[PHP-BUG] Bug #60935 [NEW]: Constant memory leaking, segfaults

[vytenis dot darulis at gmail dot com]

From:             
Operating system: Debian testing (kern. 3.2.2)
PHP version:      5.3.9
Package:          Reproducible crash
Bug Type:         Bug
Bug description:Constant memory leaking, segfaults

Description:
------------
Both fpm and apache2 module leak memory constantly in our application, have
to 
set max_requests to around 100 to prevent the machine from crashing -
server 
memory is overcommited by a factor of 1.5.
Situation was normal in PHP 5.3.6, but it broke in 5.3.8-9 and 5.4
RC6/trunk 
(5.4 was compiled without suhosin).
Currently using PHP 5.3.9-1 packages from dotdeb.org, but can reproduce it
on 
latest 5.4.



Jan 30 16:06:55 ns214205 kernel: apache2[30073]: segfault at 7f6ebd094ace
ip 
00007f6ebd094ace sp 00007f6e9a82ce78 error 14
Jan 30 16:06:55 ns214205 kernel: apache2[30069]: segfault at 7f6ebd094ace
ip 
00007f6ebd094ace sp 00007f6e9c830e78 error 14 in
pdo_mysql.so[7f6ebf935000+7000]
Jan 30 16:06:55 ns214205 kernel: in pdo_mysql.so[7f6ebf935000+7000]
Jan 30 16:13:22 ns214205 kernel: apache2[44953]: segfault at 7f6ebd094ace
ip 
00007f6ebd094ace sp 00007f6e9de75e78 error 14
Jan 30 16:13:22 ns214205 kernel: apache2[44958]: segfault at 7f6ebd094ace
ip 
00007f6ebd094ace sp 00007f6e9b1dfe78 error 14 in 
libgcc_s.so.1[7f6ec05ca000+15000]
Jan 30 16:13:22 ns214205 kernel: in libgcc_s.so.1[7f6ec05ca000+15000]
Jan 30 16:24:21 ns214205 kernel: apache2[3946]: segfault at 7f6ebd094ace ip

00007f6ebd094ace sp 00007f6e9ca63e78 error 14 in
pdo_mysql.so[7f6ebf935000+7000]
Jan 30 16:28:04 ns214205 kernel: apache2[12686]: segfault at 7f6ebd094ace
ip 
00007f6ebd094ace sp 00007f6e9de75e78 error 14 in 
libmysqlclient_r.so.16.0.0[7f6ebfd58000+1cf000]

Backtrace of 16:13:22 core dump:
warning: Can't read pathname for load map: Input/output error.
[Thread debugging using libthread_db enabled]
Core was generated by `/usr/sbin/apache2 -k start'.
Program terminated with signal 11, Segmentation fault.
#0  malloc_consolidate (av=0x7f6ec6d7fe60) at malloc.c:5157
5157    malloc.c: No such file or directory.
        in malloc.c
(gdb) bt
#0  malloc_consolidate (av=0x7f6ec6d7fe60) at malloc.c:5157
#1  0x00007f6ec6a73f88 in _int_free (av=0x7f6ec6d7fe60, p=0x7f6ec964ec50)
at 
malloc.c:5034
#2  0x00007f6ec6a7738c in *__GI___libc_free (mem=<optimized out>) at 
malloc.c:3738
#3  0x00007f6ec4e88e01 in __zend_mm_shutdown_canary (heap=0x7f6ec93b67a0, 
full_shutdown=1, silent=97) at /tmp/buildd/php5-
5.3.9/Zend/zend_alloc_canary.c:1724
#4  0x00007f6ec4e16b1f in php_module_shutdown () at /tmp/buildd/php5-
5.3.9/main/main.c:2214
#5  0x00007f6ec4e16b99 in php_module_shutdown_wrapper 
(sapi_globals=0x7f6ec6d7fe60) at /tmp/buildd/php5-5.3.9/main/main.c:2169
#6  0x00007f6ec4ef88b1 in php_apache_child_shutdown (tmp=0x7f6ec6d7fe60) at

/tmp/buildd/php5-5.3.9/sapi/apache2handler/sapi_apache2.c:399
#7  0x00007f6ec6fba8ae in apr_pool_destroy () from /usr/lib/libapr-1.so.0
#8  0x00007f6ec78ae19e in clean_child_exit (code=0) at prefork.c:196
#9  0x00007f6ec78ae58c in child_main (child_num_arg=<optimized out>) at 
prefork.c:692
#10 0x00007f6ec78aec5a in make_child (slot=59, s=0x7f6ec78417f8) at 
prefork.c:768
#11 make_child (s=0x7f6ec78417f8, slot=59) at prefork.c:696
#12 0x00007f6ec78af80f in perform_idle_server_maintenance (p=<optimized
out>) at 
prefork.c:903
#13 ap_mpm_run (_pconf=<optimized out>, plog=<optimized out>, s=<optimized
out>) 
at prefork.c:1107
#14 0x00007f6ec7884a1a in main (argc=3, argv=0x7fffa6794d28) at main.c:741

