Edit report at https://bugs.php.net/bug.php?id=52349&edit=1

ID:                 52349
Updated by:         [email protected]
Reported by:        [email protected]
Summary:            "zend_mm_heap corrupted" error
-Status:            Feedback
+Status:            No Feedback
Type:               Bug
Package:            Reproducible crash
Operating System:   FreeBSD 6.2
PHP Version:        5.3.3RC3
Assigned To:        dmitry

New Comment:

No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Open". Thank you.

Previous Comments:
------------------------------------------------------------------------
[2011-03-18 12:20:58] jan-php at kantert dot net

Same bug on Ubuntu 10.04 LTS x86_64

PHP 5.3.2-1ubuntu4.7 with Suhosin-Patch (cli) (built: Jan 12 2011 18:36:55)

Also happens only 30% of the time. Sometimes "just" segfaults without error. Sometimes with this error.

Happens when running the archive.sh in piwik.

strace /usr/bin/php5 -q /home/XXX/misc/cron/../../index.php

We did an strace on the process and noticed some things. If it segfaults (only then) there are a lot of brk lines:

brk(0x805a000) = 0x805a000
brk(0x809a000) = 0x809a000
brk(0x80da000) = 0x80da000
brk(0x811a000) = 0x811a000
brk(0x815a000) = 0x815a000
brk(0x819a000) = 0x819a000
brk(0x81da000) = 0x81da000
brk(0x821a000) = 0x821a000
brk(0x825a000) = 0x825a000
brk(0x829a000) = 0x829a000
brk(0x82da000) = 0x82da000
brk(0x831a000) = 0x831a000
brk(0x835a000) = 0x835a000
brk(0x839a000) = 0x839a000
brk(0x83da000) = 0x83da000

At the end:

close(5) = 0
close(4) = 0
munmap(0x7fcae32e3000, 528384) = 0
write(3, "\1\0\0\0\1", 5) = 5
shutdown(3, 2 /* send and receive */) = 0
close(3) = 0
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++
Segmentation fault

------------------------------------------------------------------------
[2010-07-16 08:23:30] [email protected]

Sorry, but I need a script to reproduce and fix this bug.
In case it's a big application, I can try to debug it on your system if you give me SSH access, but it's more difficult.

------------------------------------------------------------------------
[2010-07-15 18:19:34] [email protected]

Assigning to dmitry, per IRC chat.

------------------------------------------------------------------------
[2010-07-15 18:12:40] [email protected]

Description:
------------
A few things:

* It happens when running a specific "simpletest" integration test
* It doesn't always happen, roughly 33-50% of the time
* Never happened with 5.3.2, I got a report from Bamboo as soon as I upgraded to 5.3.3RC3

Of course I can't get a simple reproduce script as the aforementioned test does tons of things, but of course I can provide more information, SSH access, or try anything I'm asked to.

Test script:
---------------
n/a

Expected result:
----------------
No failure

Actual result:
--------------
zend_mm_heap corrupted exit message, with the following backtrace

