Newsgroups: php.internals
Message-ID: <4433D880.7050000@lerdorf.com>
Date: Wed, 05 Apr 2006 07:47:28 -0700
To: internals@lists.php.net
Subject: Recurring core dump on y2
From: rasmus@lerdorf.com (Rasmus Lerdorf)

I am out of ideas on this one. I started chasing a problem yesterday where we were crashing repeatedly on y2. I removed APC and a couple of other things to rule those out. The crash is consistently in exactly the same place. It is always on a request to:

http://www.php.net/manual/en/ref.mysql.php

in the highlight_string() call from layout.inc:

function highlight_php($code, $return = FALSE)
{
    // Using OB, as highlight_string() only supports
    // returning the result from 4.2.0
    ob_start();
    highlight_string($code);
    $highlighted = ob_get_contents();
    ob_end_clean();

and it is always on the second note on that page.

I yanked the raw note data out of the backend files and tried to reproduce it with:

http://www.php.net/~rasmus/note.php
note.phps for source

But no luck. Somehow CG(op_array) is getting set to crap coming into that call, but only sometimes. Yet if it is random memory corruption like that, why is the crash always exactly the same? It looks like this:

(gdb) bt
#0  0x0000000800b59953 in strlen () from /lib/libc.so.6
#1  0x000000080109dac6 in lex_scan (zendlval=0x7fffffff8d20)
    at zend_language_scanner.l:1301
#2  0x00000008010b1214 in zend_highlight (syntax_highlighter_ini=0x7fffffff8e10)
    at /home/rasmus/php51/Zend/zend_highlight.c:178
#3  0x00000008010a03b4 in highlight_string (str=0x7fffffff8d80,
    syntax_highlighter_ini=0x7fffffff8e10,
    str_name=0x981d18 "/home/local/Web/sites/www.php.net/include/layout.inc(21) : highlighted code")
    at zend_language_scanner.l:621
#4  0x00000008010072ac in zif_highlight_string (ht=40, return_value=0x986c58,
    return_value_ptr=0xc, this_ptr=0x978340, return_value_used=19651040)
    at /home/rasmus/php51/ext/standard/basic_functions.c:2537
#5  0x00000008010d9407 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fffffff91e0)
    at zend_vm_execute.h:200
#6  0x00000008010d8d21 in execute (op_array=0x893f00) at zend_vm_execute.h:92
#7  0x00000008010d8ff5 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fffffff9440)
    at zend_vm_execute.h:234
#8  0x00000008010d8d21 in execute (op_array=0x8f5400) at zend_vm_execute.h:92
#9  0x00000008010d8ff5 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fffffff9b80)
    at zend_vm_execute.h:234
#10 0x00000008010d8d21 in execute (op_array=0x842300) at zend_vm_execute.h:92
#11 0x00000008010d8ff5 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fffffffa370)
    at zend_vm_execute.h:234
#12 0x00000008010d8d21 in execute (op_array=0x842000) at zend_vm_execute.h:92
#13 0x00000008010d8ff5 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fffffffa7a0)
    at zend_vm_execute.h:234
#14 0x00000008010d8d21 in execute (op_array=0x816b00) at zend_vm_execute.h:92
#15 0x00000008010d8ff5 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fffffffc750)
    at zend_vm_execute.h:234
#16 0x00000008010d8d21 in execute (op_array=0x7e8a18) at zend_vm_execute.h:92
#17 0x00000008010bc4a9 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /home/rasmus/php51/Zend/zend.c:1109
#18 0x000000080107d17d in php_execute_script (primary_file=0x7fffffffdfd0)
    at /home/rasmus/php51/main/main.c:1726
#19 0x0000000801130d4f in apache_php_module_main (r=0x28, display_source_mode=0)
    at /home/rasmus/php51/sapi/apache/sapi_apache.c:53
