PHP :: Bug #43397 :: crashes in _zend_mm_free

Bug #43397

crashes in _zend_mm_free_int

Submitted:

2007-11-24 15:58 UTC

Modified:

2009-02-19 01:00 UTC

Votes:	8
Avg. Score:	4.6 ± 0.7
Reproduced:	8 of 8 (100.0%)
Same Version:	3 (37.5%)
Same OS:	1 (12.5%)

From:

phajdan dot jr at gmail dot com

Assigned:

dmitry (profile)

Status:

No Feedback

Package:

Scripting Engine problem

PHP Version:

5.3CVS-2007-11-25

OS:

Linux (Gentoo 2007.0)

Private report:

CVE-ID:

None

View Developer Edit

[2007-11-24 15:58 UTC] phajdan dot jr at gmail dot com

Description:
------------
I have a not-so-small script (20k LOC) and there is a problem during some extensive operations in it: a crash. I tried to find out which part of my program could cause it (tried to comment out some fragments of code etc - but the code isn't very simple, so I couldn't find a fragment possibly related to the crash).

I have 3 backtraces, with PHP compiled with -debug (Gentoo USE flag). When compiled with debug, the issue doesn't persist.

I don't know how should I debug the problem - if I can do something to help you fix it - I will.

Actual result:
--------------
Backtrace 1:

#0  0xb7782fe8 in _zend_mm_free_int () from /usr/lib/apache2/modules/libphp5.so
#1  0xb77a6d46 in zend_hash_destroy () from /usr/lib/apache2/modules/libphp5.so
#2  0xb779c9e7 in _zval_dtor_func () from /usr/lib/apache2/modules/libphp5.so
#3  0xb7790a99 in _zval_ptr_dtor () from /usr/lib/apache2/modules/libphp5.so
#4  0xb77a6d20 in zend_hash_destroy () from /usr/lib/apache2/modules/libphp5.so
#5  0xb779c9e7 in _zval_dtor_func () from /usr/lib/apache2/modules/libphp5.so
#6  0xb7790a99 in _zval_ptr_dtor () from /usr/lib/apache2/modules/libphp5.so
#7  0xb77a6d20 in zend_hash_destroy () from /usr/lib/apache2/modules/libphp5.so
#8  0xb779c9e7 in _zval_dtor_func () from /usr/lib/apache2/modules/libphp5.so
#9  0xb7790a99 in _zval_ptr_dtor () from /usr/lib/apache2/modules/libphp5.so
#10 0xb77a6d20 in zend_hash_destroy () from /usr/lib/apache2/modules/libphp5.so
#11 0xb77b5ea3 in zend_object_std_dtor () from /usr/lib/apache2/modules/libphp5.so
#12 0xb77b5ed2 in zend_objects_free_object_storage () from /usr/lib/apache2/modules/libphp5.so
#13 0xb77b8fd7 in zend_objects_store_del_ref_by_handle () from /usr/lib/apache2/modules/libphp5.so
#14 0xb77b9017 in zend_objects_store_del_ref () from /usr/lib/apache2/modules/libphp5.so
#15 0xb7790a99 in _zval_ptr_dtor () from /usr/lib/apache2/modules/libphp5.so
#16 0xb77a6d20 in zend_hash_destroy () from /usr/lib/apache2/modules/libphp5.so
#17 0xb779c9e7 in _zval_dtor_func () from /usr/lib/apache2/modules/libphp5.so
#18 0xb7790a99 in _zval_ptr_dtor () from /usr/lib/apache2/modules/libphp5.so
#19 0xb77a6d20 in zend_hash_destroy () from /usr/lib/apache2/modules/libphp5.so
#20 0xb779c9e7 in _zval_dtor_func () from /usr/lib/apache2/modules/libphp5.so
#21 0xb7790a99 in _zval_ptr_dtor () from /usr/lib/apache2/modules/libphp5.so
#22 0xb77a6f10 in zend_hash_clean () from /usr/lib/apache2/modules/libphp5.so
#23 0xb7794915 in zend_cleanup_op_array_data () from /usr/lib/apache2/modules/libphp5.so
#24 0xb7794937 in zend_cleanup_function_data_full () from /usr/lib/apache2/modules/libphp5.so
#25 0xb77a6bec in zend_hash_apply () from /usr/lib/apache2/modules/libphp5.so
#26 0xb77947a9 in zend_cleanup_class_data () from /usr/lib/apache2/modules/libphp5.so
#27 0xb77a6bec in zend_hash_apply () from /usr/lib/apache2/modules/libphp5.so
#28 0xb7790eb9 in shutdown_executor () from /usr/lib/apache2/modules/libphp5.so
#29 0xb779cf4d in zend_deactivate () from /usr/lib/apache2/modules/libphp5.so
#30 0xb775c729 in php_request_shutdown () from /usr/lib/apache2/modules/libphp5.so
#31 0xb78160cd in php_handler () from /usr/lib/apache2/modules/libphp5.so
#32 0x08079037 in ap_run_handler ()
#33 0x0807c1b7 in ap_invoke_handler ()
#34 0x08087068 in ap_process_request ()
#35 0x080842cf in ap_process_http_connection ()
#36 0x0807ff67 in ap_run_process_connection ()
#37 0x0808b1a4 in child_main ()
#38 0x0808b409 in make_child ()
#39 0x0808c177 in ap_mpm_run ()
#40 0x08066908 in main ()