(gdb) bt full
#0  malloc_consolidate (av=0x7f6ec6d7fe60) at malloc.c:5157
        fb = 0x7f6ec6d7fe88
        maxfb = 0x7f6ec6d7feb0
        p = 0x7f6ec943f870
        nextp = 0x7f6ec943f810
        unsorted_bin = 0x7f6ec6d7feb8
        first_unsorted = <optimized out>
        nextchunk = 0x7f6ec943f8d0
        size = 96
        nextsize = 176
        prevsize = <optimized out>
        bck = <optimized out>
        fwd = 0x7f6ec95b1600
        __func__ = "malloc_consolidate"
#1  0x00007f6ec6a73f88 in _int_free (av=0x7f6ec6d7fe60, p=0x7f6ec964ec50)
at 
malloc.c:5034
        size = 262160
        nextchunk = 0x7f6ec968ec60
        nextsize = 5648
        prevsize = <optimized out>
        bck = <optimized out>
        fwd = 0x61
        errstr = <optimized out>
        __func__ = "_int_free"
#2  0x00007f6ec6a7738c in *__GI___libc_free (mem=<optimized out>) at 
malloc.c:3738
        ar_ptr = 0x7f6ec6d7fe60
        p = 0x61
#3  0x00007f6ec4e88e01 in __zend_mm_shutdown_canary (heap=0x7f6ec93b67a0, 
full_shutdown=1, silent=97) at /tmp/buildd/php5-
5.3.9/Zend/zend_alloc_canary.c:1724
        internal = 0
#4  0x00007f6ec4e16b1f in php_module_shutdown () at /tmp/buildd/php5-
5.3.9/main/main.c:2214
No locals.
#5  0x00007f6ec4e16b99 in php_module_shutdown_wrapper 
(sapi_globals=0x7f6ec6d7fe60) at /tmp/buildd/php5-5.3.9/main/main.c:2169
No locals.
#6  0x00007f6ec4ef88b1 in php_apache_child_shutdown (tmp=0x7f6ec6d7fe60) at

/tmp/buildd/php5-5.3.9/sapi/apache2handler/sapi_apache2.c:399
No locals.
#7  0x00007f6ec6fba8ae in apr_pool_destroy () from /usr/lib/libapr-1.so.0


Using apc 3.1.9, PDO, PDO Mysql, mongo, imagick, memcached, igbinary, json,

filter extensions - latest from pecl (if not provided with php). Build is
not 
thread-safe. Disabling Mongo, imagick, memcached, igbinary does not seem to
help 
the situation in any way.


-- 
Edit bug report at https://bugs.php.net/bug.php?id=60935&edit=1
-- 
Try a snapshot (PHP 5.4):            
https://bugs.php.net/fix.php?id=60935&r=trysnapshot54
Try a snapshot (PHP 5.3):            
https://bugs.php.net/fix.php?id=60935&r=trysnapshot53
Try a snapshot (trunk):              
https://bugs.php.net/fix.php?id=60935&r=trysnapshottrunk
Fixed in SVN:                        
https://bugs.php.net/fix.php?id=60935&r=fixed
Fixed in SVN and need be documented: 
https://bugs.php.net/fix.php?id=60935&r=needdocs
Fixed in release:                    
https://bugs.php.net/fix.php?id=60935&r=alreadyfixed
Need backtrace:                      
https://bugs.php.net/fix.php?id=60935&r=needtrace
Need Reproduce Script:               
https://bugs.php.net/fix.php?id=60935&r=needscript
Try newer version:                   
https://bugs.php.net/fix.php?id=60935&r=oldversion
Not developer issue:                 
https://bugs.php.net/fix.php?id=60935&r=support
Expected behavior:                   
https://bugs.php.net/fix.php?id=60935&r=notwrong
Not enough info:                     
https://bugs.php.net/fix.php?id=60935&r=notenoughinfo
Submitted twice:                     
https://bugs.php.net/fix.php?id=60935&r=submittedtwice
register_globals:                    
https://bugs.php.net/fix.php?id=60935&r=globals
PHP 4 support discontinued:          
https://bugs.php.net/fix.php?id=60935&r=php4
Daylight Savings:                    https://bugs.php.net/fix.php?id=60935&r=dst
IIS Stability:                       
https://bugs.php.net/fix.php?id=60935&r=isapi
Install GNU Sed:                     
https://bugs.php.net/fix.php?id=60935&r=gnused
Floating point limitations:          
https://bugs.php.net/fix.php?id=60935&r=float
No Zend Extensions:                  
https://bugs.php.net/fix.php?id=60935&r=nozend
MySQL Configuration Error:           
https://bugs.php.net/fix.php?id=60935&r=mysqlcfg