php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #69816 SIGSEGV in zend_hash_index_find_bucket
Submitted: 2015-06-12 23:59 UTC Modified: 2015-10-02 03:06 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: filip at prochazka dot su Assigned: laruence (profile)
Status: Closed Package: Reproducible crash
PHP Version: 7.0.0alpha1 OS: Linux
Private report: No CVE-ID: None
View Developer Edit
 [2015-06-12 23:59 UTC] filip at prochazka dot su 
Description:
------------
I just compiled the 7.0.0alpha1


Configure Command =>  './configure'  '--with-openssl' '--with-kerberos' '--with-zlib' '--with-bz2' '--with-curl' '--enable-dba' '--enable-ftp' '--with-gd' '--with-jpeg-dir=/usr/include' '--with-png-dir=/usr/include' '--with-zlib-dir=/usr/include' '--with-xpm-dir=/usr/include' '--with-freetype-dir=/usr/lib' '--enable-gd-native-ttf' '--with-gettext' '--with-mhash' '--with-imap' '--with-imap-ssl' '--enable-mbstring' '--with-mcrypt' '--with-mysqli=mysqlnd' '--with-pdo-mysql=mysqlnd' '--with-pdo-pgsql' '--with-pgsql' '--enable-shmop' '--enable-soap' '--enable-sockets' '--with-readline' '--enable-sysvmsg' '--with-tidy' '--with-xmlrpc' '--with-xsl' '--enable-zip' '--enable-intl' '--enable-fpm' '--enable-pcntl' '--enable-bcmath' '--with-gmp' '--prefix=/usr/php/7.0.0alpha1/' '--enable-phpdbg' '--enable-debug' '--without-pear'


and tried running our application. I'm not sure how to isolate the crashing code.

Actual result:
--------------
$ gdb /usr/php/7.0.0alpha1/sbin/php-fpm /tmp/core-php-fpm.16589 
GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.2) 7.7.1
This GDB was configured as "x86_64-linux-gnu".
Reading symbols from /usr/php/7.0.0alpha1/sbin/php-fpm...done.
[New LWP 16589]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `php-fpm: pool www                                               '.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0000000000ae3517 in zend_hash_index_find_bucket (ht=0x7f2e1b7066c0, h=0) at /opt/php-7.0.0alpha1/Zend/zend_hash.c:464
464             idx = HT_HASH_EX(arData, nIndex);
(gdb) bt
#0  0x0000000000ae3517 in zend_hash_index_find_bucket (ht=0x7f2e1b7066c0, h=0) at /opt/php-7.0.0alpha1/Zend/zend_hash.c:464
#1  0x0000000000ae7a18 in zend_hash_index_exists (ht=0x7f2e1b7066c0, h=0) at /opt/php-7.0.0alpha1/Zend/zend_hash.c:1935
#2  0x00000000008f8c91 in zif_array_key_exists (execute_data=0x7f2e1c218a20, return_value=0x7f2e1c2185f0) at /opt/php-7.0.0alpha1/ext/standard/array.c:5009
#3  0x0000000000b2a747 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER () at /opt/php-7.0.0alpha1/Zend/zend_vm_execute.h:692
#4  0x0000000000b29bab in execute_ex (ex=0x7f2e1c216010) at /opt/php-7.0.0alpha1/Zend/zend_vm_execute.h:394
#5  0x0000000000ab8c79 in zend_call_function (fci=0x7fff346aff60, fci_cache=0x7fff346aff30) at /opt/php-7.0.0alpha1/Zend/zend_execute_API.c:841
#6  0x00000000008fe9a8 in zif_call_user_func_array (execute_data=0x7f2e1c215f90, return_value=0x7f2e1c215e90) at /opt/php-7.0.0alpha1/ext/standard/basic_functions.c:4805
#7  0x0000000000b2a747 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER () at /opt/php-7.0.0alpha1/Zend/zend_vm_execute.h:692
#8  0x0000000000b29bab in execute_ex (ex=0x7f2e1c215030) at /opt/php-7.0.0alpha1/Zend/zend_vm_execute.h:394
#9  0x0000000000b29cbe in zend_execute (op_array=0x7f2e1c273000, return_value=0x0) at /opt/php-7.0.0alpha1/Zend/zend_vm_execute.h:434
#10 0x0000000000ad0a73 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /opt/php-7.0.0alpha1/Zend/zend.c:1389