Backtrace 2:

#0  0xb775ef11 in _zend_mm_free_int () from /usr/lib/apache2/modules/libphp5.so
#1  0xb7770b37 in destroy_op_array () from /usr/lib/apache2/modules/libphp5.so
#2  0xb77829ef in zend_hash_apply_deleter () from /usr/lib/apache2/modules/libphp5.so
#3  0xb7782ae8 in zend_hash_reverse_apply () from /usr/lib/apache2/modules/libphp5.so
#4  0xb776d06b in shutdown_executor () from /usr/lib/apache2/modules/libphp5.so
#5  0xb7778f4d in zend_deactivate () from /usr/lib/apache2/modules/libphp5.so
#6  0xb7738729 in php_request_shutdown () from /usr/lib/apache2/modules/libphp5.so
#7  0xb77f20cd in php_handler () from /usr/lib/apache2/modules/libphp5.so
#8  0x08079037 in ap_run_handler ()
#9  0x0807c1b7 in ap_invoke_handler ()
#10 0x08087068 in ap_process_request ()
#11 0x080842cf in ap_process_http_connection ()
#12 0x0807ff67 in ap_run_process_connection ()
#13 0x0808b1a4 in child_main ()
#14 0x0808b409 in make_child ()
#15 0x0808c177 in ap_mpm_run ()
#16 0x08066908 in main ()

Backtrace 3:

#0  0xb781f524 in _zend_mm_free_int () from /usr/lib/apache2/modules/libphp5.so
#1  0xb78423a6 in zend_hash_destroy () from /usr/lib/apache2/modules/libphp5.so
#2  0xb78383a7 in _zval_dtor_func () from /usr/lib/apache2/modules/libphp5.so
#3  0xb782c759 in _zval_ptr_dtor () from /usr/lib/apache2/modules/libphp5.so
#4  0xb78423a6 in zend_hash_destroy () from /usr/lib/apache2/modules/libphp5.so
#5  0xb7851273 in zend_object_std_dtor () from /usr/lib/apache2/modules/libphp5.so
#6  0xb78512a2 in zend_objects_free_object_storage () from /usr/lib/apache2/modules/libphp5.so
#7  0xb78543a7 in zend_objects_store_del_ref_by_handle () from /usr/lib/apache2/modules/libphp5.so
#8  0xb78543e7 in zend_objects_store_del_ref () from /usr/lib/apache2/modules/libphp5.so
#9  0xb782c759 in _zval_ptr_dtor () from /usr/lib/apache2/modules/libphp5.so
#10 0xb78423a6 in zend_hash_destroy () from /usr/lib/apache2/modules/libphp5.so
#11 0xb78383a7 in _zval_dtor_func () from /usr/lib/apache2/modules/libphp5.so
#12 0xb782c759 in _zval_ptr_dtor () from /usr/lib/apache2/modules/libphp5.so
#13 0xb78423a6 in zend_hash_destroy () from /usr/lib/apache2/modules/libphp5.so
#14 0xb78383a7 in _zval_dtor_func () from /usr/lib/apache2/modules/libphp5.so
#15 0xb787963a in zend_assign_to_variable () from /usr/lib/apache2/modules/libphp5.so
#16 0xb7879a74 in ZEND_ASSIGN_SPEC_CV_TMP_HANDLER () from /usr/lib/apache2/modules/libphp5.so
#17 0xb7855bf8 in execute () from /usr/lib/apache2/modules/libphp5.so
#18 0xb7856628 in zend_do_fcall_common_helper_SPEC () from /usr/lib/apache2/modules/libphp5.so
#19 0xb7855bf8 in execute () from /usr/lib/apache2/modules/libphp5.so
#20 0xb7856628 in zend_do_fcall_common_helper_SPEC () from /usr/lib/apache2/modules/libphp5.so
#21 0xb7855bf8 in execute () from /usr/lib/apache2/modules/libphp5.so
#22 0xb7856628 in zend_do_fcall_common_helper_SPEC () from /usr/lib/apache2/modules/libphp5.so
#23 0xb7855bf8 in execute () from /usr/lib/apache2/modules/libphp5.so
#24 0xb7856628 in zend_do_fcall_common_helper_SPEC () from /usr/lib/apache2/modules/libphp5.so
#25 0xb7855bf8 in execute () from /usr/lib/apache2/modules/libphp5.so
#26 0xb7856628 in zend_do_fcall_common_helper_SPEC () from /usr/lib/apache2/modules/libphp5.so
#27 0xb7855bf8 in execute () from /usr/lib/apache2/modules/libphp5.so
#28 0xb782dfa0 in zend_call_function () from /usr/lib/apache2/modules/libphp5.so
#29 0xb782efae in call_user_function_ex () from /usr/lib/apache2/modules/libphp5.so
#30 0xb778b3d5 in zif_call_user_func () from /usr/lib/apache2/modules/libphp5.so
#31 0xb7856bc8 in zend_do_fcall_common_helper_SPEC () from /usr/lib/apache2/modules/libphp5.so
#32 0xb7855bf8 in execute () from /usr/lib/apache2/modules/libphp5.so
#33 0xb7856628 in zend_do_fcall_common_helper_SPEC () from /usr/lib/apache2/modules/libphp5.so
#34 0xb7855bf8 in execute () from /usr/lib/apache2/modules/libphp5.so
#35 0xb7856628 in zend_do_fcall_common_helper_SPEC () from /usr/lib/apache2/modules/libphp5.so
#36 0xb7855bf8 in execute () from /usr/lib/apache2/modules/libphp5.so
#37 0xb785fb70 in ZEND_INCLUDE_OR_EVAL_SPEC_CONST_HANDLER () from /usr/lib/apache2/modules/libphp5.so
#38 0xb7855bf8 in execute () from /usr/lib/apache2/modules/libphp5.so
#39 0xb78386d4 in zend_execute_scripts () from /usr/lib/apache2/modules/libphp5.so
#40 0xb77f8ea0 in php_execute_script () from /usr/lib/apache2/modules/libphp5.so
#41 0xb78b15a1 in php_handler () from /usr/lib/apache2/modules/libphp5.so
#42 0x08079037 in ap_run_handler ()
#43 0x0807c1b7 in ap_invoke_handler ()
#44 0x08087068 in ap_process_request ()
#45 0x080842cf in ap_process_http_connection ()
#46 0x0807ff67 in ap_run_process_connection ()
#47 0x0808b1a4 in child_main ()
#48 0x0808b409 in make_child ()
#49 0x0808c177 in ap_mpm_run ()
#50 0x08066908 in main ()

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2008-02-13 18:49 UTC] phajdan dot jr at gmail dot com

Please take a look at my original report - I was unable to extract a simple fragment which is causing the problem. Yet I'm still able to debug the issue in some other way.

