From: martin dot schuette at icans-gmbh dot com
Operating system: Debian Linux
PHP version: 5.4.15
Package: Reproducible crash
Bug Type: Bug
Bug description: segfault in zval_mark_grey(), Zend/zend_gc.c:421

Description:
------------
As part of a PHPUnit test suite I get this segfault. Interestingly it depends on phpunit's command line options.

Segfault with "phpunit -c app/phpunit.xml.dist --log-junit /dev/null"

No problem with "phpunit -c app/phpunit.xml.dist" and "phpunit -c app/phpunit.xml.dist --log-junit /dev/null --debug"

Without GC it works as well: "php -dzend.enable_gc=0 /usr/bin/phpunit -c app/phpunit.xml.dist --log-junit /dev/null"

Expected result:
----------------
complete PHPUnit run

Actual result:
--------------
deploy@jenkins:/tmp/git>php -v
PHP 5.4.4-14 (cli) (built: Mar 4 2013 14:08:43)
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2012 Zend Technologies

deploy@jenkins:/tmp/git>gdb --args php /usr/bin/phpunit -c app/phpunit.xml.dist --log-junit /dev/null
GNU gdb (GDB) 7.4.1-debian
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/bin/php...Reading symbols from /usr/lib/debug/usr/bin/php5...done.
done.
(gdb) run
Starting program: /usr/bin/php /usr/bin/phpunit -c app/phpunit.xml.dist --log-junit /dev/null
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
warning: the debug information found in "/usr/lib/debug//usr/lib/php5/20100525/mysql.so" does not match "/usr/lib/php5/20100525/mysql.so" (CRC mismatch).
warning: the debug information found in "/usr/lib/debug/usr/lib/php5/20100525/mysql.so" does not match "/usr/lib/php5/20100525/mysql.so" (CRC mismatch).
warning: the debug information found in "/usr/lib/debug//usr/lib/php5/20100525/mysqli.so" does not match "/usr/lib/php5/20100525/mysqli.so" (CRC mismatch).
warning: the debug information found in "/usr/lib/debug/usr/lib/php5/20100525/mysqli.so" does not match "/usr/lib/php5/20100525/mysqli.so" (CRC mismatch).
warning: the debug information found in "/usr/lib/debug//usr/lib/php5/20100525/pdo_mysql.so" does not match "/usr/lib/php5/20100525/pdo_mysql.so" (CRC mismatch).
warning: the debug information found in "/usr/lib/debug/usr/lib/php5/20100525/pdo_mysql.so" does not match "/usr/lib/php5/20100525/pdo_mysql.so" (CRC mismatch).
[New Thread 0x7fffe80d8700 (LWP 27679)]
[Thread 0x7fffe80d8700 (LWP 27679) exited]
PHPUnit 3.7.10 by Sebastian Bergmann.

