Bug #52518 Segfault in /Zend/zend_objects_API.c:230
Submitted: 2010-08-02 19:12 UTC Modified: 2012-03-07 22:15 UTC
Votes:3
Avg. Score:4.3 ± 0.9
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:1 (50.0%)
From: correo at sevein dot com Assigned: pajoye (profile)
Status: Closed Package: Reproducible crash
PHP Version: 5.3.3 OS: Linux/Windows
Private report: No CVE-ID: None
 [2010-08-02 19:12 UTC] correo at sevein dot com
Description:
------------
A PHP process segfaults randomly when I try to build a complex search index with 
Symfony framework and Zend Lucene. Unfortunately, I can't figure out a short 
script to reproduce this problem.

I can reproduce it with all PHP versions, including PHP 5.3.3. In debug mode, the 
problem occurs faster (the index build can take many hours).

This is how I compiled my PHP installation:

./configure \
--enable-dom \
--enable-libxml \
--with-xsl \
--enable-pdo \
--with-pdo-mysql \
--with-mysql \
--with-mysqli \
--enable-mbstring \
--enable-debug


gdb:

$ gdb /home/foobar/bin/php-5.3.3-debug ./core
Core was generated by `/home/foobar/bin/php-5.3.3-debug -d memory_limit=1200M symfony search:populate Q'.
Program terminated with signal 11, Segmentation fault.
#0  0x000000000086d775 in zend_objects_store_del_ref_by_handle_ex (handle=16159, handlers=0x106b340)
    at /home/foobar/bin/php-5.3.3/Zend/zend_objects_API.c:230
230		obj->refcount--;

(gdb) print obj
$1 = (struct _store_object *) 0x7ffc9fc80838

(gdb) print obj->refcount
Cannot access memory at address 0x7ffc9fc80860



The backtrace:

(gdb) bt
#0  0x000000000086d775 in zend_objects_store_del_ref_by_handle_ex (handle=16159, handlers=0x106b340)
    at /home/foobar/bin/php-5.3.3/Zend/zend_objects_API.c:230
#1  0x000000000086d477 in zend_objects_store_del_ref (zobject=0xd724c90) at /home/foobar/bin/php-5.3.3/Zend/zend_objects_API.c:172
#2  0x000000000083d822 in _zval_dtor_func (zvalue=0xd724c90, __zend_filename=0xdceb88 "/home/foobar/bin/php-5.3.3/Zend/zend_execute_API.c", __zend_lineno=443) at /home/foobar/bin/php-5.3.3/Zend/zend_variables.c:52
#3  0x000000000082d73a in _zval_dtor (zvalue=0xd724c90, __zend_filename=0xdceb88 "/home/foobar/bin/php-5.3.3/Zend/zend_execute_API.c", __zend_lineno=443) at /home/foobar/bin/php-5.3.3/Zend/zend_variables.h:35
#4  0x000000000082e6c8 in _zval_ptr_dtor (zval_ptr=0xddbaa00, __zend_filename=0xdd0400 "/home/foobar/bin/php-5.3.3/Zend/zend_variables.c", __zend_lineno=178) at /home/foobar/bin/php-5.3.3/Zend/zend_execute_API.c:443
#5  0x000000000083db9f in _zval_ptr_dtor_wrapper (zval_ptr=0xddbaa00) at /home/foobar/bin/php-5.3.3/Zend/zend_variables.c:178
#6  0x000000000084feb0 in zend_hash_destroy (ht=0xcba0578) at /home/foobar/bin/php-5.3.3/Zend/zend_hash.c:526
#7  0x0000000000868209 in zend_object_std_dtor (object=0xf2983f0) at /home/foobar/bin/php-5.3.3/Zend/zend_objects.c:45
#8  0x0000000000868585 in zend_objects_free_object_storage (object=0xf2983f0) at /home/foobar/bin/php-5.3.3/Zend/zend_objects.c:128
#9  0x000000000086d710 in zend_objects_store_del_ref_by_handle_ex (handle=16266, handlers=0x106b340)
    at /home/foobar/bin/php-5.3.3/Zend/zend_objects_API.c:220
#10 0x000000000086d477 in zend_objects_store_del_ref (zobject=0xe67c7b0) at /home/foobar/bin/php-5.3.3/Zend/zend_objects_API.c:172
#11 0x000000000083d822 in _zval_dtor_func (zvalue=0xe67c7b0, __zend_filename=0xdceb88 "/home/foobar/bin/php-5.3.3/Zend/zend_execute_API.c", __zend_lineno=443) at /home/foobar/bin/php-5.3.3/Zend/zend_variables.c:52
#12 0x000000000082d73a in _zval_dtor (zvalue=0xe67c7b0, __zend_filename=0xdceb88 "/home/foobar/bin/php-5.3.3/Zend/zend_execute_API.c", __zend_lineno=443) at /home/foobar/bin/php-5.3.3/Zend/zend_variables.h:35
#13 0x000000000082e6c8 in _zval_ptr_dtor (zval_ptr=0x7ffca2525c10, __zend_filename=0xdd6728 "/home/foobar/bin/php-5.3.3/Zend/zend_vm_execute.h", __zend_lineno=160) at /home/foobar/bin/php-5.3.3/Zend/zend_execute_API.c:443
#14 0x00000000008732da in zend_leave_helper_SPEC (execute_data=0x7ffca2525b38) at /home/foobar/bin/php-5.3.3/Zend/zend_vm_execute.h:160
#15 0x0000000000878335 in ZEND_RETURN_SPEC_CONST_HANDLER (execute_data=0x7ffca2525b38) at /home/foobar/bin/php-5.3.3/Zend/zend_vm_execute.h:1686
#16 0x0000000000873131 in execute (op_array=0x33a0410) at /home/foobar/bin/php-5.3.3/Zend/zend_vm_execute.h:107
#17 0x00000000008401ec in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/foobar/bin/php-5.3.3/Zend/zend.c:1194
#18 0x00000000007ca328 in php_execute_script (primary_file=0x7fffd3b27230) at /home/foobar/bin/php-5.3.3/main/main.c:2260
#19 0x00000000009238a3 in main (argc=6, argv=0x7fffd3b27498) at /home/foobar/bin/php-5.3.3/sapi/cli/php_cli.c:1192

Test script:
---------------
Unfortunately, I can't figure out a short script to reproduce this problem.

Expected result:
----------------
The process should not segfault.

Actual result:
--------------
Segfault

History

 [2010-08-05 03:41 UTC] felipe@php.net
-Status: Open +Status: Feedback
 [2010-08-05 03:41 UTC] felipe@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.


 [2010-08-07 12:48 UTC] correo at sevein dot com
-Status: Feedback +Status: Open
 [2010-08-07 12:48 UTC] correo at sevein dot com
I am continuing to investigate this issue. I ran valgrind to complete this report and 
got this:

==1994== Invalid read of size 4
==1994==    at 0x701E1C: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:230)
==1994==    by 0x701F62: zend_objects_store_del_ref (zend_objects_API.c:172)
==1994==    by 0x6D4B04: _zval_ptr_dtor (zend_variables.h:35)
==1994==    by 0x6EC4CA: zend_hash_destroy (zend_hash.c:526)
==1994==    by 0x6FE5F8: zend_object_std_dtor (zend_objects.c:45)
==1994==    by 0x6FE618: zend_objects_free_object_storage (zend_objects.c:128)
==1994==    by 0x701F49: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:220)
==1994==    by 0x701F62: zend_objects_store_del_ref (zend_objects_API.c:172)
==1994==    by 0x75AE41: ZEND_ASSIGN_SPEC_CV_CONST_HANDLER (zend_execute.c:691)
==1994==    by 0x704927: execute (zend_vm_execute.h:107)
==1994==    by 0x6E0179: zend_execute_scripts (zend.c:1194)
==1994==    by 0x68F8CC: php_execute_script (main.c:2260)
==1994==    by 0x76638D: main (php_cli.c:1192)
==1994==  Address 0x10611c30 is 1,014,768 bytes inside a block of size 1,048,576 free'd
==1994==    at 0x4C285A2: realloc (vg_replace_malloc.c:525)
==1994==    by 0x702080: zend_objects_store_put (zend_objects_API.c:113)
==1994==    by 0x6FE2C7: zend_objects_new (zend_objects.c:138)
==1994==    by 0x6E86F2: _object_and_properties_init (zend_API.c:1079)
==1994==    by 0x709168: ZEND_NEW_SPEC_HANDLER (zend_vm_execute.h:476)
==1994==    by 0x704927: execute (zend_vm_execute.h:107)
==1994==    by 0x6D6D03: zend_call_function (zend_execute_API.c:963)
==1994==    by 0x6F5F4E: zend_call_method (zend_interfaces.c:97)
==1994==    by 0x6FE4DE: zend_objects_destroy_object (zend_objects.c:113)
==1994==    by 0x701F30: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:206)
==1994==    by 0x701F62: zend_objects_store_del_ref (zend_objects_API.c:172)
==1994==    by 0x6D4B04: _zval_ptr_dtor (zend_variables.h:35)
==1994==    by 0x6EC4CA: zend_hash_destroy (zend_hash.c:526)
==1994==    by 0x6FE5F8: zend_object_std_dtor (zend_objects.c:45)
==1994==    by 0x6FE618: zend_objects_free_object_storage (zend_objects.c:128)
==1994==    by 0x701F49: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:220)
==1994==    by 0x701F62: zend_objects_store_del_ref (zend_objects_API.c:172)
==1994==    by 0x6D4B04: _zval_ptr_dtor (zend_variables.h:35)
==1994==    by 0x6EC4CA: zend_hash_destroy (zend_hash.c:526)
==1994==    by 0x6FE5F8: zend_object_std_dtor (zend_objects.c:45)
==1994==    by 0x6FE618: zend_objects_free_object_storage (zend_objects.c:128)
==1994==    by 0x701F49: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:220)
==1994==    by 0x701F62: zend_objects_store_del_ref (zend_objects_API.c:172)
==1994==    by 0x75AE41: ZEND_ASSIGN_SPEC_CV_CONST_HANDLER (zend_execute.c:691)
==1994==    by 0x704927: execute (zend_vm_execute.h:107)
==1994==    by 0x6E0179: zend_execute_scripts (zend.c:1194)
==1994==    by 0x68F8CC: php_execute_script (main.c:2260)
==1994==    by 0x76638D: main (php_cli.c:1192)
==1994== 
==1994== Invalid read of size 4
==1994==    at 0x701E1C: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:230)
==1994==    by 0x701F62: zend_objects_store_del_ref (zend_objects_API.c:172)
==1994==    by 0x75AE41: ZEND_ASSIGN_SPEC_CV_CONST_HANDLER (zend_execute.c:691)
==1994==    by 0x704927: execute (zend_vm_execute.h:107)
==1994==    by 0x6E0179: zend_execute_scripts (zend.c:1194)
==1994==    by 0x68F8CC: php_execute_script (main.c:2260)
==1994==    by 0x76638D: main (php_cli.c:1192)
==1994==  Address 0x106172f0 is 1,036,976 bytes inside a block of size 1,048,576 free'd
==1994==    at 0x4C285A2: realloc (vg_replace_malloc.c:525)
==1994==    by 0x702080: zend_objects_store_put (zend_objects_API.c:113)
==1994==    by 0x6FE2C7: zend_objects_new (zend_objects.c:138)
==1994==    by 0x6E86F2: _object_and_properties_init (zend_API.c:1079)
==1994==    by 0x709168: ZEND_NEW_SPEC_HANDLER (zend_vm_execute.h:476)
==1994==    by 0x704927: execute (zend_vm_execute.h:107)
==1994==    by 0x6D6D03: zend_call_function (zend_execute_API.c:963)
==1994==    by 0x6F5F4E: zend_call_method (zend_interfaces.c:97)
==1994==    by 0x6FE4DE: zend_objects_destroy_object (zend_objects.c:113)
==1994==    by 0x701F30: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:206)
==1994==    by 0x701F62: zend_objects_store_del_ref (zend_objects_API.c:172)
==1994==    by 0x6D4B04: _zval_ptr_dtor (zend_variables.h:35)
==1994==    by 0x6EC4CA: zend_hash_destroy (zend_hash.c:526)
==1994==    by 0x6FE5F8: zend_object_std_dtor (zend_objects.c:45)
==1994==    by 0x6FE618: zend_objects_free_object_storage (zend_objects.c:128)
==1994==    by 0x701F49: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:220)
==1994==    by 0x701F62: zend_objects_store_del_ref (zend_objects_API.c:172)
==1994==    by 0x6D4B04: _zval_ptr_dtor (zend_variables.h:35)
==1994==    by 0x6EC4CA: zend_hash_destroy (zend_hash.c:526)
==1994==    by 0x6FE5F8: zend_object_std_dtor (zend_objects.c:45)
==1994==    by 0x6FE618: zend_objects_free_object_storage (zend_objects.c:128)
==1994==    by 0x701F49: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:220)
==1994==    by 0x701F62: zend_objects_store_del_ref (zend_objects_API.c:172)
==1994==    by 0x75AE41: ZEND_ASSIGN_SPEC_CV_CONST_HANDLER (zend_execute.c:691)
==1994==    by 0x704927: execute (zend_vm_execute.h:107)
==1994==    by 0x6E0179: zend_execute_scripts (zend.c:1194)
==1994==    by 0x68F8CC: php_execute_script (main.c:2260)
==1994==    by 0x76638D: main (php_cli.c:1192)
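The valgrind trace above has a recognisable shape: the read at zend_objects_API.c:230 goes through a bucket pointer taken before the destructor call at line 206, and the block it points into was freed by the realloc() in zend_objects_store_put, reached because the destructor allocated a new object. The C below is an added illustration of that shape on a constructed handle-indexed store; it is neither the reporter's code nor PHP's, and the function names and the malloc+memcpy+free growth (which forces every growth to move the array, as a realloc() that cannot extend in place does) are assumptions for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a handle-indexed object store (not PHP's code):
 * all buckets live in one growable array, so any pointer into it is only
 * valid until the next growth. */
typedef struct { int refcount; int destructor_called; } store_object;
static struct { store_object *buckets; size_t size, top; } st;

static void store_reset(void) { free(st.buckets); memset(&st, 0, sizeof st); }

/* Grow by malloc+memcpy+free so every growth moves the array, the case a
 * realloc() that cannot extend in place produces. */
static size_t store_put(void) {
    if (st.top == st.size) {
        size_t nsize = st.size ? st.size * 2 : 1;
        store_object *nb = malloc(nsize * sizeof *nb);
        if (!nb) abort();
        if (st.buckets) { memcpy(nb, st.buckets, st.top * sizeof *nb); free(st.buckets); }
        st.buckets = nb; st.size = nsize;
    }
    st.buckets[st.top].refcount = 1;
    st.buckets[st.top].destructor_called = 0;
    return st.top++;
}

/* Destructor hook that allocates, as a __destruct() that does `new` would. */
static void destructor_that_allocates(void) { store_put(); }

/* Buggy shape: a bucket pointer taken before the destructor call would be
 * dereferenced after it. Here we only report whether the array moved out
 * from under that pointer; the stale pointer is never touched. */
static int del_ref_stale_would_dangle(size_t h) {
    uintptr_t before = (uintptr_t)st.buckets;
    store_object *obj = &st.buckets[h];        /* pointer taken early */
    if (obj->refcount == 1 && !obj->destructor_called) {
        obj->destructor_called = 1;
        destructor_that_allocates();           /* may free st.buckets */
    }
    return (uintptr_t)st.buckets != before;    /* 1: obj now dangles */
}

/* Fixed shape: re-resolve the bucket by handle after any call that may grow
 * the store, then decrement through the fresh pointer. */
static int del_ref_safe(size_t h) {
    store_object *obj = &st.buckets[h];
    if (obj->refcount == 1 && !obj->destructor_called) {
        obj->destructor_called = 1;
        destructor_that_allocates();
        obj = &st.buckets[h];                  /* refresh: array may have moved */
    }
    return --obj->refcount;
}
```

The same re-resolution discipline applies to any pointer into a container that a callback may grow; running the buggy shape under valgrind reports it as an invalid read inside a block freed by the grow routine, exactly as in the trace above.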
 [2011-06-13 04:02 UTC] felipe@php.net
-Status: Open +Status: Feedback
 [2011-06-13 04:02 UTC] felipe@php.net
Please try using this snapshot:

  http://snaps.php.net/php5.3-latest.tar.gz
 
For Windows:

  http://windows.php.net/snapshots/


 [2012-03-07 22:14 UTC] correo at sevein dot com
I'm happy to say that I am not able to reproduce this segfault anymore. Thank you 
guys!
 [2012-03-07 22:14 UTC] correo at sevein dot com
-Status: Feedback +Status: Open
 [2012-03-07 22:15 UTC] pajoye@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: pajoye
 