One thing is worth noting: I'm almost sure it's something withe the new Zend MM introduced in some recent version of PHP. This crash didn't happen earlier (I tested it again with older version just to make sure), and with debug build it also does not happen.

[2008-02-20 14:50 UTC] dmitry@php.net

It is not possible to reproduce and fix the bug, without "bad" code.

[2008-02-23 12:42 UTC] phajdan dot jr at gmail dot com

Well, I wrote this earlier: I couldn't reduce the set of failing code enough to be usable. I tried again. At some point the problem disappears. It seems to be caused by a big amount of allocation/deallocation, so would be difficult to reproduce in a short script.

Please note that the bug has been *introduced* with Zend MM. In earlier versions of PHP it's just not present. That may help finding the cause.

I can also try to help reproduce the issue some other way, if you can provide me with some instructions or directions.

[2008-02-24 00:26 UTC] jani@php.net

One basic thing missing from this report: Your configure line.
And no, we're not interested in some Gentoo way of building PHP, we only support "our" way: ./configure <options> && make :)

[2008-02-24 07:49 UTC] phajdan dot jr at gmail dot com

Here it is, as reported by phpinfo().

apache2 SAPI:

'./configure' '--prefix=/usr/lib/php5' '--host=i686-pc-linux-gnu' '--mandir=/usr/lib/php5/man' '--infodir=/usr/lib/php5/info' '--sysconfdir=/etc' '--cache-file=./config.cache' '--disable-cli' '--with-apxs2=/usr/sbin/apxs2' '--with-config-file-path=/etc/php/apache2-php5' '--with-config-file-scan-dir=/etc/php/apache2-php5/ext-active' '--without-pear' '--disable-bcmath' '--with-bz2' '--disable-calendar' '--with-curl' '--without-curlwrappers' '--disable-dbase' '--enable-exif' '--without-fbsql' '--without-fdftk' '--disable-filter' '--enable-ftp' '--with-gettext' '--with-gmp' '--disable-ipv6' '--without-kerberos' '--enable-mbstring' '--with-mcrypt' '--without-mhash' '--without-msql' '--without-mssql' '--with-ncurses' '--with-openssl' '--with-openssl-dir=/usr' '--disable-pcntl' '--without-pgsql' '--disable-posix' '--without-pspell' '--without-recode' '--disable-shmop' '--without-snmp' '--enable-soap' '--disable-sockets' '--without-sybase' '--without-sybase-ct' '--disable-sysvmsg' '--disable-sysvsem' '--disable-sysvshm' '--without-tidy' '--disable-wddx' '--disable-xmlreader' '--disable-xmlwriter' '--without-xmlrpc' '--with-xsl' '--enable-zip' '--with-zlib' '--disable-debug' '--enable-dba' '--without-cdb' '--with-db4' '--without-flatfile' '--with-gdbm' '--without-inifile' '--without-qdbm' '--with-freetype-dir=/usr' '--with-t1lib=/usr' '--disable-gd-jis-conv' '--with-jpeg-dir=/usr' '--with-png-dir=/usr' '--with-xpm-dir=/usr' '--with-gd' '--with-mysql=/usr' '--with-mysql-sock=/var/run/mysqld/mysqld.sock' '--without-mysqli' '--without-pdo-dblib' '--with-pdo-mysql=/usr' '--without-pdo-odbc' '--without-pdo-pgsql' '--with-pdo-sqlite=/usr' '--with-readline' '--without-libedit' '--without-mm' '--with-sqlite=/usr' '--enable-sqlite-utf8'

