Bug #55665 Segmentation fault in gc_mark_roots()
Submitted: 2011-09-10 11:17 UTC
Modified: 2017-01-02 13:01 UTC
Votes: 2
Avg. Score: 3.0 ± 0.0
Reproduced: 0 of 0 (0.0%)
From: mbeccati@php.net
Assigned: mbeccati
Status: Closed
Package: Reproducible crash
PHP Version: 5.3SVN-2011-09-10 (SVN)
OS: FreeBSD 6.2
Private report: No
CVE-ID: None

 [2011-09-10 11:17 UTC] mbeccati@php.net
Description:
------------
As usual with bugs related to garbage collection, I don't have a short reproduce code. The segmentation fault happens when running a pretty heavy integration test and is currently reproducible on PHP 5.3 (tested 5.3.4, 5.3.6RC3, 5.3.8 and PHP_5_3 svn HEAD). Unfortunately garbage collection is a bit too much for me to be able to make sense of it and debug the issue.

Interestingly enough I couldn't reproduce it on PHP 5.2 or PHP 5.4.

Happens both with gcc 3.4.6 and 4.2.5 with -O0.

SSH Access to the machine is available for anyone interested in investigating.



Actual result:
--------------
Here is the relevant portion of backtrace and some other gdb commands:

#0  0x000000000094a060 in gc_mark_roots () at /array1/compile/php-src/php/php-src/branches/PHP_5_3/Zend/zend_gc.c:434
434                             if (GC_ZVAL_GET_COLOR(current->u.pz) == GC_PURPLE) {
(gdb) bt full
#0  0x000000000094a060 in gc_mark_roots () at /array1/compile/php-src/php/php-src/branches/PHP_5_3/Zend/zend_gc.c:434
        current = (gc_root_buffer *) 0x11121a0
#1  0x000000000094a90c in gc_collect_cycles () at /array1/compile/php-src/php/php-src/branches/PHP_5_3/Zend/zend_gc.c:664
        p = (zval_gc_info *) 0x1e8fbd0
        q = (zval_gc_info *) 0x7fffffffccd8
        orig_free_list = (zval_gc_info *) 0x377c42d8edc99ee
        orig_next_to_free = (zval_gc_info *) 0x901e88190
        count = 0
#2  0x00000000009495c2 in gc_zval_possible_root (zv=0x3e37620) at /array1/compile/php-src/php/php-src/branches/PHP_5_3/Zend/zend_gc.c:166
        newRoot = (gc_root_buffer *) 0x0
#3  0x00000000009bb104 in ZEND_FETCH_DIM_W_SPEC_VAR_CV_HANDLER (execute_data=0x1390810) at zend_gc.h:183
        opline = (zend_op *) 0x1e8fbf8
        free_op1 = {var = 0x0}
        dim = (zval *) 0x3e37708
        container = (zval **) 0x3057850
#4  0x0000000000953c58 in execute (op_array=0x1e8be08) at zend_vm_execute.h:107
        ret = 0
        execute_data = (zend_execute_data *) 0x1390810
        nested = 1 '\001'
        original_in_execution = 0 '\0'
...
(gdb) print current->u.pz
$1 = (zval *) 0x3e9fd38
(gdb) print *current->u.pz
Cannot access memory at address 0x3e9fd38
(gdb) frame 4
#4  0x0000000000953c58 in execute (op_array=0x1e8be08) at zend_vm_execute.h:107
107                     if ((ret = EX(opline)->handler(execute_data TSRMLS_CC)) > 0) {
(gdb) dump_bt executor_globals.current_execute_data
[0x01390810] addItem() /usr/local/bamboo/test-home/xml-data/build-dir/RET-TRUNK-PHPBUG/lib/pear/Config/Container.php:153
[0x013905c0] addItem() /usr/local/bamboo/test-home/xml-data/build-dir/RET-TRUNK-PHPBUG/lib/pear/Config/Container.php:108
[0x01390450] createItem() /usr/local/bamboo/test-home/xml-data/build-dir/RET-TRUNK-PHPBUG/lib/pear/Config/Container.php:196
[0x01390008] createDirective() /usr/local/bamboo/test-home/xml-data/build-dir/RET-TRUNK-PHPBUG/lib/pear/Config/Container/PHPArray.php:113
[0x0138fbc0] _parseArray() /usr/local/bamboo/test-home/xml-data/build-dir/RET-TRUNK-PHPBUG/lib/pear/Config/Container/PHPArray.php:111
[0x0138f5a0] _parseArray() /usr/local/bamboo/test-home/xml-data/build-dir/RET-TRUNK-PHPBUG/lib/pear/Config/Container/PHPArray.php:75
[0x0138ef48] parseDatasrc() /usr/local/bamboo/test-home/xml-data/build-dir/RET-TRUNK-PHPBUG/lib/pear/Config.php:197
[0x0138ebd8] parseConfig() /usr/local/bamboo/test-home/xml-data/build-dir/RET-TRUNK-PHPBUG/lib/OA/Admin/Settings.php:364
[0x0138b9b0] writeConfigArrayToFile() /usr/local/bamboo/test-home/xml-data/build-dir/RET-TRUNK-PHPBUG/lib/OA/Admin/Settings.php:173
[0x0138b7a0] writeConfigChange() /usr/local/bamboo/test-home/xml-data/build-dir/RET-TRUNK-PHPBUG/lib/OX/Plugin/PluginManager.php:870
[0x0138ac18] _setPackage() /usr/local/bamboo/test-home/xml-data/build-dir/RET-TRUNK-PHPBUG/lib/OX/Plugin/PluginManager.php:518
[0x0138a0e8] enablePackage() /usr/local/bamboo/test-home/xml-data/build-dir/RET-TRUNK-PHPBUG/tests/testClasses/TestEnv.php:183
[0x01389198] installPluginPackage() /usr/local/bamboo/test-home/xml-data/build-dir/RET-TRUNK-PHPBUG/plugins_repo/apRetargetingDriverExternal/plugins/apRetargeting/lib/Dal/Drivers/tests/integration/External.plg.test.php:28
[0x01388f80] setUp() /usr/local/bamboo/test-home/xml-data/build-dir/RET-TRUNK-PHPBUG/lib/simpletest/invoker.php:67
[0x01388e50] invoke() /usr/local/bamboo/test-home/xml-data/build-dir/RET-TRUNK-PHPBUG/lib/simpletest/invoker.php:126
[0x01388878] invoke() /usr/local/bamboo/test-home/xml-data/build-dir/RET-TRUNK-PHPBUG/lib/simpletest/errors.php:48
[0x01388748] invoke() /usr/local/bamboo/test-home/xml-data/build-dir/RET-TRUNK-PHPBUG/lib/simpletest/invoker.php:126
[0x01388228] invoke() /usr/local/bamboo/test-home/xml-data/build-dir/RET-TRUNK-PHPBUG/lib/simpletest/exceptions.php:42
[0x01387a28] invoke() /usr/local/bamboo/test-home/xml-data/build-dir/RET-TRUNK-PHPBUG/lib/simpletest/test_case.php:135
[0x013873e0] run() /usr/local/bamboo/test-home/xml-data/build-dir/RET-TRUNK-PHPBUG/lib/simpletest/test_case.php:588
[0x01386d98] run() /usr/local/bamboo/test-home/xml-data/build-dir/RET-TRUNK-PHPBUG/lib/simpletest/test_case.php:591
[0x01386b08] run() /usr/local/bamboo/test-home/xml-data/build-dir/RET-TRUNK-PHPBUG/tests/testClasses/TestRunner.php:411
[0x01386320] runCase() /usr/local/bamboo/test-home/xml-data/build-dir/RET-TRUNK-PHPBUG/tests/testClasses/TestRunner.php:194
[0x01385040] runFile() /usr/local/bamboo/test-home/xml-data/build-dir/RET-TRUNK-PHPBUG/tests/run.php:123