#11 0x0000000000a3df50 in php_execute_script (primary_file=0x7fff346b2520) at /opt/php-7.0.0alpha1/main/main.c:2475
#12 0x0000000000ba03b3 in main (argc=3, argv=0x7fff346b4ca8) at /opt/php-7.0.0alpha1/sapi/fpm/fpm/fpm_main.c:1940
(gdb) frame 4
#4  0x0000000000b29bab in execute_ex (ex=0x7f2e1c216010) at /opt/php-7.0.0alpha1/Zend/zend_vm_execute.h:394
394                     if (UNEXPECTED((ret = ((opcode_handler_t)OPLINE->handler)(ZEND_OPCODE_HANDLER_ARGS_PASSTHRU)) != 0)) {
(gdb) frame 3
#3  0x0000000000b2a747 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER () at /opt/php-7.0.0alpha1/Zend/zend_vm_execute.h:692
692                     fbc->internal_function.handler(call, ret);
(gdb) frame 2
#2  0x00000000008f8c91 in zif_array_key_exists (execute_data=0x7f2e1c218a20, return_value=0x7f2e1c2185f0) at /opt/php-7.0.0alpha1/ext/standard/array.c:5009
5009                            if (zend_hash_index_exists(array, Z_LVAL_P(key))) {
(gdb) frame 1
#1  0x0000000000ae7a18 in zend_hash_index_exists (ht=0x7f2e1b7066c0, h=0) at /opt/php-7.0.0alpha1/Zend/zend_hash.c:1935
1935            p = zend_hash_index_find_bucket(ht, h);

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-06-13 00:24 UTC] laruence@php.net 
are you about to give me a ssh access to your reproducible box(via mail)?

thanks
 [2015-06-13 00:24 UTC] laruence@php.net
-Status: Open +Status: Feedback
 [2015-06-13 00:25 UTC] laruence@php.net 
or please use bt --full ... and paste out the result.
 [2015-06-13 00:25 UTC] laruence@php.net 
or please use bt --full ... and paste out the result.
 [2015-06-13 00:51 UTC] filip at prochazka dot su 
(gdb) bt full
#0  0x0000000000ae3517 in zend_hash_index_find_bucket (ht=0x7f2e1b7066c0, h=0) at /opt/php-7.0.0alpha1/Zend/zend_hash.c:464
        nIndex = 0
        idx = 11421359
        p = 0x7f2e1b7066c0
        arData = 0x1e
        __PRETTY_FUNCTION__ = "zend_hash_index_find_bucket"
#1  0x0000000000ae7a18 in zend_hash_index_exists (ht=0x7f2e1b7066c0, h=0) at /opt/php-7.0.0alpha1/Zend/zend_hash.c:1935
        p = 0x7f2e1c218a80
#2  0x00000000008f8c91 in zif_array_key_exists (execute_data=0x7f2e1c218a20, return_value=0x7f2e1c2185f0) at /opt/php-7.0.0alpha1/ext/standard/array.c:5009
        key = 0x7f2e1c218a80
        array = 0x7f2e1b7066c0
        __PRETTY_FUNCTION__ = "zif_array_key_exists"
#3  0x0000000000b2a747 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER () at /opt/php-7.0.0alpha1/Zend/zend_vm_execute.h:692
        call = 0x7f2e1c218a20
        fbc = 0x2416100
        ret = 0x7f2e1c2185f0
        __PRETTY_FUNCTION__ = "ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER"
#4  0x0000000000b29bab in execute_ex (ex=0x7f2e1c216010) at /opt/php-7.0.0alpha1/Zend/zend_vm_execute.h:394
        ret = 0
        orig_opline = 0x7f2e1b281ec0
        orig_execute_data = 0x7f2e1c215d80
#5  0x0000000000ab8c79 in zend_call_function (fci=0x7fff346aff60, fci_cache=0x7fff346aff30) at /opt/php-7.0.0alpha1/Zend/zend_execute_API.c:841
        call_via_handler = 0
        i = 1
        calling_scope = 0x7f2e1b2d6840
        call = 0x7f2e1c216010
        dummy_execute_data = {opline = 0x7f2e1b4cc008, call = 0x7fff346aff70, return_value = 0x7f2e1c215ff0, func = 0x7f2e1b35f000, This = {value = {lval = 140734072815264, dval = 6,9531870577342426e-310, counted = 0x7fff346afea0, 
