Hi Rasmus,

Let me know how to reproduce them and I'll try to look into them.

Thanks. Dmitry.

Rasmus Lerdorf wrote:
I'm seeing some GC-related segfaults in current PHP_5_3.  I haven't had
time to dive into it very far.  All I have is a couple of bts and the
request that triggers it, but it is a gallery2 request and there is a
lot of code there.  I'll see if I can get it down to something
manageable.  The first bt is:

Program received signal SIGSEGV, Segmentation fault.
0x00007f4d6b3df8f1 in gc_zval_possible_root (zv=0x232e098) at
/home/rasmus/src/php/php-src/branches/PHP_5_3/Zend/zend_gc.c:143
143                     GC_ZOBJ_CHECK_POSSIBLE_ROOT(zv);
(gdb) bt
#0  0x00007f4d6b3df8f1 in gc_zval_possible_root (zv=0x232e098) at
/home/rasmus/src/php/php-src/branches/PHP_5_3/Zend/zend_gc.c:143
#1  0x00007f4d6b3ce11b in zend_hash_destroy (ht=0x2323e78) at
/home/rasmus/src/php/php-src/branches/PHP_5_3/Zend/zend_hash.c:526
#2  0x00007f4d6b3c14ff in _zval_dtor_func (zvalue=0x232df78) at
/home/rasmus/src/php/php-src/branches/PHP_5_3/Zend/zend_variables.c:43
#3  0x00007f4d6b3b5ccd in _zval_dtor (zval_ptr=0x232df58) at
/home/rasmus/src/php/php-src/branches/PHP_5_3/Zend/zend_variables.h:35
#4  _zval_ptr_dtor (zval_ptr=0x232df58) at
/home/rasmus/src/php/php-src/branches/PHP_5_3/Zend/zend_execute_API.c:435
#5  0x00007f4d6b3ce11b in zend_hash_destroy (ht=0x2323f88) at
/home/rasmus/src/php/php-src/branches/PHP_5_3/Zend/zend_hash.c:526
#6  0x00007f4d6b3c14ff in _zval_dtor_func (zvalue=0x232df28) at
/home/rasmus/src/php/php-src/branches/PHP_5_3/Zend/zend_variables.c:43
#7  0x00007f4d6b3b5ccd in _zval_dtor (zval_ptr=0x23561e8) at
/home/rasmus/src/php/php-src/branches/PHP_5_3/Zend/zend_variables.h:35
#8  _zval_ptr_dtor (zval_ptr=0x23561e8) at
/home/rasmus/src/php/php-src/branches/PHP_5_3/Zend/zend_execute_API.c:435
#9  0x00007f4d6b3ce11b in zend_hash_destroy (ht=0x2323ce0) at
/home/rasmus/src/php/php-src/branches/PHP_5_3/Zend/zend_hash.c:526
#10 0x00007f4d6b3e0e69 in zend_object_std_dtor (object=0x2355790) at
/home/rasmus/src/php/php-src/branches/PHP_5_3/Zend/zend_objects.c:45
#11 0x00007f4d6b3e0e89 in zend_objects_free_object_storage
(object=0x232e098) at
/home/rasmus/src/php/php-src/branches/PHP_5_3/Zend/zend_objects.c:114
#12 0x00007f4d6b3e47c9 in zend_objects_store_del_ref_by_handle_ex
(handle=9, handlers=<value optimized out>)
    at
/home/rasmus/src/php/php-src/branches/PHP_5_3/Zend/zend_objects_API.c:220
#13 0x00007f4d6b3e47e3 in zend_objects_store_del_ref (zobject=0x2342c00)
at /home/rasmus/src/php/php-src/branches/PHP_5_3/Zend/zend_objects_API.c:172
#14 0x00007f4d6b3b5ccd in _zval_dtor (zval_ptr=0x22fe8b8) at
/home/rasmus/src/php/php-src/branches/PHP_5_3/Zend/zend_variables.h:35
#15 _zval_ptr_dtor (zval_ptr=0x22fe8b8) at
/home/rasmus/src/php/php-src/branches/PHP_5_3/Zend/zend_execute_API.c:435
#16 0x00007f4d6b3ce11b in zend_hash_destroy (ht=0x2323bb0) at
/home/rasmus/src/php/php-src/branches/PHP_5_3/Zend/zend_hash.c:526
#17 0x00007f4d6b3e0e69 in zend_object_std_dtor (object=0x22fe990) at
/home/rasmus/src/php/php-src/branches/PHP_5_3/Zend/zend_objects.c:45
#18 0x00007f4d6b3e0e89 in zend_objects_free_object_storage
(object=0x232e098) at
/home/rasmus/src/php/php-src/branches/PHP_5_3/Zend/zend_objects.c:114
#19 0x00007f4d6b3e42fc in zend_objects_store_free_object_storage
(objects=0x7f4d6bb79f58) at
/home/rasmus/src/php/php-src/branches/PHP_5_3/Zend/zend_objects_API.c:92
#20 0x00007f4d6b3b82e5 in shutdown_executor () at
/home/rasmus/src/php/php-src/branches/PHP_5_3/Zend/zend_execute_API.c:298
#21 0x00007f4d6b3c21d2 in zend_deactivate () at
/home/rasmus/src/php/php-src/branches/PHP_5_3/Zend/zend.c:890
#22 0x00007f4d6b36e182 in php_request_shutdown (dummy=<value optimized
out>) at /home/rasmus/src/php/php-src/branches/PHP_5_3/main/main.c:1606

