Edit report at https://bugs.php.net/bug.php?id=64913&edit=1

 ID:                 64913
 Updated by:         fel...@php.net
 Reported by:        slusarz at curecanti dot org
 Summary:            Segfault in zend_hash_find
-Status:             Open
+Status:             Feedback
 Type:               Bug
 Package:            Reproducible crash
 Operating System:   Linux
 PHP Version:        5.4.15
 Block user comment: N
 Private report:     N

 New Comment:

Please try using this snapshot:

  http://snaps.php.net/php-trunk-latest.tar.gz

For Windows:

  http://windows.php.net/snapshots/


Previous Comments:
------------------------------------------------------------------------
[2013-05-24 06:21:58] slusarz at curecanti dot org

Description:
------------
(Mostly) reproducible segfault:

[353713.319612] php-fpm[24273]: segfault at 30 ip 0000000000742b28 sp 00007fff3f5f3950 error 4 in php-fpm[400000+970000]

Verified occurring if either APC, ZendOPcache, or neither is active.

Appears to be happening in shutdown code. Main actions in code are successful, but valid response is never sent back to browser.

Test script:
---------------
Script causing segfault is Spam message reporting in IMP (http://www.horde.org/imp/). 90% of time script crashes, although spam reporting is successful. However, 10% of time script is successful with no segfault.

Additionally, saw this for months, upgraded OS (using Arch Linux) - had no issues for a month. Recently rebooted (after several further upgrades) and am seeing again.

