From: mbeccati
Operating system: FreeBSD 6.2
PHP version: 5.3.3RC3
Package: Reproducible crash
Bug Type: Bug
Bug description: "zend_mm_heap corrupted" error
Description:
------------
A few things:
* It happens when running a specific "simpletest" integration test
* It doesn't always happen, roughly 33-50% of the time
* Never happened with 5.3.2, I got a report from Bamboo as soon as I
upgraded to 5.3.3RC3

Of course I can't get a simple reproduce script as the aforementioned test
does tons of things, but of course I can provide more information, SSH
access, or try anything I'm asked to.
Test script:
---------------
n/a
Expected result:
----------------
No failure
Actual result:
--------------
"zend_mm_heap corrupted" exit message, with the following backtrace:
#0 0x000000000079f25b in zval_scan (pz=0x3b31970) at
/array1/compile/php-5.3.3RC3-fcgi/Zend/zend_gc.c:485
p = (Bucket *) 0x3661108
#1 0x000000000079f6b9 in gc_collect_cycles () at
/array1/compile/php-5.3.3RC3-fcgi/Zend/zend_gc.c:535
p = (zval_gc_info *) 0xee5ee0
q = (zval_gc_info *) 0x0
orig_free_list = (zval_gc_info *) 0x7fffffffc6e0
orig_next_to_free = (zval_gc_info *) 0x211ef18
count = 0
#2 0x000000000079fbd8 in gc_zval_possible_root (zv=0x33588b0) at
/array1/compile/php-5.3.3RC3-fcgi/Zend/zend_gc.c:166
newRoot = (gc_root_buffer *) 0x3627830
#3 0x00000000007a4fde in zend_assign_to_object (result=0x211ef18,
object_ptr=0xe567a0, property_name=0x211ef60, value_op=0x211efb0,
Ts=0x113b228, opcode=136) at
/array1/compile/php-5.3.3RC3-fcgi/Zend/zend_execute.c:602
object = (zval *) 0x3632b70
free_value = {var = 0x113b701}
value = (zval *) 0x33588b0
retval = (zval **) 0x113b6e0
#4 0x00000000007e2796 in ZEND_ASSIGN_OBJ_SPEC_UNUSED_CONST_HANDLER
(execute_data=0x113b190) at zend_vm_execute.h:17645
opline = (zend_op *) 0x0
#5 0x00000000007a65f9 in execute (op_array=0x2119968) at
zend_vm_execute.h:107
ret = 0
execute_data = (zend_execute_data *) 0x113b190
nested = 1 '\001'
original_in_execution = 1 '\001'
#6 0x0000000000777d94 in zend_call_function (fci=0x7fffffffc970,
fci_cache=0x0) at
/array1/compile/php-5.3.3RC3-fcgi/Zend/zend_execute_API.c:963
call_via_handler = 34934168
i = 18062328
original_return_value = (zval **) 0x1139bf8
calling_symbol_table = (HashTable *) 0x0
original_op_array = (zend_op_array *) 0x2150d98
original_opline_ptr = (zend_op **) 0x1139f28
current_scope = (zend_class_entry *) 0x2118528
current_called_scope = (zend_class_entry *) 0x2104658
calling_scope = (zend_class_entry *) 0x2104658
called_scope = (zend_class_entry *) 0x2104658
current_this = (zval *) 0x30c9840
execute_data = {opline = 0x0, function_state = {function =
0x2109b78, arguments = 0x113a068}, fbc = 0x0, called_scope = 0x0, op_array
= 0x0, object = 0x3632b70, Ts = 0x1139fe0, CVs = 0x1139fc0, symbol_table =
0x0,
prev_execute_data = 0x1139f28, old_error_reporting = 0x0, nested = 1
'\001', original_return_value = 0x2104658, current_scope = 0x30c9840,
current_called_scope = 0x0, current_this = 0x0, current_object = 0x0,
call_opline = 0x1139fc8}
#7 0x0000000000728986 in xml_call_handler (parser=0x2f77938,
handler=0x3356688, function_ptr=0x3627830, argc=3, argv=0x7fffffffca50) at
/array1/compile/php-5.3.3RC3-fcgi/ext/xml/xml.c:530
args = (zval ***) 0x2f7e210
retval = (zval *) 0x0
result = -13744
fci = {size = 72, function_table = 0xe58180, function_name =
0x3356688, symbol_table = 0x0, retval_ptr_ptr = 0x7fffffffc968, param_count
= 3, params = 0x2f7e210, object_ptr = 0x3632b70, no_separation = 0 '\0'}
i = 3
#8 0x000000000072926a in _xml_startElementHandler (userData=0x2f77938,
name=0x11fa8c0 "plugin", attributes=0x0) at
/array1/compile/php-5.3.3RC3-fcgi/ext/xml/xml.c:822
attrs = (const char **) 0x0
att = 0x0
val = 0x11fa8c0 "plugin"
val_len = 0
retval = (zval *) 0x821ae6ce
args = {0x37ba0f0, 0x3359b18, 0x37ba450}
#9 0x000000000072b56e in _start_element_handler (user=0x2d40860,
name=0x11fa8c0 "plugin", attributes=0x0) at
/array1/compile/php-5.3.3RC3-fcgi/ext/xml/compat.c:84
qualified_name = (xmlChar *) 0x11fa8c0 "plugin"
#10 0x00000000820fa26a in xmlParseStartTag () from
/usr/local/lib/libxml2.so.5
No symbol table info available.
#11 0x00000000820ff102 in xmlParseTryOrFinish () from
/usr/local/lib/libxml2.so.5
No symbol table info available.
