php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #54488 SIGSEGV in zend_assign_to_variable
Submitted: 2011-04-07 16:22 UTC Modified: 2011-10-31 13:02 UTC
Votes:5
Avg. Score:4.6 ± 0.5
Reproduced:1 of 2 (50.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: dbetz at df dot eu Assigned: fat (profile)
Status: Not a bug Package: FPM related
PHP Version: 5.3.6 OS: Gentoo
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: dbetz at df dot eu
New email:
PHP Version: OS:

 

 [2011-04-07 16:22 UTC] dbetz at df dot eu
Description:
------------
Hello,

php-fpm with apache 2.2.16 has random segfaults when making new threads in vbulletin board.
The POST works, but the redirect segfaults i think.

Here is an backtrace of the php-fpm worker:

Program received signal SIGSEGV, Segmentation fault.
0x085f95b6 in zend_assign_to_variable (variable_ptr_ptr=0xad882e28, value=0xad8994e8, is_tmp_var=0)
    at /usr/src/php-5.3.6/Zend/zend_execute.c:662
662             if (Z_TYPE_P(variable_ptr) == IS_OBJECT && Z_OBJ_HANDLER_P(variable_ptr, set)) {
(gdb) bt full
#0  0x085f95b6 in zend_assign_to_variable (variable_ptr_ptr=0xad882e28, value=0xad8994e8, is_tmp_var=0)
    at /usr/src/php-5.3.6/Zend/zend_execute.c:662
        variable_ptr = 0x5a5a5a5a
        garbage = {value = {lval = 4, dval = 1.9762625833649862e-323, str = {val = 0x4 <Address 0x4 out of bounds>, len = 0}, ht = 0x4, obj = {
              handle = 4, handlers = 0x0}}, refcount__gc = 149399716, type = 4 '\004', is_ref__gc = 175 '¯'}
#1  0x0865a6d9 in ZEND_ASSIGN_SPEC_CV_VAR_HANDLER (execute_data=0x91207cc) at /usr/src/php-5.3.6/Zend/zend_vm_execute.h:27337
        opline = 0xad89d7f4
        free_op2 = {var = 0xad8994e8}
        value = 0xad8994e8
        variable_ptr_ptr = 0xad882e28
#2  0x085cdc2c in execute (op_array=0x8e9fdd4) at /usr/src/php-5.3.6/Zend/zend_vm_execute.h:107
        ret = 3
        execute_data = 0x91207cc
        nested = 1 '\001'
        original_in_execution = 0 '\000'
#3  0x085a288e in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/php-5.3.6/Zend/zend.c:1194
        files = 0xbe65f394 ""
        i = 1
        file_handle = 0xbe6636e4
        orig_op_array = 0x0
        orig_retval_ptr_ptr = 0x0
#4  0x085381b5 in php_execute_script (primary_file=0xbe6636e4) at /usr/src/php-5.3.6/main/main.c:2268
        realfile = "W2Á­\000\000\000\000\070\004f¾öÿW\b0\024Å\bÌp\205\t\n\000\000\000\210R¹\bÅ\001\000\000\000\000\000\000\000\000\000\000/\016X\b\001\005\000\001\000\000\000\000H\004f¾E\214f\bÌp\205\t\000s\205\t´\002\000\000¼lY\b\234ÓÝ\b´\002\000\000X\004f¾/\016X\b0\024Å\bðr\205\t\210R¹\bÅ\001\000\000\000\000\000\000\000\000\000\000(\024f¾ñ\bT\bðr\205\t\210R¹\bÅ\001\000\000\000\000\000\000\000\000\000\000\020\000\000\000À\213«\a/\001Ì­\000\000\000\000ø\033\002\000X\024f¾ñ\bT\b| ÐÄ\b\024ÒÄ\b¸\004f¾|âÀ­\000\000\000\000\001\000\000\000"...
        __orig_bailout = 0xbe6615f8
        __bailout = {{__jmpbuf = {-1379008524, 0, -1100606276, -1100606184, -1966102021, -405377897}, __mask_was_saved = 0, __saved_mask = {__val = {
