@odoucet
Created June 17, 2013 12:00
#0 zend_objects_store_del_ref_by_handle_ex (handle=47, handlers=0x101b440)
at /usr/src/build/php/php-src-zval_mark_grey_tail_recursion/Zend/zend_objects_API.c:183
#1 0x000000000082eb43 in zend_objects_store_del_ref (zobject=0x1570d48)
at /usr/src/build/php/php-src-zval_mark_grey_tail_recursion/Zend/zend_objects_API.c:173
#2 0x00000000007f60f8 in _zval_dtor (zvalue=<optimized out>) at /usr/src/build/php/php-src-zval_mark_grey_tail_recursion/Zend/zend_variables.h:35
#3 i_zval_ptr_dtor (zval_ptr=<optimized out>) at /usr/src/build/php/php-src-zval_mark_grey_tail_recursion/Zend/zend_execute.h:81
#4 _zval_ptr_dtor (zval_ptr=<optimized out>) at /usr/src/build/php/php-src-zval_mark_grey_tail_recursion/Zend/zend_execute_API.c:426
#5 0x0000000000828cc7 in zend_object_std_dtor (object=0x2244070) at /usr/src/build/php/php-src-zval_mark_grey_tail_recursion/Zend/zend_objects.c:54
#6 0x0000000000828cf9 in zend_objects_free_object_storage (object=0x2f) at /usr/src/build/php/php-src-zval_mark_grey_tail_recursion/Zend/zend_objects.c:137
#7 0x000000000082eb1b in zend_objects_store_del_ref_by_handle_ex (handle=<optimized out>, handlers=<optimized out>)
at /usr/src/build/php/php-src-zval_mark_grey_tail_recursion/Zend/zend_objects_API.c:221
#8 0x000000000082eb43 in zend_objects_store_del_ref (zobject=0x2244180)
at /usr/src/build/php/php-src-zval_mark_grey_tail_recursion/Zend/zend_objects_API.c:173
#9 0x00000000007f60f8 in _zval_dtor (zvalue=<optimized out>) at /usr/src/build/php/php-src-zval_mark_grey_tail_recursion/Zend/zend_variables.h:35
#10 i_zval_ptr_dtor (zval_ptr=<optimized out>) at /usr/src/build/php/php-src-zval_mark_grey_tail_recursion/Zend/zend_execute.h:81
#11 _zval_ptr_dtor (zval_ptr=<optimized out>) at /usr/src/build/php/php-src-zval_mark_grey_tail_recursion/Zend/zend_execute_API.c:426
#12 0x0000000000828cc7 in zend_object_std_dtor (object=0x1570dd8) at /usr/src/build/php/php-src-zval_mark_grey_tail_recursion/Zend/zend_objects.c:54
#13 0x0000000000828cf9 in zend_objects_free_object_storage (object=0x2f) at /usr/src/build/php/php-src-zval_mark_grey_tail_recursion/Zend/zend_objects.c:137
#14 0x000000000082eb1b in zend_objects_store_del_ref_by_handle_ex (handle=<optimized out>, handlers=<optimized out>)
at /usr/src/build/php/php-src-zval_mark_grey_tail_recursion/Zend/zend_objects_API.c:221
#15 0x000000000082eb43 in zend_objects_store_del_ref (zobject=0x1570d48)
at /usr/src/build/php/php-src-zval_mark_grey_tail_recursion/Zend/zend_objects_API.c:173
#16 0x00000000007f60f8 in _zval_dtor (zvalue=<optimized out>) at /usr/src/build/php/php-src-zval_mark_grey_tail_recursion/Zend/zend_variables.h:35
#17 i_zval_ptr_dtor (zval_ptr=<optimized out>) at /usr/src/build/php/php-src-zval_mark_grey_tail_recursion/Zend/zend_execute.h:81
#18 _zval_ptr_dtor (zval_ptr=<optimized out>) at /usr/src/build/php/php-src-zval_mark_grey_tail_recursion/Zend/zend_execute_API.c:426
#19 0x0000000000828cc7 in zend_object_std_dtor (object=0x2244070) at /usr/src/build/php/php-src-zval_mark_grey_tail_recursion/Zend/zend_objects.c:54
#20 0x0000000000828cf9 in zend_objects_free_object_storage (object=0x2f) at /usr/src/build/php/php-src-zval_mark_grey_tail_recursion/Zend/zend_objects.c:137
#21 0x000000000082eb1b in zend_objects_store_del_ref_by_handle_ex (handle=<optimized out>, handlers=<optimized out>)
at /usr/src/build/php/php-src-zval_mark_grey_tail_recursion/Zend/zend_objects_API.c:221
#22 0x000000000082eb43 in zend_objects_store_del_ref (zobject=0x2244180)
at /usr/src/build/php/php-src-zval_mark_grey_tail_recursion/Zend/zend_objects_API.c:173
#23 0x00000000007f60f8 in _zval_dtor (zvalue=<optimized out>) at /usr/src/build/php/php-src-zval_mark_grey_tail_recursion/Zend/zend_variables.h:35
#24 i_zval_ptr_dtor (zval_ptr=<optimized out>) at /usr/src/build/php/php-src-zval_mark_grey_tail_recursion/Zend/zend_execute.h:81
#25 _zval_ptr_dtor (zval_ptr=<optimized out>) at /usr/src/build/php/php-src-zval_mark_grey_tail_recursion/Zend/zend_execute_API.c:426
#26 0x0000000000828cc7 in zend_object_std_dtor (object=0x1570dd8) at /usr/src/build/php/php-src-zval_mark_grey_tail_recursion/Zend/zend_objects.c:54
#27 0x0000000000828cf9 in zend_objects_free_object_storage (object=0x2f) at /usr/src/build/php/php-src-zval_mark_grey_tail_recursion/Zend/zend_objects.c:137
#28 0x000000000082eb1b in zend_objects_store_del_ref_by_handle_ex (handle=<optimized out>, handlers=<optimized out>)
at /usr/src/build/php/php-src-zval_mark_grey_tail_recursion/Zend/zend_objects_API.c:221
#29 0x000000000082eb43 in zend_objects_store_del_ref (zobject=0x1570d48)
at /usr/src/build/php/php-src-zval_mark_grey_tail_recursion/Zend/zend_objects_API.c:173
#30 0x00000000007f60f8 in _zval_dtor (zvalue=<optimized out>) at /usr/src/build/php/php-src-zval_mark_grey_tail_recursion/Zend/zend_variables.h:35
#31 i_zval_ptr_dtor (zval_ptr=<optimized out>) at /usr/src/build/php/php-src-zval_mark_grey_tail_recursion/Zend/zend_execute.h:81
#32 _zval_ptr_dtor (zval_ptr=<optimized out>) at /usr/src/build/php/php-src-zval_mark_grey_tail_recursion/Zend/zend_execute_API.c:426
#33 0x0000000000828cc7 in zend_object_std_dtor (object=0x2244070) at /usr/src/build/php/php-src-zval_mark_grey_tail_recursion/Zend/zend_objects.c:54
#34 0x0000000000828cf9 in zend_objects_free_object_storage (object=0x2f) at /usr/src/build/php/php-src-zval_mark_grey_tail_recursion/Zend/zend_objects.c:137
#35 0x000000000082eb1b in zend_objects_store_del_ref_by_handle_ex (handle=<optimized out>, handlers=<optimized out>)
at /usr/src/build/php/php-src-zval_mark_grey_tail_recursion/Zend/zend_objects_API.c:221
#36 0x000000000082eb43 in zend_objects_store_del_ref (zobject=0x2244180)
at /usr/src/build/php/php-src-zval_mark_grey_tail_recursion/Zend/zend_objects_API.c:173
#37 0x00000000007f60f8 in _zval_dtor (zvalue=<optimized out>) at /usr/src/build/php/php-src-zval_mark_grey_tail_recursion/Zend/zend_variables.h:35
#38 i_zval_ptr_dtor (zval_ptr=<optimized out>) at /usr/src/build/php/php-src-zval_mark_grey_tail_recursion/Zend/zend_execute.h:81
#39 _zval_ptr_dtor (zval_ptr=<optimized out>) at /usr/src/build/php/php-src-zval_mark_grey_tail_recursion/Zend/zend_execute_API.c:426
#40 0x0000000000828cc7 in zend_object_std_dtor (object=0x1570dd8) at /usr/src/build/php/php-src-zval_mark_grey_tail_recursion/Zend/zend_objects.c:54
#41 0x0000000000828cf9 in zend_objects_free_object_storage (object=0x2f) at /usr/src/build/php/php-src-zval_mark_grey_tail_recursion/Zend/zend_objects.c:137
#42 0x000000000082eb1b in zend_objects_store_del_ref_by_handle_ex (handle=<optimized out>, handlers=<optimized out>)
at /usr/src/build/php/php-src-zval_mark_grey_tail_recursion/Zend/zend_objects_API.c:221
#43 0x000000000082eb43 in zend_objects_store_del_ref (zobject=0x1570d48)
at /usr/src/build/php/php-src-zval_mark_grey_tail_recursion/Zend/zend_objects_API.c:173
#44 0x00000000007f60f8 in _zval_dtor (zvalue=<optimized out>) at /usr/src/build/php/php-src-zval_mark_grey_tail_recursion/Zend/zend_variables.h:35
#45 i_zval_ptr_dtor (zval_ptr=<optimized out>) at /usr/src/build/php/php-src-zval_mark_grey_tail_recursion/Zend/zend_execute.h:81
#46 _zval_ptr_dtor (zval_ptr=<optimized out>) at /usr/src/build/php/php-src-zval_mark_grey_tail_recursion/Zend/zend_execute_API.c:426
@ircmaxell

This looks exceedingly interesting... Can you run it in GDB again, and when it breaks, move the frame up to zend_objects_store_del_ref_by_handle_ex (if it doesn't stop there). Then, run:

print *(*(zend_object*)executor_globals.objects_store.object_buckets[3].bucket.obj.object).ce

Replacing the 3 with the handle= value from the frame (the example above would be 47)...

Then could you paste back here the entry?

I think I've traced it to a bug with a double-destruction of an object (which calls the destructor once, but then winds up infinitely recursing over itself)... Considering that the above is calling the free_object_storage API with the same object each time, there's a clue...

Thanks!

@odoucet

odoucet commented Jun 17, 2013

Program received signal SIGSEGV, Segmentation fault.
zend_objects_store_del_ref_by_handle_ex (handle=47, handlers=0x101b440)
    at /usr/src/build/php/php-src-zval_mark_grey_tail_recursion/Zend/zend_objects_API.c:183
(gdb) print *(*(zend_object*)executor_globals.objects_store.object_buckets[47].bucket.obj.object).ce
$1 = {type = 2 '\002', name = 0x7fffed4890d0 "Mage_Core_Helper_Data", name_length = 21, parent = 0x157fdf0, refcount = 2, ce_flags = 9437184,
  function_table = {nTableSize = 64, nTableMask = 63, nNumOfElements = 60, nNextFreeElement = 0, pInternalPointer = 0x1574ab8, pListHead = 0x1574ab8,
    pListTail = 0x1573388, arBuckets = 0x1580a88, pDestructor = 0x7fada0 <zend_function_dtor>, persistent = 0 '\000', nApplyCount = 0 '\000',
    bApplyProtection = 1 '\001'}, properties_info = {nTableSize = 8, nTableMask = 7, nNumOfElements = 5, nNextFreeElement = 0,
    pInternalPointer = 0x1578638, pListHead = 0x1578638, pListTail = 0x1584a28, arBuckets = 0x1580968,
    pDestructor = 0x7ffff3e43eb0 <zend_destroy_property_info>, persistent = 0 '\000', nApplyCount = 0 '\000', bApplyProtection = 1 '\001'},
  default_properties_table = 0x1547988, default_static_members_table = 0x0, static_members_table = 0x0, constants_table = {nTableSize = 32,
    nTableMask = 31, nNumOfElements = 19, nNextFreeElement = 0, pInternalPointer = 0x1547f38, pListHead = 0x1547f38, pListTail = 0x1574ee0,
    arBuckets = 0x157a8e0, pDestructor = 0x7f60a0 <_zval_ptr_dtor>, persistent = 0 '\000', nApplyCount = 0 '\000', bApplyProtection = 1 '\001'},
  default_properties_count = 5, default_static_members_count = 0, constructor = 0x0, destructor = 0x0, clone = 0x0, __get = 0x0, __set = 0x0,
  __unset = 0x0, __isset = 0x0, __call = 0x0, __callstatic = 0x0, __tostring = 0x0, serialize_func = 0x0, unserialize_func = 0x0, iterator_funcs = {
    funcs = 0x0, zf_new_iterator = 0x0, zf_valid = 0x0, zf_current = 0x0, zf_key = 0x0, zf_next = 0x0, zf_rewind = 0x0}, create_object = 0,
  get_iterator = 0, interface_gets_implemented = 0, get_static_method = 0, serialize = 0, unserialize = 0, interfaces = 0x0, num_interfaces = 0,
  traits = 0x0, num_traits = 0, trait_aliases = 0x0, trait_precedences = 0x0, info = {user = {
      filename = 0x7fffee016430 "/home/userobfuscated/app/code/core/Mage/Core/Helper/Data.php", line_start = 32, line_end = 880,
      doc_comment = 0x1576b70 "/**\n * Core data helper\n *\n * @author      Magento Core Team <core@magentocommerce.com>\n */", doc_comment_len = 91},
    internal = {builtin_functions = 0x7fffee016430, module = 0x37000000020}}}

@ircmaxell

Alright, I think I see what's going on here. The Mage_Core_Helper_Data class holds a reference to an Encryptor class, which then holds a reference back to the helper data object.

So what it looks like is happening is that the Mage_Core_Helper_Data object is losing its reference in code (goes out of scope, or whatever).

Previously, there was a bug in the GC that caused an issue at the end... But my patch "fixes" that issue, allowing it to properly identify the circular reference, and send it to be freed.

But there's a bug in the free code that allows for infinite recursion in the free call, which is what looks like is happening here.

There's one more minor change I'd like you to try to see if it fixes this issue. I'm not committing it, as I'd like a test first (before I tie the two together):

Edit Zend/zend_objects_API.c of my zval_mark_grey branch

Find line 218. Prior to that line (but after the if (obj->refcount == 1)), add the following line:

EG(objects_store).object_buckets[handle].valid = 0;

So the end result should look like:

if (obj->refcount == 1) {
    EG(objects_store).object_buckets[handle].valid = 0;
    GC_REMOVE_ZOBJ_FROM_BUFFER(obj);
    if (obj->free_storage) {
        zend_try {

That should prevent the infinite recursion from happening, and hence fix this particular crash.

Can you let me know if it works?

Thanks!
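
To make the re-entrancy Anthony describes concrete, here is an added toy model in C (not Zend Engine code and not from the gist): two objects that reference each other as the helper and encryptor do, an object store whose buckets carry a valid flag, and a del_ref that clears valid either before or after running free_storage. The names toy_bucket, del_ref, run_cycle_free and the handles are constructed for the example, and DEPTH_LIMIT stands in for the C stack that overflows in the real backtraces.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example: a toy model of an object store with per-handle buckets, in the
 * shape of EG(objects_store).object_buckets discussed above. It is NOT Zend
 * Engine code; toy_object, toy_bucket, del_ref and run_cycle_free are
 * hypothetical names chosen for this illustration. */

#define MAX_OBJECTS 8
#define MAX_REFS    4
#define DEPTH_LIMIT 64   /* stand-in for the C stack: past this a real build has crashed */

enum { HELPER = 0, ENCRYPTOR = 1 };   /* constructed handles for the two-object cycle */

typedef struct {
    int refcount;
    int refs[MAX_REFS];  /* handles of objects held in this object's properties */
    int nrefs;
    int freed;           /* how many times free_storage ran on this object */
} toy_object;

typedef struct {
    bool       valid;    /* the bucket flag the proposed one-line change clears early */
    toy_object obj;
} toy_bucket;

static toy_bucket store[MAX_OBJECTS];
static int  depth, max_depth;
static bool overflowed;

static void del_ref(int handle, bool invalidate_first);

/* Models zend_objects_free_object_storage -> zend_object_std_dtor: destroying
 * the property table releases every object this one referenced, which is how
 * control re-enters del_ref from inside a free. */
static void free_storage(int handle, bool invalidate_first)
{
    toy_object *o = &store[handle].obj;
    o->freed++;
    for (int i = 0; i < o->nrefs; i++)
        del_ref(o->refs[i], invalidate_first);
}

/* Models zend_objects_store_del_ref_by_handle_ex. With invalidate_first the
 * bucket is marked invalid before free_storage runs; without it, only after,
 * which lets a cycle re-enter the free for a handle already being freed. */
static void del_ref(int handle, bool invalidate_first)
{
    toy_bucket *b = &store[handle];
    if (++depth > max_depth) max_depth = depth;
    if (depth > DEPTH_LIMIT) { overflowed = true; depth--; return; }
    if (!b->valid) { depth--; return; }          /* already gone: nothing to release */
    if (b->obj.refcount == 1) {
        if (invalidate_first) b->valid = false;  /* the proposed early invalidation */
        free_storage(handle, invalidate_first);
        b->valid = false;                        /* the existing post-free invalidation */
    } else {
        b->obj.refcount--;
    }
    depth--;
}

typedef struct {
    bool overflowed;      /* recursion passed DEPTH_LIMIT, i.e. would have segfaulted */
    int  max_depth;
    int  helper_freed;    /* times free_storage ran on the helper */
    int  encryptor_freed; /* times free_storage ran on the encryptor */
} cycle_result;

/* Build the helper <-> encryptor cycle with one reference each (the external
 * reference to the helper is already gone), hand the helper to the free path
 * as the GC would, and report what happened. */
cycle_result run_cycle_free(bool invalidate_first)
{
    memset(store, 0, sizeof store);
    depth = max_depth = 0;
    overflowed = false;

    store[HELPER]    = (toy_bucket){ .valid = true,
                                     .obj = { .refcount = 1, .refs = { ENCRYPTOR }, .nrefs = 1 } };
    store[ENCRYPTOR] = (toy_bucket){ .valid = true,
                                     .obj = { .refcount = 1, .refs = { HELPER }, .nrefs = 1 } };

    del_ref(HELPER, invalidate_first);

    return (cycle_result){ overflowed, max_depth,
                           store[HELPER].obj.freed, store[ENCRYPTOR].obj.freed };
}

int main(void)
{
    cycle_result before = run_cycle_free(false);
    cycle_result after  = run_cycle_free(true);
    printf("valid cleared after free : overflowed=%d depth=%d helper freed %d times\n",
           before.overflowed, before.max_depth, before.helper_freed);
    printf("valid cleared before free: overflowed=%d depth=%d helper freed %d times\n",
           after.overflowed, after.max_depth, after.helper_freed);
    return 0;
}
```

The model only shows why clearing valid before the free stops this particular recursion; in the thread the change did not resolve the reporter's crash, which moved to a different site.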

@odoucet

odoucet commented Jun 17, 2013

Not working, still segfaults before any output, but not at the same line:

Program received signal SIGSEGV, Segmentation fault.
0x000000000082eb50 in zend_objects_store_del_ref (zobject=0x1570d98)
    at /usr/src/build/php/php-src-zval_mark_grey_tail_recursion/Zend/zend_objects_API.c:176
(gdb) bt
#0  0x000000000082eb50 in zend_objects_store_del_ref (zobject=0x1570d98)
    at /usr/src/build/php/php-src-zval_mark_grey_tail_recursion/Zend/zend_objects_API.c:176
#1  0x0000000000841060 in _zval_dtor (zvalue=<optimized out>) at /usr/src/build/php/php-src-zval_mark_grey_tail_recursion/Zend/zend_variables.h:35
#2  i_zval_ptr_dtor (zval_ptr=<optimized out>) at /usr/src/build/php/php-src-zval_mark_grey_tail_recursion/Zend/zend_execute.h:81
#3  ZEND_JMPNZ_SPEC_VAR_HANDLER (execute_data=0x7ffff7e97428) at /usr/src/build/php/php-src-zval_mark_grey_tail_recursion/Zend/zend_vm_execute.h:12732
#4  0x0000000000874320 in execute_ex (execute_data=0x7ffff7e97428)
    at /usr/src/build/php/php-src-zval_mark_grey_tail_recursion/Zend/zend_vm_execute.h:356
#5  0x0000000000804479 in zend_execute_scripts (type=<optimized out>, retval=<optimized out>, file_count=<optimized out>)
    at /usr/src/build/php/php-src-zval_mark_grey_tail_recursion/Zend/zend.c:1316
#6  0x00000000007a4889 in php_execute_script (primary_file=<optimized out>) at /usr/src/build/php/php-src-zval_mark_grey_tail_recursion/main/main.c:2481
#7  0x00000000008b08e7 in main (argc=<optimized out>, argv=<optimized out>)
    at /usr/src/build/php/php-src-zval_mark_grey_tail_recursion/sapi/cgi/cgi_main.c:2450

@ircmaxell

Hrm, digging through this, I think I'm going to need to reproduce it to get further... If you wouldn't mind doing a few more things, this could be helpful in reproducing the issue:

Once you're paused at the segfault (the most recent one), move up to execute_ex. Then print out the following two lines:

print *execute_data.op_array
print *execute_data.opline

Those two should give you the filename and line number of the currently executed opcode. Now, since the segfault is triggered by the opcode, that implies that it's operating directly on an object. Looking at the ZEND_JMPNZ_SPEC_VAR_HANDLER, it can only really be fired in two places:

  1. the while() part of a do {} while($foo) loop
  2. The first branch of an || or or construct

Considering the second is a lot more common, that's what I'd expect to see here.

When you find that "line", can you edit the line before and var_dump the variable that's there? It should be an object of some sort...

Of course this could just be chasing the rabbit down its hole...

Thanks again!

Anthony

@ircmaxell

Digging through it some more, it's not even worth it. The GC needs a direct recursive parser, so my technique won't work there. But I am working through some other tests, and will let you know if I come across anything else...

Thanks for the help!

Anthony

@odoucet

odoucet commented Jun 17, 2013

Thank you for your help, Anthony! This bug is very difficult to reproduce (it needs a whole install of Magento, with many products, etc.). I'm available to test any patch you may provide.

@ircmaxell

Alright, I've got another one for you to try... Could you give this branch: gc_lock_on_dtor a shot? It should alleviate the original problem, but may result in a memory leak (not sure, it shouldn't, but it's possible)... Either way, the segfault should be gone (with any luck)...

@odoucet

odoucet commented Jun 18, 2013

Segfault again :( after page output (like the original behaviour with 5.5.0rc1).

Program received signal SIGSEGV, Segmentation fault.
zval_mark_grey (pz=0x13cab58) at /usr/src/build/php/php-src-gc_lock_on_dtor/Zend/zend_gc.c:408

(gdb) bt
#0  zval_mark_grey (pz=0x13cab58) at /usr/src/build/php/php-src-gc_lock_on_dtor/Zend/zend_gc.c:408
#1  0x0000000000824e85 in zval_mark_grey (pz=0x13cab58) at /usr/src/build/php/php-src-gc_lock_on_dtor/Zend/zend_gc.c:452
#2  0x0000000000825d95 in gc_mark_roots () at /usr/src/build/php/php-src-gc_lock_on_dtor/Zend/zend_gc.c:521
#3  gc_collect_cycles () at /usr/src/build/php/php-src-gc_lock_on_dtor/Zend/zend_gc.c:820
#4  0x00000000007f6218 in _zval_dtor (zvalue=<optimized out>) at /usr/src/build/php/php-src-gc_lock_on_dtor/Zend/zend_variables.h:35
#5  i_zval_ptr_dtor (zval_ptr=<optimized out>) at /usr/src/build/php/php-src-gc_lock_on_dtor/Zend/zend_execute.h:81
#6  _zval_ptr_dtor (zval_ptr=<optimized out>) at /usr/src/build/php/php-src-gc_lock_on_dtor/Zend/zend_execute_API.c:426
#7  0x00000000008291e7 in zend_object_std_dtor (object=0x1f99150) at /usr/src/build/php/php-src-gc_lock_on_dtor/Zend/zend_objects.c:54
#8  0x0000000000829219 in zend_objects_free_object_storage (object=0x13cab58)
    at /usr/src/build/php/php-src-gc_lock_on_dtor/Zend/zend_objects.c:137
#9  0x000000000082eb68 in zend_objects_store_free_object_storage (objects=0x103afc0)
    at /usr/src/build/php/php-src-gc_lock_on_dtor/Zend/zend_objects_API.c:92
#10 0x00000000007f8e23 in shutdown_executor () at /usr/src/build/php/php-src-gc_lock_on_dtor/Zend/zend_execute_API.c:293
#11 0x0000000000805d22 in zend_deactivate () at /usr/src/build/php/php-src-gc_lock_on_dtor/Zend/zend.c:939
#12 0x00000000007a524c in php_request_shutdown (dummy=<optimized out>) at /usr/src/build/php/php-src-gc_lock_on_dtor/main/main.c:1800
#13 0x00000000008b0e4c in main (argc=<optimized out>, argv=<optimized out>)
    at /usr/src/build/php/php-src-gc_lock_on_dtor/sapi/cgi/cgi_main.c:2501

@odoucet

odoucet commented Jun 18, 2013

(Is there any way to be notified on gist when there is a new comment?)

@ircmaxell

Ok, one last try... Can you give this branch a try: https://github.com/ircmaxell/php-src/tree/gc_deactivate_on_shutdown

It disables the garbage collector on shutdown (forever), so it should prevent this issue in the first place...

@odoucet

odoucet commented Jun 19, 2013

I can confirm that with this specific branch, everything is OK \o/ (page output and no segfault at the end).

@ircmaxell

FYI: I made a post to internals discussing this fix, which we hopefully can get into core before long (at least 5.4 and 5.5, possibly 5.3): http://news.php.net/php.internals/67735

@ircmaxell

As a hot-fix, you could theoretically try:

register_shutdown_function('gc_disable');

That should fix it as well without the core patch...

@odoucet

odoucet commented Jun 19, 2013

I confirm that your hotfix is working :)

@ircmaxell

Yay! That validates this approach!

Thanks, and we'll see if the actual fix can get in as well :-D

@odoucet

odoucet commented Jun 19, 2013

I'm absolutely not familiar with PHP internals, but could disabling the garbage collector have an impact on php-fpm (or any fastcgi implementation)?

@zendtech

It depends on the application. Of course it's better to fix the problem in the right way.
I may take a look into it if you provide a way to reproduce it.

@odoucet

odoucet commented Jun 20, 2013

I'll try to package the application to have a reproducible code within today.

@odoucet

odoucet commented Jun 20, 2013

Update: it's too difficult to provide reproducible code. A default install of Magento (with sample data) does not segfault, so it would need a specific database version, and mine has sensitive information. If you provide me tests, branches or anything, I can be very effective and test everything fast.

@ircmaxell

GDI. Gist keeps losing my comments.

Can you please try again using this branch: https://github.com/ircmaxell/php-src/tree/invalidate_object_on_dtor

As far as disabling the GC, it won't cause any issues. This is disabling it after destructors are run, so it's literally impossible for it to have an effect on the application (considering 3 steps later the memory is all nuked from orbit using a giant efree().)

But this new branch is a different approach that attempts to solve the problem at the root instead of just turning it off...

@odoucet

odoucet commented Jun 20, 2013

Segfault again.

zval_mark_grey (pz=0x13c1ee0) at /usr/src/build/php/php-src-invalidate_object_on_dtor/Zend/zend_gc.c:388
388     /usr/src/build/php/php-src-invalidate_object_on_dtor/Zend/zend_gc.c: No such file or directory.
(gdb) bt
#0  zval_mark_grey (pz=0x13c1ee0) at /usr/src/build/php/php-src-invalidate_object_on_dtor/Zend/zend_gc.c:388
#1  0x0000000000824dd5 in zval_mark_grey (pz=0x13c1ee0) at /usr/src/build/php/php-src-invalidate_object_on_dtor/Zend/zend_gc.c:432
#2  0x0000000000825cf5 in gc_mark_roots () at /usr/src/build/php/php-src-invalidate_object_on_dtor/Zend/zend_gc.c:501
#3  gc_collect_cycles () at /usr/src/build/php/php-src-invalidate_object_on_dtor/Zend/zend_gc.c:795
#4  0x0000000000826080 in gc_zval_possible_root (zv=<optimized out>)
    at /usr/src/build/php/php-src-invalidate_object_on_dtor/Zend/zend_gc.c:166
#5  0x00000000008130a0 in zend_hash_destroy (ht=0x428e968) at /usr/src/build/php/php-src-invalidate_object_on_dtor/Zend/zend_hash.c:536
#6  0x00000000008049bd in _zval_dtor_func (zvalue=0x44db0d8)
    at /usr/src/build/php/php-src-invalidate_object_on_dtor/Zend/zend_variables.c:45
#7  0x00000000007f61e8 in _zval_dtor (zvalue=<optimized out>)
    at /usr/src/build/php/php-src-invalidate_object_on_dtor/Zend/zend_variables.h:35
#8  i_zval_ptr_dtor (zval_ptr=<optimized out>) at /usr/src/build/php/php-src-invalidate_object_on_dtor/Zend/zend_execute.h:81
#9  _zval_ptr_dtor (zval_ptr=<optimized out>) at /usr/src/build/php/php-src-invalidate_object_on_dtor/Zend/zend_execute_API.c:426
#10 0x00000000008130a0 in zend_hash_destroy (ht=0x428c368) at /usr/src/build/php/php-src-invalidate_object_on_dtor/Zend/zend_hash.c:536
#11 0x00000000008049bd in _zval_dtor_func (zvalue=0x48780b0)
    at /usr/src/build/php/php-src-invalidate_object_on_dtor/Zend/zend_variables.c:45
#12 0x00000000007f61e8 in _zval_dtor (zvalue=<optimized out>)
    at /usr/src/build/php/php-src-invalidate_object_on_dtor/Zend/zend_variables.h:35
#13 i_zval_ptr_dtor (zval_ptr=<optimized out>) at /usr/src/build/php/php-src-invalidate_object_on_dtor/Zend/zend_execute.h:81
#14 _zval_ptr_dtor (zval_ptr=<optimized out>) at /usr/src/build/php/php-src-invalidate_object_on_dtor/Zend/zend_execute_API.c:426
#15 0x0000000000829117 in zend_object_std_dtor (object=0x23b7248)
    at /usr/src/build/php/php-src-invalidate_object_on_dtor/Zend/zend_objects.c:54
#16 0x0000000000829149 in zend_objects_free_object_storage (object=0x13c1ee0)
    at /usr/src/build/php/php-src-invalidate_object_on_dtor/Zend/zend_objects.c:137
#17 0x000000000082ef63 in zend_objects_store_del_ref_by_handle_ex (handle=<optimized out>, handlers=<optimized out>)
    at /usr/src/build/php/php-src-invalidate_object_on_dtor/Zend/zend_objects_API.c:223
#18 0x000000000082ef83 in zend_objects_store_del_ref (zobject=0x354f848)
    at /usr/src/build/php/php-src-invalidate_object_on_dtor/Zend/zend_objects_API.c:173
#19 0x00000000007f61e8 in _zval_dtor (zvalue=<optimized out>)
    at /usr/src/build/php/php-src-invalidate_object_on_dtor/Zend/zend_variables.h:35
#20 i_zval_ptr_dtor (zval_ptr=<optimized out>) at /usr/src/build/php/php-src-invalidate_object_on_dtor/Zend/zend_execute.h:81
#21 _zval_ptr_dtor (zval_ptr=<optimized out>) at /usr/src/build/php/php-src-invalidate_object_on_dtor/Zend/zend_execute_API.c:426
#22 0x0000000000829117 in zend_object_std_dtor (object=0x1f982e0)
    at /usr/src/build/php/php-src-invalidate_object_on_dtor/Zend/zend_objects.c:54
#23 0x0000000000829149 in zend_objects_free_object_storage (object=0x13c1ee0)
    at /usr/src/build/php/php-src-invalidate_object_on_dtor/Zend/zend_objects.c:137
#24 0x000000000082ea98 in zend_objects_store_free_object_storage (objects=0x103af40)
    at /usr/src/build/php/php-src-invalidate_object_on_dtor/Zend/zend_objects_API.c:92
#25 0x00000000007f8df3 in shutdown_executor () at /usr/src/build/php/php-src-invalidate_object_on_dtor/Zend/zend_execute_API.c:293
#26 0x0000000000805c92 in zend_deactivate () at /usr/src/build/php/php-src-invalidate_object_on_dtor/Zend/zend.c:939
#27 0x00000000007a523c in php_request_shutdown (dummy=<optimized out>)
    at /usr/src/build/php/php-src-invalidate_object_on_dtor/main/main.c:1800
#28 0x00000000008b0d6c in main (argc=<optimized out>, argv=<optimized out>)
    at /usr/src/build/php/php-src-invalidate_object_on_dtor/sapi/cgi/cgi_main.c:2501

@odoucet

odoucet commented Jun 20, 2013

I've uploaded the core dump and php binary here: https://www.dropbox.com/sh/0mmpv63jzqeu2d6/6lFFkceMR_

@ircmaxell

I've updated the patch to move the check up a bit in the GC... Can you try again (hopefully last time)...

@odoucet

odoucet commented Jun 20, 2013

0x0000000000824ee5 in zval_mark_grey (pz=0x13cab58) at /usr/src/build/php/php-src-invalidate_object_on_dtor/Zend/zend_gc.c:382
382     /usr/src/build/php/php-src-invalidate_object_on_dtor/Zend/zend_gc.c: No such file or directory.
(gdb) bt
#0  0x0000000000824ee5 in zval_mark_grey (pz=0x13cab58) at /usr/src/build/php/php-src-invalidate_object_on_dtor/Zend/zend_gc.c:382
#1  0x0000000000824fd5 in zval_mark_grey (pz=0x13cab58) at /usr/src/build/php/php-src-invalidate_object_on_dtor/Zend/zend_gc.c:430
#2  0x0000000000825cad in gc_mark_roots () at /usr/src/build/php/php-src-invalidate_object_on_dtor/Zend/zend_gc.c:498
#3  gc_collect_cycles () at /usr/src/build/php/php-src-invalidate_object_on_dtor/Zend/zend_gc.c:788
#4  0x0000000000826090 in gc_zval_possible_root (zv=<optimized out>)
    at /usr/src/build/php/php-src-invalidate_object_on_dtor/Zend/zend_gc.c:166
#5  0x00000000008130a0 in zend_hash_destroy (ht=0x42907c0) at /usr/src/build/php/php-src-invalidate_object_on_dtor/Zend/zend_hash.c:536
#6  0x00000000008049bd in _zval_dtor_func (zvalue=0x4595360)
    at /usr/src/build/php/php-src-invalidate_object_on_dtor/Zend/zend_variables.c:45
#7  0x00000000007f61e8 in _zval_dtor (zvalue=<optimized out>)
    at /usr/src/build/php/php-src-invalidate_object_on_dtor/Zend/zend_variables.h:35
#8  i_zval_ptr_dtor (zval_ptr=<optimized out>) at /usr/src/build/php/php-src-invalidate_object_on_dtor/Zend/zend_execute.h:81
#9  _zval_ptr_dtor (zval_ptr=<optimized out>) at /usr/src/build/php/php-src-invalidate_object_on_dtor/Zend/zend_execute_API.c:426
#10 0x00000000008130a0 in zend_hash_destroy (ht=0x428e1c0) at /usr/src/build/php/php-src-invalidate_object_on_dtor/Zend/zend_hash.c:536
#11 0x00000000008049bd in _zval_dtor_func (zvalue=0x4878988)
    at /usr/src/build/php/php-src-invalidate_object_on_dtor/Zend/zend_variables.c:45
#12 0x00000000007f61e8 in _zval_dtor (zvalue=<optimized out>)
    at /usr/src/build/php/php-src-invalidate_object_on_dtor/Zend/zend_variables.h:35
#13 i_zval_ptr_dtor (zval_ptr=<optimized out>) at /usr/src/build/php/php-src-invalidate_object_on_dtor/Zend/zend_execute.h:81
#14 _zval_ptr_dtor (zval_ptr=<optimized out>) at /usr/src/build/php/php-src-invalidate_object_on_dtor/Zend/zend_execute_API.c:426
#15 0x0000000000829127 in zend_object_std_dtor (object=0x1fe5b40)
    at /usr/src/build/php/php-src-invalidate_object_on_dtor/Zend/zend_objects.c:54
#16 0x0000000000829159 in zend_objects_free_object_storage (object=0x13cab58)
    at /usr/src/build/php/php-src-invalidate_object_on_dtor/Zend/zend_objects.c:137
#17 0x000000000082ef73 in zend_objects_store_del_ref_by_handle_ex (handle=<optimized out>, handlers=<optimized out>)
    at /usr/src/build/php/php-src-invalidate_object_on_dtor/Zend/zend_objects_API.c:223
#18 0x000000000082ef93 in zend_objects_store_del_ref (zobject=0x3550ba8)
    at /usr/src/build/php/php-src-invalidate_object_on_dtor/Zend/zend_objects_API.c:173
#19 0x00000000007f61e8 in _zval_dtor (zvalue=<optimized out>)
    at /usr/src/build/php/php-src-invalidate_object_on_dtor/Zend/zend_variables.h:35
#20 i_zval_ptr_dtor (zval_ptr=<optimized out>) at /usr/src/build/php/php-src-invalidate_object_on_dtor/Zend/zend_execute.h:81
#21 _zval_ptr_dtor (zval_ptr=<optimized out>) at /usr/src/build/php/php-src-invalidate_object_on_dtor/Zend/zend_execute_API.c:426
#22 0x0000000000829127 in zend_object_std_dtor (object=0x1f985d0)
    at /usr/src/build/php/php-src-invalidate_object_on_dtor/Zend/zend_objects.c:54
#23 0x0000000000829159 in zend_objects_free_object_storage (object=0x13cab58)
    at /usr/src/build/php/php-src-invalidate_object_on_dtor/Zend/zend_objects.c:137
#24 0x000000000082eaa8 in zend_objects_store_free_object_storage (objects=0x103af60)
    at /usr/src/build/php/php-src-invalidate_object_on_dtor/Zend/zend_objects_API.c:92
#25 0x00000000007f8df3 in shutdown_executor () at /usr/src/build/php/php-src-invalidate_object_on_dtor/Zend/zend_execute_API.c:293
#26 0x0000000000805c92 in zend_deactivate () at /usr/src/build/php/php-src-invalidate_object_on_dtor/Zend/zend.c:939
#27 0x00000000007a523c in php_request_shutdown (dummy=<optimized out>)
    at /usr/src/build/php/php-src-invalidate_object_on_dtor/main/main.c:1800
#28 0x00000000008b0d7c in main (argc=<optimized out>, argv=<optimized out>)
    at /usr/src/build/php/php-src-invalidate_object_on_dtor/sapi/cgi/cgi_main.c:2501

@odoucet

odoucet commented Jun 20, 2013

With commit e5a9be2e49:

Program received signal SIGSEGV, Segmentation fault.
0x000000000082c055 in zval_mark_grey (pz=0x13cb4e0) at /usr/src/build/php/php-src/Zend/zend_gc.c:382
(gdb) backtrace full
#0  0x000000000082c055 in zval_mark_grey (pz=0x13cb4e0) at /usr/src/build/php/php-src/Zend/zend_gc.c:382
        p = 0x1398fc0
#1  0x000000000082c145 in zval_mark_grey (pz=0x13cb4e0) at /usr/src/build/php/php-src/Zend/zend_gc.c:430
        p = 0x1398fc0
#2  0x000000000082ce1d in gc_mark_roots () at /usr/src/build/php/php-src/Zend/zend_gc.c:498
        current = 0x7ffff7e73cd0
#3  gc_collect_cycles () at /usr/src/build/php/php-src/Zend/zend_gc.c:788
        p = 0x1043ae0
        q = <optimized out>
        orig_free_list = <optimized out>
        orig_next_to_free = <optimized out>
        count = <optimized out>
#4  0x000000000082d200 in gc_zval_possible_root (zv=<optimized out>) at /usr/src/build/php/php-src/Zend/zend_gc.c:166
        newRoot = 0x80006398d630
#5  0x000000000081a210 in zend_hash_destroy (ht=0x4298d60) at /usr/src/build/php/php-src/Zend/zend_hash.c:536
        p = 0x52e48d8
#6  0x000000000080bb2d in _zval_dtor_func (zvalue=0x46e4448) at /usr/src/build/php/php-src/Zend/zend_variables.c:45
No locals.
#7  0x00000000007fd358 in _zval_dtor (zvalue=<optimized out>) at /usr/src/build/php/php-src/Zend/zend_variables.h:35
No locals.
#8  i_zval_ptr_dtor (zval_ptr=<optimized out>) at /usr/src/build/php/php-src/Zend/zend_execute.h:81
No locals.
#9  _zval_ptr_dtor (zval_ptr=<optimized out>) at /usr/src/build/php/php-src/Zend/zend_execute_API.c:426
No locals.
#10 0x000000000081a210 in zend_hash_destroy (ht=0x4296760) at /usr/src/build/php/php-src/Zend/zend_hash.c:536
        p = 0x0
#11 0x000000000080bb2d in _zval_dtor_func (zvalue=0x4880d60) at /usr/src/build/php/php-src/Zend/zend_variables.c:45
No locals.
#12 0x00000000007fd358 in _zval_dtor (zvalue=<optimized out>) at /usr/src/build/php/php-src/Zend/zend_variables.h:35
No locals.
#13 i_zval_ptr_dtor (zval_ptr=<optimized out>) at /usr/src/build/php/php-src/Zend/zend_execute.h:81
No locals.
#14 _zval_ptr_dtor (zval_ptr=<optimized out>) at /usr/src/build/php/php-src/Zend/zend_execute_API.c:426
No locals.
#15 0x0000000000830297 in zend_object_std_dtor (object=0x1feeeb0) at /usr/src/build/php/php-src/Zend/zend_objects.c:54
        i = 2
#16 0x00000000008302c9 in zend_objects_free_object_storage (object=0x13cb4e0) at /usr/src/build/php/php-src/Zend/zend_objects.c:137
No locals.
#17 0x00000000008360e3 in zend_objects_store_del_ref_by_handle_ex (handle=<optimized out>, handlers=<optimized out>)
    at /usr/src/build/php/php-src/Zend/zend_objects_API.c:222
        __orig_bailout = 0x7fffffffdc00
        __bailout = {{__jmpbuf = {140737154143856, 7275734198484622543, 152, 0, 140737488350355, 1, -7275734197326553905,
              7275733091453918415}, __mask_was_saved = 0, __saved_mask = {__val = {8278659, 37319544, 37308072, 128, 8278659, 216,
                8278659, 112, 8278659, 37488040, 33532248, 680, 8278659, 48, 8278659, 2864}}}}
        obj = 0x7fffec145678
        failure = 0
#18 0x0000000000836103 in zend_objects_store_del_ref (zobject=0x3556a58) at /usr/src/build/php/php-src/Zend/zend_objects_API.c:172
        handle = 20755680
#19 0x00000000007fd358 in _zval_dtor (zvalue=<optimized out>) at /usr/src/build/php/php-src/Zend/zend_variables.h:35
No locals.
#20 i_zval_ptr_dtor (zval_ptr=<optimized out>) at /usr/src/build/php/php-src/Zend/zend_execute.h:81
No locals.
#21 _zval_ptr_dtor (zval_ptr=<optimized out>) at /usr/src/build/php/php-src/Zend/zend_execute_API.c:426
No locals.
#22 0x0000000000830297 in zend_object_std_dtor (object=0x1fa31d0) at /usr/src/build/php/php-src/Zend/zend_objects.c:54
        i = 19
#23 0x00000000008302c9 in zend_objects_free_object_storage (object=0x13cb4e0) at /usr/src/build/php/php-src/Zend/zend_objects.c:137
No locals.
#24 0x0000000000835c18 in zend_objects_store_free_object_storage (objects=0x1043e80)
    at /usr/src/build/php/php-src/Zend/zend_objects_API.c:92
        i = 392
#25 0x00000000007fff63 in shutdown_executor () at /usr/src/build/php/php-src/Zend/zend_execute_API.c:293
        __bailout = {{__jmpbuf = {17054432, 7275733101346577615, 140737488350355, 0, 140737488350355, 1, -7275734197278319409,
              7275733747685547215}, __mask_was_saved = 0, __saved_mask = {__val = {7275733853810613455, 32, 8278659, 32, 8278659, 184,
                140737286049376, 21133808, 140737286049376, 104, 17054168, 1, 140737488350355, 0, 8433742, 17054080}}}}
#26 0x000000000080ce02 in zend_deactivate () at /usr/src/build/php/php-src/Zend/zend.c:939
No locals.
#27 0x00000000007ac3ac in php_request_shutdown (dummy=<optimized out>) at /usr/src/build/php/php-src/main/main.c:1800
        report_memleaks = 1 '\001'
#28 0x00000000008b7eec in main (argc=<optimized out>, argv=<optimized out>) at /usr/src/build/php/php-src/sapi/cgi/cgi_main.c:2501
        __bailout = {{__jmpbuf = {0, 7275736378235706575, 17022496, 0, 1, 43, -7275734197414634289, 7275733022379629775},
            __mask_was_saved = 0, __saved_mask = {__val = {140737351951257, 0, 140737351949442, 140733193388032, 140737488347552, 1,
                140737352919840, 140737488347888, 25, 21, 140737351950416, 23, 140737488347912, 140737282571452, 0, 140737488347552}}}}
        free_query_string = 0
        exit_status = 0
        cgi = 1
        c = <optimized out>
        i = -4973
        len = <optimized out>
        file_handle = {type = ZEND_HANDLE_MAPPED, filename = 0x7ffff7e94040 "8\343\235\t", opened_path = 0x0, handle = {fd = -135509520,
            fp = 0x7ffff7ec49f0, stream = {handle = 0x7ffff7ec49f0, isatty = 0, mmap = {len = 3018, pos = 0, map = 0x0,
                buf = 0x7ffff7ff9000 <Address 0x7ffff7ff9000 out of bounds>, old_handle = 0x0, old_closer = 0},
              reader = 0x7c49a0 <_php_stream_read>, fsizer = 0x7acbf0 <php_zend_stream_fsizer>,
              closer = 0x7acbe0 <php_zend_stream_mmap_closer>}}, free_filename = 0 '\000'}
        s = 0x7fffffffec93 "index.php"
        behavior = -4973
        no_headers = -4973
        orig_optind = 1
        orig_optarg = 0x0
        script_file = <optimized out>
        ini_entries_len = <optimized out>
        max_requests = 500
        requests = 0
        fastcgi = 0
        bindpath = 0x0
        fcgi_fd = <optimized out>
        request = 0x0
        repeats = 1
        benchmark = 0
        start = {tv_sec = 0, tv_usec = 4665115}
        end = {tv_sec = 1, tv_usec = 9160448}
        status = 0
        query_string = <optimized out>
        decoded_query_string = <optimized out>
        skip_getopt = 0

odoucet commented Jun 20, 2013

(gdb) print (zval_gc_info) *pz
$1 = {z = {value = {lval = 31337624, dval = 1.5482843440690148e-316, str = {val = 0x1de2c98 "0", len = 20823032}, ht = 0x1de2c98, obj = {
        handle = 31337624, handlers = 0x13dbbf8}}, refcount__gc = 4294967295, type = 5 '\005', is_ref__gc = 0 '\000'}, u = {
    buffered = 0x2, next = 0x2}}

odoucet commented Feb 14, 2014

FYI, same bug with PHP 5.4.25: https://gist.github.com/odoucet/8918221