Bug #63635 Segfault in gc_collect_cycles
Submitted: 2012-11-28 11:17 UTC
Modified: 2012-11-29 09:54 UTC
From: remi@php.net
Assigned: dmitry
Status: Closed
Package: *General Issues
PHP Version: 5.4.9
OS: GNU/Linux (Fedora 18)
Private report: No
CVE-ID: None
 [2012-11-28 11:17 UTC] remi@php.net
Description:
------------
When using a huge object tree with a circular reference:

With zend.enable_gc=0: a lot of memory consumed
With zend.enable_gc=1: segfault

(gdb) bt
#0  0x00000000005e23d9 in gc_zval_possible_root (zv=0x19e5500) at /usr/src/debug/php-5.4.9/Zend/zend_gc.c:143
#1  0x00000000005e40f7 in zend_object_std_dtor (object=0x7fffcf6f2020) at /usr/src/debug/php-5.4.9/Zend/zend_objects.c:54
#2  0x00000000005e4129 in zend_objects_free_object_storage (object=0x7fffcf6f2020) at /usr/src/debug/php-5.4.9/Zend/zend_objects.c:137
#3  0x00000000005e9e53 in zend_objects_store_del_ref_by_handle_ex (handle=3273, handlers=<optimized out>)
    at /usr/src/debug/php-5.4.9/Zend/zend_objects_API.c:220
#4  0x00000000005e220e in gc_collect_cycles () at /usr/src/debug/php-5.4.9/Zend/zend_gc.c:832
#5  0x00000000005e2303 in gc_zobj_possible_root (zv=0x19e5500, zv@entry=0x1967560) at /usr/src/debug/php-5.4.9/Zend/zend_gc.c:221
#6  0x00000000005e23ea in gc_zval_possible_root (zv=zv@entry=0x1967560) at /usr/src/debug/php-5.4.9/Zend/zend_gc.c:143
#7  0x00000000005f2ffd in gc_zval_check_possible_root (z=0x1967560) at /usr/src/debug/php-5.4.9/Zend/zend_gc.h:183
#8  i_zval_ptr_dtor (zval_ptr=0x1967560) at /usr/src/debug/php-5.4.9/Zend/zend_execute.h:97
#9  zend_leave_helper_SPEC (execute_data=0x7ffff7f855f8) at /usr/src/debug/php-5.4.9/Zend/zend_vm_execute.h:468
#10 0x0000000000624067 in execute (op_array=0x7ffff7fbfdf8) at /usr/src/debug/php-5.4.9/Zend/zend_vm_execute.h:410
#11 0x00007ffff17e0fd2 in xdebug_execute () from /usr/lib64/php/modules/xdebug.so
#12 0x000000000066a529 in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7f85060) at /usr/src/debug/php-5.4.9/Zend/zend_vm_execute.h:669
#13 0x0000000000624067 in execute (op_array=0x7ffff7fbdab0) at /usr/src/debug/php-5.4.9/Zend/zend_vm_execute.h:410
#14 0x00007ffff17e0fd2 in xdebug_execute () from /usr/lib64/php/modules/xdebug.so
#15 0x00000000005c4dec in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=file_count@entry=3)
    at /usr/src/debug/php-5.4.9/Zend/zend.c:1309
#16 0x000000000056475d in php_execute_script (primary_file=primary_file@entry=0x7fffffffcbb0) at /usr/src/debug/php-5.4.9/main/main.c:2482
#17 0x000000000066ca66 in do_cli (argc=2, argv=0x7fffffffe048) at /usr/src/debug/php-5.4.9/sapi/cli/php_cli.c:988
#18 0x0000000000425b0a in main (argc=2, argv=0x7fffffffe048) at /usr/src/debug/php-5.4.9/sapi/cli/php_cli.c:1364


Test script:
---------------
<?php

class Node {
	public $parent = NULL;
	public $childs = array();
	
	function __construct(Node $parent=NULL) {
		if ($parent) {
			$parent->childs[] = $this;
		}
		$this->childs[] = $this;
	}
	
	function __destruct() {
		$this->childs = NULL;
	}	
}

define("MAX", 16);

while (true) {
	printf("Memory: %6.2fMB ->", memory_get_usage()/1024/1024);
	$top = new Node();
	for ($i=0 ; $i<MAX ; $i++) {
		$ci = new Node($top);
		for ($j=0 ; $j<MAX ; $j++) {
			$cj = new Node($ci);
			for ($k=0 ; $k<MAX ; $k++) {
				$ck = new Node($cj);
			}
		}
	}
	printf(" %6.2fMB\n", memory_get_usage()/1024/1024);
}


Expected result:
----------------
No segfault.

Actual result:
--------------
$ php -d zend.enable_gc=1 repro.ph
...
Memory:   3.40MB ->   5.62MB
Memory:   5.62MB ->   3.40MB
Memory:   3.40MB ->   5.62MB
Memory:   5.62MB ->   7.83MB
Memory:   7.83MB ->
Program received signal SIGSEGV, Segmentation fault.


 [2012-11-28 11:18 UTC] remi@php.net
-Summary: Segfault in gc
+Summary: Segfault in gc_collect_cycles
 [2012-11-28 11:38 UTC] remi@php.net
Note: without the circular reference, no segfault.

		$this->childs[] = $this;
 [2012-11-29 09:48 UTC] dmitry@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=92e2f2938115d2cdae185848d535380fb7694598
Log: Fixed bug #63635 (Segfault in gc_collect_cycles)
 [2012-11-29 09:48 UTC] dmitry@php.net
-Status: Open
+Status: Closed
 [2012-11-29 09:48 UTC] dmitry@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3c1888f58468ff0fd7f6c20f3fd7701ed7273647
Log: Fixed bug #63635 (Segfault in gc_collect_cycles)
 [2012-11-29 09:54 UTC] dmitry@php.net
-Assigned To:
+Assigned To: dmitry
 [2012-11-29 09:54 UTC] dmitry@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.
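
A bounded regression check for this report, added here as an example; it is not part of the report or of php-src. It runs the report's object graph for a fixed number of rounds in a child process with zend.enable_gc=1 and reports abnormal termination. The 20-round limit, the temp-file prefix and the dropped constructor type hint are assumptions of this example.

```php
<?php
// Added regression harness (not from the bug report). The reproducer runs in a
// child PHP process so that a crash is reported instead of killing the harness.
$child = <<<'PHP'
<?php
class Node {
    public $parent = NULL;
    public $childs = array();
    function __construct($parent = NULL) {   // type hint dropped (assumption)
        if ($parent) { $parent->childs[] = $this; }
        $this->childs[] = $this;             // circular reference from the report
    }
    function __destruct() { $this->childs = NULL; }
}
for ($round = 0; $round < 20; $round++) {    // bounded; 20 rounds is an assumption
    $top = new Node();
    for ($i = 0; $i < 16; $i++) {
        $ci = new Node($top);
        for ($j = 0; $j < 16; $j++) {
            $cj = new Node($ci);
            for ($k = 0; $k < 16; $k++) { $ck = new Node($cj); }
        }
    }
}
echo "done\n";
PHP;

$script = tempnam(sys_get_temp_dir(), 'gc63635');
file_put_contents($script, $child);
// Same switch as the report; php.ini stays as configured so loaded extensions match.
$cmd = escapeshellarg(PHP_BINARY) . ' -d zend.enable_gc=1 ' . escapeshellarg($script);
$pipes = array();
$proc = proc_open($cmd, array(1 => array('pipe', 'w')), $pipes);
if (!is_resource($proc)) { unlink($script); fwrite(STDERR, "cannot start child\n"); exit(2); }
$out = stream_get_contents($pipes[1]);
fclose($pipes[1]);
$exit = proc_close($proc);   // non-zero when the child crashed or was signalled
unlink($script);

// Pass only if the child exited cleanly and reached its last statement.
$ok = ($exit === 0 && substr(rtrim($out), -4) === 'done');
echo $ok ? "PASS: reproducer completed with GC enabled\n"
         : "FAIL: child exit status $exit (crash or abnormal termination)\n";
exit($ok ? 0 : 1);
```

The harness exits 0 on a pass and 1 on a failure, so it can gate a package build or CI job for the PHP binary that runs it.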


 [2012-11-30 06:30 UTC] laruence@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=92e2f2938115d2cdae185848d535380fb7694598
Log: Fixed bug #63635 (Segfault in gc_collect_cycles)
 [2012-11-30 06:31 UTC] laruence@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=92e2f2938115d2cdae185848d535380fb7694598
Log: Fixed bug #63635 (Segfault in gc_collect_cycles)
 [2012-12-19 17:55 UTC] derick@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3c1888f58468ff0fd7f6c20f3fd7701ed7273647
Log: Fixed bug #63635 (Segfault in gc_collect_cycles)
 [2012-12-19 17:55 UTC] derick@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=92e2f2938115d2cdae185848d535380fb7694598
Log: Fixed bug #63635 (Segfault in gc_collect_cycles)
 [2013-11-17 09:32 UTC] laruence@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3c1888f58468ff0fd7f6c20f3fd7701ed7273647
Log: Fixed bug #63635 (Segfault in gc_collect_cycles)
 [2014-10-07 23:21 UTC] stas@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=92e2f2938115d2cdae185848d535380fb7694598
Log: Fixed bug #63635 (Segfault in gc_collect_cycles)
 [2014-10-07 23:32 UTC] stas@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=92e2f2938115d2cdae185848d535380fb7694598
Log: Fixed bug #63635 (Segfault in gc_collect_cycles)
Last updated: Sat Dec 21 16:01:28 2024 UTC