ID:               31624
 User updated by:  ericvanblokland at gmail dot com
 Reported By:      ericvanblokland at gmail dot com
-Status:           Feedback
+Status:           Open
 Bug Type:         Session related
 Operating System: Fedora Core 2
 PHP Version:      4.3.10
 New Comment:

Reproduced with latest CVS

I've been trying to create a stripped test environment for the session
that causes the segmentation fault.

I've copied the session from my project after the segfault and made a
stripped script with the same functionality that decodes the saved
session.

However, when decoding the session nothing goes wrong, when reloading
the script, with the decoded session implemented, it segfaulted again.

After this, I started experimenting some more. I put a return; on top
of the __wakeup of one of my objects. The segfaults disappeared. All my
wakeup functions check for external input meant for them. This object,
however, also synchronises itself, and some child objects, with the
database.

When running in my project environment, the segfault is caused, or "the
cause is caused", by a foreach on an array ($this->propertypages)
containing objects.
However, when running in the stripped environment, the segfault is
caused (or again the cause of the cause) by a child-related object
which unserializes another object from the database data.

Furthermore, this particular object, whose __wakeup seems to
malfunction, is placed directly in the session
($_SESSION['fs_structure_properties_object']).

Finally, I thought it had something to do with having a reference from
$_SESSION['fs_structure_properties_object'] to
$_SESSION['fs_structure_properties'] but the segfaults continued when I
used copies instead of references.

Combining all this information, I believe it might have something to do
with the $this reference during __wakeup(), particularly when $this
refers to an object that exists in a session. Still, I suggest looking
for a possible memory leak/infinite loop.

Last but not least, I've got a backtrace of the stripped version of my
script. Note again that this script seems to segfault during the
unserialization of another object during wakeup.

_zval_ptr_dtor (zval_ptr=0x0) at
/usr/src/redhat/BUILD/php-4.3.10/Zend/zend_execute_API.c:287
287             (*zval_ptr)->refcount--;
(gdb) bt
#0  _zval_ptr_dtor (zval_ptr=0x0) at
/usr/src/redhat/BUILD/php-4.3.10/Zend/zend_execute_API.c:287
#1  0x027657a8 in zend_hash_destroy (ht=0x91d5754) at
/usr/src/redhat/BUILD/php-4.3.10/Zend/zend_hash.c:556
#2  0x0275f454 in _zval_dtor (zvalue=0x919d32c) at
/usr/src/redhat/BUILD/php-4.3.10/Zend/zend_variables.c:60
#3  0x02774796 in zend_assign_to_variable (result=0x90837dc,
op1=0x90837ec, op2=0x90837fc, value=0x9201444, type=4,
    Ts=0xfeefe73c) at
/usr/src/redhat/BUILD/php-4.3.10/Zend/zend_execute.c:480
#4  0x0276f6b8 in execute (op_array=0x90737a4) at
/usr/src/redhat/BUILD/php-4.3.10/Zend/zend_execute.c:1384
#5  0x02770d15 in execute (op_array=0x9025ebc) at
/usr/src/redhat/BUILD/php-4.3.10/Zend/zend_execute.c:1686
#6  0x02770d15 in execute (op_array=0x91d4cf4) at
/usr/src/redhat/BUILD/php-4.3.10/Zend/zend_execute.c:1686
#7  0x027723fa in execute (op_array=0x8f2b398) at
/usr/src/redhat/BUILD/php-4.3.10/Zend/zend_execute.c:2212
#8  0x02770d15 in execute (op_array=0x904b834) at
/usr/src/redhat/BUILD/php-4.3.10/Zend/zend_execute.c:1686
#9  0x02770d15 in execute (op_array=0x904dfe4) at
/usr/src/redhat/BUILD/php-4.3.10/Zend/zend_execute.c:1686
#10 0x02770d15 in execute (op_array=0x90640e4) at
/usr/src/redhat/BUILD/php-4.3.10/Zend/zend_execute.c:1686
#11 0x02770d15 in execute (op_array=0x8ebc044) at
/usr/src/redhat/BUILD/php-4.3.10/Zend/zend_execute.c:1686
#12 0x02760d51 in zend_execute_scripts (type=8, retval=0x0,
file_count=3)
    at /usr/src/redhat/BUILD/php-4.3.10/Zend/zend.c:900
#13 0x027330af in php_execute_script (primary_file=0xfef0ef10) at
/usr/src/redhat/BUILD/php-4.3.10/main/main.c:1736
#14 0x0277607f in php_handler (r=0x8fca138) at
/usr/src/redhat/BUILD/php-4.3.10/sapi/apache2handler/sapi_apache2.c:557
#15 0x00760c88 in ap_run_handler () from /usr/sbin/httpd
#16 0x08ca99f8 in ?? ()
#17 0x00000000 in ?? ()


Previous Comments:
------------------------------------------------------------------------

[2005-01-20 20:37:22] [EMAIL PROTECTED]

Please try using this CVS snapshot:

  http://snaps.php.net/php4-STABLE-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php4-win32-STABLE-latest.zip

------------------------------------------------------------------------

[2005-01-20 17:00:33] ericvanblokland at gmail dot com

Description:
------------
PHP seems to crash on complex objects at exit or on session_start();

I suspect the php internal session_encode, session_decode, serialize
and unserialize functions.

