Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:67760
Return-Path: <ircmaxell@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 42129 invoked from network); 21 Jun 2013 00:48:03 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 21 Jun 2013 00:48:03 -0000
Authentication-Results: pb1.pair.com header.from=ircmaxell@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=ircmaxell@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.128.175 as permitted sender)
X-PHP-List-Original-Sender: ircmaxell@gmail.com
X-Host-Fingerprint: 209.85.128.175 mail-ve0-f175.google.com  
Received: from [209.85.128.175] ([209.85.128.175:52407] helo=mail-ve0-f175.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 56/61-33826-2C2A3C15 for <internals@lists.php.net>; Thu, 20 Jun 2013 20:48:02 -0400
Received: by mail-ve0-f175.google.com with SMTP id da11so5743095veb.34
        for <internals@lists.php.net>; Thu, 20 Jun 2013 17:47:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :cc:content-type;
        bh=SZMcDTXXN/mkUvJTc3uOWyXuAP5GPSzGiPmtKKTOcVU=;
        b=Uls1TNxothn5KAh8tWnxOQHDgMz6aPOI2JGuJGp5M1KbvMxm6BQHMnbbgO3+hKVeMz
         Op1VlmuGnCjIHYYW5NO4YdPscj8KXrGBCmq4z0pNRvkN+bAUcJFbLfRG2xqBzk5NkKWD
         MEHQQGcFr+ky0TaJFmU/VMo91NrFjhK+HhKRAM3QVSvbF5n5JEEFpXnH/3cO5Il81dCq
         5sxmOVhhNMR3AeiWUSHYyLGX/9+Ey7JwwRofl+guIydaSY7NpK3UfwsNXnA5bD+7v78y
         UhoxrGE7MomMgE5s7vwEis5ld1ep+NrKmLdqg10D8FpWVwn4kSOCM3BS8WOtNEEXrnjg
         Nyvw==
MIME-Version: 1.0
X-Received: by 10.52.33.47 with SMTP id o15mr3809773vdi.1.1371775679521; Thu,
 20 Jun 2013 17:47:59 -0700 (PDT)
Received: by 10.58.94.201 with HTTP; Thu, 20 Jun 2013 17:47:59 -0700 (PDT)
In-Reply-To: <51C38014.4090906@sugarcrm.com>
References: <CAAyV7nEx32ni3J0dOQprJCXd=4D06XwS0-Ro811OtqmPeEyYJg@mail.gmail.com>
	<CABBJUpcz3g6sWZR_K+p6fe0_nP7YZqW1XgZ54ktgA1KgD6xchg@mail.gmail.com>
	<CAAyV7nGFnDOzfR9B8PfgnbbG70ZVdwzx0XfZak9LoKuTSOkvEQ@mail.gmail.com>
	<51C38014.4090906@sugarcrm.com>
Date: Thu, 20 Jun 2013 20:47:59 -0400
Message-ID: <CAAyV7nGM5=e9bP7CtTjbUcnyk1m_C+MSDSEN5zYSbvt59wTSNQ@mail.gmail.com>
To: Stas Malyshev <smalyshev@sugarcrm.com>
Cc: Laruence <laruence@php.net>, "internals@lists.php.net" <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=20cf307ca18416f16404df9f6a6a
Subject: Re: [PHP-DEV] Disabling the GC during shutdown
From: ircmaxell@gmail.com (Anthony Ferrara)

--20cf307ca18416f16404df9f6a6a
Content-Type: text/plain; charset=ISO-8859-1

Stas,

Why is this specific to shutdown? Hashtables are freed all the time,
> what specific shutdown is doing different from all others so that this
> bug only happens on shutdown?
>

Honestly, I am not sure. Every report that I've seen has it happening at
shutdown. Could very well be a coincidence.

As far as what's happening, figure out more.

Basically, zend_deactivate() (which gets fired long after destructors)
tries to destroy the object store:
http://lxr.php.net/xref/PHP_TRUNK/Zend/zend_execute_API.c#293

This iterates through the objects and tries to free them.

Well, during this process, any properties which are still alive are
dtor'ed. However, at a certain point, the garbage collector is fired.
That's when things get funky.

With the latest dump, what appears to be happening is that *something*
between the zend_deactivate call, and the GC being fired, is overwriting
one of the object zval's with *some* data. Here's a sample dump of the zval:

(gdb) print (zval_gc_info) *pz
$1 = {z = {value = {lval = 31337624, dval = 1.5482843440690148e-316,
str = {val = 0x1de2c98 "0", len = 20823032}, ht = 0x1de2c98, obj = {
        handle = 31337624, handlers = 0x13dbbf8}}, refcount__gc =
4294967295, type = 5 '\005', is_ref__gc = 0 '\000'}, u = {
    buffered = 0x2, next = 0x2}}


As you can see, nasty. (Here's the full BT:
https://gist.github.com/odoucet/5796378#comment-848723 )

Well, when the GC hits that zval, it tries to access the object handle, and
throws a segfault (as it's WAY beyond the end of allocated memory).

I have a patch which prevents the segfault:
https://github.com/ircmaxell/php-src/compare/invalidate_object_on_dtor

However, that's not really fixing the situation either, as the zval is
still getting nuked (but only partially).

I am still trying to replicate the issue locally, and if I can, then I can
try to setup watches to check for what's overwriting the zval. But for now,
this is the current progress...

And no, I'm withdrawing the original concept of disabling the GC during
shutdown. The current patch I have works, but it's still just a bandaid on
a gunshot wound, and I'm going to try to figure out what's actually
overwriting the zval..

Anthony

--20cf307ca18416f16404df9f6a6a--