Bug #67434 Segfault in _zval_dtor_func
Submitted: 2014-06-13 07:49 UTC Modified: 2015-07-22 13:14 UTC
From: Dessa at gmake dot de Assigned:
Status: Closed Package: Scripting Engine problem
PHP Version: 5.6.0beta4 OS: Gentoo Linux
Private report: No CVE-ID: None
 [2014-06-13 07:49 UTC] Dessa at gmake dot de
Description:
------------
./configure --prefix=/usr --build=x86_64-pc-linux-gnu --host=x86_64-pc-linux-gnu --mandir=/usr/share/man --infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc --localstatedir=/var/lib --prefix=/usr/lib64/php5.6 --mandir=/usr/lib64/php5.6/man --infodir=/usr/lib64/php5.6/info --libdir=/usr/lib64/php5.6/lib --with-libdir=lib64 --without-pear --enable-maintainer-zts --disable-bcmath --with-bz2=/usr --disable-calendar --enable-ctype --with-curl=/usr --enable-dom --without-enchant --enable-exif --enable-fileinfo --enable-filter --disable-ftp --with-gettext=/usr --without-gmp --enable-hash --without-mhash --with-iconv --enable-intl --enable-ipv6 --enable-json --without-kerberos --enable-libxml --with-libxml-dir=/usr --enable-mbstring --with-mcrypt=/usr --without-mssql --with-onig=/usr --with-openssl=/usr --with-openssl-dir=/usr --enable-pcntl --enable-phar --enable-pdo --enable-opcache --without-pgsql --enable-posix --without-pspell --without-recode --enable-simplexml --disable-shmop --without-snmp --enable-soap --enable-sockets --with-sqlite3=/usr --without-sybase-ct --disable-sysvmsg --disable-sysvsem --disable-sysvshm --without-fpm-systemd --without-tidy --enable-tokenizer --disable-wddx --enable-xml --enable-xmlreader --disable-xmlwriter --without-xmlrpc --with-xsl=/usr --disable-zip --with-zlib=/usr --enable-debug --enable-dba --without-cdb --with-db4=/usr --disable-flatfile --with-gdbm=/usr --disable-inifile --without-qdbm --with-freetype-dir=/usr --with-t1lib=/usr --disable-gd-jis-conv --with-jpeg-dir=/usr --with-png-dir=/usr --without-xpm-dir --with-gd --with-ldap=/usr --without-ldap-sasl --with-mysql=mysqlnd --with-mysqli=mysqlnd --with-mysql-sock=/var/run/mysqld/mysqld.sock --without-pdo-dblib --with-pdo-mysql=mysqlnd --without-pdo-pgsql --with-pdo-sqlite=/usr --without-pdo-odbc --with-readline=/usr --without-libedit --without-mm --with-pic --with-pcre-regex=/usr --with-pcre-dir=/usr --with-config-file-path=/etc/php/fpm-php5.6 
--with-config-file-scan-dir=/etc/php/fpm-php5.6/ext-active --disable-embed --disable-cli --disable-cgi --enable-fpm --without-apxs2

It's happening from a MediaWiki from git master, but I have no idea how to reproduce it properly, I'm afraid (though it seems to happen more often with debug enabled than without).

Setting always_populate_raw_post_data to 1 as pointed out by the last line doesn't help either.

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff7fd6740 (LWP 9344)]
0x00000000009f8bfb in _zval_dtor_func (zvalue=0x7ffff7fc8488,
    __zend_filename=0xf5aaf8 "/var/tmp/portage/dev-lang/php-5.6.0_beta4/work/sapis-build/fpm/Zend/zend_execute.h", __zend_lineno=79)
    at /var/tmp/portage/dev-lang/php-5.6.0_beta4/work/sapis-build/fpm/Zend/zend_variables.c:36
36                              CHECK_ZVAL_STRING_REL(zvalue);
(gdb) bt full
#0  0x00000000009f8bfb in _zval_dtor_func (zvalue=0x7ffff7fc8488,
    __zend_filename=0xf5aaf8 "/var/tmp/portage/dev-lang/php-5.6.0_beta4/work/sapis-build/fpm/Zend/zend_execute.h", __zend_lineno=79)
    at /var/tmp/portage/dev-lang/php-5.6.0_beta4/work/sapis-build/fpm/Zend/zend_variables.c:36
No locals.
#1  0x00000000009e1fe7 in _zval_dtor (zvalue=0x7ffff7fc8488,
    __zend_filename=0xf5aaf8 "/var/tmp/portage/dev-lang/php-5.6.0_beta4/work/sapis-build/fpm/Zend/zend_execute.h", __zend_lineno=79)
    at /var/tmp/portage/dev-lang/php-5.6.0_beta4/work/sapis-build/fpm/Zend/zend_variables.h:35
No locals.
#2  0x00000000009e20d2 in i_zval_ptr_dtor (zval_ptr=0x7ffff7fc8488,
    __zend_filename=0xf5ce10 "/var/tmp/portage/dev-lang/php-5.6.0_beta4/work/sapis-build/fpm/Zend/zend_variables.c", __zend_lineno=187, tsrm_ls=0x12e6e00)
    at /var/tmp/portage/dev-lang/php-5.6.0_beta4/work/sapis-build/fpm/Zend/zend_execute.h:79
        __PRETTY_FUNCTION__ = "i_zval_ptr_dtor"
#3  0x00000000009e428c in _zval_ptr_dtor (zval_ptr=0x7ffff7fc8780,
    __zend_filename=0xf5ce10 "/var/tmp/portage/dev-lang/php-5.6.0_beta4/work/sapis-build/fpm/Zend/zend_variables.c", __zend_lineno=187)
    at /var/tmp/portage/dev-lang/php-5.6.0_beta4/work/sapis-build/fpm/Zend/zend_execute_API.c:427
---Type <return> to continue, or q <return> to quit---
        tsrm_ls = 0x12e6e00
#4  0x00000000009f914e in _zval_ptr_dtor_wrapper (zval_ptr=0x7ffff7fc8780)
    at /var/tmp/portage/dev-lang/php-5.6.0_beta4/work/sapis-build/fpm/Zend/zend_variables.c:187
No locals.
#5  0x0000000000a100d9 in i_zend_hash_bucket_delete (ht=0x12ea5c8,
    p=0x7ffff7fc8768)
    at /var/tmp/portage/dev-lang/php-5.6.0_beta4/work/sapis-build/fpm/Zend/zend_hash.c:182
No locals.
#6  0x0000000000a101b0 in zend_hash_bucket_delete (ht=0x12ea5c8,
    p=0x7ffff7fc8768)
    at /var/tmp/portage/dev-lang/php-5.6.0_beta4/work/sapis-build/fpm/Zend/zend_hash.c:192
No locals.
#7  0x0000000000a11da2 in zend_hash_graceful_reverse_destroy (ht=0x12ea5c8)
    at /var/tmp/portage/dev-lang/php-5.6.0_beta4/work/sapis-build/fpm/Zend/zend_hash.c:613
No locals.
#8  0x00000000009e32df in shutdown_executor (tsrm_ls=0x12e6e00)
    at /var/tmp/portage/dev-lang/php-5.6.0_beta4/work/sapis-build/fpm/Zend/zend_execute_API.c:247
        __orig_bailout = 0x7fffffffbc80
---Type <return> to continue, or q <return> to quit---
        __bailout = {{__jmpbuf = {0, -5710573567885411517, 4721168,
              140737488347312, 0, 0, -5710573567921063101,
              5710574616515214147}, __mask_was_saved = 0, __saved_mask = {
              __val = {10174605, 3045131812864, 0, 16108904, 4294967395,
                140737353922336, 760, 9964748, 19833832, 140737488337344,
                18446744069424750906, 140737488337328, 10454346,
                140737353922096, 4314788816, 9964748}}}}
#9  0x00000000009fc360 in zend_deactivate (tsrm_ls=0x12e6e00)
    at /var/tmp/portage/dev-lang/php-5.6.0_beta4/work/sapis-build/fpm/Zend/zend.c:949
No locals.
#10 0x0000000000940e9e in php_request_shutdown (dummy=0x0)
    at /var/tmp/portage/dev-lang/php-5.6.0_beta4/work/sapis-build/fpm/main/main.c:1884
        report_memleaks = 1 '\001'
        tsrm_ls = 0x12e6e00
#11 0x0000000000ad212a in main (argc=3, argv=0x7fffffffe0b8)
    at /var/tmp/portage/dev-lang/php-5.6.0_beta4/work/sapis-build/fpm/sapi/fpm/fpm/fpm_main.c:1972
        primary_script = 0x7ffff7fc9160 'Z' <repeats 38 times>, "g\304\023\031\304\023\031ZZZ\033\337td\377\177"
        __orig_bailout = 0x0
        __bailout = {{__jmpbuf = {0, -5710573569160479933, 4721168,
---Type <return> to continue, or q <return> to quit---
              140737488347312, 0, 0, -5710573568036406461,
              5710574488583437123}, __mask_was_saved = 0, __saved_mask = {
              __val = {0 <repeats 16 times>}}}}
        exit_status = 0
        cgi = 0
        c = -1
        use_extended_info = 0
        file_handle = {type = ZEND_HANDLE_FILENAME,
          filename = 0x7ffff7f97ce0 'Z' <repeats 38 times>, "g\304\023\031",
          opened_path = 0x0, handle = {fd = -134431960, fp = 0x7ffff7fcbb28,
            stream = {handle = 0x7ffff7fcbb28, isatty = 0, mmap = {len = 1755,
                pos = 0, map = 0x0,
                buf = 0x7ffff7ff4000 <error: Cannot access memory at address 0x7ffff7ff4000>, old_handle = 0x0, old_closer = 0x0},
              reader = 0x962cd0 <_php_stream_read>,
              fsizer = 0x93eeb9 <php_zend_stream_fsizer>,
              closer = 0x93ee81 <php_zend_stream_mmap_closer>}},
          free_filename = 0 '\000'}
        orig_optind = 1
        orig_optarg = 0x0
        ini_entries_len = 0
        tsrm_ls = 0x12e6e00
        max_requests = 500
---Type <return> to continue, or q <return> to quit---
        requests = 3
        fcgi_fd = 0
        request = {listen_socket = 0, fd = -1, id = 1, keep = 0, closed = 0,
          in_len = 0, in_pad = 0, out_hdr = 0x0,
          out_pos = 0x7fffffffbe70 "\001\003",
          out_buf = "\001\003\000\001\000\b\000\000\000\000\000\000\000essage: PHP Deprecated:  Automatically populating $HTTP_RAW_POST_DATA is deprecated and will be removed in a future version. To avoid this warning set 'always_populate_raw_post_data' to '"..., reserved = '\000' <repeats 15 times>,
          env = 0x7ffff7f960d8}
        fpm_config = 0x7fffffffe35f ""
        fpm_prefix = 0x0
        fpm_pid = 0x0
        test_conf = 0
        force_daemon = -1
        force_stderr = 0
        php_information = 0
        php_allow_to_run_a

 [2015-07-22 13:01 UTC] mike@php.net
-Status: Open +Status: Feedback -Package: FPM related +Package: Scripting Engine problem
 [2015-07-22 13:01 UTC] mike@php.net
Does it also happen with a current version?
 [2015-07-22 13:14 UTC] Dessa at gmake dot de
-Status: Feedback +Status: Closed
 [2015-07-22 13:14 UTC] Dessa at gmake dot de
I do not recall anymore when it stopped happening, but it definitely did stop with a newer version.
 [2016-05-26 22:11 UTC] kenorb+nospam at gmail dot com
The same SEGV happens here with PHP 5.6.20 (cli) when running the built-in server on OS X:

[Thu May 26 22:58:41 2016] 127.0.0.1:53495 [200]: /sites/all/themes/rubik/images/buttons.png
[Thu May 26 22:58:41 2016] PHP Deprecated:  Automatically populating $HTTP_RAW_POST_DATA is deprecated and will be removed in a future version. To avoid this warning set 'always_populate_raw_post_data' to '-1' in php.ini and use the php://input stream instead. in Unknown on line 0
Segmentation fault: 11

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000000

VM Regions Near 0:
--> 
    __TEXT                 000000010ca0f000-000000010d427000 [ 10.1M] r-x/rwx SM=COW  /usr/local/Cellar/php56/5.6.20/bin/php

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   php                           	0x000000010ce499a5 _zval_dtor_func + 61
1   php                           	0x000000010ce3cca9 _zval_ptr_dtor + 108
2   php                           	0x000000010ce59785 zend_hash_bucket_delete + 148
3   php                           	0x000000010ce5982a zend_hash_graceful_reverse_destroy + 29
4   php                           	0x000000010ce3c909 shutdown_executor + 114
5   php                           	0x000000010ce4c0dc zend_deactivate + 103
6   php                           	0x000000010cdec944 php_request_shutdown + 551
7   php                           	0x000000010cf00569 php_cli_server_recv_event_read_request + 1444
8   php                           	0x000000010cf0108a php_cli_server_do_event_for_each_fd_callback + 186
9   php                           	0x000000010cefe8e2 do_cli_server + 2244
10  php                           	0x000000010cef9570 main + 1260
11  libdyld.dylib                 	0x00007fff9dc7d5ad start + 1

This happened when the site was processing a feed with Drupal on the page and it crashed. I won't be able to reproduce it easily.
 [2016-05-26 22:32 UTC] kenorb+nospam at gmail dot com
The same happened again with the same HTTP_RAW_POST_DATA message on batch run. So I assume it's reproducible.
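
A triage check for the "same SEGV" claim in the comments above, as an added example that is not part of the original report or of the PHP project's code: it reduces both backtraces to function names and tests whether the shorter stack is an ordered subsequence of the longer one up to `php_request_shutdown`, because the `--enable-debug` 5.6.0beta4 trace carries helper frames (`_zval_dtor`, `i_zval_ptr_dtor`, `_zval_ptr_dtor_wrapper`, `i_zend_hash_bucket_delete`) that the OS X trace lacks. The helper names, the choice of boundary frame and the shortened sample traces are assumptions made for illustration.

```python
import re

# Constructed sample input: function names and addresses copied from the two
# traces in this report; argument lists and source paths are shortened.
GDB_BT = """\
#0  0x00000000009f8bfb in _zval_dtor_func (zvalue=0x7ffff7fc8488) at zend_variables.c:36
#1  0x00000000009e1fe7 in _zval_dtor (zvalue=0x7ffff7fc8488) at zend_variables.h:35
#2  0x00000000009e20d2 in i_zval_ptr_dtor (zval_ptr=0x7ffff7fc8488) at zend_execute.h:79
#3  0x00000000009e428c in _zval_ptr_dtor (zval_ptr=0x7ffff7fc8780) at zend_execute_API.c:427
#4  0x00000000009f914e in _zval_ptr_dtor_wrapper (zval_ptr=0x7ffff7fc8780) at zend_variables.c:187
#5  0x0000000000a100d9 in i_zend_hash_bucket_delete (ht=0x12ea5c8) at zend_hash.c:182
#6  0x0000000000a101b0 in zend_hash_bucket_delete (ht=0x12ea5c8) at zend_hash.c:192
#7  0x0000000000a11da2 in zend_hash_graceful_reverse_destroy (ht=0x12ea5c8) at zend_hash.c:613
#8  0x00000000009e32df in shutdown_executor (tsrm_ls=0x12e6e00) at zend_execute_API.c:247
#9  0x00000000009fc360 in zend_deactivate (tsrm_ls=0x12e6e00) at zend.c:949
#10 0x0000000000940e9e in php_request_shutdown (dummy=0x0) at main.c:1884
"""
MAC_BT = """\
0   php    0x000000010ce499a5 _zval_dtor_func + 61
1   php    0x000000010ce3cca9 _zval_ptr_dtor + 108
2   php    0x000000010ce59785 zend_hash_bucket_delete + 148
3   php    0x000000010ce5982a zend_hash_graceful_reverse_destroy + 29
4   php    0x000000010ce3c909 shutdown_executor + 114
5   php    0x000000010ce4c0dc zend_deactivate + 103
6   php    0x000000010cdec944 php_request_shutdown + 551
7   php    0x000000010cf00569 php_cli_server_recv_event_read_request + 1444
"""

GDB_FRAME = re.compile(r"^#\d+\s+(?:0x[0-9a-f]+ in )?(\w+) \(", re.M)
MAC_FRAME = re.compile(r"^\d+\s+\S+\s+0x[0-9a-f]+ (\w+) \+ \d+$", re.M)

def frames(trace):
    """Return function names, innermost first, from a gdb or OS X trace."""
    return GDB_FRAME.findall(trace) or MAC_FRAME.findall(trace)

def is_subsequence(short, long):
    """True if every name in `short` appears in `long` in the same order."""
    it = iter(long)
    return all(name in it for name in short)

def same_crash_path(a, b, boundary="php_request_shutdown"):
    """Compare two stacks from the faulting frame up to the boundary frame."""
    fa, fb = frames(a), frames(b)
    if boundary not in fa or boundary not in fb:
        return False
    fa, fb = fa[:fa.index(boundary) + 1], fb[:fb.index(boundary) + 1]
    short, long = sorted((fa, fb), key=len)
    return short[0] == long[0] and is_subsequence(short, long)
```

Frames above the boundary are ignored because they belong to the SAPI (FPM in the first trace, the CLI server in the second), not to the engine shutdown path being compared.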
 