php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #74877 Segmentation fault in zend_mm_alloc_small
Submitted: 2017-07-07 17:59 UTC Modified: 2021-06-20 04:22 UTC
Votes:13
Avg. Score:4.4 ± 1.1
Reproduced:11 of 11 (100.0%)
Same Version:9 (81.8%)
Same OS:8 (72.7%)
From: mcfedr at gmail dot com Assigned: cmb (profile)
Status: No Feedback Package: Reproducible crash
PHP Version: 7.2.0-beta1 OS: linux/macos
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: mcfedr at gmail dot com
New email:
PHP Version: OS:

 

 [2017-07-07 17:59 UTC] mcfedr at gmail dot com 
Description:
------------
This crash happens in exactly the same place each time i run this script. Its actually my entire phpunit suite for a big project, so its not easy to pin down a short reproducible test script.

If I run the individual test where the crash happens only there is no crash.

I have tried running, calling gc_disable() at the start and this crash doesnt happen.

Its a Symfony project, and the crash only happens with Symfony 3.3, no crashes for Symfony 3.2, but the size of a Symfony update makes it hard to put a finger on the change that causes the issue.

Only crashes on php >7.1 - its fine on <=7.0.

I'm very willing to provide more information, I just dont know what to add at this point.

Actual result:
--------------
Core was generated by `php ./vendor/bin/phpunit'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0000557af77e66ae in zend_mm_alloc_small (heap=0x7f604dc00040, size=216, bin_num=14, __zend_filename=0x557af7e7b100 "/usr/src/php/Zend/zend_string.h", __zend_lineno=122,
    __zend_orig_filename=0x0, __zend_orig_lineno=0) at /usr/src/php/Zend/zend_alloc.c:1261
1261			heap->free_slot[bin_num] = p->next_free_slot;
(gdb) bt
#0  0x0000557af77e66ae in zend_mm_alloc_small (heap=0x7f604dc00040, size=216, bin_num=14, __zend_filename=0x557af7e7b100 "/usr/src/php/Zend/zend_string.h", __zend_lineno=122,
    __zend_orig_filename=0x0, __zend_orig_lineno=0) at /usr/src/php/Zend/zend_alloc.c:1261
#1  0x0000557af77e6950 in zend_mm_alloc_heap (heap=0x7f604dc00040, size=216, __zend_filename=0x557af7e7b100 "/usr/src/php/Zend/zend_string.h", __zend_lineno=122,
    __zend_orig_filename=0x0, __zend_orig_lineno=0) at /usr/src/php/Zend/zend_alloc.c:1332
#2  0x0000557af77e9397 in _emalloc (size=184, __zend_filename=0x557af7e7b100 "/usr/src/php/Zend/zend_string.h", __zend_lineno=122, __zend_orig_filename=0x0,
    __zend_orig_lineno=0) at /usr/src/php/Zend/zend_alloc.c:2417
