Edit report at https://bugs.php.net/bug.php?id=63134&edit=1
ID: 63134
Updated by: larue...@php.net
Reported by: vegeta at tuxpowered dot net
Summary: garbage collector segfault
-Status: Open
+Status: Feedback
Type: Bug
Package: *General Issues
Operating System: Debian 6.0.5 x86_64
PHP Version: 5.3.17
Block user comment: N
Private report: N

New Comment:

Thank you for this bug report. To properly diagnose the problem, we need a short but complete example script to be able to reproduce this bug ourselves.

A proper reproducing script starts with <?php and ends with ?>, is max. 10-20 lines long and does not require any external resources such as databases, etc. If the script requires a database to demonstrate the issue, please make sure it creates all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.

Could you please try to make a single reproducible script?

thanks

Previous Comments:
------------------------------------------------------------------------
[2012-09-21 17:02:43] vegeta at tuxpowered dot net

Description:
------------
There is an application which creates a rather complicated graph structure. Some of the objects used in this structure have a __destruct() method where they replace their own properties with new array()s. Most of the code runs fine, apart from the very end, where php runs the garbage collector. At this moment there is a segfault.

Debian packages come with suhosin, therefore I tested the issue also with custom-built packages without it. I tested multiple php versions, both of the 5.3 and 5.4 ranges, including 5.3.17, with and without suhosin and with USE_ZEND_ALLOC=1 and =0.

Calling gc_disable() at the end of the script causes it to terminate properly. Modifying __destruct() so it does not try to "clean" itself also solves the issue.

I attach results of 5.3.13 built without suhosin.

Expected result:
----------------
I expect the script to finish in a natural way without a segfault.
Actual result:
--------------
$ gdb --arg /opt/php5-nosuhosin/php5 install/broken_script.php
warning: Can not parse XML syscalls information; XML support was disabled at compile time.
GNU gdb (GDB) 7.0.1-debian
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /opt/php5-nosuhosin/php5...Reading symbols from /usr/lib/debug/opt/php5-nosuhosin/php5...done.
(no debugging symbols found)...done.
(gdb) run
Starting program: /opt/php5-nosuhosin/php5 install/broken_script.php
[Thread debugging using libthread_db enabled]

Program received signal SIGSEGV, Segmentation fault.
zend_mm_remove_from_free_list (heap=0xe9f290, mm_block=0x7fffd850f728) at /usr/src/php/Zend/zend_alloc.c:830
830		ZEND_MM_CHECK_TREE(mm_block);
(gdb) bt
#0  zend_mm_remove_from_free_list (heap=0xe9f290, mm_block=0x7fffd850f728) at /usr/src/php/Zend/zend_alloc.c:830
#1  0x00000000006a7c76 in _zend_mm_free_int (heap=0xe9f290, p=0x7fffd850f9d0) at /usr/src/php/Zend/zend_alloc.c:2034
#2  0x00000000006d1b31 in zend_hash_destroy (ht=0x7fffd8523b48) at /usr/src/php/Zend/zend_hash.c:534
#3  0x00000000006e4839 in zend_object_std_dtor (object=0x7fffd8bf0740) at /usr/src/php/Zend/zend_objects.c:45
#4  0x00000000006e4859 in zend_objects_free_object_storage (object=0x7fffd8bf0740) at /usr/src/php/Zend/zend_objects.c:126
#5  0x00000000006e80bc in zend_objects_store_free_object_storage (objects=0xe9dc18) at /usr/src/php/Zend/zend_objects_API.c:92
#6  0x00000000006b8feb in shutdown_executor () at /usr/src/php/Zend/zend_execute_API.c:304
#7  0x00000000006c59d2 in zend_deactivate () at /usr/src/php/Zend/zend.c:891
#8  0x00000000006714c5 in php_request_shutdown (dummy=0xe9f290) at /usr/src/php/main/main.c:1661
#9  0x0000000000752cd0 in main (argc=-4856, argv=0x7ffff7fece18) at /usr/src/php/sapi/cli/php_cli.c:1363
(gdb) l
825				rp = cp;
826			}
827			*rp = NULL;
828
829	subst_block:
830		ZEND_MM_CHECK_TREE(mm_block);
831		*mm_block->parent = prev;
832		prev->parent = mm_block->parent;
833		if ((prev->child[0] = mm_block->child[0])) {
834			ZEND_MM_CHECK_TREE(prev->child[0]);
(gdb) print mm_block
$1 = (zend_mm_free_block *) 0x7fffd850f728
(gdb) print *mm_block
$2 = {info = {_size = 664, _prev = 97}, prev_free_block = 0x1a21af0, next_free_block = 0x1c682a8, parent = 0xffffffff, child = {0x0, 0x0}}

$ USE_ZEND_ALLOC=0 gdb --arg /opt/php5-nosuhosin/php5 install/broken_script.php
warning: Can not parse XML syscalls information; XML support was disabled at compile time.
GNU gdb (GDB) 7.0.1-debian
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /opt/php5-nosuhosin/php5...Reading symbols from /usr/lib/debug/opt/php5-nosuhosin/php5...done.
(no debugging symbols found)...done.
(gdb) run
Starting program: /opt/php5-nosuhosin/php5 install/broken_script.php
[Thread debugging using libthread_db enabled]

Program exited normally.
(gdb) run
Starting program: /opt/php5-nosuhosin/php5 install/broken_script.php
[Thread debugging using libthread_db enabled]

Program received signal SIGSEGV, Segmentation fault.
zval_mark_grey (pz=0x1fbfc20) at /usr/src/php/Zend/zend_gc.c:372
372			pz = *(zval**)p->pData;
(gdb) backtrace
#0  zval_mark_grey (pz=0x1fbfc20) at /usr/src/php/Zend/zend_gc.c:372
#1  0x00000000006e2fa5 in gc_collect_cycles () at /usr/src/php/Zend/zend_gc.c:435
#2  0x00000000006c5aa5 in zend_deactivate () at /usr/src/php/Zend/zend.c:901
#3  0x00000000006714c5 in php_request_shutdown (dummy=0x1fbfc20) at /usr/src/php/main/main.c:1661
#4  0x0000000000752cd0 in main (argc=-4888, argv=0x7ffff7fece18) at /usr/src/php/sapi/cli/php_cli.c:1363
(gdb) l
367			} else {
368				p = Z_ARRVAL_P(pz)->pListHead;
369			}
370		}
371		while (p != NULL) {
372			pz = *(zval**)p->pData;
373			if (Z_TYPE_P(pz) != IS_ARRAY || Z_ARRVAL_P(pz) != &EG(symbol_table)) {
374				pz->refcount__gc--;
375			}
376			if (p->pListNext == NULL) {
(gdb) print p
$1 = (Bucket *) 0x500000000
(gdb) print *(zval**)p->pData
Cannot access memory at address 0x500000010
(gdb) print p
$2 = (Bucket *) 0x500000000
(gdb) print pz.value.ht->pListHead
$3 = (Bucket *) 0x500000000
(gdb) print *pz.value.ht
$4 = {nTableSize = 872480768, nTableMask = 943208497, nNumOfElements = 49, nNextFreeElement = 33273840, pInternalPointer = 0x13d3490, pListHead = 0x500000000, pListTail = 0x0, arBuckets = 0x190, pDestructor = 0x60, persistent = 16 '\020', nApplyCount = 67 'C', bApplyProtection = 61 '='}

------------------------------------------------------------------------

--
Edit this bug report at https://bugs.php.net/bug.php?id=63134&edit=1
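As an added illustration (not the reporter's script, and not known to trigger the crash), this PHP 5.3-style sketch shows the shape of the structure the report describes: a cyclic object graph whose nodes overwrite their own properties with new array()s in __destruct(), together with the gc_disable() workaround the reporter mentions. The Node class, build_graph() and the SKIP_GC environment variable are assumptions made for the example.

```php
<?php
// Constructed illustration of the pattern in the report above (PHP 5.3-
// compatible syntax). Not the reporter's script and not known to crash;
// it only shows the structure: a cyclic object graph whose nodes replace
// their own properties with new arrays inside __destruct().

class Node
{
    public $name;
    public $edges = array();   // hypothetical: links to other nodes
    public $meta  = array();   // hypothetical: payload the destructor "cleans"

    public function __construct($name)
    {
        $this->name = $name;
        $this->meta = array('created' => microtime(true));
    }

    public function link(Node $other)
    {
        $this->edges[] = $other;
        $other->edges[] = $this;   // back-reference: every edge forms a cycle
    }

    // The pattern under suspicion: the destructor overwrites its own
    // properties while the engine is already tearing the object down.
    public function __destruct()
    {
        $this->edges = array();
        $this->meta  = array();
    }
}

// Build a small graph in which every node sits in at least one reference cycle.
function build_graph($n)
{
    $nodes = array();
    for ($i = 0; $i < $n; $i++) {
        $nodes[] = new Node("n$i");
    }
    for ($i = 0; $i < $n; $i++) {
        $nodes[$i]->link($nodes[($i + 1) % $n]);       // ring
        $nodes[$i]->link($nodes[($i * 7 + 3) % $n]);   // extra cross-links
    }
    return $nodes;
}

$graph = build_graph(200);
unset($graph);   // refcounts stay above zero: only the cycle collector frees the nodes

// Workaround named in the report: skip the collector instead of running it at shutdown.
if (getenv('SKIP_GC')) {
    gc_disable();
} else {
    echo gc_collect_cycles(), " cycles collected\n";
}
```

Running it with and without SKIP_GC=1 set in the environment lets the two code paths the reporter compared (collector on vs. gc_disable()) be exercised on the same graph.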