Bug #50519 segfault in garbage collection when using set_error_handler and DomDocument
Submitted: 2009-12-18 16:17 UTC Modified: 2010-01-11 10:07 UTC
Votes:2
Avg. Score:4.5 ± 0.5
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:1 (50.0%)
From: robin dot kunde at gmail dot com Assigned: dmitry (profile)
Status: Closed Package: Reproducible crash
PHP Version: 5.3, 6 OS: *
Private report: No CVE-ID: None
 [2009-12-18 16:17 UTC] robin dot kunde at gmail dot com
Description:
------------
After setting a custom class based error handler, then using DomDocument, then setting the same error handler again, without resetting it first, PHP segfaults during shutdown. A function based error handler doesn't cause the problem. Executing the three commands in any other order doesn't cause the problem.

tested with:
php-5.3.1
php5.3-200912181330 (./configure --enable-debug)
libxml2 (2.7.5)

Reproduce code:
---------------
<?php

// Step 1: register a class-based (static method) error handler
set_error_handler(array('ErrorHandler', 'handlePhpError'));

// Step 2: create a DOM object (ext/dom)
new DomDocument();

// Step 3: register the same handler again without calling restore_error_handler() first
set_error_handler(array('ErrorHandler', 'handlePhpError'));

class ErrorHandler
{
  static function handlePhpError($errno, $errstr, $errfile, $errline)
  {
    return true;
  }
}

?>

Expected result:
----------------
nothing

Actual result:
--------------
segmentation fault

backtrace:

Program received signal SIGSEGV, Segmentation fault.
zval_mark_grey (pz=0x86fafec) at /home/xxx/src/php5.3-200912181330/Zend/zend_gc.c:360
360				pz = *(zval**)p->pData;
(gdb) bt
#0  zval_mark_grey (pz=0x86fafec) at /home/xxx/src/php5.3-200912181330/Zend/zend_gc.c:360
#1  0x082f3aed in gc_mark_roots () at /home/xxx/src/php5.3-200912181330/Zend/zend_gc.c:417
#2  gc_collect_cycles () at /home/xxx/src/php5.3-200912181330/Zend/zend_gc.c:628
#3  0x082d85f5 in zend_deactivate () at /home/xxx/src/php5.3-200912181330/Zend/zend.c:900
#4  0x08287953 in php_request_shutdown (dummy=0x0) at /home/xxx/src/php5.3-200912181330/main/main.c:1606
#5  0x08357956 in main (argc=2, argv=0xbffff4c4) at /home/xxx/src/php5.3-200912181330/sapi/cli/php_cli.c:1373
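The report above narrows the trigger to a class-based handler being pushed onto the error-handler stack twice around a DOM object, so the shutdown-time cycle collector walks a stale entry. The fix is the SVN revisions later in this thread; the script below is an added example, not part of the bug report or the PHP project, showing how userland code on an unpatched build can avoid the trigger pattern: register the handler idempotently and always pair a registration with restore_error_handler(). The `ErrorHandler::install()`/`uninstall()` methods and the `$installed` flag are assumptions for this example, and the syntax is kept PHP 5.3 compatible to match the affected versions.

```php
<?php
// Added example (not from the bug report): register a class-based error handler
// exactly once and pop it with restore_error_handler(), so the same callback is
// never stacked twice around a DOMDocument, the pattern the report crashes on.

class ErrorHandler
{
    // Hypothetical guard flag, not in the original report.
    private static $installed = false;

    public static function handlePhpError($errno, $errstr, $errfile, $errline)
    {
        // Record the error and return true so PHP's default handler does not run.
        fwrite(STDERR, sprintf("[%d] %s in %s:%d\n", $errno, $errstr, $errfile, $errline));
        return true;
    }

    // Idempotent registration: a second call is a no-op rather than a second push.
    public static function install()
    {
        if (self::$installed) {
            return;
        }
        set_error_handler(array('ErrorHandler', 'handlePhpError'));
        self::$installed = true;
    }

    // Pop exactly the handler install() pushed, restoring the previous one.
    public static function uninstall()
    {
        if (self::$installed) {
            restore_error_handler();
            self::$installed = false;
        }
    }
}

ErrorHandler::install();
$doc = new DOMDocument();   // ext/dom object, as in the reproduce script
ErrorHandler::install();    // no duplicate registration this time
trigger_error('constructed sample notice', E_USER_NOTICE); // routed to handlePhpError
ErrorHandler::uninstall();  // stack is back to its pre-install state before shutdown
```

The design point is that set_error_handler() is a stack push, so every registration should have a matching restore_error_handler(); keeping the pair in one class makes a stray re-registration (for example from two bootstrap files both installing the handler) harmless.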

History
 [2009-12-18 16:27 UTC] johannes@php.net
Please try using this snapshot:

  http://snaps.php.net/php5.3-latest.tar.gz
 
For Windows:

  http://windows.php.net/snapshots/

sounds like #43918
 [2009-12-18 17:32 UTC] robin dot kunde at gmail dot com
That snapshot (200912181530) seems to be identical to the one I used (200912181330). Anyway, the problem persists.
 [2009-12-18 18:41 UTC] jani@php.net
Happens with latest SVN, disabling GC makes the crash go away. Backtrace:

Program received signal SIGSEGV, Segmentation fault.
zval_mark_grey (pz=0xa6cb578) at /home/jani/src/php-5.3/Zend/zend_gc.c:360
360                             pz = *(zval**)p->pData;
(gdb) bt
#0  zval_mark_grey (pz=0xa6cb578) at /home/jani/src/php-5.3/Zend/zend_gc.c:360
#1  0x082c5525 in gc_collect_cycles () at /home/jani/src/php-5.3/Zend/zend_gc.c:417
#2  0x082aa9d5 in zend_deactivate () at /home/jani/src/php-5.3/Zend/zend.c:900
#3  0x0825abcf in php_request_shutdown (dummy=0x0) at /home/jani/src/php-5.3/main/main.c:1606
#4  0x08329604 in main (argc=3, argv=0xbff82544) at /home/jani/src/php-5.3/sapi/cli/php_cli.c:1373

 [2009-12-18 18:46 UTC] jani@php.net
Dmitry, check this out, it's your code crashing here. :)
 [2009-12-18 18:47 UTC] jani@php.net
Quite likely same as bug #50382
 [2009-12-25 13:11 UTC] svn@php.net
Automatic comment from SVN on behalf of dmitry
Revision: http://svn.php.net/viewvc/?view=revision&revision=292624
Log: Fixed bug #50519 (segfault in garbage collection when using set_error_handler and DomDocument)
 [2009-12-25 13:11 UTC] dmitry@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 [2009-12-31 18:17 UTC] jani@php.net
Dmitry, I don't know what you fixed but the example script still causes a segfault, with the same backtrace I posted before.
 [2009-12-31 18:21 UTC] jani@php.net
Well, you fixed it only with --enable-debug being used? :)
 [2010-01-11 10:07 UTC] svn@php.net
Automatic comment from SVN on behalf of dmitry
Revision: http://svn.php.net/viewvc/?view=revision&revision=293400
Log: Fixed bug #50519 (segfault in garbage collection when using set_error_handler and DomDocument)
 [2010-01-11 10:07 UTC] dmitry@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 [2010-01-25 16:46 UTC] svn@php.net
Automatic comment from SVN on behalf of johannes
Revision: http://svn.php.net/viewvc/?view=revision&revision=294000
Log: merge -r292624: Fixed bug #50519 (segfault in garbage collection when using set_error_handler and DomDocument (dmitry)
 [2010-02-03 18:07 UTC] svn@php.net
Automatic comment from SVN on behalf of pajoye
Revision: http://svn.php.net/viewvc/?view=revision&revision=294427
Log: - Fixed bug #50519 (segfault in garbage collection when using set_error_handler an..
 [2012-10-05 09:06 UTC] mplomer at gmx dot de
Hi ... we currently reproduced the segfault in the same line (zend_gc.c - "pz = *(zval**)p->pData;"):

- PHP 5.4.7
- Very long running and memory intensive command line script
- Always reproducible


GDB-Backtrace:

Program terminated with signal 11, Segmentation fault.
#0  0x00000000006e7576 in zval_mark_grey (pz=0x2c36d00) at /usr/src/php5.4/source/php5-5.4.7/Zend/zend_gc.c:425
425                             pz = *(zval**)p->pData;

(gdb) bt
#0  0x00000000006e7576 in zval_mark_grey (pz=0x2c36d00) at /usr/src/php5.4/source/php5-5.4.7/Zend/zend_gc.c:425
#1  0x00000000006e84ce in gc_collect_cycles () at /usr/src/php5.4/source/php5-5.4.7/Zend/zend_gc.c:471
#2  0x00000000006e8864 in gc_zval_possible_root (zv=0x2c36d00) at /usr/src/php5.4/source/php5-5.4.7/Zend/zend_gc.c:166
#3  0x00000000006d5dbb in zend_hash_destroy (ht=0x1811dcb8) at /usr/src/php5.4/source/php5-5.4.7/Zend/zend_hash.c:560
#4  0x00000000006c8179 in _zval_dtor_func (zvalue=0x189270f0) at /usr/src/php5.4/source/php5-5.4.7/Zend/zend_variables.c:43
#5  0x00000000006bb29d in _zval_ptr_dtor (zval_ptr=0x2ac8cc0) at /usr/src/php5.4/source/php5-5.4.7/Zend/zend_variables.h:35
#6  0x00000000006d7f28 in _zend_hash_add_or_update (ht=0x7f27eb1873b0, arKey=0x18cb3870 "instruments", nKeyLength=12, pData=0x1,
    nDataSize=415173616, pDest=0x0, flag=6061480) at /usr/src/php5.4/source/php5-5.4.7/Zend/zend_hash.c:234
#7  0x00000000005c7da8 in T.292 (ht=0x2c36d00, arKey=0x7fff0da8a360 "\370\025\016\353'\177", nKeyLength=2, pData=0x7f27eb1a1200)
    at /usr/src/php5.4/source/php5-5.4.7/Zend/zend_hash.h:351
#8  0x00000000005ccd66 in spl_array_write_dimension_ex (check_inherited=415524600, object=0x18c466f8, offset=0x18bf5238, value=0x6a624f7961727241)
    at /usr/src/php5.4/source/php5-5.4.7/ext/spl/spl_array.c:461
#9  0x00000000005cd3b6 in zim_spl_Array_offsetSet (ht=46361856, return_value=0x7fff0da8a360, return_value_ptr=0x2, this_ptr=0x7f27eb1874f0,
    return_value_used=415173616) at /usr/src/php5.4/source/php5-5.4.7/ext/spl/spl_array.c:713
#10 0x00007f280964206b in xdebug_execute_internal () from /usr/lib/php5/20100525/xdebug.so
#11 0x0000000000745806 in zend_do_fcall_common_helper_SPEC (execute_data=0x7f280da03108)
    at /usr/src/php5.4/source/php5-5.4.7/Zend/zend_vm_execute.h:644
#12 0x0000000000732978 in execute (op_array=0x7f27eb19e648) at /usr/src/php5.4/source/php5-5.4.7/Zend/zend_vm_execute.h:410
#13 0x00007f2809642509 in xdebug_execute () from /usr/lib/php5/20100525/xdebug.so
#14 0x0000000000745b03 in zend_do_fcall_common_helper_SPEC (execute_data=0x7f280da01e40)
    at /usr/src/php5.4/source/php5-5.4.7/Zend/zend_vm_execute.h:669
#15 0x0000000000732978 in execute (op_array=0x33d0240) at /usr/src/php5.4/source/php5-5.4.7/Zend/zend_vm_execute.h:410
...
 [2012-10-05 09:23 UTC] nikic@php.net
@mplomer at gmx dot de:

Your issue probably isn't related to this one, could you maybe open a new bug? It would also be nice if you could attach a short reproduce script, otherwise it's very hard to guess what is going on ;)
Last updated: Thu Jan 02 12:01:29 2025 UTC