PHP :: Bug #43582 :: Core dump in _zend_mm_alloc

Bug #43582

Core dump in _zend_mm_alloc_int

Submitted:

2007-12-12 18:10 UTC

Modified:

2007-12-30 01:00 UTC

Votes:	1
Avg. Score:	3.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	0 (0.0%)
Same OS:	0 (0.0%)

From:

steve at grommit dot com

Assigned:

Status:

No Feedback

Package:

Apache2 related

PHP Version:

5.2.5

OS:

OpenSolaris (snv_75a)

Private report:

CVE-ID:

None

View Add Comment Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	steve at grommit dot com
New email:
PHP Version:		OS:

New/Additional Comment:

[2007-12-12 18:10 UTC] steve at grommit dot com

Description:
------------
I'm seeing consistent core dumps of httpd in libphp5.so (compiled on my Solaris Nevada build 75a machine), all of them here:

libphp5.so`_zend_mm_alloc_int+0x5e(82329e8, 2d)

This is snv_75a on a quad core Intel xeon with PHP 5.2.5 and Apache2 2.2.3.

Actual result:
--------------
Stack trace:

[root@grommit:core] 501$ mdb core.httpd.22142
$Loading modules: [ libc.so.1 libnvpair.so.1 libuutil.so.1 libavl.so.1 ld.so.1 ]
> $c
libphp5.so`_zend_mm_alloc_int+0x5e(82329e8, 2d)
libphp5.so`_emalloc+0x27(2d)
libphp5.so`_zend_hash_quick_add_or_update+0x1f1(85cec90, 8999260, a, 7f4f5fed, 
80438a8, 4)
libphp5.so`_get_zval_ptr_ptr+0x17e(880a6c0, 8043940, 80438f0, 1)
libphp5.so`ZEND_RECV_INIT_SPEC_CONST_HANDLER+0x103(8044168)
libphp5.so`execute+0x12d(8714c90)
libphp5.so`zend_do_fcall_common_helper_SPEC+0x29f(8044fd8)
libphp5.so`ZEND_DO_FCALL_SPEC_CONST_HANDLER+0x67(8044fd8)
libphp5.so`execute+0x12d(8906200)
libphp5.so`zend_do_fcall_common_helper_SPEC+0x29f(8047558)
libphp5.so`ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER+0x15(8047558)
libphp5.so`execute+0x12d(823daf8)
libphp5.so`zend_execute_scripts+0x128(8, 0, 3, 0, 8047b24, 0)
libphp5.so`php_execute_script+0x26d(8047b24)
libphp5.so`php_handler+0x426(8380000)
ap_run_handler+0x25(8380000)
ap_invoke_handler+0xba(8380000)
ap_process_request+0x50(8380000)
ap_process_http_connection+0x52(8372260)
ap_run_process_connection+0x25(8372260)
ap_process_connection+0x3a(8372260, 8371fc8)
child_main+0x2f6(13)
make_child+0x84(80beaf8, 13)
perform_idle_server_maintenance+0xe2(80bcc58)
ap_mpm_run+0x234(80bcc58, 80ead10, 80beaf8)
main+0x6e8(3, 8047e38, 8047e48)
_start+0x7a(3, 8047ed4, 8047eeb, 8047eee, 0, 8047ef4)


