Bug #53768 Segfault at zend_vm_execute.h:428 in shutdown function
Submitted: 2011-01-17 16:08 UTC Modified: 2013-02-18 00:34 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: landeholm at gmail dot com Assigned:
Status: No Feedback Package: Reproducible crash
PHP Version: 5.3.5 OS: Linux 2.6.18-194.17.1
Private report: No CVE-ID: None

 [2011-01-17 16:08 UTC] landeholm at gmail dot com
Description:
------------
Just upgraded to 5.3.5 and PHP segfaults in a shutdown function (which is a closure) that calls session_write_close which has a registered callback for write (which is also a closure).

I have APC enabled but I disabled it and got the same problem. The line of PHP causing the segfault is basically a $object->function() call. Otherwise no weird extensions installed.

Test script:
---------------
I haven't bothered isolating the bug to a small testcase. It's not a single call or small piece of data causing the segfault but rather a complex code context. The actual line is a call to a class instance function of a database abstraction object instance in a closure.. in a session callback.. in a shutdown function closure... in a shutdown function closure. Just replacing the instance with a foo bar class instance makes the bug go away. It also only happens in a production environment which is hard to interact with. Isolating it to a small testcase could take me hours, I hope you can figure it out by looking at the backtrace.

Expected result:
----------------
No segfault.

Actual result:
--------------
Backtrace from gdb:

Program received signal SIGSEGV, Segmentation fault.
ZEND_RECV_SPEC_HANDLER (execute_data=0x2af31f8d5250) at /root/php/php/php-5.3.5/Zend/zend_vm_execute.h:428
428             zval **param = zend_vm_stack_get_arg(arg_num TSRMLS_CC);
(gdb) backtrace
#0  ZEND_RECV_SPEC_HANDLER (execute_data=0x2af31f8d5250) at /root/php/php/php-5.3.5/Zend/zend_vm_execute.h:428
#1  0x00002af3234d2da0 in execute (op_array=0x10396ed0) at /root/php/php/php-5.3.5/Zend/zend_vm_execute.h:107
#2  0x00002af3234a1dff in zend_call_function (fci=0x7fff5cf09480, fci_cache=<value optimized out>) at /root/php/php/php-5.3.5/Zend/zend_execute_API.c:964
#3  0x00002af3234a21a0 in call_user_function_ex (function_table=<value optimized out>, object_pp=<value optimized out>, function_name=0xffffffff, retval_ptr_ptr=0x4,
    param_count=32, params=0x101010101010101, no_separation=1, symbol_table=0x0) at /root/php/php/php-5.3.5/Zend/zend_execute_API.c:754
#4  0x00002af3234a38b2 in call_user_function (function_table=0xfea9ac0, object_pp=0x0, function_name=0xffffffff, retval_ptr=0x7fff5cf09540, param_count=32,
    params=<value optimized out>) at /root/php/php/php-5.3.5/Zend/zend_execute_API.c:727
#5  0x00002af3233d98d7 in user_shutdown_function_call (shutdown_function_entry=0x10561610) at /root/php/php/php-5.3.5/ext/standard/basic_functions.c:4984
#6  0x00002af3234b9915 in zend_hash_apply (ht=0x102d8df0, apply_func=0x2af3233d9880 <user_shutdown_function_call>) at /root/php/php/php-5.3.5/Zend/zend_hash.c:676
#7  0x00002af3233d79b6 in php_call_shutdown_functions () at /root/php/php/php-5.3.5/ext/standard/basic_functions.c:5076
#8  0x00002af32345aefa in php_request_shutdown (dummy=<value optimized out>) at /root/php/php/php-5.3.5/main/main.c:1582
#9  0x00002af323536fe7 in php_apache_request_dtor (r=<value optimized out>) at /root/php/php/php-5.3.5/sapi/apache2handler/sapi_apache2.c:509
#10 php_handler (r=<value optimized out>) at /root/php/php/php-5.3.5/sapi/apache2handler/sapi_apache2.c:681
#11 0x0000000000443075 in ap_run_handler ()
#12 0x0000000000443966 in ap_invoke_handler ()
#13 0x000000000046661c in ap_internal_redirect ()
#14 0x00002af329166cd5 in ?? () from /usr/lib/apache2/modules/mod_rewrite.so
#15 0x0000000000443075 in ap_run_handler ()
#16 0x0000000000443966 in ap_invoke_handler ()
#17 0x0000000000465aeb in ap_process_request ()
#18 0x0000000000462a37 in ap_process_http_connection ()
#19 0x000000000044cdb6 in ap_run_process_connection ()
#20 0x000000000044d2a3 in ap_process_connection ()
#21 0x0000000000480348 in process_socket ()
#22 0x0000000000482241 in child_main ()
#23 0x00000000004831d4 in make_child ()
#24 0x0000000000483529 in create_new_childs ()
#25 0x000000000048358d in check_for_new_childs ()
#26 0x0000000000483fcd in ap_mpm_run ()
#27 0x00000000004297e9 in main ()
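The report describes the shape of the failing code (a closure registered as a shutdown function, calling session_write_close(), whose session write callback is another closure that invokes a method on a database object) but gives no script. The following is an added example, not the reporter's code and not a confirmed reproducer for this crash: it is the kind of self-contained skeleton the maintainers ask for, reducing that call path to a script with no database and no extensions. The FakeDb class and all callback names are hypothetical stand-ins.

```php
<?php
// Hypothetical skeleton of the code path described in the report, not the
// reporter's code: a shutdown closure calls session_write_close(), and the
// session write callback (itself a closure) calls a method on an object.
// Runs from the command line and needs no database or extra extension.

// Stand-in for the database abstraction object mentioned in the report.
class FakeDb
{
    public $rows = array();

    public function save($id, $data)
    {
        $this->rows[$id] = $data;
        return true;
    }
}

$db = new FakeDb();

// Custom save handler built from closures; all six callbacks are required.
$open    = function ($savePath, $sessionName) { return true; };
$close   = function () { return true; };
$read    = function ($id) use ($db) {
    return isset($db->rows[$id]) ? $db->rows[$id] : '';
};
$write   = function ($id, $data) use ($db) {
    // The report's crash site is a call like this one: a method call made
    // from the write callback while the engine is already shutting down.
    return $db->save($id, $data);
};
$destroy = function ($id) use ($db) { unset($db->rows[$id]); return true; };
$gc      = function ($maxlifetime) { return true; };

session_set_save_handler($open, $close, $read, $write, $destroy, $gc);
session_start();
$_SESSION['counter'] = isset($_SESSION['counter']) ? $_SESSION['counter'] + 1 : 1;

// Shutdown function that is itself a closure and forces the session write
// before the session module's own request shutdown would do it.
register_shutdown_function(function () use ($db) {
    session_write_close();
    // Shows that the write callback ran and stored the serialized session.
    echo "stored rows: " . count($db->rows) . "\n";
});
?>
```

Run it as `php script.php`. If a build crashes on this script, the gdb backtrace from it can be attached to the report directly; if it does not, the next step is to swap FakeDb::save for the real object's method one piece at a time until the crash returns, which narrows the trigger without needing the production environment.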


History
 [2011-07-10 13:31 UTC] felipe@php.net
-Status: Open +Status: Feedback
 [2011-07-10 13:31 UTC] felipe@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.


 [2013-02-18 00:34 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Open". Thank you.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Apr 25 12:01:31 2024 UTC