php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #61576 Zend's Memory Management seems to be completely buggy since 5.4.0
Submitted: 2012-03-30 23:12 UTC Modified: 2012-03-31 01:07 UTC
Votes:1
Avg. Score:4.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: dev at pp3345 dot de Assigned:
Status: Not a bug Package: Scripting Engine problem
PHP Version: 5.4.0 OS: Debian Squeeze
Private report: No CVE-ID: None
View Add Comment Developer Edit
 [2012-03-30 23:12 UTC] dev at pp3345 dot de 
Description:
------------
I'm currently developing an HTTP-Server in PHP ( 
https://github.com/pp3345/Pancake ) which uses the Zend-Extension 
DeepTrace ( https://github.com/NeoXiD/DeepTrace ). Since PHP 5.4 I'm 
experiencing crashs under some circumstances. 
For example, when running typo3 (Version 4.6.6 Blank Package) Pancake's 
PHPWorkers often crash when trying to run 
typo3's installer with strange errors like those:

PHP Fatal error:  Call to undefined function ▒() in 
/var/vhosts/pancake/default/typo3/typo3_src-
4.6.6/typo3/sysext/install/mod/class.tx_install_session.php on line 395 
PHP Fatal error:  Couldn't execute method ▒0/::t3lib_autoloader::autoload in 
Unknown on line 0 
PHP Fatal error:  Allowed memory size of 268435456 bytes exhausted (tried to 
allocate 12624869704 bytes) in 
validpathstr on line 926
PHP Fatal error:  Cannot call overloaded function for non-object in 
/var/vhosts/pancake/default/typo3/typo3_src-
4.6.6/t3lib/config_default.php on line 924 (this line is only trying to run a 
public static function of some class!)

Often they even crash without showing any errors. Another example is Wordpress, 
which crashes only under 1 specific 
(at least I only found 1 till now) circumstance: When trying to run die() when 
trying to delete a comment in the 
adminpanel. Pancake configures DeepTrace to set a user-defined handler for the 
exit-opcode. So then DeepTrace calls 
Pancake's function to handle the exit, which still seems to run fine, but then 
zend_fcall_info_call() causes a crash, 
AFTER executing my handler. This only happens in this specific case under 
Wordpress, I couldn't reproduce it with 
other calls to die(). But I found a way to avoid this crash. Look at these three 
lines of code from Wordpress:

wp-admin/admin-ajax.php line 195
-------------------------------

if ( !$total || !$per_page || !$page || !$url ) {
    	die( (string) time() );
    }

This is the die() that causes the crash. It only crashes if these three lines 
are in EXACTLY this way. So if I for 
example do this:

if ( !$total || !$per_page || !$page || !$url || 
!$some_dummy_that_does_not_even_exist) {
    	die( (string) time() );
    }
or this:

if ( !$total || !$per_page || !$page || !$url ) {
        some_dummy_function_that_does_not_do_anything();
    	die( (string) time() );
    }

it will not crash.

I believe that there is a serious bug in the parser / the memory management that 
causes this strange behaviour.

I tried to use valgrind to find out what exactly is causing the crashs:
http://dev.pp3345.de/valgrind_pancake_crash.txt

As you can see, Zend causes a lot of errors including a General Protection Fault 
and it tries to access memory 
addresses that don't even exist.

These problems seem to be reproducible as it will also crash with similar errors 
on other machines with Pancake and 
this configuration. Anyway, I was unable to find a way to reproduce it outside 
Pancake and I'm really sorry for that.

I commited the current version of Pancake but please be aware that the delivered 
version of DeepTrace is outdated so 
you'll probably need to compile it again yourself.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2012-03-30 23:22 UTC] rasmus@php.net 
And if you disable DeepTrace can you reproduce this? The memory management is 
obviously not completely buggy as it works fine for a whole lot of people and as 
your Valgrind shows right at the top:

==3187== Invalid read of size 1
==3187==    at 0x8E25081: zif_dt_remove_constant (DeepTrace_constants.c:74)

there are memory issues in the DeepTrace extension, so I suspect that DeepTrace 
has not been updated to support 5.4 properly.
 [2012-03-30 23:30 UTC] dev at pp3345 dot de 
These problems also occured with DeepTrace 1.2, which was completely free of any 
leaks or memory issues. 1.3 is a complete recode which mainly adds some features 
to remove interfaces. I know the developer of DeepTrace and I was working with him 
to track down and fix all memory issues. Pancake will also run with DeepTrace 1.2 
but typo3 probably won't work because it uses interfaces, which were not supported 
in 1.2. Also, it is quite impossible to run Pancake without DeepTrace as it is 
really necessary to replace some PHP-functions in order to be able to directly run 
PHP-source under Pancake.
 [2012-03-30 23:55 UTC] rasmus@php.net
-Status: Open +Status: Not a bug
 [2012-03-30 23:55 UTC] rasmus@php.net 
Ok, so you can't test without DeepTrace, I understand that. But that doesn't make 
it any less likely that the problem is in that extension. It does a lot of low-
level stuff and there were a lot of changes related to memory management in 5.4 
that would affect an extension like DeepTrace. I see no evidence here that there 
is a PHP bug.
 [2012-03-31 00:05 UTC] pmathis at snapserv dot net 
I'm the developer of this extension and I tested 
already many different things. Every function 
runs through without any problem and I can't 
see any issues so far.  I already tried different 
things like repairing all the internal functions, 
setting the opcode handlers to NULL (eq. default 
handler) or destroying some hashtables by 
myself.  Actually it is impossible to reproduce 
this "bug", it happens randomly and I can't see 
any kind of critical memory leak. Because of 
that and the fact that these simple changes in 
code (see above) will fix the crash, I think it is 
Zend related
 [2012-03-31 00:09 UTC] rasmus@php.net 
Well, without a concrete example that doesn't involve DeepTrace messing around in 
the internals I don't see how we could possibly track this down. Nothing remotely 
like it has been reported so far.
 [2012-03-31 01:07 UTC] rasmus@php.net 
A quick check of the DeepTrace code that deletes constants shows a pretty 
obvious bug. In DeepTrace_constants.c you have:

        // Get constant
        if(zend_hash_find(EG(zend_constants), constName, len + 1, (void**) 
&constant) == FAILURE) {

Ok, so *constant now points to the constant named constName. Then later on:

        // Delete constant
        if(zend_hash_del(EG(zend_constants), constName, len + 1) == FAILURE) {
                php_error_docref(NULL TSRMLS_CC, E_WARNING, "Could not remove 
constant %s.", constName);
                if((constant->flags & CONST_CS) == 0) efree(constName);
                RETURN_FALSE;
        }

Ok, you have deleted the constant from the hash table which means constant now 
points to free'ed memory. But on the next line you do:

        // Free memory
        if((constant->flags & CONST_CS) == 0) efree(constName);

You can't look at constant->flags there, it has been free'ed.

Probably not related to these particular issues, although it did show up in your 
Valgrind output there, but a sign to me that this code needs a bit more 
attention.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Thu Apr 25 00:01:41 2024 UTC