Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:46329
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Received-SPF: pass (pb1.pair.com: domain zend.com designates 212.25.124.185 as permitted sender)
Message-ID: <4B1D1E1D.106@zend.com>
Date: Mon, 07 Dec 2009 18:24:13 +0300
User-Agent: Thunderbird 2.0.0.23 (X11/20090825)
MIME-Version: 1.0
To: Rasmus Lerdorf <rasmus@lerdorf.com>
CC: PHP Developers Mailing List <internals@lists.php.net>
References: <4B1B4BC9.1040403@lerdorf.com>
In-Reply-To: <4B1B4BC9.1040403@lerdorf.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [PHP-DEV] PHP_5_3 GC segfaults
From: dmitry@zend.com (Dmitry Stogov)

Hi Rasmus,

Let me know how to reproduce them and I'll try to look into them.

Thanks. Dmitry.

Rasmus Lerdorf wrote:
> I'm seeing some GC-related segfaults in current PHP_5_3.  I haven't had
> time to dive into it very far.  All I have is a couple of bts and the
> request that triggers it, but it is a gallery2 request and there is a
> lot of code there.  I'll see if I can get it down to something
> manageable.  The first bt is:
> 
> Program received signal SIGSEGV, Segmentation fault.
> 0x00007f4d6b3df8f1 in gc_zval_possible_root (zv=0x232e098) at
> /home/rasmus/src/php/php-src/branches/PHP_5_3/Zend/zend_gc.c:143
> 143			GC_ZOBJ_CHECK_POSSIBLE_ROOT(zv);
> (gdb) bt
> #0  0x00007f4d6b3df8f1 in gc_zval_possible_root (zv=0x232e098) at
> /home/rasmus/src/php/php-src/branches/PHP_5_3/Zend/zend_gc.c:143
> #1  0x00007f4d6b3ce11b in zend_hash_destroy (ht=0x2323e78) at
> /home/rasmus/src/php/php-src/branches/PHP_5_3/Zend/zend_hash.c:526
> #2  0x00007f4d6b3c14ff in _zval_dtor_func (zvalue=0x232df78) at
> /home/rasmus/src/php/php-src/branches/PHP_5_3/Zend/zend_variables.c:43
> #3  0x00007f4d6b3b5ccd in _zval_dtor (zval_ptr=0x232df58) at
> /home/rasmus/src/php/php-src/branches/PHP_5_3/Zend/zend_variables.h:35
> #4  _zval_ptr_dtor (zval_ptr=0x232df58) at
> /home/rasmus/src/php/php-src/branches/PHP_5_3/Zend/zend_execute_API.c:435
> #5  0x00007f4d6b3ce11b in zend_hash_destroy (ht=0x2323f88) at
> /home/rasmus/src/php/php-src/branches/PHP_5_3/Zend/zend_hash.c:526
> #6  0x00007f4d6b3c14ff in _zval_dtor_func (zvalue=0x232df28) at
> /home/rasmus/src/php/php-src/branches/PHP_5_3/Zend/zend_variables.c:43
> #7  0x00007f4d6b3b5ccd in _zval_dtor (zval_ptr=0x23561e8) at
> /home/rasmus/src/php/php-src/branches/PHP_5_3/Zend/zend_variables.h:35
> #8  _zval_ptr_dtor (zval_ptr=0x23561e8) at
> /home/rasmus/src/php/php-src/branches/PHP_5_3/Zend/zend_execute_API.c:435
> #9  0x00007f4d6b3ce11b in zend_hash_destroy (ht=0x2323ce0) at
> /home/rasmus/src/php/php-src/branches/PHP_5_3/Zend/zend_hash.c:526
> #10 0x00007f4d6b3e0e69 in zend_object_std_dtor (object=0x2355790) at
> /home/rasmus/src/php/php-src/branches/PHP_5_3/Zend/zend_objects.c:45
> #11 0x00007f4d6b3e0e89 in zend_objects_free_object_storage
> (object=0x232e098) at
> /home/rasmus/src/php/php-src/branches/PHP_5_3/Zend/zend_objects.c:114
> #12 0x00007f4d6b3e47c9 in zend_objects_store_del_ref_by_handle_ex
> (handle=9, handlers=<value optimized out>)
>     at
> /home/rasmus/src/php/php-src/branches/PHP_5_3/Zend/zend_objects_API.c:220
> #13 0x00007f4d6b3e47e3 in zend_objects_store_del_ref (zobject=0x2342c00)
> at /home/rasmus/src/php/php-src/branches/PHP_5_3/Zend/zend_objects_API.c:172
> #14 0x00007f4d6b3b5ccd in _zval_dtor (zval_ptr=0x22fe8b8) at
> /home/rasmus/src/php/php-src/branches/PHP_5_3/Zend/zend_variables.h:35
> #15 _zval_ptr_dtor (zval_ptr=0x22fe8b8) at
> /home/rasmus/src/php/php-src/branches/PHP_5_3/Zend/zend_execute_API.c:435
> #16 0x00007f4d6b3ce11b in zend_hash_destroy (ht=0x2323bb0) at
> /home/rasmus/src/php/php-src/branches/PHP_5_3/Zend/zend_hash.c:526
