Bug #72945 for IO-Compress: Compress::Zlib::memGunzip holds reference to input parameter

Hi, thanks for the report. You mention that "Compress::Zlib::memGunzip takes a reference to $_[0] and stores it somewhere in a global". Can't say I'm aware of any global that stores a reference to $_[0] in my code. Did you confirm that was happening in your investigation, or are you assuming that must be the case if you are seeing a leak? I'm having difficulty reproducing the memory leak you are getting. I ran the code below for 30 minutes and didn't see any memory growth in the process. Does the code below leak for you? Finally, what version of Perl are you running? What platform (linux/Windows etc). Are you running mod_perl? If so, what version? use Compress::Zlib qw(memGunzip $gzerrno) ; use IO::Compress::Gzip qw(:all); use IO::File ; sub a { my $b = shift; my $u = Compress::Zlib::memGunzip($b); $b = IO::File->new(">/tmp/x"); return $u; } my $gz ; gzip \"hello world\n" => \$gz or die "cannot compress\n";; while(1) { my $d = a($gz); }

Show quoted text
Yes, I confirmed it. See example code below. Show quoted text
So it's not a "leak" in that it doesn't grow forever. It's just that somewhere there is a single reference held to the *last* input to memGunzip. Normally that's not a problem, but in long lived processes (eg apache mod_perl handlers) it can be because it can mean an object lives longer than expected. Show quoted text
It's debian linux, perl 5.10.1. ----- use Compress::Zlib; # new object my $f = test->new(); # dummy so we can call memGunzip my $z = Compress::Zlib::memGzip(""); uz($z, $f); # undef object reference, should cause test::DESTROY to be called # straight away because there should be no references left. # but that's not what happens, object is only destroyed in # global destruction phase warn "about to undef last reference"; $f = undef; warn "after undefing last reference"; sub uz { # $_[0] == gzip buffer, $_[1] == object reference my ($zp, $rp) = @_; # unzip the buffer, don't care about results. # the bug is that this ends up storing a reference to $zp somewhere # in a global Compress::Zlib::memGunzip($zp); # replace $zp with an object reference. because memGunzip holds a # reference to $zip somewhere, we now actually have a reference to # the "test" object held somewhere! $zp = $rp; return; } # Test object that logs creation/destruction package test; sub new { my $self = bless {}, 'test'; warn "new $self"; return $self; } sub DESTROY { my $self = shift; warn "destroy $self"; } ----- What you see: $ perl /tmp/t.pl new test=HASH(0x2059f70) at /tmp/t.pl line 41. about to undef last reference at /tmp/t.pl line 15. after undefing last reference at /tmp/t.pl line 17. destroy test=HASH(0x2059f70) at /tmp/t.pl line 47 during global destruction. Note that the object is only destroyed "during global destruction", not when the actual last reference is undef'd. Now if you comment out the call to memGunzip you see: $ perl /tmp/t.pl new test=HASH(0x1c25f70) at /tmp/t.pl line 41. about to undef last reference at /tmp/t.pl line 15. destroy test=HASH(0x1c25f70) at /tmp/t.pl line 47. after undefing last reference at /tmp/t.pl line 17. Which is the correct expected behaviour, the object is destroyed when the last reference to it is undef'd.

On Tue Dec 06 17:40:42 2011, PMQS wrote: Show quoted text
Perl bug to me. The thing is, that refcount is the number of references held to the $zp variable itself. So when you do $zp = $rp, it doesn't change the number of references to $zp at all, it's only changing the content of the $zp scalar (from a string to a reference) The more interesting thing is if you do a Dump before the memGunzip call and after the call. Here's what you see: Before: SV = PV(0x227c578) at 0x22a9d60 REFCNT = 1 FLAGS = (PADMY,POK,pPOK) PV = 0x1e992d0 "\37\213\10\0\0\0\0\0\0\377\3\0\0\0\0\0\0\0\0\0"\0 CUR = 20 LEN = 24 After: SV = PVIV(0x1e83928) at 0x22a9d60 REFCNT = 3 FLAGS = (PADMY,POK,OOK,pPOK) IV = 18 (OFFSET) PV = 0x1e992e2 ( "\37\213\10\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0" . ) ""\0 CUR = 0 LEN = 6 So it's the memGunzip call that adds extra references to $zp (2 extra in fact!), which is what I was seeing happening. It's possible to simulate this sort of bug by doing something like: sub addevilref { our $someglobal = \$_[0]; return "bar"; } If you now do something like: sub { my $a = "foo"; addevilref($a); $a = SomeObj->new(); } Then SomeObj won't actually be destroyed at the end of the sub like you might expect, and this is what we see memGunzip doing. Now given that different versions of perl fix it, I can see one of two options: 1. It's an internal perl bug 2. It's a bug/change of behavior in some core module included with perl Compress::Zlib uses Hope you can track it down :)

On Thu Dec 08 03:23:56 2011, PMQS wrote: Show quoted text
Interesting. I wonder what construct Compress::Zlib is using that tickles this bug, it would be nice to try and work around it if it's not hard to do. Anyway, for now I've made this patch to Cache::FastMmap to work around it. https://github.com/robmueller/cache-fastmmap/commit/e44829c2a8e0b72ef63d9811bbfdcf79a81324ac Thanks for investigating this so deeply!