Bug #70481 Memory leak in auto_global_copy_ctor()
Submitted: 2015-09-13 15:46 UTC
Modified: 2015-09-14 09:20 UTC
From: sathya at laufers dot net
Assigned:
Status: Closed
Package: Unknown/Other Function
PHP Version: 7.0.0RC2
OS: Ubuntu 14.04 amd64
Private report: No
CVE-ID:
 [2015-09-13 15:46 UTC] sathya at laufers dot net
Description:
------------
I'm using the PHP embed library with ZTS enabled in a program of mine and just switched to PHP7. Using valgrind to search for memory leaks, I noticed that memory allocated in auto_global_copy_ctor() in Zend/zend.c is not freed in compiler_globals_dtor(), causing a memory leak of (global_auto_globals_table->nNumUsed * sizeof(zend_auto_global)) bytes for every new thread. Here's the full valgrind output:

==6621== 
==6621== HEAP SUMMARY:
==6621==     in use at exit: 192,047 bytes in 2,902 blocks
==6621==   total heap usage: 1,224,943 allocs, 1,222,041 frees, 123,484,720 bytes allocated
==6621== 
==6621== 416 (216 direct, 200 indirect) bytes in 9 blocks are definitely lost in loss record 91 of 152
==6621==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==6621==    by 0x5B3AB5: auto_global_copy_ctor (zend_alloc.h:192)
==6621==    by 0x5C7EFB: zend_hash_copy (zend_hash.c:1601)
==6621==    by 0x5B384C: compiler_globals_ctor (zend.c:499)
==6621==    by 0x5B4C24: zend_post_startup (zend.c:832)
==6621==    by 0x551565: php_module_startup (main.c:2220)
.
.
.
==6621== 
==6621== 2,264 (2,160 direct, 104 indirect) bytes in 90 blocks are definitely lost in loss record 135 of 152
==6621==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==6621==    by 0x5B3AB5: auto_global_copy_ctor (zend_alloc.h:192)
==6621==    by 0x5C7EFB: zend_hash_copy (zend_hash.c:1601)
==6621==    by 0x5B384C: compiler_globals_ctor (zend.c:499)
==6621==    by 0x54E671: allocate_new_resource (TSRM.c:301)
==6621==    by 0x54E798: ts_resource_ex (TSRM.c:368)
.
.
.
==6621==    by 0x4E3F181: start_thread (pthread_create.c:312)
==6621== 
==6621== LEAK SUMMARY:
==6621==    definitely lost: 2,376 bytes in 99 blocks
==6621==    indirectly lost: 304 bytes in 9 blocks
==6621==      possibly lost: 0 bytes in 0 blocks
==6621==    still reachable: 189,367 bytes in 2,794 blocks
==6621==         suppressed: 0 bytes in 0 blocks
==6621== Reachable blocks (those to which a pointer was found) are not shown.
==6621== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==6621== 
==6621== For counts of detected and suppressed errors, rerun with: -v
==6621== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)

I didn't do much more digging than this and didn't have the time to come up with a patch. I figured you guys are much faster in fixing this than I am ;-).

Cheers,

Sathya


 [2015-09-14 03:00 UTC] laruence@php.net
-Status: Open
+Status: Feedback
 [2015-09-14 03:00 UTC] laruence@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.


 [2015-09-14 09:20 UTC] sathya at laufers dot net
-Status: Feedback
+Status: Open
-Operating System: Ubuntu 14.04
+Operating System: Ubuntu 14.04 amd64
 [2015-09-14 09:20 UTC] sathya at laufers dot net
Hey,

there's no script execution necessary to cause the leak. It occurs even if I comment out "php_execute_script()" in my program.

But for completeness :-P:

<?php
print "Hello World";
?>

As the line numbers in the previous valgrind trace were incorrect due to changes I made to the PHP source to track the error and to see if the compiler globals destructor is actually called, here's another one with an unmodified library and no script execution (php_execute_script() commented out). Only initialization and deinitialization functions are called. This is the result after 10 request threads:

==1138== 
==1138== HEAP SUMMARY:
==1138==     in use at exit: 192,047 bytes in 2,902 blocks
==1138==   total heap usage: 1,145,600 allocs, 1,142,698 frees, 94,725,940 bytes allocated
==1138== 
==1138== 520 (216 direct, 304 indirect) bytes in 9 blocks are definitely lost in loss record 93 of 152
==1138==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==1138==    by 0x5B41B5: auto_global_copy_ctor (in /home/PREETZ/sathya/GitHub/Homegear/Homegear/homegear/src/homegear)
==1138==    by 0x5C85DB: zend_hash_copy (in /home/PREETZ/sathya/GitHub/Homegear/Homegear/homegear/src/homegear)
==1138==    by 0x5B3F6F: compiler_globals_ctor (in /home/PREETZ/sathya/GitHub/Homegear/Homegear/homegear/src/homegear)
==1138==    by 0x5B5324: zend_post_startup (in /home/PREETZ/sathya/GitHub/Homegear/Homegear/homegear/src/homegear)
==1138==    by 0x551E05: php_module_startup (in /home/PREETZ/sathya/GitHub/Homegear/Homegear/homegear/src/homegear)
.
.
.
==1138== 
==1138== 2,160 bytes in 90 blocks are definitely lost in loss record 135 of 152
==1138==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==1138==    by 0x5B41B5: auto_global_copy_ctor (in /home/PREETZ/sathya/GitHub/Homegear/Homegear/homegear/src/homegear)
==1138==    by 0x5C85DB: zend_hash_copy (in /home/PREETZ/sathya/GitHub/Homegear/Homegear/homegear/src/homegear)
==1138==    by 0x5B3F6F: compiler_globals_ctor (in /home/PREETZ/sathya/GitHub/Homegear/Homegear/homegear/src/homegear)
==1138==    by 0x54EF11: allocate_new_resource (in /home/PREETZ/sathya/GitHub/Homegear/Homegear/homegear/src/homegear)
==1138==    by 0x54F038: ts_resource_ex (in /home/PREETZ/sathya/GitHub/Homegear/Homegear/homegear/src/homegear)
.
.
.
==1138==    by 0x4E3F181: start_thread (pthread_create.c:312)
==1138== 
==1138== LEAK SUMMARY:
==1138==    definitely lost: 2,376 bytes in 99 blocks
==1138==    indirectly lost: 304 bytes in 9 blocks
==1138==      possibly lost: 0 bytes in 0 blocks
==1138==    still reachable: 189,367 bytes in 2,794 blocks
==1138==         suppressed: 0 bytes in 0 blocks
==1138== Reachable blocks (those to which a pointer was found) are not shown.
==1138== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==1138== 
==1138== For counts of detected and suppressed errors, rerun with: -v
==1138== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)

Cheers,

Sathya
 [2015-09-18 09:35 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7680194a930165f50194a48e324d11001aef3465
Log: Fixed bug #70481 (Memory leak in auto_global_copy_ctor() in ZTS build)
 [2015-09-18 09:35 UTC] laruence@php.net
-Status: Open
+Status: Closed
 [2015-09-29 13:10 UTC] ab@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7680194a930165f50194a48e324d11001aef3465
Log: Fixed bug #70481 (Memory leak in auto_global_copy_ctor() in ZTS build)
 [2016-07-20 11:36 UTC] davey@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7680194a930165f50194a48e324d11001aef3465
Log: Fixed bug #70481 (Memory leak in auto_global_copy_ctor() in ZTS build)
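
The leak pattern described in the report, modelled as an added example (not php-src code and not the committed fix): a per-thread table copy whose copy constructor allocates one block per entry, torn down with and without a per-element destructor. All names are hypothetical; the 9 entries of 24 bytes are assumptions chosen to match the 216 bytes in 9 blocks per copy seen in the valgrind trace.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model, not php-src code. N_ENTRIES and the 24-byte entry are
 * assumptions chosen to match the trace (216 bytes in 9 blocks per copy). */
#define N_ENTRIES 9
typedef struct { const char *name; void *callback; int armed; } entry_t;
typedef struct {
    entry_t *slot[N_ENTRIES];
    void (*elem_dtor)(entry_t *); /* NULL: table has no per-element destructor */
} table_t;

static long live_blocks, live_bytes; /* accounting, stands in for valgrind */

static entry_t *entry_copy_ctor(const entry_t *src) {
    entry_t *dst = malloc(sizeof *dst); /* one heap block per copied entry */
    if (!dst) abort();
    memcpy(dst, src, sizeof *dst);
    live_blocks++; live_bytes += (long)sizeof *dst;
    return dst;
}
static void entry_dtor(entry_t *e) {
    live_blocks--; live_bytes -= (long)sizeof *e;
    free(e);
}
static void table_destroy(table_t *t) { /* frees entries only via elem_dtor */
    for (int i = 0; i < N_ENTRIES; i++)
        if (t->elem_dtor) t->elem_dtor(t->slot[i]);
}
/* One table copy per simulated thread; returns bytes never handed to a dtor. */
long leaked_bytes(int threads, void (*dtor)(entry_t *)) {
    static const entry_t global[N_ENTRIES]; /* constructed template table */
    live_blocks = live_bytes = 0;
    for (int t = 0; t < threads; t++) {
        table_t copy = { .elem_dtor = dtor };
        for (int i = 0; i < N_ENTRIES; i++) copy.slot[i] = entry_copy_ctor(&global[i]);
        table_destroy(&copy);
        /* Demo hygiene only: drop this line to see the leak under valgrind. */
        if (!dtor) for (int i = 0; i < N_ENTRIES; i++) free(copy.slot[i]);
    }
    return live_bytes;
}
long leaked_blocks(void) { return live_blocks; }

int main(void) {
    long b = leaked_bytes(10, NULL), n = leaked_blocks();
    printf("no element dtor:   %ld bytes in %ld blocks\n", b, n);
    b = leaked_bytes(10, entry_dtor); n = leaked_blocks();
    printf("with element dtor: %ld bytes in %ld blocks\n", b, n);
    return 0;
}
```

With ten simulated threads and no element destructor, the counters reproduce the per-thread figure from the second trace (90 blocks); the leak grows linearly with the number of threads a long-running embedder creates.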
Last updated: Fri Jul 21 08:01:41 2017 UTC