> #17 0x00007f4d6b3e0e69 in zend_object_std_dtor (object=0x22fe990) at
> /home/rasmus/src/php/php-src/branches/PHP_5_3/Zend/zend_objects.c:45
> #18 0x00007f4d6b3e0e89 in zend_objects_free_object_storage
> (object=0x232e098) at
> /home/rasmus/src/php/php-src/branches/PHP_5_3/Zend/zend_objects.c:114
> #19 0x00007f4d6b3e42fc in zend_objects_store_free_object_storage
> (objects=0x7f4d6bb79f58) at
> /home/rasmus/src/php/php-src/branches/PHP_5_3/Zend/zend_objects_API.c:92
> #20 0x00007f4d6b3b82e5 in shutdown_executor () at
> /home/rasmus/src/php/php-src/branches/PHP_5_3/Zend/zend_execute_API.c:298
> #21 0x00007f4d6b3c21d2 in zend_deactivate () at
> /home/rasmus/src/php/php-src/branches/PHP_5_3/Zend/zend.c:890
> #22 0x00007f4d6b36e182 in php_request_shutdown (dummy=<value optimized
> out>) at /home/rasmus/src/php/php-src/branches/PHP_5_3/main/main.c:1606
> 
> And another:
> 
> Program received signal SIGSEGV, Segmentation fault.
> zval_mark_grey (pz=0x114f458) at
> /home/rasmus/src/php/php-src/branches/PHP_5_3/Zend/zend_gc.c:356
> 356					p = Z_ARRVAL_P(pz)->pListHead;
> (gdb) bt
> #0  zval_mark_grey (pz=0x114f458) at
> /home/rasmus/src/php/php-src/branches/PHP_5_3/Zend/zend_gc.c:356
> #1  0x00007f7ef6d57e39 in zval_mark_grey (pz=0x114f458) at
> /home/rasmus/src/php/php-src/branches/PHP_5_3/Zend/zend_gc.c:367
> #2  0x00007f7ef6d5846d in gc_mark_roots () at
> /home/rasmus/src/php/php-src/branches/PHP_5_3/Zend/zend_gc.c:417
> #3  gc_collect_cycles () at
> /home/rasmus/src/php/php-src/branches/PHP_5_3/Zend/zend_gc.c:628
> #4  0x00007f7ef6d3b2a5 in zend_deactivate () at
> /home/rasmus/src/php/php-src/branches/PHP_5_3/Zend/zend.c:900
> #5  0x00007f7ef6ce7182 in php_request_shutdown (dummy=<value optimized
> out>) at /home/rasmus/src/php/php-src/branches/PHP_5_3/main/main.c:1606
> #6  0x00007f7ef6dc4f83 in php_apache_request_dtor (r=0xee3148) at
> /home/rasmus/src/php/php-src/branches/PHP_5_3/sapi/apache2handler/sapi_apache2.c:493
> (gdb) p pz
> $1 = (zval *) 0x114f458
> (gdb) p *pz
> $2 = {value = {lval = 0, dval = 0, str = {val = 0x0, len = 17070608}, ht
> = 0x0, obj = {handle = 0, handlers = 0x1047a10}}, refcount__gc =
> 4294967295, type = 4 '\004',
>   is_ref__gc = 0 '\000'
> 
> garbage zval there with a null value.ht, so that Z_ARRVAL_P isn't going
> to work.
> 
> And another:
> 
> Program received signal SIGSEGV, Segmentation fault.
> zval_mark_grey (pz=0x1c6e950) at
> /home/rasmus/src/php/php-src/branches/PHP_5_3/Zend/zend_gc.c:360
> 360				pz = *(zval**)p->pData;
> (gdb) bt
> #0  zval_mark_grey (pz=0x1c6e950) at
> /home/rasmus/src/php/php-src/branches/PHP_5_3/Zend/zend_gc.c:360
> #1  0x00007ff6de77246d in gc_mark_roots () at
> /home/rasmus/src/php/php-src/branches/PHP_5_3/Zend/zend_gc.c:417
> #2  gc_collect_cycles () at
> /home/rasmus/src/php/php-src/branches/PHP_5_3/Zend/zend_gc.c:628
> #3  0x00007ff6de7552a5 in zend_deactivate () at
> /home/rasmus/src/php/php-src/branches/PHP_5_3/Zend/zend.c:900
> #4  0x00007ff6de701182 in php_request_shutdown (dummy=<value optimized
> out>) at /home/rasmus/src/php/php-src/branches/PHP_5_3/main/main.c:1606
> #5  0x00007ff6de7def83 in php_apache_request_dtor (r=0x1368118) at
> /home/rasmus/src/php/php-src/branches/PHP_5_3/sapi/apache2handler/sapi_apache2.c:493
> #6  php_handler (r=0x1368118) at
> /home/rasmus/src/php/php-src/branches/PHP_5_3/sapi/apache2handler/sapi_apache2.c:665
> (gdb) p p
> $2 = (Bucket *) 0x100000000
> 
> Obviously a bogus addr there.
> 
> Vanilla PHP_5_3 build from today.  No APC, Suhosin, xdebug or any deep
> extensions like that.
> 
> With "zend.enable_gc=Off" the segfaults go away, of course.
> 
> -Rasmus
>