              str = 0x7fff346afea0, arr = 0x7fff346afea0, obj = 0x7fff346afea0, res = 0x7fff346afea0, ref = 0x7fff346afea0, ast = 0x7fff346afea0, zv = 0x7fff346afea0, ptr = 0x7fff346afea0, ce = 0x7fff346afea0, func = 0x7fff346afea0, ww = {
                w1 = 879427232, w2 = 32767}}, u1 = {v = {type = 176 '\260', type_flags = 7 '\a', const_flags = 66 'B', reserved = 27 '\033'}, type_info = 457312176}, u2 = {var_flags = 32558, next = 32558, cache_slot = 32558, lineno = 32558, 
              num_args = 32558, fe_pos = 32558, fe_iter_idx = 32558}}, run_time_cache = 0x7f2e1b4cc008, literals = 0x7f2e1b373f88, called_scope = 0x7fff346afea0, prev_execute_data = 0xadef63 <zend_fcall_info_args+37>, 
          symbol_table = 0x7f2e1c216000}
        fci_cache_local = {initialized = 32 ' ', function_handler = 0x40a00000000, calling_scope = 0x7f2e1b4207c0, called_scope = 0x7f2e1b4cc028, object = 0x7f2e1b4cc028}
        func = 0x7f2e1c20faa0
        orig_scope = 0x7f2e1b3f0628
        __PRETTY_FUNCTION__ = "zend_call_function"
#6  0x00000000008fe9a8 in zif_call_user_func_array (execute_data=0x7f2e1c215f90, return_value=0x7f2e1c215e90) at /opt/php-7.0.0alpha1/ext/standard/basic_functions.c:4805
        params = 0x7f2e1c216000
        retval = {value = {lval = 0, dval = 0, counted = 0x0, str = 0x0, arr = 0x0, obj = 0x0, res = 0x0, ref = 0x0, ast = 0x0, zv = 0x0, ptr = 0x0, ce = 0x0, func = 0x0, ww = {w1 = 0, w2 = 0}}, u1 = {v = {type = 0 '\000', 
              type_flags = 0 '\000', const_flags = 0 '\000', reserved = 0 '\000'}, type_info = 0}, u2 = {var_flags = 32558, next = 32558, cache_slot = 32558, lineno = 32558, num_args = 32558, fe_pos = 32558, fe_iter_idx = 32558}}
        fci = {size = 72, function_table = 0x7f2e1b2d6880, function_name = {value = {lval = 139836001742848, dval = 6,9088164512937874e-310, counted = 0x7f2e1b35f000, str = 0x7f2e1b35f000, arr = 0x7f2e1b35f000, obj = 0x7f2e1b35f000, 
              res = 0x7f2e1b35f000, ref = 0x7f2e1b35f000, ast = 0x7f2e1b35f000, zv = 0x7f2e1b35f000, ptr = 0x7f2e1b35f000, ce = 0x7f2e1b35f000, func = 0x7f2e1b35f000, ww = {w1 = 456519680, w2 = 32558}}, u1 = {v = {type = 7 '\a', 
                type_flags = 28 '\034', const_flags = 0 '\000', reserved = 0 '\000'}, type_info = 7175}, u2 = {var_flags = 32767, next = 32767, cache_slot = 32767, lineno = 32767, num_args = 32767, fe_pos = 32767, fe_iter_idx = 32767}}, 
          symbol_table = 0x0, retval = 0x7fff346aff20, params = 0x7f2e1b4207b0, object = 0x7f2e1c266240, no_separation = 1 '\001', param_count = 1}
        fci_cache = {initialized = 1 '\001', function_handler = 0x7f2e1c20faa0, calling_scope = 0x7f2e1b2d6840, called_scope = 0x7f2e1b2d6840, object = 0x7f2e1c266240}
        __PRETTY_FUNCTION__ = "zif_call_user_func_array"
#7  0x0000000000b2a747 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER () at /opt/php-7.0.0alpha1/Zend/zend_vm_execute.h:692
        call = 0x7f2e1c215f90
        fbc = 0x23b8720
        ret = 0x7f2e1c215e90
        __PRETTY_FUNCTION__ = "ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER"
#8  0x0000000000b29bab in execute_ex (ex=0x7f2e1c215030) at /opt/php-7.0.0alpha1/Zend/zend_vm_execute.h:394
        ret = 0
        orig_opline = 0x0
        orig_execute_data = 0x0
#9  0x0000000000b29cbe in zend_execute (op_array=0x7f2e1c273000, return_value=0x0) at /opt/php-7.0.0alpha1/Zend/zend_vm_execute.h:434
        execute_data = 0x7f2e1c215030
#10 0x0000000000ad0a73 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /opt/php-7.0.0alpha1/Zend/zend.c:1389
