.c:1192

Test script:
---------------
Unfortunately, I can't figure out a short script to reproduce this problem.

Expected result:
----------------
The process should not segfault.

Actual result:
--------------
Segfault

History
 [2010-08-05 03:41 UTC] felipe@php.net
-Status: Open +Status: Feedback
 [2010-08-05 03:41 UTC] felipe@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.


 [2010-08-07 12:48 UTC] correo at sevein dot com
-Status: Feedback +Status: Open
 [2010-08-07 12:48 UTC] correo at sevein dot com
I'm continuing to investigate this issue. I ran valgrind to complete this report and got this:

==1994== Invalid read of size 4
==1994==    at 0x701E1C: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:230)
==1994==    by 0x701F62: zend_objects_store_del_ref (zend_objects_API.c:172)
==1994==    by 0x6D4B04: _zval_ptr_dtor (zend_variables.h:35)
==1994==    by 0x6EC4CA: zend_hash_destroy (zend_hash.c:526)
==1994==    by 0x6FE5F8: zend_object_std_dtor (zend_objects.c:45)
==1994==    by 0x6FE618: zend_objects_free_object_storage (zend_objects.c:128)
==1994==    by 0x701F49: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:220)
==1994==    by 0x701F62: zend_objects_store_del_ref (zend_objects_API.c:172)
==1994==    by 0x75AE41: ZEND_ASSIGN_SPEC_CV_CONST_HANDLER (zend_execute.c:691)
==1994==    by 0x704927: execute (zend_vm_execute.h:107)
==1994==    by 0x6E0179: zend_execute_scripts (zend.c:1194)
==1994==    by 0x68F8CC: php_execute_script (main.c:2260)
==1994==    by 0x76638D: main (php_cli.c:1192)
==1994==  Address 0x10611c30 is 1,014,768 bytes inside a block of size 1,048,576 free'd
==1994==    at 0x4C285A2: realloc (vg_replace_malloc.c:525)
==1994==    by 0x702080: zend_objects_store_put (zend_objects_API.c:113)
==1994==    by 0x6FE2C7: zend_objects_new (zend_objects.c:138)
==1994==    by 0x6E86F2: _object_and_properties_init (zend_API.c:1079)
==1994==    by 0x709168: ZEND_NEW_SPEC_HANDLER (zend_vm_execute.h:476)
==1994==    by 0x704927: execute (zend_vm_execute.h:107)
==1994==    by 0x6D6D03: zend_call_function (zend_execute_API.c:963)
==1994==    by 0x6F5F4E: zend_call_method (zend_interfaces.c:97)
==1994==    by 0x6FE4DE: zend_objects_destroy_object (zend_objects.c:113)
==1994==    by 0x701F30: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:206)
==1994==    by 0x701F62: zend_objects_store_del_ref (zend_objects_API.c:172)
==1994==    by 0x6D4B04: _zval_ptr_dtor (zend_variables.h:35)
==1994==    by 0x6EC4CA: zend_hash_destroy (zend_hash.c:526)
==1994==    by 0x6FE5F8: zend_object_std_dtor (zend_objects.c:45)
==1994==    by 0x6FE618: zend_objects_free_object_storage (zend_objects.c:128)
==1994==    by 0x701F49: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:220)
==1994==    by 0x701F62: zend_objects_store_del_ref (zend_objects_API.c:172)
==1994==    by 0x6D4B04: _zval_ptr_dtor (zend_variables.h:35)
==1994==    by 0x6EC4CA: zend_hash_destroy (zend_hash.c:526)
==1994==    by 0x6FE5F8: zend_object_std_dtor (zend_objects.c:45)
==1994==    by 0x6FE618: zend_objects_free_object_storage (zend_objects.c:128)
==1994==    by 0x701F49: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:220)
==1994==    by 0x701F62: zend_objects_store_del_ref (zend_objects_API.c:172)
==1994==    by 0x75AE41: ZEND_ASSIGN_SPEC_CV_CONST_HANDLER (zend_execute.c:691)
==1994==    by 0x704927: execute (zend_vm_execute.h:107)
==1994==    by 0x6E0179: zend_execute_scripts (zend.c:1194)
==1994==    by 0x68F8CC: php_execute_script (main.c:2260)
==1994==    by 0x76638D: main (php_cli.c:1192)
==1994== 
==1994== Invalid read of size 4
==1994==    at 0x701E1C: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:230)
==1994==    by 0x701F62: zend_objects_store_del_ref (zend_objects_API.c:172)
==1994==    by 0x75AE41: ZEND_ASSIGN_SPEC_CV_CONST_HANDLER (zend_execute.c:691)
==1994==    by 0x704927: execute (zend_vm_execute.h:107)
==1994==    by 0x6E0179: zend_execute_scripts (zend.c:1194)
==1994==    by 0x68F8CC: php_execute_script (main.c:2260)
==1994==    by 0x76638D: main (php_cli.c:1192)
==1994==  Address 0x106172f0 is 1,036,976 bytes inside a block of size 1,048,576 free'd
==1994==    at 0x4C285A2: realloc (vg_replace_malloc.c:525)
==1994==    by 0x702080: zend_objects_store_put (zend_objects_API.c:113)
==1994==    by 0x6FE2C7: zend_objects_new (zend_objects.c:138)
==1994==    by 0x6E86F2: _object_and_properties_init (zend_API.c:1079)
==1994==    by 0x709168: ZEND_NEW_SPEC_HANDLER (zend_vm_execute.h:476)
==1994==    by 0x704927: execute (zend_vm_execute.h:107)
==1994==    by 0x6D6D03: zend_call_function (zend_execute_API.c:963)
==1994==    by 0x6F5F4E: zend_call_method (zend_interfaces.c:97)
==1994==    by 0x6FE4DE: zend_objects_destroy_object (zend_objects.c:113)
==1994==    by 0x701F30: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:206)
==1994==    by 0x701F62: zend_objects_store_del_ref (zend_objects_API.c:172)
==1994==    by 0x6D4B04: _zval_ptr_dtor (zend_variables.h:35)
==1994==    by 0x6EC4CA: zend_hash_destroy (zend_hash.c:526)
==1994==    by 0x6FE5F8: zend_object_std_dtor (zend_objects.c:45)
==1994==    by 0x6FE618: zend_objects_free_object_storage (zend_objects.c:128)
==1994==    by 0x701F49: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:220)
==1994==    by 0x701F62: zend_objects_store_del_ref (zend_objects_API.c:172)
==1994==    by 0x6D4B04: _zval_ptr_dtor (zend_variables.h:35)
==1994==    by 0x6EC4CA: zend_hash_destroy (zend_hash.c:526)
==1994==    by 0x6FE5F8: zend_object_std_dtor (zend_objects.c:45)
==1994==    by 0x6FE618: zend_objects_free_object_storage (zend_objects.c:128)
==1994==    by 0x701F49: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:220)
==1994==    by 0x701F62: zend_objects_store_del_ref (zend_objects_API.c:172)
==1994==    by 0x75AE41: ZEND_ASSIGN_SPEC_CV_CONST_HANDLER (zend_execute.c:691)
==1994==    by 0x704927: execute (zend_vm_execute.h:107)
==1994==    by 0x6E0179: zend_execute_scripts (zend.c:1194)
==1994==    by 0x68F8CC: php_execute_script (main.c:2260)
==1994==    by 0x76638D: main (php_cli.c:1192)
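The valgrind report above shows the pattern behind the crash: the object store's bucket array is realloc'd in zend_objects_store_put (reached from a user destructor run by zend_objects_destroy_object) while a caller higher on the stack, zend_objects_store_del_ref_by_handle_ex, still holds a pointer into the old array and reads through it at line 230. The C sketch below is an added example, not PHP's own code: a toy object store of the same shape whose deleting function re-fetches its slot by handle after the destructor callback instead of reusing the pre-callback pointer, and reports whether the array moved. All names (store_put, store_del_ref, spawn_children, demo) are invented for the illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
struct store;
typedef void (*dtor_fn)(struct store *s);                 /* user destructor hook */
typedef struct { int refcount; int valid; dtor_fn dtor; } store_object; /* one slot */
struct store { store_object *buckets; size_t size, top; };
/* Grow by allocate+copy+free so the array always relocates; the realloc in
 * zend_objects_store_put may do the same, which is what the valgrind trace shows. */
size_t store_put(struct store *s, dtor_fn dtor) {
    if (s->top == s->size) {
        size_t nsize = s->size ? s->size * 2 : 1;
        store_object *nb = malloc(nsize * sizeof *nb);
        if (!nb) abort();
        if (s->buckets) {
            memcpy(nb, s->buckets, s->top * sizeof *nb);
            free(s->buckets);                             /* old array is now dead */
        }
        s->buckets = nb;
        s->size = nsize;
    }
    store_object *o = &s->buckets[s->top];
    o->refcount = 1; o->valid = 1; o->dtor = dtor;
    return s->top++;
}
/* Drops one reference and runs the destructor when it reaches zero. Returns 1 if
 * the bucket array moved while the destructor ran, i.e. the condition under which
 * a pointer taken before the callback would now point into freed memory. */
int store_del_ref(struct store *s, size_t handle) {
    store_object *obj = &s->buckets[handle];
    if (--obj->refcount > 0) return 0;
    uintptr_t before = (uintptr_t)s->buckets;
    if (obj->dtor) obj->dtor(s);                          /* may call store_put */
    int moved = (uintptr_t)s->buckets != before;
    obj = &s->buckets[handle];               /* re-fetch by handle; never reuse obj */
    obj->valid = 0; obj->dtor = NULL;
    return moved;
}
/* Constructed destructor: like a __destruct() that calls `new` 64 times. */
static void spawn_children(struct store *s) { for (int i = 0; i < 64; i++) store_put(s, NULL); }
/* Returns 1 when deletion survived relocation with the store still consistent. */
int demo(void) {
    struct store s = {0};
    size_t h = store_put(&s, spawn_children);
    int moved = store_del_ref(&s, h);
    int ok = moved && !s.buckets[h].valid && s.top == 65 && s.buckets[64].valid;
    free(s.buckets);
    return ok;
}
```

Running the same toy under valgrind with the re-fetch line removed reproduces an "Invalid read ... inside a block ... free'd" report of the kind pasted above, which is the quickest way to confirm a suspected store-relocation bug.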
 [2011-06-13 04:02 UTC] felipe@php.net
-Status: Open +Status: Feedback
 [2011-06-13 04:02 UTC] felipe@php.net
Please try using this snapshot:

  http://snaps.php.net/php5.3-latest.tar.gz
 
For Windows:

  http://windows.php.net/snapshots/


 [2012-03-07 22:14 UTC] correo at sevein dot com
I'm happy to say that I am not able to reproduce this segfault anymore. Thank you guys!
 [2012-03-07 22:14 UTC] correo at sevein dot com
-Status: Feedback +Status: Open
 [2012-03-07 22:15 UTC] pajoye@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: pajoye