Bug #60990 Segfault when trying to allocate more memory
Submitted: 2012-02-06 13:15 UTC Modified: 2012-05-22 16:04 UTC
Votes:8
Avg. Score:5.0 ± 0.0
Reproduced:7 of 7 (100.0%)
Same Version:5 (71.4%)
Same OS:3 (42.9%)
From: flatline at hardwired dot hu Assigned:
Status: Open Package: Reproducible crash
PHP Version: 5.3.10 OS: Debian Squeeze x86_64
Private report: No CVE-ID: None

 [2012-02-06 13:15 UTC] flatline at hardwired dot hu
Description:
------------
Kernel: 2.6.32.50 with Grsecurity+PAX

PHP Version 5.3.10-1~dotdeb.1

Grsecurity/PAX installed

Additional .ini files parsed 	/etc/php5/fpm/conf.d/apc.ini, /etc/php5/fpm/conf.d/curl.ini, /etc/php5/fpm/conf.d/gd.ini, /etc/php5/fpm/conf.d/imagick.ini, /etc/php5/fpm/conf.d/mysql.ini, /etc/php5/fpm/conf.d/mysqli.ini, /etc/php5/fpm/conf.d/pdo.ini, /etc/php5/fpm/conf.d/pdo_mysql.ini, /etc/php5/fpm/conf.d/pdo_sqlite.ini, /etc/php5/fpm/conf.d/sqlite.ini, /etc/php5/fpm/conf.d/sqlite3.ini, /etc/php5/fpm/conf.d/suhosin.ini 



Test script:
---------------
-

Expected result:
----------------
-

Actual result:
--------------
gdb /usr/sbin/php5-fpm ./core-phpfpm
GNU gdb (GDB) 7.0.1-debian
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/sbin/php5-fpm...Reading symbols from /usr/lib/debug/usr/sbin/php5-fpm...done.
(no debugging symbols found)...done.
Reading symbols from /lib/libcrypt.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/libcrypt.so.1
Reading symbols from /usr/lib/libz.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libz.so.1
Reading symbols from /usr/lib/libonig.so.2...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libonig.so.2
Reading symbols from /usr/lib/libcrypto.so.0.9.8...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libcrypto.so.0.9.8
Reading symbols from /usr/lib/libssl.so.0.9.8...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libssl.so.0.9.8
Reading symbols from /usr/lib/libdb-4.8.so...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libdb-4.8.so
Reading symbols from /usr/lib/libqdbm.so.14...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libqdbm.so.14
Reading symbols from /lib/libbz2.so.1.0...(no debugging symbols found)...done.
Loaded symbols for /lib/libbz2.so.1.0
Reading symbols from /lib/librt.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/librt.so.1
Reading symbols from /lib/libm.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib/libm.so.6
Reading symbols from /lib/libdl.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/libdl.so.2
Reading symbols from /lib/libnsl.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/libnsl.so.1
Reading symbols from /usr/lib/libgssapi_krb5.so.2...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libgssapi_krb5.so.2
Reading symbols from /usr/lib/libkrb5.so.3...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libkrb5.so.3
Reading symbols from /usr/lib/libk5crypto.so.3...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libk5crypto.so.3
Reading symbols from /lib/libcom_err.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/libcom_err.so.2
Reading symbols from /usr/lib/libxml2.so.2...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libxml2.so.2
Reading symbols from /lib/libc.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/libresolv.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/libresolv.so.2
Reading symbols from /lib/libpthread.so.0...(no debugging symbols found)...done.
Loaded symbols for /lib/libpthread.so.0
Reading symbols from /lib64/ld-linux-x86-64.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
Reading symbols from /usr/lib/libkrb5support.so.0...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libkrb5support.so.0
Reading symbols from /lib/libkeyutils.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/libkeyutils.so.1
Reading symbols from /usr/lib/php5/20090626/apc.so...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/php5/20090626/apc.so
Reading symbols from /usr/lib/php5/20090626/curl.so...Reading symbols from /usr/lib/debug/usr/lib/php5/20090626/curl.so...done.
(no debugging symbols found)...done.
Loaded symbols for /usr/lib/php5/20090626/curl.so
Reading symbols from /usr/lib/libcurl.so.4...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libcurl.so.4
Reading symbols from /usr/lib/libidn.so.11...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libidn.so.11
Reading symbols from /usr/lib/libssh2.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libssh2.so.1
Reading symbols from /usr/lib/liblber-2.4.so.2...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/liblber-2.4.so.2
Reading symbols from /usr/lib/libldap_r-2.4.so.2...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libldap_r-2.4.so.2
Reading symbols from /usr/lib/libgcrypt.so.11...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libgcrypt.so.11
Reading symbols from /usr/lib/libsasl2.so.2...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libsasl2.so.2
Reading symbols from /usr/lib/libgnutls.so.26...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libgnutls.so.26
Reading symbols from /usr/lib/libgpg-error.so.0...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libgpg-error.so.0
Reading symbols from /usr/lib/libtasn1.so.3...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libtasn1.so.3
Reading symbols from /usr/lib/php5/20090626/gd.so...Reading symbols from /usr/lib/debug/usr/lib/php5/20090626/gd.so...done.
(no debugging symbols found)...done.
Loaded symbols for /usr/lib/php5/20090626/gd.so
Reading symbols from /usr/lib/libt1.so.5...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libt1.so.5
Reading symbols from /usr/lib/libfreetype.so.6...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libfreetype.so.6
Reading symbols from /usr/lib/libX11.so.6...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libX11.so.6
Reading symbols from /usr/lib/libXpm.so.4...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libXpm.so.4
Reading symbols from /lib/libpng12.so.0...(no debugging symbols found)...done.
Loaded symbols for /lib/libpng12.so.0
Reading symbols from /usr/lib/libjpeg.so.62...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libjpeg.so.62
Reading symbols from /usr/lib/libxcb.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libxcb.so.1
Reading symbols from /usr/lib/libXau.so.6...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libXau.so.6
Reading symbols from /usr/lib/libXdmcp.so.6...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libXdmcp.so.6
Reading symbols from /usr/lib/php5/20090626/imagick.so...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/php5/20090626/imagick.so
Reading symbols from /usr/lib/libMagickWand.so.3...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libMagickWand.so.3
Reading symbols from /usr/lib/libMagickCore.so.3...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libMagickCore.so.3
Reading symbols from /usr/lib/liblcms.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/liblcms.so.1
Reading symbols from /usr/lib/libtiff.so.4...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libtiff.so.4
Reading symbols from /usr/lib/liblqr-1.so.0...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/liblqr-1.so.0
Reading symbols from /lib/libglib-2.0.so.0...(no debugging symbols found)...done.
Loaded symbols for /lib/libglib-2.0.so.0
Reading symbols from /usr/lib/libfontconfig.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libfontconfig.so.1
Reading symbols from /usr/lib/libXext.so.6...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libXext.so.6
Reading symbols from /usr/lib/libSM.so.6...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libSM.so.6
Reading symbols from /usr/lib/libICE.so.6...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libICE.so.6
Reading symbols from /usr/lib/libXt.so.6...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libXt.so.6
Reading symbols from /usr/lib/libgomp.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libgomp.so.1
Reading symbols from /usr/lib/libltdl.so.7...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libltdl.so.7
Reading symbols from /lib/libpcre.so.3...(no debugging symbols found)...done.
Loaded symbols for /lib/libpcre.so.3
Reading symbols from /usr/lib/libexpat.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libexpat.so.1
Reading symbols from /lib/libuuid.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/libuuid.so.1
Reading symbols from /usr/lib/php5/20090626/mysql.so...Reading symbols from /usr/lib/debug/usr/lib/php5/20090626/mysql.so...done.
(no debugging symbols found)...done.
Loaded symbols for /usr/lib/php5/20090626/mysql.so
Reading symbols from /usr/lib/php5/20090626/mysqli.so...Reading symbols from /usr/lib/debug/usr/lib/php5/20090626/mysqli.so...done.
(no debugging symbols found)...done.
Loaded symbols for /usr/lib/php5/20090626/mysqli.so
Reading symbols from /usr/lib/php5/20090626/pdo.so...Reading symbols from /usr/lib/debug/usr/lib/php5/20090626/pdo.so...done.
(no debugging symbols found)...done.
Loaded symbols for /usr/lib/php5/20090626/pdo.so
Reading symbols from /usr/lib/php5/20090626/pdo_mysql.so...Reading symbols from /usr/lib/debug/usr/lib/php5/20090626/pdo_mysql.so...done.
(no debugging symbols found)...done.
Loaded symbols for /usr/lib/php5/20090626/pdo_mysql.so
Reading symbols from /usr/lib/php5/20090626/pdo_sqlite.so...Reading symbols from /usr/lib/debug/usr/lib/php5/20090626/pdo_sqlite.so...done.
(no debugging symbols found)...done.
Loaded symbols for /usr/lib/php5/20090626/pdo_sqlite.so
Reading symbols from /usr/lib/libsqlite3.so.0...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libsqlite3.so.0
Reading symbols from /usr/lib/php5/20090626/sqlite.so...Reading symbols from /usr/lib/debug/usr/lib/php5/20090626/sqlite.so...done.
(no debugging symbols found)...done.
Loaded symbols for /usr/lib/php5/20090626/sqlite.so
Reading symbols from /usr/lib/libsqlite.so.0...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libsqlite.so.0
Reading symbols from /usr/lib/php5/20090626/sqlite3.so...Reading symbols from /usr/lib/debug/usr/lib/php5/20090626/sqlite3.so...done.
(no debugging symbols found)...done.
Loaded symbols for /usr/lib/php5/20090626/sqlite3.so
Reading symbols from /usr/lib/php5/20090626/suhosin.so...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/php5/20090626/suhosin.so
Reading symbols from /lib/libnss_files.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/libnss_files.so.2
Reading symbols from /lib/libnss_compat.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/libnss_compat.so.2
Reading symbols from /lib/libnss_nis.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/libnss_nis.so.2
Reading symbols from /usr/lib/gconv/ISO8859-2.so...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/gconv/ISO8859-2.so
Core was generated by `php-fpm: pool xxxxx                                       '.
Program terminated with signal 11, Segmentation fault.
#0  zend_mm_remove_from_free_list (heap=0xe40ab0, mm_block=0x1c85988) at /usr/src/php5/source/php5-5.3.10/Zend/zend_alloc_canary.c:880
880     /usr/src/php5/source/php5-5.3.10/Zend/zend_alloc_canary.c: No such file or directory.
        in /usr/src/php5/source/php5-5.3.10/Zend/zend_alloc_canary.c

(gdb) bt
#0  zend_mm_remove_from_free_list (heap=0xe40ab0, mm_block=0x1c85988) at /usr/src/php5/source/php5-5.3.10/Zend/zend_alloc_canary.c:880
#1  0x00000000006e4738 in _zend_mm_free_canary_int (heap=0xe40ab0, p=0x1c85960) at /usr/src/php5/source/php5-5.3.10/Zend/zend_alloc_canary.c:2133
#2  0x00000000006d0712 in zend_hash_apply_deleter (ht=0xe31168, p=0x1126638) at /usr/src/php5/source/php5-5.3.10/Zend/zend_hash.c:814
#3  0x00000000006d0998 in zend_hash_graceful_reverse_destroy (ht=0xe31168) at /usr/src/php5/source/php5-5.3.10/Zend/zend_hash.c:850
#4  0x00000000006b7b0e in shutdown_executor () at /usr/src/php5/source/php5-5.3.10/Zend/zend_execute_API.c:256
#5  0x00000000006c4762 in zend_deactivate () at /usr/src/php5/source/php5-5.3.10/Zend/zend.c:963
#6  0x000000000066f3e5 in php_request_shutdown (dummy=0xe40ab0) at /usr/src/php5/source/php5-5.3.10/main/main.c:1664
#7  0x0000000000758ca0 in main (argc=18462176, argv=0x119c2f0) at /usr/src/php5/source/php5-5.3.10/sapi/fpm/fpm/fpm_main.c:1886


(gdb) x/8i $pc
0x6e4178 <zend_mm_remove_from_free_list+104>:   cmp    (%rax),%rdx
0x6e417b <zend_mm_remove_from_free_list+107>:   jne    0x6e4333 <zend_mm_remove_from_free_list+547>
0x6e4181 <zend_mm_remove_from_free_list+113>:   mov    %ecx,%ecx
0x6e4183 <zend_mm_remove_from_free_list+115>:   movq   $0x0,(%rax)
0x6e418a <zend_mm_remove_from_free_list+122>:   lea    0x698(%rdi,%rcx,8),%rax
0x6e4192 <zend_mm_remove_from_free_list+130>:   cmp    %rax,0x38(%rdx)
0x6e4196 <zend_mm_remove_from_free_list+134>:   je     0x6e41a0 <zend_mm_remove_from_free_list+144>
0x6e4198 <zend_mm_remove_from_free_list+136>:   add    $0x8,%rsp


(gdb) x/8x $sp
0x3be1991dad0:  0x01c85960      0x00000000      0x006e4738      0x00000000
0x3be1991dae0:  0x00e31168      0x00000000      0x01126638      0x00000000


(gdb) info reg
rax            0x0      0
rbx            0xe40ab0 14944944
rcx            0x9      9
rdx            0x1c85988        29907336
rsi            0x1c85988        29907336
rdi            0xe40ab0 14944944
rbp            0x1c85960        0x1c85960
rsp            0x3be1991dad0    0x3be1991dad0
r8             0x1c85988        29907336
r9             0x10cf050        17625168
r10            0x33eae48be90    3567746858640
r11            0x33eae1ac5ae    3567743845806
r12            0x1c85938        29907256
r13            0x1c85988        29907336
r14            0x50     80
r15            0x104a140        17080640
rip            0x6e4178 0x6e4178 <zend_mm_remove_from_free_list+104>
eflags         0x10206  [ PF IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
fctrl          0x27f    639
fstat          0x0      0
ftag           0xffff   65535
fiseg          0x0      0
fioff          0x6c2150 7086416
foseg          0x3be    958
fooff          0x1991b460       428979296
fop            0x0      0
mxcsr          0x1fa0   [ PE IM DM ZM OM UM PM ]



 [2012-02-06 14:49 UTC] stefan at nopiracy dot de
Because you are running Suhosin you will most probably get no help here.

Anyway to increase your chances try the following:

restart PHP with the environment variable
SUHOSIN_MM_USE_CANARY_PROTECTION=0

If you do this then PHP will no longer use the memory allocator with canaries, 
but use the normal one which is nearly identical to the vanilla one.

Check if that gives you a similar backtrace.

The code is obviously crashing while shutting down the system.
There is a NULL pointer dereference.

And the code triggering this is:
zend_hash_graceful_reverse_destroy(&EG(symbol_table));

This means something is corrupt in the symbol_table.

Do you have NO PHP code running on the system? Or does it crash always? Or...?
 [2012-02-06 18:05 UTC] flatline at hardwired dot hu
When I remove the suhosin.so extension it still segfaults. I don't know what you mean under "Do you have NO PHP code running on the system?". It's a quite complex script, but I can reproduce the problem each and every time. If I'm not mistaken when Zend tries to allocate some more memory and it bumps into the memory_limit parameter, it blindly uses the resulting (NULL) pointer, so that causes this segfault.


Here is the new backtrace, without suhosin.so loaded, with the env parameter you suggested:

gdb /usr/sbin/php5-fpm ./core-fpm
GNU gdb (GDB) 7.0.1-debian
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/sbin/php5-fpm...Reading symbols from /usr/lib/debug/usr/sbin/php5-fpm...done.
(no debugging symbols found)...done.

warning: Can't read pathname for load map: Input/output error.
Reading symbols from /lib/libcrypt.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/libcrypt.so.1
Reading symbols from /usr/lib/libz.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libz.so.1
Reading symbols from /usr/lib/libonig.so.2...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libonig.so.2
Reading symbols from /usr/lib/libcrypto.so.0.9.8...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libcrypto.so.0.9.8
Reading symbols from /usr/lib/libssl.so.0.9.8...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libssl.so.0.9.8
Reading symbols from /usr/lib/libdb-4.8.so...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libdb-4.8.so
Reading symbols from /usr/lib/libqdbm.so.14...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libqdbm.so.14
Reading symbols from /lib/libbz2.so.1.0...(no debugging symbols found)...done.
Loaded symbols for /lib/libbz2.so.1.0
Reading symbols from /lib/librt.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/librt.so.1
Reading symbols from /lib/libm.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib/libm.so.6
Reading symbols from /lib/libdl.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/libdl.so.2
Reading symbols from /lib/libnsl.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/libnsl.so.1
Reading symbols from /usr/lib/libgssapi_krb5.so.2...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libgssapi_krb5.so.2
Reading symbols from /usr/lib/libkrb5.so.3...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libkrb5.so.3
Reading symbols from /usr/lib/libk5crypto.so.3...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libk5crypto.so.3
Reading symbols from /lib/libcom_err.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/libcom_err.so.2
Reading symbols from /usr/lib/libxml2.so.2...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libxml2.so.2
Reading symbols from /lib/libc.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/libresolv.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/libresolv.so.2
Reading symbols from /lib/libpthread.so.0...(no debugging symbols found)...done.
Loaded symbols for /lib/libpthread.so.0
Reading symbols from /lib64/ld-linux-x86-64.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
Reading symbols from /usr/lib/libkrb5support.so.0...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libkrb5support.so.0
Reading symbols from /lib/libkeyutils.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/libkeyutils.so.1
Reading symbols from /usr/lib/php5/20090626/apc.so...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/php5/20090626/apc.so
Reading symbols from /usr/lib/php5/20090626/curl.so...Reading symbols from /usr/lib/debug/usr/lib/php5/20090626/curl.so...done.
(no debugging symbols found)...done.
Loaded symbols for /usr/lib/php5/20090626/curl.so
Reading symbols from /usr/lib/libcurl.so.4...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libcurl.so.4
Reading symbols from /usr/lib/libidn.so.11...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libidn.so.11
Reading symbols from /usr/lib/libssh2.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libssh2.so.1
Reading symbols from /usr/lib/liblber-2.4.so.2...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/liblber-2.4.so.2
Reading symbols from /usr/lib/libldap_r-2.4.so.2...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libldap_r-2.4.so.2
Reading symbols from /usr/lib/libgcrypt.so.11...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libgcrypt.so.11
Reading symbols from /usr/lib/libsasl2.so.2...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libsasl2.so.2
Reading symbols from /usr/lib/libgnutls.so.26...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libgnutls.so.26
Reading symbols from /usr/lib/libgpg-error.so.0...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libgpg-error.so.0
Reading symbols from /usr/lib/libtasn1.so.3...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libtasn1.so.3
Reading symbols from /usr/lib/php5/20090626/gd.so...Reading symbols from /usr/lib/debug/usr/lib/php5/20090626/gd.so...done.
(no debugging symbols found)...done.
Loaded symbols for /usr/lib/php5/20090626/gd.so
Reading symbols from /usr/lib/libt1.so.5...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libt1.so.5
Reading symbols from /usr/lib/libfreetype.so.6...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libfreetype.so.6
Reading symbols from /usr/lib/libX11.so.6...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libX11.so.6
Reading symbols from /usr/lib/libXpm.so.4...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libXpm.so.4
Reading symbols from /lib/libpng12.so.0...(no debugging symbols found)...done.
Loaded symbols for /lib/libpng12.so.0
Reading symbols from /usr/lib/libjpeg.so.62...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libjpeg.so.62
Reading symbols from /usr/lib/libxcb.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libxcb.so.1
Reading symbols from /usr/lib/libXau.so.6...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libXau.so.6
Reading symbols from /usr/lib/libXdmcp.so.6...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libXdmcp.so.6
Reading symbols from /usr/lib/php5/20090626/imagick.so...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/php5/20090626/imagick.so
Reading symbols from /usr/lib/libMagickWand.so.3...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libMagickWand.so.3
Reading symbols from /usr/lib/libMagickCore.so.3...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libMagickCore.so.3
Reading symbols from /usr/lib/liblcms.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/liblcms.so.1
Reading symbols from /usr/lib/libtiff.so.4...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libtiff.so.4
Reading symbols from /usr/lib/liblqr-1.so.0...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/liblqr-1.so.0
Reading symbols from /lib/libglib-2.0.so.0...(no debugging symbols found)...done.
Loaded symbols for /lib/libglib-2.0.so.0
Reading symbols from /usr/lib/libfontconfig.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libfontconfig.so.1
Reading symbols from /usr/lib/libXext.so.6...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libXext.so.6
Reading symbols from /usr/lib/libSM.so.6...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libSM.so.6
Reading symbols from /usr/lib/libICE.so.6...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libICE.so.6
Reading symbols from /usr/lib/libXt.so.6...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libXt.so.6
Reading symbols from /usr/lib/libgomp.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libgomp.so.1
Reading symbols from /usr/lib/libltdl.so.7...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libltdl.so.7
Reading symbols from /lib/libpcre.so.3...(no debugging symbols found)...done.
Loaded symbols for /lib/libpcre.so.3
Reading symbols from /usr/lib/libexpat.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libexpat.so.1
Reading symbols from /lib/libuuid.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/libuuid.so.1
Reading symbols from /usr/lib/php5/20090626/mysql.so...Reading symbols from /usr/lib/debug/usr/lib/php5/20090626/mysql.so...done.
(no debugging symbols found)...done.
Loaded symbols for /usr/lib/php5/20090626/mysql.so
Reading symbols from /usr/lib/php5/20090626/mysqli.so...Reading symbols from /usr/lib/debug/usr/lib/php5/20090626/mysqli.so...done.
(no debugging symbols found)...done.
Loaded symbols for /usr/lib/php5/20090626/mysqli.so
Reading symbols from /usr/lib/php5/20090626/pdo.so...Reading symbols from /usr/lib/debug/usr/lib/php5/20090626/pdo.so...done.
(no debugging symbols found)...done.
Loaded symbols for /usr/lib/php5/20090626/pdo.so
Reading symbols from /usr/lib/php5/20090626/pdo_mysql.so...Reading symbols from /usr/lib/debug/usr/lib/php5/20090626/pdo_mysql.so...done.
(no debugging symbols found)...done.
Loaded symbols for /usr/lib/php5/20090626/pdo_mysql.so
Reading symbols from /usr/lib/php5/20090626/pdo_sqlite.so...Reading symbols from /usr/lib/debug/usr/lib/php5/20090626/pdo_sqlite.so...done.
(no debugging symbols found)...done.
Loaded symbols for /usr/lib/php5/20090626/pdo_sqlite.so
Reading symbols from /usr/lib/libsqlite3.so.0...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libsqlite3.so.0
Reading symbols from /usr/lib/php5/20090626/sqlite.so...Reading symbols from /usr/lib/debug/usr/lib/php5/20090626/sqlite.so...done.
(no debugging symbols found)...done.
Loaded symbols for /usr/lib/php5/20090626/sqlite.so
Reading symbols from /usr/lib/libsqlite.so.0...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libsqlite.so.0
Reading symbols from /usr/lib/php5/20090626/sqlite3.so...Reading symbols from /usr/lib/debug/usr/lib/php5/20090626/sqlite3.so...done.
(no debugging symbols found)...done.
Loaded symbols for /usr/lib/php5/20090626/sqlite3.so
Reading symbols from /usr/lib/php5/20090626/suhosin.so...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/php5/20090626/suhosin.so
Reading symbols from /lib/libnss_files.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/libnss_files.so.2
Reading symbols from /lib/libnss_compat.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/libnss_compat.so.2
Reading symbols from /lib/libnss_nis.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/libnss_nis.so.2
Core was generated by `php-fpm: pool xxxxx                                       '.
Program terminated with signal 11, Segmentation fault.
#0  _zval_ptr_dtor (zval_ptr=0xa1) at /usr/src/php5/source/php5-5.3.10/Zend/zend_execute_API.c:436
436     /usr/src/php5/source/php5-5.3.10/Zend/zend_execute_API.c: No such file or directory.
        in /usr/src/php5/source/php5-5.3.10/Zend/zend_execute_API.c

(gdb) x/8i $pc
0x6b74c1 <_zval_ptr_dtor+1>:    mov    (%rdi),%rbx
0x6b74c4 <_zval_ptr_dtor+4>:    mov    0x10(%rbx),%eax
0x6b74c7 <_zval_ptr_dtor+7>:    sub    $0x1,%eax
0x6b74ca <_zval_ptr_dtor+10>:   test   %eax,%eax
0x6b74cc <_zval_ptr_dtor+12>:   mov    %eax,0x10(%rbx)
0x6b74cf <_zval_ptr_dtor+15>:   jne    0x6b7508 <_zval_ptr_dtor+72>
0x6b74d1 <_zval_ptr_dtor+17>:   mov    0x750ea8(%rip),%rax        # 0xe08380 <_GLOBAL_OFFSET_TABLE_+8512>
0x6b74d8 <_zval_ptr_dtor+24>:   add    $0x8,%rax


(gdb) x/8x $sp
0x3c20910fbf0:  0x01221730      0x00000000      0x006d0a78      0x00000000
0x3c20910fc00:  0x01bb0d90      0x00000000      0x0115ee48      0x00000000


(gdb) info reg
rax            0x6b74c0 7042240
rbx            0x1221730        19011376
rcx            0x3654f0c3590    3733652780432
rdx            0x6c34f0 7091440
rsi            0x3654f0c6cb0    3733652794544
rdi            0xa1     161
rbp            0x1bb0de0        0x1bb0de0
rsp            0x3c20910fbf0    0x3c20910fbf0
r8             0x223e440faf29a69f       2467484479999551135
r9             0x11676b8        18249400
r10            0x3654c5a4e90    3733607566992
r11            0x3654c64fb20    3733608266528
r12            0x6c70ac1e0aa0fa2d       7813934598515128877
r13            0x10ca4c0        17605824
r14            0x10ca4c0        17605824
r15            0xe41a60 14948960
rip            0x6b74c1 0x6b74c1 <_zval_ptr_dtor+1>
eflags         0x10206  [ PF IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
fctrl          0x27f    639
fstat          0x0      0
ftag           0xffff   65535
fiseg          0x0      0
fioff          0x6c2150 7086416
foseg          0x3c2    962
fooff          0x910d590        152098192
fop            0x0      0
mxcsr          0x1fa0   [ PE IM DM ZM OM UM PM ]
 [2012-02-07 07:42 UTC] stas@php.net
Full backtrace (or even better, a run under valgrind if it's reproducible) would be helpful.
I'd also recommend trying without suhosin.so just to ensure the problem is not there (second trace still shows it loading).
From the trace it looks like the fault is in _zval_ptr_dtor, which doesn't look like a segfault resulting from the allocator returning null - the argument is not null and _zval_ptr_dtor is not usually called right after the allocator. Does it also crash if you set the environment variable USE_ZEND_MM to 0 (that turns off Zend MM)?
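
Added example, not part of the original thread and not PHP project code: a Python helper that takes the first `x/8i $pc` line and the `info reg` dump from a core and computes the address the faulting instruction touched, run here on excerpts copied from the two dumps above. The function names and the 4 KiB "near-NULL" threshold are assumptions of this example.

```python
import re

# AT&T memory operand: disp(base,index,scale); every part is optional.
MEM_OPERAND = re.compile(
    r"(?P<disp>-?(?:0x[0-9a-fA-F]+|\d+))?"
    r"\((?P<base>%\w+)?(?:,(?P<index>%\w+)(?:,(?P<scale>[1248]))?)?\)"
)
REG_LINE = re.compile(r"^(\w+)\s+(0x[0-9a-fA-F]+)\b")
INSN_LINE = re.compile(r"^(?:=>\s*)?(0x[0-9a-fA-F]+)\s+<[^>]+>:\s+(.*)$")
MASK64 = 0xFFFFFFFFFFFFFFFF
NEAR_NULL_LIMIT = 0x1000  # assumption: first 4 KiB page is never mapped


def parse_registers(dump):
    """Turn gdb 'info reg' output into {name: value}."""
    regs = {}
    for line in dump.splitlines():
        m = REG_LINE.match(line.strip())
        if m:
            regs[m.group(1)] = int(m.group(2), 16)
    return regs


def parse_first_insn(dump):
    """Return (address, instruction text) of the first 'x/i' line."""
    for line in dump.splitlines():
        m = INSN_LINE.match(line.strip())
        if m:
            return int(m.group(1), 16), m.group(2).strip()
    raise ValueError("no instruction line found")


def effective_address(insn, regs):
    """Address read or written by insn, or None if it touches no memory."""
    insn = insn.split("#", 1)[0]           # drop gdb's trailing comment
    if insn.split()[0].startswith("lea"):  # lea only computes an address
        return None
    m = MEM_OPERAND.search(insn)
    if not m or m.group("base") == "%rip":  # rip-relative needs insn length
        return None
    addr = int(m.group("disp"), 0) if m.group("disp") else 0
    for part, scale in (("base", 1), ("index", int(m.group("scale") or 1))):
        reg = m.group(part)
        if reg:
            name = reg.lstrip("%")
            if name not in regs:
                raise ValueError("register %s missing from dump" % name)
            addr += regs[name] * scale
    return addr & MASK64


def classify(addr):
    if addr is None:
        return "no-memory-operand"
    if addr == 0:
        return "null"
    return "near-null" if addr < NEAR_NULL_LIMIT else "other"


def triage(insn_dump, reg_dump):
    """Combine both dumps; refuse dumps that come from different stops."""
    regs = parse_registers(reg_dump)
    pc, insn = parse_first_insn(insn_dump)
    if regs.get("rip") != pc:
        raise ValueError("rip does not match the disassembled address")
    addr = effective_address(insn, regs)
    return {"pc": pc, "insn": insn, "fault_addr": addr, "kind": classify(addr)}


# Excerpts copied from the first dump in the report (canary allocator).
FIRST_INSN = "0x6e4178 <zend_mm_remove_from_free_list+104>:   cmp    (%rax),%rdx"
FIRST_REGS = """\
rax            0x0      0
rdx            0x1c85988        29907336
rip            0x6e4178 0x6e4178 <zend_mm_remove_from_free_list+104>
"""

# Excerpts copied from the second dump (SUHOSIN_MM_USE_CANARY_PROTECTION=0).
SECOND_INSN = "0x6b74c1 <_zval_ptr_dtor+1>:    mov    (%rdi),%rbx"
SECOND_REGS = """\
rbx            0x1221730        19011376
rdi            0xa1     161
rip            0x6b74c1 0x6b74c1 <_zval_ptr_dtor+1>
"""

if __name__ == "__main__":
    for insn, regs in ((FIRST_INSN, FIRST_REGS), (SECOND_INSN, SECOND_REGS)):
        r = triage(insn, regs)
        addr = "n/a" if r["fault_addr"] is None else hex(r["fault_addr"])
        print("%#x  %-24s -> %s (%s)" % (r["pc"], r["insn"], addr, r["kind"]))
```
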
 [2012-02-07 10:03 UTC] sesser@php.net
"I don't know what you mean under "Do you have NO PHP code running on the 
system?"

I just wanted to know how this crash happens:

a) one specific PHP file
b) nearly all files
c) by just requesting any file

(in case of C the most obvious reason would be some extension being compiled in 
a different way than PHP itself - Debian e.g. for a long time compiled their PHP 
with LFS support, but forgot to set this flag in PHP-DEV so all compiled 
extensions had different struct sizes for some structs. And this caused crashes 
e.g. in Suhosin.so)
 [2012-02-07 10:50 UTC] flatline at hardwired dot hu
Sesser: Several sites run with different pools under php5-fpm. Lots of different codebases; it only occurs with one of the hosted pages, with one specific file, when the result set is larger than the allowed php memory_limit. It starts with a big search query, does lots of manipulation on the result set, and when it gets back to the main file, it segfaults.

Mainfile.php -> includes Searchfile.php -> data manipulation, hits memory limit -> gets back to Mainfile.php and it immediately segfaults.

The script runs well 99,9% of the time, but when it bumps into the memory_limit, the segfault occurs.

I'll get the full backtrace. I'm not sure about valgrind, but if you tell me the details, I can get that too.
 [2012-02-07 10:58 UTC] flatline at hardwired dot hu
Full backtrace with suhosin.so:

(gdb) thread apply all bt full

Thread 1 (Thread 18218):
#0  zend_mm_remove_from_free_list (heap=0xe40ab0, mm_block=0x1c85988) at /usr/src/php5/source/php5-5.3.10/Zend/zend_alloc_canary.c:880
        index = 9
        rp = 0x9
        cp = 0x1c85988
        prev = 0x0
        next = 0x0
#1  0x00000000006e4738 in _zend_mm_free_canary_int (heap=0xe40ab0, p=0x1c85960) at /usr/src/php5/source/php5-5.3.10/Zend/zend_alloc_canary.c:2133
        mm_block = 0x1c85938
        next_block = 0x1c85988
        size = 80
#2  0x00000000006d0712 in zend_hash_apply_deleter (ht=0xe31168, p=0x1126638) at /usr/src/php5/source/php5-5.3.10/Zend/zend_hash.c:814
        retval = 0x119b5e0
#3  0x00000000006d0998 in zend_hash_graceful_reverse_destroy (ht=0xe31168) at /usr/src/php5/source/php5-5.3.10/Zend/zend_hash.c:850
        p = 0x1c85988
#4  0x00000000006b7b0e in shutdown_executor () at /usr/src/php5/source/php5-5.3.10/Zend/zend_execute_API.c:256
        __orig_bailout = <incomplete type>
        __bailout = {{__jmpbuf = {14880736, 0, 1622845780, 3043182966, 18462176, 0, 18465520, 0}, __mask_was_saved = 0, __saved_mask = {__val = {2924002880, 830,
                14944944, 0, 7227061, 0, 17601944, 0, 18074376, 0, 14944944, 0, 7227061, 0, 14944944, 0}}}}
        __bailout = {{__jmpbuf = {14880736, 0, 1622845780, 3043182966, 18462176, 0, 18465520, 0}, __mask_was_saved = 0, __saved_mask = {__val = {2924002880, 830,
                14944944, 0, 7227061, 0, 17601944, 0, 18074376, 0, 14944944, 0, 7227061, 0, 14944944, 0}}}}
        __bailout = {{__jmpbuf = {14880736, 0, 1622845780, 3043182966, 18462176, 0, 18465520, 0}, __mask_was_saved = 0, __saved_mask = {__val = {2924002880, 830,
                14944944, 0, 7227061, 0, 17601944, 0, 18074376, 0, 14944944, 0, 7227061, 0, 14944944, 0}}}}
        __bailout = {{__jmpbuf = {14880736, 0, 1622845780, 3043182966, 18462176, 0, 18465520, 0}, __mask_was_saved = 0, __saved_mask = {__val = {2924002880, 830,
                14944944, 0, 7227061, 0, 17601944, 0, 18074376, 0, 14944944, 0, 7227061, 0, 14944944, 0}}}}
        __bailout = {{__jmpbuf = {14880736, 0, 1622845780, 3043182966, 18462176, 0, 18465520, 0}, __mask_was_saved = 0, __saved_mask = {__val = {2924002880, 830,
                14944944, 0, 7227061, 0, 17601944, 0, 18074376, 0, 14944944, 0, 7227061, 0, 14944944, 0}}}}
        __bailout = {{__jmpbuf = {14880736, 0, 1622845780, 3043182966, 18462176, 0, 18465520, 0}, __mask_was_saved = 0, __saved_mask = {__val = {2924002880, 830,
                14944944, 0, 7227061, 0, 17601944, 0, 18074376, 0, 14944944, 0, 7227061, 0, 14944944, 0}}}}
        __bailout = {{__jmpbuf = {14880736, 0, 1622845780, 3043182966, 18462176, 0, 18465520, 0}, __mask_was_saved = 0, __saved_mask = {__val = {2924002880, 830,
                14944944, 0, 7227061, 0, 17601944, 0, 18074376, 0, 14944944, 0, 7227061, 0, 14944944, 0}}}}
        __bailout = {{__jmpbuf = {14880736, 0, 1622845780, 3043182966, 18462176, 0, 18465520, 0}, __mask_was_saved = 0, __saved_mask = {__val = {2924002880, 830,
                14944944, 0, 7227061, 0, 17601944, 0, 18074376, 0, 14944944, 0, 7227061, 0, 14944944, 0}}}}
        __bailout = {{__jmpbuf = {14880736, 0, 1622845780, 3043182966, 18462176, 0, 18465520, 0}, __mask_was_saved = 0, __saved_mask = {__val = {2924002880, 830,
                14944944, 0, 7227061, 0, 17601944, 0, 18074376, 0, 14944944, 0, 7227061, 0, 14944944, 0}}}}
        __orig_bailout = <incomplete type>
        __bailout = {{__jmpbuf = {14880736, 0, 1622845780, 3043182966, 18462176, 0, 18465520, 0}, __mask_was_saved = 0, __saved_mask = {__val = {2924002880, 830,
                14944944, 0, 7227061, 0, 17601944, 0, 18074376, 0, 14944944, 0, 7227061, 0, 14944944, 0}}}}
        __bailout = {{__jmpbuf = {14880736, 0, 1622845780, 3043182966, 18462176, 0, 18465520, 0}, __mask_was_saved = 0, __saved_mask = {__val = {2924002880, 830,
                14944944, 0, 7227061, 0, 17601944, 0, 18074376, 0, 14944944, 0, 7227061, 0, 14944944, 0}}}}
        __bailout = {{__jmpbuf = {14880736, 0, 1622845780, 3043182966, 18462176, 0, 18465520, 0}, __mask_was_saved = 0, __saved_mask = {__val = {2924002880, 830,
                14944944, 0, 7227061, 0, 17601944, 0, 18074376, 0, 14944944, 0, 7227061, 0, 14944944, 0}}}}
---Type <return> to continue, or q <return> to quit---
#5  0x00000000006c4762 in zend_deactivate () at /usr/src/php5/source/php5-5.3.10/Zend/zend.c:963
        __orig_bailout = 0x0
        __bailout = {{__jmpbuf = {428990512, 958, 14878784, 0, 1622845780, 3043182966, 18462176, 0}, __mask_was_saved = -40982188, __saved_mask = {__val = {
                0 <repeats 12 times>, 18541400, 0, 0, 145}}}}
        __orig_bailout = 0x0
        __bailout = {{__jmpbuf = {428990512, 958, 14878784, 0, 1622845780, 3043182966, 18462176, 0}, __mask_was_saved = -40982188, __saved_mask = {__val = {
                0 <repeats 12 times>, 18541400, 0, 0, 145}}}}
        __orig_bailout = 0x6c46dd
        __bailout = {{__jmpbuf = {428990512, 958, 14878784, 0, 1622845780, 3043182966, 18462176, 0}, __mask_was_saved = -40982188, __saved_mask = {__val = {
                0 <repeats 12 times>, 18541400, 0, 0, 145}}}}
        __orig_bailout = 0x6c46dd
        __bailout = {{__jmpbuf = {428990512, 958, 14878784, 0, 1622845780, 3043182966, 18462176, 0}, __mask_was_saved = -40982188, __saved_mask = {__val = {
                0 <repeats 12 times>, 18541400, 0, 0, 145}}}}
        __orig_bailout = 0x119c2f0
        __bailout = {{__jmpbuf = {428990512, 958, 14878784, 0, 1622845780, 3043182966, 18462176, 0}, __mask_was_saved = -40982188, __saved_mask = {__val = {
                0 <repeats 12 times>, 18541400, 0, 0, 145}}}}
        __orig_bailout = 0x6c46dd
        __bailout = {{__jmpbuf = {428990512, 958, 14878784, 0, 1622845780, 3043182966, 18462176, 0}, __mask_was_saved = -40982188, __saved_mask = {__val = {
                0 <repeats 12 times>, 18541400, 0, 0, 145}}}}
        __orig_bailout = 0x0
        __bailout = {{__jmpbuf = {428990512, 958, 14878784, 0, 1622845780, 3043182966, 18462176, 0}, __mask_was_saved = -40982188, __saved_mask = {__val = {
                0 <repeats 12 times>, 18541400, 0, 0, 145}}}}
#6  0x000000000066f3e5 in php_request_shutdown (dummy=0xe40ab0) at /usr/src/php5/source/php5-5.3.10/main/main.c:1664
        report_memleaks = 0 '\000'
#7  0x0000000000758ca0 in main (argc=18462176, argv=0x119c2f0) at /usr/src/php5/source/php5-5.3.10/sapi/fpm/fpm/fpm_main.c:1886
        primary_script = 0x1000000 "ÖÓe\237i\177ôh\023"
        __bailout = {{__jmpbuf = {0, 0, 11849916, 0, 1996138836, 2988407700, 3, 0}, __mask_was_saved = 2106370388, __saved_mask = {__val = {0, 0, 0, 0, 0, 0,
                2967729693, 830, 0, 0, 2913949384, 830, 0, 0, 2967701282, 830}}}}
        exit_status = 0
        c = 29907336
        file_handle = {type = ZEND_HANDLE_FILENAME, filename = 0x2 <Address 0x2 out of bounds>,
          opened_path = 0x119b500 "ż\235K\212w\216lÜ/xxxxx.hu/html/kat-origi.phtml", handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, isatty = 18169248, mmap = {
                len = 0, pos = 0, map = 0x0, buf = 0x0, old_handle = 0x0, old_closer = 0}, reader = 0, fsizer = 0, closer = 0}}, free_filename = 0 '\000'}
        orig_optind = 0
        orig_optarg = 0x0
        max_requests = 0
        requests = 18583184
        fcgi_fd = 0
        request = {listen_socket = 1, fd = 0, id = 0, keep = 3, closed = 1, in_len = 0, in_pad = 0, out_hdr = 0x0, out_pos = 0x3be1991e1c0 "\001\006",
          out_buf = "Fă\221\031ž\003\000\000\001\006\000\001\000\006\002\000Expires: Thu, 19 Nov 1981 08:52:00 GMT\r\nCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0\r\nPragma: no-cache\r\nSet-Cookie: sess_odi_sid=rlkoioa5p89rt75mbou02m"..., reserved = "erticum.\000\000\000\000\000\000\000", env = 0x0}
        fpm_config = 0x0
        fpm_prefix = 0x0
---Type <return> to continue, or q <return> to quit---
        fpm_pid = 0x3be19920522 ""
        test_conf = 0
        php_information = 0
        __func__ = "main"
 [2012-02-07 10:59 UTC] flatline at hardwired dot hu
Full backtrace without suhosin.so:

(gdb) thread apply all bt full

Thread 1 (Thread 13418):
#0  _zval_ptr_dtor (zval_ptr=0xa1) at /usr/src/php5/source/php5-5.3.10/Zend/zend_execute_API.c:436
        zv = 0x1221730
#1  0x00000000006d0a78 in zend_hash_destroy (ht=0x1bb0de0) at /usr/src/php5/source/php5-5.3.10/Zend/zend_hash.c:729
        p = 0x1221730
#2  0x00000000006c350f in _zval_dtor_func (zvalue=0x1bb0d90) at /usr/src/php5/source/php5-5.3.10/Zend/zend_variables.c:46
No locals.
#3  0x00000000006b74f9 in _zval_ptr_dtor (zval_ptr=0xa1) at /usr/src/php5/source/php5-5.3.10/Zend/zend_variables.h:35
        zv = 0x1bb0d90
#4  0x00000000006d0712 in zend_hash_apply_deleter (ht=0xe31168, p=0x115ee48) at /usr/src/php5/source/php5-5.3.10/Zend/zend_hash.c:814
        retval = 0x10c92e0
#5  0x00000000006d0998 in zend_hash_graceful_reverse_destroy (ht=0xe31168) at /usr/src/php5/source/php5-5.3.10/Zend/zend_hash.c:850
        p = 0x3654f0c6cb0
#6  0x00000000006b7b0e in shutdown_executor () at /usr/src/php5/source/php5-5.3.10/Zend/zend_execute_API.c:256
        __orig_bailout = <incomplete type>
        __bailout = {{__jmpbuf = {14880736, 0, 2924945600, 862009622, 17601248, 0, 17605824, 0}, __mask_was_saved = 0, __saved_mask = {__val = {1280986688, 869,
                14946704, 0, 7227061, 0, 18392456, 0, 18305824, 0, 14946704, 0, 7227061, 0, 14946704, 0}}}}
        __bailout = {{__jmpbuf = {14880736, 0, 2924945600, 862009622, 17601248, 0, 17605824, 0}, __mask_was_saved = 0, __saved_mask = {__val = {1280986688, 869,
                14946704, 0, 7227061, 0, 18392456, 0, 18305824, 0, 14946704, 0, 7227061, 0, 14946704, 0}}}}
        __bailout = {{__jmpbuf = {14880736, 0, 2924945600, 862009622, 17601248, 0, 17605824, 0}, __mask_was_saved = 0, __saved_mask = {__val = {1280986688, 869,
                14946704, 0, 7227061, 0, 18392456, 0, 18305824, 0, 14946704, 0, 7227061, 0, 14946704, 0}}}}
        __bailout = {{__jmpbuf = {14880736, 0, 2924945600, 862009622, 17601248, 0, 17605824, 0}, __mask_was_saved = 0, __saved_mask = {__val = {1280986688, 869,
                14946704, 0, 7227061, 0, 18392456, 0, 18305824, 0, 14946704, 0, 7227061, 0, 14946704, 0}}}}
        __bailout = {{__jmpbuf = {14880736, 0, 2924945600, 862009622, 17601248, 0, 17605824, 0}, __mask_was_saved = 0, __saved_mask = {__val = {1280986688, 869,
                14946704, 0, 7227061, 0, 18392456, 0, 18305824, 0, 14946704, 0, 7227061, 0, 14946704, 0}}}}
        __bailout = {{__jmpbuf = {14880736, 0, 2924945600, 862009622, 17601248, 0, 17605824, 0}, __mask_was_saved = 0, __saved_mask = {__val = {1280986688, 869,
                14946704, 0, 7227061, 0, 18392456, 0, 18305824, 0, 14946704, 0, 7227061, 0, 14946704, 0}}}}
        __bailout = {{__jmpbuf = {14880736, 0, 2924945600, 862009622, 17601248, 0, 17605824, 0}, __mask_was_saved = 0, __saved_mask = {__val = {1280986688, 869,
                14946704, 0, 7227061, 0, 18392456, 0, 18305824, 0, 14946704, 0, 7227061, 0, 14946704, 0}}}}
        __bailout = {{__jmpbuf = {14880736, 0, 2924945600, 862009622, 17601248, 0, 17605824, 0}, __mask_was_saved = 0, __saved_mask = {__val = {1280986688, 869,
                14946704, 0, 7227061, 0, 18392456, 0, 18305824, 0, 14946704, 0, 7227061, 0, 14946704, 0}}}}
        __bailout = {{__jmpbuf = {14880736, 0, 2924945600, 862009622, 17601248, 0, 17605824, 0}, __mask_was_saved = 0, __saved_mask = {__val = {1280986688, 869,
                14946704, 0, 7227061, 0, 18392456, 0, 18305824, 0, 14946704, 0, 7227061, 0, 14946704, 0}}}}
        __orig_bailout = <incomplete type>
        __bailout = {{__jmpbuf = {14880736, 0, 2924945600, 862009622, 17601248, 0, 17605824, 0}, __mask_was_saved = 0, __saved_mask = {__val = {1280986688, 869,
                14946704, 0, 7227061, 0, 18392456, 0, 18305824, 0, 14946704, 0, 7227061, 0, 14946704, 0}}}}
        __bailout = {{__jmpbuf = {14880736, 0, 2924945600, 862009622, 17601248, 0, 17605824, 0}, __mask_was_saved = 0, __saved_mask = {__val = {1280986688, 869,
                14946704, 0, 7227061, 0, 18392456, 0, 18305824, 0, 14946704, 0, 7227061, 0, 14946704, 0}}}}
        __bailout = {{__jmpbuf = {14880736, 0, 2924945600, 862009622, 17601248, 0, 17605824, 0}, __mask_was_saved = 0, __saved_mask = {__val = {1280986688, 869,
                14946704, 0, 7227061, 0, 18392456, 0, 18305824, 0, 14946704, 0, 7227061, 0, 14946704, 0}}}}
#7  0x00000000006c4762 in zend_deactivate () at /usr/src/php5/source/php5-5.3.10/Zend/zend.c:963
        __orig_bailout = 0x0
---Type <return> to continue, or q <return> to quit---
        __bailout = {{__jmpbuf = {152109408, 962, 14878784, 0, 2924945600, 862009622, 17601248, 0}, __mask_was_saved = 862134464, __saved_mask = {__val = {
                0 <repeats 12 times>, 17680896, 0, 0, 145}}}}
        __orig_bailout = 0x0
        __bailout = {{__jmpbuf = {152109408, 962, 14878784, 0, 2924945600, 862009622, 17601248, 0}, __mask_was_saved = 862134464, __saved_mask = {__val = {
                0 <repeats 12 times>, 17680896, 0, 0, 145}}}}
        __orig_bailout = 0x6c46dd
        __bailout = {{__jmpbuf = {152109408, 962, 14878784, 0, 2924945600, 862009622, 17601248, 0}, __mask_was_saved = 862134464, __saved_mask = {__val = {
                0 <repeats 12 times>, 17680896, 0, 0, 145}}}}
        __orig_bailout = 0x6c46dd
        __bailout = {{__jmpbuf = {152109408, 962, 14878784, 0, 2924945600, 862009622, 17601248, 0}, __mask_was_saved = 862134464, __saved_mask = {__val = {
                0 <repeats 12 times>, 17680896, 0, 0, 145}}}}
        __orig_bailout = 0x10ca4c0
        __bailout = {{__jmpbuf = {152109408, 962, 14878784, 0, 2924945600, 862009622, 17601248, 0}, __mask_was_saved = 862134464, __saved_mask = {__val = {
                0 <repeats 12 times>, 17680896, 0, 0, 145}}}}
        __orig_bailout = 0x6c46dd
        __bailout = {{__jmpbuf = {152109408, 962, 14878784, 0, 2924945600, 862009622, 17601248, 0}, __mask_was_saved = 862134464, __saved_mask = {__val = {
                0 <repeats 12 times>, 17680896, 0, 0, 145}}}}
        __orig_bailout = 0x0
        __bailout = {{__jmpbuf = {152109408, 962, 14878784, 0, 2924945600, 862009622, 17601248, 0}, __mask_was_saved = 862134464, __saved_mask = {__val = {
                0 <repeats 12 times>, 17680896, 0, 0, 145}}}}
#8  0x000000000066f3e5 in php_request_shutdown (dummy=0xa1) at /usr/src/php5/source/php5-5.3.10/main/main.c:1664
        report_memleaks = 0 '\000'
#9  0x0000000000758ca0 in main (argc=17601248, argv=0x10ca4c0) at /usr/src/php5/source/php5-5.3.10/sapi/fpm/fpm/fpm_main.c:1886
        primary_script = 0x1000000 "\203â¨ü\201>ĂG\016"
        __bailout = {{__jmpbuf = {0, 0, 11849916, 0, 4122419392, 887433970, 3, 0}, __mask_was_saved = -1285480256, __saved_mask = {__val = {0, 0, 0, 0, 0, 0,
                1324713501, 869, 0, 0, 1270933192, 869, 0, 0, 1324685090, 869}}}}
        exit_status = 0
        c = 7091440
        file_handle = {type = ZEND_HANDLE_FILENAME, filename = 0x4 <Address 0x4 out of bounds>,
          opened_path = 0x10c9718 "'\177(Ż\017D>\"/xxxxx.hu/html/kat-origi.phtml", handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, isatty = 17723752, mmap = {
                len = 0, pos = 20674, map = 0x0, buf = 0x3654f03c000 <Address 0x3654f03c000 out of bounds>, old_handle = 0x3654f03c000, old_closer = 0x1107220},
              reader = 0x6d9820 <zend_stream_stdio_closer>, fsizer = 0x6d9e60 <zend_stream_stdio_reader>, closer = 0x6d98e0 <zend_stream_stdio_fsizer>}},
          free_filename = 224 'ŕ'}
        orig_optind = 0
        orig_optarg = 0x0
        max_requests = 0
        requests = 17722696
        fcgi_fd = 7042240
        request = {listen_socket = 1, fd = 0, id = 0, keep = 3, closed = 1, in_len = 0, in_pad = 0, out_hdr = 0x0, out_pos = 0x3c2091102f0 "",
          out_buf = "v\004\021\tÂ\003\000\000\000\006\000\000\000\000\000\000Expires: Thu, 19 Nov 1981 08:52:00 GMT\r\nCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0\r\nPragma: no-cache\r\nSet-Cookie: sess_odi_sid=o7fjrtnnpohsuqg7a7114b"..., reserved = '\000' <repeats 15 times>, env = 0x0}
        fpm_config = 0x0
        fpm_prefix = 0x0
---Type <return> to continue, or q <return> to quit---
        fpm_pid = 0x3c20911266b ""
        test_conf = 0
        php_information = 0
        __func__ = "main"
 [2012-05-22 16:04 UTC] fat@php.net
-Package: FPM related +Package: Reproducible crash
 