Edit report at https://bugs.php.net/bug.php?id=64722&edit=1
ID: 64722
Comment by: tj dot botha at plista dot com
Reported by: tj dot botha at plista dot com
Summary: PDO extension causes zend_mm_heap corrupted
Status: Feedback
Type: Bug
Package: PDO related
Operating System: Ubuntu Server 12.10
PHP Version: master-Git-2013-04-26 (Git)
Block user comment: N
Private report: N
New Comment:
Also - some additional info which may help:
(gdb) frame 3
#3 0x00007fffeb3e0056 in pdo_dbh_free_storage (dbh=0x7fffd00f56c0,
tsrm_ls=0x7fffd0017170) at /home/tj/php-5.4.14/ext/pdo/pdo_dbh.c:1577
1577 zend_object_std_dtor(&dbh->std TSRMLS_CC);
(gdb) print dbh->std
$1 = {ce = 0x7fffd6d3afc0, properties = 0x0, properties_table = 0x7fffd6d39378,
guards = 0x0}
(gdb)
and
for source_code/Zend/zend_objects.c:37 to 59:
ZEND_API void zend_object_std_dtor(zend_object *object TSRMLS_DC)
{
    if (object->guards) {
        zend_hash_destroy(object->guards);
        FREE_HASHTABLE(object->guards);
    }
    if (object->properties) {
        zend_hash_destroy(object->properties);
        FREE_HASHTABLE(object->properties);
        if (object->properties_table) {
            efree(object->properties_table);
        }
    } else if (object->properties_table) {
        int i;
        for (i = 0; i < object->ce->default_properties_count; i++) {
            if (object->properties_table[i]) {
                zval_ptr_dtor(&object->properties_table[i]);
            }
        }
        efree(object->properties_table);
    }
}
(gdb) print object->properties_table[0]
$2 = (zval *) 0x5a5a5a5a5a5a5a5a
(gdb) print &object->properties_table[0]
$3 = (zval **) 0x7fffd6d39378
(gdb) print object->ce->default_properties_count
$4 = 2
(gdb) print i
$5 = 0
(gdb)
Not sure if this loop is thread safe:
    for (i = 0; i < object->ce->default_properties_count; i++) {
        if (object->properties_table[i]) {
            zval_ptr_dtor(&object->properties_table[i]);
        }
    }
Thanks for your help!
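As an added illustration (not code from this report or from PHP), here is a stand-alone C model of the destructor loop quoted above: a table with two property slots (the default_properties_count gdb showed) is released with a 0x5a poison fill, and a guard treats an all-0x5a pointer as a slot read from already-released memory rather than dereferencing it. The struct layouts, the poisoning release and the 0x5a fill are assumptions modelled on the gdb output, not PHP's headers or allocator.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the Zend structures in the report (assumption,
 * not the real headers). POISON_BYTE is also an assumption: debug allocators
 * commonly overwrite released blocks with a fixed byte, and 0x5a matches the
 * 0x5a5a5a5a5a5a5a5a value gdb printed for properties_table[0]. */
#define POISON_BYTE 0x5a

typedef struct { int refcount; } zval;
typedef struct { int default_properties_count; } zend_class_entry;
typedef struct { zend_class_entry *ce; zval **properties_table; } zend_object;

/* Poisoning release: overwrite the block but keep it mapped, so a second
 * pass can read it back here instead of faulting as the real process did. */
static void poison_release(void *block, size_t size) { memset(block, POISON_BYTE, size); }

/* True when every byte of the pointer value is the poison byte, i.e. the
 * slot contents came from memory that had already been released. */
static int is_poisoned_ptr(const void *p) {
    uintptr_t v = (uintptr_t)p, mask = 0;
    for (size_t i = 0; i < sizeof v; i++) mask = (mask << 8) | POISON_BYTE;
    return v == mask;
}

/* The zend_object_std_dtor loop with one added guard: a poisoned slot is
 * counted and skipped instead of having its refcount decremented. Returns
 * the number of poisoned slots seen, so a repeated call on the same object
 * reports how many stale entries it would otherwise have followed. */
static int object_std_dtor_checked(zend_object *object) {
    int i, poisoned = 0;
    for (i = 0; i < object->ce->default_properties_count; i++) {
        zval *pz = object->properties_table[i];
        if (is_poisoned_ptr(pz)) { poisoned++; continue; }  /* stale slot, do not deref */
        if (pz) { pz->refcount--; object->properties_table[i] = NULL; }
    }
    poison_release(object->properties_table, sizeof(zval *) * object->ce->default_properties_count);
    return poisoned;
}

/* Driver: one object with two properties, destroyed twice. The first pass
 * is clean; the second runs over the poisoned table the object still points
 * at. Returns the second pass's poisoned-slot count (expected 2). */
int run_double_dtor_demo(int *first_pass_poisoned) {
    static zend_class_entry ce = { 2 };
    zval props[2] = { {1}, {1} };
    zval **table = calloc(2, sizeof *table);
    zend_object obj = { &ce, table };
    int second;
    table[0] = &props[0]; table[1] = &props[1];
    *first_pass_poisoned = object_std_dtor_checked(&obj);
    second = object_std_dtor_checked(&obj);  /* obj->properties_table is now all 0x5a */
    free(table);
    return second;
}
```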
Previous Comments:
------------------------------------------------------------------------
[2013-04-30 15:01:07] tj dot botha at plista dot com
That is an old backtrace - here is the newest:
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffd8fe9700 (LWP 31920)]
0x00007fffeb6a5722 in zval_delref_p (pz=0x5a5a5a5a5a5a5a5a) at /home/tj/php-5.4.14/Zend/zend.h:395
395 return --pz->refcount__gc;
(gdb) backtrace
#0 0x00007fffeb6a5722 in zval_delref_p (pz=0x5a5a5a5a5a5a5a5a) at /home/tj/php-5.4.14/Zend/zend.h:395
#1 0x00007fffeb6a7d06 in _zval_ptr_dtor (zval_ptr=0x7fffd6d39378, __zend_filename=0x7fffebb88468 "/home/tj/php-5.4.14/Zend/zend_objects.c", __zend_lineno=54) at /home/tj/php-5.4.14/Zend/zend_execute_API.c:432
#2 0x00007fffeb6f258a in zend_object_std_dtor (object=0x7fffd00f56c0, tsrm_ls=0x7fffd0017170) at /home/tj/php-5.4.14/Zend/zend_objects.c:54
#3 0x00007fffeb3e0056 in pdo_dbh_free_storage (dbh=0x7fffd00f56c0, tsrm_ls=0x7fffd0017170) at /home/tj/php-5.4.14/ext/pdo/pdo_dbh.c:1577
#4 0x00007fffeb6fac18 in zend_objects_store_del_ref_by_handle_ex (handle=122, handlers=0x7fffebeb8a20 <pdo_dbh_object_handlers>, tsrm_ls=0x7fffd0017170) at /home/tj/php-5.4.14/Zend/zend_objects_API.c:221
#5 0x00007fffeb6fa759 in zend_objects_store_del_ref (zobject=0x7fffd6d240e0, tsrm_ls=0x7fffd0017170) at /home/tj/php-5.4.14/Zend/zend_objects_API.c:173
#6 0x00007fffeb6baacd in _zval_dtor_func (zvalue=0x7fffd6d240e0, __zend_filename=0x7fffebb83be8 "/home/tj/php-5.4.14/Zend/zend_execute_API.c", __zend_lineno=438) at /home/tj/php-5.4.14/Zend/zend_variables.c:54
#7 0x00007fffeb6a58c1 in _zval_dtor (zvalue=0x7fffd6d240e0, __zend_filename=0x7fffebb83be8 "/home/tj/php-5.4.14/Zend/zend_execute_API.c", __zend_lineno=438) at /home/tj/php-5.4.14/Zend/zend_variables.h:35
#8 0x00007fffeb6a7da9 in _zval_ptr_dtor (zval_ptr=0x7fffd6bee268, __zend_filename=0x7fffebb84cb0 "/home/tj/php-5.4.14/Zend/zend_variables.c", __zend_lineno=182) at /home/tj/php-5.4.14/Zend/zend_execute_API.c:438
#9 0x00007fffeb6baef5 in _zval_ptr_dtor_wrapper (zval_ptr=0x7fffd6bee268) at /home/tj/php-5.4.14/Zend/zend_variables.c:182
#10 0x00007fffeb6d3281 in zend_hash_destroy (ht=0x7fffd6d39768) at /home/tj/php-5.4.14/Zend/zend_hash.c:560
#11 0x00007fffeb6baa76 in _zval_dtor_func (zvalue=0x7fffd7d18be8, __zend_filename=0x7fffebb83be8 "/home/tj/php-5.4.14/Zend/zend_execute_API.c", __zend_lineno=438) at /home/tj/php-5.4.14/Zend/zend_variables.c:45
#12 0x00007fffeb6a58c1 in _zval_dtor (zvalue=0x7fffd7d18be8, __zend_filename=0x7fffebb83be8 "/home/tj/php-5.4.14/Zend/zend_execute_API.c", __zend_lineno=438) at /home/tj/php-5.4.14/Zend/zend_variables.h:35
#13 0x00007fffeb6a7da9 in _zval_ptr_dtor (zval_ptr=0x7fffd7d18d98, __zend_filename=0x7fffebb84228 "/home/tj/php-5.4.14/Zend/zend_opcode.c", __zend_lineno=165) at /home/tj/php-5.4.14/Zend/zend_execute_API.c:438
#14 0x00007fffeb6aef6a in cleanup_user_class_data (ce=0x7fffd7d185d0, tsrm_ls=0x7fffd0017170) at /home/tj/php-5.4.14/Zend/zend_opcode.c:165
#15 0x00007fffeb6af1c8 in zend_cleanup_user_class_data (pce=0x7fffd00d6ad8, tsrm_ls=0x7fffd0017170) at /home/tj/php-5.4.14/Zend/zend_opcode.c:198
#16 0x00007fffeb6d3ce3 in zend_hash_reverse_apply (ht=0x7fffd001a770, apply_func=0x7fffeb6af194 <zend_cleanup_user_class_data>, tsrm_ls=0x7fffd0017170) at /home/tj/php-5.4.14/Zend/zend_hash.c:799
#17 0x00007fffeb6a71e8 in shutdown_executor (tsrm_ls=0x7fffd0017170) at /home/tj/php-5.4.14/Zend/zend_execute_API.c:289
#18 0x00007fffeb6be217 in zend_deactivate (tsrm_ls=0x7fffd0017170) at /home/tj/php-5.4.14/Zend/zend.c:938
#19 0x00007fffeb601c90 in php_request_shutdown (dummy=0x0) at /home/tj/php-5.4.14/main/main.c:1800
#20 0x00007fffeb777c6d in php_apache_request_dtor (r=0x7fffd000f068, tsrm_ls=0x7fffd0017170) at /home/tj/php-5.4.14/sapi/apache2handler/sapi_apache2.c:507
#21 0x00007fffeb7787cf in php_handler (r=0x7fffd000f068) at /home/tj/php-5.4.14/sapi/apache2handler/sapi_apache2.c:679
#22 0x0000000000447e40 in ap_run_handler (r=0x7fffd000f068) at config.c:169
#23 0x000000000044827b in ap_invoke_handler (r=r@entry=0x7fffd000f068) at config.c:432
#24 0x000000000045b1bc in ap_internal_redirect (new_uri=<optimised out>, r=<optimised out>) at http_request.c:644
#25 0x00007fffebed6658 in handler_redirect (r=0x7fffd0002970) at mod_rewrite.c:5051
#26 0x0000000000447e40 in ap_run_handler (r=0x7fffd0002970) at config.c:169
#27 0x000000000044827b in ap_invoke_handler (r=r@entry=0x7fffd0002970) at config.c:432
#28 0x000000000045bc5a in ap_process_async_request (r=0x7fffd0002970) at http_request.c:317
#29 0x0000000000458b27 in ap_process_http_async_connection (c=0x7fffe4037410) at http_core.c:143
#30 ap_process_http_connection (c=0x7fffe4037410) at http_core.c:228
#31 0x0000000000450ff0 in ap_run_process_connection (c=0x7fffe4037410) at connection.c:41
#32 0x000000000046284a in process_socket (my_thread_num=24, my_child_num=0, cs=0x7fffe4037398, sock=0x7fffe4037190, p=0x7fffe4037118, thd=0x6bf770) at event.c:964
#33 worker_thread (thd=0x6bf770, dummy=<optimised out>) at event.c:1812
#34 0x00007ffff7531e9a in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
#35 0x00007ffff725ecbd in clone () from /lib/x86_64-linux-gnu/libc.so.6
#36 0x0000000000000000 in ?? ()
The project relies heavily on PDO and runs okay on PHP 5.3.24.
------------------------------------------------------------------------
[2013-04-30 14:50:35] [email protected]
I can't reproduce this on my machine.
Apparently your PHP is not compiled in threaded mode (no tsrm_ls parameters in
the stacktrace) so I assume you're not in threaded mode, so no race conditions.
Can you share more details on your setup and code?
------------------------------------------------------------------------
[2013-04-30 14:44:16] tj dot botha at plista dot com
I just want to emphasize that commenting out the code is not a solution, since it
causes errors later down the line. Also, when stepping / breaking at the problem
area through the code, the project starts loading in bits and pieces and no
segfaults occur. Only when left to run without breakpoints does it crash;
therefore this really does seem like a concurrency problem.
------------------------------------------------------------------------
[2013-04-30 12:45:41] tj dot botha at plista dot com
This appears to be a race condition, so I am unable to reproduce. I am however
able to make the problem go away by modifying pdo_dbh.c to the following:
static void pdo_dbh_free_storage(pdo_dbh_t *dbh TSRMLS_DC)
{
    if (dbh->in_txn && dbh->methods && dbh->methods->rollback) {
        dbh->methods->rollback(dbh TSRMLS_CC);
        dbh->in_txn = 0;
    }
    if (dbh->is_persistent && dbh->methods && dbh->methods->persistent_shutdown) {
        dbh->methods->persistent_shutdown(dbh TSRMLS_CC);
    }
    //uncomment below to cause zend_mm_heap corrupted
    //zend_object_std_dtor(&dbh->std TSRMLS_CC);
    //dbh->std.properties = NULL;
    dbh_free(dbh TSRMLS_CC);
}
If I recompile this into PHP it works; however, now there is most likely a
memory leak. I checked, and this code is also new since PHP 5.3, so it is
definitely causing the fault.
Don't know what the real solution is though.
TJ
------------------------------------------------------------------------
[2013-04-26 17:53:01] [email protected]
Do you have a reproducible testcase?
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
https://bugs.php.net/bug.php?id=64722