Bug #52349 "zend_mm_heap corrupted" error
Submitted: 2010-07-15 18:12 UTC Modified: 2013-02-18 00:34 UTC
Votes:3
Avg. Score:4.3 ± 0.9
Reproduced:3 of 3 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: mbeccati@php.net Assigned: dmitry (profile)
Status: No Feedback Package: Reproducible crash
PHP Version: 5.3.3RC3 OS: FreeBSD 6.2
Private report: No CVE-ID: None
 [2010-07-15 18:12 UTC] mbeccati@php.net
Description:
------------
A few things:

* It happens when running a specific "simpletest" integration test 
* It doesn't always happen, roughly 33-50% of the time
* Never happened with 5.3.2, I got a report from Bamboo as soon as I upgraded to 5.3.3RC3

Of course I can't get a simple reproduce script as the aforementioned test does tons of things, but of course I can provide more information, SSH access, or try anything I'm asked to.

Test script:
---------------
n/a

Expected result:
----------------
No failure

Actual result:
--------------
zend_mm_heap corrupted exit message, with the following backtrace

#0  0x000000000079f25b in zval_scan (pz=0x3b31970) at /array1/compile/php-5.3.3RC3-fcgi/Zend/zend_gc.c:485
        p = (Bucket *) 0x3661108
#1  0x000000000079f6b9 in gc_collect_cycles () at /array1/compile/php-5.3.3RC3-fcgi/Zend/zend_gc.c:535
        p = (zval_gc_info *) 0xee5ee0
        q = (zval_gc_info *) 0x0
        orig_free_list = (zval_gc_info *) 0x7fffffffc6e0
        orig_next_to_free = (zval_gc_info *) 0x211ef18
        count = 0
#2  0x000000000079fbd8 in gc_zval_possible_root (zv=0x33588b0) at /array1/compile/php-5.3.3RC3-fcgi/Zend/zend_gc.c:166
        newRoot = (gc_root_buffer *) 0x3627830
#3  0x00000000007a4fde in zend_assign_to_object (result=0x211ef18, object_ptr=0xe567a0, property_name=0x211ef60, value_op=0x211efb0, Ts=0x113b228, opcode=136) at /array1/compile/php-5.3.3RC3-fcgi/Zend/zend_execute.c:602
        object = (zval *) 0x3632b70
        free_value = {var = 0x113b701}
        value = (zval *) 0x33588b0
        retval = (zval **) 0x113b6e0
#4  0x00000000007e2796 in ZEND_ASSIGN_OBJ_SPEC_UNUSED_CONST_HANDLER (execute_data=0x113b190) at zend_vm_execute.h:17645
        opline = (zend_op *) 0x0
#5  0x00000000007a65f9 in execute (op_array=0x2119968) at zend_vm_execute.h:107
        ret = 0
        execute_data = (zend_execute_data *) 0x113b190
        nested = 1 '\001'
        original_in_execution = 1 '\001'
#6  0x0000000000777d94 in zend_call_function (fci=0x7fffffffc970, fci_cache=0x0) at /array1/compile/php-5.3.3RC3-fcgi/Zend/zend_execute_API.c:963
        call_via_handler = 34934168
        i = 18062328
        original_return_value = (zval **) 0x1139bf8
        calling_symbol_table = (HashTable *) 0x0
        original_op_array = (zend_op_array *) 0x2150d98
        original_opline_ptr = (zend_op **) 0x1139f28
        current_scope = (zend_class_entry *) 0x2118528
        current_called_scope = (zend_class_entry *) 0x2104658
        calling_scope = (zend_class_entry *) 0x2104658
        called_scope = (zend_class_entry *) 0x2104658
        current_this = (zval *) 0x30c9840
        execute_data = {opline = 0x0, function_state = {function = 0x2109b78, arguments = 0x113a068}, fbc = 0x0, called_scope = 0x0, op_array = 0x0, object = 0x3632b70, Ts = 0x1139fe0, CVs = 0x1139fc0, symbol_table = 0x0,
  prev_execute_data = 0x1139f28, old_error_reporting = 0x0, nested = 1 '\001', original_return_value = 0x2104658, current_scope = 0x30c9840, current_called_scope = 0x0, current_this = 0x0, current_object = 0x0, call_opline = 0x1139fc8}
#7  0x0000000000728986 in xml_call_handler (parser=0x2f77938, handler=0x3356688, function_ptr=0x3627830, argc=3, argv=0x7fffffffca50) at /array1/compile/php-5.3.3RC3-fcgi/ext/xml/xml.c:530
        args = (zval ***) 0x2f7e210
        retval = (zval *) 0x0
        result = -13744
        fci = {size = 72, function_table = 0xe58180, function_name = 0x3356688, symbol_table = 0x0, retval_ptr_ptr = 0x7fffffffc968, param_count = 3, params = 0x2f7e210, object_ptr = 0x3632b70, no_separation = 0 '\0'}
        i = 3
#8  0x000000000072926a in _xml_startElementHandler (userData=0x2f77938, name=0x11fa8c0 "plugin", attributes=0x0) at /array1/compile/php-5.3.3RC3-fcgi/ext/xml/xml.c:822
        attrs = (const char **) 0x0
        att = 0x0
        val = 0x11fa8c0 "plugin"
        val_len = 0
        retval = (zval *) 0x821ae6ce
        args = {0x37ba0f0, 0x3359b18, 0x37ba450}
#9  0x000000000072b56e in _start_element_handler (user=0x2d40860, name=0x11fa8c0 "plugin", attributes=0x0) at /array1/compile/php-5.3.3RC3-fcgi/ext/xml/compat.c:84
        qualified_name = (xmlChar *) 0x11fa8c0 "plugin"
#10 0x00000000820fa26a in xmlParseStartTag () from /usr/local/lib/libxml2.so.5
No symbol table info available.
#11 0x00000000820ff102 in xmlParseTryOrFinish () from /usr/local/lib/libxml2.so.5
No symbol table info available.
#12 0x00000000821004ab in xmlParseChunk () from /usr/local/lib/libxml2.so.5
No symbol table info available.
#13 0x000000000072c00d in php_XML_Parse (parser=0x2d40860, data=0x3540020 "", data_len=56784944, is_final=0) at /array1/compile/php-5.3.3RC3-fcgi/ext/xml/compat.c:605
        error = 0
#14 0x000000000072a963 in zif_xml_parse (ht=62069104, return_value=0x374c980, return_value_ptr=0x3627830, this_ptr=0x0, return_value_used=0) at /array1/compile/php-5.3.3RC3-fcgi/ext/xml/xml.c:1464
        parser = (xml_parser *) 0x2f77938
        pind = (zval *) 0x374ccf0
        data = 0x3356e18 "<?xml version=\"1.0\" encoding=\"ISO-8859-1\" ?>\n<?xml-stylesheet type=\"text/xsl\" href=\"\"?>\n\n<plugin>\n    <name>apRetargetingDriverExternalUI</name>\n    <creationDate>2010-06-10</creationDate>\n    <author"...
        data_len = 1075
        ret = 0
        isFinal = 1
#15 0x00000000007a7100 in zend_do_fcall_common_helper_SPEC (execute_data=0x1139f28) at zend_vm_execute.h:316
        i = 3
        p = (zval **) 0x113a048
        arg_count = 0
        opline = (zend_op *) 0x213f2b8
        should_change_scope = 0 '\0'
#16 0x00000000007a65f9 in execute (op_array=0x2150d98) at zend_vm_execute.h:107
        ret = 0
        execute_data = (zend_execute_data *) 0x1139f28
        nested = 1 '\001'
        original_in_execution = 0 '\0'
#17 0x0000000000785675 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /array1/compile/php-5.3.3RC3-fcgi/Zend/zend.c:1194
        files = {{gp_offset = 40, fp_offset = 48, overflow_arg_area = 0x7fffffffcf30, reg_save_area = 0x7fffffffce40}}
        i = 1
        file_handle = (zend_file_handle *) 0x7fffffffe850
        orig_op_array = (zend_op_array *) 0x0
        orig_retval_ptr_ptr = (zval **) 0x0
#18 0x0000000000735158 in php_execute_script (primary_file=0x7fffffffe850) at /array1/compile/php-5.3.3RC3-fcgi/main/main.c:2260
        realfile = "/usr/local/bamboo/test-home/xml-data/build-dir/RET-TRUNK/tests/run.php\000\000>@Ü\200\000\000\000\000\000\027Þ\200\000\000\000\0000áÿÿÿ\177\000\000\000\000\000\000\000\000\000\000\001\000\000\000\000\000\000\000\t*¹\n\000\000\000\000é=Ü\200", '\0' <repeats 13 times>, "rÞ\200\000\000\000\000(áÿÿÿ\177\000\000\000\000\000\000\000\000\000\000páÿÿÿ\177\000\000ç\016", '\0' <repeats 14 times>, "\001\000\000\000\000\000\000\000\t*¹\n\000\000\000\000\001<Ü\200\000\000\000"...
        prepend_file_p = (zend_file_handle *) 0x0
        append_file_p = (zend_file_handle *) 0x0
        prepend_file = {type = ZEND_HANDLE_FILENAME, filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, isatty = 0, mmap = {len = 0, pos = 0, map = 0x0, buf = 0x0, old_handle = 0x0, old_closer = 0},
      reader = 0, fsizer = 0, closer = 0}}, free_filename = 0 '\0'}
        append_file = {type = ZEND_HANDLE_FILENAME, filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, isatty = 0, mmap = {len = 0, pos = 0, map = 0x0, buf = 0x0, old_handle = 0x0, old_closer = 0},
      reader = 0, fsizer = 0, closer = 0}}, free_filename = 0 '\0'}
        old_cwd = 0x7fffffffcf40 ""
        retval = 0
#19 0x00000000008099fb in main (argc=9, argv=0x7fffffffe948) at /array1/compile/php-5.3.3RC3-fcgi/sapi/cli/php_cli.c:1192
        len = 140737488348832
        argn = (zval *) 0x80de6600
        input = 0x0
        index = 9
        argi = (zval *) 0x80ee0030
        exit_status = 0
        c = 0
        file_handle = {type = ZEND_HANDLE_MAPPED, filename = 0x7fffffffeb75 "run.php", opened_path = 0x0, handle = {fd = 15152376, fp = 0xe734f8, stream = {handle = 0xe734f8, isatty = 0, mmap = {len = 5351, pos = 0, map = 0x80df4000,
        buf = 0x80df4000 <Address 0x80df4000 out of bounds>, old_handle = 0x8270d840, old_closer = 0x797cd0 <zend_stream_stdio_closer>}, reader = 0x797cb0 <zend_stream_stdio_reader>, fsizer = 0x797cf0 <zend_stream_stdio_fsizer>,
      closer = 0x797d50 <zend_stream_mmap_closer>}}, free_filename = 0 '\0'}
        behavior = 1
        reflection_what = 0x0
        orig_optind = 1
        orig_optarg = 0x0
        arg_free = 0x7fffffffeb75 "run.php"
        arg_excp = (char **) 0x3540020
        script_file = 0x7fffffffeb75 "run.php"
        interactive = 0
        module_started = 1
        request_started = 1
        lineno = 1
        exec_direct = 0x0
        exec_run = 0x0
        exec_begin = 0x0
        exec_end = 0x0
        param_error = 0x0
        hide_argv = 0
        ini_entries_len = -6496

 [2010-07-15 18:19 UTC] mbeccati@php.net
-Assigned To: +Assigned To: dmitry
 [2010-07-15 18:19 UTC] mbeccati@php.net
Assigning to dmitry, per IRC chat.
 [2010-07-16 08:23 UTC] dmitry@php.net
-Status: Assigned +Status: Feedback
 [2010-07-16 08:23 UTC] dmitry@php.net
Sorry, but I need a script to reproduce and fix this bug. In case it's a big application, I can try to debug it on your system if you give me SSH access, but it's more difficult.
 [2011-03-18 12:20 UTC] jan-php at kantert dot net
Same bug on Ubuntu 10.04 LTS x86_64
PHP 5.3.2-1ubuntu4.7 with Suhosin-Patch (cli) (built: Jan 12 2011 18:36:55)

Also happens only 30% of the time. Sometimes it "just" segfaults without error. Sometimes with this error. Happens when running the archive.sh in piwik.

strace /usr/bin/php5 -q /home/XXX/misc/cron/../../index.php

We did an strace on the process and noticed some things. If it segfaults (only then) there are a lot of brk lines:

brk(0x805a000)                          = 0x805a000
brk(0x809a000)                          = 0x809a000
brk(0x80da000)                          = 0x80da000
brk(0x811a000)                          = 0x811a000
brk(0x815a000)                          = 0x815a000
brk(0x819a000)                          = 0x819a000
brk(0x81da000)                          = 0x81da000
brk(0x821a000)                          = 0x821a000
brk(0x825a000)                          = 0x825a000
brk(0x829a000)                          = 0x829a000
brk(0x82da000)                          = 0x82da000
brk(0x831a000)                          = 0x831a000
brk(0x835a000)                          = 0x835a000
brk(0x839a000)                          = 0x839a000
brk(0x83da000)                          = 0x83da000


At the end:

close(5)                                = 0
close(4)                                = 0
munmap(0x7fcae32e3000, 528384)          = 0
write(3, "\1\0\0\0\1", 5)               = 5
shutdown(3, 2 /* send and receive */)   = 0
close(3)                                = 0
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++
Segmentation fault
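The strace comparison described above can be scripted so that clean and crashing runs of an intermittent failure are tallied rather than eyeballed. This is an added example, not part of the bug report: it classifies each run's log (strace output with the program's stderr appended) as ok, segfault or heap-corrupted and counts brk() heap growth; the sample logs are constructed, modelled on the excerpt in the comment.

```shell
# Added triage helper for an intermittent "zend_mm_heap corrupted" crash:
# classify each run's strace+stderr log and count brk() heap growth.
set -eu

# classify_log FILE -> prints heap-corrupted | segfault | ok
classify_log() {
  if grep -q 'zend_mm_heap corrupted' "$1"; then
    echo heap-corrupted
  elif grep -Eq '^(--- SIGSEGV|\+\+\+ killed by SIGSEGV)' "$1"; then
    echo segfault
  else
    echo ok
  fi
}

# brk_growth FILE -> number of brk() calls that moved the break (brk(0) queries ignored)
brk_growth() {
  grep -Ec '^brk\(0x[0-9a-f]+\) += 0x' "$1" || true
}

# summarize_dir DIR -> "ok=N segfault=N heap-corrupted=N" over DIR/*.log
summarize_dir() {
  local ok=0 seg=0 heap=0 f
  for f in "$1"/*.log; do
    case "$(classify_log "$f")" in
      ok) ok=$((ok + 1)) ;;
      segfault) seg=$((seg + 1)) ;;
      heap-corrupted) heap=$((heap + 1)) ;;
    esac
  done
  echo "ok=$ok segfault=$seg heap-corrupted=$heap"
}

# make_samples DIR -> constructed logs in strace's format (not real captures)
make_samples() {
  mkdir -p "$1"
  printf '%s\n' 'brk(0) = 0x805a000' 'brk(0x809a000) = 0x809a000' \
    'brk(0x80da000) = 0x80da000' '--- SIGSEGV (Segmentation fault) @ 0 (0) ---' \
    '+++ killed by SIGSEGV +++' > "$1/run1.log"
  printf '%s\n' 'brk(0) = 0x805a000' 'brk(0x809a000) = 0x809a000' \
    'exit_group(0) = ?' > "$1/run2.log"
  printf '%s\n' 'brk(0) = 0x805a000' 'brk(0x809a000) = 0x809a000' \
    'brk(0x80da000) = 0x80da000' 'zend_mm_heap corrupted' > "$1/run3.log"
}

# Stand-alone demo on the constructed samples
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
summarize_dir "$demo_dir"
rm -rf "$demo_dir"
```

For real runs, produce one log per invocation with `strace -o runN.log php script.php 2>>runN.log` and point summarize_dir at that directory.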
 [2013-02-18 00:34 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Open". Thank you.