Segmentation fault情况

[skaic]

在服务器dmesg中查到大量报错如下：

[8465402.373110] php5-fpm[2329]: segfault at 10181592f ip 00007f0f0f6709c6 sp 00007fff16283638 error 4 in libc-2.15.so[7f0f0f527000+1b5000]
[8465404.455885] php5-fpm[2367]: segfault at 2ca1000 ip 00007fe3d2e638c4 sp 00007fff96861268 error 6 in libc-2.15.so[7fe3d2d1a000+1b5000]
[8465405.006887] php5-fpm[2083]: segfault at 101870f87 ip 00007f1765c5e9c6 sp 00007fffd6a33498 error 4 in libc-2.15.so[7f1765b15000+1b5000]
[8465409.078165] php5-fpm[2423]: segfault at 5823000 ip 00007f98690618d3 sp 00007fff8191eb68 error 6 in libc-2.15.so[7f9868f18000+1b5000]
[8465420.685318] php5-fpm[2365]: segfault at 1027d5a7f ip 00007fe3d2e639c6 sp 00007fff96861268 error 4 in libc-2.15.so[7fe3d2d1a000+1b5000]
[8465425.057961] php5-fpm[2501]: segfault at 101a61a8f ip 00007f1765c5e9c6 sp 00007fffd6a33498 error 4 in libc-2.15.so[7f1765b15000+1b5000]
[8465425.703124] php5-fpm[2402]: segfault at 1dbe000 ip 00007f98690618d8 sp 00007fff8191eb68 error 6 in libc-2.15.so[7f9868f18000+1b5000]
[8465445.054118] php5-fpm[2050]: segfault at 585b000 ip 00007f98690618d8 sp 00007fff8191eb68 error 6 in libc-2.15.so[7f9868f18000+1b5000]
[8465470.522951] php5-fpm[2328]: segfault at 1024d6fff ip 00007fe3d2e639c6 sp 00007fff96861268 error 4 in libc-2.15.so[7fe3d2d1a000+1b5000]
[8465486.467350] php5-fpm[1897]: segfault at 1017a896f ip 00007f0f0f6709c6 sp 00007fff16283638 error 4 in libc-2.15.so[7f0f0f527000+1b5000]

获取core后跟踪到以下信息：

warning: Can't read pathname for load map: Input/output error.
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `php-fpm: pool www-9006 '.
Program terminated with signal 11, Segmentation fault.
#0 0x00007f44602fe8dd in ?? () from /lib/x86_64-linux-gnu/libc.so.6

(gdb) bt
#0 0x00007f44602fe8dd in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#1 0x000000000067c2e6 in _estrndup ()
#2 0x00007f4455900235 in yaf_application_parse_option (options=) at /tmp/pear/temp/yaf/yaf_application.c:143
#3 zim_yaf_application___construct (ht=, return_value=0x1f3e930, return_value_ptr=, this_ptr=0x1f3b578, return_value_used=)

at /tmp/pear/temp/yaf/yaf_application.c:358

#4 0x000000000070f05d in ?? ()
#5 0x00000000006bfbcb in execute ()
#6 0x000000000069b130 in zend_execute_scripts ()
#7 0x00000000006477a3 in php_execute_script ()
#8 0x000000000042b895 in ?? ()
#9 0x00007f44601d676d in __libc_start_main () from /lib/x86_64-linux-gnu/libc.so.6
#10 0x000000000042c0f5 in _start ()

我自己本地没重现到这个Segmentation fault，不知道是什么原因，求助 =。=

yaf版本是 2.2.9

[laruence]

这个看起来很奇怪, 代码很简单:

 if (*(Z_STRVAL_PP(ppzval) + Z_STRLEN_PP(ppzval) - 1) == DEFAULT_SLASH) {
        YAF_G(directory) = estrndup(Z_STRVAL_PP(ppzval), Z_STRLEN_PP(ppzval) - 1);    <= 说这行呢
    } else {
        YAF_G(directory) = estrndup(Z_STRVAL_PP(ppzval), Z_STRLEN_PP(ppzval));
    }

你的配置里面application.directory是个啥?

[skaic]

application.directory 写 application 的目录，是绝对地址。

而且是这个情况不是每次请求都会发生的，是fpm运行一段时间后会出现这个情况。

[laruence]

你们的PHP是什么版本? 奇怪了, 这个代码看起来不会有问题啊. 是不是你的二进制文件搞错了, bt显示的不对?

[skaic]

php版本是5.3.10 php5-fpm，ubuntu 12.04 apt-get下来的。应该不会搞错，我是直接在报错的机器上gdb的。
我在怀疑会不会是内存泄漏，php.ini 的 memory_limit 是512M。超过限制。然后就estrndup失败了？
我简单跟了下代码，貌似这一条刚好是请求中第一个申请内存的。

[wenjun1055]

鸟哥，在yaf_application还是在yaf_ dispatcher中之前的确有内存泄露，我找不到之前跟你的聊天记录了

[laruence]

如果estrndup失败, PHP会直接退出的, 不会core的

[laruence]

你gdb看看, 能不能打印出来ppzval的具体内容是啥

[skaic]

(gdb) bt
#0 0x00007f5c6c72b8c9 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#1 0x000000000067c2e6 in _estrndup ()
#2 0x00007f5c61d2d235 in yaf_application_parse_option (options=) at /tmp/pear/temp/yaf/yaf_application.c:143
#3 zim_yaf_application___construct (ht=, return_value=0x1aca368, return_value_ptr=, this_ptr=0x1ac6ff0, return_value_used=)
at /tmp/pear/temp/yaf/yaf_application.c:358
#4 0x000000000070f05d in ?? ()
#5 0x00000000006bfbcb in execute ()
#6 0x000000000069b130 in zend_execute_scripts ()
#7 0x00000000006477a3 in php_execute_script ()
#8 0x000000000042b895 in ?? ()
#9 0x00007f5c6c60376d in __libc_start_main () from /lib/x86_64-linux-gnu/libc.so.6
#10 0x000000000042c0f5 in _start ()
(gdb) up
#1 0x000000000067c2e6 in _estrndup ()
(gdb) up
#2 0x00007f5c61d2d235 in yaf_application_parse_option (options=) at /tmp/pear/temp/yaf/yaf_application.c:143
143 /tmp/pear/temp/yaf/yaf_application.c: No such file or directory.
(gdb) info locals
conf = 0x1aca1a8
ppzval = 0x1aca138
ppsval =
app = 0x1ac74e8
(gdb) p ppzval
$1 = (zval **) 0x1aca138
(gdb) x/2s 0x1aca138
0x1aca138: "\240o\254\001"
0x1aca13d: ""

这样子么？

[laruence]

恩, 然后你再p **ppzval 看看

thanks

[skaic]

(gdb) p **ppzval
$2 = {value = {lval = 28078616, dval = 1.3872679548368359e-316, str = {val = 0x1ac7218 "", len = 0}, ht = 0x1ac7218, obj = {handle = 28078616, handlers = 0x0}},
refcount__gc = 1, type = 6 '\006', is_ref__gc = 0 '\000'}

[skaic]

哦，最后 len 负一了 0.0

[skaic]

找到代码了。有这样的调用 new Yaf_Application(array("application" => array("directory"=>""))); THX 鸟哥。

[laruence]

holy shit....这个bug不应该...修复之...