Configuration read from /tmp/git/app/phpunit.xml.dist

.............................................................   61 / 3421 (  1%)
...........................................................S.  122 / 3421 (  3%)
.............................................................  183 / 3421 (  5%)
.............................................................  244 / 3421 (  7%)
.............................................................  305 / 3421 (  8%)
.............................................................  366 / 3421 ( 10%)
.............................................................  427 / 3421 ( 12%)
.............................................................  488 / 3421 ( 14%)
.............................................................  549 / 3421 ( 16%)
.............................................................  610 / 3421 ( 17%)
.............................................................  671 / 3421 ( 19%)
.............................................................  732 / 3421 ( 21%)
.............................................................  793 / 3421 ( 23%)
.............................................................  854 / 3421 ( 24%)
.............................................................  915 / 3421 ( 26%)
.............................................................  976 / 3421 ( 28%)
............................................................. 1037 / 3421 ( 30%)
............................................................. 1098 / 3421 ( 32%)
............................................................. 1159 / 3421 ( 33%)
............................................................. 1220 / 3421 ( 35%)
............................................................. 1281 / 3421 ( 37%)
............................................................. 1342 / 3421 ( 39%)
............................................................. 1403 / 3421 ( 41%)
............................................................. 1464 / 3421 ( 42%)
.................
Program received signal SIGSEGV, Segmentation fault.
zval_mark_grey (pz=0xcf1fa60) at /tmp/buildd/php5-5.4.4/Zend/zend_gc.c:421
421	/tmp/buildd/php5-5.4.4/Zend/zend_gc.c: No such file or directory.
(gdb) bt full
#0  zval_mark_grey (pz=0xcf1fa60) at /tmp/buildd/php5-5.4.4/Zend/zend_gc.c:421
        p = 0xcf1fd58
#1  0x00000000006bcbdc in zval_mark_grey (pz=0xcf1fa60) at /tmp/buildd/php5-5.4.4/Zend/zend_gc.c:432
        p = 0xcf1fd58
#2  0x00000000006bda55 in gc_collect_cycles () at /tmp/buildd/php5-5.4.4/Zend/zend_gc.c:501
        current = 0x7ffff4306f30
        q = 0x7ffff4306f30
        orig_free_list = 0x0
        orig_next_to_free = 0x2
#3  0x00000000006bdde4 in gc_zval_possible_root (zv=0xcf1fa60) at /tmp/buildd/php5-5.4.4/Zend/zend_gc.c:166
        newRoot = 0x0
#4  0x00000000006ac968 in zend_hash_destroy (ht=0xcf1fa08) at /tmp/buildd/php5-5.4.4/Zend/zend_hash.c:560
No locals.
#5  0x000000000069dba7 in _zval_dtor_func (zvalue=0xcf09770) at /tmp/buildd/php5-5.4.4/Zend/zend_variables.c:43
No locals.
#6  0x0000000000476c78 in php_pcre_match_impl (pce=0x0, subject=0x40faa20 "\340\026\221\006", subject_len=217094144, return_value=0x2, subpats=0xcf09770, global=1, use_flags=4682104, flags=0, start_offset=0) at /tmp/buildd/php5-5.4.4/Zend/zend_variables.h:35
        result_set = 0x50cf09c70
        match_sets = 0x7fffffffb1e8
        extra = 0xcf1fe08
        extra_data = {flags = 3, study_data = 0x12, match_limit = 68135456, callout_data = 0xf4240, tables = 0xcf09e18 "\235\065", match_limit_recursion = 1, mark = 0x186a0, executable_jit = 0x7fffe729bff0}
        exoptions = 1
        offsets = 0x1
        num_subpats = 32767
        matched = 0
        g_notempty = 2
        stringlist = 0x3000000010
        subpat_names = 0x6ad3d0
        rc = 0
        subpats_order = 332
        offset_capture = 2
        start_offset = 0
#7  0x0000000000477178 in php_do_pcre_match.isra.8 (ht=3, return_value=0xcf1fe08, global=1) at /tmp/buildd/php5-5.4.4/ext/pcre/php_pcre.c:520
        regex = 0x14c00000043 <Address 0x14c00000043 out of bounds>
        subject = 0xcefe7d8 "/@requires\\s+(?P<name>function|extension)\\s(?P<value>([^ ]+))\\r?$/m"
        regex_len = 6785162
        subject_len = 0
        pce = 0x0
        subpats = 0xcf09800
        flags = 217094000
        start_offset = 0
#8  0x0000000000746bd2 in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7e4ce50) at /tmp/buildd/php5-5.4.4/Zend/zend_vm_execute.h:642
        ret = 0x7ffff52ae3f0
