Edit report at https://bugs.php.net/bug.php?id=60598&edit=1

 ID:                 60598
 Patch added by:     larue...@php.net
 Reported by:        arekm at maven dot pl
 Summary:            cli/apache sapi segfault on objects manipulation
 Status:             Feedback
 Type:               Bug
 Package:            Reproducible crash
 Operating System:   Linux
 PHP Version:        5.4.0RC3
 Block user comment: N
 Private report:     N

 New Comment:

The following patch has been added/updated:

Patch Name: bug60598
Revision:   1377774584
URL:        https://bugs.php.net/patch-display.php?bug=60598&patch=bug60598&revision=1377774584

Previous Comments:
------------------------------------------------------------------------
[2013-08-28 13:25:45] manuel-php at mausz dot at

Still the same with 5.4.19

# php -n test.php
If you see this, try to increase OBJECT_COUNT to 100,000Segmentation fault

------------------------------------------------------------------------
[2013-08-28 13:05:43] ras...@php.net

Please try again with 5.4.19. There were some fixes related to this applied in 5.4.18.

------------------------------------------------------------------------
[2013-06-05 11:51:34] arjen at react dot com

Problem still present in php-5.4.15 verified from php.net src.

See https://gist.github.com/anonymous/5713352 for bt.

------------------------------------------------------------------------
[2012-11-25 15:07:30] manuel-php at mausz dot at

Same on git master:

[object_properties_init] name=Object addr=2e3b42b0 pt_addr=2e3b6270
  pt[0]_addr=2e3b4dc8
  pt[0].handle=#0
[zend_std_write_property] name=_guid (=pt[0])
  old_addr=2e3b4dc8
  new_addr=2e3b42f8
  new.handle=#0
[object_properties_init] name=Object addr=2e3b6688 pt_addr=2e3b6a60
  pt[0]_addr=2e3b4dc8
  pt[0].handle=#0
[zend_std_write_property] name=_guid (=pt[0])
  old_addr=2e3b4dc8
  new_addr=2e3b66d0
  new.handle=#1
[zval_collect_white] adding zval to zval_to_free-list
  zval: addr=2e3b42f8 refcnt=2 handle=#0
[gc_collect_cycles] freeing zval
  zval: addr=2e3b42f8 refcnt=2 handle=#0
  ^^ - 1st zval free
[zend_object_std_dtor] object=Object addr=2e3b42b0 pt_addr=2e3b6270
  calling zval_ptr_dtor for pt[0]_addr=2e3b42f8
  pt[0].refcnt=1515870810
  ^^ - 2nd zval free
  pt[0].handle=#1515870810
[zend_object_std_dtor] object=Object addr=2e3b6688 pt_addr=2e3b6a60
  calling zval_ptr_dtor for pt[0]_addr=2e3b66d0
  pt[0].refcnt=1
  pt[0].handle=#1

Patch for my debug output: https://gist.github.com/095e8dc10c3e18afb3e6

I recommend enabling ZEND_MM_HEAP_PROTECTION. This is why refcnt+handle is 0x5a5a5a5a on 2nd free.

------------------------------------------------------------------------
[2012-11-25 08:57:04] arekm at maven dot pl

Tested http://snaps.php.net/php5.4-latest.tar.gz and still happens.

[arekm@ixion-pld ~/test/php5.4-201211250630]$ export LC_ALL=C
[arekm@ixion-pld ~/test/php5.4-201211250630]$ ./sapi/cli/php -n ./a.php
If you see this, try to increase OBJECT_COUNT to 100,000
zsh: segmentation fault  ./sapi/cli/php -n ./a.php
[arekm@ixion-pld ~/test/php5.4-201211250630]$ ./sapi/cli/php -n --version
PHP 5.5.0-dev (cli) (built: Nov 25 2012 09:37:34)
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2012 Zend Technologies
[arekm@ixion-pld ~/test/php5.4-201211250630]$ gdb --args ./sapi/cli/php -n ./a.php
GNU gdb (GDB) 7.4.50-0.20120120.2 (PLD Linux)
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-pld-linux".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/users/arekm/test/php5.4-201211250630/sapi/cli/php...done.
(gdb) r
Starting program: /home/users/arekm/test/php5.4-201211250630/sapi/cli/php -n ./a.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
If you see this, try to increase OBJECT_COUNT to 100,000

Program received signal SIGSEGV, Segmentation fault.
0x00000000006810d2 in gc_zval_possible_root (zv=0x7ffff7fabe78) at /home/users/arekm/test/php5.4-201211250630/Zend/zend_gc.c:143
143             GC_ZOBJ_CHECK_POSSIBLE_ROOT(zv);
(gdb) bt
#0  0x00000000006810d2 in gc_zval_possible_root (zv=0x7ffff7fabe78) at /home/users/arekm/test/php5.4-201211250630/Zend/zend_gc.c:143
#1  0x0000000000682ce7 in zend_object_std_dtor (object=0x7ffff7fabe48) at /home/users/arekm/test/php5.4-201211250630/Zend/zend_objects.c:54
#2  0x0000000000682d19 in zend_objects_free_object_storage (object=0x7ffff7fabe48) at /home/users/arekm/test/php5.4-201211250630/Zend/zend_objects.c:137
#3  0x0000000000688398 in zend_objects_store_free_object_storage (objects=0xd0b260) at /home/users/arekm/test/php5.4-201211250630/Zend/zend_objects_API.c:92
#4  0x0000000000655003 in shutdown_executor () at /home/users/arekm/test/php5.4-201211250630/Zend/zend_execute_API.c:297
#5  0x00000000006632a6 in zend_deactivate () at /home/users/arekm/test/php5.4-201211250630/Zend/zend.c:941
#6  0x00000000006050bd in php_request_shutdown (dummy=dummy@entry=0x0) at /home/users/arekm/test/php5.4-201211250630/main/main.c:1781
#7  0x00000000007072c4 in do_cli (argc=3, argv=0x7fffffffe968) at /home/users/arekm/test/php5.4-201211250630/sapi/cli/php_cli.c:1174
#8  0x0000000000422925 in main (argc=3, argv=0x7fffffffe968) at /home/users/arekm/test/php5.4-201211250630/sapi/cli/php_cli.c:1364
(gdb) l
138              * currently running GC */
139             return;
140     }
141
142     if (zv->type == IS_OBJECT) {
143             GC_ZOBJ_CHECK_POSSIBLE_ROOT(zv);
144             return;
145     }
146
147     GC_BENCH_INC(zval_possible_root);
(gdb)

built with:
./configure --prefix=$HOME/test/php5.4 --disable-dom --disable-simplexml

on a Linux x86_64

[arekm@ixion-pld ~/test/php5.4-201211250630]$ gcc -v
Reading specs from /usr/lib64/gcc/x86_64-pld-linux/4.7.2/specs
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib64/gcc/x86_64-pld-linux/4.7.2/lto-wrapper
Target: x86_64-pld-linux
Configured with: ../configure --prefix=/usr --with-local-prefix=/usr/local --libdir=/usr/lib64 --libexecdir=/usr/lib64 --infodir=/usr/share/info --mandir=/usr/share/man --x-libraries=/usr/lib64 --enable-bootstrap --disable-build-with-cxx --disable-build-poststage1-with-cxx --enable-c99 --enable-checking=release --disable-cld --enable-cloog-backend=isl --enable-cmath --enable-decimal-float --enable-gnu-unique-object --enable-initfini-array --enable-languages=c,c++,fortran,objc,obj-c++,ada,java,go --enable-libgomp --enable-libitm --enable-libmudflap --enable-linker-build-id --enable-linux-futex --enable-long-long --enable-nls --enable-lto --enable-plugin --enable-shared --enable-threads=posix --disable-werror --with-cloog --with-demangler-in-ld --with-gnu-as --with-gnu-ld --with-linker-hash-style=gnu --with-long-double-128 --with-ppl --with-slibdir=/lib64 --without-system-libunwind --with-system-zlib --enable-__cxa_atexit --enable-libstdcxx-allocator=new --disable-libstdcxx-pch --enable-libstdcxx-threads --enable-libstdcxx-time=rt --enable-libstdcxx-visibility --enable-symvers=gnu --with-gxx-include-dir=/usr/include/c++/4.7.2 --disable-gconf-peer --enable-gtk-cairo --enable-java-awt=xlib,gtk --enable-jni --enable-libgcj --enable-libgcj-multifile --enable-libgcj-database --disable-libjava-multilib --enable-static-libjava --enable-xmlj --with-pkgversion=PLD-Linux --with-bugurl=http://bugs.pld-linux.org x86_64-pld-linux
Thread model: posix
gcc version 4.7.2 20121104 (release) (PLD-Linux)

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at

    https://bugs.php.net/bug.php?id=60598

--
Edit this bug report at https://bugs.php.net/bug.php?id=60598&edit=1
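
The 2012-11-25 debug trace in this report shows one value freed twice, with the second destructor reading refcnt=1515870810 (0x5A5A5A5A), the pattern that comment attributes to ZEND_MM_HEAP_PROTECTION. The following C program is an added example, not Zend Engine code and not from the report; it is a toy model in which toy_val, toy_alloc, toy_free, toy_ptr_dtor and replay_trace are hypothetical names, and it shows how poisoning on free turns a second free into a sentinel that a destructor can recognise:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POISON_BYTE 0x5A         /* fill byte written over freed slots */
#define POISON_WORD 0x5A5A5A5Au  /* 1515870810 decimal, as in the trace */
#define POOL_SIZE 4

/* Toy refcounted value (hypothetical; not the real zval layout). */
typedef struct { uint32_t handle; uint32_t refcnt; } toy_val;
typedef enum { DTOR_KEPT, DTOR_FREED, DTOR_STALE } dtor_result;
static toy_val pool[POOL_SIZE];  /* static pool: freed slots stay readable */
static int in_use[POOL_SIZE];

toy_val *toy_alloc(uint32_t handle, uint32_t refcnt) {
    for (int i = 0; i < POOL_SIZE; i++) {
        if (in_use[i]) continue;
        in_use[i] = 1;
        pool[i] = (toy_val){ handle, refcnt };
        return &pool[i];
    }
    return NULL;
}

/* Release a slot and overwrite it with the poison pattern. */
void toy_free(toy_val *v) {
    memset(v, POISON_BYTE, sizeof *v);
    in_use[v - pool] = 0;
}

/* Drop one reference; report a stale pointer instead of freeing it again. */
dtor_result toy_ptr_dtor(toy_val *v) {
    if (!in_use[v - pool] || v->refcnt == POISON_WORD) return DTOR_STALE;
    if (--v->refcnt == 0) { toy_free(v); return DTOR_FREED; }
    return DTOR_KEPT;
}

/* Replay the trace: a collector frees a refcnt=2 value, then its owner's dtor runs. */
dtor_result replay_trace(uint32_t *seen_refcnt) {
    toy_val *v = toy_alloc(0, 2);
    toy_free(v);               /* 1st free (collector) */
    *seen_refcnt = v->refcnt;  /* what the 2nd free reads */
    return toy_ptr_dtor(v);    /* 2nd free attempt (object destructor) */
}

int main(void) {
    uint32_t seen;
    int stale = replay_trace(&seen) == DTOR_STALE;
    printf("second free saw refcnt=%u, stale=%d\n", (unsigned)seen, stale);
    return 0;
}
```
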