Edit report at https://bugs.php.net/bug.php?id=62358&edit=1
ID:                 62358
Comment by:         maciej dot sz at gmail dot com
Reported by:        maciej dot sz at gmail dot com
Summary:            Segfault when using traits a lot
Status:             Assigned
Type:               Bug
Package:            Reproducible crash
Operating System:   Linux 3.2.0-25-generic Ubuntu
PHP Version:        5.4.4
Assigned To:        laruence
Block user comment: N
Private report:     N

New Comment:

Nope, no cache, not even Xdebug nor Zend debug. Pure PHP compiled with the following configuration:

    './configure' '--with-mysql' '--with-pgsql' '--with-zlib' '--enable-calendar' '--with-curl' '--with-jpeg-dir=/usr' '--with-png-dir=/usr' '--with-gd' '--enable-bcmath' '--enable-soap' '--with-pdo-mysql' '--with-pdo-pgsql' '--with-pdo-sqlite' '--with-config-file-path=/usr/local/php54/etc' '--with-config-file-scan-dir=/usr/local/php54/etc/conf.d' '--prefix=/usr/local/php54' '--enable-debug' '--with-mysqli' '--enable-mbstring' '--enable-fpm'


Previous Comments:
------------------------------------------------------------------------
[2012-08-20 14:39:26] larue...@php.net

Did you use some opcode cache? Seems the function struct is a total mess.

------------------------------------------------------------------------
[2012-08-20 14:30:42] maciej dot sz at gmail dot com

It is close to impossible to reproduce this bug on two separate machines. I've tried moving the exact code which caused the segfault on one computer to another, but it executed normally there. Meanwhile I've encountered another, very similar fault with a slightly different backtrace, which I think is related (maybe this one will be of any help?):

    Program received signal SIGSEGV, Segmentation fault.
    0x000000000094e506 in zend_get_function_declaration (fptr=0x1e68018) at /home/maciek/Downloads/php-5.4.6RC1/Zend/zend_compile.c:3072
    3072            if (arg_info->class_name) {
    (gdb) bt
    #0  0x000000000094e506 in zend_get_function_declaration (fptr=0x1e68018) at /home/maciek/Downloads/php-5.4.6RC1/Zend/zend_compile.c:3072
    #1  0x000000000094f37b in do_inheritance_check_on_method (child=0x1eb8700, parent=0x1e6e320) at /home/maciek/Downloads/php-5.4.6RC1/Zend/zend_compile.c:3263
    #2  0x000000000094f531 in do_inherit_method_check (child_function_table=0x1ea6a80, parent=0x1e6e320, hash_key=0x7fffffff9db0, child_ce=0x1ea6a58) at /home/maciek/Downloads/php-5.4.6RC1/Zend/zend_compile.c:3288
    #3  0x0000000000988bf0 in zend_hash_replace_checker_wrapper (target=0x1ea6a80, source_data=0x1e6e320, p=0x1e7af20, pParam=0x1ea6a58, merge_checker_func=0x94f4aa <do_inherit_method_check>) at /home/maciek/Downloads/php-5.4.6RC1/Zend/zend_hash.c:878
    #4  0x0000000000988c71 in zend_hash_merge_ex (target=0x1ea6a80, source=0x1e501a8, pCopyConstructor=0x94ddb3 <do_inherit_method>, size=240, pMergeSource=0x94f4aa <do_inherit_method_check>, pParam=0x1ea6a58) at /home/maciek/Downloads/php-5.4.6RC1/Zend/zend_hash.c:892
    #5  0x00000000009507df in zend_do_inheritance (ce=0x1ea6a58, parent_ce=0x1e50180) at /home/maciek/Downloads/php-5.4.6RC1/Zend/zend_compile.c:3519
    #6  0x00000000009540a7 in do_bind_inherited_class (op_array=0x1e60190, opline=0x1ea6f90, class_table=0x126eeb0, parent_ce=0x1e50180, compile_time=0 '\000') at /home/maciek/Downloads/php-5.4.6RC1/Zend/zend_compile.c:4570
    #7  0x00000000009b742a in ZEND_DECLARE_INHERITED_CLASS_SPEC_HANDLER (execute_data=0x7ffff7f94f30) at /home/maciek/Downloads/php-5.4.6RC1/Zend/zend_vm_execute.h:936
    #8  0x00000000009b4122 in execute (op_array=0x1e60190) at /home/maciek/Downloads/php-5.4.6RC1/Zend/zend_vm_execute.h:410
    #9  0x000000000096381c in zend_call_function (fci=0x7fffffffa3f0, fci_cache=0x7fffffffa440) at /home/maciek/Downloads/php-5.4.6RC1/Zend/zend_execute_API.c:958
    #10 0x0000000000717021 in zim_reflection_method_invokeArgs (ht=2, return_value=0x1ea8ac0, return_value_ptr=0x0, this_ptr=0x1e66070, return_value_used=1) at /home/maciek/Downloads/php-5.4.6RC1/ext/reflection/php_reflection.c:3024
    #11 0x00000000009b5838 in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7f937e8) at /home/maciek/Downloads/php-5.4.6RC1/Zend/zend_vm_execute.h:642
    #12 0x00000000009b66dc in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7ffff7f937e8) at /home/maciek/Downloads/php-5.4.6RC1/Zend/zend_vm_execute.h:752
    #13 0x00000000009b4122 in execute (op_array=0x7ffff083e960) at /home/maciek/Downloads/php-5.4.6RC1/Zend/zend_vm_execute.h:410
    #14 0x0000000000976ca1 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/maciek/Downloads/php-5.4.6RC1/Zend/zend.c:1289
    #15 0x00000000008e90aa in php_execute_script (primary_file=0x7fffffffcdb0) at /home/maciek/Downloads/php-5.4.6RC1/main/main.c:2473
    #16 0x0000000000abf8c1 in do_cli (argc=6, argv=0x7fffffffe198) at /home/maciek/Downloads/php-5.4.6RC1/sapi/cli/php_cli.c:988
    #17 0x0000000000ac09fa in main (argc=6, argv=0x7fffffffe198) at /home/maciek/Downloads/php-5.4.6RC1/sapi/cli/php_cli.c:1364
    (gdb) p *arg_info
    Cannot access memory at address 0xcf5d2b8b
    (gdb) p *fptr
    $3 = {type = 152 '\230',
      common = {type = 152 '\230', function_name = 0x1e7c320 "\001", scope = 0x1e7c288, fn_flags = 9911106, prototype = 0x5a010000, num_args = 2241651391, required_num_args = 1515870810, arg_info = 0xcf5d2b8b},
      op_array = {type = 152 '\230', function_name = 0x1e7c320 "\001", scope = 0x1e7c288, fn_flags = 9911106, prototype = 0x5a010000, num_args = 2241651391, required_num_args = 1515870810, arg_info = 0xcf5d2b8b, refcount = 0x79, opcodes = 0xa1, last = 1930623196, vars = 0xfb24d0, last_var = 2019, T = 0, brk_cont_array = 0x0, last_brk_cont = 0, try_catch_array = 0x20, last_try_catch = 1011079938, static_variables = 0x7ffff7f1f490, this_var = 32, filename = 0x600000001 <Address 0x600000001 out of bounds>, line_start = 0, line_end = 0, doc_comment = 0x5a5a5a5a859ce2bf <Address 0x5a5a5a5a859ce2bf out of bounds>, doc_comment_len = 3478989571, early_binding = 0, literals = 0x81, last_literal = 121, run_time_cache = 0x7312f8dc, last_cache_slot = 16458960, reserved = {0x7e3, 0x0, 0x0, 0x20}},
      internal_function = {type = 152 '\230', function_name = 0x1e7c320 "\001", scope = 0x1e7c288, fn_flags = 9911106, prototype = 0x5a010000, num_args = 2241651391, required_num_args = 1515870810, arg_info = 0xcf5d2b8b, handler = 0x79, module = 0xa1}}

------------------------------------------------------------------------
[2012-08-13 20:42:57] maciej dot sz at gmail dot com

I'm having trouble putting together a reproduce script because, as I've mentioned before, there is a lot of randomness in this crash. I'll keep trying; meanwhile, the requested fptr (don't know if I'm doing it right...):

    (gdb) f
    #0  0x000000000094e37d in zend_get_function_declaration (fptr=0x1b6a6e8) at /home/maciek/Downloads/php-5.4.6RC1/Zend/zend_compile.c:3052
    3052            memcpy(offset, fptr->common.scope->name, fptr->common.scope->name_length);
    (gdb) p *fptr
    $2 = {type = 90 'Z',
      common = {type = 90 'Z', function_name = 0x5a5a5a5a5a5a5a5a <Address 0x5a5a5a5a5a5a5a5a out of bounds>, scope = 0x5a5a5a5a5a5a5a5a, fn_flags = 1515870810, prototype = 0x5a5a5a5a5a5a5a5a, num_args = 1515870810, required_num_args = 1515870810, arg_info = 0x5a5a5a5a5a5a5a5a},
      op_array = {type = 90 'Z', function_name = 0x5a5a5a5a5a5a5a5a <Address 0x5a5a5a5a5a5a5a5a out of bounds>, scope = 0x5a5a5a5a5a5a5a5a, fn_flags = 1515870810, prototype = 0x5a5a5a5a5a5a5a5a, num_args = 1515870810, required_num_args = 1515870810, arg_info = 0x5a5a5a5a5a5a5a5a, refcount = 0x5a5a5a5a5a5a5a5a, opcodes = 0x5a5a5a5a5a5a5a5a, last = 1515870810, vars = 0x5a5a5a5a5a5a5a5a, last_var = 1515870810, T = 1515870810, brk_cont_array = 0x5a5a5a5a5a5a5a5a, last_brk_cont = 1515870810, try_catch_array = 0x5a5a5a5a5a5a5a5a, last_try_catch = 1515870810, static_variables = 0x5a5a5a5a5a5a5a5a, this_var = 1515870810, filename = 0x5a5a5a5a5a5a5a5a <Address 0x5a5a5a5a5a5a5a5a out of bounds>, line_start = 1515870810, line_end = 1515870810, doc_comment = 0x5a5a5a5a5a5a5a5a <Address 0x5a5a5a5a5a5a5a5a out of bounds>, doc_comment_len = 1515870810, early_binding = 1515870810, literals = 0x5a5a5a5a5a5a5a5a, last_literal = 1515870810, run_time_cache = 0x5a5a5a5a5a5a5a5a, last_cache_slot = 1515870810, reserved = {0x5a5a5a5a5a5a5a5a, 0x5a5a5a5a5a5a5a5a, 0x5a5a5a5a5a5a5a5a, 0x5a5a5a5a5a5a5a5a}},
      internal_function = {type = 90 'Z', function_name = 0x5a5a5a5a5a5a5a5a <Address 0x5a5a5a5a5a5a5a5a out of bounds>, scope = 0x5a5a5a5a5a5a5a5a, fn_flags = 1515870810, prototype = 0x5a5a5a5a5a5a5a5a, num_args = 1515870810, required_num_args = 1515870810, arg_info = 0x5a5a5a5a5a5a5a5a, handler = 0x5a5a5a5a5a5a5a5a, module = 0x5a5a5a5a5a5a5a5a}}
    (gdb) p $f0
    $3 = void

------------------------------------------------------------------------
[2012-08-13 06:36:01] larue...@php.net

And btw: could you please print the fptr in your bt out? Maybe it will help, like:

    gdb > f 0
    gdb > p *fptr

------------------------------------------------------------------------
[2012-08-13 06:34:06] larue...@php.net

Could you give us a reproduce script? Seems you are using reflection in your scripts.

(assign to myself, then I can get your feedback as soon as possible)

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at https://bugs.php.net/bug.php?id=62358
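An added illustration of what the two `p *fptr` dumps above are showing; this is example code written for this page, not code from the bug report or from PHP. In the `$2` dump every field is `0x5a5a5a5a5a5a5a5a`, `type` reads as `90 'Z'` and every 32-bit field is `1515870810`, which is simply `0x5a5a5a5a` in decimal; the `$3` dump has a few `0x5a` remnants (`prototype = 0x5a010000`, `doc_comment = 0x5a5a5a5a...`) among otherwise plausible values. The assumption this example rests on is that a debug build of the Zend memory manager fills freed blocks with the byte `0x5a`, so an all-`0x5a` struct is a block that was freed and not yet reused, and a partially `0x5a` struct is a freed block that was later handed out again; verify that against `zend_alloc.c` for your build. The bump arena, the `fake_function` layout and all function names below are toy stand-ins, not PHP's allocator or its `zend_function` layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed poison byte: a debug-build Zend MM is believed to memset freed
 * blocks to 0x5a ('Z'). Treat this as an assumption and check zend_alloc.c. */
#define POISON_BYTE 0x5a

/* Toy bump arena standing in for the engine allocator (not PHP's code).
 * Freed blocks are never recycled, so reading through a stale pointer below
 * stays well-defined C while still reproducing what gdb would print. */
_Alignas(16) static unsigned char arena[4096];
static size_t arena_used;

static void *arena_alloc(size_t n) {
    n = (n + 15) & ~(size_t)15;              /* keep blocks 16-byte aligned */
    if (arena_used + n > sizeof arena) return NULL;
    void *p = arena + arena_used;
    arena_used += n;
    memset(p, 0, n);
    return p;
}

static void arena_free(void *p, size_t n) {
    memset(p, POISON_BYTE, n);               /* poison on free, as a debug allocator does */
}

/* Fraction (0.0 .. 1.0) of the bytes in [p, p+n) equal to the poison byte. */
double poison_fraction(const void *p, size_t n) {
    const unsigned char *b = p;
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) hits += (b[i] == POISON_BYTE);
    return n ? (double)hits / (double)n : 0.0;
}

/* Read a dumped struct the way you would eyeball the gdb output: every byte
 * 0x5a means freed and untouched (the $2 dump); a few 0x5a remnants among
 * otherwise sane-looking values means freed and partly reused (the $3 dump). */
const char *classify(const void *p, size_t n) {
    double f = poison_fraction(p, n);
    if (f == 1.0) return "freed, not yet reused";
    if (f > 0.0)  return "freed, partially reused";
    return "no poison pattern";
}

/* Cut-down stand-in for the fields gdb showed in zend_function.common.
 * This is not the real layout, just enough to reproduce the numbers. */
struct fake_function {
    unsigned char type;
    const char *function_name;
    uint32_t num_args;
    uint32_t required_num_args;
};

/* Shape of the reported crash: release the function, keep the pointer, use it.
 * Returns what a stale read of num_args yields once the block is poisoned. */
uint32_t stale_num_args(void) {
    struct fake_function *f = arena_alloc(sizeof *f);
    if (!f) return 0;
    f->type = 2;                    /* a user-function-style type byte */
    f->function_name = "foo";
    f->num_args = 2;
    f->required_num_args = 1;
    arena_free(f, sizeof *f);       /* block released... */
    return f->num_args;             /* ...but the dangling pointer is still used */
}

/* Same stale read, checked over the whole struct: 1.0 is the all-0x5a picture. */
double stale_struct_poison_fraction(void) {
    struct fake_function *f = arena_alloc(sizeof *f);
    if (!f) return -1.0;
    f->type = 2;
    f->num_args = 2;
    arena_free(f, sizeof *f);
    return poison_fraction(f, sizeof *f);
}

int main(void) {
    uint32_t n = stale_num_args();
    printf("stale num_args = %u (0x%08x); a poisoned type byte prints as '%c'\n",
           (unsigned)n, (unsigned)n, POISON_BYTE);
    printf("whole stale struct: %.2f poisoned\n", stale_struct_poison_fraction());
    return 0;
}
```

The practical use is the `classify` heuristic: run it over the raw bytes of a suspect struct (in gdb, `x/32xb fptr` gives the same picture) before trusting any field in it. A fully poisoned block points at a use-after-free of that allocation; a partially poisoned one means the block was freed and reallocated, so the interesting question becomes who freed it, not who wrote the garbage.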