ID: 45339
User updated by: willh at metavera dot com
Reported By: willh at metavera dot com
Status: Open
Bug Type: Reproducible crash
Operating System: Linux 2.6.18-5-686-bigmem
PHP Version: 5.2CVS-2008-06-23 (snap)
New Comment:
I have managed to isolate the PHP code that appeared to be triggering
this issue on our production server and have crafted a relatively
short, 71 lines, script that crashes PHP on our development servers.
These servers run a different distribution of Linux but PHP is
configured and compiled similarly. Unfortunately this script does not
crash on our development server.
The development server has php5.2-200806191230 configured in the
following manner...
'./configure' '--prefix=/usr/local/' '--with-apxs2'
'--with-libxml-dir' '--with-openssl' '--with-zlib' '--enable-bcmath'
'--enable-calendar' '--with-curl' '--with-curlwrappers' '--enable-exif'
'--enable-ftp' '--with-gd' '--enable-gd-native-ttf' '--with-gettext'
'--with-gmp' '--enable-mbstring' '--with-pdo-pgsql' '--with-pgsql'
'--enable-soap' '--with-tidy' '--enable-zip' '--with-xsl'
'--with-jpeg-dir=/usr/lib' '--with-png-dir=/usr/lib'
'--with-ttf=/usr/lib' '--enable-zip' '--with-freetype-dir=/usr/lib'
'--with-bz2' '--enable-sockets' '--with-kerberos' '--with-mcrypt'
'--enable-sysvshm' '--enable-sysvsem' '--with-config-file-path=/etc'
The following script is expected to exit normally but it crashes when
USE_ZEND_ALLOC=1. The following script does not crash when
USE_ZEND_ALLOC=0.
I apologize for the length of the script; it is as short as I was able
to make it and still manage to get it to crash.
_____________________
<?php
class MVCallback {
    protected $key;
    protected $object; /*The object to call the method on*/
    protected $method; /*the method name */
    protected $arguments = array();
    static public function initialize($object,$method,$arguments = array()){
        $callback = new self();
        $callback->object = $object;
        $callback->method = $method;
        $callback->arguments = $arguments;
        return $callback;
    }
}
class callback_db_column {
    protected $callback = null;
    protected $format_function;
    public function __construct($name,$column_name=_U ){
        $this->set_format_func('sprintf');
    }
    public function callback(){
        return $this->callback;
    }
    public function set_callback($aMVCallback){
        $this->callback = $aMVCallback;
        return $this;
    }
    protected function & set_format_func($aString){
        $this->format_function = &$aString;
    }
}
class foo {
    protected $columns = array();
    function & add_column(&$col){
        $this->columns[] = &$col;
    }
    public function add_column_for_date($column_name,$value_name,$format_function){
        $col = new callback_db_column($column_name,$value_name);
        $col->set_callback(
            MVCallback::initialize($this,
                'value_with_timezone',
                array($format_function,$value_name))
        );
        $this->add_column(&$col);
    }
    function __construct($base_table=_U) {
        $this->add_column_for_date(COL_RES_START,RES_START, 'stamp_to_string');
        $this->add_column_for_date(COL_RES_END, RES_END, 'stamp_to_string');
        $this->add_column_for_date(COL_RES_START_SHORT, RES_START, 'stamp_to_input_string');
        $this->add_column_for_date(COL_RES_END_SHORT, RES_END, 'stamp_to_input_string');
    }
}
for($i=1; $i<=5000; ++$i){
    $foo = &new foo($u='foo');
}
Previous Comments:
------------------------------------------------------------------------
[2008-06-23 20:40:30] willh at metavera dot com
We tried --enable-debug and having USE_ZEND_ALLOC=0 environment
variable set- no crash.
We tried the non-enable-debug set and having USE_ZEND_ALLOC=0 set- no
crash.
So with USE_ZEND_ALLOC=0 no crashes.
------------------------------------------------------------------------
[2008-06-23 19:41:02] [EMAIL PROTECTED]
Compile with --enable-debug but disable the PHP memory manager.
You can do this with an environmental variable.
export USE_ZEND_ALLOC=0
Then start Apache in debug mode, you can do this with httpd -X
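
The A/B check described in this comment, as an added example that is not part of the original report or of PHP's own tooling: it runs any command under both USE_ZEND_ALLOC settings and classifies how each run ended. The function names and the verdict words are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: A/B a command under both Zend allocator settings.
# Assumed invocation: sh ab_alloc.sh php repro.php

# Turn an exit status into a verdict. Shells report death by signal N as
# 128+N (Linux signals go up to 64); signal 11 is SIGSEGV.
classify_status() {
    if [ "$1" -eq 0 ]; then
        echo "ok"
    elif [ "$1" -gt 128 ] && [ "$1" -le 192 ]; then
        echo "signal:$(( $1 - 128 ))"
    else
        echo "exit:$1"
    fi
}

# Run the command given after the first argument with USE_ZEND_ALLOC=$1.
run_with_alloc() {
    alloc=$1
    shift
    status=0
    env USE_ZEND_ALLOC="$alloc" "$@" >/dev/null 2>&1 || status=$?
    classify_status "$status"
}

# Print the result for each setting, then a one-word verdict on the last line.
ab_zend_alloc() {
    with_mm=$(run_with_alloc 1 "$@")
    without_mm=$(run_with_alloc 0 "$@")
    echo "USE_ZEND_ALLOC=1 -> $with_mm"
    echo "USE_ZEND_ALLOC=0 -> $without_mm"
    if [ "$with_mm" = "$without_mm" ]; then
        echo "allocator-independent"
    elif [ "$without_mm" = "ok" ]; then
        echo "zend-mm-only"
    else
        echo "differs"
    fi
}

if [ "$#" -gt 0 ]; then
    ab_zend_alloc "$@"
fi
```

A "zend-mm-only" verdict shows that the failure depends on the Zend memory manager, not that the script is clean with it disabled; running the same command under a memory checker such as valgrind with USE_ZEND_ALLOC=0 is the usual next step.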
------------------------------------------------------------------------
[2008-06-23 18:49:45] willh at metavera dot com
Description:
------------
PHP crashes in ZEND_MM_CHECK_TREE. The problem is reproducible with
our source code but I have been unable to create a short script that
duplicates the issue.
The crash happens with the CVS version of PHP, and the same crash
happens with 5.2.6.
I have a core file if needed. If PHP is configured with --enable-debug
the crash does not happen.
On crash, we also get:
----
/usr/src/t/php-5.2.6/Zend/zend_execute.c(403) : Freeing 0xB1272E30 (16 bytes), script=[redacted]/training/code/lmember/index.php
Last leak repeated 2 times
----
in the error logs
PHP 5.2 snap configured like ...
'./configure' '--prefix=/usr/local/php5' '--with-apxs2=/usr/bin/apxs2'
'--with-libxml-dir' '--with-openssl' '--with-zlib' '--enable-bcmath'
'--enable-calendar' '--with-curl' '--with-curlwrappers' '--enable-exif'
'--enable-ftp' '--with-gd' '--enable-gd-native-ttf' '--with-gettext'
'--with-gmp' '--with-imap' '--enable-mbstring' '--with-pdo-pgsql'
'--with-pgsql' '--enable-soap' '--with-tidy' '--enable-zip' '--with-xsl'
'--with-imap-ssl' '--with-jpeg-dir=/usr/lib' '--with-png-dir=/usr/lib'
'--with-ttf=/usr/lib' '--enable-zip' '--with-freetype-dir=/usr/lib'
'--with-bz2' '--enable-sockets' '--with-kerberos' '--with-mcrypt'
'--enable-sysvshm' '--enable-sysvsem'
Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1215793472 (LWP 16822)]
0xb73c0298 in _zend_mm_free_int (heap=0x8230fe8, p=<value optimized out>) at /usr/src/php-5.2.6/Zend/zend_alloc.c:817
817 ZEND_MM_CHECK_TREE(mm_block);
(gdb) bt
#0 0xb73c0298 in _zend_mm_free_int (heap=0x8230fe8, p=<value optimized out>) at /usr/src/php-5.2.6/Zend/zend_alloc.c:817
#1 0xb73f2482 in zend_objects_free_object_storage (object=0xa2edd24c) at /usr/src/php-5.2.6/Zend/zend_objects.c:122
#2 0xb73f532f in zend_objects_store_free_object_storage (objects=0xb76e2b28) at /usr/src/php-5.2.6/Zend/zend_objects_API.c:89
#3 0xb73cdce9 in shutdown_executor () at /usr/src/php-5.2.6/Zend/zend_execute_API.c:299
#4 0xb73d98dd in zend_deactivate () at /usr/src/php-5.2.6/Zend/zend.c:860
#5 0xb739a569 in php_request_shutdown (dummy=0x0) at /usr/src/php-5.2.6/main/main.c:1486
#6 0xb745471d in php_handler (r=0x8355578) at /usr/src/php-5.2.6/sapi/apache2handler/sapi_apache2.c:469
#7 0x08074607 in ap_run_handler ()
#8 0x080777b1 in ap_invoke_handler ()
#9 0x0808471a in ap_internal_redirect ()
...
------------------------------------------------------------------------