And another:

Program received signal SIGSEGV, Segmentation fault.
zval_mark_grey (pz=0x114f458) at
/home/rasmus/src/php/php-src/branches/PHP_5_3/Zend/zend_gc.c:356
356                                     p = Z_ARRVAL_P(pz)->pListHead;
(gdb) bt
#0  zval_mark_grey (pz=0x114f458) at
/home/rasmus/src/php/php-src/branches/PHP_5_3/Zend/zend_gc.c:356
#1  0x00007f7ef6d57e39 in zval_mark_grey (pz=0x114f458) at
/home/rasmus/src/php/php-src/branches/PHP_5_3/Zend/zend_gc.c:367
#2  0x00007f7ef6d5846d in gc_mark_roots () at
/home/rasmus/src/php/php-src/branches/PHP_5_3/Zend/zend_gc.c:417
#3  gc_collect_cycles () at
/home/rasmus/src/php/php-src/branches/PHP_5_3/Zend/zend_gc.c:628
#4  0x00007f7ef6d3b2a5 in zend_deactivate () at
/home/rasmus/src/php/php-src/branches/PHP_5_3/Zend/zend.c:900
#5  0x00007f7ef6ce7182 in php_request_shutdown (dummy=<value optimized
out>) at /home/rasmus/src/php/php-src/branches/PHP_5_3/main/main.c:1606
#6  0x00007f7ef6dc4f83 in php_apache_request_dtor (r=0xee3148) at
/home/rasmus/src/php/php-src/branches/PHP_5_3/sapi/apache2handler/sapi_apache2.c:493
(gdb) p pz
$1 = (zval *) 0x114f458
(gdb) p *pz
$2 = {value = {lval = 0, dval = 0, str = {val = 0x0, len = 17070608}, ht
= 0x0, obj = {handle = 0, handlers = 0x1047a10}}, refcount__gc =
4294967295, type = 4 '\004',
  is_ref__gc = 0 '\000'

Garbage zval there with a null value.ht, so that Z_ARRVAL_P isn't going
to work.

And another:

Program received signal SIGSEGV, Segmentation fault.
zval_mark_grey (pz=0x1c6e950) at
/home/rasmus/src/php/php-src/branches/PHP_5_3/Zend/zend_gc.c:360
360                             pz = *(zval**)p->pData;
(gdb) bt
#0  zval_mark_grey (pz=0x1c6e950) at
/home/rasmus/src/php/php-src/branches/PHP_5_3/Zend/zend_gc.c:360
#1  0x00007ff6de77246d in gc_mark_roots () at
/home/rasmus/src/php/php-src/branches/PHP_5_3/Zend/zend_gc.c:417
#2  gc_collect_cycles () at
/home/rasmus/src/php/php-src/branches/PHP_5_3/Zend/zend_gc.c:628
#3  0x00007ff6de7552a5 in zend_deactivate () at
/home/rasmus/src/php/php-src/branches/PHP_5_3/Zend/zend.c:900
#4  0x00007ff6de701182 in php_request_shutdown (dummy=<value optimized
out>) at /home/rasmus/src/php/php-src/branches/PHP_5_3/main/main.c:1606
#5  0x00007ff6de7def83 in php_apache_request_dtor (r=0x1368118) at
/home/rasmus/src/php/php-src/branches/PHP_5_3/sapi/apache2handler/sapi_apache2.c:493
#6  php_handler (r=0x1368118) at
/home/rasmus/src/php/php-src/branches/PHP_5_3/sapi/apache2handler/sapi_apache2.c:665
(gdb) p p
$2 = (Bucket *) 0x100000000

Obviously a bogus addr there.

Vanilla PHP_5_3 build from today.  No APC, Suhosin, xdebug or any deep
extensions like that.

With "zend.enable_gc=Off" the segfaults go away, of course.

-Rasmus


--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
