php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #63984 Generators segfault
Submitted: 2013-01-14 11:20 UTC Modified: 2013-01-14 23:53 UTC
From: arpad@php.net Assigned: nikic (profile)
Status: Duplicate Package: Reproducible crash
PHP Version: 5.5.0alpha2 OS: Linux
Private report: No CVE-ID: None
 [2013-01-14 11:20 UTC] arpad@php.net
Description:
------------
Can't provide a reproduce script yet I'm afraid, but I have a tree of objects, some of which are generators. I think this segfault is happening when destroying the tree. The generators are likely to not have finished iterating at this point.

Program received signal SIGSEGV, Segmentation fault.
_zval_ptr_dtor (zval_ptr=0x7ffff8e08f38) at /home/arpad/w/php/php-src/Zend/zend_execute_API.c:428
428		i_zval_ptr_dtor(*zval_ptr ZEND_FILE_LINE_RELAY_CC);
(gdb) bt
#0  _zval_ptr_dtor (zval_ptr=0x7ffff8e08f38) at /home/arpad/w/php/php-src/Zend/zend_execute_API.c:428
#1  0x00007ffff417f674 in zend_generator_close (generator=0x7ffff8e084c8, finished_execution=<value optimised out>)
    at /home/arpad/w/php/php-src/Zend/zend_generators.c:132
#2  0x00007ffff417f7cb in zend_generator_free_storage (generator=0x7ffff8e084c8)
    at /home/arpad/w/php/php-src/Zend/zend_generators.c:180
#3  0x00007ffff4185823 in zend_objects_store_free_object_storage (objects=0x7ffff485bf20)
    at /home/arpad/w/php/php-src/Zend/zend_objects_API.c:92
#4  0x00007ffff414e983 in shutdown_executor () at /home/arpad/w/php/php-src/Zend/zend_execute_API.c:295
#5  0x00007ffff415d8f5 in zend_deactivate () at /home/arpad/w/php/php-src/Zend/zend.c:938
#6  0x00007ffff40fe3ec in php_request_shutdown (dummy=<value optimised out>) at /home/arpad/w/php/php-src/main/main.c:1799
#7  0x00007ffff420c2f7 in php_apache_request_dtor (r=0x7ffff8a087f0)
    at /home/arpad/w/php/php-src/sapi/apache2handler/sapi_apache2.c:507
#8  php_handler (r=0x7ffff8a087f0) at /home/arpad/w/php/php-src/sapi/apache2handler/sapi_apache2.c:679
#9  0x00007ffff7fd5478 in ap_run_handler (r=0x7ffff8a087f0) at /build/buildd/apache2-2.2.17/server/config.c:159
#10 0x00007ffff7fd58dc in ap_invoke_handler (r=0x7ffff8a087f0) at /build/buildd/apache2-2.2.17/server/config.c:377
#11 0x00007ffff7fe4cfc in ap_internal_redirect (new_uri=<value optimised out>, r=<value optimised out>)
    at /build/buildd/apache2-2.2.17/modules/http/http_request.c:549
#12 0x00007fffefdc612d in ?? () from /usr/lib/apache2/modules/mod_rewrite.so
#13 0x00007ffff7fd5478 in ap_run_handler (r=0x7ffff8830270) at /build/buildd/apache2-2.2.17/server/config.c:159
---Type <return> to continue, or q <return> to quit---
#14 0x00007ffff7fd58dc in ap_invoke_handler (r=0x7ffff8830270) at /build/buildd/apache2-2.2.17/server/config.c:377
#15 0x00007ffff7fe56c0 in ap_process_request (r=0x7ffff8830270) at /build/buildd/apache2-2.2.17/modules/http/http_request.c:282
#16 0x00007ffff7fe2698 in ap_process_http_connection (c=0x7ffff865bab0) at /build/buildd/apache2-2.2.17/modules/http/http_core.c:190
#17 0x00007ffff7fdc058 in ap_run_process_connection (c=0x7ffff865bab0) at /build/buildd/apache2-2.2.17/server/connection.c:43
#18 0x00007ffff7fea6c0 in child_main (child_num_arg=<value optimised out>)
    at /build/buildd/apache2-2.2.17/server/mpm/prefork/prefork.c:662
#19 0x00007ffff7fea986 in make_child (s=0x7ffff8214938, slot=0) at /build/buildd/apache2-2.2.17/server/mpm/prefork/prefork.c:707
#20 0x00007ffff7feb163 in ap_mpm_run (_pconf=<value optimised out>, plog=<value optimised out>, s=<value optimised out>)
    at /build/buildd/apache2-2.2.17/server/mpm/prefork/prefork.c:983
#21 0x00007ffff7fc03aa in main (argc=2, argv=0x7fffffffe5f8) at /build/buildd/apache2-2.2.17/server/main.c:741


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2013-01-14 11:43 UTC] arpad@php.net
Also the generators are all closures, the following is one of the simpler ones:

		$exp = new Ruler_Expression_Anonymous;
		$exp->provides = array('friend');

		$self = $this;
		$friends = $this->friends;

		$exp->func = function() use ($self, $friends) {
			foreach ($friends as $id => $name) {
				yield [
					'friend' => new Resource_User($id, $self),
				];
			}
		};

Bit more information from GDB (frame 1 in the above backtrace):

(gdb) p stack_frame
$1 = (void **) 0x7ffff8e08f38
(gdb) p *stack_frame
$2 = (void *) 0x0
 [2013-01-14 15:13 UTC] laruence@php.net
-Assigned To: +Assigned To: nikic
 [2013-01-14 15:21 UTC] nikic@php.net
Do you know whether this segfault happens in conjunction with a fatal error? It's probably the same as https://bugs.php.net/bug.php?id=63830.
 [2013-01-14 15:28 UTC] arpad@php.net
I think it's when "exit" is called during the execution of the generator, wasn't getting any errors though. I'll put together a repro script later.
 [2013-01-14 15:53 UTC] nikic@php.net
@arpad: If it happens when exit; is called then it's basically the same issue, just a different cause. I'll try to fix this issue sometime soon.
 [2013-01-14 23:53 UTC] arpad@php.net
Yes indeed, cheers Nikita.
 [2013-01-14 23:53 UTC] arpad@php.net
-Status: Assigned +Status: Duplicate
 [2013-01-14 23:53 UTC] arpad@php.net
Duplicate of #63830
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Oct 31 23:01:28 2024 UTC