        files = {{gp_offset = 40, fp_offset = 48, overflow_arg_area = 0x7fff346b01f0, reg_save_area = 0x7fff346b0130}}
        i = 1
        file_handle = 0x7fff346b2520
        op_array = 0x7f2e1c273000
#11 0x0000000000a3df50 in php_execute_script (primary_file=0x7fff346b2520) at /opt/php-7.0.0alpha1/main/main.c:2475
        realfile = "a\356\224\313\000\200\377\377\320\024k4\377\177\000\000\003", '\000' <repeats 31 times>, "\220gT\002\000\000\000\000\006\024\000\000\000\000\000\000\220u\202\r\000\000\000\000/\025d\037.\177\000\000\000\000\001\000\002\000\023\000+\000k4\377\177\000\000P\032k4\377\177", '\000' <repeats 34 times>, "\234\216\214'.\177\000\000\377\377\377\377\377\377\377\377\220u\202\r\000\000\000\000\034\000\000\000\000\000\000\000D\000\000\000\000\000\000\000xz\251'.\177\000\000\026\230\214'.\177\000\000\002\000\000\000\000\000\000\000\000"...
        __orig_bailout = 0x7fff346b2590
        __bailout = {{__jmpbuf = {16, 8727222397168074030, 4497440, 140734072835232, 0, 0, 8727222398067752238, -8727066670248674002}, __mask_was_saved = 0, __saved_mask = {__val = {140734072821232, 193291732856, 18206501, 140734072824576, 
                11074847, 18446744069414584319, 8589934592, 8589934592, 0, 0, 140734072824416, 128, 140734072820816, 140734072820816, 140734072821216, 140734072821216}}}}
        prepend_file_p = 0x0
        append_file_p = 0x0
        prepend_file = {handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, isatty = 0, mmap = {len = 0, pos = 0, map = 0x0, buf = 0x0, old_handle = 0x0, old_closer = 0x0}, reader = 0x0, fsizer = 0x0, closer = 0x0}}, filename = 0x0, 
          opened_path = 0x0, type = ZEND_HANDLE_FILENAME, free_filename = 0 '\000'}
        append_file = {handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, isatty = 0, mmap = {len = 0, pos = 0, map = 0x0, buf = 0x0, old_handle = 0x0, old_closer = 0x0}, reader = 0x0, fsizer = 0x0, closer = 0x0}}, filename = 0x0, 
          opened_path = 0x0, type = ZEND_HANDLE_FILENAME, free_filename = 0 '\000'}
        old_cwd = 0x7fff346b01f0 "/"
        use_heap = 0 '\000'
        retval = 0
#12 0x0000000000ba03b3 in main (argc=3, argv=0x7fff346b4ca8) at /opt/php-7.0.0alpha1/sapi/fpm/fpm/fpm_main.c:1940
        primary_script = 0x7f2e1c203500 "/var/www/hosts/rohlik.l/index.php"
        __orig_bailout = 0x0
        __bailout = {{__jmpbuf = {0, 8727222400552877358, 4497440, 140734072835232, 0, 0, 8727222397170171182, -8727066585289507538}, __mask_was_saved = 0, __saved_mask = {__val = {0 <repeats 16 times>}}}}
        exit_status = 0
        cgi = 0
        c = -1
        use_extended_info = 0
        file_handle = {handle = {fd = 472237312, fp = 0x7f2e1c25c500, stream = {handle = 0x7f2e1c25c500, isatty = 0, mmap = {len = 528, pos = 0, map = 0x0, buf = 0x7f2e27ac7000 <error: Cannot access memory at address 0x7f2e27ac7000>, 
                old_handle = 0x0, old_closer = 0x0}, reader = 0xa5bde4 <_php_stream_read>, fsizer = 0xa3b7f6 <php_zend_stream_fsizer>, closer = 0xa3b7d0 <php_zend_stream_mmap_closer>}}, 
          filename = 0x7f2e1c203000 "/var/www/hosts/rohlik.l/index.php", opened_path = 0x0, type = ZEND_HANDLE_MAPPED, free_filename = 0 '\000'}
        orig_optind = 1
        orig_optarg = 0x0
        ini_entries_len = 0
        max_requests = 500
        requests = 1
        fcgi_fd = 0
        request = {listen_socket = 0, tcp = 0, fd = 3, id = 1, keep = 0, closed = 0, in_len = 0, in_pad = 0, out_hdr = 0x0, out_pos = 0x0, 
