Edit report at https://bugs.php.net/bug.php?id=60598&edit=1

 ID:                 60598
 Comment by:         manuel-php at mausz dot at
 Reported by:        arekm at maven dot pl
 Summary:            cli/apache sapi segfault on objects manipulation
 Status:             Open
 Type:               Bug
 Package:            Reproducible crash
 Operating System:   Linux
 PHP Version:        5.4.0RC3
 Block user comment: N
 Private report:     N

 New Comment:

Hi,

I've tried to debug this yesterday but was unable to come up with a working 
fix. So I decided to share my results. Maybe someone with more in-depth 
knowledge of the PHP GC/heap can fix it more easily now.

First of all: The problem is also reproducible with 2 (and more) objects. It 
just doesn't crash due to PHP's memory heap. The corruption occurs during PHP's 
garbage collection, which kicks in just after __destruct() but before releasing 
the objects. Since GC_ROOT_BUFFER_MAX_ENTRIES is 10000 per default, you'll see 
heap memory corruption warnings starting at 9994 objects (looks like 6 other 
zvals are created during startup). Reducing GC_ROOT_BUFFER_MAX_ENTRIES to 8 
allows reducing OBJECT_COUNT (in the example script from arekm) to 2. Another, 
simpler solution is to call gc_collect_cycles() in __destruct() just after 
unset(...).

So here comes my (stripped down) debug output (verified via valgrind + gdb):
* GC_ROOT_BUFFER_MAX_ENTRIES=default (10k)
* OBJECT_COUNT=2
* call gc_collect_cycles() in __destruct()
* abbr.: pt ...(object) properties_table

[...]
[object_properties_init]
  name=Object addr=b20d9d88 pt_addr=b20d9808
  pt[0]_addr=b20d6148 pt[0].handle=#0
[zend_std_write_property]
  name=_guid (=pt[0])
  old_addr=b20d6148 new_addr=b20d9db8 new.handle=#0

[...]
[zval_collect_white]
  adding zval to zval_to_free-list
  zval: addr=b20d9db8 refcnt=2 handle=#0
[gc_collect_cycles]
  freeing zval
  zval: addr=b20d9db8 refcnt=2 handle=#0

[...]
[zend_object_std_dtor]
  object=Object addr=b20d9d88 pt_addr=b20d9808
  calling zval_ptr_dtor for pt[0]_addr=b20d9db8 pt[0].handle=#-1307730616

[...]

Hope this helps.

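As an added example (not code from the bug report, the commenter or the PHP project), the reporter's reproducer reworked into a small harness that applies the two mitigations the comment above describes, so a practitioner can check whether a given build is affected and whether either workaround helps. The class name `TrackedObject`, the `$mode` switch and the argument handling are my own; the registration pattern (a static table keyed by a per-object guid, cleared in `__destruct()`) is the reporter's.

```php
<?php
// Added example harness, not part of the original bug report.
// Usage: php harness.php <object_count> [none|collect|nogc]
//   none    - same behaviour as the original script (crashes on affected builds)
//   collect - call gc_collect_cycles() in __destruct() right after unset(),
//             the workaround suggested in the comment above
//   nogc    - switch the cycle collector off entirely with gc_disable()

$count = isset($argv[1]) ? (int) $argv[1] : 10000;
$mode  = isset($argv[2]) ? $argv[2] : 'none';

if ($mode === 'nogc') {
    gc_disable();
}

class TrackedObject
{
    private static $world = array();
    private static $maxGuid = 0;
    public static $mode = 'none';
    protected $_guid = null;

    public function __construct()
    {
        // Register the instance in a static table; only __destruct() removes
        // it again, exactly as in the reporter's script. The discarded result
        // of "new TrackedObject()" is what makes each object a possible GC root.
        self::$world[$this->_guid = self::$maxGuid++] = $this;
    }

    public function __destruct()
    {
        unset(self::$world[$this->_guid]);
        if (self::$mode === 'collect') {
            // Force the collection run here, while the object is still in a
            // consistent state, instead of letting it fire later on its own.
            gc_collect_cycles();
        }
    }

    public static function liveCount()
    {
        return count(self::$world);
    }
}

TrackedObject::$mode = $mode;

for ($i = 0; $i < $count; ++$i) {
    new TrackedObject();
}

// On an affected build in "none" mode this line is typically never reached,
// or is followed by the crash during shutdown seen in the backtrace below.
printf("mode=%s objects=%d gc_enabled=%s live=%d\n",
    $mode, $count, gc_enabled() ? 'yes' : 'no', TrackedObject::liveCount());
echo "reached end of script\n";
```

Run it once per mode with a count above the default root-buffer size (for example `php harness.php 12000 none`, then `collect`, then `nogc`); the comment above reports that the default build needs roughly 10000 objects before the collector runs, so smaller counts will not exercise the bug.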

Previous Comments:
------------------------------------------------------------------------
[2012-03-16 15:56:14] eugen at kochuev dot com

We also face a similar issue in a symfony 1.4 project. The issue appears in 5.3 and 
5.4 versions and does not happen in 5.2. Disabling GC makes segfaults less 
frequent, but still does not solve the problem.

------------------------------------------------------------------------
[2012-01-08 10:26:09] arekm at maven dot pl

PHP 5.4.0 RC5 also dies

$ ~/test/php-test/bin/php --version
PHP 5.4.0RC5 (cli) (built: Jan  8 2012 11:23:44)
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2012 Zend Technologies


[arekm@ixion-pld php-5.4.0RC5]$ ~/test/php-test/bin/php ~/a.php
If you see this, try to increase OBJECT_COUNT to 100,000Segmentation fault

------------------------------------------------------------------------
[2012-01-06 14:09:16] daan at react dot com

Looks a lot like https://bugs.php.net/bug.php?id=39346 

Curiously, the segfault looks a lot like https://bugs.php.net/bug.php?id=60457 - 
but that might just be PHP's reaction to memory corruption.

------------------------------------------------------------------------
[2011-12-22 22:33:07] arekm at maven dot pl

Description:
------------
[arekm@ixion-pld php-5.4.0RC3]$ export LC_ALL=C
[arekm@ixion-pld php-5.4.0RC3]$ ./sapi/cli/php -n ~/a.php
If you see this, try to increase OBJECT_COUNT to 100,000Segmentation fault
[arekm@ixion-pld php-5.4.0RC3]$ ./sapi/cli/php -n --version
PHP 5.4.0RC3 (cli) (built: Dec 22 2011 23:19:37)
Copyright (c) 1997-2011 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2011 Zend Technologies

Test script:
---------------
<?php
define('OBJECT_COUNT', 130000);

class Object {
    private static $world = array();
    private static $maxGuid = 0;
    protected $_guid = null;
    public function __construct() {
         self::$world[$this->_guid = self::$maxGuid++] = $this;
    }
    public function __destruct() {
         unset(self::$world[$this->_guid]);
    }
}

for ($i = 0; $i < OBJECT_COUNT; ++$i) {
    new Object();
}

// You probably won't see this because of the "zend_mm_heap corrupted"
echo 'If you see this, try to increase OBJECT_COUNT to 100,000';
?>

Expected result:
----------------
cli not segfaulting

Actual result:
--------------
Starting program: /home/users/arekm/rpm/BUILD/php-5.4.0RC3/sapi/cli/.libs/php -n /home/users/arekm/a.php
[Thread debugging using libthread_db enabled]
If you see this, try to increase OBJECT_COUNT to 100,000
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7a462b9 in gc_zval_possible_root (zv=0x7ffff5677420) at /home/users/arekm/rpm/BUILD/php-5.4.0RC3/Zend/zend_gc.c:143
143                     GC_ZOBJ_CHECK_POSSIBLE_ROOT(zv);
(gdb) bt
#0  0x00007ffff7a462b9 in gc_zval_possible_root (zv=0x7ffff5677420) at /home/users/arekm/rpm/BUILD/php-5.4.0RC3/Zend/zend_gc.c:143
#1  0x00007ffff7a48ba2 in zend_object_std_dtor (object=0x7ffff56773d0) at /home/users/arekm/rpm/BUILD/php-5.4.0RC3/Zend/zend_objects.c:54
#2  0x00007ffff7a48bd9 in zend_objects_free_object_storage (object=0x7ffff56773d0) at /home/users/arekm/rpm/BUILD/php-5.4.0RC3/Zend/zend_objects.c:137
#3  0x00007ffff7a4e56f in zend_objects_store_free_object_storage (objects=0x7ffff7dda700)
    at /home/users/arekm/rpm/BUILD/php-5.4.0RC3/Zend/zend_objects_API.c:92
#4  0x00007ffff7a18c83 in shutdown_executor () at /home/users/arekm/rpm/BUILD/php-5.4.0RC3/Zend/zend_execute_API.c:297
#5  0x00007ffff7a27555 in zend_deactivate () at /home/users/arekm/rpm/BUILD/php-5.4.0RC3/Zend/zend.c:934
#6  0x00007ffff79c820f in php_request_shutdown (dummy=<optimized out>) at /home/users/arekm/rpm/BUILD/php-5.4.0RC3/main/main.c:1781
#7  0x0000000000405538 in do_cli (argc=3, argv=0x7fffffffea38) at /home/users/arekm/rpm/BUILD/php-5.4.0RC3/sapi/cli/php_cli.c:1169
#8  0x0000000000404d4c in main (argc=3, argv=0x7fffffffea38) at /home/users/arekm/rpm/BUILD/php-5.4.0RC3/sapi/cli/php_cli.c:1356
(gdb) frame 0
#0  0x00007ffff7a462b9 in gc_zval_possible_root (zv=0x7ffff5677420) at /home/users/arekm/rpm/BUILD/php-5.4.0RC3/Zend/zend_gc.c:143
143                     GC_ZOBJ_CHECK_POSSIBLE_ROOT(zv);
(gdb) print zv
$1 = (zval *) 0x7ffff5677420
(gdb) print *zv
$2 = {
  value = {
    lval = 140737303870936,
    dval = 6.9533466930949762e-310,
    str = {
      val = 0x7ffff500fdd8 "\270",
      len = -184485184
    },
    ht = 0x7ffff500fdd8,
    obj = {
      handle = 4110482904,
      handlers = 0x7ffff500fac0
    }
  },
  refcount__gc = 4294967295,
  type = 5 '\005',
  is_ref__gc = 0 '\000'
}
(gdb)



------------------------------------------------------------------------