#3  0x0000557af787bb18 in zend_string_alloc (len=158, persistent=0) at /usr/src/php/Zend/zend_string.h:122
#4  0x0000557af78ffa50 in ZEND_CONCAT_SPEC_TMPVAR_CV_HANDLER () at /usr/src/php/Zend/zend_vm_execute.h:54658
#5  0x0000557af7884fd2 in execute_ex (ex=0x7f604dc1a190) at /usr/src/php/Zend/zend_vm_execute.h:429
#6  0x0000557af780880c in zend_call_function (fci=0x7ffec2dd1cb0, fci_cache=0x7ffec2dd1c80) at /usr/src/php/Zend/zend_execute_API.c:855
#7  0x0000557af784b62e in zend_call_method (object=0x7f604dc1a160, obj_ce=0x7f6043809c68, fn_proxy=0x7f6043809dc0, function_name=0x557af7e771af "getiterator",
    function_name_len=11, retval_ptr=0x7ffec2dd1d80, param_count=0, arg1=0x0, arg2=0x0) at /usr/src/php/Zend/zend_interfaces.c:99
#8  0x0000557af784b89d in zend_user_it_new_iterator (ce=0x7f6043809c68, object=0x7f604dc1a160, retval=0x7ffec2dd1d80) at /usr/src/php/Zend/zend_interfaces.c:130
#9  0x0000557af784bea9 in zend_user_it_get_new_iterator (ce=0x7f6043809c68, object=0x7f604dc1a160, by_ref=0) at /usr/src/php/Zend/zend_interfaces.c:282
#10 0x0000557af78a958c in ZEND_FE_RESET_R_SPEC_VAR_HANDLER () at /usr/src/php/Zend/zend_vm_execute.h:16508
#11 0x0000557af7884fd2 in execute_ex (ex=0x7f604dc18c60) at /usr/src/php/Zend/zend_vm_execute.h:429
#12 0x0000557af780880c in zend_call_function (fci=0x7ffec2dd20d0, fci_cache=0x7ffec2dd20a0) at /usr/src/php/Zend/zend_execute_API.c:855
#13 0x0000557af75fa599 in reflection_method_invoke (execute_data=0x7f604dc18bf0, return_value=0x7f604dc18880, variadic=0) at /usr/src/php/ext/reflection/php_reflection.c:3331
#14 0x0000557af75fa762 in zim_reflection_method_invokeArgs (execute_data=0x7f604dc18bf0, return_value=0x7f604dc18880) at /usr/src/php/ext/reflection/php_reflection.c:3367
#15 0x0000557af7886c2e in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER () at /usr/src/php/Zend/zend_vm_execute.h:1097
#16 0x0000557af7884fd2 in execute_ex (ex=0x7f604dc14030) at /usr/src/php/Zend/zend_vm_execute.h:429
#17 0x0000557af78850e7 in zend_execute (op_array=0x7f604dc7f000, return_value=0x0) at /usr/src/php/Zend/zend_vm_execute.h:474
#18 0x0000557af7822368 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/php/Zend/zend.c:1476
#19 0x0000557af7786fbb in php_execute_script (primary_file=0x7ffec2dd4820) at /usr/src/php/main/main.c:2537
#20 0x0000557af790bc03 in do_cli (argc=2, argv=0x557af9ff4090) at /usr/src/php/sapi/cli/php_cli.c:993
#21 0x0000557af790cdb8 in main (argc=2, argv=0x557af9ff4090) at /usr/src/php/sapi/cli/php_cli.c:1381