#0 0x000000000079f25b in zval_scan (pz=0x3b31970) at /array1/compile/php-5.3.3RC3-fcgi/Zend/zend_gc.c:485
        p = (Bucket *) 0x3661108
#1 0x000000000079f6b9 in gc_collect_cycles () at /array1/compile/php-5.3.3RC3-fcgi/Zend/zend_gc.c:535
        p = (zval_gc_info *) 0xee5ee0
        q = (zval_gc_info *) 0x0
        orig_free_list = (zval_gc_info *) 0x7fffffffc6e0
        orig_next_to_free = (zval_gc_info *) 0x211ef18
        count = 0
#2 0x000000000079fbd8 in gc_zval_possible_root (zv=0x33588b0) at /array1/compile/php-5.3.3RC3-fcgi/Zend/zend_gc.c:166
        newRoot = (gc_root_buffer *) 0x3627830
#3 0x00000000007a4fde in zend_assign_to_object (result=0x211ef18, object_ptr=0xe567a0, property_name=0x211ef60, value_op=0x211efb0, Ts=0x113b228, opcode=136) at /array1/compile/php-5.3.3RC3-fcgi/Zend/zend_execute.c:602
        object = (zval *) 0x3632b70
        free_value = {var = 0x113b701}
        value = (zval *) 0x33588b0
        retval = (zval **) 0x113b6e0
#4 0x00000000007e2796 in ZEND_ASSIGN_OBJ_SPEC_UNUSED_CONST_HANDLER (execute_data=0x113b190) at zend_vm_execute.h:17645
        opline = (zend_op *) 0x0
#5 0x00000000007a65f9 in execute (op_array=0x2119968) at zend_vm_execute.h:107
        ret = 0
        execute_data = (zend_execute_data *) 0x113b190
        nested = 1 '\001'
        original_in_execution = 1 '\001'
#6 0x0000000000777d94 in zend_call_function (fci=0x7fffffffc970, fci_cache=0x0) at /array1/compile/php-5.3.3RC3-fcgi/Zend/zend_execute_API.c:963
        call_via_handler = 34934168
        i = 18062328
        original_return_value = (zval **) 0x1139bf8
        calling_symbol_table = (HashTable *) 0x0
        original_op_array = (zend_op_array *) 0x2150d98
        original_opline_ptr = (zend_op **) 0x1139f28
        current_scope = (zend_class_entry *) 0x2118528
        current_called_scope = (zend_class_entry *) 0x2104658
        calling_scope = (zend_class_entry *) 0x2104658
        called_scope = (zend_class_entry *) 0x2104658
        current_this = (zval *) 0x30c9840
        execute_data = {opline = 0x0, function_state = {function = 0x2109b78, arguments = 0x113a068}, fbc = 0x0, called_scope = 0x0, op_array = 0x0, object = 0x3632b70, Ts = 0x1139fe0, CVs = 0x1139fc0, symbol_table = 0x0, prev_execute_data = 0x1139f28, old_error_reporting = 0x0, nested = 1 '\001', original_return_value = 0x2104658, current_scope = 0x30c9840, current_called_scope = 0x0, current_this = 0x0, current_object = 0x0, call_opline = 0x1139fc8}
#7 0x0000000000728986 in xml_call_handler (parser=0x2f77938, handler=0x3356688, function_ptr=0x3627830, argc=3, argv=0x7fffffffca50) at /array1/compile/php-5.3.3RC3-fcgi/ext/xml/xml.c:530
        args = (zval ***) 0x2f7e210
        retval = (zval *) 0x0
        result = -13744
        fci = {size = 72, function_table = 0xe58180, function_name = 0x3356688, symbol_table = 0x0, retval_ptr_ptr = 0x7fffffffc968, param_count = 3, params = 0x2f7e210, object_ptr = 0x3632b70, no_separation = 0 '\0'}
        i = 3
#8 0x000000000072926a in _xml_startElementHandler (userData=0x2f77938, name=0x11fa8c0 "plugin", attributes=0x0) at /array1/compile/php-5.3.3RC3-fcgi/ext/xml/xml.c:822
        attrs = (const char **) 0x0
        att = 0x0
        val = 0x11fa8c0 "plugin"
        val_len = 0
        retval = (zval *) 0x821ae6ce
        args = {0x37ba0f0, 0x3359b18, 0x37ba450}
#9 0x000000000072b56e in _start_element_handler (user=0x2d40860, name=0x11fa8c0 "plugin", attributes=0x0) at /array1/compile/php-5.3.3RC3-fcgi/ext/xml/compat.c:84
        qualified_name = (xmlChar *) 0x11fa8c0 "plugin"
#10 0x00000000820fa26a in xmlParseStartTag () from /usr/local/lib/libxml2.so.5
No symbol table info available.
#11 0x00000000820ff102 in xmlParseTryOrFinish () from /usr/local/lib/libxml2.so.5
No symbol table info available.
#12 0x00000000821004ab in xmlParseChunk () from /usr/local/lib/libxml2.so.5
No symbol table info available.
#13 0x000000000072c00d in php_XML_Parse (parser=0x2d40860, data=0x3540020 "", data_len=56784944, is_final=0) at /array1/compile/php-5.3.3RC3-fcgi/ext/xml/compat.c:605
        error = 0
