Bug #72286 Segmentation fault (segfault) During Garbage Collection
Submitted: 2016-05-30 02:49 UTC Modified: 2017-01-02 14:07 UTC
Votes:2
Avg. Score:3.5 ± 0.5
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:1 (50.0%)
From: php at mattlight dot biz Assigned: dmitry (profile)
Status: Closed Package: Reproducible crash
PHP Version: 5.6.23 OS: CentOS Linux release 7.2.1511
Private report: No CVE-ID: None
 [2016-05-30 02:49 UTC] php at mattlight dot biz
Description:
------------
A segmentation fault occurs during garbage collection when the following criteria are all met:
 - Object "A" stores a reference to itself in an instance variable
 - Object "A" also stores another object, Object "B" in another instance variable (instance of stdClass is fine)
 - The destructor of object "A" attempts to reference object "B" only after checking that object "B" is still set
 - Object "A" is instantiated from some other object

The issue affects PHP 5.6 and 5.5 (and 5.4), but not 7.0. I have set the test case up in Travis CI: https://travis-ci.org/lightster/php-circular-reference-segfault

The scenario I presented is a simplified scenario of an issue I encountered when using phpamqplib. Other people have reported this issue to phpamqplib but since the library is written purely in PHP it cannot be responsible for preventing a segmentation fault: https://github.com/php-amqplib/php-amqplib/issues/261

My bug report might be the same issue that was reported in https://bugs.php.net/bug.php?id=71958 but I was unable to confirm one way or another.

Test script:
---------------
https://raw.githubusercontent.com/lightster/php-circular-reference-segfault/master/segfault.php

Expected result:
----------------
I would expect either "the object exists" or "will not get here" to be output. I know the order in which destructors are called is documented to be undefined, so either output is probably acceptable.

Actual result:
--------------
PHP exits with a segmentation fault:

Array
(
    [0] => Core
    [1] => date
    [2] => ereg
    [3] => libxml
    [4] => openssl
    [5] => pcre
    [6] => zlib
    [7] => filter
    [8] => hash
    [9] => pcntl
    [10] => readline
    [11] => Reflection
    [12] => SPL
    [13] => session
    [14] => standard
    [15] => mhash
)
string(24) "we are about to segfault"
string(15) "segfaults here:"
Segmentation fault (core dumped)
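The four criteria from the description, as an added reproduction sketch written for this page: it is not the linked segfault.php, the class, property and method names are assumed, and only the string literals follow the report's expected and actual output. A release() method shows the defensive teardown that frees the object by refcounting instead of handing it to the cycle collector.

```php
<?php
// Reconstruction of the report's four criteria; not the linked segfault.php.
// Class, property and method names are assumed. The report says PHP 5.4-5.6
// (opcache disabled) crash in gc_collect_cycles(); PHP 7.0+ is unaffected.
class Holder
{
    public $self;  // criterion 1: A keeps a reference to itself
    public $other; // criterion 2: A also holds another object B (stdClass is enough)
    public function __construct()
    {
        $this->self  = $this;
        $this->other = new stdClass();
    }

    // criterion 3: touch B only after checking it is still set. During cycle
    // collection B's storage can already be released while the property still
    // holds its handle, so isset() passes and var_dump() reads freed memory
    // (the valgrind trace on this page shows the bad read in zend_std_object_get_class).
    public function __destruct()
    {
        if (isset($this->other)) {
            var_dump("segfaults here:");
            var_dump($this->other);
            var_dump("the object exists");
        } else {
            var_dump("will not get here");
        }
    }

    // Defensive variant: break the cycle explicitly so A is freed by plain
    // refcounting while B is still alive, never reaching the cycle collector.
    public function release()
    {
        $this->self = null;
    }
}

class Factory
{
    public function make() // criterion 4: A is instantiated from another object
    {
        return new Holder();
    }
}

$a = (new Factory())->make();
// $a->release(); // uncomment for the safe, refcount-driven teardown path
unset($a);        // last external reference dropped; the self-cycle keeps A alive
var_dump("we are about to segfault");
gc_collect_cycles(); // crash point in the report (see the gdb backtrace below)
```

With release() called before unset(), the destructor runs during normal refcount-driven destruction while $other is still a live object, which is the pattern to prefer in library code that must run on the affected 5.x releases.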

History

 [2016-05-30 03:05 UTC] php at mattlight dot biz
In case it might be useful, here is the gdb output:

(gdb) bt
#0  0x00007f5966ac5e98 in zend_std_object_get_class ()
#1  0x00007f5966ac5ec5 in zend_std_get_debug_info ()
#2  0x00007f5966a16e83 in php_var_dump ()
#3  0x00007f5966a1730a in zif_var_dump ()
#4  0x00007f5966a8ce1b in dtrace_execute_internal ()
#5  0x00007f5966b468e4 in zend_do_fcall_common_helper_SPEC ()
#6  0x00007f5966adac28 in execute_ex ()
#7  0x00007f5966a8ccf9 in dtrace_execute_ex ()
#8  0x00007f5966a8eaf3 in zend_call_function ()
#9  0x00007f5966ab6838 in zend_call_method ()
#10 0x00007f5966ac5929 in zend_objects_destroy_object ()
#11 0x00007f5966abf04a in gc_collect_cycles ()
#12 0x00007f5966aaf889 in zif_gc_collect_cycles ()
#13 0x00007f5966a8ce1b in dtrace_execute_internal ()
#14 0x00007f5966b468e4 in zend_do_fcall_common_helper_SPEC ()
#15 0x00007f5966adac28 in execute_ex ()
#16 0x00007f5966a8ccf9 in dtrace_execute_ex ()
#17 0x00007f5966a9fa6b in zend_execute_scripts ()
#18 0x00007f5966a3aea2 in php_execute_script ()
#19 0x00007f5966b487e8 in do_cli ()
#20 0x00007f5966918f6a in main ()
 [2016-07-14 09:25 UTC] dmitry@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: dmitry
 [2016-07-14 09:25 UTC] dmitry@php.net
The bug seems to be fixed in PHP-5.5.
I can reproduce it with PHP-5.4, but not with PHP-5.5 and above.
Please verify and re-open, if it's still reproducible for you.
 [2016-07-14 15:34 UTC] php at mattlight dot biz
-Status: Closed +Status: Assigned -PHP Version: 5.6.22 +PHP Version: 5.6.23
 [2016-07-14 15:34 UTC] php at mattlight dot biz
This error is still reproducible on my end with the latest version of PHP 5.6 (5.6.23).

Here is the output I produced as of a few minutes ago:
[boxkeeper@macaroon-dev php-circular-reference-segfault]$ php segfault.php 
Array
(
    [0] => Core
    [1] => date
    [2] => ereg
    [3] => libxml
    [4] => openssl
    [5] => pcre
    [6] => zlib
    [7] => filter
    [8] => hash
    [9] => pcntl
    [10] => readline
    [11] => Reflection
    [12] => SPL
    [13] => session
    [14] => standard
    [15] => mhash
)
string(24) "we are about to segfault"
string(15) "segfaults here:"
Segmentation fault


[boxkeeper@macaroon-dev php-circular-reference-segfault]$ echo $?
139


[boxkeeper@macaroon-dev php-circular-reference-segfault]$ php --version
PHP 5.6.23 (cli) (built: Jun 22 2016 08:56:52) 
Copyright (c) 1997-2016 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2016 Zend Technologies
[boxkeeper@macaroon-dev php-circular-reference-segfault]$
 [2016-07-14 15:56 UTC] dmitry@php.net
Got it. It's reproducible on PHP-5.* with opcache disabled.

$ USE_ZEND_ALLOC=0 valgrind php5.6/CGI-DEBUG/sapi/cli/php -n bug72286.php

==9892== Invalid read of size 4
==9892==    at 0x8642AC4: zend_std_object_get_class (zend_object_handlers.c:1528)
==9892==    by 0x86159DD: zend_get_class_entry (zend_API.c:238)
==9892==    by 0x863E671: zend_std_get_debug_info (zend_object_handlers.c:140)
==9892==    by 0x84D26C7: php_var_dump (var.c:129)
==9892==    by 0x84D29EA: zif_var_dump (var.c:183)
==9892==    by 0x8649A92: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:558)
==9892==    by 0x864E037: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:2602)
==9892==    by 0x864936C: execute_ex (zend_vm_execute.h:363)
==9892==    by 0x86493CD: zend_execute (zend_vm_execute.h:388)
==9892==    by 0x86048E1: zend_call_function (zend_execute_API.c:829)
==9892==    by 0x862CD3F: zend_call_method (zend_interfaces.c:97)
==9892==    by 0x863DBDA: zend_objects_destroy_object (zend_objects.c:123)
==9892==  Address 0xffffffff is not stack'd, malloc'd or (recently) free'd

PHP-7.0 works fine.
 [2016-07-14 19:40 UTC] dmitry@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=1c84b55adea936b065a20102202bea3d1d243225
Log: Fixed bug #72286 (Segmentation fault During Garbage Collection)
 [2016-07-14 19:40 UTC] dmitry@php.net
-Status: Assigned +Status: Closed
 [2016-07-16 21:03 UTC] nikic@php.net
Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src.git;a=commit;h=171c759d791f809ebc31711fd0b0b5bb632cd2cc
Log: Revert "Fixed bug #72286 (Segmentation fault During Garbage Collection)"
 [2016-07-16 21:04 UTC] nikic@php.net
-Status: Closed +Status: Re-Opened
 [2016-07-16 21:04 UTC] nikic@php.net
Commit reverted due to segfaults.
 [2016-10-17 10:11 UTC] bwoebi@php.net
Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src.git;a=commit;h=171c759d791f809ebc31711fd0b0b5bb632cd2cc
Log: Revert "Fixed bug #72286 (Segmentation fault During Garbage Collection)"
 [2016-10-17 10:11 UTC] bwoebi@php.net
-Status: Re-Opened +Status: Closed
 [2016-10-17 10:11 UTC] bwoebi@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=1c84b55adea936b065a20102202bea3d1d243225
Log: Fixed bug #72286 (Segmentation fault During Garbage Collection)
 [2016-10-17 13:27 UTC] nikic@php.net
-Status: Closed +Status: Re-Opened
 [2016-10-17 13:27 UTC] nikic@php.net
Someone messed up the repo again, reopening.
 [2017-01-02 14:07 UTC] nikic@php.net
-Status: Re-Opened +Status: Closed
 [2017-01-02 14:07 UTC] nikic@php.net
Closing this bug, as the issue is fixed in PHP 7.0 and PHP 5.6 is going out of active support.
 [2017-04-25 08:00 UTC] olivierberaud at free dot fr
PHP Version is 5.6.30
I just launched your segfault.php script and got:

Array
(
    [0] => Core
    [1] => date
    [2] => ereg
    [3] => libxml
    [4] => openssl
    [5] => pcre
    [6] => zlib
    [7] => bcmath
    [8] => bz2
    [9] => calendar
    [10] => ctype
    [11] => dba
    [12] => dom
    [13] => hash
    [14] => fileinfo
    [15] => filter
    [16] => ftp
    [17] => gettext
    [18] => SPL
    [19] => iconv
    [20] => mbstring
    [21] => pcntl
    [22] => session
    [23] => posix
    [24] => Reflection
    [25] => standard
    [26] => shmop
    [27] => SimpleXML
    [28] => soap
    [29] => sockets
    [30] => Phar
    [31] => exif
    [32] => sysvmsg
    [33] => sysvsem
    [34] => sysvshm
    [35] => tokenizer
    [36] => wddx
    [37] => xml
    [38] => xmlreader
    [39] => xmlwriter
    [40] => zip
    [41] => PDO
    [42] => curl
    [43] => gd
    [44] => json
    [45] => mcrypt
    [46] => mysql
    [47] => mysqli
    [48] => pdo_mysql
    [49] => readline
    [50] => ssh2
    [51] => xmlrpc
    [52] => mhash
)
string(24) "we are about to segfault"
string(15) "segfaults here:"
Segmentation fault (core dumped)