#20 0x0000000801131995 in send_php (r=0x7bf060, display_source_mode=0, filename=0x0)
    at /home/rasmus/php51/sapi/apache/mod_php5.c:661
#21 0x0000000000427cec in ap_invoke_handler ()
#22 0x0000000000439a6c in process_request_internal ()
#23 0x0000000000439bad in ap_process_request ()
#24 0x000000000043132f in child_main ()
#25 0x00000000004316b9 in make_child ()
#26 0x000000000043295e in standalone_main ()
#27 0x0000000000433453 in main ()
(gdb) up
#1  0x000000080109dac6 in lex_scan (zendlval=0x7fffffff8d20)
    at zend_language_scanner.l:1301
1301            zendlval->value.str.len = strlen(func_name);
(gdb) p func_name
$3 = 0x28
(gdb) frame 2
#2  0x00000008010b1214 in zend_highlight (syntax_highlighter_ini=0x7fffffff8e10)
    at /home/rasmus/php51/Zend/zend_highlight.c:178
178             token.type = 0;
(gdb) l
173                             break;
174                     }
175             } else if (token_type == T_END_HEREDOC) {
176                     efree(token.value.str.val);
177             }
178             token.type = 0;
179     }
180     done:
181     if (last_color != syntax_highlighter_ini->highlight_html) {
182             zend_printf("\n");
(gdb) p token
$8 = {value = {lval = 12225272, dval = 6.0400869062649078e-317, str = {val = 0xba8af8 "::", len = 2},
    ht = 0xba8af8, obj = {handle = 12225272, handlers = 0x2}}, refcount = 4294937984,
  type = 0 '\0', is_ref = 127 '\177'}
(gdb) frame 3
#3  0x00000008010a03b4 in highlight_string (str=0x7fffffff8d80,
    syntax_highlighter_ini=0x7fffffff8e10,
    str_name=0x981d18 "/home/local/Web/sites/www.php.net/include/layout.inc(21) : highlighted code")
    at zend_language_scanner.l:621
621             zend_highlight(syntax_highlighter_ini TSRMLS_CC);
(gdb) p *str
$5 = {value = {lval = 9998360, dval = 4.9398461907532858e-317, str = {
      val = 0x989018 "This is a small function I wrote to handle queries on a table.\nIt can query a table, order and sort, and supports inner joins.\n\nThis function also returns the result as a single row or all rows.\n\nEnjo"..., len = 3374}, ht = 0x989018, obj = {handle = 9998360, handlers = 0xd2e}},
  refcount = 3, type = 6 '\006', is_ref = 0 '\0'}
(gdb) frame 4
#4  0x00000008010072ac in zif_highlight_string (ht=40, return_value=0x986c58,
    return_value_ptr=0xc, this_ptr=0x978340, return_value_used=19651040)
    at /home/rasmus/php51/ext/standard/basic_functions.c:2537
2537            if (highlight_string(expr, &syntax_highlighter_ini, hicompiled_string_description TSRMLS_CC) == FAILURE) {
(gdb) p *expr
$2 = {value = {lval = 9994264, dval = 4.9378224978679201e-317, str = {
      val = 0x988018 "This is a small function I wrote to handle queries on a table.\nIt can query a table, order and sort, and supports inner joins.\n\nThis function also returns the result as a single row or all rows.\n\nEnjo"..., len = 3374}, ht = 0x988018, obj = {handle = 9994264, handlers = 0xd2e}},
  refcount = 3, type = 6 '\006', is_ref = 0 '\0'}

I have also tried to reproduce this running under valgrind, but no luck there either. So it could be 64-bit specific, or somehow I didn't recreate the exact same environment for it. Since it is the second user note with code to highlight on that page that always crashes, it could be some sort of re-entrancy problem as well. Or perhaps it is totally unrelated, although the fact that it is always the exact same crash is extremely suspicious.

If you have an account on y2, do:

gdb /local/httpd/bin/httpd /local/httpd/httpd.core

This is running PHP_5_1 as of yesterday.

-Rasmus