(gdb) zbacktrace
[0x7f604dc1f8f0] Symfony\Component\Cache\Adapter\FilesystemAdapter->getFile("%5B%5BC%5DKidslox%5CDevice%5CProfileBundle%5CEntity%5CDisabledAppPayload%24forceProxy%40%5BAnnot%5D%5D%5B1%5D") /Users/mcfedr/projects/kidslox/server2/vendor/symfony/symfony/src/Symfony/Component/Cache/Traits/FilesystemCommonTrait.php:101
[0x7f604dc1f630] Symfony\Component\Cache\Adapter\FilesystemAdapter->doFetch(array(1)[0x7f604dc1f680]) /Users/mcfedr/projects/kidslox/server2/vendor/symfony/symfony/src/Symfony/Component/Cache/Traits/FilesystemTrait.php:34
[0x7f604dc1f480] Symfony\Component\Cache\Adapter\AbstractAdapter->getItem("%5B%5BC%5DKidslox%5CDevice%5CProfileBundle%5CEntity%5CDisabledAppPayload%24forceProxy%40%5BAnnot%5D%5D%5B1%5D") /Users/mcfedr/projects/kidslox/server2/vendor/symfony/symfony/src/Symfony/Component/Cache/Adapter/AbstractAdapter.php:144
[0x7f604dc1f300] Symfony\Component\Cache\Adapter\ChainAdapter->getItem("%5B%5BC%5DKidslox%5CDevice%5CProfileBundle%5CEntity%5CDisabledAppPayload%24forceProxy%40%5BAnnot%5D%5D%5B1%5D") /Users/mcfedr/projects/kidslox/server2/vendor/symfony/symfony/src/Symfony/Component/Cache/Adapter/ChainAdapter.php:80
[0x7f604dc1f1b0] Symfony\Component\Cache\Adapter\TraceableAdapter->getItem("%5B%5BC%5DKidslox%5CDevice%5CProfileBundle%5CEntity%5CDisabledAppPayload%24forceProxy%40%5BAnnot%5D%5D%5B1%5D") /Users/mcfedr/projects/kidslox/server2/vendor/symfony/symfony/src/Symfony/Component/Cache/Adapter/TraceableAdapter.php:40
[0x7f604dc1f0d0] Symfony\Component\Cache\DoctrineProvider->doFetch("[[C]Kidslox\Device\ProfileBundle\Entity\DisabledAppPayload$forceProxy@[Annot]][1]") /Users/mcfedr/projects/kidslox/server2/vendor/symfony/symfony/src/Symfony/Component/Cache/DoctrineProvider.php:34
[0x7f604dc1f050] Doctrine\Common\Cache\CacheProvider->fetch("[C]Kidslox\Device\ProfileBundle\Entity\DisabledAppPayload$forceProxy@[Annot]") /Users/mcfedr/projects/kidslox/server2/vendor/doctrine/cache/lib/Doctrine/Common/Cache/CacheProvider.php:78
[0x7f604dc1ef50] Doctrine\Common\Annotations\CachedReader->isCacheFresh("Kidslox\Device\ProfileBundle\Entity\DisabledAppPayload$forceProxy@[Annot]", object[0x7f604dc1efb0]) /Users/mcfedr/projects/kidslox/server2/vendor/doctrine/annotations/lib/Doctrine/Common/Annotations/CachedReader.php:233
[0x7f604dc1ee20] Doctrine\Common\Annotations\CachedReader->fetchFromCache("Kidslox\Device\ProfileBundle\Entity\DisabledAppPayload$forceProxy", object[0x7f604dc1ee80]) /Users/mcfedr/projects/kidslox/server2/vendor/doctrine/annotations/lib/Doctrine/Common/Annotations/CachedReader.php:194
[0x7f604dc1ec50] Doctrine\Common\Annotations\CachedReader->getPropertyAnnotations(object[0x7f604dc1eca0]) /Users/mcfedr/projects/kidslox/server2/vendor/doctrine/annotations/lib/Doctrine/Common/Annotations/CachedReader.php:116
[0x7f604dc1eb90] Doctrine\Common\Annotations\CachedReader->getPropertyAnnotation(object[0x7f604dc1ebe0], "Doctrine\ORM\Mapping\JoinColumn") /Users/mcfedr/projects/kidslox/server2/vendor/doctrine/annotations/lib/Doctrine/Common/Annotations/CachedReader.php:129
[0x7f604dc1ca50] Doctrine\ORM\Mapping\Driver\AnnotationDriver->loadMetadataForClass("Kidslox\Device\ProfileBundle\Entity\DisabledAppPayload", object[0x7f604dc1cab0]) /Users/mcfedr/projects/kidslox/server2/vendor/doctrine/orm/lib/Doctrine/ORM/Mapping/Driver/AnnotationDriver.php:280