                184, 0, 1302178070, 0, 1298211931, 0, 1302178636, 0, 6916987, 0, 146923508, 0, 0, 3194360904, 141417788, 3, 4, 3194360996, 137660206,
                3194361112, 139709081, 4, 3194360996, 1, 1, 0, 0, 3194361112, 140936771, 0, 2915958772, 0}}}}
        prepend_file_p = 0x0
        append_file_p = 0x0
        prepend_file = {type = ZEND_HANDLE_FILENAME, filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, isatty = 0,
              mmap = {len = 0, pos = 0, map = 0x0, buf = 0x0, old_handle = 0x0, old_closer = 0}, reader = 0, fsizer = 0, closer = 0}},
          free_filename = 0 '\000'}
        append_file = {type = ZEND_HANDLE_FILENAME, filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, isatty = 0,
              mmap = {len = 0, pos = 0, map = 0x0, buf = 0x0, old_handle = 0x0, old_closer = 0}, reader = 0, fsizer = 0, closer = 0}},
          free_filename = 0 '\000'}
        old_cwd = 0xbe65f3b0 "/"
        use_heap = 0 '\000'
        retval = 0
#5  0x08671d6c in main (argc=3, argv=0xbe663844) at /usr/src/php-5.3.6/sapi/fpm/fpm/fpm_main.c:1917
        status_buffer = 0x0
        status_content_type = 0x0
        __orig_bailout = 0x0
        __bailout = {{__jmpbuf = {-1379008524, 0, 0, -1100597368, -1929188869, -1894015849}, __mask_was_saved = 0, __saved_mask = {__val = {
                0 <repeats 32 times>}}}}
        free_query_string = 0
        exit_status = 0
        cgi = 0
        c = -1
        file_handle = {type = ZEND_HANDLE_MAPPED, filename = 0x8db4700 "/var/www/testforen/domaingo/showthread.php", opened_path = 0x0,
          handle = {fd = 148727672, fp = 0x8dd6778, stream = {handle = 0x8dd6778, isatty = 0, mmap = {len = 83287, pos = 0, map = 0xadb82000,
---Type <return> to continue, or q <return> to quit---
                buf = 0xadb82000 <Address 0xadb82000 out of bounds>, old_handle = 0x8df61d8, old_closer = 0x85baa1d <zend_stream_stdio_closer>},
              reader = 0x85ba9f4 <zend_stream_stdio_reader>, fsizer = 0x85baa42 <zend_stream_stdio_fsizer>,
              closer = 0x85bab31 <zend_stream_mmap_closer>}}, free_filename = 0 '\000'}
        orig_optind = 1
        orig_optarg = 0x0
        ini_entries_len = 0
        max_requests = 1000
        requests = 21
        fcgi_fd = 0
        request = {listen_socket = 0, fd = 3, id = 1, keep = 0, closed = 0, in_len = 0, in_pad = 0, out_hdr = 0x0, out_pos = 0xbe6616cc "\001\006",
          out_buf = "\001\006\000\001\000·\001\000Status: 302 Moved Temporarily\r\nX-Powered-By: PHP/5.3.6\r\nLocation: https://forum.domain.com/threads/10432-fsadfsdaf?p=57751#post57751\r\nContent-type: text/html\r\n\r\n\000\001\003\000\001\000\b\000\000\000\000\000\000\000"...,
          reserved = '\000' <repeats 15 times>, env = 0x8dadc84}
        fpm_config = 0xbe6639dd "infactory-kunde.de"
        fpm_prefix = 0x0
        test_conf = 0
(gdb)


Test script:
---------------
Sorry, can reproduce only in vbulletin board.

