From:             vegeta at tuxpowered dot net
Operating system: Debian 6.0.5 x86_64
PHP version:      5.3.17
Package:          *General Issues
Bug Type:         Bug
Bug description: garbage collector segfault

Description:
------------
There is an application which creates a rather complicated graph structure.
Some of the objects used in this structure have a __destruct() method in
which they replace their own properties with new array()s.

Most of the code runs fine, apart from the very end, where PHP runs the
garbage collector. At this moment there is a segfault. Debian packages come
with Suhosin, so I also tested the issue with custom-built packages
without it. I tested multiple PHP versions in both the 5.3 and 5.4 ranges,
including 5.3.17, with and without Suhosin and with USE_ZEND_ALLOC=1 and
=0.

Calling gc_disable() at the end of the script causes it to terminate
properly. Modifying __destruct() so it does not try to "clean" itself also
solves the issue.

I attach the results from 5.3.13 built without Suhosin.

Expected result:
----------------
I expect the script to finish in the natural way without a segfault.

Actual result:
--------------
$ gdb --arg /opt/php5-nosuhosin/php5 install/broken_script.php

warning: Can not parse XML syscalls information; XML support was disabled
at compile time.
GNU gdb (GDB) 7.0.1-debian
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /opt/php5-nosuhosin/php5...Reading symbols from
/usr/lib/debug/opt/php5-nosuhosin/php5...done.
(no debugging symbols found)...done.
(gdb) run
Starting program: /opt/php5-nosuhosin/php5 install/broken_script.php
[Thread debugging using libthread_db enabled]

Program received signal SIGSEGV, Segmentation fault.
zend_mm_remove_from_free_list (heap=0xe9f290, mm_block=0x7fffd850f728) at
/usr/src/php/Zend/zend_alloc.c:830
830                             ZEND_MM_CHECK_TREE(mm_block);
(gdb) bt
#0  zend_mm_remove_from_free_list (heap=0xe9f290, mm_block=0x7fffd850f728)
at /usr/src/php/Zend/zend_alloc.c:830
#1  0x00000000006a7c76 in _zend_mm_free_int (heap=0xe9f290,
p=0x7fffd850f9d0) at /usr/src/php/Zend/zend_alloc.c:2034
#2  0x00000000006d1b31 in zend_hash_destroy (ht=0x7fffd8523b48) at
/usr/src/php/Zend/zend_hash.c:534
#3  0x00000000006e4839 in zend_object_std_dtor (object=0x7fffd8bf0740) at
/usr/src/php/Zend/zend_objects.c:45
#4  0x00000000006e4859 in zend_objects_free_object_storage
(object=0x7fffd8bf0740) at /usr/src/php/Zend/zend_objects.c:126
#5  0x00000000006e80bc in zend_objects_store_free_object_storage
(objects=0xe9dc18) at /usr/src/php/Zend/zend_objects_API.c:92
#6  0x00000000006b8feb in shutdown_executor () at
/usr/src/php/Zend/zend_execute_API.c:304
#7  0x00000000006c59d2 in zend_deactivate () at
/usr/src/php/Zend/zend.c:891
#8  0x00000000006714c5 in php_request_shutdown (dummy=0xe9f290) at
/usr/src/php/main/main.c:1661
#9  0x0000000000752cd0 in main (argc=-4856, argv=0x7ffff7fece18) at
/usr/src/php/sapi/cli/php_cli.c:1363
(gdb) l
825                                     rp = cp;
826                             }
827                             *rp = NULL;
828
829     subst_block:
830                             ZEND_MM_CHECK_TREE(mm_block);
831                             *mm_block->parent = prev;
832                             prev->parent = mm_block->parent;
833                             if ((prev->child[0] = mm_block->child[0])) {
834                                     ZEND_MM_CHECK_TREE(prev->child[0]);
(gdb) print mm_block
$1 = (zend_mm_free_block *) 0x7fffd850f728
(gdb) print *mm_block 
$2 = {info = {_size = 664, _prev = 97}, prev_free_block = 0x1a21af0,
next_free_block = 0x1c682a8, parent = 0xffffffff, child = {0x0, 0x0}}
$ USE_ZEND_ALLOC=0 gdb --arg /opt/php5-nosuhosin/php5 install/broken_script.php

warning: Can not parse XML syscalls information; XML support was disabled
at compile time.
GNU gdb (GDB) 7.0.1-debian
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /opt/php5-nosuhosin/php5...Reading symbols from
/usr/lib/debug/opt/php5-nosuhosin/php5...done.
(no debugging symbols found)...done.
(gdb) run
Starting program: /opt/php5-nosuhosin/php5 install/broken_script.php
[Thread debugging using libthread_db enabled]

Program exited normally.
(gdb) run
Starting program: /opt/php5-nosuhosin/php5 install/broken_script.php
[Thread debugging using libthread_db enabled]

Program received signal SIGSEGV, Segmentation fault.
zval_mark_grey (pz=0x1fbfc20) at /usr/src/php/Zend/zend_gc.c:372
372                             pz = *(zval**)p->pData;
(gdb) backtrace
#0  zval_mark_grey (pz=0x1fbfc20) at /usr/src/php/Zend/zend_gc.c:372
#1  0x00000000006e2fa5 in gc_collect_cycles () at
/usr/src/php/Zend/zend_gc.c:435
#2  0x00000000006c5aa5 in zend_deactivate () at
/usr/src/php/Zend/zend.c:901
#3  0x00000000006714c5 in php_request_shutdown (dummy=0x1fbfc20) at
/usr/src/php/main/main.c:1661
#4  0x0000000000752cd0 in main (argc=-4888, argv=0x7ffff7fece18) at
/usr/src/php/sapi/cli/php_cli.c:1363
(gdb) l
367                             } else {
368                                     p = Z_ARRVAL_P(pz)->pListHead;
369                             }
370                     }
371                     while (p != NULL) {
372                             pz = *(zval**)p->pData;
373                             if (Z_TYPE_P(pz) != IS_ARRAY || Z_ARRVAL_P(pz) != &EG(symbol_table)) {
374                                     pz->refcount__gc--;
375                             }
376                             if (p->pListNext == NULL) {
(gdb) print p
$1 = (Bucket *) 0x500000000
(gdb) print *(zval**)p->pData
Cannot access memory at address 0x500000010
(gdb) print p
$2 = (Bucket *) 0x500000000
(gdb) print pz.value.ht->pListHead
$3 = (Bucket *) 0x500000000
(gdb) print *pz.value.ht
$4 = {nTableSize = 872480768, nTableMask = 943208497, nNumOfElements = 49,
  nNextFreeElement = 33273840, pInternalPointer = 0x13d3490,
  pListHead = 0x500000000, pListTail = 0x0, arBuckets = 0x190,
  pDestructor = 0x60, persistent = 16 '\020', nApplyCount = 67 'C',
  bApplyProtection = 61 '='}
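The report does not include install/broken_script.php, only a description of its shape: a cyclic object graph whose __destruct() methods replace their own properties with fresh arrays, a crash when the collector runs at shutdown, and two things that avoid it (gc_disable() at the end of the script, or a destructor that does not "clean" itself). The script below is an added illustration of that pattern, not the reporter's script and not PHP project code. The Node class, build_graph(), the graph size and the PHP_BUG63134_* environment toggles are all constructed here; whether a particular engine build actually crashes on it is not something the report lets us promise.

```php
<?php
// Constructed example, not the reporter's install/broken_script.php: it only
// reproduces the *shape* of the pattern the report describes (a cyclic object
// graph whose destructors replace their own properties with fresh arrays) and
// the two mitigations the reporter found. Whether it crashes a given build is
// not something this script can promise.
//
// Hypothetical toggles, via environment variables:
//   PHP_BUG63134_NO_SELF_CLEAN=1  destructors leave their properties alone
//   PHP_BUG63134_GC_DISABLE=1     call gc_disable() at the end of the script
//   PHP_BUG63134_COLLECT_EARLY=1  drop the graph and collect before shutdown,
//                                 so a crash lands in an explicit
//                                 gc_collect_cycles() call rather than in the
//                                 collection run from zend_deactivate()

class Node
{
    public $name;
    public $edges = array();   // Node objects; every link is bidirectional
    public $meta  = array();   // per-edge data, keyed by peer name

    public function __construct($name)
    {
        $this->name = $name;
    }

    public function link(Node $peer)
    {
        $this->edges[] = $peer;
        $peer->edges[] = $this;                 // back-edge: a reference cycle
        $this->meta[$peer->name] = array('weight' => mt_rand(1, 100));
    }

    // The destructor "cleans" the object by discarding the arrays that hold
    // the cycle. In the report this runs while the engine is already tearing
    // down the same structures at request shutdown.
    public function __destruct()
    {
        if (getenv('PHP_BUG63134_NO_SELF_CLEAN')) {
            return;
        }
        $this->edges = array();
        $this->meta  = array();
    }
}

function build_graph($count, $fanout)
{
    $nodes = array();
    for ($i = 0; $i < $count; $i++) {
        $nodes[] = new Node("n$i");
    }
    mt_srand(63134);   // deterministic wiring so a crash is repeatable
    foreach ($nodes as $node) {
        for ($j = 0; $j < $fanout; $j++) {
            $node->link($nodes[mt_rand(0, $count - 1)]);
        }
    }
    return $nodes;
}

$graph = build_graph(2000, 5);
echo "built " . count($graph) . " nodes\n";

if (getenv('PHP_BUG63134_COLLECT_EARLY')) {
    unset($graph);                   // only the cycles keep the nodes alive now
    echo "collected " . gc_collect_cycles() . " cycles\n";
}

if (getenv('PHP_BUG63134_GC_DISABLE')) {
    gc_disable();                    // the reporter's workaround
}
// Otherwise the graph survives to shutdown, where the collector runs.
```

To try it against a build, run it under gdb the way the report does (`gdb --args php repro.php`, then `run`, `bt`) and repeat with `PHP_BUG63134_GC_DISABLE=1` and `PHP_BUG63134_NO_SELF_CLEAN=1` set; a clean exit only with one of those set matches the behaviour the reporter describes. `PHP_BUG63134_COLLECT_EARLY=1` moves the collection out of shutdown so the backtrace has user-level frames in it, which makes it easier to see which object's destructor was running when the collector's walk went wrong.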
-- 
Edit bug report at https://bugs.php.net/bug.php?id=63134&edit=1