[0x7f604dc1c8e0] Doctrine\Common\Persistence\Mapping\Driver\MappingDriverChain->loadMetadataForClass("Kidslox\Device\ProfileBundle\Entity\DisabledAppPayload", object[0x7f604dc1c940]) /Users/mcfedr/projects/kidslox/server2/vendor/doctrine/common/lib/Doctrine/Common/Persistence/Mapping/Driver/MappingDriverChain.php:102
[0x7f604dc1c0c0] Doctrine\ORM\Mapping\ClassMetadataFactory->doLoadMetadata(object[0x7f604dc1c110], object[0x7f604dc1c120], true, array(1)[0x7f604dc1c140]) /Users/mcfedr/projects/kidslox/server2/vendor/doctrine/orm/lib/Doctrine/ORM/Mapping/ClassMetadataFactory.php:151
[0x7f604dc1bdd0] Doctrine\Common\Persistence\Mapping\AbstractClassMetadataFactory->loadMetadata("Kidslox\Device\ProfileBundle\Entity\DisabledAppPayload") /Users/mcfedr/projects/kidslox/server2/vendor/doctrine/common/lib/Doctrine/Common/Persistence/Mapping/AbstractClassMetadataFactory.php:332
[0x7f604dc1bce0] Doctrine\ORM\Mapping\ClassMetadataFactory->loadMetadata("Kidslox\Device\ProfileBundle\Entity\DisabledAppPayload") /Users/mcfedr/projects/kidslox/server2/vendor/doctrine/orm/lib/Doctrine/ORM/Mapping/ClassMetadataFactory.php:78
[0x7f604dc1b8b0] Doctrine\Common\Persistence\Mapping\AbstractClassMetadataFactory->getMetadataFor("Kidslox\Device\ProfileBundle\Entity\DisabledAppPayload") /Users/mcfedr/projects/kidslox/server2/vendor/doctrine/common/lib/Doctrine/Common/Persistence/Mapping/AbstractClassMetadataFactory.php:216
[0x7f604dc1b830] Doctrine\ORM\EntityManager->getClassMetadata("Kidslox\Device\ProfileBundle\Entity\DisabledAppPayload") /Users/mcfedr/projects/kidslox/server2/vendor/doctrine/orm/lib/Doctrine/ORM/EntityManager.php:281
---Type <return> to continue, or q <return> to quit---
[0x7f604dc1b260] Doctrine\ORM\Persisters\Entity\SingleTablePersister->getSelectColumnsSQL() /Users/mcfedr/projects/kidslox/server2/vendor/doctrine/orm/lib/Doctrine/ORM/Persisters/Entity/SingleTablePersister.php:71
[0x7f604dc1ac10] Doctrine\ORM\Persisters\Entity\BasicEntityPersister->getSelectSQL(array(1)[0x7f604dc1ac60], array(15)[0x7f604dc1ac70], NULL, NULL, NULL) /Users/mcfedr/projects/kidslox/server2/vendor/doctrine/orm/lib/Doctrine/ORM/Persisters/Entity/BasicEntityPersister.php:1070
[0x7f604dc1a650] Doctrine\ORM\Persisters\Entity\BasicEntityPersister->getOneToManyStatement(array(15)[0x7f604dc1a6a0], object[0x7f604dc1a6b0]) /Users/mcfedr/projects/kidslox/server2/vendor/doctrine/orm/lib/Doctrine/ORM/Persisters/Entity/BasicEntityPersister.php:1805
[0x7f604dc1a590] Doctrine\ORM\Persisters\Entity\BasicEntityPersister->loadOneToManyCollection(array(15)[0x7f604dc1a5e0], object[0x7f604dc1a5f0], object[0x7f604dc1a600]) /Users/mcfedr/projects/kidslox/server2/vendor/doctrine/orm/lib/Doctrine/ORM/Persisters/Entity/BasicEntityPersister.php:1747
[0x7f604dc1a430] Doctrine\ORM\UnitOfWork->loadCollection(object[0x7f604dc1a480]) /Users/mcfedr/projects/kidslox/server2/vendor/doctrine/orm/lib/Doctrine/ORM/UnitOfWork.php:2835
[0x7f604dc1a2c0] Doctrine\ORM\PersistentCollection->doInitialize() /Users/mcfedr/projects/kidslox/server2/vendor/doctrine/orm/lib/Doctrine/ORM/PersistentCollection.php:699
[0x7f604dc1a210] Doctrine\ORM\PersistentCollection->initialize() /Users/mcfedr/projects/kidslox/server2/vendor/doctrine/orm/lib/Doctrine/ORM/PersistentCollection.php:214
[0x7f604dc1a190] Doctrine\Common\Collections\AbstractLazyCollection->getIterator() /Users/mcfedr/projects/kidslox/server2/vendor/doctrine/collections/lib/Doctrine/Common/Collections/AbstractLazyCollection.php:274
...