#12 0x00000000821004ab in xmlParseChunk () from
/usr/local/lib/libxml2.so.5
No symbol table info available.
#13 0x000000000072c00d in php_XML_Parse (parser=0x2d40860, data=0x3540020
"", data_len=56784944, is_final=0) at
/array1/compile/php-5.3.3RC3-fcgi/ext/xml/compat.c:605
error = 0
#14 0x000000000072a963 in zif_xml_parse (ht=62069104,
return_value=0x374c980, return_value_ptr=0x3627830, this_ptr=0x0,
return_value_used=0) at
/array1/compile/php-5.3.3RC3-fcgi/ext/xml/xml.c:1464
parser = (xml_parser *) 0x2f77938
pind = (zval *) 0x374ccf0
data = 0x3356e18 "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"
?>\n<?xml-stylesheet type=\"text/xsl\" href=\"\"?>\n\n<plugin>\n
<name>apRetargetingDriverExternalUI</name>\n
<creationDate>2010-06-10</creationDate>\n <author"...
data_len = 1075
ret = 0
isFinal = 1
#15 0x00000000007a7100 in zend_do_fcall_common_helper_SPEC
(execute_data=0x1139f28) at zend_vm_execute.h:316
i = 3
p = (zval **) 0x113a048
arg_count = 0
opline = (zend_op *) 0x213f2b8
should_change_scope = 0 '\0'
#16 0x00000000007a65f9 in execute (op_array=0x2150d98) at
zend_vm_execute.h:107
ret = 0
execute_data = (zend_execute_data *) 0x1139f28
nested = 1 '\001'
original_in_execution = 0 '\0'
#17 0x0000000000785675 in zend_execute_scripts (type=8, retval=0x0,
file_count=3) at /array1/compile/php-5.3.3RC3-fcgi/Zend/zend.c:1194
files = {{gp_offset = 40, fp_offset = 48, overflow_arg_area =
0x7fffffffcf30, reg_save_area = 0x7fffffffce40}}
i = 1
file_handle = (zend_file_handle *) 0x7fffffffe850
orig_op_array = (zend_op_array *) 0x0
orig_retval_ptr_ptr = (zval **) 0x0
#18 0x0000000000735158 in php_execute_script (primary_file=0x7fffffffe850)
at /array1/compile/php-5.3.3RC3-fcgi/main/main.c:2260
realfile =
"/usr/local/bamboo/test-home/xml-data/build-dir/RET-TRUNK/tests/run.php\000\000>@Ã\200\000\000\000\000\000\027Ã\200\000\000\000\0000áÿÿÿ\177\000\000\000\000\000\000\000\000\000\000\001\000\000\000\000\000\000\000\t*¹\n\000\000\000\000é=Ã\200",
'\0' <repeats 13 times>,
"rÃ\200\000\000\000\000(áÿÿÿ\177\000\000\000\000\000\000\000\000\000\000páÿÿÿ\177\000\000ç\016",
'\0' <repeats 14 times>,
"\001\000\000\000\000\000\000\000\t*¹\n\000\000\000\000\001<Ã\200\000\000\000"...
prepend_file_p = (zend_file_handle *) 0x0
append_file_p = (zend_file_handle *) 0x0
prepend_file = {type = ZEND_HANDLE_FILENAME, filename = 0x0,
opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0,
isatty = 0, mmap = {len = 0, pos = 0, map = 0x0, buf = 0x0, old_handle =
0x0, old_closer = 0},
reader = 0, fsizer = 0, closer = 0}}, free_filename = 0 '\0'}
append_file = {type = ZEND_HANDLE_FILENAME, filename = 0x0,
opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0,
isatty = 0, mmap = {len = 0, pos = 0, map = 0x0, buf = 0x0, old_handle =
0x0, old_closer = 0},
reader = 0, fsizer = 0, closer = 0}}, free_filename = 0 '\0'}
old_cwd = 0x7fffffffcf40 ""
retval = 0
#19 0x00000000008099fb in main (argc=9, argv=0x7fffffffe948) at
/array1/compile/php-5.3.3RC3-fcgi/sapi/cli/php_cli.c:1192
len = 140737488348832
argn = (zval *) 0x80de6600
input = 0x0
index = 9
argi = (zval *) 0x80ee0030
exit_status = 0
c = 0
file_handle = {type = ZEND_HANDLE_MAPPED, filename = 0x7fffffffeb75
"run.php", opened_path = 0x0, handle = {fd = 15152376, fp = 0xe734f8,
stream = {handle = 0xe734f8, isatty = 0, mmap = {len = 5351, pos = 0, map =
0x80df4000,
buf = 0x80df4000 <Address 0x80df4000 out of bounds>, old_handle =
0x8270d840, old_closer = 0x797cd0 <zend_stream_stdio_closer>}, reader =
0x797cb0 <zend_stream_stdio_reader>, fsizer = 0x797cf0
<zend_stream_stdio_fsizer>,
closer = 0x797d50 <zend_stream_mmap_closer>}}, free_filename = 0
'\0'}
behavior = 1
reflection_what = 0x0
orig_optind = 1
orig_optarg = 0x0
arg_free = 0x7fffffffeb75 "run.php"
arg_excp = (char **) 0x3540020
script_file = 0x7fffffffeb75 "run.php"
interactive = 0
module_started = 1
request_started = 1
lineno = 1
exec_direct = 0x0
exec_run = 0x0
exec_begin = 0x0
exec_end = 0x0
param_error = 0x0
hide_argv = 0
ini_entries_len = -6496
--
Edit bug report at http://bugs.php.net/bug.php?id=52349&edit=1