php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #60935 Constant memory leaking, segfaults
Submitted: 2012-01-30 14:44 UTC Modified: 2013-02-18 00:35 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:0 of 1 (0.0%)
From: vytenis dot darulis at gmail dot com Assigned:
Status: No Feedback Package: Reproducible crash
PHP Version: 5.3.9 OS: Debian testing (kern. 3.2.2)
Private report: No CVE-ID:
Have you experienced this issue?
Rate the importance of this bug to you:

 [2012-01-30 14:44 UTC] vytenis dot darulis at gmail dot com
Description:
------------
Both fpm and apache2 module leak memory constantly in our application, have to 
set max_requests to around 100 to prevent the machine from crashing - server 
memory is overcommited by a factor of 1.5.
Situation was normal in PHP 5.3.6, but it broke in 5.3.8-9 and 5.4 RC6/trunk 
(5.4 was compiled without suhosin).
Currently using PHP 5.3.9-1 packages from dotdeb.org, but can reproduce it on 
latest 5.4.



Jan 30 16:06:55 ns214205 kernel: apache2[30073]: segfault at 7f6ebd094ace ip 
00007f6ebd094ace sp 00007f6e9a82ce78 error 14
Jan 30 16:06:55 ns214205 kernel: apache2[30069]: segfault at 7f6ebd094ace ip 
00007f6ebd094ace sp 00007f6e9c830e78 error 14 in pdo_mysql.so[7f6ebf935000+7000]
Jan 30 16:06:55 ns214205 kernel: in pdo_mysql.so[7f6ebf935000+7000]
Jan 30 16:13:22 ns214205 kernel: apache2[44953]: segfault at 7f6ebd094ace ip 
00007f6ebd094ace sp 00007f6e9de75e78 error 14
Jan 30 16:13:22 ns214205 kernel: apache2[44958]: segfault at 7f6ebd094ace ip 
00007f6ebd094ace sp 00007f6e9b1dfe78 error 14 in 
libgcc_s.so.1[7f6ec05ca000+15000]
Jan 30 16:13:22 ns214205 kernel: in libgcc_s.so.1[7f6ec05ca000+15000]
Jan 30 16:24:21 ns214205 kernel: apache2[3946]: segfault at 7f6ebd094ace ip 
00007f6ebd094ace sp 00007f6e9ca63e78 error 14 in pdo_mysql.so[7f6ebf935000+7000]
Jan 30 16:28:04 ns214205 kernel: apache2[12686]: segfault at 7f6ebd094ace ip 
00007f6ebd094ace sp 00007f6e9de75e78 error 14 in 
libmysqlclient_r.so.16.0.0[7f6ebfd58000+1cf000]

Backtrace of 16:13:22 core dump:
warning: Can't read pathname for load map: Input/output error.
[Thread debugging using libthread_db enabled]
Core was generated by `/usr/sbin/apache2 -k start'.
Program terminated with signal 11, Segmentation fault.
#0  malloc_consolidate (av=0x7f6ec6d7fe60) at malloc.c:5157
5157	malloc.c: No such file or directory.
	in malloc.c
(gdb) bt
#0  malloc_consolidate (av=0x7f6ec6d7fe60) at malloc.c:5157
#1  0x00007f6ec6a73f88 in _int_free (av=0x7f6ec6d7fe60, p=0x7f6ec964ec50) at 
malloc.c:5034
#2  0x00007f6ec6a7738c in *__GI___libc_free (mem=<optimized out>) at 
malloc.c:3738
#3  0x00007f6ec4e88e01 in __zend_mm_shutdown_canary (heap=0x7f6ec93b67a0, 
full_shutdown=1, silent=97) at /tmp/buildd/php5-
5.3.9/Zend/zend_alloc_canary.c:1724
#4  0x00007f6ec4e16b1f in php_module_shutdown () at /tmp/buildd/php5-
5.3.9/main/main.c:2214
#5  0x00007f6ec4e16b99 in php_module_shutdown_wrapper 
(sapi_globals=0x7f6ec6d7fe60) at /tmp/buildd/php5-5.3.9/main/main.c:2169
#6  0x00007f6ec4ef88b1 in php_apache_child_shutdown (tmp=0x7f6ec6d7fe60) at 
/tmp/buildd/php5-5.3.9/sapi/apache2handler/sapi_apache2.c:399
#7  0x00007f6ec6fba8ae in apr_pool_destroy () from /usr/lib/libapr-1.so.0
#8  0x00007f6ec78ae19e in clean_child_exit (code=0) at prefork.c:196
#9  0x00007f6ec78ae58c in child_main (child_num_arg=<optimized out>) at 
prefork.c:692
#10 0x00007f6ec78aec5a in make_child (slot=59, s=0x7f6ec78417f8) at 
prefork.c:768
#11 make_child (s=0x7f6ec78417f8, slot=59) at prefork.c:696
#12 0x00007f6ec78af80f in perform_idle_server_maintenance (p=<optimized out>) at 
prefork.c:903
#13 ap_mpm_run (_pconf=<optimized out>, plog=<optimized out>, s=<optimized out>) 
at prefork.c:1107
#14 0x00007f6ec7884a1a in main (argc=3, argv=0x7fffa6794d28) at main.c:741

