Bug #60156 Segmentation fault at _zend_mm_alloc_int
Submitted: 2011-10-28 06:43 UTC Modified: 2012-05-22 15:53 UTC
From: dbetz at df dot eu Assigned: fat (profile)
Status: Not a bug Package: FPM related
PHP Version: 5.3.8 OS: Gentoo
Private report: No CVE-ID: None
 [2011-10-28 06:43 UTC] dbetz at df dot eu
Description:
------------
Hello,

When posting in a vBulletin board, PHP-FPM receives a segfault.


Program received signal SIGSEGV, Segmentation fault.
_zend_mm_alloc_int (heap=0x8a3aa30, size=52) at /root/compile/php-5.3/latest/php-5.3.8/Zend/zend_alloc.c:1835
1835    /root/compile/php-5.3/latest/php-5.3.8/Zend/zend_alloc.c: No such file or directory.
        in /root/compile/php-5.3/latest/php-5.3.8/Zend/zend_alloc.c
(gdb) bt full
#0  _zend_mm_alloc_int (heap=0x8a3aa30, size=52) at /root/compile/php-5.3/latest/php-5.3.8/Zend/zend_alloc.c:1835
        bitmap = <value optimized out>
        best_fit = <value optimized out>
        true_size = 60
        block_size = <value optimized out>
        remaining_size = <value optimized out>
        segment_size = <value optimized out>
        segment = <value optimized out>
        keep_rest = <value optimized out>
#1  0x0842ea0c in _zend_hash_quick_add_or_update (ht=0x90dc2f0, arKey=0x90d8b78 "plaintext_parser", nKeyLength=17, h=3773187690, pData=0x90d8b64,
    nDataSize=4, pDest=0xba7522a8, flag=1) at /root/compile/php-5.3/latest/php-5.3.8/Zend/zend_hash.c:315
        p = 0x0
#2  0x0842ef06 in zend_hash_copy (target=0x90dc2f0, source=0x8e88318, pCopyConstructor=0x84216f0 <zval_add_ref>, tmp=0xba7522e8, size=4)
    at /root/compile/php-5.3/latest/php-5.3.8/Zend/zend_hash.c:788
        p = 0x90d8b58
        new_entry = 0x90d8a40
#3  0x084217df in _zval_copy_ctor_func (zvalue=0x9003c60) at /root/compile/php-5.3/latest/php-5.3.8/Zend/zend_variables.c:134
        tmp = 0x5b
        original_ht = 0x8e88318
#4  0x084226a0 in _zval_copy_ctor (type=8, format=0x898f84c "Use of undefined constant %s - assumed '%s'")
    at /root/compile/php-5.3/latest/php-5.3.8/Zend/zend_variables.h:45
No locals.
#5  zend_error (type=8, format=0x898f84c "Use of undefined constant %s - assumed '%s'") at /root/compile/php-5.3/latest/php-5.3.8/Zend/zend.c:1103
        retval = <value optimized out>
        z_error_type = 0x90054d4
        z_error_message = 0x90da358
        z_error_filename = 0x90082a0
        z_error_lineno = 0x90082f4
        z_context = 0x9003c60
        error_filename = 0x90d5b34 "/home/user/testforen/domaingo/includes/functions_newpost.php(668) : eval()'d code"
        error_lineno = 43
        orig_user_error_handler = <value optimized out>
        in_compilation = <value optimized out>
        saved_class_entry = <value optimized out>
#6  0x08448926 in ZEND_FETCH_CONSTANT_SPEC_UNUSED_CONST_HANDLER (execute_data=0x8b92abc)
    at /root/compile/php-5.3/latest/php-5.3.8/Zend/zend_vm_execute.h:17844
        actual = 0x90dafe4 "postid"
        opline = 0x90de7e0
#7  0x0844d33e in execute (op_array=0x8e90548) at /root/compile/php-5.3/latest/php-5.3.8/Zend/zend_vm_execute.h:107
        ret = <value optimized out>
        execute_data = 0x8b92abc
        nested = 1 '\001'
        original_in_execution = 0 '\000'
#8  0x08421b46 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /root/compile/php-5.3/latest/php-5.3.8/Zend/zend.c:1236
        i = 1
        file_handle = 0xba7568a0
        orig_op_array = 0x0
        orig_retval_ptr_ptr = 0x0
#9  0x083cf596 in php_execute_script (primary_file=0xba7568a0) at /root/compile/php-5.3/latest/php-5.3.8/main/main.c:2284
        realfile = "ø4uºóûJ\b\000À½©ÿÿÿÿ\000\000\000\000sd@\b@è¼\b\020@¿©8´¼\b|FuºO±Ù\001ù\213\t\000(5uº\t;J\b\003\000\000\000\030\065uº\b\000\000\000\000\000\000\000 \203=©ôo=©Nß.©\000\000\000\000\001\000\000\000|Fuº¤ö¼\bô\206\000\000\060ª£\b¤ö¼\bX5uº\002\000\000\000 \000\000\000\002\000\000\000\001\000\000\000P\204=©\025A;©\000\000\000\000Ø\203=©ä?;©ïB;©\020\000\000\000\000\000\000\000\a\000\000\000 \203=©\000\000\002\000Ð\203=©ôo=© \203=©ôðä\b¨5uº,\005/©"...
        __orig_bailout = 0xba756750
        __bailout = {{__jmpbuf = {-1166710624, 149219088, -1166719584, -1166719512, 2100435798, -292405198}, __mask_was_saved = 0, __saved_mask = {
              __val = {0, 41205, 0, 4096, 96, 0, 1307476459, 0, 1307472900, 0, 1307476461, 0, 851998, 0, 149313384, 148992216, 149221620, 3128247784,
                138241681, 3, 4, 3128247648, 1, 149221372, 3128256336, 3128247672, 149215192, 149219088, 147225912, 3128247784, 2112977750, 2305}}}}
        prepend_file_p = 0x0
        append_file_p = <value optimized out>
        prepend_file = {type = ZEND_HANDLE_FILENAME, filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, isatty = 0,
              mmap = {len = 0, pos = 0, map = 0x0, buf = 0x0, old_handle = 0x0, old_closer = 0}, reader = 0, fsizer = 0, closer = 0}},
          free_filename = 0 '\000'}
        append_file = {type = ZEND_HANDLE_FILENAME, filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, isatty = 0,
              mmap = {len = 0, pos = 0, map = 0x0, buf = 0x0, old_handle = 0x0, old_closer = 0}, reader = 0, fsizer = 0, closer = 0}},
          free_filename = 0 '\000'}
        retval = 0
#10 0x084acb2c in main (argc=3, argv=Cannot access memory at address 0x23
) at /root/compile/php-5.3/latest/php-5.3.8/sapi/fpm/fpm/fpm_main.c:1902
        __bailout = {{__jmpbuf = {0, -1166710268, 0, -1166710456, 2112944982, 48940594}, __mask_was_saved = 0, __saved_mask = {__val = {2841137454,
                2840991500, 2847910100, 3128256408, 2843228222, 13, 2841000460, 2837881952, 1480958541, 3128256544, 29, 2843041792, 0, 0, 1, 560,
                2837877936, 2843041792, 2841137454, 2841044492, 2841000460, 1, 2847924164, 3128256688, 2843042232, 3128256648, 2847840384, 3128256632,
                2841000460, 3128256620, 2847926868, 0}}}}
        exit_status = 0
        c = <value optimized out>
        file_handle = {type = ZEND_HANDLE_MAPPED, filename = 0x8e4f0f4 "/home/user/testforen/domaingo/newreply.php", opened_path = 0x0, handle = {
            fd = 149313884, fp = 0x8e6595c, stream = {handle = 0x8e6595c, isatty = 0, mmap = {len = 41205, pos = 0, map = 0xa0dda000,
                buf = 0xa0dda000 <Address 0xa0dda000 out of bounds>, old_handle = 0x8e170d8, old_closer = 0x8437520 <zend_stream_stdio_closer>},
              reader = 0x8437b00 <zend_stream_stdio_reader>, fsizer = 0x8437a30 <zend_stream_stdio_fsizer>,
              closer = 0x8437a80 <zend_stream_mmap_closer>}}, free_filename = 0 '\000'}
        orig_optind = 1
        orig_optarg = 0x0
        ini_entries_len = <value optimized out>
        max_requests = 1000
        requests = 6
        fcgi_fd = <value optimized out>
        request = {listen_socket = 0, fd = 3, id = 1, keep = 0, closed = 0, in_len = 0, in_pad = 0, out_hdr = 0x0, out_pos = 0xba7546a0 "\001\006",
          out_buf = "\001\006\000\001\001'\001\000X-Powered-By: PHP/5.3.8\r\nExpires: 0\r\nCache-Control: private, post-check=0, pre-check=0, max-age=0\r\nPragma: no-cache\r\nContent-Type: text/xml; charset=windows-1252\r\n\r\n<?xml version=\"1.0\" encodin"..., reserved = '\000' <repeats 15 times>,
          env = 0x8e4bcf8}
        fpm_config = 0xba756b91 "factory-kunde.de"
        fpm_prefix = 0x0
        fpm_pid = 0x0
        test_conf = 0
(gdb) fram 0
#0  _zend_mm_alloc_int (heap=0x8a3aa30, size=52) at /root/compile/php-5.3/latest/php-5.3.8/Zend/zend_alloc.c:1835
1835    in /root/compile/php-5.3/latest/php-5.3.8/Zend/zend_alloc.c
(gdb) print heap
$1 = (zend_mm_heap *) 0x8a3aa30
(gdb) print *heap
$2 = {use_zend_alloc = 1, _malloc = 0, _free = 0, _realloc = 0, free_bitmap = 67584, large_free_bitmap = 131072, block_size = 262144,
  compact_size = 2097152, segments_list = 0x90c6cc8, storage = 0x8a3aa20, real_size = 4718592, real_peak = 4718592, limit = 104857600, size = 4555868,
  peak = 4565368, reserve_size = 8192, reserve = 0x8e49cf0, overflow = 0, internal = 0, cached = 23360, cache = {0x90db358, 0x90d974c, 0x90d9904,
    0x9008260, 0x90ded84, 0x90cf010, 0x90dc840, 0x90db2e4, 0x90dc9d0, 0x90d5978, 0x90d8978, 0x59244e84, 0x90d8404, 0x90d837c, 0x90d67dc, 0x8e9ae3c,
    0x90da5d0, 0x8ee6e20, 0x0, 0x90108f4, 0x90cd84c, 0x90dee90, 0x90d5c50, 0x90cd940, 0x8d81024, 0x9070550, 0x90d5890, 0x8e83f1c, 0x90d5728, 0x8ee6ed0,
    0x0, 0x9006230}, free_buckets = {0x8a3aaf8, 0x8a3aaf8, 0x8a3ab00, 0x8a3ab00, 0x8a3ab08, 0x8a3ab08, 0x8a3ab10, 0x8a3ab10, 0x8a3ab18, 0x8a3ab18,
    0x8a3ab20, 0x8a3ab20, 0x8a3ab28, 0x8a3ab28, 0x8a3ab30, 0x8a3ab30, 0x8a3ab38, 0x8a3ab38, 0x8a3ab40, 0x8a3ab40, 0x8a3ab48, 0x8a3ab48, 0x90dc7dc,
    0x90dc7dc, 0x8a3ab58, 0x8a3ab58, 0x8a3ab60, 0x8a3ab60, 0x8a3ab68, 0x8a3ab68, 0x8a3ab70, 0x8a3ab70, 0x90dee08, 0x90dee08, 0x8a3ab80, 0x8a3ab80,
    0x8a3ab88, 0x8a3ab88, 0x8a3ab90, 0x8a3ab90, 0x8a3ab98, 0x8a3ab98, 0x8a3aba0, 0x8a3aba0, 0x8a3aba8, 0x8a3aba8, 0x8a3abb0, 0x8a3abb0, 0x8a3abb8,
    0x8a3abb8, 0x8a3abc0, 0x8a3abc0, 0x8a3abc8, 0x8a3abc8, 0x8a3abd0, 0x8a3abd0, 0x8a3abd8, 0x8a3abd8, 0x8a3abe0, 0x8a3abe0, 0x8a3abe8, 0x8a3abe8,
    0x8a3abf0, 0x8a3abf0}, large_free_buckets = {0x0 <repeats 17 times>, 0x90df2b8, 0x0 <repeats 14 times>}, rest_buckets = {0x8a3ac78, 0x8a3ac78}}
(gdb) 

I am able to reproduce this every time with PHP 5.3.8 FPM without --enable-debug.
When compiling with --enable-debug, the FPM won't segfault anymore.

I think there is a problem when an error in the script occurs:
"functions_newpost.php(668) : eval()'d code"

The line looks like this:
($hook = vBulletinHook::fetch_hook('newpost_complete')) ? eval($hook) : false;
$hook is NULL in this case.

Configure:
./configure --with-mysql=/usr/local/mysql \
--with-mysqli \
--with-config-file-path=/usr/local/php53-fpm \
--with-openssl \
--with-gd \
--with-t1lib \
--enable-ftp \
--enable-calendar \
--with-libxml-dir \
--with-jpeg-dir=../jpeg-6b/ \
--with-freetype-dir=/usr/lib \
--with-gettext \
--with-zlib-dir=../zlib-1.1.3/ \
--with-png-dir=../libpng-1.0.6/ \
--with-gdbm \
--with-ndbm \
--enable-dba \
--with-imap=/usr/local/imap-2007e \
--with-imap-ssl=/usr/local/imap-2007e \
--enable-wddx \
--enable-bcmath \
--enable-exif \
--with-curl \
--enable-inline-optimization \
--enable-zend-multibyte \
--with-gnu-ld \
--with-zlib \
--with-mcrypt= \
--enable-wddx \
--with-mhash \
--with-pgsql \
--with-bz2 \
--with-pdo-mysql=/usr \
--with-iconv \
--enable-soap \
--with-xsl \
--with-t1lib \
--enable-fpm \
--enable-mbstring

fpm config:
listen = /etc/httpd/fastcgi/dynamic/socket
user = u145279
group = nobody

pm = ondemand
pm.max_children = 500
pm.min_spare_servers = 2
pm.max_spare_servers = 250
pm.process_idle_timeout = 300
pm.max_requests = 1000
Test script:
---------------
Sorry, no test script available.


Expected result:
----------------
Redirect after forum post works

Actual result:
--------------
Segmentation fault occurred at 59244e8c in /usr/bin/php5.3.8-fpm[php5.3.8-fpm:24964]



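Added editor's example (not part of the report, and not PHP project code): the frames and the `print *heap` dump above already contain enough to cross-check the crash without the binary. In the 5.3 allocator a small request is first served from `heap->cache[ZEND_MM_BUCKET_INDEX(true_size)]`, and the first thing `_zend_mm_alloc_int` does with the cached block is read its `prev_free_block` pointer. The script below parses the dump, infers `ZEND_MM_ALIGNMENT` from `size=52` / `true_size=60` in frame #0, computes the bucket index, and flags cache entries that lie implausibly far from the rest (using the heap's `limit` as the tolerance, an assumed heuristic). The header layout it assumes (8-byte block header, `prev_free_block` at offset 8, 16-byte minimum free-block header) is my reading of a 32-bit non-debug `zend_alloc.c` build, not something the report states; a `--enable-debug` build adds magic fields to that header, which is one reason such crashes move or vanish between builds. The `HEAP_DUMP` string is the report's own dump with `free_buckets` trimmed.

```python
"""Cross-check a zend_mm (PHP 5.3) allocator crash against a gdb `print *heap` dump.

Editor-added triage helper; it is not part of the bug report or of PHP itself.
"""
import re
from statistics import median

# `print *heap` output copied from the report (32-bit PHP 5.3.8 FPM build),
# with the long free_buckets array trimmed; cache[] is complete.
HEAP_DUMP = """$2 = {use_zend_alloc = 1, _malloc = 0, _free = 0, _realloc = 0, free_bitmap = 67584, large_free_bitmap = 131072, block_size = 262144,
  compact_size = 2097152, segments_list = 0x90c6cc8, storage = 0x8a3aa20, real_size = 4718592, real_peak = 4718592, limit = 104857600, size = 4555868,
  peak = 4565368, reserve_size = 8192, reserve = 0x8e49cf0, overflow = 0, internal = 0, cached = 23360, cache = {0x90db358, 0x90d974c, 0x90d9904,
    0x9008260, 0x90ded84, 0x90cf010, 0x90dc840, 0x90db2e4, 0x90dc9d0, 0x90d5978, 0x90d8978, 0x59244e84, 0x90d8404, 0x90d837c, 0x90d67dc, 0x8e9ae3c,
    0x90da5d0, 0x8ee6e20, 0x0, 0x90108f4, 0x90cd84c, 0x90dee90, 0x90d5c50, 0x90cd940, 0x8d81024, 0x9070550, 0x90d5890, 0x8e83f1c, 0x90d5728, 0x8ee6ed0,
    0x0, 0x9006230}, free_buckets = {0x8a3aaf8, 0x8a3aaf8}, large_free_buckets = {0x0 <repeats 17 times>, 0x90df2b8,
    0x0 <repeats 14 times>}, rest_buckets = {0x8a3ac78, 0x8a3ac78}}"""

# Facts taken from frame #0 and the "Actual result" line of the report.
FAULT_ADDR = 0x59244E8C
ALLOC_SIZE = 52
TRUE_SIZE = 60

# Assumed layout of a 32-bit, non-debug zend_alloc.c (PHP 5.3); not stated in the report.
HEADER_SIZE = 8          # zend_mm_block: info._size and info._prev, 4 bytes each
MIN_HEADER_SIZE = 16     # zend_mm_small_free_block: info + prev_free_block + next_free_block
PREV_FREE_OFFSET = 8     # prev_free_block is the first field alloc reads from a cached block


def parse_heap_dump(dump):
    """Return the integer scalars and the cache[] pointer array of a `print *heap` dump."""
    scalars = {k: int(v) for k, v in re.findall(r"\b(\w+) = (\d+)\b", dump)}
    body = re.search(r"\bcache = \{([^}]*)\}", dump).group(1)
    cache = [int(p, 16) for p in re.findall(r"0x[0-9a-fA-F]+", body)]
    return {"scalars": scalars, "cache": cache}


def infer_alignment(alloc_size, true_size, header=HEADER_SIZE):
    """ZEND_MM_TRUE_SIZE is align(size + header); recover the alignment the build used."""
    for align in (4, 8, 16):
        if -(-(alloc_size + header) // align) * align == true_size:
            return align
    raise ValueError("true_size does not match any common ZEND_MM_ALIGNMENT")


def bucket_index(true_size, align):
    """ZEND_MM_BUCKET_INDEX: (true_size / align) - (min_header / align)."""
    return true_size // align - MIN_HEADER_SIZE // align


def find_outliers(pointers, tolerance):
    """Cache heads that sit further than `tolerance` bytes from the median head.

    Heuristic (assumption): this heap's segments total at most `limit` bytes, so a
    head hundreds of MB away from its siblings is almost certainly not a block of
    this heap at all, i.e. the free list has been poisoned.
    """
    live = [p for p in pointers if p]
    centre = int(median(live))
    return [(i, p) for i, p in enumerate(pointers) if p and abs(p - centre) > tolerance]


def explain_fault(dump, fault_addr, alloc_size, true_size):
    """Tie the faulting address back to the cache entry the allocator was reading."""
    heap = parse_heap_dump(dump)
    align = infer_alignment(alloc_size, true_size)
    idx = bucket_index(true_size, align)
    head = heap["cache"][idx]
    return {
        "alignment": align,
        "bucket": idx,
        "cache_head": head,
        "outliers": find_outliers(heap["cache"], heap["scalars"]["limit"]),
        # True when the fault is exactly the prev_free_block read on the cached head.
        "fault_is_prev_free_read": fault_addr == head + PREV_FREE_OFFSET,
    }


if __name__ == "__main__":
    r = explain_fault(HEAP_DUMP, FAULT_ADDR, ALLOC_SIZE, TRUE_SIZE)
    print("ZEND_MM_ALIGNMENT inferred: %d, bucket %d, head 0x%x"
          % (r["alignment"], r["bucket"], r["cache_head"]))
    for i, p in r["outliers"]:
        print("  suspicious cache[%d] = 0x%x" % (i, p))
    print("fault == head + prev_free_block offset:", r["fault_is_prev_free_read"])
```

Run as-is it reports bucket 11, whose head pointer `0x59244e84` is the only outlier in the cache array, and that `0x59244e8c` from the "Actual result" line is exactly that pointer plus the `prev_free_block` offset: the crash is a read through a poisoned free-list cache entry, which fits the reporter's later finding that a local patch, rather than FPM, was at fault. The same parser works on any `print *heap` capture from this allocator generation; swap in the fault address and the frame #0 sizes from your own trace.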
 [2011-10-31 10:56 UTC] fat@php.net
Not enough information was provided for us to be able
to handle this bug. Please re-read the instructions at
http://bugs.php.net/how-to-report.php

If you can provide more information, feel free to add it
to this bug and change the status back to "Open".

Thank you for your interest in PHP.


It does not seem to be a problem related to FPM but to core.

Can you reproduce the bug with php-cgi, php-cli or mod_php?
 [2011-10-31 10:56 UTC] fat@php.net
-Status: Open +Status: Feedback
 [2011-10-31 12:46 UTC] dbetz at df dot eu
Hello,

I can't reproduce this with php-cgi or with php-fpm built with --enable-debug.
When I compile php-fpm without --enable-debug, I hit this segfault.

With php <= 5.3.7rc3-dev I always get a segfault in zend_assign_to_variable.
See https://bugs.php.net/bug.php?id=54488

It is always the same procedure to reproduce these segfaults.
 [2011-10-31 12:46 UTC] dbetz at df dot eu
-Status: Feedback +Status: Open
 [2011-11-25 13:52 UTC] dbetz at df dot eu
Sorry. I found the solution in a self-made patch for PHP.

You can close this.
Thank you.
 [2012-05-22 15:53 UTC] fat@php.net
It was a bug in a custom PHP patch.
 [2012-05-22 15:53 UTC] fat@php.net
-Status: Open +Status: Not a bug -Assigned To: +Assigned To: fat
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Dec 27 02:01:29 2024 UTC