PHP :: Bug #58543 :: Large remote multigets cause segfaults

Bug #58543	Large remote multigets cause segfaults
Submitted:	2009-02-08 23:14 UTC	Modified:	2009-02-27 18:32 UTC
From:	ns03ja at brocku dot ca	Assigned:	mikael (profile)
Status:	Closed	Package:	memcache (PECL)
PHP Version:	5.2.5	OS:	Gentoo Linux
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	ns03ja at brocku dot ca
New email:
PHP Version:		OS:

New/Additional Comment:

[2009-02-08 23:14 UTC] ns03ja at brocku dot ca

Description:
------------
I have 2 machines, both on the same local network (lets call
them server1 and server2), both of which are running
mutually accessible memcached servers. If I run the script
below on server1 and replace remote-server with server1,
segfaults are not observed, and the same goes for server2
connecting to server2. However, if I run the script on
server1 and replace remote-server with server2, then PHP
will segfault on me approximately 50% of the time (sometimes
more, sometimes less), and the same goes for server2
connecting to server1.

Segfaults occur in both CLI and mod_php mode.

The data stored to memcached does not seem to matter (I also
tried a string and an integer in lieu of the array).

What does seem to matter is the number of keys in the
multiget array. If I change the 2000 to 200 in the loop, I
don't get any more segfaults. The magic number seems to be
somewhere between 700 and 800 for me.

I also tried pecl-memcache 2.2.4, which does not have this
problem, while 3.0.1, 3.0.2 and 3.0.3 all exhibit this
problem.

I'm actually using PHP 5.2.8, which isn't in the list for
some reason.

Both machines are running memcached 1.2.6.

Reproduce code:
---------------
<?php
$memcache = new Memcache;
$memcache->addServer("remote-server");

$pids = array();
for ($i = 0; $i < 2000; $i++)
{
	$pids[] = "pid-$i-stats";
	$ar = array(
		"things" => "stuff",
		"thing" => 0.374822
	);
	$memcache->add("pid-$i-stats", $ar);
}

$memcache->get($pids);
print "no crash!\n";
?>


Expected result:
----------------
The code snippet above should never cause a segfault, but
rather (assuming the memcached server is up and running)
should always return the results as stored.

Actual result:
--------------
PHP segfaults approximately half the time.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2009-02-09 03:09 UTC] tony at daylessday dot org

Thank you for this bug report. To properly diagnose the problem, we
need a backtrace to see what is happening behind the scenes. To
find out how to generate a backtrace, please read
http://bugs.php.net/bugs-generating-backtrace.php for *NIX and
http://bugs.php.net/bugs-generating-backtrace-win32.php for Win32

Once you have generated a backtrace, please submit it to this bug
report and change the status back to "Open". Thank you for helping
us make PHP better.

[2009-02-09 19:30 UTC] ns03ja at brocku dot ca

Here's the backtrace:

#0  0x00007fba503c038b in mmc_pool_select ()
   from /usr/lib64/php5/lib/php/extensions/debug-non-
#1  0x00007fba503bfc15 in mmc_pool_schedule_get ()
   from /usr/lib64/php5/lib/php/extensions/debug-non-
#2  0x00007fba503bb10a in zif_memcache_get ()
   from /usr/lib64/php5/lib/php/extensions/debug-non-
#3  0x000000000074cb16 in ?? ()
#4  0x000000000074d990 in ?? ()
#5  0x000000000074c54b in execute ()
#6  0x000000000071fdfe in zend_execute_scripts ()
#7  0x00000000006bd304 in php_execute_script ()
#8  0x00000000007be933 in main ()

I tried peeking into frame 5, but the suggested print
statements didn't produce anything useful:

(gdb) frame 5
#5  0x000000000074c54b in execute ()
(gdb) print (char *)(executor_globals.function_state_ptr-
Attempt to extract a component of a value that is not a
structure.
(gdb) print (char *)executor_globals.active_op_array-
Attempt to extract a component of a value that is not a
structure.
(gdb) print (char *)executor_globals.active_op_array-
Attempt to extract a component of a value that is not a
structure.

Hopefully that's helpful...

[2009-02-10 02:15 UTC] tony at daylessday dot org

Please compile PHP with --enable-debug as described in the backtrace generation how-to and regenerate the bt again.