(gdb) bt full
#0  malloc_consolidate (av=0x7f6ec6d7fe60) at malloc.c:5157
        fb = 0x7f6ec6d7fe88
        maxfb = 0x7f6ec6d7feb0
        p = 0x7f6ec943f870
        nextp = 0x7f6ec943f810
        unsorted_bin = 0x7f6ec6d7feb8
        first_unsorted = <optimized out>
        nextchunk = 0x7f6ec943f8d0
        size = 96
        nextsize = 176
        prevsize = <optimized out>
        bck = <optimized out>
        fwd = 0x7f6ec95b1600
        __func__ = "malloc_consolidate"
#1  0x00007f6ec6a73f88 in _int_free (av=0x7f6ec6d7fe60, p=0x7f6ec964ec50) at 
malloc.c:5034
        size = 262160
        nextchunk = 0x7f6ec968ec60
        nextsize = 5648
        prevsize = <optimized out>
        bck = <optimized out>
        fwd = 0x61
        errstr = <optimized out>
        __func__ = "_int_free"
#2  0x00007f6ec6a7738c in *__GI___libc_free (mem=<optimized out>) at 
malloc.c:3738
        ar_ptr = 0x7f6ec6d7fe60
        p = 0x61
#3  0x00007f6ec4e88e01 in __zend_mm_shutdown_canary (heap=0x7f6ec93b67a0, 
full_shutdown=1, silent=97) at /tmp/buildd/php5-
5.3.9/Zend/zend_alloc_canary.c:1724
        internal = 0
#4  0x00007f6ec4e16b1f in php_module_shutdown () at /tmp/buildd/php5-
5.3.9/main/main.c:2214
No locals.
#5  0x00007f6ec4e16b99 in php_module_shutdown_wrapper 
(sapi_globals=0x7f6ec6d7fe60) at /tmp/buildd/php5-5.3.9/main/main.c:2169
No locals.
#6  0x00007f6ec4ef88b1 in php_apache_child_shutdown (tmp=0x7f6ec6d7fe60) at 
/tmp/buildd/php5-5.3.9/sapi/apache2handler/sapi_apache2.c:399
No locals.
#7  0x00007f6ec6fba8ae in apr_pool_destroy () from /usr/lib/libapr-1.so.0


Using apc 3.1.9, PDO, PDO Mysql, mongo, imagick, memcached, igbinary, json, 
filter extensions - latest from pecl (if not provided with php). Build is not 
thread-safe. Disabling Mongo, imagick, memcached, igbinary does not seem to help 
the situation in any way.


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2012-01-30 20:38 UTC] felipe@php.net
Please, try disabling suhosin.
 [2012-01-30 20:43 UTC] vytenis dot darulis at gmail dot com
I could easily compile it from source w/o suhosin, but is there an easy way to 
make PHP generate core dumps when using the fast-cgi version?
 [2012-01-31 07:27 UTC] vytenis dot darulis at gmail dot com
Now using vanilla PHP-FPM, still waiting for a core dump but error log is filled 
with:

[31-Jan-2012 09:20:03] WARNING: [pool www] child 10623 said into stderr: "=== 
Total 435 memory leaks detected ==="
[31-Jan-2012 09:20:03] WARNING: [pool www] child 11098 said into stderr: "[Tue 
Jan 31 09:20:03 2012]  Script:  '-'"
[31-Jan-2012 09:20:03] WARNING: [pool www] child 11098 said into stderr: 
"/home/vd/php_exts/apc/APC-3.1.9/apc_zend.c(38) :  Freeing 0x019D3F78 (4 bytes), 
script=-"
[31-Jan-2012 09:20:03] WARNING: [pool www] child 11098 said into stderr: "Last 
leak repeated 323 times"
[31-Jan-2012 09:20:03] WARNING: [pool www] child 11098 said into stderr: "[Tue 
Jan 31 09:20:03 2012]  Script:  '-'"
[31-Jan-2012 09:20:03] WARNING: [pool www] child 11098 said into stderr: 
"/usr/src/php-5.3.9/Zend/zend_hash.c(315) :  Freeing 0x019D7590 (76 bytes), 
script=-"
[31-Jan-2012 09:20:03] WARNING: [pool www] child 11098 said into stderr: "Last 
leak repeated 1 time"
[31-Jan-2012 09:20:03] WARNING: [pool www] child 11098 said into stderr: "[Tue 
Jan 31 09:20:03 2012]  Script:  '-'"
[31-Jan-2012 09:20:03] WARNING: [pool www] child 11098 said into stderr: 
"/home/vd/php_exts/apc/APC-3.1.9/apc_compile.c(1657) :  Freeing 0x019DAB78 (232 
bytes), script=-"
[31-Jan-2012 09:20:03] WARNING: [pool www] child 11098 said into stderr: "Last 
leak repeated 67 times"
[31-Jan-2012 09:20:03] WARNING: [pool www] child 11098 said into stderr: "[Tue 
Jan 31 09:20:03 2012]  Script:  '-'"
[31-Jan-2012 09:20:03] WARNING: [pool www] child 11098 said into stderr: 
"/usr/src/php-5.3.9/Zend/zend_hash.c(851) :  Freeing 0x019DCF68 (232 bytes), 
script=-"
[31-Jan-2012 09:20:03] WARNING: [pool www] child 11098 said into stderr: 
"/usr/src/php-5.3.9/Zend/zend_hash.c(322) : Actual location (location was 
relayed)"
[31-Jan-2012 09:20:03] WARNING: [pool www] child 11098 said into stderr: "Last 
leak repeated 1 time"
[31-Jan-2012 09:20:03] WARNING: [pool www] child 11098 said into stderr: "=== 
Total 396 memory leaks detected ==="


Configure line:
'./configure' '--build=x86_64-linux-gnu' '--prefix=/usr/local' '--enable-fpm' '-
-disable-cgi' '--with-fpm-user=www-data' '--with-fpm-group=www-data' '--with-
config-file-path=/etc/php5/fpm' '--with-config-file-scan-
dir=/etc/php5/fpm/conf.d' '--host=x86_64-linux-gnu' '--sysconfdir=/etc' '--
localstatedir=/var' '--mandir=/usr/share/man' '--enable-debug' '--with-
regex=php' '--with-gd' '--enable-gd-native-ttf' '--disable-rpath' '--disable-
static' '--with-pic' '--with-layout=GNU' '--with-pear=/usr/local/share/php' '--
enable-fileinfo' '--enable-hash' '--enable-json' '--with-bz2' '--enable-ctype' 
'--without-db4' '--without-gdbm' '--with-iconv' '--enable-mbstring' '--with-
onig' '--with-pcre-regex' '--with-mysql-sock=/var/run/mysqld/mysqld.sock' '--
with-mysqli=shared' '--enable-pdo=shared' '--with-pdo-mysql=shared' '--without-
pdo-sqlite' '--enable-sockets' '--with-zlib' '--enable-zip' '--with-mhash=yes' 
'--without-mm' '--without-sybase-ct' '--without-mssql' '--without-sqlite3' '--
without-sqlite' '--with-curl=/usr' '--with-mcrypt' '--disable-calendar' '--
disable-phar' '--disable-tokenizer' '--disable-posix' '--enable-simplexml' '--
disable-dom' '--with-png-dir=/usr/lib/x86_64-linux-gnu/' '--with-jpeg-
dir=/usr/lib/x86_64-linux-gnu/' '--with-freetype-dir' '--with-t1lib'



php.ini:

apc.serializer	igbinary
apc.shm_size	900M	
apc.stat	Off	
apc.include_once_override	Off
apc.canonicalize	Off
 [2012-01-31 11:47 UTC] vytenis dot darulis at gmail dot com
Unable to replicate segfault with the debug build, only gigabytes of memory leak 
reports in logs.
 [2012-01-31 13:15 UTC] pajoye@php.net
zend_mm_shutdown_canary is not something we have in PHP.

Please try using a stock PHP versions, available at 
http://www.php.net/downloads.php.
 [2012-01-31 13:15 UTC] pajoye@php.net
-Status: Open +Status: Feedback
 [2013-02-18 00:35 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Open". Thank you.
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Thu Apr 17 12:01:59 2014 UTC