I've not been able to reproduce this as it only seems to occur with
*VERY* complex objects like my code generates.

Some strange facts I've found out about while trying to pinpoint the
exact cause:
- In some occasions, escaping a foreach on $this->property in an
objects __wakeup(); made the problem disappear.
- When manually decoding a session file, (about 3M) I also got a
segmentation fault. After increasing the available memory to over 64M
the session got correctly decoded. With this *SICK* amount of memory,
the actual script kept segfaulting, however, it took longer to segfault
so expect a memory leak or infinite loop.
- This problem occurs on a Fedora Core 2, Apache 2.0, PHP 4.3.10
machine, while on RedHat 7.3, Apache 1.3.29, PHP 4.3.6 everything works
fine. So suspect the bugfix (4.3.9->4.3.10) on session handling for
spooky behaviour.

I will try to keep you all up to date.
Thank you,
Eric van Blokland

Reproduce code:
---------------
Contact me for access to code. The code is very large and complex; I
haven't been able to pinpoint the exact cause of this problem.

Actual result:
--------------
Suspect internal session_encode to puke, all output correct though

#0  0x005086ae in malloc_consolidate () from /lib/tls/libc.so.6
#1  0x0050854d in _int_free () from /lib/tls/libc.so.6
#2  0x0050972b in free () from /lib/tls/libc.so.6
#3  0x01eea6af in shutdown_memory_manager (silent=0, clean_cache=0) at
/usr/src/redhat/BUILD/php-4.3.10/Zend/zend_alloc.c:492
#4  0x01eca73a in php_request_shutdown (dummy=0x0) at
/usr/src/redhat/BUILD/php-4.3.10/main/main.c:1003
#5  0x01f0ec10 in php_apache_request_dtor (r=0x945d6c0)
    at
/usr/src/redhat/BUILD/php-4.3.10/sapi/apache2handler/sapi_apache2.c:453
#6  0x01f0eeda in php_handler (r=0x945d6c0) at
/usr/src/redhat/BUILD/php-4.3.10/sapi/apache2handler/sapi_apache2.c:577
#7  0x0094ec88 in ap_run_handler () from /usr/sbin/httpd
#8  0x0925f9f8 in ?? ()
#9  0x00000000 in ?? ()

Might be 31106 related
http://bugs.php.net/bug.php?id=31106



Error occurs with session_start(); suspect session_decode to puke. No
output generated

#0  _zval_ptr_dtor (zval_ptr=0x6) at
/usr/src/redhat/BUILD/php-4.3.10/Zend/zend_execute_API.c:287
#1  0x0177d898 in zend_hash_clean (ht=0x8832aac) at
/usr/src/redhat/BUILD/php-4.3.10/Zend/zend_hash.c:582
#2  0x01788dcb in execute (op_array=0x862b22c) at
/usr/src/redhat/BUILD/php-4.3.10/Zend/zend_execute.c:1702
#3  0x01788d15 in execute (op_array=0x8703514) at
/usr/src/redhat/BUILD/php-4.3.10/Zend/zend_execute.c:1686
#4  0x0178a3fa in execute (op_array=0x8881b4c) at
/usr/src/redhat/BUILD/php-4.3.10/Zend/zend_execute.c:2212
#5  0x01778d51 in zend_execute_scripts (type=8, retval=0x0,
file_count=3) at /usr/src/redhat/BUILD/php-4.3.10/Zend/zend.c:900
#6  0x0174b0af in php_execute_script (primary_file=0xfee57db0) at
/usr/src/redhat/BUILD/php-4.3.10/main/main.c:1736
#7  0x0178e07f in php_handler (r=0x869e170) at
/usr/src/redhat/BUILD/php-4.3.10/sapi/apache2handler/sapi_apache2.c:557
#8  0x00e18c88 in ap_run_handler () from /usr/sbin/httpd
#9  0x0832d9f8 in ?? ()
#10 0x00000000 in ?? ()


Might be 31313 related; the crash can be avoided by disabling the foreach on
$this->property

http://bugs.php.net/bug.php?id=31313


------------------------------------------------------------------------