          out_buf = "h'k4\377\177\000\000\001\006\000\001\001T\004\000\\n\";\n\t\tfor (var i = 0, scripts = debug.getElementsByTagName('script'); i < scripts.length; i++) {\n\t\t\t(window.execScript || function(data) {\n\t\t\t\twindow['eval'].call(window, data);\n\t\t\t})"..., reserved = "Sheets.l\000\000\000\000\000\000\000", hook = {on_accept = 0xba2d3e <fpm_request_accepting>, on_read = 0xba2dff <fpm_request_reading_headers>, on_close = 0xba339c <fpm_request_finished>}, 
          has_env = 12124692, env = {hash_table = {0x1, 0x0, 0x2548f00, 0x0, 0x0, 0x0, 0x0, 0x0, 0x25490b0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2549290, 0x0, 0x0, 0x0, 0x2548ff0, 0x0, 0x0, 0x0, 0x25492c0, 0x0, 0x0, 0x0, 0x2549380, 0x0, 0x0, 
              0x0, 0x0, 0x0, 0x2549080, 0x0, 0x2549020, 0x2549050, 0x0 <repeats 18 times>, 0x2549170, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2548fc0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2549260, 0x0, 0x2549200, 0x0, 0x25492f0, 0x0, 0x0, 0x0, 0x0, 0x0, 
              0x2549230, 0x2549440, 0x0, 0x0, 0x25491d0, 0x0, 0x0, 0x0, 0x0, 0x2549470, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2548f60, 0x0, 0x2549410, 0x0, 0x0, 0x0, 0x0, 0x25490e0, 0x0, 0x25491a0, 0x0, 0x0, 0x0, 0x25494a0, 0x2548f90, 
              0x0, 0x2549350, 0x0, 0x0, 0x0, 0x0, 0x2549320, 0x25493e0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, list = 0x25493b0, buckets = 0x25494a0, data = 0x2548ef0}}
        fpm_config = 0x7fff346b4f6f ""
        fpm_prefix = 0x0
        fpm_pid = 0x0
        test_conf = 0
        force_daemon = -1
        force_stderr = 0
        php_information = 0
        php_allow_to_run_as_root = 0
        __func__ = "main"
 [2015-06-13 10:02 UTC] cmb@php.net
-Status: Feedback +Status: Open
 [2015-06-13 13:28 UTC] laruence@php.net 
I can only see the adroit is wrong...

it's better you can have a reproducible script...otherwise... I can not do much thing here..(or maybe grant me a ssh access :))
 [2015-06-13 13:28 UTC] laruence@php.net
-Assigned To: +Assigned To: laruence
 [2015-06-13 14:35 UTC] filip at prochazka dot su 
I've encountered this problem on localhost and the software is proprietary. I'll try more to isolate it, but it's dying on me at very deep point of application in a getter. I'm not sure how to isolate that...
 [2015-06-16 08:24 UTC] arjen at react dot com 
Poor mans debugging: register a tick function which prints the current file and line every n ticks (current file and line can be fetched from debug_backtrace()).

declare(ticks=1);

register_tick_function(function(){
 $bt = debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS, 2);
 //gc_collect_cycles(); // uncomment to run gc collection to find invalid object destruction early, not at end of request
 echo $bt[0]['file'] . '::' . $bt[0]['line'] . PHP_EOL;
});

This has worked for me to find exact location (file, line) of errors in big projects.
 [2015-06-17 10:17 UTC] kalle@php.net
-Status: Assigned +Status: Feedback
 [2015-06-27 16:29 UTC] filip at prochazka dot su 
I've tried arjen's tick function and it dies in this file either here
https://github.com/nette/di/blob/26637ad8fa71bfc60935646fb04a9ef8815a0ab6/src/DI/ContainerBuilder.php#L833 or while calling the function. Also, on other few lines for example here https://github.com/nette/di/blob/26637ad8fa71bfc60935646fb04a9ef8815a0ab6/src/DI/ContainerBuilder.php#L742.