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2017-07-07 19:03 UTC] mcfedr at gmail dot com 
I can potentially give access to the code to someone privately, but it is commercial code.
 [2017-07-07 20:22 UTC] mcfedr at gmail dot com 
Confirmed on 7.1.0, 7.1.7 and 7.2.0alhpa3
 [2017-07-10 10:13 UTC] laruence@php.net 
do you use any third-part extensions?

to me, this backtrace seems like a write-after-free side-affect.


thanks
 [2017-07-10 10:44 UTC] mcfedr at gmail dot com 
There were no third party extensions installed. I have tried again, with only pdo_sqlite extension installed (its required to run the tests) and the result is exactly the same. Crashes on the same line of php code, the php backtrace is the same

Having disabled all other extensions the c backtrace is slightly different, but the top is the same, crashes on a access-after-free in zend_mm_alloc_small

New result
----------

Core was generated by `php ./vendor/bin/phpunit'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0000564c35fdd6ae in zend_mm_alloc_small (heap=0x7f4d7ae00040, size=200, bin_num=14, __zend_filename=0x564c3662df28 "/usr/src/php/Zend/zend_string.h", __zend_lineno=122, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /usr/src/php/Zend/zend_alloc.c:1261
1261			heap->free_slot[bin_num] = p->next_free_slot;
(gdb) bt
#0  0x0000564c35fdd6ae in zend_mm_alloc_small (heap=0x7f4d7ae00040, size=200, bin_num=14, __zend_filename=0x564c3662df28 "/usr/src/php/Zend/zend_string.h", __zend_lineno=122, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /usr/src/php/Zend/zend_alloc.c:1261
#1  0x0000564c35fdd950 in zend_mm_alloc_heap (heap=0x7f4d7ae00040, size=200, __zend_filename=0x564c3662df28 "/usr/src/php/Zend/zend_string.h", __zend_lineno=122, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /usr/src/php/Zend/zend_alloc.c:1332
#2  0x0000564c35fe0397 in _emalloc (size=168, __zend_filename=0x564c3662df28 "/usr/src/php/Zend/zend_string.h", __zend_lineno=122, __zend_orig_filename=0x0, __zend_orig_lineno=0) at /usr/src/php/Zend/zend_alloc.c:2417
#3  0x0000564c35e7ee0c in zend_string_alloc (len=137, persistent=0) at /usr/src/php/Zend/zend_string.h:122
#4  0x0000564c35e7ee75 in zend_string_init (str=0x7f4d75384780 "%255B%255BC%255DKidslox%255CDevice%255CProfileBundle%255CEntity%255CWebFilterCategoryGroup%2524count%2540%255BAnnot%255D%255D%255B1%255D\n", len=137, persistent=0)
    at /usr/src/php/Zend/zend_string.h:158
#5  0x0000564c35e82db1 in zif_fgets (execute_data=0x7f4d7ae1f990, return_value=0x7f4d7ae1f830) at /usr/src/php/ext/standard/file.c:1018
#6  0x0000564c3607d1ec in ZEND_DO_FCALL_BY_NAME_SPEC_RETVAL_USED_HANDLER () at /usr/src/php/Zend/zend_vm_execute.h:876
#7  0x0000564c3607bfd2 in execute_ex (ex=0x7f4d7ae18c60) at /usr/src/php/Zend/zend_vm_execute.h:429
#8  0x0000564c35fff80c in zend_call_function (fci=0x7ffcb65fe4d0, fci_cache=0x7ffcb65fe4a0) at /usr/src/php/Zend/zend_execute_API.c:855
#9  0x0000564c35df1599 in reflection_method_invoke (execute_data=0x7f4d7ae18bf0, return_value=0x7f4d7ae18880, variadic=0) at /usr/src/php/ext/reflection/php_reflection.c:3331
#10 0x0000564c35df1762 in zim_reflection_method_invokeArgs (execute_data=0x7f4d7ae18bf0, return_value=0x7f4d7ae18880) at /usr/src/php/ext/reflection/php_reflection.c:3367
#11 0x0000564c3607dc2e in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER () at /usr/src/php/Zend/zend_vm_execute.h:1097
#12 0x0000564c3607bfd2 in execute_ex (ex=0x7f4d7ae14030) at /usr/src/php/Zend/zend_vm_execute.h:429
#13 0x0000564c3607c0e7 in zend_execute (op_array=0x7f4d7ae7e000, return_value=0x0) at /usr/src/php/Zend/zend_vm_execute.h:474
#14 0x0000564c36019368 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/php/Zend/zend.c:1476
#15 0x0000564c35f7dfbb in php_execute_script (primary_file=0x7ffcb6600c20) at /usr/src/php/main/main.c:2537
#16 0x0000564c36102c03 in do_cli (argc=2, argv=0x564c388bd090) at /usr/src/php/sapi/cli/php_cli.c:993
#17 0x0000564c36103db8 in main (argc=2, argv=0x564c388bd090) at /usr/src/php/sapi/cli/php_cli.c:1381
 [2017-07-18 13:32 UTC] schacht at kaliber5 dot de 
Had exatly the same issue. Updating PHPUnit 4.x to 6.x (and dependent packages) solved this for me.
 [2017-07-18 14:43 UTC] mcfedr at gmail dot com 
Interesting idea that I meant to try, and now have. Exactly the same result. Seg fault in the same place in the same test.

