Bug #69464 Segfault in zend_hash_destroy() during shutdown
Submitted: 2015-04-15 15:28 UTC
Modified: 2015-04-20 14:09 UTC
From: berdir@php.net
Assigned: dmitry
Status: Closed
Package: Scripting Engine problem
PHP Version: master-Git-2015-04-15 (Git)
OS: Linux
Private report: No
CVE-ID: None
 [2015-04-15 15:28 UTC] berdir@php.net
Description:
------------
This is part of our efforts to get Drupal 8 green on PHP 7, see https://www.drupal.org/node/2454439.

I've been trying to test with the latest PHP 7 build, but I'm now getting a lot of segfaults during the installer and running any web test.

You can see the backtrace and code where it happens here: https://gist.githubusercontent.com/Berdir/f93e56c8a2643501ce51/raw/653fa8fea95d322f9f7836838177951db7fe57db/gistfile1.txt

I'll try to bisect this down to a certain commit, but I had trouble the last time I tried to do something like that.


Test script:
---------------
To debug, get drupal and drush (from https://github.com/drush-ops/drush), then:

gdb --args '/path/to/php7' '/path/to/drush.php' '--db-url=mysql://user:pass@localhost/db' 'si' '-y' 'standard' '-v' '-d'



 [2015-04-15 15:41 UTC] berdir@php.net
https://gist.github.com/Berdir/f93e56c8a2643501ce51 has more up-to-date debug output now, which shows which object is causing the crash, based on instructions from @ircmaxell
 [2015-04-15 21:16 UTC] dmitry@php.net
-Status: Open
+Status: Feedback
-Assigned To:
+Assigned To: dmitry
 [2015-04-15 21:16 UTC] dmitry@php.net
I didn't get how to reproduce this.
Please provide detailed instructions: what to download, which commands to run, etc.
 [2015-04-16 07:32 UTC] berdir@php.net
Not exactly sure what you need.

You need to get drupal and drush:

git clone http://git.drupal.org/project/drupal.git
git clone https://github.com/drush-ops/drush.git
cd drupal
gdb --args '/path/to/php7' '../drush/drush.php' '--db-url=mysql://user:pass@localhost/db' 'si' '-y' 'standard' '-v' '-d'

Update the path to php7 and use a valid mysql username/password and that should install drupal (which takes a while... ) and at the end, it crashes with the mentioned segfault.
 [2015-04-16 09:29 UTC] dmitry@php.net
This doesn't work for me. I followed your instructions and ran `composer update`.
Anyway, I get an error (that I expect), but not any memory corruption.

Error: Cannot use Drupal\Component\Utility\String as String because 'String' is a special class name in ...

I probably need some branch of Drupal adapted for PHP7.
Also, do you use any external extension (e.g. xdebug)?
 [2015-04-17 00:33 UTC] dmitry@php.net
-Status: Feedback
+Status: Assigned
 [2015-04-17 00:33 UTC] dmitry@php.net
I fixed two problems triggered by Drupal-8, however I see at least one unfixed GC related problem. It may be reproduced with a simple script. The problem must be visible with valgrind.

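<?php
class A {
	public $a;
	public $x;
	function __destruct() {
		// Mutates the object while the collector is tearing down its cycle.
		unset($this->x);
	}
}
$a = new A;
$a->a = $a;          // object -> itself
$a->x = [];
$a->x[] =& $a->x;    // array holds a reference to itself
$a->x[] = $a;        // array -> object
var_dump($a);
var_dump(gc_collect_cycles());  // $a is still reachable here
unset($a);                      // only the cycles keep the object alive now
var_dump(gc_collect_cycles());  // collects the cycle and runs __destruct()
var_dump(gc_collect_cycles());
?>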

The problem is that __destruct() breaks the garbage graph, and it's destroyed only partially, and the remaining part still keeps references to deallocated data.
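One way to carry out the valgrind check mentioned in the comment above, as an added example that is not part of the bug report or of php-src. The helper names and the embedded sample log are constructed for illustration; `USE_ZEND_ALLOC=0` is what lets valgrind see individual allocations instead of the Zend allocator's pooled chunks.

```shell
#!/bin/sh
# Added example, not from the bug report. Helper names are hypothetical.

# Run script "$2" with PHP binary "$1"; valgrind's report goes to file "$3".
# USE_ZEND_ALLOC=0 switches PHP to the system malloc, so valgrind tracks each
# block instead of the Zend allocator's pooled chunks. -n skips php.ini, which
# keeps extensions such as opcache or xdebug out of the run.
run_under_valgrind() {
    USE_ZEND_ALLOC=0 valgrind --log-file="$3" "$1" -n "$2" >/dev/null
}

# Print "<error kind> in <top frame>" for every invalid access in a valgrind
# log. Returns 1 if any were found, 0 for a clean log.
triage_valgrind_log() {
    awk '
        /== Invalid (read|write|free)/ {
            sub(/^==[0-9]+== /, "")
            kind = $1 " " $2
            want_frame = 1
            next
        }
        want_frame && /==    at 0x/ {
            print kind " in " $4      # $4 is the function of the top frame
            want_frame = 0
            found++
        }
        END { exit (found > 0) }
    ' "$1"
}

# Constructed log in valgrind's format (addresses and line numbers made up).
sample_log() {
    cat <<'EOF'
==4242== Invalid read of size 4
==4242==    at 0x100001: zend_hash_destroy (zend_hash.c:1)
==4242==    by 0x100002: zend_call_function (zend_execute_API.c:1)
==4242==  Address 0x200000 is 8 bytes inside a block of size 56 free'd
==4242==    at 0x100003: free (vg_replace_malloc.c:1)
==4242== Invalid write of size 4
==4242==    at 0x100004: i_free_compiled_variables (zend_execute.c:1)
==4242== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)
EOF
}

# Usage: sh gc_check.sh /path/to/php7 repro.php
if [ "$#" -eq 2 ]; then
    log=$(mktemp)
    run_under_valgrind "$1" "$2" "$log" || true
    triage_valgrind_log "$log"
fi
```

The frame after "is ... free'd" belongs to the earlier deallocation, so the triage reports only the first frame after each error header.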
 [2015-04-17 15:41 UTC] dmitry@php.net
-Status: Assigned
+Status: Feedback
 [2015-04-17 15:41 UTC] dmitry@php.net
I hope I fixed the GC problem. At least I can't reproduce it any more. Could you please retest.
 [2015-04-18 07:20 UTC] berdir@php.net
Yes, the installer works again!

I have some new issues, though...

In certain places, I get zend_mm_heap corrupted errors in the apache logs and empty responses. For example at /aggregator/sources/add (after enabling the aggregator module with drush en -y aggregator) or on /admin/modules. What's weird is that they go away when I disable opcache.

I also got another segfault, but I wasn't able to identify when exactly that happened:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  i_free_compiled_variables (execute_data=<optimized out>) at /home/berdir/tools/php-src/Zend/zend_execute.c:1810
1810				if (!Z_DELREF_P(cv)) {
(gdb) bt
#0  i_free_compiled_variables (execute_data=<optimized out>) at /home/berdir/tools/php-src/Zend/zend_execute.c:1810
#1  zend_leave_helper_SPEC () at /home/berdir/tools/php-src/Zend/zend_vm_execute.h:445
#2  0x00007f870e6957bb in execute_ex (ex=<optimized out>) at /home/berdir/tools/php-src/Zend/zend_vm_execute.h:394
#3  0x00007f870e64674e in zend_call_function (fci=fci@entry=0x7fffc29b51d0, fci_cache=<optimized out>, fci_cache@entry=0x7fffc29b51a0) at /home/berdir/tools/php-src/Zend/zend_execute_API.c:840
#4  0x00007f870e575d71 in zif_call_user_func_array (execute_data=0x7f8704e13520, return_value=0x7f8704e13510) at /home/berdir/tools/php-src/ext/standard/basic_functions.c:4787
#5  0x00007f870e6eaa2d in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER () at /home/berdir/tools/php-src/Zend/zend_vm_execute.h:691
#6  0x00007f870e6957bb in execute_ex (ex=<optimized out>) at /home/berdir/tools/php-src/Zend/zend_vm_execute.h:394
#7  0x00007f870e64674e in zend_call_function (fci=fci@entry=0x7fffc29b5410, fci_cache=<optimized out>, fci_cache@entry=0x7fffc29b53e0) at /home/berdir/tools/php-src/Zend/zend_execute_API.c:840
#8  0x00007f870e575d71 in zif_call_user_func_array (execute_data=0x7f8704e12150, return_value=0x7f8704e11fe0) at /home/berdir/tools/php-src/ext/standard/basic_functions.c:4787
#9  0x00007f870e6eaa2d in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER () at /home/berdir/tools/php-src/Zend/zend_vm_execute.h:691
#10 0x00007f870e6957bb in execute_ex (ex=<optimized out>) at /home/berdir/tools/php-src/Zend/zend_vm_execute.h:394
#11 0x00007f870e655b15 in zend_execute_scripts (type=8, retval=0x10, retval@entry=0x0, file_count=3) at /home/berdir/tools/php-src/Zend/zend.c:1398
#12 0x00007f870e5f8600 in php_execute_script (primary_file=primary_file@entry=0x7fffc29b7940) at /home/berdir/tools/php-src/main/main.c:2468
#13 0x00007f870e6ef68a in php_handler (r=<optimized out>) at /home/berdir/tools/php-src/sapi/apache2handler/sapi_apache2.c:673
#14 0x00007f8712f4ceb0 in ap_run_handler ()
#15 0x00007f8712f4d3f9 in ap_invoke_handler ()
#16 0x00007f8712f62bac in ap_internal_redirect ()

I have no idea if they are related, feel free to just close this bug report if you think not, I'll open new issues when I do more testing next week.
 [2015-04-19 21:51 UTC] berdir@php.net
I've opened https://bugs.php.net/bug.php?id=69484 for the opcache related errors. I've also had another segfault that I reported there as well, as it happened in the same test and might be related.
 [2015-04-20 14:09 UTC] dmitry@php.net
-Status: Feedback
+Status: Closed
 [2015-04-20 14:09 UTC] dmitry@php.net
The GC bug is fixed.
 
Last updated: Tue Jan 18 23:03:14 2022 UTC