Is it stupid to thinkg that accessing the index of array somehow got broken?

Also, I've been running this on alpha2 and the core dump with backtrace is pretty similar

(gdb) bt full
#0  0x0000000000ad6cdf in zend_hash_index_find_bucket (ht=0x7ff45fabb6c0, h=0) at /opt/php-7.0.0alpha2/Zend/zend_hash.c:464
        nIndex = 0
        idx = 11370103
        p = 0x7ff45fabb6c0
        arData = 0x1e
        __PRETTY_FUNCTION__ = "zend_hash_index_find_bucket"
#1  0x0000000000adb1e0 in zend_hash_index_exists (ht=0x7ff45fabb6c0, h=0) at /opt/php-7.0.0alpha2/Zend/zend_hash.c:1935
        p = 0x7ff460c19a60
#2  0x00000000008ef394 in zif_array_key_exists (execute_data=0x7ff460c19a00, return_value=0x7ff460c195d0) at /opt/php-7.0.0alpha2/ext/standard/array.c:5036
        key = 0x7ff460c19a60
        array = 0x7ff45fabb6c0
        __PRETTY_FUNCTION__ = "zif_array_key_exists"
#3  0x0000000000b1e7a7 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER () at /opt/php-7.0.0alpha2/Zend/zend_vm_execute.h:705
        call = 0x7ff460c19a00
        fbc = 0x27f8130
        ret = 0x7ff460c195d0
        __PRETTY_FUNCTION__ = "ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER"
#4  0x0000000000b1dc3e in execute_ex (ex=0x7ff460c16fc0) at /opt/php-7.0.0alpha2/Zend/zend_vm_execute.h:403
        orig_opline = 0x7ff460087ec0
        orig_execute_data = 0x7ff460c16d30
#5  0x0000000000aac99e in zend_call_function (fci=0x7fffd02112d0, fci_cache=0x7fffd02112a0) at /opt/php-7.0.0alpha2/Zend/zend_execute_API.c:841
        call_via_handler = 0
        i = 1
        calling_scope = 0x7ff4600d6840
        call = 0x7ff460c16fc0
        dummy_execute_data = {opline = 0x7ff45fc1a408, call = 0x7fffd02112e0, return_value = 0x7ff460c16fa0, func = 0x7ff45fc203c0, This = {value = {lval = 140736685216272, dval = 6,953316127493364e-310, counted = 0x7fffd0211210, 
              str = 0x7fffd0211210, arr = 0x7fffd0211210, obj = 0x7fffd0211210, res = 0x7fffd0211210, ref = 0x7fffd0211210, ast = 0x7fffd0211210, zv = 0x7fffd0211210, ptr = 0x7fffd0211210, ce = 0x7fffd0211210, func = 0x7fffd0211210, ww = {
                w1 = 3491828240, w2 = 32767}}, u1 = {v = {type = 224 '\340', type_flags = 215 '\327', const_flags = 225 '\341', reserved = 95 '_'}, type_info = 1608636384}, u2 = {var_flags = 32756, next = 32756, cache_slot = 32756, 
              lineno = 32756, num_args = 32756, fe_pos = 32756, fe_iter_idx = 32756}}, run_time_cache = 0x7ff45fc1a408, literals = 0x7ff460159fc0, called_scope = 0x7fffd0211210, prev_execute_data = 0xad272b <zend_fcall_info_args+37>, 
          symbol_table = 0x7ff460c16fb0}
        fci_cache_local = {initialized = 144 '\220', function_handler = 0x40a00000000, calling_scope = 0x7ff45fe1d7f0, called_scope = 0x7ff45fc1a428, object = 0x7ff45fc1a428}
        func = 0x7ff460c10aa0
        orig_scope = 0x7ff4601edab8
        __PRETTY_FUNCTION__ = "zend_call_function"
#6  0x00000000008f4f97 in zif_call_user_func_array (execute_data=0x7ff460c16f40, return_value=0x7ff460c16e40) at /opt/php-7.0.0alpha2/ext/standard/basic_functions.c:4805
        params = 0x7ff460c16fb0