#14 0x000000000072a963 in zif_xml_parse (ht=62069104, return_value=0x374c980, return_value_ptr=0x3627830, this_ptr=0x0, return_value_used=0) at /array1/compile/php-5.3.3RC3-fcgi/ext/xml/xml.c:1464
        parser = (xml_parser *) 0x2f77938
        pind = (zval *) 0x374ccf0
        data = 0x3356e18 "<?xml version=\"1.0\" encoding=\"ISO-8859-1\" ?>\n<?xml-stylesheet type=\"text/xsl\" href=\"\"?>\n\n<plugin>\n <name>apRetargetingDriverExternalUI</name>\n <creationDate>2010-06-10</creationDate>\n <author"...
        data_len = 1075
        ret = 0
        isFinal = 1
#15 0x00000000007a7100 in zend_do_fcall_common_helper_SPEC (execute_data=0x1139f28) at zend_vm_execute.h:316
        i = 3
        p = (zval **) 0x113a048
        arg_count = 0
        opline = (zend_op *) 0x213f2b8
        should_change_scope = 0 '\0'
#16 0x00000000007a65f9 in execute (op_array=0x2150d98) at zend_vm_execute.h:107
        ret = 0
        execute_data = (zend_execute_data *) 0x1139f28
        nested = 1 '\001'
        original_in_execution = 0 '\0'
#17 0x0000000000785675 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /array1/compile/php-5.3.3RC3-fcgi/Zend/zend.c:1194
        files = {{gp_offset = 40, fp_offset = 48, overflow_arg_area = 0x7fffffffcf30, reg_save_area = 0x7fffffffce40}}
        i = 1
        file_handle = (zend_file_handle *) 0x7fffffffe850
        orig_op_array = (zend_op_array *) 0x0
        orig_retval_ptr_ptr = (zval **) 0x0
#18 0x0000000000735158 in php_execute_script (primary_file=0x7fffffffe850) at /array1/compile/php-5.3.3RC3-fcgi/main/main.c:2260
        realfile = "/usr/local/bamboo/test-home/xml-data/build-dir/RET-TRUNK/tests/run.php\000\000>@Ã\200\000\000\000\000\000\027Ã\200\000\000\000\0000áÿÿÿ\177\000\000\000\000\000\000\000\000\000\000\001\000\000\000\000\000\000\000\t*¹\n\000\000\000\000é=Ã\200", '\0' <repeats 13 times>, "rÃ\200\000\000\000\000(áÿÿÿ\177\000\000\000\000\000\000\000\000\000\000páÿÿÿ\177\000\000ç\016", '\0' <repeats 14 times>, "\001\000\000\000\000\000\000\000\t*¹\n\000\000\000\000\001<Ã\200\000\000\000"...
        prepend_file_p = (zend_file_handle *) 0x0
        append_file_p = (zend_file_handle *) 0x0
        prepend_file = {type = ZEND_HANDLE_FILENAME, filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, isatty = 0, mmap = {len = 0, pos = 0, map = 0x0, buf = 0x0, old_handle = 0x0, old_closer = 0}, reader = 0, fsizer = 0, closer = 0}}, free_filename = 0 '\0'}
        append_file = {type = ZEND_HANDLE_FILENAME, filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, isatty = 0, mmap = {len = 0, pos = 0, map = 0x0, buf = 0x0, old_handle = 0x0, old_closer = 0}, reader = 0, fsizer = 0, closer = 0}}, free_filename = 0 '\0'}
        old_cwd = 0x7fffffffcf40 ""
        retval = 0
#19 0x00000000008099fb in main (argc=9, argv=0x7fffffffe948) at /array1/compile/php-5.3.3RC3-fcgi/sapi/cli/php_cli.c:1192
        len = 140737488348832
        argn = (zval *) 0x80de6600
        input = 0x0
        index = 9
        argi = (zval *) 0x80ee0030
        exit_status = 0
        c = 0
        file_handle = {type = ZEND_HANDLE_MAPPED, filename = 0x7fffffffeb75 "run.php", opened_path = 0x0, handle = {fd = 15152376, fp = 0xe734f8, stream = {handle = 0xe734f8, isatty = 0, mmap = {len = 5351, pos = 0, map = 0x80df4000, buf = 0x80df4000 <Address 0x80df4000 out of bounds>, old_handle = 0x8270d840, old_closer = 0x797cd0 <zend_stream_stdio_closer>}, reader = 0x797cb0 <zend_stream_stdio_reader>, fsizer = 0x797cf0 <zend_stream_stdio_fsizer>, closer = 0x797d50 <zend_stream_mmap_closer>}}, free_filename = 0 '\0'}
        behavior = 1
        reflection_what = 0x0
        orig_optind = 1
        orig_optarg = 0x0
        arg_free = 0x7fffffffeb75 "run.php"
        arg_excp = (char **) 0x3540020
        script_file = 0x7fffffffeb75 "run.php"
        interactive = 0
        module_started = 1
        request_started = 1
        lineno = 1
        exec_direct = 0x0
        exec_run = 0x0
        exec_begin = 0x0
        exec_end = 0x0
        param_error = 0x0
        hide_argv = 0
        ini_entries_len = -6496

------------------------------------------------------------------------

--
Edit this bug report at https://bugs.php.net/bug.php?id=52349&edit=1
