Opened 3 years ago
Closed 11 months ago
#240 closed defect (invalid)
trunk segfaults with 5.3
| Reported by: | tony2001 | Owned by: | moo |
|---|---|---|---|
| Priority: | major | Milestone: | |
| Component: | cacher | Version: | 2.0.0 |
| Keywords: | | Cc: | |
| Application: | | PHP Version: | 5.3 |
| Other Exts: | | SAPI: | FastCGI |
| Probability: | | Blocked By: | |
| Blocking: | | | |
Description
XCache from SVN trunk crashes with PHP 5.3
Valgrind log:
==5152== Invalid read of size 1
==5152==    at 0x5CA95A2: xc_php_find_dmz (xcache.c:148)
==5152==    by 0x5CADB4E: xc_compile_file_ex (xcache.c:1710)
==5152==    by 0x5CAE25D: xc_compile_file (xcache.c:1904)
==5152==    by 0x5FAAEF: compile_filename (zend_language_scanner.l:386)
==5152==    by 0x705764: ZEND_INCLUDE_OR_EVAL_SPEC_CV_HANDLER (zend_vm_execute.h:22390)
==5152==    by 0x675463: execute (zend_vm_execute.h:104)
==5152==    by 0x64344B: zend_execute_scripts (zend.c:1188)
==5152==    by 0x5C4D84: php_execute_script (main.c:2244)
==5152==    by 0x7369C2: main (cgi_main.c:2215)
GDB backtrace:
Program terminated with signal 11, Segmentation fault.
#0 0x00002b13584015a2 in xc_php_find_dmz (php=0x7fff53549680) at /local/build/xcache_trunk/xcache.c:148
148 if (memcmp(php->md5, p->md5, sizeof(php->md5)) == 0) {
(gdb) bt
#0 0x00002b13584015a2 in xc_php_find_dmz (php=0x7fff53549680) at /local/build/xcache_trunk/xcache.c:148
#1 0x00002b1358405b4f in xc_compile_file_ex (xce=0x7fff53549740, h=0x7fff53549870, type=2)
at /local/build/xcache_trunk/xcache.c:1710
#2 0x00002b135840625e in xc_compile_file (h=0x7fff53549870, type=2) at /local/build/xcache_trunk/xcache.c:1904
#3 0x00000000005faaf0 in compile_filename (type=2, filename=0x2b13638ee280) at Zend/zend_language_scanner.l:386
#4 0x0000000000705765 in ZEND_INCLUDE_OR_EVAL_SPEC_CV_HANDLER (execute_data=0x2b13632d8d38)
at /local/build/php/5_3.eye/Zend/zend_vm_execute.h:22390
#5 0x0000000000675464 in execute (op_array=0xd2ebc0) at /local/build/php/5_3.eye/Zend/zend_vm_execute.h:104
#6 0x000000000064344c in zend_execute_scripts (type=8, retval=0x0, file_count=3)
at /local/build/php/5_3.eye/Zend/zend.c:1188
#7 0x00000000005c4d85 in php_execute_script (primary_file=0x7fff5354e0e0) at /local/build/php/5_3.eye/main/main.c:2244
#8 0x00000000007369c3 in main (argc=4, argv=0x7fff5354e318) at /local/build/php/5_3.eye/sapi/cgi/cgi_main.c:2215
php.ini entries:
xcache.coredump_directory = /local/tmp/php-cores/
xcache.cacher = On
xcache.size = 150M
xcache.slots = 16K
xcache.count = 4
xcache.gc_interval = 0
xcache.ttl = 0
xcache.var_size = 0
xcache.var_count = 1
xcache.var_slots = 64K
xcache.var_ttl = 0
xcache.var_maxttl = 0
xcache.var_gc_interval = 300
xcache.optimizer = On
xcache.stat = On
Change History (5)
comment:1 Changed 3 years ago by moo
comment:2 Changed 3 years ago by tony2001
I doubt there is any chance for me to produce any short reproduce code, but it's 100% reproducible with our site, which has a huge number of classes and files. I suppose it might be related to that very fact btw.
The pointer in php->cache->phps array gets b0rked somehow and that's the only thing that is clear to me atm.
Do you have any ideas on how to debug it or get more useful data for you?
comment:3 Changed 3 years ago by moo
(gdb) bt
#0 0x00002b13584015a2 in xc_php_find_dmz (php=0x7fff53549680) at /local/build/xcache_trunk/xcache.c:148
#1 0x00002b1358405b4f in xc_compile_file_ex (xce=0x7fff53549740, h=0x7fff53549870, type=2)
Do "frame 1", then "print *xce". You can go to any frame id and print something that's in the arguments to see what's there. You may find the *.php file name, but I doubt it's the one that causes the problem. It might be that the cache is corrupted by something else.
comment:4 Changed 3 years ago by tony2001
bt full
#0 0x00002b13584015a2 in xc_php_find_dmz (php=0x7fff53549680) at /local/build/xcache_trunk/xcache.c:148
p = (xc_entry_data_php_t *) 0x4bb5be86
#1 0x00002b1358405b4f in xc_compile_file_ex (xce=0x7fff53549740, h=0x7fff53549870, type=2)
at /local/build/xcache_trunk/xcache.c:1710
__orig_bailout = (jmp_buf *) 0x7fff5354bcb0
__bailout = {{__jmpbuf = {47362070764544, -67374871976448866, 0, 140734591460112, 0, 0, -67374871976449570,
-67283492100464614}, __mask_was_saved = 0, __saved_mask = {__val = {6402805, 47362277216688, 1480612869, 0,
1062748880564, 9811496, 140, 140734591440000, 6630368, 140734591441136, 140734591440864, 47362070764544,
18379369201733102654, 0, 1398072080, 0}}}}
op_array = (zend_op_array *) 0x39d80
stored_xce = (xc_entry_t *) 0x0
stored_php = (xc_entry_data_php_t *) 0x0
cache = (xc_cache_t *) 0x2b135e5c4038
gaveup = 0 '\0'
catched = 0 '\0'
newlycompiled = 0 '\0'
sandbox = {alloc = 1672843696, filename = 0xd3f33ecd70c4feb4 <Address 0xd3f33ecd70c4feb4 out of bounds>,
orig_included_files = {nTableSize = 1398052216, nTableMask = 32767, nNumOfElements = 1672834941,
nNextFreeElement = 140734591440240, pInternalPointer = 0x4500655089, pListHead = 0x2b1363b56f38,
pListTail = 0xb1c288, arBuckets = 0x2b1363478080, pDestructor = 0xd3f33ecd70c4feb4, persistent = 120 'x',
nApplyCount = 149 '\225', bApplyProtection = 84 'T', inconsistent = 52}, tmp_included_files = 0x2b1363b591b0,
orig_zend_constants = 0x7fff53549500, tmp_zend_constants = {nTableSize = 6768212, nTableMask = 0, nNumOfElements = 1,
nNextFreeElement = 9822008, pInternalPointer = 0x340000015a, pListHead = 0x0, pListTail = 0x53549500,
arBuckets = 0x2b1363b56f38, pDestructor = 0x7fff53549578, persistent = 56 '8', nApplyCount = 111 'o',
bApplyProtection = 181 '�', inconsistent = 8}, orig_function_table = 0x7fff53549570, orig_class_table = 0x4500000400,
orig_auto_globals = 0x2b1363b56f38, tmp_function_table = {nTableSize = 11649672, nTableMask = 0,
nNumOfElements = 1398052224, nNextFreeElement = 6397680, pInternalPointer = 0x7fff535495b0, pListHead = 0x39d80,
pListTail = 0x800, arBuckets = 0x39d08, pDestructor = 0x7fff53549590, persistent = 17 '\021', nApplyCount = 0 '\0',
bApplyProtection = 0 '\0', inconsistent = 0}, tmp_class_table = {nTableSize = 1398052240, nTableMask = 32767,
nNumOfElements = 6385901, nNextFreeElement = 47362277216952, pInternalPointer = 0xb1d330, pListHead = 0x39d08,
pListTail = 0x11, arBuckets = 0xb1da50, pDestructor = 0x2b1363b59240, persistent = 120 'x', nApplyCount = 146 '\222',
bApplyProtection = 181 '�', inconsistent = 11027}, tmp_auto_globals = {nTableSize = 1672843720, nTableMask = 11027,
nNumOfElements = 17, nNextFreeElement = 292064178279, pInternalPointer = 0x7fff53549680, pListHead = 0x619a51,
pListTail = 0x2b1363b56f38, arBuckets = 0x78, pDestructor = 0x2b1363b59290, persistent = 0 '\0',
nApplyCount = 0 '\0', bApplyProtection = 0 '\0', inconsistent = 0}, tmp_internal_constant_tail = 0x0,
tmp_internal_function_tail = 0x2c900000001, tmp_internal_class_tail = 0x95dcb8,
orig_user_error_handler_error_reporting = 32, orig_zend_error_cb = 0xb1d330,
compilererror_cnt = 1, compilererror_size = 1930623196,
compilererrors = 0x2b1363b59240, orig_compiler_options = 120}
#2 0x00002b135840625e in xc_compile_file (h=0x7fff53549870, type=2) at /local/build/xcache_trunk/xcache.c:1904
op_array = (zend_op_array *) 0x2b13632d8ea8
xce = {type = XC_TYPE_PHP, hvalue = 10254, next = 0x24, cache = 0x2b135e5c4038, size = 47362227164840,
refcount = 47362227164840, hits = 5693020064, ctime = 47362277216912, atime = 54144030545656, dtime = 51846015675496,
ttl = 9822280, name = {lval = 47362277216544, dval = 2.3400074081503968e-310, str = {
val = 0x2b1363b59120 "/home/inils/badoo/_packages/Mobile/SiteDialogsHelper.php", len = 56}, ht = 0x2b1363b59120,
obj = {handle = 1672843552, handlers = 0x7fff00000038}}, data = {php = 0x7fff53549680, var = 0x7fff53549680},
mtime = 1270109775, device = 2065, inode = 12951924, filepath_len = 0, filepath = 0x0, dirpath_len = 0, dirpath = 0x0}
php = {hvalue = 2773, next = 0x61b2f5, cache = 0x2b135e5c4038, md5 = "x\235/m�;\f=\0051�R\r\214��",
refcount = 3075206389920, sourcesize = 4409, hits = 47362277216912, size = 140734591440800, op_array_info = {
oplineinfo_cnt = 6993881, oplineinfos = 0x2b1363b59290}, op_array = 0x638ee29d, constinfo_cnt = 1622791848,
constinfos = 0x2b1363b591c8, funcinfo_cnt = 1663929824, funcinfos = 0x2b1360b9d6a0, classinfo_cnt = 1398052672,
classinfos = 0x2b1363b59290, autoglobal_cnt = 0, autoglobals = 0xb1c108,
compilererror_cnt = 9805984,
compilererrors = 0x2f270061b2f5, have_references = 72 'H'}
filename = 0x2b1363b59120 "/home/inils/badoo/_packages/Mobile/SiteDialogsHelper.php"
__PRETTY_FUNCTION__ = "xc_compile_file"
#3 0x00000000005faaf0 in compile_filename (type=2, filename=0x2b13638ee280) at Zend/zend_language_scanner.l:386
file_handle = {type = ZEND_HANDLE_FILENAME,
filename = 0x2b1363b59120 "/home/inils/badoo/_packages/Mobile/SiteDialogsHelper.php", opened_path = 0x0, handle = {
fd = 0, fp = 0x0, stream = {handle = 0x0, isatty = 1465445480, mmap = {len = 47362069818592, pos = 140734591441472,
map = 0x67b2cc, buf = 0x2b135758ec68 "\210±", old_handle = 0xa0, old_closer = 0x2b13632d8d38},
reader = 0x2b135758ec68, fsizer = 0x2b13632d8dd0, closer = 0x1}}, free_filename = 0 '\0'}
tmp = {value = {lval = 47362069818656, dval = 2.3399971613332487e-310, str = {val = 0x2b135758ed20 "GLOBALS",
len = 1465445624}, ht = 0x2b135758ed20, obj = {handle = 1465445664, handlers = 0x2b135758ecf8}},
refcount__gc = 1398052864, type = 255 '�', is_ref__gc = 127 '\177'}
retval = (zend_op_array *) 0x2b13632d8e08
opened_path = 0x0
#4 0x0000000000705765 in ZEND_INCLUDE_OR_EVAL_SPEC_CV_HANDLER (execute_data=0x2b13632d8d38)
at /local/build/php/5_3.eye/Zend/zend_vm_execute.h:22390
opline = (zend_op *) 0x2b1360b9d6f0
new_op_array = (zend_op_array *) 0x0
return_value_used = 0
inc_filename = (zval *) 0x2b13638ee280
tmp_inc_filename = {value = {lval = 11649288, dval = 5.7555129993106833e-317, str = {val = 0xb1c108 "",
len = 1663929944}, ht = 0xb1c108, obj = {handle = 11649288, handlers = 0x2b13632d8e58}}, refcount__gc = 0,
type = 0 '\0', is_ref__gc = 0 '\0'}
failure_retval = 0 '\0'
#5 0x0000000000675464 in execute (op_array=0xd2ebc0) at /local/build/php/5_3.eye/Zend/zend_vm_execute.h:104
ret = 0
execute_data = (zend_execute_data *) 0x2b13632d8d38
nested = 1 '\001'
original_in_execution = 0 '\0'
#6 0x000000000064344c in zend_execute_scripts (type=8, retval=0x0, file_count=3)
at /local/build/php/5_3.eye/Zend/zend.c:1188
files = {{gp_offset = 40, fp_offset = 48, overflow_arg_area = 0x7fff53549c60, reg_save_area = 0x7fff53549ba0}}
i = 1
file_handle = (zend_file_handle *) 0x7fff5354e0e0
orig_op_array = (zend_op_array *) 0x0
orig_retval_ptr_ptr = (zval **) 0x0
#7 0x00000000005c4d85 in php_execute_script (primary_file=0x7fff5354e0e0) at /local/build/php/5_3.eye/main/main.c:2244
realfile = "<some garbage here>"...
__orig_bailout = (jmp_buf *) 0x7fff5354bf50
__bailout = {{__jmpbuf = {47362070764544, -67374871976459138, 0, 140734591460112, 0, 0, -67374871976450386,
-67310906206932971}, __mask_was_saved = 0, __saved_mask = {__val = {11653936, 47362069811880, 0, 120, 4, 11654120,
47360604373025, 140734591450480, 6402946, 1, 1477391364, 0, 2095950122662, 9726872, 47362069811960,
140734591450800}}}}
prepend_file_p = (zend_file_handle *) 0x0
append_file_p = (zend_file_handle *) 0x0
prepend_file = {type = ZEND_HANDLE_FILENAME, filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0,
stream = {handle = 0x0, isatty = 0, mmap = {len = 0, pos = 0, map = 0x0, buf = 0x0, old_handle = 0x0,
old_closer = 0}, reader = 0, fsizer = 0, closer = 0}}, free_filename = 0 '\0'}
append_file = {type = ZEND_HANDLE_FILENAME, filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0,
stream = {handle = 0x0, isatty = 0, mmap = {len = 0, pos = 0, map = 0x0, buf = 0x0, old_handle = 0x0,
old_closer = 0}, reader = 0, fsizer = 0, closer = 0}}, free_filename = 0 '\0'}
old_cwd = 0x7fff53549c80 "/home/local/build/xcache_trunk"
use_heap = 0 '\0'
retval = 0
#8 0x00000000007369c3 in main (argc=4, argv=0x7fff5354e318) at /local/build/php/5_3.eye/sapi/cgi/cgi_main.c:2215
__orig_bailout = (jmp_buf *) 0x0
__bailout = {{__jmpbuf = {47362070764544, -67374871976470274, 0, 140734591460112, 0, 0, -67374871976459250,
-67310906204641314}, __mask_was_saved = 0, __saved_mask = {__val = {0 <repeats 16 times>}}}}
free_query_string = 0
exit_status = 0
cgi = 0
c = 60
i = 1465268855
len = 11027
file_handle = {type = ZEND_HANDLE_FP, filename = 0x2b13575a7ab8 "/home/inils/badoo/www/index.phtml",
opened_path = 0x0, handle = {fd = 14808720, fp = 0xe1f690, stream = {handle = 0xe1f690, isatty = 0, mmap = {len = 6438,
pos = 0, map = 0x2b1363359000, buf = 0x2b1363359000 " D�\023+", old_handle = 0xd07520,
old_closer = 0x65f968 <zend_stream_stdio_closer>}, reader = 0x65f93c <zend_stream_stdio_reader>,
fsizer = 0x65f999 <zend_stream_stdio_fsizer>, closer = 0x65fab2 <zend_stream_mmap_closer>}}, free_filename = 0 '\0'}
s = 0x2b13582d66e0 "\221NA"
behavior = 1
no_headers = 0
orig_optind = 1
orig_optarg = 0x0
script_file = 0x0
ini_entries_len = 0
max_requests = 1000
requests = 293
fastcgi = 1
bindpath = 0x0
fcgi_fd = 0
request = {listen_socket = 0, fd = 8, id = 1, keep = 0, closed = 0, in_len = 0, in_pad = 3, out_hdr = 0x0,
out_pos = 0x7fff5354c0c0 "\001\006",
out_buf = "<some cookie garbage>"...,
reserved = '\0' <repeats 15 times>, env = 0x2b135758b0c8}
fpm_config = 0x7fff5354ef61 "/local/php5/etc/php-fpm.conf"
repeats = 1
benchmark = 0
start = {tv_sec = 0, tv_usec = 0}
end = {tv_sec = 0, tv_usec = 0}
status = 0
func arguments:
(gdb) f 1
#1 0x00002b1358405b4f in xc_compile_file_ex (xce=0x7fff53549740, h=0x7fff53549870, type=2)
at /local/build/xcache_trunk/xcache.c:1710
1710 stored_php = xc_php_find_dmz(xce->data.php TSRMLS_CC);
(gdb) p *xce
$5 = {type = XC_TYPE_PHP, hvalue = 10254, next = 0x24, cache = 0x2b135e5c4038, size = 47362227164840,
refcount = 47362227164840, hits = 5693020064, ctime = 47362277216912, atime = 54144030545656, dtime = 51846015675496,
ttl = 9822280, name = {lval = 47362277216544, dval = 2.3400074081503968e-310, str = {
val = 0x2b1363b59120 "/home/inils/badoo/_packages/Mobile/SiteDialogsHelper.php", len = 56}, ht = 0x2b1363b59120,
obj = {handle = 1672843552, handlers = 0x7fff00000038}}, data = {php = 0x7fff53549680, var = 0x7fff53549680},
mtime = 1270109775, device = 2065, inode = 12951924, filepath_len = 0, filepath = 0x0, dirpath_len = 0, dirpath = 0x0}
(gdb) p *h
$6 = {type = ZEND_HANDLE_FILENAME, filename = 0x2b1363b59120 "/home/inils/badoo/_packages/Mobile/SiteDialogsHelper.php",
opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, isatty = 1465445480, mmap = {
len = 47362069818592, pos = 140734591441472, map = 0x67b2cc, buf = 0x2b135758ec68 "\210±", old_handle = 0xa0,
old_closer = 0x2b13632d8d38}, reader = 0x2b135758ec68, fsizer = 0x2b13632d8dd0, closer = 0x1}},
free_filename = 0 '\0'}
(gdb) f 2
#2 0x00002b135840625e in xc_compile_file (h=0x7fff53549870, type=2) at /local/build/xcache_trunk/xcache.c:1904
1904 op_array = xc_compile_file_ex(&xce, h, type TSRMLS_CC);
(gdb) p *h
$7 = {type = ZEND_HANDLE_FILENAME, filename = 0x2b1363b59120 "/home/inils/badoo/_packages/Mobile/SiteDialogsHelper.php",
opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, isatty = 1465445480, mmap = {
len = 47362069818592, pos = 140734591441472, map = 0x67b2cc, buf = 0x2b135758ec68 "\210±", old_handle = 0xa0,
old_closer = 0x2b13632d8d38}, reader = 0x2b135758ec68, fsizer = 0x2b13632d8dd0, closer = 0x1}},
free_filename = 0 '\0'}
#3 0x00000000005faaf0 in compile_filename (type=2, filename=0x2b13638ee280) at Zend/zend_language_scanner.l:386
386 retval = zend_compile_file(&file_handle, type TSRMLS_CC);
(gdb) f 3
#3 0x00000000005faaf0 in compile_filename (type=2, filename=0x2b13638ee280) at Zend/zend_language_scanner.l:386
386 retval = zend_compile_file(&file_handle, type TSRMLS_CC);
(gdb) p filename
$8 = (zval *) 0x2b13638ee280
(gdb) p *filename
$9 = {value = {lval = 47362277216544, dval = 2.3400074081503968e-310, str = {
val = 0x2b1363b59120 "/home/inils/ooooo/_packages/Mobile/SiteDialogsHelper.php", len = 56}, ht = 0x2b1363b59120,
obj = {handle = 1672843552, handlers = 0x600000038}}, refcount__gc = 2, type = 6 '\006', is_ref__gc = 0 '\0'}
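The faulting line is a memcmp() through a chain pointer, and "bt full" shows p = 0x4bb5be86, far from the cache mapping at 0x2b135e5c4038. The following is an added example, not XCache code and not written by either commenter: it models a bucket-chain lookup that checks each link against the segment bounds before reading it. All type and function names (entry_t, cache_t, find_checked, demo_lookup) are hypothetical and the data is constructed.

```c
/* Added illustration, not XCache source: all names here are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef struct entry { struct entry *next; unsigned char md5[16]; } entry_t;
typedef struct {
    unsigned char *base; size_t size;   /* shared segment start and length */
    entry_t **slots; size_t nslots;     /* bucket heads, like the phps array */
} cache_t;

/* True only if p is a pointer-aligned address of a whole entry_t in the segment. */
static int ptr_in_segment(const cache_t *c, const void *p)
{
    uintptr_t a = (uintptr_t)p, lo = (uintptr_t)c->base;
    if (c->size < sizeof(entry_t) || a < lo) return 0;
    return a - lo <= c->size - sizeof(entry_t) && a % sizeof(void *) == 0;
}

/* 1 = found, 0 = miss, -1 = corrupted chain (caller recompiles, never derefs). */
int find_checked(const cache_t *c, size_t hvalue, const unsigned char *md5)
{
    size_t steps = 0, max = c->size / sizeof(entry_t);
    const entry_t *p;
    if (hvalue >= c->nslots) return -1;
    for (p = c->slots[hvalue]; p != NULL; p = p->next) {
        if (!ptr_in_segment(c, p) || ++steps > max) return -1;
        if (memcmp(md5, p->md5, sizeof(p->md5)) == 0) return 1;
    }
    return 0;
}

/* Constructed data. mode 0: intact chain; 1: link overwritten with the bad
 * pointer value from the ticket's "bt full"; 2: chain looped back on itself. */
int demo_lookup(int mode)
{
    static entry_t pool[4];                 /* stand-in for the shm segment */
    entry_t *slots[1] = { &pool[0] };
    cache_t c = { (unsigned char *)pool, sizeof(pool), slots, 1 };
    unsigned char want[16];
    memset(pool, 0, sizeof(pool));
    memset(pool[0].md5, 0xAA, 16);
    memset(pool[1].md5, 0xBB, 16);
    memset(want, mode == 2 ? 0xCC : 0xBB, 16);
    pool[0].next = mode == 1 ? (entry_t *)(uintptr_t)0x4bb5be86u : &pool[1];
    if (mode == 2) pool[1].next = &pool[0];
    return find_checked(&c, 0, want);
}

int main(void) { return demo_lookup(0) == 1 && demo_lookup(1) == -1 ? 0 : 1; }
```

A check like this turns the segfault into a detectable error at the first bad link, but it does not identify what overwrote the pointer.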
comment:5 Changed 11 months ago by moo
- Resolution set to invalid
- Status changed from new to closed


Any reproducible script? I can't yet find a way to reproduce it.