Dissassembly of that portion of the code:
> libphp5.so`_zend_mm_alloc_int+0x5e::dis
libphp5.so`_zend_mm_alloc_int+0x3f:     shrl   $0x3,%esi
libphp5.so`_zend_mm_alloc_int+0x42:     leal   -0x2(%esi),%ecx
libphp5.so`_zend_mm_alloc_int+0x45:     cmpl   %edx,%eax
libphp5.so`_zend_mm_alloc_int+0x47:     
jb     +0x44e   <libphp5.so`_zend_mm_alloc_int+0x49b>
libphp5.so`_zend_mm_alloc_int+0x4d:     movl   0x8(%ebp),%eax
libphp5.so`_zend_mm_alloc_int+0x50:     movl   %eax,-0x4(%ebp)
libphp5.so`_zend_mm_alloc_int+0x53:     movl   0x3c(%eax,%esi,4),%edx
libphp5.so`_zend_mm_alloc_int+0x57:     testl  %edx,%edx
libphp5.so`_zend_mm_alloc_int+0x59:     
je     +0x18    <libphp5.so`_zend_mm_alloc_int+0x73>
libphp5.so`_zend_mm_alloc_int+0x5b:     leal   0x8(%edx),%eax
libphp5.so`_zend_mm_alloc_int+0x5e:     movl   0x8(%edx),%ecx
libphp5.so`_zend_mm_alloc_int+0x61:     movl   -0x4(%ebp),%edx
libphp5.so`_zend_mm_alloc_int+0x64:     movl   %ecx,0x3c(%edx,%esi,4)
libphp5.so`_zend_mm_alloc_int+0x68:     movl   -0x10(%ebp),%ecx
libphp5.so`_zend_mm_alloc_int+0x6b:     subl   %ecx,0x40(%edx)
libphp5.so`_zend_mm_alloc_int+0x6e:     
jmp    +0x443   <libphp5.so`_zend_mm_alloc_int+0x4b6>
libphp5.so`_zend_mm_alloc_int+0x73:     movl   -0x4(%ebp),%eax
libphp5.so`_zend_mm_alloc_int+0x76:     movl   0x4(%eax),%eax
libphp5.so`_zend_mm_alloc_int+0x79:     shrl   %cl,%eax
libphp5.so`_zend_mm_alloc_int+0x7b:     testl  %eax,%eax
libphp5.so`_zend_mm_alloc_int+0x7d:     
je     +0x1b    <libphp5.so`_zend_mm_alloc_int+0x9a>


Register contents:
> $r
%cs = 0x0043            %eax = 0x41373041 
%ds = 0x004b            %ebx = 0xfd3d156c 
%ss = 0x004b            %ecx = 0x00000005 
%es = 0x004b            %edx = 0x41373039 
%fs = 0x0000            %esi = 0x00000007 
%gs = 0x01c3            %edi = 0x00000000 

 %eip = 0xfd28f552 libphp5.so`_zend_mm_alloc_int+0x5e
 %ebp = 0x080437ec
%kesp = 0x00000000

%eflags = 0x00000206
  id=0 vip=0 vif=0 ac=0 vm=0 rf=0 nt=0 iopl=0x0
  status=<of,df,IF,tf,sf,zf,af,PF,cf>

   %esp = 0x080437c4
%trapno = 0xe
   %err = 0x4
>

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2007-12-13 09:18 UTC] jani@php.net

Please try using this CVS snapshot:

  http://snaps.php.net/php5.2-latest.tar.gz
 
For Windows (zip):
 
  http://snaps.php.net/win32/php5.2-win32-latest.zip

For Windows (installer):

  http://snaps.php.net/win32/php5.2-win32-installer-latest.msi

[2007-12-14 21:13 UTC] steve at grommit dot com

Nope - still crashes.  I installed from the CVS tarball pointed at below, and just got the following core dump:

[root@grommit:core] 501$ mdb core.httpd.9922 
Loading modules: [ libc.so.1 libnvpair.so.1 libuutil.so.1 libavl.so.1 ld.so.1 ]
> $c
libphp5.so`_zend_mm_alloc_int+0x11f(82329e8, 40)
libphp5.so`_emalloc+0x27(40)
libphp5.so`_safe_emalloc+0xa0(10, 4, 0)
libphp5.so`_ecalloc+0x2a(10, 4)
libphp5.so`_zend_hash_init+0x8e(8047738, a, 0, 0, 0)
libphp5.so`ps_srlzr_encode_php+0x48(80477b4, 80477ec)
libphp5.so`php_session_encode+0x42(80477ec)
libphp5.so`php_session_save_current_state+0x246(0, fdbb9d5c, 8047824, fd3d2cac, 
82a6c40, fd2ac45c)
libphp5.so`php_session_flush+0x54(8047878, fd2ac476, 1, e, fd2902bb, 82329e8)
libphp5.so`zm_deactivate_session+0xb(1, e)
libphp5.so`module_registry_cleanup+0x1a(82a6c78)
libphp5.so`zend_hash_apply+0x54(fd413d60, fd2ac45c)
libphp5.so`zend_deactivate_modules+0x55(8380000, fd414fc0, fd3d2cac, fd3d2cac, 
fd414fc0, 8380000)
libphp5.so`php_request_shutdown+0x125(0)
libphp5.so`php_handler+0x4ae(8380000)
ap_run_handler+0x25(8380000)
ap_invoke_handler+0xba(8380000)
ap_process_request+0x50(8380000)
ap_process_http_connection+0x52(8372260)
ap_run_process_connection+0x25(8372260)
ap_process_connection+0x3a(8372260, 8371fc8)
child_main+0x2f6(6)
make_child+0x84(80beaf8, 6)
perform_idle_server_maintenance+0xe2(80bcc58)
ap_mpm_run+0x234(80bcc58, 80ead10, 80beaf8)
main+0x6e8(3, 8047e38, 8047e48)
_start+0x7a(3, 8047ed4, 8047eeb, 8047eee, 0, 8047ef4)