        opline = 0x7fffe73cbd40
        should_change_scope = 0 '\000'
        fbc = 0xddc650
#9  0x0000000000700447 in execute (op_array=0x7fffe73c9918) at /tmp/buildd/php5-5.4.4/Zend/zend_vm_execute.h:410
        ret = 0
        execute_data = 0x7ffff7e4ce50
        nested = 1 '\001'
        original_in_execution = 0 '\000'
#10 0x00000000006a028e in zend_execute_scripts (type=8, retval=0x7ffff7e74f60, file_count=3) at /tmp/buildd/php5-5.4.4/Zend/zend.c:1279
        files = 0x7fffffffb3a0
        i = 1
        file_handle = <incomplete type>
        orig_op_array = 0xdb8898
        orig_retval_ptr_ptr = 0x0
#11 0x000000000063f863 in php_execute_script (primary_file=0x74696d6d6f632d68) at /tmp/buildd/php5-5.4.4/main/main.c:2473
---Type <return> to continue, or q <return> to quit---
        __orig_bailout = 0x6170736b726f772f
        __bailout = {{__jmpbuf = {0, 0, 0, 0, 1, 0, 7053200, 0}, __mask_was_saved = 1, __saved_mask = {__val = {14386368, 0, 6328, 0, 0, 2, 14, 0, 1, 0, 0, 0, 4294943848, 32767, 14, 0}}}}
        prepend_file_p = 0x0
        append_file_p = 0x0
        prepend_file = {type = ZEND_HANDLE_FILENAME, filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, isatty = 0, mmap = {len = 0, pos = 0, map = 0x0, buf = 0x0, old_handle = 0x0, old_closer = 0}, reader = 0, fsizer = 0, closer = 0}}, free_filename = 0 '\000'}
        append_file = {type = ZEND_HANDLE_FILENAME, filename = 0x0, opened_path = 0x0, handle = {fd = 6996323, fp = 0x6ac163, stream = {handle = 0x6ac163, isatty = -23247, mmap = {len = 0, pos = 0, map = 0xce8ffb0, buf = 0x7fffffffa551 "", old_handle = 0x7fffffffada0, old_closer = 0x7fffffffa3e8}, reader = 0x6b9aa0 <d2b+208>, fsizer = 0xceca668, closer = 0x1500000000}}, free_filename = 0 '\000'}
        retval = 0
#12 0x00000000007491b3 in do_cli (argc=0, argv=0x7fffffffee07) at /tmp/buildd/php5-5.4.4/sapi/cli/php_cli.c:988
        __orig_bailout = 0x7fffffffebb8
        __bailout = {{__jmpbuf = {0, 0, 0, 0, 508161992, 3784896587, 0, 0}, __mask_was_saved = 455471048, __saved_mask = {__val = {0, 0, 10978083, 0, 10978107, 0, 10892777, 0, 10892798, 0, 10978120, 0, 10978140, 0, 10978157, 0}}}}
        file_handle = {type = 6538160, filename = 0x4 <Address 0x4 out of bounds>, opened_path = 0x7fffffffee07 "/usr/bin/phpunit", handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, isatty = -135835472, mmap = {len = 0, pos = 2018, map = 0x0, buf = 0x7ffff7e3e000 "\023", old_handle = 0x7ffff7e3e00f, old_closer = 0x10dd230}, reader = 0x6b4c10 <zend_stream_stdio_closer>, fsizer = 0x6b4d00 <zend_stream_stdio_reader>, closer = 0x6b4c40 <zend_stream_stdio_fsizer>}}, free_filename = 144 '\220'}
        behavior = 1
        reflection_what = 0x0
        request_started = 6609936
        exit_status = 0
        php_optarg = 0x200000002 <Address 0x200000002 out of bounds>
        php_optind = 1
        exec_direct = 0x0
        exec_run = 0x7fffffffe9d0 ""
        exec_begin = 0x0
        exec_end = 0x0
        arg_excp = 0x7fffffffebc0
        interactive = 0
        lineno = 0
        param_error = 0x7fffffffebc0 "\a\356\377\377\377\177"
        hide_argv = 0
#13 0x000000000043110a in main (argc=32767, argv=0xdb9230) at /tmp/buildd/php5-5.4.4/sapi/cli/php_cli.c:1361
        __bailout = {{__jmpbuf = {0, 0, 0, 0, 508161992, 3784896587, 0, 0}, __mask_was_saved = 98693064, __saved_mask = {__val = {0, 0, 0, 0, 3, 0, 0, 0, 4147400704, 32767, 4158564850, 32767, 1, 0, 0, 0}}}}
        c = 0
        exit_status = 0
        module_started = 0
        sapi_started = 0
        php_optarg = 0x100000000 <Address 0x100000000 out of bounds>
        php_optind = 32767
        use_extended_info = 0
        ini_ignore = 0
        sapi_module = 0x6ffffea30
(gdb) info frame 0
Stack frame at 0x7fffffffaf80:
 rip = 0x6bcc17 in zval_mark_grey (/tmp/buildd/php5-5.4.4/Zend/zend_gc.c:421); saved rip 0x6bcbdc
 called by frame at 0x7fffffffafc0
 source language c.
 Arglist at 0x7fffffffaf38, args: pz=0xcf1fa60
 Locals at 0x7fffffffaf38, Previous frame's sp is 0x7fffffffaf80
 Saved registers:
  rbx at 0x7fffffffaf58, rbp at 0x7fffffffaf60, r12 at 0x7fffffffaf68, r13 at 0x7fffffffaf70, rip at 0x7fffffffaf78
(gdb) p pz
$1 = (zval *) 0xcf1fa60
(gdb) p *pz
$2 = {value = {lval = 0, dval = 0, str = {val = 0x0, len = 217184848}, ht = 0x0, obj = {handle = 0, handlers = 0xcf1fa50}}, refcount__gc = 4294967295, type = 4 '\004', is_ref__gc = 0 '\000'}
(gdb)

-- 
Edit bug report at https://bugs.php.net/bug.php?id=64868&edit=1