Bug #40479 [Com]: zend_mm_heap corrupted

[from dot php dot net at brainbox dot cz]

Edit report at https://bugs.php.net/bug.php?id=40479&edit=1

 ID:                 40479
 Comment by:         from dot php dot net at brainbox dot cz
 Reported by:        rrossi at maggioli dot it
 Summary:            zend_mm_heap corrupted
 Status:             Feedback
 Type:               Bug
 Package:            Reproducible crash
 Operating System:   Suse Linux 9.0
 PHP Version:        5.2.1
 Block user comment: N
 Private report:     N

 New Comment:

I can reproduce the bug on Microsoft Windows XP SP3, with latest official PHP 
5.3.8 NTS build.

When we run script from "f dot ardelian at gmail dot com", PHP does not output 
"zend_mm_heap corrupted", but right after displaying the "If you see this…" 
line CRASHES.

However, I found that when I call "gc_disable();" before script end, it 
finishes successfully. This helped me run the test script without problems, but 
didn't solve the issue in my other scripts.

<?
define('OBJECT_COUNT', 100 * 1000 * 10);

class Object {
    private static $world = array();
    private static $maxGuid = 0;
    protected $_guid = null;
    public function __construct() {
         self::$world[$this->_guid = self::$maxGuid++] = $this;
    }
    public function __destruct() {
         unset(self::$world[$this->_guid]);
    }
}

for ($i = 0; $i < OBJECT_COUNT; ++$i) {
    new Object();
}

// You probably won't see this because of the "zend_mm_heap corrupted"
echo 'If you see this, try to increase OBJECT_COUNT to 100,000';

gc_disable(); // ADDED - works for me - PHP does not crash
?>


Previous Comments:
------------------------------------------------------------------------
[2011-10-17 20:24:44] rob dot spekschoor at gmail dot com

problem solved by compiling apache with prefork. Somehow Apache worker MPM + 
PHP 5.2 works fine but Apache worker MPM + PHP 5.3 fails terribly. Prefork 
seems stable

------------------------------------------------------------------------
[2011-10-05 20:08:42] rob dot spekschoor at gmail dot com

I can also reproduce with script from 'f dot ardelian at gmail dot com' this 
error on:

php --version
PHP 5.3.8-pl0-gentoo (cli) (built: Oct  4 2011 10:42:38) 
Copyright (c) 1997-2011 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2011 Zend Technologies

------------------------------------------------------------------------
[2011-09-26 08:00:03] laacz at laacz dot lv

Second this by running code, provided by "f dot ardelian at gmail dot com" at 
2011-08-31 07:49 UTC:

# php -q zend_mm_heap_corrupted.php
If you see this, try to increase OBJECT_COUNT to 100,000zend_mm_heap corrupted

# php --version
PHP 5.3.8 (cli) (built: Aug 29 2011 14:48:33)
Copyright (c) 1997-2011 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2011 Zend Technologies
    with eAccelerator v0.9.6.1, Copyright (c) 2004-2010 eAccelerator, by 
eAccelerator
    with Xdebug v2.1.2, Copyright (c) 2002-2011, by Derick Rethans

------------------------------------------------------------------------
[2011-09-02 11:28:40] christoffer at westart dot se

I must agree with Florin, we are experiencing the same kinds of issues, both 
with 
CLI and mod_php, su_php and across 5.2.* and 5.3.*. We really need this to be 
fixed. Any updates?

------------------------------------------------------------------------
[2011-08-31 07:49:32] f dot ardelian at gmail dot com

The cause is pretty clear to me: when the script ends, the garbage collector 
starts to destroy the objects and the `unset()` in the destructor probably 
invokes the garbage collector again. The error message doesn't always appear on 
the screen nor in the error log (sometimes it does). The "Segmentation fault" 
always appears in the error log. Breaks if PHP is installed using apt-get or 
yum or comes with your Linux distro. Seems to work fine on Windows and codepads 
(custom compiled PHPs). Definitely breaks on Debian. Don't forget to set 
memory_limit to have enough room in memory to create all the objects (128M 
seems to be enough on Debian to create 150,000 objects).

<?php
define('OBJECT_COUNT', 20 * 1000);

class Object {
    private static $world = array();
    private static $maxGuid = 0;
    protected $_guid = null;
    public function __construct() {
         self::$world[$this->_guid = self::$maxGuid++] = $this;
    }
    public function __destruct() {
         unset(self::$world[$this->_guid]);
    }
}

for ($i = 0; $i < OBJECT_COUNT; ++$i) {
    new Object();
}

// You probably won't see this because of the "zend_mm_heap corrupted"
echo 'If you see this, try to increase OBJECT_COUNT to 100,000';
?>

If this code pinpoints the four and a half years-old issue, email me a beer.
Florin Ardelian

------------------------------------------------------------------------


The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at

    https://bugs.php.net/bug.php?id=40479


-- 
Edit this bug report at https://bugs.php.net/bug.php?id=40479&edit=1