Actual result:
--------------
Core was generated by `php-fpm: pool www '.
Program terminated with signal 11, Segmentation fault.
#0  0x0000000000742b28 in zend_hash_find (ht=0x2ef2358, arKey=arKey@entry=0xc13e40 "stream", nKeyLength=nKeyLength@entry=7, pData=pData@entry=0x7fff3f5f39e8)
    at /disk2/src/php-5.4.15/Zend/zend_hash.c:924
924             p = ht->arBuckets[nIndex];
(gdb) bt full
#0  0x0000000000742b28 in zend_hash_find (ht=0x2ef2358, arKey=arKey@entry=0xc13e40 "stream", nKeyLength=nKeyLength@entry=7, pData=pData@entry=0x7fff3f5f39e8)
    at /disk2/src/php-5.4.15/Zend/zend_hash.c:924
        h = 229483039115121
        nIndex = 0
        p = <optimized out>
#1  0x00000000006b0b30 in userfilter_filter (stream=0x3072540, thisfilter=<optimized out>, buckets_in=0x7fff3f5f3aa0, buckets_out=0x7fff3f5f3ab0, bytes_consumed=0x7fff3f5f3a98, flags=2)
    at /disk2/src/php-5.4.15/ext/standard/user_filters.c:183
        ret = 0
        obj = 0x2ef96d0
        func_name = {value = {lval = 49225688, dval = 2.43207213336997e-316, str = {val = 0x2ef1fd8 "\220\376\355\002", len = 3}, ht = 0x2ef1fd8, obj = {handle = 49225688, handlers = 0x3}}, refcount__gc = 24, type = 0 '\000', is_ref__gc = 0 '\000'}
        retval = 0x0
        args = {0x0, 0x7f3c4d876770, 0x7f3c4d876808, 0x75a5c4 <zend_objects_store_del_ref_by_handle_ex+564>}
        zclosing = 0x710c48 <_zend_mm_free_int+200>
        zconsumed = 0x2ef5058
        zin = 0x710c48 <_zend_mm_free_int+200>
        zout = 0x2f75eb0
        zstream = 0x710c48 <_zend_mm_free_int+200>
        zpropname = {value = {lval = 49225688, dval = 2.43207213336997e-316, str = {val = 0x2ef1fd8 "\220\376\355\002", len = 7408712}, ht = 0x2ef1fd8, obj = {handle = 49225688, handlers = 0x710c48 <_zend_mm_free_int+200>}}, refcount__gc = 49349512, type = 0 '\000', is_ref__gc = 0 '\000'}
        call_result = <optimized out>
#2  0x00000000006eeff4 in _php_stream_write_filtered (
    stream=stream@entry=0x3072540, buf=buf@entry=0x0, count=count@entry=0, flags=2)
    at /disk2/src/php-5.4.15/main/streams/streams.c:1177
        consumed = 0
        bucket = <optimized out>
        brig_in = {head = 0x0, tail = 0x0}
        brig_out = {head = 0x0, tail = 0x0}
        brig_inp = 0x7fff3f5f3aa0
        brig_outp = 0x7fff3f5f3ab0
        brig_swap = <optimized out>
        status = PSFS_ERR_FATAL
        filter = 0x2efb298
#3  0x00000000006f065c in _php_stream_flush (stream=0x3072540, closing=<optimized out>)
    at /disk2/src/php-5.4.15/main/streams/streams.c:1226
No locals.
#4  0x00000000006f224a in _php_stream_free (stream=<optimized out>, close_options=11)
    at /disk2/src/php-5.4.15/main/streams/streams.c:461
        ret = 1
        preserve_handle = 0
        release_cast = 1
        context = 0x0
#5  0x00000000006f2521 in stream_resource_regular_dtor (rsrc=<optimized out>)
    at /disk2/src/php-5.4.15/main/streams/streams.c:1616
        stream = <optimized out>
#6  0x000000000074404e in list_entry_destructor (ptr=0x2efa320)
    at /disk2/src/php-5.4.15/Zend/zend_list.c:183
        le = 0x2efa320
        ld = 0x27aaae0
#7  0x0000000000741efe in zend_hash_del_key_or_index (
    ht=0xfa0410 <executor_globals+656>, arKey=arKey@entry=0x0, nKeyLength=nKeyLength@entry=0, h=h@entry=89, flag=flag@entry=1)
    at /disk2/src/php-5.4.15/Zend/zend_hash.c:531
        nIndex = <optimized out>
        p = 0x2efa360
#8  0x00000000007441f7 in _zend_list_delete (id=<optimized out>)
    at /disk2/src/php-5.4.15/Zend/zend_list.c:57
        le = 0x2efa320
#9  0x00000000007269b2 in _zval_dtor (zvalue=<optimized out>)
    at /disk2/src/php-5.4.15/Zend/zend_variables.h:35
No locals.
#10 _zval_ptr_dtor (zval_ptr=0x2ef7d80)
    at /disk2/src/php-5.4.15/Zend/zend_execute_API.c:438
        zval_ptr = 0x2ef7d80
#11 0x0000000000754917 in zend_object_std_dtor (object=0x2ef4810)
    at /disk2/src/php-5.4.15/Zend/zend_objects.c:54
        i = 2
#12 0x0000000000754949 in zend_objects_free_object_storage (object=0x2ef4810)
    at /disk2/src/php-5.4.15/Zend/zend_objects.c:137
No locals.
#13 0x000000000075a5c4 in zend_objects_store_del_ref_by_handle_ex (handle=259, handlers=<optimized out>)
    at /disk2/src/php-5.4.15/Zend/zend_objects_API.c:221
        __orig_bailout = 0x7fff3f5f3e20
        __bailout = {{__jmpbuf = {49237376, -7765129602178683652, 49376136, 139896975484784, 139896975484936, 139896975484496, 7764993663327071484, -7765135061082247940}, __mask_was_saved = 0, __saved_mask = {__val = {7408712, 49732072, 7408712, 49403632, 16385040, 90, 49262568, 0, 7408712, 49348960, 49348616, 0, 7408712, 49348568, 7408712, 49349168}}}}