Clearly and issue with memory management, gc_disable and memory_limit=2G and all is fine
 [2017-07-23 14:19 UTC] mcfedr at gmail dot com
-PHP Version: 7.1.7 +PHP Version: 7.2.0-beta1
 [2017-07-23 14:19 UTC] mcfedr at gmail dot com 
Still reproduces with 7.2.0-beta1
 [2017-07-24 08:24 UTC] mcfedr at gmail dot com 
Ran with USE_ZEND_ALLOC=0 - Using php 7.2 the crash is more random now, happening in different places

With valgrind and USE_ZEND_ALLOC=0 doesnt crash, reports lots of 

==440== Conditional jump or move depends on uninitialised value(s)
==440==    at 0x4082CB7: ???
==440==    by 0xEEEB977: ???
==440==    by 0xEEEB977: ???
==440==    by 0xEEEB97B: ???
==440==    by 0xFFEFFCA9F: ???
==440==    by 0x3804FEEF: ??? (mc_malloc_wrappers.c:483)
==440==
==440== Conditional jump or move depends on uninitialised value(s)
==440==    at 0x4082CE8: ???
==440==    by 0x10C0C087: ???
==440==    by 0x10C0C087: ???
==440==    by 0x10C0C0B6: ???
==440==    by 0xFFEFFCA9F: ???
==440==    by 0x27: ???

With valgrind and without USE_ZEND_ALLOC=0

Lots of these:

==431== Conditional jump or move depends on uninitialised value(s)
==431==    at 0x40AD424: ???
==431==    by 0x22E82B7F: ???
==431==    by 0x22E82B7F: ???
==431==    by 0x22E82B8B: ???
==431==    by 0xFFEFFC6DF: ???
==431==    by 0x95015708B26750FF: ???
==431==
==431== Conditional jump or move depends on uninitialised value(s)
==431==    at 0x40AAD5C: ???
==431==    by 0x232FFE27: ???
==431==    by 0x232FFE27: ???
==431==    by 0x232FFE30: ???
==431==    by 0xFFEFFC83F: ???
==431==