 [2011-09-27 00:00 UTC] tyrael@php.net
Is it still reproducible with 5.3.8?
 [2011-09-29 06:07 UTC] mbeccati@php.net
Hi Tyrael,

I've switched the test runs to use PHP 5.3.8 and I got segmentation faults again. I will try to investigate during the weekend, but generally speaking it should be possible to trigger some. The most recent core file shows a SIGSEGV at:

#0  0x000000000094a10c in zval_scan (pz=0x0)
    at /array1/compile/php-src/php/php-src/branches/PHP_5_3/Zend/zend_gc.c:450
450             if (GC_ZVAL_GET_COLOR(pz) == GC_GREY) {
 [2013-06-28 07:33 UTC] shm@php.net
Any updates?
 [2013-06-28 07:49 UTC] mbeccati@php.net
The FreeBSD box I was using back then has been discontinued. I'll try to trigger it again on the newer (Ubuntu) build box.
 [2017-01-02 12:21 UTC] nikic@php.net
-Status: Open +Status: Feedback
 [2017-01-02 12:21 UTC] nikic@php.net
Does this problem still exist in PHP 7?
 [2017-01-02 13:00 UTC] mbeccati@php.net
-Status: Feedback +Status: Closed -Assigned To: +Assigned To: mbeccati
 [2017-01-02 13:00 UTC] mbeccati@php.net
Still getting random segmentation faults on 5.6 with that test suite. None whatsoever with PHP7+. I think we can safely mark this as closed.

Thanks!
Last updated: Sat May 03 17:01:27 2025 UTC