swoole2.1 动态成员变量赋值 有时会coredump

[JiankangMai]

exitCode为0,signal为11

core文件代号:5061（个人备注，方便后续沟通）

调用栈：

#0 zend_mm_gc (heap=0x7ff428e00040)
at /home/bromine/php-7.2.0/Zend/zend_alloc.c:1880
#1 0x0000000000838694 in zend_mm_alloc_huge (heap=0x7ff428e00040,
size=53362937280) at /home/bromine/php-7.2.0/Zend/zend_alloc.c:1732
#2 0x000000000086efaf in zend_array_dup (source=0x7ff420fbcf50)
at /home/bromine/php-7.2.0/Zend/zend_hash.c:1823
#3 0x00000000008ec32b in ZEND_ASSIGN_OBJ_SPEC_UNUSED_CONST_OP_DATA_CV_HANDLER
(execute_data=0x7ff420d27df0)
at /home/bromine/php-7.2.0/Zend/zend_vm_execute.h:28016
#4 0x00000000008a6188 in execute_ex (ex=)
at /home/bromine/php-7.2.0/Zend/zend_vm_execute.h:59726
#5 0x00007ff422c22ab7 in sw_coro_resume (
sw_current_context=, retval=0x7ffc040081b0,
coro_retval=)
at /home/bromine/swoole-src-2.1.0/swoole_coroutine.c:506
#6 0x00007ff422c21500 in client_execute_callback (zobject=0x7ff420cd0810,
type=)
at /home/bromine/swoole-src-2.1.0/swoole_client_coro.c:183
#7 0x00007ff422c95bf7 in swClient_onWrite (reactor=,
event=0x7ffc04008280)
at /home/bromine/swoole-src-2.1.0/src/network/Client.c:1499
#8 0x00007ff422c8d69f in swReactorEpoll_wait (reactor=0x17123e0,
timeo=)
---Type to continue, or q to quit---
at /home/bromine/swoole-src-2.1.0/src/reactor/ReactorEpoll.c:261
#9 0x00007ff422ca08b9 in swWorker_loop (factory=,
worker_id=)
at /home/bromine/swoole-src-2.1.0/src/network/Worker.c:766
#10 0x00007ff422c9d7f3 in swManager_spawn_worker (factory=0x17111d8,
worker_id=0) at /home/bromine/swoole-src-2.1.0/src/network/Manager.c:488
#11 0x00007ff422c9db1e in swManager_start (factory=0x17111d8)
at /home/bromine/swoole-src-2.1.0/src/network/Manager.c:146
#12 0x00007ff422c89e71 in swFactoryProcess_start (factory=0x17111d8)
at /home/bromine/swoole-src-2.1.0/src/factory/FactoryProcess.c:86
#13 0x00007ff422c91a67 in swServer_start (serv=0x1710d80)
at /home/bromine/swoole-src-2.1.0/src/network/Server.c:724
#14 0x00007ff422c34f27 in zim_swoole_http_server_start (
execute_data=0x7ff428e1eac0, return_value=0x7ffc04008490)
at /home/bromine/swoole-src-2.1.0/swoole_http_server.c:1639
#15 0x00000000008d9d84 in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (
execute_data=0x7ff428e1e650)
at /home/bromine/php-7.2.0/Zend/zend_vm_execute.h:907
#16 0x00000000008a6188 in execute_ex (ex=)
at /home/bromine/php-7.2.0/Zend/zend_vm_execute.h:59726
#17 0x000000000090b663 in zend_execute (op_array=0x7ff428e7c2a0,
return_value=)
at /home/bromine/php-7.2.0/Zend/zend_vm_execute.h:63763
---Type to continue, or q to quit---
#18 0x000000000085e9c3 in zend_execute_scripts (type=8, retval=0x0,
file_count=3) at /home/bromine/php-7.2.0/Zend/zend.c:1496
#19 0x00000000007fd468 in php_execute_script (primary_file=0x7ffc0400b960)
at /home/bromine/php-7.2.0/main/main.c:2592
#20 0x000000000090e913 in do_cli (argc=3, argv=0x1514980)
at /home/bromine/php-7.2.0/sapi/cli/php_cli.c:1011
#21 0x000000000090f0db in main (argc=3, argv=0x1514980)
at /home/bromine/php-7.2.0/sapi/cli/php_cli.c:1404