Expected result:
----------------
The redirection to the thread works

Actual result:
--------------
An SIGSEGV


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2011-04-07 16:26 UTC] dbetz at df dot eu
Configure Command =>  './configure'  '--with-mysql=/usr/local/mysql' '--enable-debug' '--with-mysqli' '--with-config-file-path=/usr/local/php53-fpm' '--with-openssl' '--with-gd' '--with-t1lib' '--enable-ftp' '--enable-calendar' '--with-libxml-dir' '--with-jpeg-dir=../jpeg-6b/' '--with-freetype-dir=/usr/lib' '--with-gettext' '--with-zlib-dir=../zlib-1.1.3/' '--with-png-dir=../libpng-1.0.6/' '--with-gdbm' '--with-ndbm' '--enable-dba' '--with-imap=/usr/local/imap-2007e' '--with-imap-ssl=/usr/local/imap-2007e' '--enable-wddx' '--enable-bcmath' '--enable-exif' '--with-curl' '--enable-inline-optimization' '--with-gnu-ld' '--with-zlib' '--with-mcrypt' '--enable-wddx' '--with-mhash' '--with-pgsql' '--enable-sockets' '--with-tidy' '--with-xmlrpc' '--enable-zip' '--with-bz2' '--with-pdo-mysql=/usr' '--with-iconv' '--enable-soap' '--with-ldap' '--with-xsl' '--with-t1lib' '--enable-fpm' '--enable-mbstring'
 [2011-04-07 16:30 UTC] dbetz at df dot eu
here the php-fpm.conf:

[global]

pid = /var/run/php5-53LATEST.pid
error_log = /var/log/php-fpm.log
log_level = debug
emergency_restart_threshold = 10

[default]

listen = localhost:9000
user = nobody
group = apache

pm = dynamic
pm.max_children = 1000
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 1
pm.max_requests = 1000
pm.status_path = /status


[domain.com]

listen = /etc/httpd/fastcgi/domain.com
user = u222227
group = nobody

pm = dynamic
pm.max_children = 1000
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 1
pm.max_requests = 1000
 [2011-04-15 10:36 UTC] dbetz at df dot eu
Hello,

here are some more infos

it seems **variable_ptr_ptr is empty

(gdb) print variable_ptr_ptr
$6 = (zval **) 0x9289bb4
(gdb) print *variable_ptr_ptr
$7 = (zval *) 0x5a5a5a5a
(gdb) print **variable_ptr_ptr
Cannot access memory at address 0x5a5a5a5a


(gdb) print opline
$1 = (zend_op *) 0x926d958
(gdb) print *opline
$2 = {handler = 0x865abb8 <ZEND_ASSIGN_SPEC_CV_VAR_HANDLER>, result = {op_type = 4, u = {constant = {value = {lval = 660,
          dval = 3.2608332625522272e-321, str = {val = 0x294 <Address 0x294 out of bounds>, len = 0}, ht = 0x294, obj = {handle = 660, handlers = 0x0}},
        refcount__gc = 0, type = 0 '\000', is_ref__gc = 0 '\000'}, var = 660, opline_num = 660, op_array = 0x294, jmp_addr = 0x294, EA = {var = 660,
        type = 0}}}, op1 = {op_type = 16, u = {constant = {value = {lval = 0, dval = 3.3951932655444357e-313, str = {val = 0x0, len = 16}, ht = 0x0,
          obj = {handle = 0, handlers = 0x10}}, refcount__gc = 1, type = 6 '\006', is_ref__gc = 0 '\000'}, var = 0, opline_num = 0, op_array = 0x0,
      jmp_addr = 0x0, EA = {var = 0, type = 16}}}, op2 = {op_type = 4, u = {constant = {value = {lval = 640, dval = 1.6975966643924192e-313, str = {
            val = 0x280 <Address 0x280 out of bounds>, len = 8}, ht = 0x280, obj = {handle = 640, handlers = 0x8}}, refcount__gc = 0, type = 0 '\000',
        is_ref__gc = 0 '\000'}, var = 640, opline_num = 640, op_array = 0x280, jmp_addr = 0x280, EA = {var = 640, type = 8}}}, extended_value = 0,
  lineno = 403, opcode = 38 '&'}
(gdb) print opline->op2
$3 = {op_type = 4, u = {constant = {value = {lval = 640, dval = 1.6975966643924192e-313, str = {val = 0x280 <Address 0x280 out of bounds>, len = 8},
        ht = 0x280, obj = {handle = 640, handlers = 0x8}}, refcount__gc = 0, type = 0 '\000', is_ref__gc = 0 '\000'}, var = 640, opline_num = 640,
    op_array = 0x280, jmp_addr = 0x280, EA = {var = 640, type = 8}}}
(gdb) print &opline->op1
$8 = (struct _znode *) 0x926d970
(gdb) print opline->op1
$9 = {op_type = 16, u = {constant = {value = {lval = 0, dval = 3.3951932655444357e-313, str = {val = 0x0, len = 16}, ht = 0x0, obj = {handle = 0,
          handlers = 0x10}}, refcount__gc = 1, type = 6 '\006', is_ref__gc = 0 '\000'}, var = 0, opline_num = 0, op_array = 0x0, jmp_addr = 0x0, EA = {
      var = 0, type = 16}}}
(gdb) print (&opline->op1)->u.var
$13 = 0
(gdb) print (&opline->op1)->u
$14 = {constant = {value = {lval = 0, dval = 3.3951932655444357e-313, str = {val = 0x0, len = 16}, ht = 0x0, obj = {handle = 0, handlers = 0x10}},
    refcount__gc = 1, type = 6 '\006', is_ref__gc = 0 '\000'}, var = 0, opline_num = 0, op_array = 0x0, jmp_addr = 0x0, EA = {var = 0, type = 16}}
 [2011-07-02 12:47 UTC] fat@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: fat
 [2011-07-02 12:49 UTC] fat@php.net
-Status: Assigned +Status: Feedback
 [2011-07-02 12:49 UTC] fat@php.net
Not enough information was provided for us to be able
to handle this bug. Please re-read the instructions at
http://bugs.php.net/how-to-report.php

