From: imprec at gmail dot com
Operating system: Linux / OSX
PHP version: 5.4.9
Package: *General Issues
Bug Type: Bug
Bug description: Segmentation Fault when calling zend_std_object_get_class
Description:
------------
A segfault always happens when running the Imagine test suite
(https://github.com/avalanche123/Imagine). This segfault happens when running the
gmagick driver tests, but it is not reproducible outside the test scope. I think it
is not completely gmagick related, as the backtrace references PHP core calls as
responsible for the segfault (see attached backtrace).

This bug occurs with PHP 5.3.10, PHP 5.4.9, PHP 5.5.0-dev.

I can provide a dedicated debug box for this error.

Test script:
---------------
Running the Imagine test suite with gmagick extension 1.1.1.RC1 or 1.1.0.RC3 will
produce the segfault (https://github.com/avalanche123/Imagine).

Expected result:
----------------
No segmentation fault

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
0x000000000081e0c9 in zend_std_object_get_class (object=0x7ffff073bf70) at /usr/local/src/php-5.4.9/Zend/zend_object_handlers.c:1454
1454          return zobj->ce;
(gdb) backtrace full
#0  0x000000000081e0c9 in zend_std_object_get_class (object=0x7ffff073bf70) at /usr/local/src/php-5.4.9/Zend/zend_object_handlers.c:1454
        zobj = 0x7fff00009e61
#1  0x00000000007e9ed0 in zend_get_class_entry (zobject=0x7ffff073bf70) at /usr/local/src/php-5.4.9/Zend/zend_API.c:238
No locals.
#2 0x0000000000875f6b in ZEND_INIT_METHOD_CALL_SPEC_VAR_CONST_HANDLER (execute_data=0x7ffff7fa6a10) at /usr/local/src/php-5.4.9/Zend/zend_vm_execute.h:13466 opline = 0x7ffff0c316d8 function_name = 0x7ffff0c30738 function_name_strval = 0x7ffff7eb9768 "destroy" function_name_strlen = 7 free_op1 = {var = 0x0} #3 0x00000000008262e2 in execute (op_array=0x7ffff0c30e30) at /usr/local/src/php-5.4.9/Zend/zend_vm_execute.h:410 ret = 0 execute_data = 0x7ffff7fa6a10 nested = 1 '\001' original_in_execution = 1 '\001' #4 0x00000000007d5758 in zend_call_function (fci=0x7fffffff9890, fci_cache=0x7fffffff98e0) at /usr/local/src/php-5.4.9/Zend/zend_execute_API.c:958 i = 0 original_return_value = 0x0 calling_symbol_table = 0x0 original_op_array = 0x7ffff1806650 original_opline_ptr = 0x7ffff7fa6138 current_scope = 0x7ffff1802570 current_called_scope = 0x7ffff1802570 calling_scope = 0x7ffff073d6d8 called_scope = 0x7ffff073d6d8 current_this = 0x7fffed5d82b0 execute_data = {opline = 0x0, function_state = {function = 0x7ffff0c30e30, arguments = 0x7ffff7fa6a08}, fbc = 0x0, called_scope = 0x0, op_array = 0x0, object = 0x7ffff08973d0, Ts = 0x7ffff7fa61d8, CVs = 0x7ffff7fa61c8, symbol_table = 0x0, prev_execute_data = 0x7ffff7fa6138, old_error_reporting = 0x0, nested = 1 '\001', original_return_value = 0x7ffff0dfddb8, current_scope = 0x7ffff0dfea80, current_called_scope = 0x7ffff0fc7638, current_this = 0x7ffff0fc7818, current_object = 0x0} fci_cache_local = {initialized = 144 '\220', function_handler = 0x0, calling_scope = 0x7fffffff9670, called_scope = 0x7ffff11188f0, object_ptr = 0x0} #5 0x0000000000807695 in zend_call_method (object_pp=0x7fffffff99b8, obj_ce=0x7ffff073d6d8, fn_proxy=0x7fffffff99b0, function_name=0xd039c6 "__destruct", function_name_len=10, retval_ptr_ptr=0x0, param_count=0, arg1=0x0, arg2=0x0) at /usr/local/src/php-5.4.9/Zend/zend_interfaces.c:97 fcic = {initialized = 1 '\001', function_handler = 0x7ffff0c30e30, calling_scope = 0x7ffff073d6d8, called_scope = 
0x7ffff073d6d8, object_ptr = 0x7ffff08973d0} result = 32 fci = {size = 72, function_table = 0xf9b2d0, function_name = 0x7fffffff9910, symbol_table = 0x0, retval_ptr_ptr = 0x7fffffff9948, param_count = 0, params = 0x7fffffff9930, object_ptr = 0x7ffff08973d0, no_separation = 1 '\001'} z_fname = {value = {lval = 140737488329072, dval = 6.9533558065377856e- 310, str = { val = 0x7fffffff9970 "\360\231\377\377\377\177", len = 8280692}, ht = 0x7fffffff9970, obj = {handle = 4294941040, handlers = 0x7e5a74}}, refcount__gc = 4035539952, type = 255 '\377', is_ref__gc = 127 '\177'} retval = 0x0 function_table = 0x7ffff073d700 params = {0x7fffffff9988, 0x7fffffff9990} #6 0x0000000000814fbf in zend_objects_destroy_object (object=0x7ffff0745cc0, handle=45021) at /usr/local/src/php-5.4.9/Zend/zend_objects.c:123 old_exception = 0x0 obj = 0x7ffff08973d0 obj_bucket = 0x7fffee6a87b0 destructor = 0x7ffff0c30e30 #7 0x00000000008125d9 in gc_collect_cycles () at /usr/local/src/php- 5.4.9/Zend/zend_gc.c:814 p = 0x7ffff0745d38 q = 0x0 orig_free_list = 0x0 orig_next_to_free = 0x0 count = 84 #8 0x0000000000810b32 in gc_zval_possible_root (zv=0x7fffed5d8818) at /usr/local/src/php-5.4.9/Zend/zend_gc.c:166 newRoot = 0x0 #9 0x0000000000828642 in gc_zval_check_possible_root (z=0x7fffed5d8818) at /usr/local/src/php-5.4.9/Zend/zend_gc.h:183 No locals. #10 i_zval_ptr_dtor (__zend_lineno=<optimized out>, __zend_filename=0xd04300 "/usr/local/src/php-5.4.9/Zend/zend_execute.h", zval_ptr=0x7fffed5d8818) at /usr/local/src/php-5.4.9/Zend/zend_execute.h:97 No locals. 
#11 zend_vm_stack_clear_multiple () at /usr/local/src/php- 5.4.9/Zend/zend_execute.h:339 q = 0x7fffed5d8818 p = 0x7ffff7fa69f8 delete_count = 0 #12 zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7fa6138) at /usr/local/src/php-5.4.9/Zend/zend_vm_execute.h:736 opline = 0x7ffff18096c8 should_change_scope = 0 '\000' fbc = 0xfe3f20 #13 0x000000000082889c in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7ffff7fa6138) at /usr/local/src/php-5.4.9/Zend/zend_vm_execute.h:752 No locals. #14 0x00000000008262e2 in execute (op_array=0x7ffff1806650) at /usr/local/src/php-5.4.9/Zend/zend_vm_execute.h:410 ret = 0 execute_data = 0x7ffff7fa6138 nested = 1 '\001' original_in_execution = 1 '\001' #15 0x00000000007d5758 in zend_call_function (fci=0x7fffffffa0e0, fci_cache=0x7fffffffa130) at /usr/local/src/php-5.4.9/Zend/zend_execute_API.c:958 i = 1 original_return_value = 0x7ffff7fa5ae0 calling_symbol_table = 0x0 original_op_array = 0x7ffff0b19920 original_opline_ptr = 0x7ffff7fa5b48 current_scope = 0x7ffff073d6d8 current_called_scope = 0x7ffff073d6d8 calling_scope = 0x7ffff073d6d8 called_scope = 0x7ffff073d6d8 current_this = 0x7ffff0dff3b0 execute_data = {opline = 0x0, function_state = {function = 0x7ffff07f5f88, arguments = 0x7ffff7fa5cc8}, fbc = 0x0, called_scope = 0x0, op_array = 0x0, object = 0x7ffff0dff3b0, Ts = 0x7ffff7fa5be8, CVs = 0x7ffff7fa5bd8, symbol_table = 0x0, prev_execute_data = 0x7ffff7fa5b48, old_error_reporting = 0x0, nested = 1 '\001', original_return_value = 0x7ffff7fa5a60, current_scope = 0x7ffff073d6d8, current_called_scope = 0x7ffff073d6d8, current_this = 0x7ffff0dff3b0, current_object = 0x0} fci_cache_local = {initialized = 225 '\341', function_handler = 0xcffb18, calling_scope = 0x10000, called_scope = 0xf9b2d0, object_ptr = 0x7fffffff9ec0} #16 0x00000000006baa98 in zif_array_map (ht=2, return_value=0x7ffff0a7fc88, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1) at /usr/local/src/php-5.4.9/ext/standard/array.c:4337 str_key_len = 0 num_key = 
4779 str_key = 0x20 <Address 0x20 out of bounds> key_type = 2 arrays = 0x7ffff0df8210 n_arrays = 1 params = 0x7ffff0df8210 result = 0x0 null = 0x7ffff0b57d18 array_pos = 0x7fffed2b3920 args = 0x7ffff0782bf8 fci = {size = 72, function_table = 0x7ffff073d700, function_name = 0x7fffed2c3e98, symbol_table = 0x0, retval_ptr_ptr = 0x7fffffffa168, param_count = 1, params = 0x7ffff0df8210, object_ptr = 0x7ffff0dff3b0, no_separation = 0 '\000'} fci_cache = {initialized = 0 '\000', function_handler = 0x7ffff07f5f88, calling_scope = 0x7ffff073d6d8, called_scope = 0x7ffff073d6d8, object_ptr = 0x7ffff0dff3b0} i = 1 k = 4779 maxlen = 6438 array_len = 0x7ffff0dff250 #17 0x00000000008279f8 in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7fa5b48) at /usr/local/src/php-5.4.9/Zend/zend_vm_execute.h:642 ret = 0x7ffff7fa5c88 opline = 0x7ffff0b18598 should_change_scope = 0 '\000' fbc = 0xff6da0 #18 0x000000000082889c in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7ffff7fa5b48) at /usr/local/src/php-5.4.9/Zend/zend_vm_execute.h:752 No locals. 
#19 0x00000000008262e2 in execute (op_array=0x7ffff0b19920) at /usr/local/src/php-5.4.9/Zend/zend_vm_execute.h:410 ret = 0 execute_data = 0x7ffff7fa5b48 nested = 1 '\001' original_in_execution = 1 '\001' #20 0x00000000007d5758 in zend_call_function (fci=0x7fffffffa8d0, fci_cache=0x7fffffffa920) at /usr/local/src/php-5.4.9/Zend/zend_execute_API.c:958 i = 0 original_return_value = 0x7ffff7fa4208 calling_symbol_table = 0x0 original_op_array = 0x7ffff1473670 original_opline_ptr = 0x7ffff7fa4ea8 current_scope = 0x0 current_called_scope = 0x10e1f70 calling_scope = 0x7ffff14fb640 called_scope = 0x7ffff14fb640 current_this = 0x7ffff0dfe7a0 execute_data = {opline = 0x0, function_state = {function = 0x7ffff14fbae8, arguments = 0x7ffff7fa5920}, fbc = 0x0, called_scope = 0x0, op_array = 0x0, object = 0x7ffff142d5c0, Ts = 0x7ffff7fa4fa8, CVs = 0x7ffff7fa4f38, symbol_table = 0x0, prev_execute_data = 0x7ffff7fa4ea8, old_error_reporting = 0x0, nested = 1 '\001', original_return_value = 0x0, current_scope = 0x7ffff1a42d70, current_called_scope = 0x7ffff14fb640, current_this = 0x7ffff142d5c0, current_object = 0x0} fci_cache_local = {initialized = 16 '\020', function_handler = 0x200000000, calling_scope = 0x7fffffffa6b0, called_scope = 0x0, object_ptr = 0x0} #21 0x0000000000652bc3 in zim_reflection_method_invokeArgs (ht=2, return_value=0x7ffff0dfec18, return_value_ptr=0x0, this_ptr=0x7ffff0dfe7a0, return_value_used=1) at /usr/local/src/php- 5.4.9/ext/reflection/php_reflection.c:3017 retval_ptr = 0x0 params = 0x7ffff0e5a280 object = 0x7ffff142d5c0 intern = 0x7ffff0dfe9f8 mptr = 0x7ffff14fbae8 argc = 0 result = 624 fci = {size = 72, function_table = 0x0, function_name = 0x0, symbol_table = 0x0, retval_ptr_ptr = 0x7fffffffa950, param_count = 0, params = 0x7ffff0e5a280, object_ptr = 0x7ffff142d5c0, no_separation = 1 '\001'} fcc = {initialized = 1 '\001', function_handler = 0x7ffff14fbae8, calling_scope = 0x7ffff14fb640, called_scope = 0x7ffff14fb640, object_ptr = 0x7ffff142d5c0} obj_ce = 
0x7ffff14fb640 param_array = 0x7ffff0dfeb00 #22 0x00000000008279f8 in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7fa4ea8) at /usr/local/src/php-5.4.9/Zend/zend_vm_execute.h:642 ret = 0x7ffff7fa5288 opline = 0x7ffff19e5258 should_change_scope = 1 '\001' fbc = 0x10e3640 #23 0x000000000082889c in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7ffff7fa4ea8) at /usr/local/src/php-5.4.9/Zend/zend_vm_execute.h:752 No locals. #24 0x00000000008262e2 in execute (op_array=0x7ffff1473670) at /usr/local/src/php-5.4.9/Zend/zend_vm_execute.h:410 ret = 0 execute_data = 0x7ffff7fa4ea8 nested = 1 '\001' original_in_execution = 0 '\000' #25 0x00000000007e8d32 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/local/src/php-5.4.9/Zend/zend.c:1309 files = {{gp_offset = 40, fp_offset = 48, overflow_arg_area = 0x7fffffffae70, reg_save_area = 0x7fffffffadb0}} i = 1 file_handle = 0x7fffffffd290 orig_op_array = 0x0 orig_retval_ptr_ptr = 0x0 orig_interactive = 0 #26 0x000000000075b3fa in php_execute_script (primary_file=0x7fffffffd290) at /usr/local/src/php-5.4.9/main/main.c:2482 realfile = "/usr/bin/phpunit", '\000' <repeats 24 times>, "\020\235\003\000\000\000\000\000\270\235\003\000\000\000\000\000\021", '\000' <repeats 15 times>"\200, \301\377\377\377\177\000\000P\347z\000\000\000\000\000t:\336\367\377\177\000\000 в \371\000\000\000\000\000\b\000\000\000\000\000\000\000\n\000\000\000\000\000\000 \000\330\340\375\367\377\177\000\000fII\"\000\000\000\000\236B\336\367\377\177\0 00\000\000\000\000\000\000\000\000\000&\000\000\000\000\000\000\000\060\303\377\ 377\377\177\000\000\377\377\377\377\000\000\000\000L\256\224\366\377\177\000\000 \250\274\224\366\377\177\000\000\000\303\377\377\377\177\000\000\000\000\000\000 \000\000\000\000\320\063\225\366\377\177\000\000\310W\316", '\000' <repeats 13 times>"\330, \342\375\367\377\177\000\000\310\371\375\367\377\177\000\000\261\024A\000\000\00 
0\000\000\370\211\225\366\377\177\000\000xH@\000\000\000\000\000\000\000\000\000 \001\000\000\000\367\004\000\000\001", '\000' <repeats 11 times>... __orig_bailout = 0x7fffffffd130 __bailout = {{__jmpbuf = {0, -827595844864590484, 4327200, 140737488348784, 0, 0, -827595847093863060, 827596775867399532}, __mask_was_saved = 0, __saved_mask = {__val = {0, 0, 4276675, 0, 0, 0, 0, 0, 0, 0, 0, 140737330383064, 140737354004936, 0, 0, 0}}}} prepend_file_p = 0x0 append_file_p = 0x0 prepend_file = {type = ZEND_HANDLE_FILENAME, filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = { handle = 0x0, isatty = 0, mmap = {len = 0, pos = 0, map = 0x0, buf = 0x0, old_handle = 0x0, old_closer = 0}, reader = 0, fsizer = 0, closer = 0}}, free_filename = 0 '\000'} append_file = {type = ZEND_HANDLE_FILENAME, filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = { handle = 0x0, isatty = 0, mmap = {len = 0, pos = 0, map = 0x0, buf = 0x0, old_handle = 0x0, old_closer = 0}, reader = 0, fsizer = 0, closer = 0}}, free_filename = 0 '\000'} old_cwd = 0x7fffffffae90 "" use_heap = 0 '\000' retval = 0 #27 0x0000000000931a75 in do_cli (argc=2, argv=0x7fffffffe678) at /usr/local/src/php-5.4.9/sapi/cli/php_cli.c:988 __orig_bailout = 0x7fffffffe460 __bailout = {{__jmpbuf = {0, -827595845275632276, 4327200, 140737488348784, 0, 0, -827595844862493332, 827597107621117292}, __mask_was_saved = 0, __saved_mask = {__val = {0, 0, 0, 0, 96, 0, 210453397508, 472446402651, 532575944823, 0, 46, 140737488346816, 2, 140737352007912, 140737488345952, 140737351999926}}}} c = -1 file_handle = {type = ZEND_HANDLE_MAPPED, filename = 0x7fffffffe8b5 "/usr/bin/phpunit", opened_path = 0x0, handle = { fd = -134405872, fp = 0x7ffff7fd2110, stream = {handle = 0x7ffff7fd2110, isatty = 0, mmap = {len = 2018, pos = 0, map = 0x7ffff1ce7000, buf = 0x7ffff1ce700f <Address 0x7ffff1ce700f out of bounds>, old_handle = 0x1160b40, old_closer = 0x80631b <zend_stream_stdio_closer>}, reader = 0x8062ec 
<zend_stream_stdio_reader>, fsizer = 0x806349 <zend_stream_stdio_fsizer>, closer = 0x806459 <zend_stream_mmap_closer>}}, free_filename = 0 '\000'} behavior = 1 reflection_what = 0x0 request_started = 1 exit_status = 0 php_optarg = 0x0 orig_optarg = 0x0 php_optind = 2 orig_optind = 1 exec_direct = 0x0 exec_run = 0x0 exec_begin = 0x0 exec_end = 0x0 arg_free = 0x7fffffffe8b5 "/usr/bin/phpunit" arg_excp = 0x7fffffffe680 script_file = 0x7fffffffe8b5 "/usr/bin/phpunit" translated_path = 0x115fc90 "/usr/bin/phpunit" interactive = 0 lineno = 2 param_error = 0x0 hide_argv = 0
#28 0x0000000000932bae in main (argc=2, argv=0x7fffffffe678) at /usr/local/src/php-5.4.9/sapi/cli/php_cli.c:1364 __orig_bailout = 0x0 __bailout = {{__jmpbuf = {0, -827595845227397780, 4327200, 140737488348784, 0, 0, -827595845273535124, 827597107464748396}, __mask_was_saved = 0, __saved_mask = {__val = {140737354114296, 140737488348816, 140737331860032, 140737349700096, 10240, 0, 140737354130976, 8453442528, 0, 140737354114296, 4265583, 140737331844832, 140737330974368, 140737349695456, 15774436, 9}}}} c = -1 exit_status = 0 module_started = 1 sapi_started = 1 php_optarg = 0x0 php_optind = 1 use_extended_info = 0 ini_path_override = 0x0 ini_entries = 0xf9b230 "html_errors=0\nregister_argc_argv=1\nimplicit_flush=1\noutput_buffering=0\nmax_execution_time=0\nmax_input_time=-1\n" ini_entries_len = 110 ini_ignore = 0 sapi_module = 0xf7a1c0

-- 
Edit bug report at https://bugs.php.net/bug.php?id=63677&edit=1
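As an added triage aid that is not part of the bug report or of PHP itself: a small Python parser for gdb `backtrace full` output in the flattened form the list archive gives it above. It splits the dump into frames, keeps the scalar locals of each frame, and applies two checks a crash-triage engineer would want first: whether the faulting call was reached from a `gc_collect_cycles` destructor run, and whether the pointer local at the crash site is plausibly aligned (the `zobj = 0x7fff00009e61` value in frame #0 is odd, the usual signature of reading an object slot that has already been freed or overwritten). The sample text is an excerpt of the report's own backtrace with frames #3-#4 omitted and most locals dropped; the alignment heuristic, the `suspicious_pointer` name and the 8-byte granularity are my assumptions for x86-64 builds, not something the report states.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Excerpt of the "backtrace full" output quoted in the bug report, joined onto
# one line the way the list archive flattens it. Frames #3-#4 are omitted and
# most locals dropped; every value that remains is the report's own.
SAMPLE_BACKTRACE = " ".join([
    "Program received signal SIGSEGV, Segmentation fault.",
    "0x000000000081e0c9 in zend_std_object_get_class (object=0x7ffff073bf70) at /usr/local/src/php-5.4.9/Zend/zend_object_handlers.c:1454 1454 return zobj->ce; (gdb) backtrace full",
    "#0 0x000000000081e0c9 in zend_std_object_get_class (object=0x7ffff073bf70) at /usr/local/src/php-5.4.9/Zend/zend_object_handlers.c:1454 zobj = 0x7fff00009e61",
    "#1 0x00000000007e9ed0 in zend_get_class_entry (zobject=0x7ffff073bf70) at /usr/local/src/php-5.4.9/Zend/zend_API.c:238 No locals.",
    '#2 0x0000000000875f6b in ZEND_INIT_METHOD_CALL_SPEC_VAR_CONST_HANDLER (execute_data=0x7ffff7fa6a10) at /usr/local/src/php-5.4.9/Zend/zend_vm_execute.h:13466 opline = 0x7ffff0c316d8 function_name_strval = 0x7ffff7eb9768 "destroy" function_name_strlen = 7',
    '#5 0x0000000000807695 in zend_call_method (object_pp=0x7fffffff99b8, obj_ce=0x7ffff073d6d8, fn_proxy=0x7fffffff99b0, function_name=0xd039c6 "__destruct", function_name_len=10, retval_ptr_ptr=0x0, param_count=0, arg1=0x0, arg2=0x0) at /usr/local/src/php-5.4.9/Zend/zend_interfaces.c:97 retval = 0x0',
    "#6 0x0000000000814fbf in zend_objects_destroy_object (object=0x7ffff0745cc0, handle=45021) at /usr/local/src/php-5.4.9/Zend/zend_objects.c:123 obj = 0x7ffff08973d0 destructor = 0x7ffff0c30e30",
    "#7 0x00000000008125d9 in gc_collect_cycles () at /usr/local/src/php-5.4.9/Zend/zend_gc.c:814 count = 84",
])

# One gdb frame header: "#N 0xPC in func (args) at file:line". The pc part is
# absent for inlined frames, so it is optional.
FRAME_RE = re.compile(
    r"#(?P<no>\d+)\s+"
    r"(?:0x(?P<pc>[0-9a-f]+)\s+in\s+)?"
    r"(?P<func>\w+)\s*\((?P<args>.*?)\)"
    r"\s+at\s+(?P<file>\S+?):(?P<line>\d+)",
    re.DOTALL,
)

# Scalar locals only: pointers, integers and quoted strings. Struct-valued
# locals ("{...}") are skipped; they are rarely what triage needs first.
LOCAL_RE = re.compile(
    r'(?P<name>\b[A-Za-z_]\w*) = (?P<value>0x[0-9a-f]+|-?\d+|"[^"]*")'
)


@dataclass
class Frame:
    no: int
    func: str
    args: str
    file: str
    line: int
    pc: Optional[str] = None
    local_vars: Dict[str, str] = field(default_factory=dict)


def parse_frames(text: str) -> List[Frame]:
    """Split a (possibly flattened) `backtrace full` dump into frames.

    The text between one frame header and the next is treated as that
    frame's locals block.
    """
    matches = list(FRAME_RE.finditer(text))
    frames: List[Frame] = []
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        tail = text[m.end():end]
        local_vars = {lm["name"]: lm["value"] for lm in LOCAL_RE.finditer(tail)}
        frames.append(Frame(int(m["no"]), m["func"], m["args"], m["file"],
                            int(m["line"]), m["pc"], local_vars))
    return frames


def called_method(frame: Frame) -> Optional[str]:
    """For a zend_call_method frame, the PHP method name being invoked."""
    m = re.search(r'function_name=0x[0-9a-f]+ "([^"]*)"', frame.args)
    return m.group(1) if m else None


def destructor_frame(frames: List[Frame]) -> Optional[Frame]:
    """The frame (if any) in which the engine is running a __destruct."""
    for f in frames:
        if f.func == "zend_call_method" and called_method(f) == "__destruct":
            return f
    return None


def triggered_by_gc(frames: List[Frame]) -> bool:
    """True when the crash is below the cycle collector on the stack."""
    return any(f.func == "gc_collect_cycles" for f in frames)


def suspicious_pointer(value: str, align: int = 8) -> bool:
    """Heuristic (assumption, x86-64): a live object pointer is NULL-free and
    allocator-aligned; NULL or a misaligned value points at stale memory."""
    v = int(value, 16)
    return v == 0 or v % align != 0


def triage(text: str) -> Dict[str, object]:
    """One-shot summary of the fields a crash reviewer looks at first."""
    frames = parse_frames(text)
    top = frames[0]
    suspect = {n: v for n, v in top.local_vars.items()
               if v.startswith("0x") and suspicious_pointer(v)}
    dtor = destructor_frame(frames)
    return {
        "crash_function": top.func,
        "crash_location": f"{top.file}:{top.line}",
        "suspect_locals": suspect,
        "during_gc": triggered_by_gc(frames),
        "destructor_call": called_method(dtor) if dtor else None,
        "chain": [f.func for f in frames],
    }


if __name__ == "__main__":
    for key, val in triage(SAMPLE_BACKTRACE).items():
        print(f"{key}: {val}")
```

Run against a full dump by reading the archive text into `triage()` instead of `SAMPLE_BACKTRACE`; the regexes do not depend on line breaks, so the flattened archive rendering and a raw gdb session parse the same way. On the report's frames the summary says the fault is in `zend_std_object_get_class` with a misaligned `zobj`, reached from a `__destruct` call made by `gc_collect_cycles`, which is the shape a reviewer expects from an object freed before its destructor chain finished rather than from a fault in gmagick's own code.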