        obj = 0x7f3c4d89b8c0
        failure = 0
#14 0x000000000075a5e3 in zend_objects_store_del_ref (zobject=0x2ef4d80)
    at /disk2/src/php-5.4.15/Zend/zend_objects_API.c:173
        handle = <optimized out>
#15 0x00000000007269b2 in _zval_dtor (zvalue=<optimized out>)
    at /disk2/src/php-5.4.15/Zend/zend_variables.h:35
No locals.
#16 _zval_ptr_dtor (zval_ptr=0x2f13e78)
    at /disk2/src/php-5.4.15/Zend/zend_execute_API.c:438
        zval_ptr = 0x2f13e78
#17 0x0000000000742008 in zend_hash_destroy (ht=0x2f12500)
    at /disk2/src/php-5.4.15/Zend/zend_hash.c:560
        p = 0x2f16b88
        q = 0x2f13e60
#18 0x0000000000734172 in _zval_dtor_func (zvalue=0x2f10358)
    at /disk2/src/php-5.4.15/Zend/zend_variables.c:45
No locals.
#19 0x00000000007269b2 in _zval_dtor (zvalue=<optimized out>)
    at /disk2/src/php-5.4.15/Zend/zend_variables.h:35
No locals.
#20 _zval_ptr_dtor (zval_ptr=0x2f0ef58)
    at /disk2/src/php-5.4.15/Zend/zend_execute_API.c:438
        zval_ptr = 0x2f0ef58
#21 0x0000000000754917 in zend_object_std_dtor (object=0x2ef0bf8)
    at /disk2/src/php-5.4.15/Zend/zend_objects.c:54
        i = 7
#22 0x0000000000754949 in zend_objects_free_object_storage (object=0x2ef0bf8)
    at /disk2/src/php-5.4.15/Zend/zend_objects.c:137
No locals.
#23 0x000000000075a1a8 in zend_objects_store_free_object_storage (
    objects=0xfa0540 <executor_globals+960>)
    at /disk2/src/php-5.4.15/Zend/zend_objects_API.c:92
        obj = <optimized out>
        i = 255
#24 0x0000000000726e8a in shutdown_executor ()
    at /disk2/src/php-5.4.15/Zend/zend_execute_API.c:297
        __orig_bailout = 0x7fff3f5f4290
        __bailout = {{__jmpbuf = {45348848, -7765133929708458756, 1, 139896975484784, 139896975484936, 139896975484496, 7764993663387888892, -7765135110167925508}, __mask_was_saved = 0, __saved_mask = {__val = {8, 0, 7408712, 139896975728504, 7408712, 139895674765312, 50744240, 44795704, 7408712, 49366816, 44795704, 0, 44253864, 16382864, 16382864, 1}}}}
#25 0x0000000000735076 in zend_deactivate ()
    at /disk2/src/php-5.4.15/Zend/zend.c:938
No locals.
#26 0x00000000006d8a20 in php_request_shutdown (dummy=dummy@entry=0x0)
    at /disk2/src/php-5.4.15/main/main.c:1800
        report_memleaks = 1 '\001'
#27 0x0000000000435a51 in main (argc=<optimized out>, argv=<optimized out>)
    at /disk2/src/php-5.4.15/sapi/fpm/fpm/fpm_main.c:1952
        primary_script = <optimized out>
        __orig_bailout = 0x0
        __bailout = {{__jmpbuf = {0, -7765135777435554564, 70, 4294967295, 4294967295, 0, 7764993662408518908, -7765135255906882308}, __mask_was_saved = 0, __saved_mask = {__val = {0 <repeats 16 times>}}}}
        exit_status = 0
        c = <optimized out>
        use_extended_info = 0
        file_handle = {type = ZEND_HANDLE_MAPPED, filename = 0x7f3c4d877818 " \237}\002", opened_path = 0x0, handle = {fd = 1300922880, fp = 0x7f3c4d8a8200, stream = {handle = 0x7f3c4d8a8200, isatty = 0, mmap = {len = 2713, pos = 0, map = 0x0, buf = 0x7f3c4d8db000 <Address 0x7f3c4d8db000 out of bounds>, old_handle = 0x0, old_closer = 0x0}, reader = 0x6efe80 <_php_stream_read>, fsizer = 0x6d6960 <php_zend_stream_fsizer>, closer = 0x6d6940 <php_zend_stream_mmap_closer>}}, free_filename = 0 '\000'}
        orig_optind = 1
        orig_optarg = 0x0
        ini_entries_len = <optimized out>
        max_requests = 0
        requests = 200
        fcgi_fd = <optimized out>
        request = {listen_socket = 0, fd = 3, id = 1, keep = 0, closed = 0, in_len = 0, in_pad = 0, out_hdr = 0x7fff3f5f4460, out_pos = 0x7fff3f5f475e "n line 835\nPHP message: PHP Strict Standards: Non-static method serendipity_plugin_api::probePlugin() should not be called statically in /httpd/s9y/include/plugin_api.inc.php on line 542\nPHP message:"..., out_buf = "\001\006\000\001\f\267\001\000Expires: Thu, 19 Nov 1981 08:52:00 GMT\r\nCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0\r\nPragma: no-cache\r\nContent-Type: application/json\r\nContent-Encoding: gzip\r"..., reserved = '\000' <repeats 15 times>, env = 0x7f3c4d876040}
        fpm_config = 0x0
        fpm_prefix = 0x0
        fpm_pid = 0x0
        test_conf = 0
        force_daemon = <optimized out>
        php_information = 0
        php_allow_to_run_as_root = 0
        __func__ = "main"


------------------------------------------------------------------------

-- 
Edit this bug report at https://bugs.php.net/bug.php?id=64913&edit=1