Bug #70007 Segmentation fault in gc_remove_zval_from_buffer
Submitted: 2015-07-07 09:29 UTC Modified: 2018-01-13 14:18 UTC
Votes:14
Avg. Score:4.8 ± 0.6
Reproduced:14 of 14 (100.0%)
Same Version:9 (64.3%)
Same OS:11 (78.6%)
From: pdecat at gmail dot com Assigned:
Status: Duplicate Package: Reproducible crash
PHP Version: 5.6.10 OS: Debian GNU/Linux 7.8
Private report: No CVE-ID: None
 [2015-07-07 09:29 UTC] pdecat at gmail dot com
Description:
------------
Under heavy load, we eventually get a SIGSEGV on a single PHP script.
Other scripts continue to work.
The same script will always segfault until the php5-fpm service is restarted.

This is with php5 packages version 5.6.10-1~dotdeb+7.3 from http://packages.dotdeb.org/dists/wheezy-php56/php5/binary-amd64/

Looks similar to https://bugs.php.net/bug.php?id=67314


Test script:
---------------
<?php

// Here is a suspicious code snippet that results in segfaults under heavy load

final class Test {
    const IDS = [
        1,
        2,
        3,
        4,
    ];

    public static function is($id) {
        return in_array($id, self::IDS);
    }
}

for ($i = 0; $i <= 1000000; $i++) {
    Test::is($i % 10);
}

Expected result:
----------------
Never segfault.

Possible workaround:

@@ -1,7 +1,7 @@
 <?php
 
 final class Test {
-    const IDS = [
+    public static $IDS = [
         1,
         2,
         3,
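Review bot: Replacing `const IDS` with `public static $IDS` widens the class API, not just the storage: the list is no longer read-only, so any code can assign `Test::$IDS = ...` and change what `is()` accepts. If the only goal is to avoid the constant-array crash, declare it `private static $IDS` and keep `is()` as the single access path; it is also worth a comment that this sidesteps the engine bug rather than fixing it.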
@@ -9,7 +9,7 @@ final class Test {
         ];
 
         public static function is($id) {
-            return in_array($id, self::IDS);
+            return in_array($id, self::$IDS);
         }
 }
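Review bot: The `self::IDS` to `self::$IDS` change inside `is()` matches the first hunk, but any external reference to `Test::IDS` elsewhere in the code base would now fail with an undefined class constant error, so grep for those before applying the workaround. Since `is()` exists to check membership in a list of integers, consider `in_array($id, self::$IDS, true)` so that values which are only loosely equal to an element (for example `true`, which compares equal to every non-zero entry) are not accepted.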


Actual result:
--------------
[05-Jul-2015 19:05:16] NOTICE: fpm is running, pid 12824
[05-Jul-2015 19:05:16] NOTICE: ready to handle connections
[06-Jul-2015 09:23:35] WARNING: [pool mypool] child 18436 exited on signal 11 (SIGSEGV - core dumped) after 5408.796888 seconds from start
[06-Jul-2015 09:23:35] NOTICE: [pool mypool] child 19100 started
[06-Jul-2015 09:23:35] WARNING: [pool mypool] child 19031 exited on signal 11 (SIGSEGV - core dumped) after 523.790290 seconds from start
[06-Jul-2015 09:23:35] NOTICE: [pool mypool] child 19101 started
[06-Jul-2015 09:23:35] WARNING: [pool mypool] child 17563 exited on signal 11 (SIGSEGV - core dumped) after 11632.329569 seconds from start
[06-Jul-2015 09:23:35] NOTICE: [pool mypool] child 19103 started
[06-Jul-2015 09:23:35] NOTICE: Finishing ...
[06-Jul-2015 09:24:05] NOTICE: Terminating ...
[06-Jul-2015 09:24:07] NOTICE: exiting, bye-bye!
[06-Jul-2015 09:24:07] NOTICE: fpm is running, pid 19129

Here is the backtrace:

(gdb) bt
#0  gc_remove_from_buffer (root=0x4) at /usr/src/builddir/Zend/zend_gc.h:189
#1  gc_remove_zval_from_buffer (zv=zv@entry=0x7f405dedb490) at /usr/src/builddir/Zend/zend_gc.c:260
#2  0x00000000007306b8 in i_zval_ptr_dtor (zval_ptr=0x7f405dedb490) at /usr/src/builddir/Zend/zend_execute.h:78
#3  _zval_ptr_dtor (zval_ptr=<optimized out>) at /usr/src/builddir/Zend/zend_execute_API.c:424
#4  0x000000000074f578 in zend_hash_destroy (ht=0x3bdf738) at /usr/src/builddir/Zend/zend_hash.c:548
#5  0x0000000000740393 in _zval_dtor_func (zvalue=0x3ed5458) at /usr/src/builddir/Zend/zend_variables.c:45
#6  0x00000000007e56f0 in _zval_dtor (zvalue=0x3ed5458) at /usr/src/builddir/Zend/zend_variables.h:35
#7  i_zval_ptr_dtor (zval_ptr=0x3ed5458) at /usr/src/builddir/Zend/zend_execute.h:79
#8  zend_vm_stack_clear_multiple (nested=0) at /usr/src/builddir/Zend/zend_execute.h:308
#9  zend_do_fcall_common_helper_SPEC (execute_data=0x7f40978a44b0) at /usr/src/builddir/Zend/zend_vm_execute.h:650
#10 0x00000000007aa848 in execute_ex (execute_data=0x7f40978a44b0) at /usr/src/builddir/Zend/zend_vm_execute.h:363
#11 0x00000000007303cd in dtrace_execute_ex (execute_data=<optimized out>) at /usr/src/builddir/Zend/zend_dtrace.c:73
#12 0x00007f408c2653bd in nr_php_execute_enabled () at /home/hudson/slave-workspace/workspace/PHP_Release_Agent/label/centos5-64-nrcamp/agent/php_execute.c:1051
#13 0x00007f408c265b52 in nr_php_execute () at /home/hudson/slave-workspace/workspace/PHP_Release_Agent/label/centos5-64-nrcamp/agent/php_execute.c:1162
#14 0x00000000007e5d08 in zend_do_fcall_common_helper_SPEC (execute_data=0x7f40978a4388) at /usr/src/builddir/Zend/zend_vm_execute.h:592
#15 0x00000000007aa848 in execute_ex (execute_data=0x7f40978a4388) at /usr/src/builddir/Zend/zend_vm_execute.h:363
#16 0x00000000007303cd in dtrace_execute_ex (execute_data=<optimized out>) at /usr/src/builddir/Zend/zend_dtrace.c:73
#17 0x00007f408c2653bd in nr_php_execute_enabled () at /home/hudson/slave-workspace/workspace/PHP_Release_Agent/label/centos5-64-nrcamp/agent/php_execute.c:1051
#18 0x00007f408c265b52 in nr_php_execute () at /home/hudson/slave-workspace/workspace/PHP_Release_Agent/label/centos5-64-nrcamp/agent/php_execute.c:1162
#19 0x0000000000732106 in zend_call_function (fci=fci@entry=0x7fff5732c490, fci_cache=0x33c6c60, fci_cache@entry=0x7fff5732c460) at /usr/src/builddir/Zend/zend_execute_API.c:829
#20 0x000000000066022f in zif_call_user_func_array (ht=<optimized out>, return_value=0x3ed4f78, return_value_ptr=<optimized out>, this_ptr=<optimized out>, return_value_used=<optimized out>)
    at /usr/src/builddir/ext/standard/basic_functions.c:4784
#21 0x00000000007304f9 in dtrace_execute_internal (execute_data_ptr=<optimized out>, fci=<optimized out>, return_value_used=<optimized out>) at /usr/src/builddir/Zend/zend_dtrace.c:97
#22 0x00000000007e56d1 in zend_do_fcall_common_helper_SPEC (execute_data=0x7f40978a4190) at /usr/src/builddir/Zend/zend_vm_execute.h:560
#23 0x00000000007aa848 in execute_ex (execute_data=0x7f40978a4190) at /usr/src/builddir/Zend/zend_vm_execute.h:363
#24 0x00000000007303cd in dtrace_execute_ex (execute_data=<optimized out>) at /usr/src/builddir/Zend/zend_dtrace.c:73
#25 0x00007f408c2653bd in nr_php_execute_enabled () at /home/hudson/slave-workspace/workspace/PHP_Release_Agent/label/centos5-64-nrcamp/agent/php_execute.c:1051
#26 0x00007f408c265b52 in nr_php_execute () at /home/hudson/slave-workspace/workspace/PHP_Release_Agent/label/centos5-64-nrcamp/agent/php_execute.c:1162
#27 0x00000000007e5d08 in zend_do_fcall_common_helper_SPEC (execute_data=0x7f40978a4030) at /usr/src/builddir/Zend/zend_vm_execute.h:592
#28 0x00000000007aa848 in execute_ex (execute_data=0x7f40978a4030) at /usr/src/builddir/Zend/zend_vm_execute.h:363
#29 0x00000000007303cd in dtrace_execute_ex (execute_data=<optimized out>) at /usr/src/builddir/Zend/zend_dtrace.c:73
#30 0x00007f408c2653bd in nr_php_execute_enabled () at /home/hudson/slave-workspace/workspace/PHP_Release_Agent/label/centos5-64-nrcamp/agent/php_execute.c:1051
#31 0x00007f408c265b52 in nr_php_execute () at /home/hudson/slave-workspace/workspace/PHP_Release_Agent/label/centos5-64-nrcamp/agent/php_execute.c:1162
#32 0x00000000007e5d08 in zend_do_fcall_common_helper_SPEC (execute_data=0x7f40978a3eb8) at /usr/src/builddir/Zend/zend_vm_execute.h:592
#33 0x00000000007aa848 in execute_ex (execute_data=0x7f40978a3eb8) at /usr/src/builddir/Zend/zend_vm_execute.h:363
#34 0x00000000007303cd in dtrace_execute_ex (execute_data=<optimized out>) at /usr/src/builddir/Zend/zend_dtrace.c:73
#35 0x00007f408c2653bd in nr_php_execute_enabled () at /home/hudson/slave-workspace/workspace/PHP_Release_Agent/label/centos5-64-nrcamp/agent/php_execute.c:1051
#36 0x00007f408c265b52 in nr_php_execute () at /home/hudson/slave-workspace/workspace/PHP_Release_Agent/label/centos5-64-nrcamp/agent/php_execute.c:1162
#37 0x00000000007e5d08 in zend_do_fcall_common_helper_SPEC (execute_data=0x7f40978a3d80) at /usr/src/builddir/Zend/zend_vm_execute.h:592
#38 0x00000000007aa848 in execute_ex (execute_data=0x7f40978a3d80) at /usr/src/builddir/Zend/zend_vm_execute.h:363
#39 0x00000000007303cd in dtrace_execute_ex (execute_data=<optimized out>) at /usr/src/builddir/Zend/zend_dtrace.c:73
#40 0x00007f408c2653bd in nr_php_execute_enabled () at /home/hudson/slave-workspace/workspace/PHP_Release_Agent/label/centos5-64-nrcamp/agent/php_execute.c:1051
#41 0x00007f408c265b52 in nr_php_execute () at /home/hudson/slave-workspace/workspace/PHP_Release_Agent/label/centos5-64-nrcamp/agent/php_execute.c:1162
#42 0x00000000007e5d08 in zend_do_fcall_common_helper_SPEC (execute_data=0x7f40978a3c48) at /usr/src/builddir/Zend/zend_vm_execute.h:592
#43 0x00000000007aa848 in execute_ex (execute_data=0x7f40978a3c48) at /usr/src/builddir/Zend/zend_vm_execute.h:363
#44 0x00000000007303cd in dtrace_execute_ex (execute_data=<optimized out>) at /usr/src/builddir/Zend/zend_dtrace.c:73
#45 0x00007f408c2655f2 in nr_php_execute_enabled () at /home/hudson/slave-workspace/workspace/PHP_Release_Agent/label/centos5-64-nrcamp/agent/php_execute.c:899
#46 0x00007f408c265b52 in nr_php_execute () at /home/hudson/slave-workspace/workspace/PHP_Release_Agent/label/centos5-64-nrcamp/agent/php_execute.c:1162
#47 0x0000000000742d28 in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=file_count@entry=3) at /usr/src/builddir/Zend/zend.c:1341
#48 0x00000000006de3c2 in php_execute_script (primary_file=primary_file@entry=0x7fff5732f510) at /usr/src/builddir/main/main.c:2597
#49 0x0000000000474b12 in main (argc=<optimized out>, argv=<optimized out>) at /usr/src/builddir/sapi/fpm/fpm/fpm_main.c:1964
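As an added illustration that is not part of the bug report: a small Python script that parses php-fpm master log lines in the format quoted under "Actual result" and flags a pool whose workers die on SIGSEGV in a burst, which is the symptom the reporter describes (one script keeps crashing workers until php-fpm is restarted). The sample lines, the 60-second window and the threshold of three exits are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the php-fpm master log format quoted above: three SIGSEGV
# exits in one pool within one second, a NOTICE line, and one unrelated SIGKILL exit.
SAMPLE_LOG = """\
[06-Jul-2015 09:23:35] WARNING: [pool mypool] child 18436 exited on signal 11 (SIGSEGV - core dumped) after 5408.796888 seconds from start
[06-Jul-2015 09:23:35] NOTICE: [pool mypool] child 19100 started
[06-Jul-2015 09:23:35] WARNING: [pool mypool] child 19031 exited on signal 11 (SIGSEGV - core dumped) after 523.790290 seconds from start
[06-Jul-2015 09:23:35] WARNING: [pool mypool] child 17563 exited on signal 11 (SIGSEGV - core dumped) after 11632.329569 seconds from start
[06-Jul-2015 09:24:01] WARNING: [pool other] child 42 exited on signal 9 (SIGKILL) after 10.000000 seconds from start
"""

# Matches "child N exited on signal S (NAME ...) after T seconds from start" warnings.
EXIT_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] WARNING: \[pool (?P<pool>[^\]]+)\] child (?P<pid>\d+) "
    r"exited on signal (?P<sig>\d+) \([^)]*\) after (?P<uptime>[\d.]+) seconds"
)
TS_FMT = "%d-%b-%Y %H:%M:%S"  # php-fpm's default log timestamp layout


def parse_worker_exits(log_text):
    """One dict per worker-exited-on-signal line; NOTICE lines are skipped."""
    exits = []
    for line in log_text.splitlines():
        m = EXIT_RE.match(line)
        if m:
            exits.append({"ts": datetime.strptime(m["ts"], TS_FMT), "pool": m["pool"],
                          "pid": int(m["pid"]), "signal": int(m["sig"]),
                          "uptime": float(m["uptime"])})
    return exits


def segfault_bursts(log_text, window_s=60, threshold=3):
    """Per pool, the start (ISO timestamp) of the first window_s span holding >= threshold SIGSEGV exits."""
    by_pool = defaultdict(list)
    for e in parse_worker_exits(log_text):
        if e["signal"] == 11:  # SIGSEGV; other signals (e.g. SIGKILL on timeout) are ignored
            by_pool[e["pool"]].append(e["ts"])
    bursts = {}
    for pool, times in by_pool.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_s:
                bursts[pool] = times[i].isoformat()
                break  # report only the first burst per pool
    return bursts
```

Pointing `segfault_bursts` at the real master log (the `error_log` of the fpm master, not the pool's worker log) gives an alert the moment a pool starts cycling workers, well before a core dump is inspected.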

 [2015-09-19 15:52 UTC] crahobzy at ukr dot net
In addition, I would say that if the const array is empty, the bug is not reproducible either.
 [2018-01-13 14:18 UTC] nikic@php.net
-Status: Open +Status: Duplicate
 [2018-01-13 14:18 UTC] nikic@php.net
Based on code and backtrace I'm pretty sure that this is the same as bug #70601, which was fixed in 5.6.15.