If you can provide more information, feel free to add it
to this bug and change the status back to "Open".

Thank you for your interest in PHP.


Is it possible for you to test without FPM (with php-cgi or mod_php for apache) 
please ?

I'd like to first ensure the bug is exclusively related to FPM.

thx
 [2011-07-04 02:20 UTC] dbetz at df dot eu
-Status: Feedback +Status: Assigned
 [2011-07-04 02:20 UTC] dbetz at df dot eu
Hello,

the problem ist only in FPM. Running php-cgi works for me.

Thx and greetings
 [2011-07-05 17:24 UTC] fat@php.net
-Status: Assigned +Status: Feedback
 [2011-07-05 17:24 UTC] fat@php.net
Not enough information was provided for us to be able
to handle this bug. Please re-read the instructions at
http://bugs.php.net/how-to-report.php

If you can provide more information, feel free to add it
to this bug and change the status back to "Open".

Thank you for your interest in PHP.


can you please provide the configure options you used to compile PHP please ?

thx
++ jerome
 [2011-07-06 01:58 UTC] dbetz at df dot eu
-Status: Feedback +Status: Assigned
 [2011-07-06 01:58 UTC] dbetz at df dot eu
Oh sorry,

here the configure options:

./configure --with-mysql=/usr/local/mysql \
--enable-debug \
--with-mysqli \
--with-config-file-path=/usr/local/php53-fpm \
--with-openssl \
--with-gd \
--with-t1lib \
--enable-ftp \
--enable-calendar \
--with-libxml-dir \
--with-jpeg-dir=../jpeg-6b/ \
--with-freetype-dir=/usr/lib \
--with-gettext \
--with-zlib-dir=../zlib-1.1.3/ \
--with-png-dir=../libpng-1.0.6/ \
--with-gdbm \
--with-ndbm \
--enable-dba \
--with-imap=/usr/local/imap-2007e \
--with-imap-ssl=/usr/local/imap-2007e \
--enable-wddx \
--enable-bcmath \
--enable-exif \
--with-curl \
--enable-inline-optimization \
--with-gnu-ld \
--with-zlib \
--with-mcrypt \
--enable-wddx \
--with-mhash \
--with-pgsql \
--enable-sockets \
--with-tidy \
--with-xmlrpc \
--enable-zip \
--with-bz2 \
--with-pdo-mysql=/usr \
--with-iconv \
--enable-soap \
--with-ldap \
--with-xsl \
--with-t1lib \
--enable-fpm \
--enable-mbstring
 [2011-07-06 06:18 UTC] fat@php.net
-Status: Assigned +Status: Feedback
 [2011-07-06 06:18 UTC] fat@php.net
Not enough information was provided for us to be able
to handle this bug. Please re-read the instructions at
http://bugs.php.net/how-to-report.php

