Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:64378
Return-Path: <jani.ollikainen@mmd.net>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 80992 invoked from network); 20 Dec 2012 12:36:09 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 20 Dec 2012 12:36:09 -0000
Authentication-Results: pb1.pair.com smtp.mail=jani.ollikainen@mmd.net; spf=permerror; sender-id=unknown
Authentication-Results: pb1.pair.com header.from=jani.ollikainen@mmd.net; sender-id=unknown
Received-SPF: error (pb1.pair.com: domain mmd.net from 80.83.1.197 cause and error)
X-PHP-List-Original-Sender: jani.ollikainen@mmd.net
X-Host-Fingerprint: 80.83.1.197 dyn-197.hel.mmd.net  
Received: from [80.83.1.197] ([80.83.1.197:10042] helo=smtp.pronetko.fi)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id AE/8D-04341-63603D05 for <internals@lists.php.net>; Thu, 20 Dec 2012 07:36:07 -0500
Received: from [10.0.0.7] (k7.pronetko.fi [::ffff:10.0.0.7])
  (AUTH: PLAIN bestis@pronetko.fi, SSL: TLSv1/SSLv3,256bits,CAMELLIA256-SHA)
  by smtp.pronetko.fi with ESMTPSA; Thu, 20 Dec 2012 14:26:49 +0200
  id 000000000109800E.50D30409.00002F82
Message-ID: <50D30656.8090207@mmd.net>
Date: Thu, 20 Dec 2012 14:36:38 +0200
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Thunderbird/17.0
MIME-Version: 1.0
To: internals@lists.php.net
References: <50D1D9B9.4060505@mmd.net> <50D22321.5040808@sugarcrm.com> <50D2291F.4040402@mmd.net>
In-Reply-To: <50D2291F.4040402@mmd.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [PHP-DEV] Crashes in lex_scan at  Zend/zend_language_scanner.c
 / BUG #52752
From: jani.ollikainen@mmd.net (Jani Ollikainen)

Hi,

If someone wants access to machine where you can reproduce this
send me email. It's not just one machine where I can reproduce
this, so can't blame hardware.

Reproduced this there in CentOS 6.3 default php, php-5.3.19, php-5.4.9
and php-trunk-201212200830.

What I noticed that with trunk I got different places in .l for
the crash so it seems to me that something is really wrong with
mmap functionality and it gets somehow broken files?

This is the most often place:
1917                    switch (*YYCURSOR++) {

But I've also got these:
2267                    switch (yych) {
1087                    if (yych != '<') goto yy4;

I see two possibilities here, php uses mmap somehow that there's
a possibility of that happening or there's a data corruption
bug in mmap itself.

Lets tackle the latter and lets get http://ltp.sourceforge.net/:
$ ./mmap-corruption01 -h1 -m1 -s1
mmap-corruption will run for=> 3661, seconds
mmap-corruption PASSED

Well, no corruption according to that test, so it leaves me
the first option.

This is the script "runme.sh" I used to reproduce crashes.
It usually only needs 1-4 iterations to get the crash:

#!/bin/sh

# Touch so first run aren't full of include() errors
touch test.tpl

# Remove old core
/bin/rm core.* 1>/dev/null 2>/dev/null

# Do crash
NOCRASH=1
while [ $NOCRASH -eq 1 ];do
         sapi/cli/php -n test3.php &
         PHPPID=$!
         echo "Running php with pid $PHPPID..."
         sleep 5
         ps $PHPPID >/dev/null && NOCRASH=1 || NOCRASH=0
         if [ $NOCRASH -eq 1 ];then
                 echo "Killing php...";
                 kill -9 $PHPPID;
         fi;
done

# Crash done
ls -la core.*

# Debug
gdb sapi/cli/php core.*


Where test3.php is almost the same, but added -n, so no apc or other
extension is to blame:

<?php
if ($argv[1] > 0) {
   while ($argv[1]--) file_put_contents('test.tpl', "<?php 
#".str_repeat('A', mt_rand(4000, 5000))." ?>\n", LOCK_EX);
} else {
   $p2 = popen("sapi/cli/php -n test3.php 100", "r");
   while (1) include 'test.tpl';
}
?>

With this patch, which disables mmap I've not been able to reproduce it
after it has been running for 10 minutes:
--- php-trunk-201212200830/main/main.c  2012-12-05 11:59:32.000000000 +0200
+++ php-trunk-patched-201212200830/main/main.c  2012-12-20 
12:18:10.491302651 +0200
@@ -1324,7 +1324,7 @@
                 /* can we mmap immeadiately? */
                 memset(&handle->handle.stream.mmap, 0, 
sizeof(handle->handle.stream.mmap));
                 len = php_zend_stream_fsizer(stream TSRMLS_CC);
-               if (len != 0
+               if (0 && len != 0
  #if HAVE_MMAP || defined(PHP_WIN32)
                 && ((len - 1) % page_size) <= page_size - ZEND_MMAP_AHEAD
  #endif

Without that patch the crash comes in under half minute.

And now I'm out of ideas of what I could do more to help
get this issue fixed with my knowledge and skills.


On 19.12.2012 22:52, Jani Ollikainen wrote:
> On 19.12.2012 22:27, Stas Malyshev wrote:
>>> https://bugs.php.net/bug.php?id=52752
>> Just tried to reproduce it on Centos 6.2 install (without APC), works
>> just fine for me. I suspect it's some APC issue, does it reproduce for
>> you without APC loaded?