PHP :: Bug #50519 :: segfault in garbage collection when using set_error

Bug #50519

segfault in garbage collection when using set_error_handler and DomDocument

Submitted:

2009-12-18 16:17 UTC

Modified:

2010-01-11 10:07 UTC

Votes:	2
Avg. Score:	4.5 ± 0.5
Reproduced:	2 of 2 (100.0%)
Same Version:	2 (100.0%)
Same OS:	1 (50.0%)

From:

robin dot kunde at gmail dot com

Assigned:

dmitry (profile)

Status:

Closed

Package:

Reproducible crash

PHP Version:

5.3, 6

OS:

Private report:

CVE-ID:

None

View Developer Edit

[2009-12-18 16:17 UTC] robin dot kunde at gmail dot com

Description:
------------
After setting a custom class based error handler, then using DomDocument, then setting the same error handler again, without resetting it first, PHP segfaults during shutdown. A function based error handler doesn't cause the problem. Executed the three commands in any other order doesn't cause the problem.

tested with:
php-5.3.1
php5.3-200912181330 (./configure --enable-debug)
libxml2 (2.7.5)

Reproduce code:
---------------
<?php

set_error_handler(array('ErrorHandler', 'handlePhpError'));

new DomDocument();

set_error_handler(array('ErrorHandler', 'handlePhpError'));

class ErrorHandler
{
  static function handlePhpError($errno, $errstr, $errfile, $errline)
  {
    return true;
  }
}

>?

Expected result:
----------------
nothing

Actual result:
--------------
segmentation fault

backtrace:

Program received signal SIGSEGV, Segmentation fault.
zval_mark_grey (pz=0x86fafec) at /home/xxx/src/php5.3-200912181330/Zend/zend_gc.c:360
360				pz = *(zval**)p->pData;
(gdb) bt
#0  zval_mark_grey (pz=0x86fafec) at /home/xxx/src/php5.3-200912181330/Zend/zend_gc.c:360
#1  0x082f3aed in gc_mark_roots () at /home/xxx/src/php5.3-200912181330/Zend/zend_gc.c:417
#2  gc_collect_cycles () at /home/xxx/src/php5.3-200912181330/Zend/zend_gc.c:628
#3  0x082d85f5 in zend_deactivate () at /home/xxx/src/php5.3-200912181330/Zend/zend.c:900
#4  0x08287953 in php_request_shutdown (dummy=0x0) at /home/xxx/src/php5.3-200912181330/main/main.c:1606
#5  0x08357956 in main (argc=2, argv=0xbffff4c4) at /home/xxx/src/php5.3-200912181330/sapi/cli/php_cli.c:1373

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2009-12-18 16:27 UTC] johannes@php.net

Please try using this snapshot:

  http://snaps.php.net/php5.3-latest.tar.gz
 
For Windows:

  http://windows.php.net/snapshots/

sounds like #43918

[2009-12-18 17:32 UTC] robin dot kunde at gmail dot com

that snapshot (200912181530) seems to be identical to the one i used 
(200912181330). anyway, the problem persists.

[2009-12-18 18:41 UTC] jani@php.net

Happens with latest SVN, disabling GC makes the crash go away. Backtrace:

Program received signal SIGSEGV, Segmentation fault.
zval_mark_grey (pz=0xa6cb578) at /home/jani/src/php-5.3/Zend/zend_gc.c:360
360                             pz = *(zval**)p->pData;
(gdb) bt
#0  zval_mark_grey (pz=0xa6cb578) at /home/jani/src/php-5.3/Zend/zend_gc.c:360
#1  0x082c5525 in gc_collect_cycles () at /home/jani/src/php-5.3/Zend/zend_gc.c:417
#2  0x082aa9d5 in zend_deactivate () at /home/jani/src/php-5.3/Zend/zend.c:900
#3  0x0825abcf in php_request_shutdown (dummy=0x0) at /home/jani/src/php-5.3/main/main.c:1606
#4  0x08329604 in main (argc=3, argv=0xbff82544) at /home/jani/src/php-5.3/sapi/cli/php_cli.c:1373

[2009-12-18 18:46 UTC] jani@php.net

Dmitry, check this out, it's your code crashing here. :)

[2009-12-18 18:47 UTC] jani@php.net

Quite likely same as bug #50382

[2009-12-25 13:11 UTC] svn@php.net

Automatic comment from SVN on behalf of dmitry
Revision: http://svn.php.net/viewvc/?view=revision&revision=292624
Log: Fixed bug #50519 (segfault in garbage collection when using set_error_handler and DomDocument)

[2009-12-25 13:11 UTC] dmitry@php.net

This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

[2009-12-31 18:17 UTC] jani@php.net

Dmitry, I don't know what you fixed but the example script still causes a segfault, with same backtrace I posted before..

