Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:87741
Return-Path: <neclimdul@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 44974 invoked from network); 13 Aug 2015 12:37:05 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 13 Aug 2015 12:37:05 -0000
Authentication-Results: pb1.pair.com header.from=neclimdul@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=neclimdul@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.213.169 as permitted sender)
X-PHP-List-Original-Sender: neclimdul@gmail.com
X-Host-Fingerprint: 209.85.213.169 mail-ig0-f169.google.com  
Received: from [209.85.213.169] ([209.85.213.169:33105] helo=mail-ig0-f169.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 1D/64-00702-D6F8CC55 for <internals@lists.php.net>; Thu, 13 Aug 2015 08:37:01 -0400
Received: by igbpg9 with SMTP id pg9so131815050igb.0
        for <internals@lists.php.net>; Thu, 13 Aug 2015 05:36:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:date:message-id:subject:from:to:content-type;
        bh=Rdhb2Yk/58SCE4CtPFX+TZXmYmF+1wYT0h0RduUAbP4=;
        b=gcmcxijhebpK1ilW7TNFjwsHUzwyoyhw6MGlGfSGMq8vSTwxCtZGAS16PqD7fNk3TH
         k45qku4Zzw70hhpnchXASpdU1ND3VIvXUOwz2so9WwyU0V7wZd28MQLch1l46noxjPdb
         CSAr8bfJQ3zhvuDuWc/YlqCxANyJoCLR+DGp7on66o/4TXlLCrWvnyGNlug5jKJ+7hyP
         tj+G+d7f54Z/nXoftz1qC4xpvDT92p4FC/l1o76U45pgdr+UkurmmNb84lDg3gft+B7S
         VEXaX0KZNtaIXe5qcuHvxY49bTE36nfats62RGdsT4M7YPWXWHMWvJG2VLkBOK4GjeEZ
         0mzA==
MIME-Version: 1.0
X-Received: by 10.50.147.35 with SMTP id th3mr2694546igb.83.1439469418836;
 Thu, 13 Aug 2015 05:36:58 -0700 (PDT)
Received: by 10.79.79.66 with HTTP; Thu, 13 Aug 2015 05:36:58 -0700 (PDT)
Date: Thu, 13 Aug 2015 07:36:58 -0500
Message-ID: <CAO3MkaBiX-vDk5xJwwNhvpGRtt_WR2uMSjA31WHcoU6xH0pWAA@mail.gmail.com>
To: "internals@lists.php.net" <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=089e0149c05060044f051d3097be
Subject: Need help finding segfault in php 7
From: neclimdul@gmail.com (James Gilliland)

--089e0149c05060044f051d3097be
Content-Type: text/plain; charset=UTF-8

So I've been trying for a couple days to narrow down this bug:
https://bugs.php.net/bug.php?id=70242

I can consistently recreate it with a complex test, but I have thus far not
been able to find a pattern that helps me narrow down to a test script. I
thought maybe I could reach out and see if I could get some help
understanding what is happening in php and see if that has any clues.


Seemingly important facts I've found digging through in gdb.
1) The connection related pointers on the stmt are already freed when the
fault happens. It looks like the statement is being freed after the
connection and the if (S->H->server) { surrounding the failing code is not
sufficient to catch this
2) The trace has a spl_iterator in it so it seems like that is holding on
to the stmt pointer. There is a IteratorIterator used on a PDO stmt in the
code. But also in a lot of other non-triggering seemingly identical code
and I haven't been able to get this to work.
3) The code in shutdown_executor that is triggering this is the 6th block
of cleanups which seems to support 1). It is the block without any
documentation which is sort of my luck in this.

I'm guessing there is some way I need to trick a object to hold onto a
reference through the other cleanups or something or trigger some sort of
reference counter quirk but I just can't find it. Any help is appreciated.

--089e0149c05060044f051d3097be--