Edit report at http://bugs.php.net/bug.php?id=52518&edit=1
ID:                 52518
Updated by:         fel...@php.net
Reported by:        correo at sevein dot com
Summary:            Segfault in /Zend/zend_objects_API.c:230
-Status:            Open
+Status:            Feedback
Type:               Bug
Package:            Reproducible crash
Operating System:   Linux/Windows
PHP Version:        5.3.3
Block user comment: N
Private report:     N

New Comment:

Please try using this snapshot:

  http://snaps.php.net/php5.3-latest.tar.gz

For Windows:

  http://windows.php.net/snapshots/


Previous Comments:
------------------------------------------------------------------------
[2010-08-07 12:48:09] correo at sevein dot com

I continue investigating this issue. I ran valgrind to complete this
report and got this:

==1994== Invalid read of size 4
==1994==    at 0x701E1C: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:230)
==1994==    by 0x701F62: zend_objects_store_del_ref (zend_objects_API.c:172)
==1994==    by 0x6D4B04: _zval_ptr_dtor (zend_variables.h:35)
==1994==    by 0x6EC4CA: zend_hash_destroy (zend_hash.c:526)
==1994==    by 0x6FE5F8: zend_object_std_dtor (zend_objects.c:45)
==1994==    by 0x6FE618: zend_objects_free_object_storage (zend_objects.c:128)
==1994==    by 0x701F49: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:220)
==1994==    by 0x701F62: zend_objects_store_del_ref (zend_objects_API.c:172)
==1994==    by 0x75AE41: ZEND_ASSIGN_SPEC_CV_CONST_HANDLER (zend_execute.c:691)
==1994==    by 0x704927: execute (zend_vm_execute.h:107)
==1994==    by 0x6E0179: zend_execute_scripts (zend.c:1194)
==1994==    by 0x68F8CC: php_execute_script (main.c:2260)
==1994==    by 0x76638D: main (php_cli.c:1192)
==1994==  Address 0x10611c30 is 1,014,768 bytes inside a block of size 1,048,576 free'd
==1994==    at 0x4C285A2: realloc (vg_replace_malloc.c:525)
==1994==    by 0x702080: zend_objects_store_put (zend_objects_API.c:113)
==1994==    by 0x6FE2C7: zend_objects_new (zend_objects.c:138)
==1994==    by 0x6E86F2: _object_and_properties_init (zend_API.c:1079)
==1994==    by 0x709168: ZEND_NEW_SPEC_HANDLER (zend_vm_execute.h:476)
==1994==    by 0x704927: execute (zend_vm_execute.h:107)
==1994==    by 0x6D6D03: zend_call_function (zend_execute_API.c:963)
==1994==    by 0x6F5F4E: zend_call_method (zend_interfaces.c:97)
==1994==    by 0x6FE4DE: zend_objects_destroy_object (zend_objects.c:113)
==1994==    by 0x701F30: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:206)
==1994==    by 0x701F62: zend_objects_store_del_ref (zend_objects_API.c:172)
==1994==    by 0x6D4B04: _zval_ptr_dtor (zend_variables.h:35)
==1994==    by 0x6EC4CA: zend_hash_destroy (zend_hash.c:526)
==1994==    by 0x6FE5F8: zend_object_std_dtor (zend_objects.c:45)
==1994==    by 0x6FE618: zend_objects_free_object_storage (zend_objects.c:128)
==1994==    by 0x701F49: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:220)
==1994==    by 0x701F62: zend_objects_store_del_ref (zend_objects_API.c:172)
==1994==    by 0x6D4B04: _zval_ptr_dtor (zend_variables.h:35)
==1994==    by 0x6EC4CA: zend_hash_destroy (zend_hash.c:526)
==1994==    by 0x6FE5F8: zend_object_std_dtor (zend_objects.c:45)
==1994==    by 0x6FE618: zend_objects_free_object_storage (zend_objects.c:128)
==1994==    by 0x701F49: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:220)
==1994==    by 0x701F62: zend_objects_store_del_ref (zend_objects_API.c:172)
==1994==    by 0x75AE41: ZEND_ASSIGN_SPEC_CV_CONST_HANDLER (zend_execute.c:691)
==1994==    by 0x704927: execute (zend_vm_execute.h:107)
==1994==    by 0x6E0179: zend_execute_scripts (zend.c:1194)
==1994==    by 0x68F8CC: php_execute_script (main.c:2260)
==1994==    by 0x76638D: main (php_cli.c:1192)
==1994==
==1994== Invalid read of size 4
==1994==    at 0x701E1C: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:230)
==1994==    by 0x701F62: zend_objects_store_del_ref (zend_objects_API.c:172)
==1994==    by 0x75AE41: ZEND_ASSIGN_SPEC_CV_CONST_HANDLER (zend_execute.c:691)
==1994==    by 0x704927: execute (zend_vm_execute.h:107)
==1994==    by 0x6E0179: zend_execute_scripts (zend.c:1194)
==1994==    by 0x68F8CC: php_execute_script (main.c:2260)
==1994==    by 0x76638D: main (php_cli.c:1192)
==1994==  Address 0x106172f0 is 1,036,976 bytes inside a block of size 1,048,576 free'd
==1994==    at 0x4C285A2: realloc (vg_replace_malloc.c:525)
==1994==    by 0x702080: zend_objects_store_put (zend_objects_API.c:113)
==1994==    by 0x6FE2C7: zend_objects_new (zend_objects.c:138)
==1994==    by 0x6E86F2: _object_and_properties_init (zend_API.c:1079)
==1994==    by 0x709168: ZEND_NEW_SPEC_HANDLER (zend_vm_execute.h:476)
==1994==    by 0x704927: execute (zend_vm_execute.h:107)
==1994==    by 0x6D6D03: zend_call_function (zend_execute_API.c:963)
==1994==    by 0x6F5F4E: zend_call_method (zend_interfaces.c:97)
==1994==    by 0x6FE4DE: zend_objects_destroy_object (zend_objects.c:113)
==1994==    by 0x701F30: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:206)
==1994==    by 0x701F62: zend_objects_store_del_ref (zend_objects_API.c:172)
==1994==    by 0x6D4B04: _zval_ptr_dtor (zend_variables.h:35)
==1994==    by 0x6EC4CA: zend_hash_destroy (zend_hash.c:526)
==1994==    by 0x6FE5F8: zend_object_std_dtor (zend_objects.c:45)
==1994==    by 0x6FE618: zend_objects_free_object_storage (zend_objects.c:128)
==1994==    by 0x701F49: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:220)
==1994==    by 0x701F62: zend_objects_store_del_ref (zend_objects_API.c:172)
==1994==    by 0x6D4B04: _zval_ptr_dtor (zend_variables.h:35)
==1994==    by 0x6EC4CA: zend_hash_destroy (zend_hash.c:526)
==1994==    by 0x6FE5F8: zend_object_std_dtor (zend_objects.c:45)
==1994==    by 0x6FE618: zend_objects_free_object_storage (zend_objects.c:128)
==1994==    by 0x701F49: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:220)
==1994==    by 0x701F62: zend_objects_store_del_ref (zend_objects_API.c:172)
==1994==    by 0x75AE41: ZEND_ASSIGN_SPEC_CV_CONST_HANDLER (zend_execute.c:691)
==1994==    by 0x704927: execute (zend_vm_execute.h:107)
==1994==    by 0x6E0179: zend_execute_scripts (zend.c:1194)
==1994==    by 0x68F8CC: php_execute_script (main.c:2260)
==1994==    by 0x76638D: main (php_cli.c:1192)

------------------------------------------------------------------------
[2010-08-05 03:41:32] fel...@php.net

Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves.

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external
resources such as databases, etc. If the script requires a
database to demonstrate the issue, please make sure it creates
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.

------------------------------------------------------------------------
[2010-08-02 19:12:54] correo at sevein dot com

Description:
------------
A PHP process segfaults randomly when I try to build a complex search
index with Symfony framework and Zend Lucene. Unfortunately, I can't
figure out a short script to reproduce this problem. I can reproduce
it with all PHP versions, including PHP 5.3.3. In debug mode, the
problem occurs quickly (the index build can take many hours).

This is how I compiled my PHP installation:

./configure \
  --enable-dom \
  --enable-libxml \
  --with-xsl \
  --enable-pdo \
  --with-pdo-mysql \
  --with-mysql \
  --with-mysqli \
  --enable-mbstring \
  --enable-debug

gdb:

$ gdb /home/foobar/bin/php-5.3.3-debug ./core
Core was generated by `/home/foobar/bin/php-5.3.3-debug -d memory_limit=1200M symfony search:populate Q'.
Program terminated with signal 11, Segmentation fault.
#0  0x000000000086d775 in zend_objects_store_del_ref_by_handle_ex (handle=16159, handlers=0x106b340)
    at /home/foobar/bin/php-5.3.3/Zend/zend_objects_API.c:230
230             obj->refcount--;
(gdb) print obj
$1 = (struct _store_object *) 0x7ffc9fc80838
(gdb) print obj->refcount
Cannot access memory at address 0x7ffc9fc80860

The backtrack:

(gdb) bt
#0  0x000000000086d775 in zend_objects_store_del_ref_by_handle_ex (handle=16159, handlers=0x106b340)
    at /home/foobar/bin/php-5.3.3/Zend/zend_objects_API.c:230
#1  0x000000000086d477 in zend_objects_store_del_ref (zobject=0xd724c90)
    at /home/foobar/bin/php-5.3.3/Zend/zend_objects_API.c:172
#2  0x000000000083d822 in _zval_dtor_func (zvalue=0xd724c90,
    __zend_filename=0xdceb88 "/home/foobar/bin/php-5.3.3/Zend/zend_execute_API.c", __zend_lineno=443)
    at /home/foobar/bin/php-5.3.3/Zend/zend_variables.c:52
#3  0x000000000082d73a in _zval_dtor (zvalue=0xd724c90,
    __zend_filename=0xdceb88 "/home/foobar/bin/php-5.3.3/Zend/zend_execute_API.c", __zend_lineno=443)
    at /home/foobar/bin/php-5.3.3/Zend/zend_variables.h:35
#4  0x000000000082e6c8 in _zval_ptr_dtor (zval_ptr=0xddbaa00,
    __zend_filename=0xdd0400 "/home/foobar/bin/php-5.3.3/Zend/zend_variables.c", __zend_lineno=178)
    at /home/foobar/bin/php-5.3.3/Zend/zend_execute_API.c:443
#5  0x000000000083db9f in _zval_ptr_dtor_wrapper (zval_ptr=0xddbaa00)
    at /home/foobar/bin/php-5.3.3/Zend/zend_variables.c:178
#6  0x000000000084feb0 in zend_hash_destroy (ht=0xcba0578)
    at /home/foobar/bin/php-5.3.3/Zend/zend_hash.c:526
#7  0x0000000000868209 in zend_object_std_dtor (object=0xf2983f0)
    at /home/foobar/bin/php-5.3.3/Zend/zend_objects.c:45
#8  0x0000000000868585 in zend_objects_free_object_storage (object=0xf2983f0)
    at /home/foobar/bin/php-5.3.3/Zend/zend_objects.c:128
#9  0x000000000086d710 in zend_objects_store_del_ref_by_handle_ex (handle=16266, handlers=0x106b340)
    at /home/foobar/bin/php-5.3.3/Zend/zend_objects_API.c:220
#10 0x000000000086d477 in zend_objects_store_del_ref (zobject=0xe67c7b0)
    at /home/foobar/bin/php-5.3.3/Zend/zend_objects_API.c:172
#11 0x000000000083d822 in _zval_dtor_func (zvalue=0xe67c7b0,
    __zend_filename=0xdceb88 "/home/foobar/bin/php-5.3.3/Zend/zend_execute_API.c", __zend_lineno=443)
    at /home/foobar/bin/php-5.3.3/Zend/zend_variables.c:52
#12 0x000000000082d73a in _zval_dtor (zvalue=0xe67c7b0,
    __zend_filename=0xdceb88 "/home/foobar/bin/php-5.3.3/Zend/zend_execute_API.c", __zend_lineno=443)
    at /home/foobar/bin/php-5.3.3/Zend/zend_variables.h:35
#13 0x000000000082e6c8 in _zval_ptr_dtor (zval_ptr=0x7ffca2525c10,
    __zend_filename=0xdd6728 "/home/foobar/bin/php-5.3.3/Zend/zend_vm_execute.h", __zend_lineno=160)
    at /home/foobar/bin/php-5.3.3/Zend/zend_execute_API.c:443
#14 0x00000000008732da in zend_leave_helper_SPEC (execute_data=0x7ffca2525b38)
    at /home/foobar/bin/php-5.3.3/Zend/zend_vm_execute.h:160
#15 0x0000000000878335 in ZEND_RETURN_SPEC_CONST_HANDLER (execute_data=0x7ffca2525b38)
    at /home/foobar/bin/php-5.3.3/Zend/zend_vm_execute.h:1686
#16 0x0000000000873131 in execute (op_array=0x33a0410)
    at /home/foobar/bin/php-5.3.3/Zend/zend_vm_execute.h:107
#17 0x00000000008401ec in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /home/foobar/bin/php-5.3.3/Zend/zend.c:1194
#18 0x00000000007ca328 in php_execute_script (primary_file=0x7fffd3b27230)
    at /home/foobar/bin/php-5.3.3/main/main.c:2260
#19 0x00000000009238a3 in main (argc=6, argv=0x7fffd3b27498)
    at /home/foobar/bin/php-5.3.3/sapi/cli/php_cli.c:1192

Test script:
---------------
Unfortunately, I can't figure out a short script to reproduce this problem.

Expected result:
----------------
The process should not segfault.

Actual result:
--------------
Segfault

------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/bug.php?id=52518&edit=1
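Both valgrind reports above have the same shape: the object store is realloc'd by zend_objects_store_put while a destructor runs beneath zend_objects_store_del_ref_by_handle_ex, and an outer frame of that same function then reads through a bucket pointer it took before the call. The C model below is an added illustration of that pattern, written for this page and not Zend's code; every name in it is constructed. It shows the stale-pointer form next to the hardened form that re-derives the bucket from its handle after any call that can grow the store.

```c
#include <assert.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy handle-indexed object store (not Zend's code). */
typedef struct { int refcount; } bucket_t;
static bucket_t *buckets;
static size_t cap, top;

/* Grow by allocate-copy-free so the array always moves: models the realloc in
 * zend_objects_store_put relocating the store under frames that still hold
 * pointers into the old block. */
static size_t store_put(void) {
    if (top == cap) {
        size_t ncap = cap ? cap * 2 : 4;
        bucket_t *nb = malloc(ncap * sizeof *nb);
        assert(nb != NULL);
        if (buckets) { memcpy(nb, buckets, cap * sizeof *nb); free(buckets); }
        buckets = nb; cap = ncap;
    }
    buckets[top].refcount = 1;
    return top++;
}

/* Destructor hook that allocates, as the trace shows zend_objects_new being
 * reached from zend_objects_destroy_object. */
static void run_destructor(size_t handle) { (void)handle; store_put(); }

/* The crashing pattern: obj is cached before the destructor and reused after.
 * Returns 1 when the cached address no longer matches the live bucket (a
 * dereference there would be a use-after-free); the decrement itself goes
 * through a fresh lookup so this model never touches freed memory. */
static int del_ref_cached(size_t handle) {
    bucket_t *obj = &buckets[handle];
    uintptr_t cached = (uintptr_t)obj;
    if (obj->refcount == 1) run_destructor(handle);   /* may move buckets */
    buckets[handle].refcount--;
    return cached != (uintptr_t)&buckets[handle];
}

/* Hardened form: re-derive the bucket from its handle after any call that can
 * grow the store, so no pointer outlives the callback. */
static int del_ref_rederived(size_t handle) {
    if (buckets[handle].refcount == 1) run_destructor(handle);
    return --buckets[handle].refcount;
}

/* Create one object and pad the store to capacity so the destructor's
 * allocation must grow (and move) the array. Returns the new handle. */
static size_t fill_to_capacity(void) {
    size_t h = store_put();
    while (top < cap) store_put();
    return h;
}
```

Running del_ref_cached on a handle whose destructor grows a full store reports a stale pointer, while del_ref_rederived on the same situation completes the refcount drop through a valid address.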