If you can provide more information, feel free to add it
to this bug and change the status back to "Open".

Thank you for your interest in PHP.


I'm sorry to bother you again. Can you please give us the apache configuration and 
a phpinfo() output ?

thx
 [2011-07-06 07:29 UTC] dbetz at df dot eu
-Status: Feedback +Status: Assigned
 [2011-07-06 07:29 UTC] dbetz at df dot eu
Hello,

no problem. :-)

The apache config is a little bit difficult, so i only paste the relevant things:

  LoadModule fastcgi_module     mod_fastcgi.so
  LoadModule ldap_module        mod_ldap.so
  LoadModule vhost_ldap_module  mod_vhost_ldap.so

  LDAPSharedCacheSize 2000000
  LDAPCacheEntries 4096
  LDAPCacheTTL 5
  LDAPOpCacheEntries 4096
  LDAPOpCacheTTL 5

  FastCgiExternalServer /etc/httpd/fastcgi/php-fcgi-starter -socket /etc/httpd/fastcgi/php5-53LATEST
  Action php-fastcgi /php/php-fcgi-starter

<VirtualHost _default_:80>
  ServerName domainname.de
  SuexecUserGroup apache nobody
  DocumentRoot /kunden/shadow/htdocs/

  ScriptAlias /php/ /etc/httpd/fastcgi/

  VhostLDAPEnabled on
  VhostLDAPUrl "ldap://localhost/cn=bla,sec=hosting,o=domain,c=de"
  VhostLdapBindDN "cn=username,cn=bla,sec=hosting,o=domain,c=de"
  VhostLDAPBindPassword "noone"
</Virtualhost>

FPM Config:

;;;;;;;;;;;;;;;;;;;;;
; FPM Configuration ;
;;;;;;;;;;;;;;;;;;;;;

; All relative paths in this configuration file are relative to PHP's install
; prefix.

; Include one or more files. If glob(3) exists, it is used to include a bunch of
; files from a glob(3) pattern. This directive can be used everywhere in the
; file.
include=/usr/local/etc/fpm.d/5-53LATEST-*.conf

;;;;;;;;;;;;;;;;;;
; Global Options ;
;;;;;;;;;;;;;;;;;;

[global]

pid = /var/run/php5-53LATEST.pid

; Error log file
; Note: the default prefix is /usr/local/var
; Default Value: log/php-fpm.log
error_log = /var/log/php-fpm.log

; Log level
; Possible Values: alert, error, warning, notice, debug
; Default Value: notice
log_level = warning

; If this number of child processes exit with SIGSEGV or SIGBUS within the time
; interval set by emergency_restart_interval then FPM will restart. A value
; of '0' means 'Off'.
; Default Value: 0
emergency_restart_threshold = 10

[default]

listen = /etc/httpd/fastcgi/5-53LATEST
user = root
group = nobody

pm = dynamic
pm.max_children = 1000
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 1
pm.max_requests = 1000

; PHP.ini Settings:

php_flag[track_errors] = Off
php_flag[allow_url_fopen] = On
php_flag[sql.safe_mode] = Off
..
tons of php_(admin)_flags



phpinfo() can be found at http://imageupgrade2.domainfactory-kunde.de/info.php

Thanks for your help
 [2011-07-06 08:32 UTC] fat@php.net
-Status: Assigned +Status: Feedback
 [2011-07-06 08:32 UTC] fat@php.net
Not enough information was provided for us to be able
to handle this bug. Please re-read the instructions at
http://bugs.php.net/how-to-report.php

If you can provide more information, feel free to add it
to this bug and change the status back to "Open".