Since it looks like it happened at a different instruction, here's the disassembly:
> libphp5.so`_zend_mm_alloc_int+0x11f::dis
libphp5.so`_zend_mm_alloc_int+0x104:    testl  %esi,%esi
libphp5.so`_zend_mm_alloc_int+0x106:    
jne    +0x7     <libphp5.so`_zend_mm_alloc_int+0x10f>
libphp5.so`_zend_mm_alloc_int+0x108:    
jmp    +0x231   <libphp5.so`_zend_mm_alloc_int+0x33e>
libphp5.so`_zend_mm_alloc_int+0x10d:    movl   %ecx,%esi
libphp5.so`_zend_mm_alloc_int+0x10f:    movl   0x2874(%ebx),%eax
libphp5.so`_zend_mm_alloc_int+0x115:    movl   (%eax),%eax
libphp5.so`_zend_mm_alloc_int+0x117:    testl  %eax,%eax
libphp5.so`_zend_mm_alloc_int+0x119:    
je     +0x2     <libphp5.so`_zend_mm_alloc_int+0x11d>
libphp5.so`_zend_mm_alloc_int+0x11b:    call   *%eax
libphp5.so`_zend_mm_alloc_int+0x11d:    movl   (%esi),%eax
libphp5.so`_zend_mm_alloc_int+0x11f:    cmpl   0x4(%esi,%eax),%eax
libphp5.so`_zend_mm_alloc_int+0x123:    
jne    +0x15    <libphp5.so`_zend_mm_alloc_int+0x13a>
libphp5.so`_zend_mm_alloc_int+0x125:    movl   0x4(%esi),%edx
libphp5.so`_zend_mm_alloc_int+0x128:    cmpl   $0x3,%edx
libphp5.so`_zend_mm_alloc_int+0x12b:    
je     +0x1c    <libphp5.so`_zend_mm_alloc_int+0x149>
libphp5.so`_zend_mm_alloc_int+0x12d:    movl   %edx,%eax
libphp5.so`_zend_mm_alloc_int+0x12f:    andl   $0xfffffffc,%eax
libphp5.so`_zend_mm_alloc_int+0x132:    movl   %esi,%ecx
libphp5.so`_zend_mm_alloc_int+0x134:    subl   %eax,%ecx
libphp5.so`_zend_mm_alloc_int+0x136:    cmpl   %edx,(%ecx)
libphp5.so`_zend_mm_alloc_int+0x138:    
je     +0xf     <libphp5.so`_zend_mm_alloc_int+0x149>


and the register contents:
>  $r
%cs = 0x0043            %eax = 0x3a726f72 
%ds = 0x004b            %ebx = 0xfd3d2cac 
%ss = 0x004b            %ecx = 0x082329e8 
%es = 0x004b            %edx = 0x00000003 
%fs = 0x0000            %esi = 0x087460e0 
%gs = 0x01c3            %edi = 0x00000000 

 %eip = 0xfd28f74b libphp5.so`_zend_mm_alloc_int+0x11f
 %ebp = 0x0804765c
%kesp = 0x00000000

%eflags = 0x00000246
  id=0 vip=0 vif=0 ac=0 vm=0 rf=0 nt=0 iopl=0x0
  status=<of,df,IF,tf,sf,ZF,af,PF,cf>

   %esp = 0x08047634
%trapno = 0xe
   %err = 0x4


It's definitely a recurring crash - unfortunately since it's in httpd, I don't know how to figure out what page/PHP instruction is causing it to trip.

Got any suggestions for what I can do to help to try and narrow down the cause?

[2007-12-22 17:27 UTC] jani@php.net

It's something you're storing in the session that causes it.

[2007-12-30 01:00 UTC] php-bugs at lists dot php dot net

No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu May 16 05:01:35 2024 UTC