        retval = {value = {lval = 0, dval = 0, counted = 0x0, str = 0x0, arr = 0x0, obj = 0x0, res = 0x0, ref = 0x0, ast = 0x0, zv = 0x0, ptr = 0x0, ce = 0x0, func = 0x0, ww = {w1 = 0, w2 = 0}}, u1 = {v = {type = 0 '\000',
              type_flags = 0 '\000', const_flags = 0 '\000', reserved = 0 '\000'}, type_info = 0}, u2 = {var_flags = 32756, next = 32756, cache_slot = 32756, lineno = 32756, num_args = 32756, fe_pos = 32756, fe_iter_idx = 32756}}
        fci = {size = 72, function_table = 0x7ff4600d6880, function_name = {value = {lval = 140687555298240, dval = 6,9508887870251033e-310, counted = 0x7ff45fc203c0, str = 0x7ff45fc203c0, arr = 0x7ff45fc203c0, obj = 0x7ff45fc203c0,
              res = 0x7ff45fc203c0, ref = 0x7ff45fc203c0, ast = 0x7ff45fc203c0, zv = 0x7ff45fc203c0, ptr = 0x7ff45fc203c0, ce = 0x7ff45fc203c0, func = 0x7ff45fc203c0, ww = {w1 = 1606550464, w2 = 32756}}, u1 = {v = {type = 7 '\a',
                type_flags = 28 '\034', const_flags = 0 '\000', reserved = 0 '\000'}, type_info = 7175}, u2 = {var_flags = 32767, next = 32767, cache_slot = 32767, lineno = 32767, num_args = 32767, fe_pos = 32767, fe_iter_idx = 32767}},
          symbol_table = 0x0, retval = 0x7fffd0211290, params = 0x7ff45fe1d7e0, object = 0x7ff460c74240, no_separation = 1 '\001', param_count = 1}
        fci_cache = {initialized = 1 '\001', function_handler = 0x7ff460c10aa0, calling_scope = 0x7ff4600d6840, called_scope = 0x7ff4600d6840, object = 0x7ff460c74240}
        __PRETTY_FUNCTION__ = "zif_call_user_func_array"
#7  0x0000000000b1e7a7 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER () at /opt/php-7.0.0alpha2/Zend/zend_vm_execute.h:705
        call = 0x7ff460c16f40
        fbc = 0x279a720
        ret = 0x7ff460c16e40
        __PRETTY_FUNCTION__ = "ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER"
#8  0x0000000000b1dc3e in execute_ex (ex=0x7ff460c16030) at /opt/php-7.0.0alpha2/Zend/zend_vm_execute.h:403
        orig_opline = 0x0
        orig_execute_data = 0x0
#9  0x0000000000b1dd50 in zend_execute (op_array=0x7ff460c71000, return_value=0x0) at /opt/php-7.0.0alpha2/Zend/zend_vm_execute.h:447
        execute_data = 0x7ff460c16030
#10 0x0000000000ac4559 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /opt/php-7.0.0alpha2/Zend/zend.c:1389
        files = {{gp_offset = 40, fp_offset = 48, overflow_arg_area = 0x7fffd0211550, reg_save_area = 0x7fffd0211490}}
        i = 1
        file_handle = 0x7fffd0213880
        op_array = 0x7ff460c71000
#11 0x0000000000a31105 in php_execute_script (primary_file=0x7fffd0213880) at /opt/php-7.0.0alpha2/main/main.c:2475
        realfile = "\001\333\336/\000\200\377\377\060(!\320\377\177\000\000\003", '\000' <repeats 31 times>, "\300\210\222\002\000\000\000\000\006\024\000\000\000\000\000\000\220u\202\r\000\000\000\000/\305\td\364\177\000\000\000\000\001\000\002\000\023\000+\000!\320\377\177\000\000\260-!\320\377\177", '\000' <repeats 34 times>, "\234N2l\364\177\000\000\377\377\377\377\377\377\377\377\220u\202\r\000\000\000\000\034\000\000\000\000\000\000\000D\000\000\000\000\000\000\000x:Ol\364\177\000\000\026X2l\364\177\000\000\002\000\000\000\000\000\000\000"...