Thank you for your interest in PHP.


you are reporting using 5.3.6 but on the phpinfo() page you provide us it's 5.3.5.

Is it possible for you to test using the last snapshot of 5.3 please ?

thx
++ jerome
 [2011-07-06 08:41 UTC] dbetz at df dot eu
-Status: Feedback +Status: Assigned
 [2011-07-06 08:41 UTC] dbetz at df dot eu
Oh sorry, my failure.

Now its 5.3.6 and the problem still exists with that version.

Greetings,
Daniel
 [2011-07-06 08:56 UTC] dbetz at df dot eu
Ah, what i have forgotten:
With debug flags in the php-fpm binary the segfaults seems not to occur so often.
I try now the latest snapshot to see if the problem is there too.
 [2011-07-07 02:38 UTC] dbetz at df dot eu
Hello,

with 5.3.7RC3-dev i cant hit the bug anymore ( i think )
I will keep on testing.

Thx,
Daniel
 [2011-07-12 19:08 UTC] fat@php.net
I've asked for help on internals: http://news.php.net/php.internals/53922

see where it goes
 [2011-07-13 04:33 UTC] tony2001@php.net
Valgrind log would be quite helpful: https://bugs.php.net/bugs-getting-valgrind-log.php
 [2011-07-13 05:41 UTC] dbetz at df dot eu
Thanks for all your help.

The segfault isnt reproducable now.
Maybe the last vBulletin Board update changes some thing in the Object handling or maybe i have updated some librarys.
I have tested with PHP-FPM 5.3.6 and the latest Snapshot.

So i think you can close this bugreport.

Greets,
Daniel
 [2011-07-13 05:59 UTC] fat@php.net
-Status: Assigned +Status: Bogus
 [2011-07-13 05:59 UTC] fat@php.net
OK, closed now. You can still reopen it if it happens again
 [2011-07-22 05:20 UTC] dbetz at df dot eu
Hello,

after some time without problems now i get many segfaults:

Program received signal SIGSEGV, Segmentation fault.
_zend_mm_alloc_int (heap=0x8a65570, size=52) at /root/compile/php-5.3-fpm/snaps/php5.3-201107150430/Zend/zend_alloc.c:1835
1835    /root/compile/php-5.3-fpm/snaps/php5.3-201107150430/Zend/zend_alloc.c: No such file or directory.
        in /root/compile/php-5.3-fpm/snaps/php5.3-201107150430/Zend/zend_alloc.c
(gdb) bt full
#0  _zend_mm_alloc_int (heap=0x8a65570, size=52) at /root/compile/php-5.3-fpm/snaps/php5.3-201107150430/Zend/zend_alloc.c:1835
        bitmap = <value optimized out>
        best_fit = <value optimized out>
        true_size = 60
        block_size = <value optimized out>
        remaining_size = <value optimized out>
        segment_size = <value optimized out>
        segment = <value optimized out>
        keep_rest = <value optimized out>
#1  0x08450e8c in _zend_hash_quick_add_or_update (ht=0x94a6144, arKey=0x94a2ecc "plaintext_parser", nKeyLength=17, h=3773187690, pData=0x94a2eb8,
    nDataSize=4, pDest=0xb4dfd1f8, flag=1) at /root/compile/php-5.3-fpm/snaps/php5.3-201107150430/Zend/zend_hash.c:315
        p = 0x0
#2  0x08451386 in zend_hash_copy (target=0x94a6144, source=0x92a7994, pCopyConstructor=0x8443f90 <zval_add_ref>, tmp=0xb4dfd238, size=4)
    at /root/compile/php-5.3-fpm/snaps/php5.3-201107150430/Zend/zend_hash.c:787
        p = 0x94a2eac
        new_entry = 0x94a2e08
#3  0x0844407f in _zval_copy_ctor_func (zvalue=0x935eb10) at /root/compile/php-5.3-fpm/snaps/php5.3-201107150430/Zend/zend_variables.c:134
        tmp = 0x5b
        original_ht = 0x92a7994
#4  0x0844487d in _zval_copy_ctor (type=8, format=0x89b9f2c "Use of undefined constant %s - assumed '%s'")
    at /root/compile/php-5.3-fpm/snaps/php5.3-201107150430/Zend/zend_variables.h:45
No locals.
#5  zend_error (type=8, format=0x89b9f2c "Use of undefined constant %s - assumed '%s'")
    at /root/compile/php-5.3-fpm/snaps/php5.3-201107150430/Zend/zend.c:1078
        retval = <value optimized out>
        z_error_type = 0x93ccd28
        z_error_message = 0x94a49d8
        z_error_filename = 0x935cd3c
        z_error_lineno = 0x935cd88
        z_context = 0x935eb10
        error_filename = 0x949feec "/kunden/145279_85737/liveforen/domaingo/includes/functions_newpost.php(668) : eval()'d code"
        error_lineno = 43
        orig_user_error_handler = <value optimized out>
        in_compilation = <value optimized out>
        saved_class_entry = <value optimized out>
#6  0x0846a0d6 in ZEND_FETCH_CONSTANT_SPEC_UNUSED_CONST_HANDLER (execute_data=0x8bca78c)
    at /root/compile/php-5.3-fpm/snaps/php5.3-201107150430/Zend/zend_vm_execute.h:17844
        actual = 0x94a5574 "postid"
        opline = 0x94a825c
#7  0x0846eaee in execute (op_array=0x8e24980) at /root/compile/php-5.3-fpm/snaps/php5.3-201107150430/Zend/zend_vm_execute.h:107
        ret = <value optimized out>
        execute_data = 0x8bca78c
        nested = 1 '\001'
        original_in_execution = 0 '\000'
#8  0x084443e6 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /root/compile/php-5.3-fpm/snaps/php5.3-201107150430/Zend/zend.c:1195
        i = 1
        file_handle = 0xb4e01790
        orig_op_array = 0x0
        orig_retval_ptr_ptr = 0x0
#9  0x083f2bd6 in php_execute_script (primary_file=0xb4e01790) at /root/compile/php-5.3-fpm/snaps/php5.3-201107150430/main/main.c:2284
        realfile = "èãß´C\021M\b\000\060X¢ÿÿÿÿ\000\000\000\000#\217B\bô\020+\tÀ\\Ú£ÀÏ*\tlõß´å\235X\001\065~\r\000\030äß´©RL\b\003\000\000\000\bäß´\b\000\000\000\000\000\000\000pU¦\bn|A£\001\005\000\001\000\000\000\000\001\000\000\000lõß´¸.\027\t\220\002\000\000pU¦\b¸.\027\tHäß´#\217B\b\210ÓN£\002\000\000\000\001\000\000\000däß´\001ôß´\000\000\000\000¸ÓN£»Ô?\bl/\027\t\020\000\000\000\002\000\000\000/ÁL£\200ÓN£È\032\002\000¸ÓN£ô¿N£\200ÓN£Ð\000+\t\230äß´|¢A£"..---Type <return> to continue, or q <return> to quit---
.
        __orig_bailout = 0xb4e01640
