Bug #43582 Core dump in _zend_mm_alloc_int
Submitted: 2007-12-12 18:10 UTC Modified: 2007-12-30 01:00 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: steve at grommit dot com Assigned:
Status: No Feedback Package: Apache2 related
PHP Version: 5.2.5 OS: OpenSolaris (snv_75a)
Private report: No CVE-ID: None
 [2007-12-12 18:10 UTC] steve at grommit dot com
Description:
------------
I'm seeing consistent core dumps of httpd in libphp5.so (compiled on my Solaris Nevada build 75a machine), all of them here:

libphp5.so`_zend_mm_alloc_int+0x5e(82329e8, 2d)

This is snv_75a on a quad core Intel xeon with PHP 5.2.5 and Apache2 2.2.3.

Actual result:
--------------
Stack trace:

[root@grommit:core] 501$ mdb core.httpd.22142
$Loading modules: [ libc.so.1 libnvpair.so.1 libuutil.so.1 libavl.so.1 ld.so.1 ]
> $c
libphp5.so`_zend_mm_alloc_int+0x5e(82329e8, 2d)
libphp5.so`_emalloc+0x27(2d)
libphp5.so`_zend_hash_quick_add_or_update+0x1f1(85cec90, 8999260, a, 7f4f5fed, 
80438a8, 4)
libphp5.so`_get_zval_ptr_ptr+0x17e(880a6c0, 8043940, 80438f0, 1)
libphp5.so`ZEND_RECV_INIT_SPEC_CONST_HANDLER+0x103(8044168)
libphp5.so`execute+0x12d(8714c90)
libphp5.so`zend_do_fcall_common_helper_SPEC+0x29f(8044fd8)
libphp5.so`ZEND_DO_FCALL_SPEC_CONST_HANDLER+0x67(8044fd8)
libphp5.so`execute+0x12d(8906200)
libphp5.so`zend_do_fcall_common_helper_SPEC+0x29f(8047558)
libphp5.so`ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER+0x15(8047558)
libphp5.so`execute+0x12d(823daf8)
libphp5.so`zend_execute_scripts+0x128(8, 0, 3, 0, 8047b24, 0)
libphp5.so`php_execute_script+0x26d(8047b24)
libphp5.so`php_handler+0x426(8380000)
ap_run_handler+0x25(8380000)
ap_invoke_handler+0xba(8380000)
ap_process_request+0x50(8380000)
ap_process_http_connection+0x52(8372260)
ap_run_process_connection+0x25(8372260)
ap_process_connection+0x3a(8372260, 8371fc8)
child_main+0x2f6(13)
make_child+0x84(80beaf8, 13)
perform_idle_server_maintenance+0xe2(80bcc58)
ap_mpm_run+0x234(80bcc58, 80ead10, 80beaf8)
main+0x6e8(3, 8047e38, 8047e48)
_start+0x7a(3, 8047ed4, 8047eeb, 8047eee, 0, 8047ef4)


Disassembly of that portion of the code:
> libphp5.so`_zend_mm_alloc_int+0x5e::dis
libphp5.so`_zend_mm_alloc_int+0x3f:     shrl   $0x3,%esi
libphp5.so`_zend_mm_alloc_int+0x42:     leal   -0x2(%esi),%ecx
libphp5.so`_zend_mm_alloc_int+0x45:     cmpl   %edx,%eax
libphp5.so`_zend_mm_alloc_int+0x47:     
jb     +0x44e   <libphp5.so`_zend_mm_alloc_int+0x49b>
libphp5.so`_zend_mm_alloc_int+0x4d:     movl   0x8(%ebp),%eax
libphp5.so`_zend_mm_alloc_int+0x50:     movl   %eax,-0x4(%ebp)
libphp5.so`_zend_mm_alloc_int+0x53:     movl   0x3c(%eax,%esi,4),%edx
libphp5.so`_zend_mm_alloc_int+0x57:     testl  %edx,%edx
libphp5.so`_zend_mm_alloc_int+0x59:     
je     +0x18    <libphp5.so`_zend_mm_alloc_int+0x73>
libphp5.so`_zend_mm_alloc_int+0x5b:     leal   0x8(%edx),%eax
libphp5.so`_zend_mm_alloc_int+0x5e:     movl   0x8(%edx),%ecx
libphp5.so`_zend_mm_alloc_int+0x61:     movl   -0x4(%ebp),%edx
libphp5.so`_zend_mm_alloc_int+0x64:     movl   %ecx,0x3c(%edx,%esi,4)
libphp5.so`_zend_mm_alloc_int+0x68:     movl   -0x10(%ebp),%ecx
libphp5.so`_zend_mm_alloc_int+0x6b:     subl   %ecx,0x40(%edx)
libphp5.so`_zend_mm_alloc_int+0x6e:     
jmp    +0x443   <libphp5.so`_zend_mm_alloc_int+0x4b6>
libphp5.so`_zend_mm_alloc_int+0x73:     movl   -0x4(%ebp),%eax
libphp5.so`_zend_mm_alloc_int+0x76:     movl   0x4(%eax),%eax
libphp5.so`_zend_mm_alloc_int+0x79:     shrl   %cl,%eax
libphp5.so`_zend_mm_alloc_int+0x7b:     testl  %eax,%eax
libphp5.so`_zend_mm_alloc_int+0x7d:     
je     +0x1b    <libphp5.so`_zend_mm_alloc_int+0x9a>


Register contents:
> $r
%cs = 0x0043            %eax = 0x41373041 
%ds = 0x004b            %ebx = 0xfd3d156c 
%ss = 0x004b            %ecx = 0x00000005 
%es = 0x004b            %edx = 0x41373039 
%fs = 0x0000            %esi = 0x00000007 
%gs = 0x01c3            %edi = 0x00000000 

 %eip = 0xfd28f552 libphp5.so`_zend_mm_alloc_int+0x5e
 %ebp = 0x080437ec
%kesp = 0x00000000

%eflags = 0x00000206
  id=0 vip=0 vif=0 ac=0 vm=0 rf=0 nt=0 iopl=0x0
  status=<of,df,IF,tf,sf,zf,af,PF,cf>

   %esp = 0x080437c4
%trapno = 0xe
   %err = 0x4
> 
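The first dump faults at "movl 0x8(%edx),%ecx" with %edx = 0x41373039: the list head just loaded from the heap structure at 0x3c(%eax,%esi,4) is not a usable pointer, so reading a field through it traps. As an added example (not code from the report or from PHP), the simplified C model below mirrors that load/test/dereference sequence on a bucketed free list and range-checks the list pointers before touching them; the bucket layout, field names and arena are assumptions, not the Zend allocator's real layout.

```c
#include <stdint.h>
#include <stddef.h>
/* Simplified model of a bucketed free list, shaped like the faulting sequence
 * in the report: load free_buckets[idx], test for NULL, then read the block's
 * next pointer.  Illustrative only, not the Zend allocator's code or layout. */
#define NUM_BUCKETS 32
#define HEAP_BYTES  4096
typedef struct free_block {
    uint32_t size;
    struct free_block *prev;
    struct free_block *next;   /* the field read by "movl 0x8(%edx),%ecx" */
} free_block;
typedef struct {
    uint8_t *base;             /* start of the arena */
    uint32_t len;
    free_block *free_buckets[NUM_BUCKETS];
} mm_heap;

/* 1 if p is an aligned block header lying inside the arena. */
static int block_in_heap(const mm_heap *h, const void *p) {
    uintptr_t a = (uintptr_t)p, lo = (uintptr_t)h->base;
    return a >= lo && a + sizeof(free_block) <= lo + h->len && a % 4 == 0;
}

/* Pops the head of bucket idx.  Head and next pointer are range checked first,
 * so a clobbered bucket is reported (*corrupt = 1) rather than dereferenced. */
free_block *bucket_pop(mm_heap *h, int idx, int *corrupt) {
    free_block *blk = h->free_buckets[idx];
    *corrupt = 0;
    if (blk == NULL) return NULL;
    if (!block_in_heap(h, blk) || (blk->next && !block_in_heap(h, blk->next))) {
        *corrupt = 1;
        return NULL;
    }
    h->free_buckets[idx] = blk->next;
    return blk;
}

/* Constructed scenario: one 0x2d-byte block in bucket 7.  With clobber set the
 * bucket head becomes 0x41373039, the value %edx held in the first dump (its
 * bytes in memory are ASCII "907A").  Returns 0 = popped, 1 = empty, 2 = corrupt. */
int demo_scenario(int clobber) {
    static union { uint64_t align; uint8_t bytes[HEAP_BYTES]; } arena;
    mm_heap h = { arena.bytes, HEAP_BYTES, { 0 } };
    free_block *b = (free_block *)(arena.bytes + 64);
    int corrupt;
    b->size = 0x2d; b->prev = NULL; b->next = NULL;
    h.free_buckets[7] = clobber ? (free_block *)(uintptr_t)0x41373039 : b;
    if (bucket_pop(&h, 7, &corrupt) != NULL) return 0;
    return corrupt ? 2 : 1;
}
```

The same check is what a debug-build allocator does in spirit: validate list pointers against the arena before following them, so metadata damage surfaces as a diagnosable error rather than a SIGSEGV deep inside the allocator.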


 [2007-12-14 21:13 UTC] steve at grommit dot com
Nope - still crashes.  I installed from the CVS tarball pointed at below, and just got the following core dump:

[root@grommit:core] 501$ mdb core.httpd.9922 
Loading modules: [ libc.so.1 libnvpair.so.1 libuutil.so.1 libavl.so.1 ld.so.1 ]
> $c
libphp5.so`_zend_mm_alloc_int+0x11f(82329e8, 40)
libphp5.so`_emalloc+0x27(40)
libphp5.so`_safe_emalloc+0xa0(10, 4, 0)
libphp5.so`_ecalloc+0x2a(10, 4)
libphp5.so`_zend_hash_init+0x8e(8047738, a, 0, 0, 0)
libphp5.so`ps_srlzr_encode_php+0x48(80477b4, 80477ec)
libphp5.so`php_session_encode+0x42(80477ec)
libphp5.so`php_session_save_current_state+0x246(0, fdbb9d5c, 8047824, fd3d2cac, 
82a6c40, fd2ac45c)
libphp5.so`php_session_flush+0x54(8047878, fd2ac476, 1, e, fd2902bb, 82329e8)
libphp5.so`zm_deactivate_session+0xb(1, e)
libphp5.so`module_registry_cleanup+0x1a(82a6c78)
libphp5.so`zend_hash_apply+0x54(fd413d60, fd2ac45c)
libphp5.so`zend_deactivate_modules+0x55(8380000, fd414fc0, fd3d2cac, fd3d2cac, 
fd414fc0, 8380000)
libphp5.so`php_request_shutdown+0x125(0)
libphp5.so`php_handler+0x4ae(8380000)
ap_run_handler+0x25(8380000)
ap_invoke_handler+0xba(8380000)
ap_process_request+0x50(8380000)
ap_process_http_connection+0x52(8372260)
ap_run_process_connection+0x25(8372260)
ap_process_connection+0x3a(8372260, 8371fc8)
child_main+0x2f6(6)
make_child+0x84(80beaf8, 6)
perform_idle_server_maintenance+0xe2(80bcc58)
ap_mpm_run+0x234(80bcc58, 80ead10, 80beaf8)
main+0x6e8(3, 8047e38, 8047e48)
_start+0x7a(3, 8047ed4, 8047eeb, 8047eee, 0, 8047ef4)


Since it looks like it happened at a different instruction, here's the disassembly:
> libphp5.so`_zend_mm_alloc_int+0x11f::dis
libphp5.so`_zend_mm_alloc_int+0x104:    testl  %esi,%esi
libphp5.so`_zend_mm_alloc_int+0x106:    
jne    +0x7     <libphp5.so`_zend_mm_alloc_int+0x10f>
libphp5.so`_zend_mm_alloc_int+0x108:    
jmp    +0x231   <libphp5.so`_zend_mm_alloc_int+0x33e>
libphp5.so`_zend_mm_alloc_int+0x10d:    movl   %ecx,%esi
libphp5.so`_zend_mm_alloc_int+0x10f:    movl   0x2874(%ebx),%eax
libphp5.so`_zend_mm_alloc_int+0x115:    movl   (%eax),%eax
libphp5.so`_zend_mm_alloc_int+0x117:    testl  %eax,%eax
libphp5.so`_zend_mm_alloc_int+0x119:    
je     +0x2     <libphp5.so`_zend_mm_alloc_int+0x11d>
libphp5.so`_zend_mm_alloc_int+0x11b:    call   *%eax
libphp5.so`_zend_mm_alloc_int+0x11d:    movl   (%esi),%eax
libphp5.so`_zend_mm_alloc_int+0x11f:    cmpl   0x4(%esi,%eax),%eax
libphp5.so`_zend_mm_alloc_int+0x123:    
jne    +0x15    <libphp5.so`_zend_mm_alloc_int+0x13a>
libphp5.so`_zend_mm_alloc_int+0x125:    movl   0x4(%esi),%edx
libphp5.so`_zend_mm_alloc_int+0x128:    cmpl   $0x3,%edx
libphp5.so`_zend_mm_alloc_int+0x12b:    
je     +0x1c    <libphp5.so`_zend_mm_alloc_int+0x149>
libphp5.so`_zend_mm_alloc_int+0x12d:    movl   %edx,%eax
libphp5.so`_zend_mm_alloc_int+0x12f:    andl   $0xfffffffc,%eax
libphp5.so`_zend_mm_alloc_int+0x132:    movl   %esi,%ecx
libphp5.so`_zend_mm_alloc_int+0x134:    subl   %eax,%ecx
libphp5.so`_zend_mm_alloc_int+0x136:    cmpl   %edx,(%ecx)
libphp5.so`_zend_mm_alloc_int+0x138:    
je     +0xf     <libphp5.so`_zend_mm_alloc_int+0x149>


and the register contents:
>  $r
%cs = 0x0043            %eax = 0x3a726f72 
%ds = 0x004b            %ebx = 0xfd3d2cac 
%ss = 0x004b            %ecx = 0x082329e8 
%es = 0x004b            %edx = 0x00000003 
%fs = 0x0000            %esi = 0x087460e0 
%gs = 0x01c3            %edi = 0x00000000 

 %eip = 0xfd28f74b libphp5.so`_zend_mm_alloc_int+0x11f
 %ebp = 0x0804765c
%kesp = 0x00000000

%eflags = 0x00000246
  id=0 vip=0 vif=0 ac=0 vm=0 rf=0 nt=0 iopl=0x0
  status=<of,df,IF,tf,sf,ZF,af,PF,cf>

   %esp = 0x08047634
%trapno = 0xe
   %err = 0x4


It's definitely a recurring crash - unfortunately since it's in httpd, I don't know how to figure out what page/PHP instruction is causing it to trip.

Got any suggestions for what I can do to help to try and narrow down the cause?
 [2007-12-22 17:27 UTC] jani@php.net
It's something you're storing in the session that causes it.
 [2007-12-30 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 