Bug #51182 PHP crashes: "zend_mm_heap corrupted" after array operation
Submitted: 2010-03-02 12:31 UTC
Modified: 2010-03-03 03:37 UTC
From: torsten dot landmann at bauermedia dot com
Assigned:
Status: No Feedback
Package: Reproducible crash
PHP Version: 5.2.13
OS: Ubuntu
Private report: No
CVE-ID: None
 [2010-03-02 12:31 UTC] torsten dot landmann at bauermedia dot com
Description:
------------
We have a reproducible crash scenario but there are two problems with that:

1. PHP doesn't crash EVERY time.
2. We didn't manage to reproduce the problem with a simple script yet. It only happens in our Drupal-driven website with about 3000 files and a complex database.

However we managed to isolate the problem to a single line in code, which, if it gets rewritten, fixes the problem.
Because this line actually is a little weird and not good programming style anyways, it seems plausible to us that you will be able to comprehend the problem in PHP source code if you look into it directly.

This is what happens if PHP crashes in our scenario:

1. The page gets completely rendered and output is written to the output stream.
2. Shutdown functions are executed.
3. After executing the last statement of the last shutdown function, PHP suddenly crashes. The output buffer is discarded. The visitor sees a blank page. The Apache error log receives a line that reads "zend_mm_heap corrupted".


The following is the line of code that seems to cause the problem. This line of code is executed long before any output data is written and long before shutdown functions get executed. It doesn't crash directly but only seems to trigger a future crash:

$tax = current(taxonomy_node_get_terms($node));


($node is an instance of stdClass, taxonomy_node_get_terms() returns an array.)

It seems that PHP may choke on its memory management later on when this line has been executed before. Maybe there's a problem because the return value is used for writing although not being saved in a variable.



 [2010-03-02 18:16 UTC] jani@php.net
-Status: Open +Status: Feedback
 [2010-03-02 18:16 UTC] jani@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.


 [2010-03-02 18:44 UTC] torsten dot landmann at bauermedia dot com
We'd love to but we're sorry, as already mentioned above, we're unable to provide this script. We've really, really tried to create something simple for you but we didn't succeed. At the moment we can only reproduce the problem by running our complete project.
Rewriting the mentioned line of code helps but that's all we can tell you.

If the above information doesn't help you with identifying why all this is happening, we'll probably have to watch this issue further and maybe get back to you at a later time. Thanks.
 [2010-03-03 02:30 UTC] aharvey@php.net
-Status: Open +Status: Bogus
 [2010-03-03 02:30 UTC] aharvey@php.net
I don't think there's going to be much we can do about this without a short reproducing script and a backtrace in the case where PHP does crash. I certainly can't reproduce this with a simple script either.

If you are able to produce those at a later date, please feel free to comment here and we'll reopen the bug.
 [2010-03-03 03:37 UTC] aharvey@php.net
-Status: Bogus +Status: No Feedback
 