Bug #69464 Segfault in zend_hash_destroy() during shutdown
Submitted: 2015-04-15 15:28 UTC Modified: 2015-04-20 14:09 UTC
From: berdir@php.net Assigned: dmitry (profile)
Status: Closed Package: Scripting Engine problem
PHP Version: master-Git-2015-04-15 (Git) OS: Linux
Private report: No CVE-ID: None
 [2015-04-15 15:28 UTC] berdir@php.net
Description:
------------
This is part of our efforts to get Drupal 8 green on PHP 7, see https://www.drupal.org/node/2454439.

I've been trying to test with the latest PHP 7 build, but I'm now getting a lot of segfaults during the installer and running any web test.

You can see the backtrace and code where it happens here: https://gist.githubusercontent.com/Berdir/f93e56c8a2643501ce51/raw/653fa8fea95d322f9f7836838177951db7fe57db/gistfile1.txt

I'll try to bisect this down to a certain commit, but I had troubles the last time I tried to do something like that.


Test script:
---------------
To debug, get drupal and drush (from https://github.com/drush-ops/drush), then:

gdb --args '/path/to/php7' '/path/to/drush.php' '--db-url=mysql://user:pass@localhost/db' 'si' '-y' 'standard' '-v' '-d'



 [2015-04-15 15:41 UTC] berdir@php.net
https://gist.github.com/Berdir/f93e56c8a2643501ce51 has a more up to date debug output now, which shows which object is causing the crash, based on instructions from @ircmaxell
 [2015-04-15 21:16 UTC] dmitry@php.net
-Status: Open +Status: Feedback -Assigned To: +Assigned To: dmitry
 [2015-04-15 21:16 UTC] dmitry@php.net
I didn't get how to reproduce this.
Please provide detailed instructions: what to download, which commands to run, etc.
 [2015-04-16 07:32 UTC] berdir@php.net
Not exactly sure what you need.

You need to get drupal and drush:

git clone http://git.drupal.org/project/drupal.git
git clone https://github.com/drush-ops/drush.git
cd drupal
gdb --args '/path/to/php7' '../drush/drush.php' '--db-url=mysql://user:pass@localhost/db' 'si' '-y' 'standard' '-v' '-d'

Update the path to php7 and use a valid mysql username/password and that should install drupal (which takes a while... ) and at the end, it crashes with the mentioned segfault.
 [2015-04-16 09:29 UTC] dmitry@php.net
This doesn't work for me. I followed your instructions + ran `composer update`.
Anyway, I get an error (that I expect), but not any memory corruption.

Error: Cannot use Drupal\Component\Utility\String as String because 'String' is a special class name in ...

I probably need some branch of drupal adapted for PHP7.
Also, do you use any external extension (e.g. xdebug)?
 [2015-04-17 00:33 UTC] dmitry@php.net
-Status: Feedback +Status: Assigned
 [2015-04-17 00:33 UTC] dmitry@php.net
I fixed two problems triggered by Drupal-8, however I see at least one unfixed GC related problem. It may be reproduced with a simple script. The problem must be visible with valgrind.

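<?php
// Reproducer: cyclic garbage whose destructor modifies the graph being collected.
class A {
	public $a;
	public $x;
	function __destruct() {
		// Called when the object is collected; removes part of the garbage graph.
		unset($this->x);
	}
}
$a = new A;
$a->a = $a;          // object references itself
$a->x = [];
$a->x[] =& $a->x;    // array holds a reference to itself
$a->x[] = $a;        // array also references the object
var_dump($a);
var_dump(gc_collect_cycles());
unset($a);           // drop the last outside reference; only the cycles remain
var_dump(gc_collect_cycles());
var_dump(gc_collect_cycles());
?>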

The problem is that __destructor() breaks the garbage graph, and it's destroyed only partially, and the remaining part still keeps references to deallocated data.
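A simplified C model of the hazard described in the comment above, added here as an illustration; it is not Zend engine code and not the fix that was committed. The Node struct and the functions collect_unsafe, collect_safe and run_cycle are constructed for this example, and a `freed` flag replaces free() so that stale accesses can be counted rather than crash.

```c
#include <stdio.h>
/* Toy model (constructed): the `freed` flag stands in for free(). */
typedef struct Node {
    int refcount, freed;
    int has_dtor;            /* destructor drops `next`, like unset($this->x) */
    struct Node *next;
} Node;
static int stale;            /* times freed memory would have been touched */
static void release(Node *n);
static void drop_edge(Node *n) {
    Node *c = n->next;
    n->next = NULL;
    if (c) release(c);
}
static void release(Node *n) {
    if (n->freed) { stale++; return; }
    if (--n->refcount == 0) { n->freed = 1; drop_edge(n); }
}
/* Unsafe: destructor and teardown interleaved per node. */
static void collect_unsafe(Node **g, int n) {
    for (int i = 0; i < n; i++) {
        if (g[i]->freed) { stale++; continue; }   /* dangling list entry */
        if (g[i]->has_dtor) drop_edge(g[i]);
        if (g[i]->freed) { stale++; continue; }   /* freed under the collector */
        drop_edge(g[i]);
        g[i]->freed = 1;
    }
}
/* Pin every node, run all destructors, break edges, then unpin.
 * Resurrection by a destructor is not modelled. */
static void collect_safe(Node **g, int n) {
    for (int i = 0; i < n; i++) g[i]->refcount++;
    for (int i = 0; i < n; i++) if (g[i]->has_dtor) drop_edge(g[i]);
    for (int i = 0; i < n; i++) drop_edge(g[i]);
    for (int i = 0; i < n; i++) release(g[i]);
}
/* Two-node cycle a <-> b with no outside references; a has a destructor. */
int run_cycle(int safe, int *all_freed) {
    Node a = {1, 0, 1, NULL}, b = {1, 0, 0, NULL};
    Node *g[] = {&a, &b};
    a.next = &b; b.next = &a; stale = 0;
    if (safe) collect_safe(g, 2); else collect_unsafe(g, 2);
    *all_freed = a.freed && b.freed;
    return stale;
}
int main(void) {
    int f, u = run_cycle(0, &f), s = run_cycle(1, &f);
    return printf("unsafe stale accesses: %d, safe: %d\n", u, s) < 0;
}
```

In the unsafe ordering the destructor on `a` releases `b`, which in turn releases `a`, so both entries in the collector's list are already dead when it returns to them.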
 [2015-04-17 15:41 UTC] dmitry@php.net
-Status: Assigned +Status: Feedback
 [2015-04-17 15:41 UTC] dmitry@php.net
I hope I fixed the GC problem. At least I can't reproduce it any more. Could you please retest?
 [2015-04-18 07:20 UTC] berdir@php.net
Yes, the installer works again!

I have some new issues, though...

In certain places, I get zend_mm_heap corrupted errors in the apache logs and empty responses. For example at /aggregator/sources/add (after enabling the aggregator module with drush en -y aggregator) or on /admin/modules. What's weird is that they go away when I disable opcache.

I also got another segfault, but I wasn't able to identify when exactly that happened:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  i_free_compiled_variables (execute_data=<optimized out>) at /home/berdir/tools/php-src/Zend/zend_execute.c:1810
1810				if (!Z_DELREF_P(cv)) {
(gdb) bt
#0  i_free_compiled_variables (execute_data=<optimized out>) at /home/berdir/tools/php-src/Zend/zend_execute.c:1810
#1  zend_leave_helper_SPEC () at /home/berdir/tools/php-src/Zend/zend_vm_execute.h:445
#2  0x00007f870e6957bb in execute_ex (ex=<optimized out>) at /home/berdir/tools/php-src/Zend/zend_vm_execute.h:394
#3  0x00007f870e64674e in zend_call_function (fci=fci@entry=0x7fffc29b51d0, fci_cache=<optimized out>, fci_cache@entry=0x7fffc29b51a0) at /home/berdir/tools/php-src/Zend/zend_execute_API.c:840
#4  0x00007f870e575d71 in zif_call_user_func_array (execute_data=0x7f8704e13520, return_value=0x7f8704e13510) at /home/berdir/tools/php-src/ext/standard/basic_functions.c:4787
#5  0x00007f870e6eaa2d in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER () at /home/berdir/tools/php-src/Zend/zend_vm_execute.h:691
#6  0x00007f870e6957bb in execute_ex (ex=<optimized out>) at /home/berdir/tools/php-src/Zend/zend_vm_execute.h:394
#7  0x00007f870e64674e in zend_call_function (fci=fci@entry=0x7fffc29b5410, fci_cache=<optimized out>, fci_cache@entry=0x7fffc29b53e0) at /home/berdir/tools/php-src/Zend/zend_execute_API.c:840
#8  0x00007f870e575d71 in zif_call_user_func_array (execute_data=0x7f8704e12150, return_value=0x7f8704e11fe0) at /home/berdir/tools/php-src/ext/standard/basic_functions.c:4787
#9  0x00007f870e6eaa2d in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER () at /home/berdir/tools/php-src/Zend/zend_vm_execute.h:691
#10 0x00007f870e6957bb in execute_ex (ex=<optimized out>) at /home/berdir/tools/php-src/Zend/zend_vm_execute.h:394
#11 0x00007f870e655b15 in zend_execute_scripts (type=8, retval=0x10, retval@entry=0x0, file_count=3) at /home/berdir/tools/php-src/Zend/zend.c:1398
#12 0x00007f870e5f8600 in php_execute_script (primary_file=primary_file@entry=0x7fffc29b7940) at /home/berdir/tools/php-src/main/main.c:2468
#13 0x00007f870e6ef68a in php_handler (r=<optimized out>) at /home/berdir/tools/php-src/sapi/apache2handler/sapi_apache2.c:673
#14 0x00007f8712f4ceb0 in ap_run_handler ()
#15 0x00007f8712f4d3f9 in ap_invoke_handler ()
#16 0x00007f8712f62bac in ap_internal_redirect ()

I have no idea if they are related, feel free to just close this bug report if you think not, I'll open new issues when I do more testing next week.
 [2015-04-19 21:51 UTC] berdir@php.net
I've opened https://bugs.php.net/bug.php?id=69484 for the opcache related errors. I've also had another segfault that I reported there as well, as it happened in the same test and might be related.
 [2015-04-20 14:09 UTC] dmitry@php.net
-Status: Feedback +Status: Closed
 [2015-04-20 14:09 UTC] dmitry@php.net
The GC bug is fixed.
Last updated: Fri May 09 19:01:28 2025 UTC