CLI SAPI (snippet of php -r 'phpinfo();'):

Configure Command =>  './configure'  '--prefix=/usr/lib/php5' '--host=i686-pc-linux-gnu' '--mandir=/usr/lib/php5/man' '--infodir=/usr/lib/php5/info' '--sysconfdir=/etc' '--cache-file=./config.cache' '--enable-cli' '--disable-cgi' '--with-config-file-path=/etc/php/cli-php5' '--with-config-file-scan-dir=/etc/php/cli-php5/ext-active' '--without-pear' '--disable-bcmath' '--with-bz2' '--disable-calendar' '--with-curl' '--without-curlwrappers' '--disable-dbase' '--enable-exif' '--without-fbsql' '--without-fdftk' '--disable-filter' '--enable-ftp' '--with-gettext' '--with-gmp' '--disable-ipv6' '--without-kerberos' '--enable-mbstring' '--with-mcrypt' '--without-mhash' '--without-msql' '--without-mssql' '--with-ncurses' '--with-openssl' '--with-openssl-dir=/usr' '--disable-pcntl' '--without-pgsql' '--disable-posix' '--without-pspell' '--without-recode' '--disable-shmop' '--without-snmp' '--enable-soap' '--disable-sockets' '--without-sybase' '--without-sybase-ct' '--disable-sysvmsg' '--disable-sysvsem' '--disable-sysvshm' '--without-tidy' '--disable-wddx' '--disable-xmlreader' '--disable-xmlwriter' '--without-xmlrpc' '--with-xsl' '--enable-zip' '--with-zlib' '--disable-debug' '--enable-dba' '--without-cdb' '--with-db4' '--without-flatfile' '--with-gdbm' '--without-inifile' '--without-qdbm' '--with-freetype-dir=/usr' '--with-t1lib=/usr' '--disable-gd-jis-conv' '--with-jpeg-dir=/usr' '--with-png-dir=/usr' '--with-xpm-dir=/usr' '--with-gd' '--with-mysql=/usr' '--with-mysql-sock=/var/run/mysqld/mysqld.sock' '--without-mysqli' '--without-pdo-dblib' '--with-pdo-mysql=/usr' '--without-pdo-odbc' '--without-pdo-pgsql' '--with-pdo-sqlite=/usr' '--with-readline' '--without-libedit' '--without-mm' '--with-sqlite=/usr' '--enable-sqlite-utf8'

[2008-03-13 13:31 UTC] jani@php.net

Another thing: Do you load any shared extensions in your php.ini?

[2008-03-21 01:00 UTC] php-bugs at lists dot php dot net

No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".

[2008-07-14 18:32 UTC] nic dot rodgers at enableinteractive dot co dot uk

I get the same error on PHP 5.2.5, 5.2.6, and the latest CVS snapshot.

[2009-02-11 21:38 UTC] felipe@php.net

Please try using this CVS snapshot:

  http://snaps.php.net/php5.3-latest.tar.gz
 
For Windows:

  http://windows.php.net/snapshots/

[2009-02-19 01:00 UTC] php-bugs at lists dot php dot net

No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".

[2009-10-08 08:21 UTC] igor at webta dot net

I have the same problem. Problem exists only on FreeBSD (6.x, 7.0) and only in CLI php. Here is a backtrace:

(gdb) bt
#0  0x0812cefa in _zend_mm_free_int ()
#1  0x28a021a0 in zm_deactivate_pcntl () from /usr/local/lib/php/20060613/pcntl.so
#2  0x08147f20 in module_registry_cleanup ()
#3  0x081503f4 in zend_hash_reverse_apply ()
#4  0x08146880 in zend_deactivate_modules ()
#5  0x08106d45 in php_request_shutdown ()
#6  0x081c2581 in main ()

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Nov 21 20:01:29 2024 UTC