Then finishes with the segfault

==431== Invalid read of size 8
==431==    at 0x58AA40: _emalloc (in /usr/local/bin/php)
==431==    by 0x643899: ZEND_CONCAT_SPEC_TMPVAR_CV_HANDLER (in /usr/local/bin/php)
==431==    by 0x659291: execute_ex (in /usr/local/bin/php)
==431==    by 0x5A203B: zend_call_function (in /usr/local/bin/php)
==431==    by 0x45D6A8: reflection_method_invoke (in /usr/local/bin/php)
==431==    by 0x65F15A: execute_ex (in /usr/local/bin/php)
==431==    by 0x65F7C3: zend_execute (in /usr/local/bin/php)
==431==    by 0x5B21A2: zend_execute_scripts (in /usr/local/bin/php)
==431==    by 0x54DB27: php_execute_script (in /usr/local/bin/php)
==431==    by 0x661ABE: do_cli (in /usr/local/bin/php)
==431==    by 0x261118: main (in /usr/local/bin/php)
==431==  Address 0x2b1d018000 is not stack'd, malloc'd or (recently) free'd
==431==
==431==
==431== Process terminating with default action of signal 11 (SIGSEGV)
==431==  Access not within mapped region at address 0x2B1D018000
==431==    at 0x58AA40: _emalloc (in /usr/local/bin/php)
==431==    by 0x643899: ZEND_CONCAT_SPEC_TMPVAR_CV_HANDLER (in /usr/local/bin/php)
==431==    by 0x659291: execute_ex (in /usr/local/bin/php)
==431==    by 0x5A203B: zend_call_function (in /usr/local/bin/php)
==431==    by 0x45D6A8: reflection_method_invoke (in /usr/local/bin/php)
==431==    by 0x65F15A: execute_ex (in /usr/local/bin/php)
==431==    by 0x65F7C3: zend_execute (in /usr/local/bin/php)
==431==    by 0x5B21A2: zend_execute_scripts (in /usr/local/bin/php)
==431==    by 0x54DB27: php_execute_script (in /usr/local/bin/php)
==431==    by 0x661ABE: do_cli (in /usr/local/bin/php)
==431==    by 0x261118: main (in /usr/local/bin/php)
==431==  If you believe this happened as a result of a stack
==431==  overflow in your program's main thread (unlikely but
==431==  possible), you can try to increase the size of the
==431==  main thread stack using the --main-stacksize= flag.
==431==  The main thread stack size used in this run was 8388608
==431==
==431== HEAP SUMMARY:
==431==     in use at exit: 26,448,791 bytes in 459,135 blocks
==431==   total heap usage: 4,214,628 allocs, 3,755,493 frees, 730,515,583 bytes allocated
==431==
==431== LEAK SUMMARY:
==431==    definitely lost: 0 bytes in 0 blocks
==431==    indirectly lost: 0 bytes in 0 blocks
==431==      possibly lost: 1,635,452 bytes in 10,610 blocks
==431==    still reachable: 24,813,339 bytes in 448,525 blocks
==431==         suppressed: 0 bytes in 0 blocks
==431== Rerun with --leak-check=full to see details of leaked memory
==431==
==431== For counts of detected and suppressed errors, rerun with: -v
==431== Use --track-origins=yes to see where uninitialised values come from
==431== ERROR SUMMARY: 135 errors from 27 contexts (suppressed: 0 from 0)
Segmentation fault
 [2017-07-31 15:35 UTC] as@php.net 
I'd take a look if you can share the source code. Email if you'd like.
 [2017-09-07 06:19 UTC] mcfedr at gmail dot com 
This appears to have been fixed for me by a symfony update.
 [2017-09-07 06:57 UTC] bruno at chalopin dot fr 
Same for me. A Symfony upgrade solved the problem.
 [2021-06-09 14:26 UTC] cmb@php.net
-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb
 [2021-06-09 14:26 UTC] cmb@php.net 
Is this still an issue with any of the actively supported PHP
versions[1]?

[1] <https://www.php.net/supported-versions.php>
 [2021-06-20 04:22 UTC] php-bugs at lists dot php dot net 
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Wed Oct 29 18:00:01 2025 UTC