        __bailout = {{__jmpbuf = {-1260382320, 153810792, -1260391280, -1260391208, 2072411008, -1166720775}, __mask_was_saved = 0, __saved_mask = {
              __val = {0, 41205, 0, 4096, 96, 0, 1308693440, 0, 1307472900, 0, 1308693441, 0, 852891, 0, 153900944, 148950944, 153813200, 3034576088,
                138386641, 3, 4, 3034575952, 1, 153812952, 3034584640, 3034575976, 153813428, 153810792, 149062664, 3034576088, 2076760960, 2305}}}}
        prepend_file_p = 0x0
        append_file_p = <value optimized out>
        prepend_file = {type = ZEND_HANDLE_FILENAME, filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, isatty = 0,
              mmap = {len = 0, pos = 0, map = 0x0, buf = 0x0, old_handle = 0x0, old_closer = 0}, reader = 0, fsizer = 0, closer = 0}},
          free_filename = 0 '\000'}
        append_file = {type = ZEND_HANDLE_FILENAME, filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, isatty = 0,
              mmap = {len = 0, pos = 0, map = 0x0, buf = 0x0, old_handle = 0x0, old_closer = 0}, reader = 0, fsizer = 0, closer = 0}},
          free_filename = 0 '\000'}
        retval = 0
#10 0x084ce08c in main (argc=3, argv=Cannot access memory at address 0x23
) at /root/compile/php-5.3-fpm/snaps/php5.3-201107150430/sapi/fpm/fpm/fpm_main.c:1900
        __bailout = {{__jmpbuf = {0, -1260381964, 0, -1260382152, 2076793728, 1570506489}, __mask_was_saved = 0, __saved_mask = {__val = {2738603973,
                2749034436, 70078602, 2741702958, 2741557004, 2749023548, 3034584724, 2745840432, 13, 2741565964, 2741510004, 1480958541, 3034584860,
                32, 2744109768, 0, 0, 1, 560, 2738520464, 2744109768, 2741702958, 2741609996, 2741565964, 1, 2749034436, 3034584992, 2744110208,
                3034584952, 2748954464, 3034584936, 2741565964}}}}
        exit_status = 0
        c = <value optimized out>
        file_handle = {type = ZEND_HANDLE_MAPPED, filename = 0x92b00d0 "/www/145279_85737/liveforen/domaingo/newreply.php", opened_path = 0x0, handle = {
            fd = 153901444, fp = 0x92c5984, stream = {handle = 0x92c5984, isatty = 0, mmap = {len = 41205, pos = 0, map = 0xa30e0000,
                buf = 0xa30e0000 <Address 0xa30e0000 out of bounds>, old_handle = 0x8e0cfa0, old_closer = 0x8458cb0 <zend_stream_stdio_closer>},
              reader = 0x8459290 <zend_stream_stdio_reader>, fsizer = 0x84591c0 <zend_stream_stdio_fsizer>,
              closer = 0x8459210 <zend_stream_mmap_closer>}}, free_filename = 0 '\000'}
        orig_optind = 1
        orig_optarg = 0x0
        ini_entries_len = <value optimized out>
        max_requests = 1000
        requests = 3
        fcgi_fd = <value optimized out>
        request = {listen_socket = 0, fd = 3, id = 1, keep = 0, closed = 0, in_len = 0, in_pad = 0, out_hdr = 0x0, out_pos = 0xb4dff590 "\001\003",
          out_buf = "\001\003\000\001\000\b\000\000\000\000\000\000\000B\020=q~cC^¥R>hñ°!¿uÑ»\020\220ØQåàW·qÎüG·lÙ.&+ª:£q\a\207cÎ\t>ö\237ã|wë\233½ü\220gÈ8\b\bhg¾Àa\217߯óÄ\026¬²£\021\216«¹ûÃ5¥N\220\bz\032\027ß\024)JÖðÿ\203Y\227î¹\216Ö¯¬\017¹7<}\të\205§¬^],Îx\220ÿsÐ\210ô\006®Ú,KÔ\215\200i\207$lÏqcâ÷\204\217:\222Í\027Ûm\237\033ëzúæúí¥²¥\224­÷\207\226\217.N¢É×Hi­«|¿åfÒõ2éÈ"..., reserved = '\000' <repeats 15 times>, env = 0x92acf98}
        fpm_config = 0xb4e01a8c ""
        fpm_prefix = 0x0
        fpm_pid = 0x0
        test_conf = 0

valgrind didnt work correct. it shows me always an "out of memory" error, but there is enough memory free ...
 [2011-10-31 13:02 UTC] pajoye@php.net
@dbetz at df dot eu

Please provide a way to reproduce this problem (aka not randomly). That means to 
debug a little bit to see what happens in your app while it crashes. using 
vBulletin as a base to fix such crashes is not an option for us.

Thanks for your understanding,
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Dec 27 01:01:28 2024 UTC