(gdb) f 0
#0 zend_mm_gc (heap=0x7ff428e00040)
at /home/bromine/php-7.2.0/Zend/zend_alloc.c:1880
1880 ZEND_MM_CHECK(chunk->heap == heap, "zend_mm_heap corrupted");
(gdb) f 1
#1 0x0000000000838694 in zend_mm_alloc_huge (heap=0x7ff428e00040,
size=53362937280) at /home/bromine/php-7.2.0/Zend/zend_alloc.c:1732
1732 if (zend_mm_gc(heap) && heap->real_size + new_size <= heap->limit) {
(gdb) f 2
#2 0x000000000086efaf in zend_array_dup (source=0x7ff420fbcf50)
at /home/bromine/php-7.2.0/Zend/zend_hash.c:1823
1823 HT_SET_DATA_ADDR(target, emalloc(HT_SIZE(target)));
(gdb) f 4
#4 0x00000000008a6188 in execute_ex (ex=)
at /home/bromine/php-7.2.0/Zend/zend_vm_execute.h:59726
59726 if (UNEXPECTED((ret = ((opcode_handler_t)OPLINE->handler)(ZEND_OPCODE_HANDLER_ARGS_PASSTHRU)) != 0)) {

运行时linux内核信息
Linux localhost.localdomain 2.6.32-642.el6.x86_64 #1 SMP Tue May 10 17:27:01 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

编译ggc版本信息
Using built-in specs.
Target: x86_64-redhat-linux
Thread model: posix
gcc version 4.4.7 20120313 (Red Hat 4.4.7-18) (GCC)

相关php版本信息
PHP 7.2.0 (cli) (built: Dec 14 2017 08:27:04) ( NTS )
Copyright (c) 1997-2017 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2017 Zend Technologies

swoole版本信息
swoole support => enabled
Version => 2.1.0
Author => tianfeng.han[email: mikan.tenny@gmail.com]
epoll => enabled
eventfd => enabled
timerfd => enabled
signalfd => enabled
cpu affinity => enabled
spinlock => enabled
rwlock => enabled
async redis client => enabled
async http/websocket client => enabled
sockets => enabled
openssl => enabled
Linux Native AIO => enabled
zlib => enabled
mutex_timedlock => enabled
pthread_barrier => enabled
futex => enabled

Directive => Local Value => Master Value
swoole.aio_thread_num => 2 => 2
swoole.display_errors => On => On
swoole.use_namespace => 1 => 1
swoole.use_shortname => On => On
swoole.fast_serialize => Off => Off
swoole.unixsock_buffer_size => 8388608 => 8388608

[JiankangMai]

问题代码:
/** @var Swoole\Coroutine\Client client*/
$this->connection = $client;

如果client已经断开了链接,
当connection是动态成员变量时会直接coredump
当connection是显式定义的成员变量时，程序正常

[twose]

你说的动态成员变量是指没定义直接使用么?
请贴一下完整的复现代码, 看起来像是Immutable数组的错误, 你把opcache关了看看是否还会出现
最好使用最新的2.2.0版本

[matyhtf]

@JiankangMai

USE_ZEND_ALLOC=0 valgrind php your_file.php

[JiankangMai]

@matyhtf 无论export USE_ZEND_ALLOC为0/1 使用valgrind就完全不会dump,不使用valgrind才有概率dump

[matyhtf]

@JiankangMai 请使用 4.0.0-rc1 测试一下

[JiankangMai]

切换4.0后无法复现，十分稳定！