https://bugzilla.wikimedia.org/show_bug.cgi?id=62623

--- Comment #18 from Tim Starling <tstarl...@wikimedia.org> ---
I discovered the checkpoint feature in gdb, and used it to set a watchpoint on
a consistent pointer location. It showed an XMPReader->xmlParser property being
freed during garbage collection, and then the same zval was decref'd later. The
reference count was in a memory location now used for an allocator header.

It appears to be a garbage collection bug: the garbage collector scans arrays
and object properties for live zval pointers, but it has no way to scan inside
resources. XMPReader stores a reference to itself inside an XML resource, by
passing $this to xml_set_element_handler() and
xml_set_character_data_handler(). $this has an xmlParser property pointing to
the resource, completing the circle. After the XMPReader goes out of scope in
its caller, only the resource reference would be keeping it alive -- but the
garbage collector doesn't know about that.

I did see a zend_mm_panic() even after disabling the XMPReader tests, but it's
possible that another test case hit the same GC bug. I haven't looked into it.

Setting zend.enable_gc=0 should be a suitable workaround -- it worked for me.

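The reference cycle described in the comment above, as an added PHP example that is not part of the original comment or of MediaWiki's code: the class name `CycleDemoReader`, its `close()` method and the sample XML are hypothetical, and it assumes the PHP 5-era resource-based XML extension. It shows the object/resource loop, the comment's workaround applied at runtime, and an explicit teardown that breaks the loop.

```php
<?php
// Hypothetical stand-in for the pattern the comment attributes to XMPReader.
class CycleDemoReader {
    private $xmlParser;            // object -> parser (first half of the cycle)
    private $elements = array();

    public function __construct() {
        $this->xmlParser = xml_parser_create('UTF-8');
        // parser -> object (second half): callbacks capturing $this are stored
        // inside the parser, where the cycle collector cannot scan.
        xml_set_element_handler($this->xmlParser,
            array($this, 'startElement'), array($this, 'endElement'));
        xml_set_character_data_handler($this->xmlParser, array($this, 'charData'));
    }

    public function startElement($parser, $name, $attrs) { $this->elements[] = $name; }
    public function endElement($parser, $name) {}
    public function charData($parser, $data) {}

    public function parse($xml) {
        if (!xml_parse($this->xmlParser, $xml, true)) {
            $code = xml_get_error_code($this->xmlParser);
            throw new RuntimeException(xml_error_string($code));
        }
        return $this->elements;
    }

    // Explicit teardown (an assumption of this example, not from the comment):
    // free the parser and drop the property so the loop no longer exists and
    // plain reference counting can release both sides.
    public function close() {
        if ($this->xmlParser !== null) {
            xml_parser_free($this->xmlParser);
            $this->xmlParser = null;
        }
    }
}

// The comment's workaround, applied at runtime: gc_disable() sets zend.enable_gc to 0.
gc_disable();

// Constructed sample input.
$sample = '<x:xmpmeta xmlns:x="adobe:ns:meta/"><x:item>constructed</x:item></x:xmpmeta>';
$reader = new CycleDemoReader();
try {
    echo implode(', ', $reader->parse($sample)), "\n";
} finally {
    $reader->close();   // break the cycle before $reader goes out of scope
}
```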