[2009-02-10 21:17 UTC] ns03ja at brocku dot ca

Oops. I had built with USE=debug, but didn't realize that it
still stripped the resulting binary, I was wondering why
there were no line numbers. Anyways, here's backtrace
version 2.0, now with line numbers!

#0  0x00007fe3c968b38b in mmc_pool_select (pool=0x2a57698,
timeout=0) at /var/tmp/portage/dev-php5/pecl-
#1  0x00007fe3c968ac15 in mmc_pool_schedule_get
(pool=0x2a57698, protocol=1, op=0, zkey=0x2af3330,
value_handler=0x7fe3c9685b61 <mmc_value_handler_multi>,
    value_handler_param=0x7fffd679c950,
failover_handler=0x7fe3c9685d73
<mmc_value_failover_handler>,
failover_handler_param=0x7fffd679c940, failed_request=0x0)
    at /var/tmp/portage/dev-php5/pecl-
#2  0x00007fe3c968610a in zif_memcache_get (ht=1,
return_value=0x2b25128, return_value_ptr=0x0,
this_ptr=0x2a54f08, return_value_used=0)
    at /var/tmp/portage/dev-php5/pecl-
#3  0x00000000006fe659 in zend_do_fcall_common_helper_SPEC
(execute_data=0x7fffd679ce80) at /var/tmp/portage/dev-
#4  0x00000000006ff3c4 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER
(execute_data=0x7fffd679ce80) at /var/tmp/portage/dev-
#5  0x00000000006fe0fc in execute (op_array=0x2a55b50) at
/var/tmp/portage/dev-lang/php-5.2.8-
#6  0x00000000006d5827 in zend_execute_scripts (type=8,
retval=0x0, file_count=3) at /var/tmp/portage/dev-
#7  0x000000000067b500 in php_execute_script
(primary_file=0x7fffd679f4f0) at /var/tmp/portage/dev-
#8  0x000000000076867d in main (argc=2, argv=0x7fffd679f748)
at /var/tmp/portage/dev-lang/php-5.2.8-
(gdb) frame 5
#5  0x00000000006fe0fc in execute (op_array=0x2a55b50) at
/var/tmp/portage/dev-lang/php-5.2.8-
92      /var/tmp/portage/dev-lang/php-5.2.8-
directory.
        in /var/tmp/portage/dev-lang/php-5.2.8-
(gdb) print (char *)(executor_globals.function_state_ptr-
$1 = 0x7fe3c969539f "get"
(gdb) print (char *)executor_globals.active_op_array-
$2 = 0x0
(gdb) print (char *)executor_globals.active_op_array-
$3 = 0x2a54e98 "/home/neil/testm.php"

I should also note that with debugging enabled, the crash
triggers *much* less frequently, about about 1% of the time
it seems.

[2009-02-10 21:21 UTC] ns03ja at brocku dot ca

Gah, the bug tracker is trimming my lines...

Try this: http://otc.dyndns.org/memcache-bt

[2009-02-11 03:56 UTC] tony at daylessday dot org

Mikael, could look at it plz?

[2009-02-17 23:01 UTC] phat_breakz1 at yahoo dot com

I'm glad I'm not the only person having the same issue.

I'm doing a multi-key with an array that has around 3k keys.

What's weird is that when I'm monitoring memcache it begins grabbing keys starting around 2300th key, though it should start at the 1st key.

After it segfaults, when I try to get a key I had previously retrieved at the beginning of the script, it returns Null.

[2009-02-21 03:23 UTC] mikael at synd dot info

This problem is already fixed in CVS I believe, would you mind testing if it indeed solves your problem? You can check out and build a copy like:

cvs -d :pserver:cvsread@cvs.php.net:/repository co -r NON_BLOCKING_IO pecl/memcache 
cd pecl/memcache 
phpize 
./configure 
make && make install

[2009-02-22 11:08 UTC] mikael at synd dot info

Release 3.0.4 is out which incorporates the fix I mentioned, so you can avoid the trouble of building from CVS

//Mikael

[2009-02-27 18:32 UTC] ns03ja at brocku dot ca

I gave 3.0.4 a shot, and this issue appears to be fixed.
Thanks!

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Mon Apr 29 12:01:32 2024 UTC