Edit report at https://bugs.php.net/bug.php?id=60990&edit=1
ID: 60990
Comment by: flatline at hardwired dot hu
Reported by: flatline at hardwired dot hu
Summary: Segfault when trying to allocate more memory
Status: Open
Type: Bug
Package: FPM related
Operating System: Debian Squeeze x86_64
PHP Version: 5.3.10
Block user comment: N
Private report: N
New Comment:
Full backtrace without suhosin.so:
(gdb) thread apply all bt full
Thread 1 (Thread 13418):
#0 _zval_ptr_dtor (zval_ptr=0xa1) at
/usr/src/php5/source/php5-5.3.10/Zend/zend_execute_API.c:436
zv = 0x1221730
#1 0x00000000006d0a78 in zend_hash_destroy (ht=0x1bb0de0) at
/usr/src/php5/source/php5-5.3.10/Zend/zend_hash.c:729
p = 0x1221730
#2 0x00000000006c350f in _zval_dtor_func (zvalue=0x1bb0d90) at
/usr/src/php5/source/php5-5.3.10/Zend/zend_variables.c:46
No locals.
#3 0x00000000006b74f9 in _zval_ptr_dtor (zval_ptr=0xa1) at
/usr/src/php5/source/php5-5.3.10/Zend/zend_variables.h:35
zv = 0x1bb0d90
#4 0x00000000006d0712 in zend_hash_apply_deleter (ht=0xe31168, p=0x115ee48) at
/usr/src/php5/source/php5-5.3.10/Zend/zend_hash.c:814
retval = 0x10c92e0
#5 0x00000000006d0998 in zend_hash_graceful_reverse_destroy (ht=0xe31168) at
/usr/src/php5/source/php5-5.3.10/Zend/zend_hash.c:850
p = 0x3654f0c6cb0
#6 0x00000000006b7b0e in shutdown_executor () at
/usr/src/php5/source/php5-5.3.10/Zend/zend_execute_API.c:256
__orig_bailout = <incomplete type>
__bailout = {{__jmpbuf = {14880736, 0, 2924945600, 862009622, 17601248,
0, 17605824, 0}, __mask_was_saved = 0, __saved_mask = {__val = {1280986688, 869,
14946704, 0, 7227061, 0, 18392456, 0, 18305824, 0, 14946704, 0,
7227061, 0, 14946704, 0}}}}
__orig_bailout = <incomplete type>
__bailout = {{__jmpbuf = {14880736, 0, 2924945600, 862009622, 17601248,
0, 17605824, 0}, __mask_was_saved = 0, __saved_mask = {__val = {1280986688, 869,
14946704, 0, 7227061, 0, 18392456, 0, 18305824, 0, 14946704, 0,
7227061, 0, 14946704, 0}}}}
#7 0x00000000006c4762 in zend_deactivate () at
/usr/src/php5/source/php5-5.3.10/Zend/zend.c:963
__orig_bailout = 0x0
__bailout = {{__jmpbuf = {152109408, 962, 14878784, 0, 2924945600,
862009622, 17601248, 0}, __mask_was_saved = 862134464, __saved_mask = {__val = {
0 <repeats 12 times>, 17680896, 0, 0, 145}}}}
__orig_bailout = 0x0
__bailout = {{__jmpbuf = {152109408, 962, 14878784, 0, 2924945600,
862009622, 17601248, 0}, __mask_was_saved = 862134464, __saved_mask = {__val = {
0 <repeats 12 times>, 17680896, 0, 0, 145}}}}
__orig_bailout = 0x6c46dd
__bailout = {{__jmpbuf = {152109408, 962, 14878784, 0, 2924945600,
862009622, 17601248, 0}, __mask_was_saved = 862134464, __saved_mask = {__val = {
0 <repeats 12 times>, 17680896, 0, 0, 145}}}}
__orig_bailout = 0x6c46dd
__bailout = {{__jmpbuf = {152109408, 962, 14878784, 0, 2924945600,
862009622, 17601248, 0}, __mask_was_saved = 862134464, __saved_mask = {__val = {
0 <repeats 12 times>, 17680896, 0, 0, 145}}}}
__orig_bailout = 0x10ca4c0
__bailout = {{__jmpbuf = {152109408, 962, 14878784, 0, 2924945600,
862009622, 17601248, 0}, __mask_was_saved = 862134464, __saved_mask = {__val = {
0 <repeats 12 times>, 17680896, 0, 0, 145}}}}
__orig_bailout = 0x6c46dd
__bailout = {{__jmpbuf = {152109408, 962, 14878784, 0, 2924945600,
862009622, 17601248, 0}, __mask_was_saved = 862134464, __saved_mask = {__val = {
0 <repeats 12 times>, 17680896, 0, 0, 145}}}}
__orig_bailout = 0x0
__bailout = {{__jmpbuf = {152109408, 962, 14878784, 0, 2924945600,
862009622, 17601248, 0}, __mask_was_saved = 862134464, __saved_mask = {__val = {
0 <repeats 12 times>, 17680896, 0, 0, 145}}}}
#8 0x000000000066f3e5 in php_request_shutdown (dummy=0xa1) at
/usr/src/php5/source/php5-5.3.10/main/main.c:1664
report_memleaks = 0 '\000'
#9 0x0000000000758ca0 in main (argc=17601248, argv=0x10ca4c0) at
/usr/src/php5/source/php5-5.3.10/sapi/fpm/fpm/fpm_main.c:1886
primary_script = 0x1000000 "\203â¨ü\201>ÄG\016"
__bailout = {{__jmpbuf = {0, 0, 11849916, 0, 4122419392, 887433970, 3,
0}, __mask_was_saved = -1285480256, __saved_mask = {__val = {0, 0, 0, 0, 0, 0,
1324713501, 869, 0, 0, 1270933192, 869, 0, 0, 1324685090,
869}}}}
exit_status = 0
c = 7091440
file_handle = {type = ZEND_HANDLE_FILENAME, filename = 0x4 <Address 0x4
out of bounds>,
opened_path = 0x10c9718
"'\177(Å»\017D>\"/xxxxx.hu/html/kat-origi.phtml", handle = {fd = 0, fp = 0x0,
stream = {handle = 0x0, isatty = 17723752, mmap = {
len = 0, pos = 20674, map = 0x0, buf = 0x3654f03c000 <Address
0x3654f03c000 out of bounds>, old_handle = 0x3654f03c000, old_closer =
0x1107220},
reader = 0x6d9820 <zend_stream_stdio_closer>, fsizer = 0x6d9e60
<zend_stream_stdio_reader>, closer = 0x6d98e0 <zend_stream_stdio_fsizer>}},
free_filename = 224 'Å'}
orig_optind = 0
orig_optarg = 0x0
max_requests = 0
requests = 17722696
fcgi_fd = 7042240
request = {listen_socket = 1, fd = 0, id = 0, keep = 3, closed = 1,
in_len = 0, in_pad = 0, out_hdr = 0x0, out_pos = 0x3c2091102f0 "",
out_buf =
"v\004\021\tÃ\003\000\000\000\006\000\000\000\000\000\000Expires: Thu, 19 Nov
1981 08:52:00 GMT\r\nCache-Control: no-store, no-cache, must-revalidate,
post-check=0, pre-check=0\r\nPragma: no-cache\r\nSet-Cookie:
sess_odi_sid=o7fjrtnnpohsuqg7a7114b"..., reserved = '\000' <repeats 15 times>,
env = 0x0}
fpm_config = 0x0
fpm_prefix = 0x0
fpm_pid = 0x3c20911266b ""
test_conf = 0
php_information = 0
__func__ = "main"
Previous Comments:
------------------------------------------------------------------------
[2012-02-07 10:58:06] flatline at hardwired dot hu
Full backtrace with suhosin.so:
(gdb) thread apply all bt full
Thread 1 (Thread 18218):
#0 zend_mm_remove_from_free_list (heap=0xe40ab0, mm_block=0x1c85988) at
/usr/src/php5/source/php5-5.3.10/Zend/zend_alloc_canary.c:880
index = 9
rp = 0x9
cp = 0x1c85988
prev = 0x0
next = 0x0
#1 0x00000000006e4738 in _zend_mm_free_canary_int (heap=0xe40ab0, p=0x1c85960)
at /usr/src/php5/source/php5-5.3.10/Zend/zend_alloc_canary.c:2133
mm_block = 0x1c85938
next_block = 0x1c85988
size = 80
#2 0x00000000006d0712 in zend_hash_apply_deleter (ht=0xe31168, p=0x1126638) at
/usr/src/php5/source/php5-5.3.10/Zend/zend_hash.c:814
retval = 0x119b5e0
#3 0x00000000006d0998 in zend_hash_graceful_reverse_destroy (ht=0xe31168) at
/usr/src/php5/source/php5-5.3.10/Zend/zend_hash.c:850
p = 0x1c85988
#4 0x00000000006b7b0e in shutdown_executor () at
/usr/src/php5/source/php5-5.3.10/Zend/zend_execute_API.c:256
__orig_bailout = <incomplete type>
__bailout = {{__jmpbuf = {14880736, 0, 1622845780, 3043182966,
18462176, 0, 18465520, 0}, __mask_was_saved = 0, __saved_mask = {__val =
{2924002880, 830,
14944944, 0, 7227061, 0, 17601944, 0, 18074376, 0, 14944944, 0,
7227061, 0, 14944944, 0}}}}
__orig_bailout = <incomplete type>
__bailout = {{__jmpbuf = {14880736, 0, 1622845780, 3043182966,
18462176, 0, 18465520, 0}, __mask_was_saved = 0, __saved_mask = {__val =
{2924002880, 830,
14944944, 0, 7227061, 0, 17601944, 0, 18074376, 0, 14944944, 0,
7227061, 0, 14944944, 0}}}}
#5 0x00000000006c4762 in zend_deactivate () at
/usr/src/php5/source/php5-5.3.10/Zend/zend.c:963
__orig_bailout = 0x0
__bailout = {{__jmpbuf = {428990512, 958, 14878784, 0, 1622845780,
3043182966, 18462176, 0}, __mask_was_saved = -40982188, __saved_mask = {__val =
{
0 <repeats 12 times>, 18541400, 0, 0, 145}}}}
__orig_bailout = 0x0
__bailout = {{__jmpbuf = {428990512, 958, 14878784, 0, 1622845780,
3043182966, 18462176, 0}, __mask_was_saved = -40982188, __saved_mask = {__val =
{
0 <repeats 12 times>, 18541400, 0, 0, 145}}}}
__orig_bailout = 0x6c46dd
__bailout = {{__jmpbuf = {428990512, 958, 14878784, 0, 1622845780,
3043182966, 18462176, 0}, __mask_was_saved = -40982188, __saved_mask = {__val =
{
0 <repeats 12 times>, 18541400, 0, 0, 145}}}}
__orig_bailout = 0x6c46dd
__bailout = {{__jmpbuf = {428990512, 958, 14878784, 0, 1622845780,
3043182966, 18462176, 0}, __mask_was_saved = -40982188, __saved_mask = {__val =
{
0 <repeats 12 times>, 18541400, 0, 0, 145}}}}
__orig_bailout = 0x119c2f0
__bailout = {{__jmpbuf = {428990512, 958, 14878784, 0, 1622845780,
3043182966, 18462176, 0}, __mask_was_saved = -40982188, __saved_mask = {__val =
{
0 <repeats 12 times>, 18541400, 0, 0, 145}}}}
__orig_bailout = 0x6c46dd
__bailout = {{__jmpbuf = {428990512, 958, 14878784, 0, 1622845780,
3043182966, 18462176, 0}, __mask_was_saved = -40982188, __saved_mask = {__val =
{
0 <repeats 12 times>, 18541400, 0, 0, 145}}}}
__orig_bailout = 0x0
__bailout = {{__jmpbuf = {428990512, 958, 14878784, 0, 1622845780,
3043182966, 18462176, 0}, __mask_was_saved = -40982188, __saved_mask = {__val =
{
0 <repeats 12 times>, 18541400, 0, 0, 145}}}}
#6 0x000000000066f3e5 in php_request_shutdown (dummy=0xe40ab0) at
/usr/src/php5/source/php5-5.3.10/main/main.c:1664
report_memleaks = 0 '\000'
#7 0x0000000000758ca0 in main (argc=18462176, argv=0x119c2f0) at
/usr/src/php5/source/php5-5.3.10/sapi/fpm/fpm/fpm_main.c:1886
primary_script = 0x1000000 "ÃÃe\237i\177ôh\023"
__bailout = {{__jmpbuf = {0, 0, 11849916, 0, 1996138836, 2988407700, 3,
0}, __mask_was_saved = 2106370388, __saved_mask = {__val = {0, 0, 0, 0, 0, 0,
2967729693, 830, 0, 0, 2913949384, 830, 0, 0, 2967701282,
830}}}}
exit_status = 0
c = 29907336
file_handle = {type = ZEND_HANDLE_FILENAME, filename = 0x2 <Address 0x2
out of bounds>,
opened_path = 0x119b500
"ż\235K\212w\216lÃ/xxxxx.hu/html/kat-origi.phtml", handle = {fd = 0, fp =
0x0, stream = {handle = 0x0, isatty = 18169248, mmap = {
len = 0, pos = 0, map = 0x0, buf = 0x0, old_handle = 0x0,
old_closer = 0}, reader = 0, fsizer = 0, closer = 0}}, free_filename = 0 '\000'}
orig_optind = 0
orig_optarg = 0x0
max_requests = 0
requests = 18583184
fcgi_fd = 0
request = {listen_socket = 1, fd = 0, id = 0, keep = 3, closed = 1,
in_len = 0, in_pad = 0, out_hdr = 0x0, out_pos = 0x3be1991e1c0 "\001\006",
out_buf =
"FÄ\221\031ž\003\000\000\001\006\000\001\000\006\002\000Expires: Thu, 19 Nov
1981 08:52:00 GMT\r\nCache-Control: no-store, no-cache, must-revalidate,
post-check=0, pre-check=0\r\nPragma: no-cache\r\nSet-Cookie:
sess_odi_sid=rlkoioa5p89rt75mbou02m"..., reserved =
"erticum.\000\000\000\000\000\000\000", env = 0x0}
fpm_config = 0x0
fpm_prefix = 0x0
fpm_pid = 0x3be19920522 ""
test_conf = 0
php_information = 0
__func__ = "main"
------------------------------------------------------------------------
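Added example (not part of the bug report or of PHP): a small Python parser for the wrapped `bt full` frame lines in the two backtraces above, which lines the crashes up from the outermost frame inward. The names `frames` and `shared_callers` belong to this example only; the frame text is copied from the two traces with the locals omitted.

```python
import re

# Frames copied from the two backtraces above, locals omitted; gdb's wrapping
# of "at <file>:<line>" onto the next line is kept as posted.
WITHOUT_SUHOSIN = """\
#0 _zval_ptr_dtor (zval_ptr=0xa1) at
/usr/src/php5/source/php5-5.3.10/Zend/zend_execute_API.c:436
#1 0x00000000006d0a78 in zend_hash_destroy (ht=0x1bb0de0) at
/usr/src/php5/source/php5-5.3.10/Zend/zend_hash.c:729
#2 0x00000000006c350f in _zval_dtor_func (zvalue=0x1bb0d90) at
/usr/src/php5/source/php5-5.3.10/Zend/zend_variables.c:46
#3 0x00000000006b74f9 in _zval_ptr_dtor (zval_ptr=0xa1) at
/usr/src/php5/source/php5-5.3.10/Zend/zend_variables.h:35
#4 0x00000000006d0712 in zend_hash_apply_deleter (ht=0xe31168, p=0x115ee48) at
/usr/src/php5/source/php5-5.3.10/Zend/zend_hash.c:814
#5 0x00000000006d0998 in zend_hash_graceful_reverse_destroy (ht=0xe31168) at
/usr/src/php5/source/php5-5.3.10/Zend/zend_hash.c:850
#6 0x00000000006b7b0e in shutdown_executor () at
/usr/src/php5/source/php5-5.3.10/Zend/zend_execute_API.c:256
"""
WITH_SUHOSIN = """\
#0 zend_mm_remove_from_free_list (heap=0xe40ab0, mm_block=0x1c85988) at
/usr/src/php5/source/php5-5.3.10/Zend/zend_alloc_canary.c:880
#1 0x00000000006e4738 in _zend_mm_free_canary_int (heap=0xe40ab0, p=0x1c85960)
at /usr/src/php5/source/php5-5.3.10/Zend/zend_alloc_canary.c:2133
#2 0x00000000006d0712 in zend_hash_apply_deleter (ht=0xe31168, p=0x1126638) at
/usr/src/php5/source/php5-5.3.10/Zend/zend_hash.c:814
#3 0x00000000006d0998 in zend_hash_graceful_reverse_destroy (ht=0xe31168) at
/usr/src/php5/source/php5-5.3.10/Zend/zend_hash.c:850
#4 0x00000000006b7b0e in shutdown_executor () at
/usr/src/php5/source/php5-5.3.10/Zend/zend_execute_API.c:256
"""

FRAME = re.compile(
    r"^#(\d+)\s+(?:0x[0-9a-f]+ in )?(\w+) \((.*?)\)\s+at\s+(\S+):(\d+)",
    re.M | re.S)

def frames(bt):
    """Parse backtrace text into (function, file, line, args), innermost first."""
    return [(m[2], m[4].rsplit("/", 1)[-1], int(m[5]), " ".join(m[3].split()))
            for m in FRAME.finditer(bt)]

def shared_callers(a, b):
    """Pairs of frames equal on (function, file, line), outermost frame inward."""
    fa, fb = frames(a), frames(b)
    n = 0
    while n < min(len(fa), len(fb)) and fa[-1 - n][:3] == fb[-1 - n][:3]:
        n += 1
    return list(zip(fa[len(fa) - n:], fb[len(fb) - n:]))

if __name__ == "__main__":
    for fa, fb in shared_callers(WITHOUT_SUHOSIN, WITH_SUHOSIN):
        print(f"{fa[0]} {fa[1]}:{fa[2]}  args: {fa[3]} | {fb[3]}")
```

Both traces share the chain `shutdown_executor` -> `zend_hash_graceful_reverse_destroy` -> `zend_hash_apply_deleter` on the same `ht=0xe31168` and differ only in the frames above `zend_hash_apply_deleter`.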
[2012-02-07 10:50:05] flatline at hardwired dot hu
Sesser: Several sites run with different pools under php5-fpm. Lots of
different codebases, it only occurs with one of the hosted pages, with one
specific file, when the result set is larger than the allowed php memory_limit.
Starts with a big search query, does lots of manipulation on the result set,
and when it gets back to the main file, segfaults.
Mainfile.php -> includes Searchfile.php -> data manipulation, hits memory limit
-> gets back to Mainfile.php and it immediately segfaults.
The script runs well 99,9% of the time, but when it bumps into the
memory_limit, the segfault occurs.
I'll get the full backtrace, I'm not sure about valgrind, but if you tell me
the details, I can get that too.
------------------------------------------------------------------------
[2012-02-07 10:03:02] [email protected]
"I don't know what you mean under "Do you have NO PHP code running on the
system?"
I just wanted to know how this crash happens:
a) one specific PHP file
b) nearly all files
c) by just requesting any file
(in case of C the most obvious reason would be some extension being compiled in
a different way than PHP itself - Debian e.g. for a long time compiled their PHP
with LFS support, but forgot to set this flag in PHP-DEV so all compiled
extensions had different struct sizes for some structs. And this caused crashes
e.g. in Suhosin.so)
------------------------------------------------------------------------
[2012-02-07 07:42:31] [email protected]
Full backtrace (or even better, a run under valgrind if it's reproducible) would
be helpful.
I'd also recommend trying without suhosin.so just to ensure the problem is not
there (second trace still shows it loading).
From the trace it looks like the fault is in _zval_ptr_dtor which doesn't look
like segfault as a result of allocator returning null - the argument is not null
and _zval_ptr_dtor is not usually called right after allocator. Does it also
crash if you set envt variable USE_ZEND_MM to 0 (that turns off Zend MM)?
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
https://bugs.php.net/bug.php?id=60990