        __orig_bailout = 0x7fffd02138f0
        __bailout = {{__jmpbuf = {16, 5475004362929379715, 4497408, 140736685226864, 0, 0, 5475004361815792003, -5475041851745461885}, __mask_was_saved = 0, __saved_mask = {__val = {140736685222224, 193291665912, 18139557, 140736685225568,
                11021397, 18446744069414584319, 8589934592, 8589934592, 0, 0, 140736685225408, 128, 140736685221808, 140736685221808, 140736685222208, 140736685222208}}}}
        prepend_file_p = 0x0
        append_file_p = 0x0
---Type <return> to continue, or q <return> to quit---
        prepend_file = {handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, isatty = 0, mmap = {len = 0, pos = 0, map = 0x0, buf = 0x0, old_handle = 0x0, old_closer = 0x0}, reader = 0x0, fsizer = 0x0, closer = 0x0}}, filename = 0x0,
          opened_path = 0x0, type = ZEND_HANDLE_FILENAME, free_filename = 0 '\000'}
        append_file = {handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, isatty = 0, mmap = {len = 0, pos = 0, map = 0x0, buf = 0x0, old_handle = 0x0, old_closer = 0x0}, reader = 0x0, fsizer = 0x0, closer = 0x0}}, filename = 0x0,
          opened_path = 0x0, type = ZEND_HANDLE_FILENAME, free_filename = 0 '\000'}
        old_cwd = 0x7fffd0211550 "/"
        use_heap = 0 '\000'
        retval = 0
#12 0x0000000000b92382 in main (argc=3, argv=0x7fffd0213b78) at /opt/php-7.0.0alpha2/sapi/fpm/fpm/fpm_main.c:1941
        primary_script = 0x7ff460c04500 "/var/www/hosts/rohlik.l/index.php"
        __orig_bailout = 0x0
        __bailout = {{__jmpbuf = {0, 5475004362830813571, 4497408, 140736685226864, 0, 0, 5475004362931476867, -5475042041189197437}, __mask_was_saved = 0, __saved_mask = {__val = {4351400, 140687688703352, 4249168, 4294967296, 4294969392,
                140736685226384, 140736685226728, 140736685226688, 140687765872784, 1, 140687766189344, 140687766188488, 140687763986833, 0, 140687765872784, 140685948747777}}}}
        exit_status = 0
        cgi = 0
        c = -1
        use_extended_info = 0
        file_handle = {handle = {fd = 1623614080, fp = 0x7ff460c66280, stream = {handle = 0x7ff460c66280, isatty = 0, mmap = {len = 553, pos = 0, map = 0x0, buf = 0x7ff46c50f000 <error: Cannot access memory at address 0x7ff46c50f000>,
                old_handle = 0x0, old_closer = 0x0}, reader = 0xa4ee67 <_php_stream_read>, fsizer = 0xa2e9ab <php_zend_stream_fsizer>, closer = 0xa2e985 <php_zend_stream_mmap_closer>}},
          filename = 0x7ff460c04000 "/var/www/hosts/rohlik.l/index.php", opened_path = 0x0, type = ZEND_HANDLE_MAPPED, free_filename = 0 '\000'}
        orig_optind = 1
        orig_optarg = 0x0
        ini_entries_len = 0
        max_requests = 500
        requests = 0
        fcgi_fd = 0
        request = 0x292af20
        fpm_config = 0x7fffd0214f6f ""
        fpm_prefix = 0x0
        fpm_pid = 0x0
        test_conf = 0
        force_daemon = -1
        force_stderr = 0
        php_information = 0
        php_allow_to_run_as_root = 0
        __func__ = "main"
 [2015-06-28 04:22 UTC] php-bugs at lists dot php dot net 
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 [2015-06-28 07:16 UTC] requinix@php.net
-Status: No Feedback +Status: Open
 [2015-07-03 09:08 UTC] arjen at react dot com 
Hi filip, did you try to run it with gc_collect_cycles() uncommented?

It looks like some sort of memory corruption, which could be triggered earlier than the locations you specified. By calling gc_collect_cycles() every tick the problem can appear earlier.
 [2015-08-14 09:13 UTC] bugs dot php dot net at majkl578 dot cz 
Hi laruence, could you please have a look aƄ #70262? It seems to be exactly the same bug, but with a repro script/demo included.
Thanks!
 [2015-08-15 15:24 UTC] filip at prochazka dot su 
Hello, the patch from https://bugs.php.net/bug.php?id=70262 solved also this issue. I've cloned master, applied the patch, compiled it and it started working.

Great work Laruence, thank you!
 [2015-10-02 03:06 UTC] laruence@php.net
-Status: Assigned +Status: Closed
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Mon Nov 03 10:00:02 2025 UTC