php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #63305 zend_mm_heap corrupted with traits
Submitted: 2012-10-18 14:08 UTC Modified: 2012-10-22 11:20 UTC
From: johan dot groth at sorona dot se Assigned: dmitry (profile)
Status: Closed Package: Scripting Engine problem
PHP Version: 5.4.8 OS: All
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: johan dot groth at sorona dot se
New email:
PHP Version: OS:

 

 [2012-10-18 14:08 UTC] johan dot groth at sorona dot se
Description:
------------
Note: This problem appears on 5.4.8 as well, but it was not available in the list when I created the report.

Sometimes when using traits, I get "zend_mm_heap corrupted". I get it both while running under apache and while running from the command line. It's a problem under apache, since then I do not get any output sent to the browser. If I run the same script on the command line, I get output but with "zend_mm_heap corrupted" at the end. So, the script seem to finish every time but with an error afterwards.

I have gotten this error in the past a few times, but could solve it every time by upgrading to a newer release of PHP. Now however, I'm on the latest release and have run into this problem yet again. It seems really hard to reproduce, and I have not been able to do it in a test script, it only appears when I run my full application and only when using traits.

These bugs seem to be related:
#62339
#55382
#62358

I have tried to generate a dump according to these instructions: https://bugs.php.net/bugs-generating-backtrace-win32.php
However, I have not been able to get something useful out of it. It seems that the program does not detect that a crash has occured, even if it says the following in the apache error log:
zend_mm_heap corrupted
[Thu Oct 18 15:35:12 2012] [notice] Parent: child process exited with status 1 -- Restarting.

Test script:
---------------
I have not been able to reproduce this problem in a test script. 

Expected result:
----------------
Not "zend_mm_heap corrupted"

Actual result:
--------------
zend_mm_heap corrupted

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2012-10-18 14:24 UTC] laruence@php.net
-Status: Open +Status: Feedback
 [2012-10-18 14:24 UTC] laruence@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a backtrace to see what is happening behind the scenes. To
find out how to generate a backtrace, please read
http://bugs.php.net/bugs-generating-backtrace.php for *NIX and
http://bugs.php.net/bugs-generating-backtrace-win32.php for Win32

Once you have generated a backtrace, please submit it to this bug
report and change the status back to "Open". Thank you for helping
us make PHP better.

we really need a testscript or backtrace to diagnosis the problem
 [2012-10-19 09:31 UTC] johan dot groth at sorona dot se
-Status: Feedback +Status: Open -PHP Version: 5.4.7 +PHP Version: 5.4.8
 [2012-10-19 09:31 UTC] johan dot groth at sorona dot se
As I said I was not able to get a stacktrace on windows, so I decided to try it on ubuntu. After building the same php version I used on windows, I was able to get php to crash with my application. 
However, I was not able to get a stacktrace in this case either. It just says "No stack." at the end. I did get some other messages but I doubt it will be of any help.

I want to help as much as I can on this, but I'm not familiar with core dumps and stacktraces. If I could get some help generating these I would appreciate it.

jgroth@ubuntu:~$ gdb php
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/local/bin/php...done.
(gdb) run /home/jgroth/crash-test/sorona-tms/src/main/php/index.php test
Starting program: /usr/local/bin/php /home/jgroth/crash-test/sorona-tms/src/main/php/index.php test
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[Fri Oct 19 02:21:01 2012]  Script:  '/home/jgroth/crash-test/sorona-tms/src/main/php/index.php'
---------------------------------------
/tmp/php-5.4.8/Zend/zend_opcode.c(404) : Block 0x016854a8 status:
Invalid pointer: ((prev=0x00000248) != (prev.size=0x00000510))
---------------------------------------
[Fri Oct 19 02:21:01 2012]  Script:  '/home/jgroth/crash-test/sorona-tms/src/main/php/index.php'
---------------------------------------
/tmp/php-5.4.8/Zend/zend_opcode.c(404) : Block 0x01682188 status:
Invalid pointer: ((size=0x00000108) != (next.prev=0x000001b0))
Invalid pointer: ((prev=0x000000a9) != (prev.size=0x000001b0))
---------------------------------------
[Fri Oct 19 02:21:01 2012]  Script:  '/home/jgroth/crash-test/sorona-tms/src/main/php/index.php'
---------------------------------------
/tmp/php-5.4.8/Zend/zend_opcode.c(404) : Block 0x016857d0 status:
Beginning:      Freed
    Start:      OK
      End:      OK
---------------------------------------
[Inferior 1 (process 6653) exited normally]
(gdb) bt
No stack.
(gdb)
 [2012-10-19 12:35 UTC] johan dot groth at sorona dot se
Ok, so I have somewhat been able to reproduce the problem. I can still not do it in a small script, but I have been able to remove enough code from my application so I can send it to anyone who might be looking into this issue. The application is based on CodeIgniter, so it's basicly the CI code + a few extra files from my application.
 [2012-10-20 04:39 UTC] laruence@php.net
-Status: Open +Status: Feedback
 [2012-10-20 04:39 UTC] laruence@php.net
great, if it's okey, you can tar your application as a reproduce script for us
 [2012-10-22 06:38 UTC] johan dot groth at sorona dot se
-Status: Feedback +Status: Open -Operating System: Windows 7 64-bit +Operating System: All
 [2012-10-22 06:38 UTC] johan dot groth at sorona dot se
I could not find a way to upload anything to this report so I created a temporary repository over at github with the source. I hope this is OK, you can find it here: https://github.com/jgroth/php-crash

Something I found interesting while removing as much code as possible from my application was that I could not remove comments for some methods in some of the classes/interfaces. Doing so would not reproduce the bug. Also, when I turned off error reporting, I did not get the bug either.

Note that there is one "Notice" error reported by PHP in this test application. I do not have any such errors in the full application, but still got a php crash.
 [2012-10-22 10:25 UTC] laruence@php.net
-Assigned To: +Assigned To: dmitry
 [2012-10-22 10:25 UTC] laruence@php.net
thanks, I can reproduce now, dmitry, seems related to the previous traits bug we 
fixed.
 [2012-10-22 11:20 UTC] laruence@php.net
A simple reproduce script:

<?php

new Attachment("");

function __autoload($class) {
    switch ($class) {
    case "Attachment":
        eval(<<<'PHP'
class Attachment extends File {
}
PHP
    );
        break;
    case "File":
        eval(<<<'PHP'
class File {
    use TDatabaseObject {
        TDatabaseObject::__construct as private databaseObjectConstruct;
    }
    public function __construct() {
    }
}
PHP
    );
        break;
    case "TDatabaseObject":
        eval(<<<'PHP'
trait TDatabaseObject {
    public function __construct() {
    }
}
PHP
    );
        break;
    }
    return TRUE;
}
 [2012-10-23 03:34 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=74228c515197c8a3bda878a077d30c9b14482eb2
Log: Fixed bug #63305 (zend_mm_heap corrupted with traits)
 [2012-10-23 03:34 UTC] laruence@php.net
-Status: Assigned +Status: Closed
 [2012-10-23 03:35 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=74228c515197c8a3bda878a077d30c9b14482eb2
Log: Fixed bug #63305 (zend_mm_heap corrupted with traits)
 [2014-10-07 23:21 UTC] stas@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=74228c515197c8a3bda878a077d30c9b14482eb2
Log: Fixed bug #63305 (zend_mm_heap corrupted with traits)
 [2014-10-07 23:32 UTC] stas@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=74228c515197c8a3bda878a077d30c9b14482eb2
Log: Fixed bug #63305 (zend_mm_heap corrupted with traits)
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed Oct 09 06:01:26 2024 UTC