Bug #71973 Segfault in garbage collector
Submitted: 2016-04-06 08:00 UTC Modified: 2016-04-07 03:31 UTC
Votes:1
Avg. Score:4.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: peters at yandex dot ru Assigned:
Status: Wont fix Package: Scripting Engine problem
PHP Version: 7.0.5 OS: Linux
Private report: No CVE-ID: None
 [2016-04-06 08:00 UTC] peters at yandex dot ru
Description:
------------
Segmentation fault happens when the garbage collector tries to clean up a doubly-linked-list-like structure of objects.

Initially we caught this bug when we tried to run a test from the lrucache/lrucache package using PHP 7. Then I managed to create a minimal reproducible example, which leads to a segfault in PHP 5.6 and PHP 7.0.5 on different Linux systems (Ubuntu, Fedora, CentOS).

Test script:
---------------
<?php
// Whether segfault will happen depends on number of cycles, 1M should be enough for all systems
class Node {
        public $next;
        public $previous;
}
$head = new Node();
$tail = new Node();
$head->next = $tail;
$tail->previous = $head;
for ($i = 0; $i < 1000000; $i++) {
        $node = new Node();
        $node->previous = $head;
        $node->next = $head->next;
        $node->next->previous = $node;
        $head->next = $node;
}

Expected result:
----------------
Script should exit silently without errors.

Actual result:
--------------
Segmentation fault

Backtrace
----
#0  0x0000000000a85809 in gc_mark_grey (ref=<error reading variable: Cannot access memory at address 0x7fffff7fefe8>) at /home/petr/build/php-7.0.5/Zend/zend_gc.c:410
#1  0x0000000000a859a0 in gc_mark_grey (ref=0x7ffff030c310) at /home/petr/build/php-7.0.5/Zend/zend_gc.c:444
#2  0x0000000000a859a0 in gc_mark_grey (ref=0x7ffff030c380) at /home/petr/build/php-7.0.5/Zend/zend_gc.c:444
#3  0x0000000000a859a0 in gc_mark_grey (ref=0x7ffff030c3f0) at /home/petr/build/php-7.0.5/Zend/zend_gc.c:444
#4  0x0000000000a859a0 in gc_mark_grey (ref=0x7ffff030c460) at /home/petr/build/php-7.0.5/Zend/zend_gc.c:444
#5  0x0000000000a859a0 in gc_mark_grey (ref=0x7ffff030c4d0) at /home/petr/build/php-7.0.5/Zend/zend_gc.c:444
........
........
#65451 0x0000000000a859a0 in gc_mark_grey (ref=0x7fffebaca3f0) at /home/petr/build/php-7.0.5/Zend/zend_gc.c:444
#65452 0x0000000000a859a0 in gc_mark_grey (ref=0x7fffebaca460) at /home/petr/build/php-7.0.5/Zend/zend_gc.c:444
#65453 0x0000000000a85cb3 in gc_mark_roots () at /home/petr/build/php-7.0.5/Zend/zend_gc.c:531
#65454 0x0000000000a86d8e in zend_gc_collect_cycles () at /home/petr/build/php-7.0.5/Zend/zend_gc.c:1003
#65455 0x0000000000a85221 in gc_possible_root (ref=0x7fffebaca540) at /home/petr/build/php-7.0.5/Zend/zend_gc.c:243
#65456 0x0000000000aa6887 in zend_assign_to_variable (variable_ptr=0x7ffff02130c0, value=0x7ffff0213170, value_type=4 '\004') at /home/petr/build/php-7.0.5/Zend/zend_execute.h:109
#65457 0x0000000000af9ad7 in ZEND_ASSIGN_SPEC_CV_VAR_HANDLER (execute_data=0x7ffff0213030) at /home/petr/build/php-7.0.5/Zend/zend_vm_execute.h:33475
#65458 0x0000000000aaec50 in execute_ex (ex=0x7ffff0213030) at /home/petr/build/php-7.0.5/Zend/zend_vm_execute.h:417
#65459 0x0000000000aaed7a in zend_execute (op_array=0x7ffff0285000, return_value=0x7fffffffc980) at /home/petr/build/php-7.0.5/Zend/zend_vm_execute.h:458
#65460 0x0000000000a3c986 in zend_eval_stringl (str=0x146d180 "class Node {\n        public $next;\n        public $previous;\n}\n$head = new Node();\n$tail = new Node();\n$head->next = $tail;\n$tail->previous = $head;\nfor ($i = 0; $i < 1000000; $i++) {\n        $node = "..., str_len=349, retval_ptr=0x0, string_name=0x10d1744 "Command line code") at /home/petr/build/php-7.0.5/Zend/zend_execute_API.c:1132
#65461 0x0000000000a3cb66 in zend_eval_stringl_ex (str=0x146d180 "class Node {\n        public $next;\n        public $previous;\n}\n$head = new Node();\n$tail = new Node();\n$head->next = $tail;\n$tail->previous = $head;\nfor ($i = 0; $i < 1000000; $i++) {\n        $node = "..., str_len=349, retval_ptr=0x0, string_name=0x10d1744 "Command line code", handle_exceptions=1) at /home/petr/build/php-7.0.5/Zend/zend_execute_API.c:1173
#65462 0x0000000000a3cc01 in zend_eval_string_ex (str=0x146d180 "class Node {\n        public $next;\n        public $previous;\n}\n$head = new Node();\n$tail = new Node();\n$head->next = $tail;\n$tail->previous = $head;\nfor ($i = 0; $i < 1000000; $i++) {\n        $node = "..., retval_ptr=0x0, string_name=0x10d1744 "Command line code", handle_exceptions=1) at /home/petr/build/php-7.0.5/Zend/zend_execute_API.c:1184
#65463 0x0000000000b1a32d in do_cli (argc=3, argv=0x146d110) at /home/petr/build/php-7.0.5/sapi/cli/php_cli.c:1005
#65464 0x0000000000b1b373 in main (argc=3, argv=0x146d110) at /home/petr/build/php-7.0.5/sapi/cli/php_cli.c:1344
-----

History

 [2016-04-07 03:31 UTC] laruence@php.net
-Status: Open +Status: Wont fix
 [2016-04-07 03:31 UTC] laruence@php.net
This is a stack overflow; you can verify it by setting a bigger stack size, like:

ulimit -s 102400, then run it again.

thanks
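The diagnosis above is that marking recurses once per object (every frame from #0 to #65452 in the backtrace is gc_mark_grey calling itself), so a million-node list exhausts the default thread stack. As an added example, not PHP's own code or the reporter's, the block below rebuilds the reporter's Node structure in C and marks it with a heap-allocated worklist instead of recursion, so the same million-node list marks without raising ulimit -s. The struct, build_list and mark_grey_iterative are assumed names, and the GC color model is simplified to a single mark bit.

```c
#include <stdlib.h>
/* Added example, not PHP's code: a stand-in for the reproducer's Node objects with a
 * GC mark bit, and a grey-marking pass using an explicit worklist instead of recursion. */
typedef struct node {
    struct node *next, *previous;   /* the object's two reference slots */
    int grey;                       /* 0 = white (unvisited), 1 = grey (marked) */
} node_t;

/* Same shape as the PHP test script: head <-> tail, then `count` nodes
 * inserted directly after head. Returns head, or NULL on allocation failure. */
node_t *build_list(size_t count) {
    node_t *head = calloc(1, sizeof *head), *tail = calloc(1, sizeof *tail);
    if (!head || !tail) { free(head); free(tail); return NULL; }
    head->next = tail; tail->previous = head;
    for (size_t i = 0; i < count; i++) {
        node_t *n = calloc(1, sizeof *n);
        if (!n) break;                        /* keep the partial list walkable */
        n->previous = head; n->next = head->next;
        n->next->previous = n; head->next = n;
    }
    return head;
}
/* Mark everything reachable from `root` grey without recursion: pending objects sit in
 * a heap-allocated worklist, so marking depth is bounded by malloc rather than by the
 * thread stack. Returns the number of objects marked, or 0 if the worklist cannot grow. */
size_t mark_grey_iterative(node_t *root) {
    size_t cap = 64, top = 0, marked = 0;
    node_t **work = root ? malloc(cap * sizeof *work) : NULL;
    if (!work) return 0;
    root->grey = 1; work[top++] = root;
    while (top > 0) {
        node_t *n = work[--top];
        marked++;
        node_t *edges[2] = { n->next, n->previous };
        for (int i = 0; i < 2; i++) {
            node_t *m = edges[i];
            if (!m || m->grey) continue;      /* already marked: the cycle ends here */
            m->grey = 1;
            if (top == cap) {                 /* grow the worklist, never the C stack */
                node_t **grown = realloc(work, 2 * cap * sizeof *work);
                if (!grown) { free(work); return 0; }
                work = grown; cap *= 2;
            }
            work[top++] = m;
        }
    }
    free(work);
    return marked;
}
```

With the reporter's 1,000,000 inserted nodes the pass returns 1,000,002 (head, tail and the inserted nodes) under the default 8 MB stack, which the recursive form in the backtrace cannot do.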
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Sun Jul 06 11:02:27 2025 UTC