[2009-12-31 18:21 UTC] jani@php.net

Well, you fixed it only with --enable-debug being used? :)

[2010-01-11 10:07 UTC] svn@php.net

Automatic comment from SVN on behalf of dmitry
Revision: http://svn.php.net/viewvc/?view=revision&revision=293400
Log: Fixed bug #50519 (segfault in garbage collection when using set_error_handler and DomDocument)

[2010-01-11 10:07 UTC] dmitry@php.net

This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

[2010-01-25 16:46 UTC] svn@php.net

Automatic comment from SVN on behalf of johannes
Revision: http://svn.php.net/viewvc/?view=revision&revision=294000
Log: merge -r292624: Fixed bug #50519 (segfault in garbage collection when using
set_error_handler and DomDocument (dmitry)

[2010-02-03 18:07 UTC] svn@php.net

Automatic comment from SVN on behalf of pajoye
Revision: http://svn.php.net/viewvc/?view=revision&revision=294427
Log: - Fixed bug #50519 (segfault in garbage collection when using set_error_handler an..

[2012-10-05 09:06 UTC] mplomer at gmx dot de

Hi ... we currently reproduced the segfault in the same line (zend_gc.c - "pz = *(zval**)p->pData;":

- PHP 5.4.7
- Very long running and memory intensive command line script
- Always reproducable


GDB-Backtrace:

Program terminated with signal 11, Segmentation fault.
#0  0x00000000006e7576 in zval_mark_grey (pz=0x2c36d00) at /usr/src/php5.4/source/php5-5.4.7/Zend/zend_gc.c:425
425                             pz = *(zval**)p->pData;

(gdb) bt
#0  0x00000000006e7576 in zval_mark_grey (pz=0x2c36d00) at /usr/src/php5.4/source/php5-5.4.7/Zend/zend_gc.c:425
#1  0x00000000006e84ce in gc_collect_cycles () at /usr/src/php5.4/source/php5-5.4.7/Zend/zend_gc.c:471
#2  0x00000000006e8864 in gc_zval_possible_root (zv=0x2c36d00) at /usr/src/php5.4/source/php5-5.4.7/Zend/zend_gc.c:166
#3  0x00000000006d5dbb in zend_hash_destroy (ht=0x1811dcb8) at /usr/src/php5.4/source/php5-5.4.7/Zend/zend_hash.c:560
#4  0x00000000006c8179 in _zval_dtor_func (zvalue=0x189270f0) at /usr/src/php5.4/source/php5-5.4.7/Zend/zend_variables.c:43
#5  0x00000000006bb29d in _zval_ptr_dtor (zval_ptr=0x2ac8cc0) at /usr/src/php5.4/source/php5-5.4.7/Zend/zend_variables.h:35
#6  0x00000000006d7f28 in _zend_hash_add_or_update (ht=0x7f27eb1873b0, arKey=0x18cb3870 "instruments", nKeyLength=12, pData=0x1,
    nDataSize=415173616, pDest=0x0, flag=6061480) at /usr/src/php5.4/source/php5-5.4.7/Zend/zend_hash.c:234
#7  0x00000000005c7da8 in T.292 (ht=0x2c36d00, arKey=0x7fff0da8a360 "\370\025\016\353'\177", nKeyLength=2, pData=0x7f27eb1a1200)
    at /usr/src/php5.4/source/php5-5.4.7/Zend/zend_hash.h:351
#8  0x00000000005ccd66 in spl_array_write_dimension_ex (check_inherited=415524600, object=0x18c466f8, offset=0x18bf5238, value=0x6a624f7961727241)
    at /usr/src/php5.4/source/php5-5.4.7/ext/spl/spl_array.c:461
#9  0x00000000005cd3b6 in zim_spl_Array_offsetSet (ht=46361856, return_value=0x7fff0da8a360, return_value_ptr=0x2, this_ptr=0x7f27eb1874f0,
    return_value_used=415173616) at /usr/src/php5.4/source/php5-5.4.7/ext/spl/spl_array.c:713
#10 0x00007f280964206b in xdebug_execute_internal () from /usr/lib/php5/20100525/xdebug.so
#11 0x0000000000745806 in zend_do_fcall_common_helper_SPEC (execute_data=0x7f280da03108)
    at /usr/src/php5.4/source/php5-5.4.7/Zend/zend_vm_execute.h:644
#12 0x0000000000732978 in execute (op_array=0x7f27eb19e648) at /usr/src/php5.4/source/php5-5.4.7/Zend/zend_vm_execute.h:410
#13 0x00007f2809642509 in xdebug_execute () from /usr/lib/php5/20100525/xdebug.so
#14 0x0000000000745b03 in zend_do_fcall_common_helper_SPEC (execute_data=0x7f280da01e40)
    at /usr/src/php5.4/source/php5-5.4.7/Zend/zend_vm_execute.h:669
#15 0x0000000000732978 in execute (op_array=0x33d0240) at /usr/src/php5.4/source/php5-5.4.7/Zend/zend_vm_execute.h:410
...

[2012-10-05 09:23 UTC] nikic@php.net

@mplomer at gmx dot de:

Your issue probably isn't related to this one, could you maybe open a new bug? It would also be nice if you could attach a short reproduce script, otherwise it's very hard to guess what is going on ;)

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Mon Dec 30 14:01:28 2024 UTC