Bug #72829 SegFault When Leaving a Loop that Creates an Array of Objects
Submitted: 2016-08-13 22:12 UTC Modified: 2016-08-14 12:25 UTC
From: Chad dot Sikorra at gmail dot com Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 7.1.0beta2 OS: Ubuntu 16.04
Private report: No CVE-ID: None
 [2016-08-13 22:12 UTC] Chad dot Sikorra at gmail dot com
Description:
------------
Just starting with PHP 7.1 beta2 (this did not happen in beta1), some tests for a library I maintain started to segfault in the same exact location. I narrowed the spot down to a loop that creates an array of objects. However, it isn't a specific part of my code causing the segfault, as it happens just as the loop exits and before my method returns.

The loop it fails directly after:

https://github.com/ldaptools/ldaptools/blob/master/src/LdapTools/Schema/Parser/SchemaYamlParser.php#L111

The backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000898ac3 in zval_addref_p (pz=0x7fffec1f7ca0) at /home/chad/trace/php-src/Zend/zend_types.h:829
829		return ++GC_REFCOUNT(Z_COUNTED_P(pz));
(gdb) bt
#0  0x0000000000898ac3 in zval_addref_p (pz=0x7fffec1f7ca0) at /home/chad/trace/php-src/Zend/zend_types.h:829
#1  0x00000000008aab6f in zif_array_column (execute_data=0x7fffec616dd0, return_value=0x7fffec616d40) at /home/chad/trace/php-src/ext/standard/array.c:3607
#2  0x0000000000a76ae1 in ZEND_DO_FCALL_BY_NAME_SPEC_RETVAL_USED_HANDLER () at /home/chad/trace/php-src/Zend/zend_vm_execute.h:876
#3  0x0000000000a758c6 in execute_ex (ex=0x7fffec616570) at /home/chad/trace/php-src/Zend/zend_vm_execute.h:429
#4  0x00000000009faa6a in zend_call_function (fci=0x7fffffff9e70, fci_cache=0x7fffffff9e40) at /home/chad/trace/php-src/Zend/zend_execute_API.c:837
#5  0x00000000008b8b41 in zif_call_user_func_array (execute_data=0x7fffec616500, return_value=0x7fffec616480)
    at /home/chad/trace/php-src/ext/standard/basic_functions.c:4844
#6  0x0000000000a76ae1 in ZEND_DO_FCALL_BY_NAME_SPEC_RETVAL_USED_HANDLER () at /home/chad/trace/php-src/Zend/zend_vm_execute.h:876
#7  0x0000000000a758c6 in execute_ex (ex=0x7fffec6160b0) at /home/chad/trace/php-src/Zend/zend_vm_execute.h:429
#8  0x00000000009faa6a in zend_call_function (fci=0x7fffffffa120, fci_cache=0x7fffffffa0f0) at /home/chad/trace/php-src/Zend/zend_execute_API.c:837
#9  0x00000000008b8b41 in zif_call_user_func_array (execute_data=0x7fffec616040, return_value=0x7fffec616010)
    at /home/chad/trace/php-src/ext/standard/basic_functions.c:4844
#10 0x0000000000a76ae1 in ZEND_DO_FCALL_BY_NAME_SPEC_RETVAL_USED_HANDLER () at /home/chad/trace/php-src/Zend/zend_vm_execute.h:876
#11 0x0000000000a758c6 in execute_ex (ex=0x7fffec615f00) at /home/chad/trace/php-src/Zend/zend_vm_execute.h:429
#12 0x00000000009faa6a in zend_call_function (fci=0x7fffffffa410, fci_cache=0x7fffffffa3e0) at /home/chad/trace/php-src/Zend/zend_execute_API.c:837
#13 0x0000000000838b0b in zim_reflection_method_invokeArgs (execute_data=0x7fffec615e90, return_value=0x7fffffffa480)
    at /home/chad/trace/php-src/ext/reflection/php_reflection.c:3379
#14 0x0000000000a76f71 in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER () at /home/chad/trace/php-src/Zend/zend_vm_execute.h:970
#15 0x0000000000a758c6 in execute_ex (ex=0x7fffec614030) at /home/chad/trace/php-src/Zend/zend_vm_execute.h:429
#16 0x0000000000a759d7 in zend_execute (op_array=0x7fffec686000, return_value=0x0) at /home/chad/trace/php-src/Zend/zend_vm_execute.h:474
#17 0x0000000000a12cd4 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/chad/trace/php-src/Zend/zend.c:1447
#18 0x0000000000979191 in php_execute_script (primary_file=0x7fffffffcb40) at /home/chad/trace/php-src/main/main.c:2533
#19 0x0000000000afaa8a in do_cli (argc=4, argv=0x1460700) at /home/chad/trace/php-src/sapi/cli/php_cli.c:990
#20 0x0000000000afbc5d in main (argc=4, argv=0x1460700) at /home/chad/trace/php-src/sapi/cli/php_cli.c:1378
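
Frame #1 of the backtrace is zif_array_column(), so the call that crashed is array_column() over the array of objects built in the loop. The following is an added example, not code from the report or from the ldaptools project, in the short self-contained form laruence asked for: it builds objects in a loop, calls array_column() on them, and checks the result instead of just printing it, so a crash or wrong output on a given build is visible. The class name, fields and sample values are constructed for this example.

```php
<?php
// Added example (not from the report): exercises the pattern the backtrace
// points at, array_column() over an array of objects created in a loop.
// SchemaObject and its fields are constructed for this example only.
class SchemaObject
{
    public $name;
    public $class;

    public function __construct($name, $class)
    {
        $this->name = $name;
        $this->class = $class;
    }
}

// Build the array of objects in a loop, as the report describes.
$objects = [];
foreach (['user', 'group', 'computer'] as $i => $type) {
    $objects[] = new SchemaObject($type, 'cls' . $i);
}

// This is the call that segfaulted on 7.1.0beta2 (zif_array_column);
// on a fixed build it must simply return the requested column.
$names   = array_column($objects, 'name');
$byClass = array_column($objects, 'name', 'class');

// Compare against the expected values explicitly rather than eyeballing output.
if ($names !== ['user', 'group', 'computer']) {
    fwrite(STDERR, "unexpected array_column result\n");
    exit(1);
}
if ($byClass !== ['cls0' => 'user', 'cls1' => 'group', 'cls2' => 'computer']) {
    fwrite(STDERR, "unexpected keyed array_column result\n");
    exit(1);
}
echo "array_column over objects OK on PHP " . PHP_VERSION . "\n";
?>
```

Run it with `php script.php` on the build under test; a non-zero exit status or a signal from the CLI indicates the build still misbehaves.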


History

 [2016-08-14 06:35 UTC] laruence@php.net
-Status: Open +Status: Feedback
 [2016-08-14 06:35 UTC] laruence@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.


 [2016-08-14 08:36 UTC] nikic@php.net
I suspect that PHP 7 beta2 was branched off while array_column() was completely broken (array was not properly initialized). Can you check if just using the current snapshot already fixes the issue?
 [2016-08-14 12:24 UTC] Chad dot Sikorra at gmail dot com
-Status: Feedback +Status: Open
 [2016-08-14 12:24 UTC] Chad dot Sikorra at gmail dot com
Yep, I just confirmed it's working now. I recompiled based off the PHP-7.1 branch and now it works fine. Guess this can be closed. Thanks for checking this!
 [2016-08-14 12:25 UTC] Chad dot Sikorra at gmail dot com
-Status: Open +Status: Closed
 [2016-08-14 12:25 UTC] Chad dot Sikorra at gmail dot com
Marking as closed.