             [2017-11-02 20:26 UTC] nikic@php.net
 
-Status:      Open
+Status:      Closed
-Assigned To:
+Assigned To: nikic
  [2017-11-02 20:26 UTC] nikic@php.net
Description:
------------
PHP version: 5.6.30
Configure line: ./configure --disable-rpath --with-layout=GNU --with-pic --enable-static=no --prefix=/usr --with-pear=/usr/lib/pear --datarootdir=/usr/share --with-config-file-path=/usr/etc --with-config-file-scan-dir=/usr/etc/conf.d

I'd like to report a possible bug in Zend MM, which causes a crash on request shutdown. This issue is easily reproducible if you try to allocate more memory than specified in the memory_limit directive. Tested also on Mac OS X 10.12.4 (Sierra) with the same result.

Test script:
---------------
<?php
error_reporting(E_ALL);
ini_set('display_errors', 0);
ini_set('memory_limit', '512M');
// Keep appending to the array until the allocation exceeds memory_limit.
for($x=0;$x<100000000;$x++)
    $array[$x]=$x;
?>

Expected result:
----------------
No output on stdout
Script exited with code 0

Actual result:
--------------
Output on stdout: Segmentation fault
Script exited with code 139

Valgrind output:
==28140== Invalid read of size 4
==28140==    at 0xA8C634: zval_delref_p (zend.h:411)
==28140==    by 0xA8C634: i_zval_ptr_dtor (zend_execute.h:76)
==28140==    by 0xA8C634: _zval_ptr_dtor (zend_execute_API.c:424)
==28140==    by 0xAAFB4F: i_zend_hash_bucket_delete (zend_hash.c:182)
==28140==    by 0xAAFB4F: zend_hash_bucket_delete (zend_hash.c:192)
==28140==    by 0xAAFB4F: zend_hash_graceful_reverse_destroy (zend_hash.c:613)
==28140==    by 0xA8CC55: shutdown_executor (zend_execute_API.c:244)
==28140==    by 0xA9EE55: zend_deactivate (zend.c:960)
==28140==    by 0xA2EB6F: php_request_shutdown (main.c:1899)
==28140==    by 0xB5807E: do_cli (php_cli.c:1181)
==28140==    by 0x463542: main (php_cli.c:1382)
==28140==  Address 0x2a1ec220 is 261,984 bytes inside a block of size 262,144 free'd
==28140==    at 0x4C2C14B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==28140==    by 0xA71740: zend_mm_del_segment (zend_alloc.c:928)
==28140==    by 0xA71740: _zend_mm_free_int (zend_alloc.c:2115)
==28140==    by 0xA71740: _efree (zend_alloc.c:2440)
==28140==    by 0xAAF7FD: zend_hash_destroy (zend_hash.c:553)
==28140==    by 0xA9DD8A: _zval_dtor_func (zend_variables.c:45)
==28140==    by 0xA8C67F: _zval_dtor (zend_variables.h:35)
==28140==    by 0xA8C67F: i_zval_ptr_dtor (zend_execute.h:79)
==28140==    by 0xA8C67F: _zval_ptr_dtor (zend_execute_API.c:424)
==28140==    by 0xAAFB4F: i_zend_hash_bucket_delete (zend_hash.c:182)
==28140==    by 0xAAFB4F: zend_hash_bucket_delete (zend_hash.c:192)
==28140==    by 0xAAFB4F: zend_hash_graceful_reverse_destroy (zend_hash.c:613)
==28140==    by 0xA8CC55: shutdown_executor (zend_execute_API.c:244)
==28140==    by 0xA9EE55: zend_deactivate (zend.c:960)
==28140==    by 0xA2EB6F: php_request_shutdown (main.c:1899)
==28140==    by 0xB5807E: do_cli (php_cli.c:1181)
==28140==    by 0x463542: main (php_cli.c:1382)
==28140==  Block was alloc'd at
==28140==    at 0x4C2AF1F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==28140==    by 0xA6E8FF: _zend_mm_alloc_int (zend_alloc.c:1982)
==28140==    by 0xAE7DDA: ZEND_POST_INC_SPEC_CV_HANDLER (zend_vm_execute.h:30867)
==28140==    by 0xADFA1D: execute_ex (zend_vm_execute.h:363)
==28140==    by 0x167162E6: zend_oe (in /usr/local/php56/modules/ZendGuardLoader.so)
==28140==    by 0x164B3BEB: ??? (in /usr/local/php56/modules/ioncube_loader_lin_5.6.so)
==28140==    by 0xAA0770: zend_execute_scripts (zend.c:1341)
==28140==    by 0xA2FFF2: php_execute_script (main.c:2613)
==28140==    by 0xB58D2E: do_cli (php_cli.c:998)
==28140==    by 0x463542: main (php_cli.c:1382)
==28140==
==28140== Invalid write of size 4
==28140==    at 0xA8C63C: zval_delref_p (zend.h:411)
==28140==    by 0xA8C63C: i_zval_ptr_dtor (zend_execute.h:76)
==28140==    by 0xA8C63C: _zval_ptr_dtor (zend_execute_API.c:424)
==28140==    by 0xAAFB4F: i_zend_hash_bucket_delete (zend_hash.c:182)
==28140==    by 0xAAFB4F: zend_hash_bucket_delete (zend_hash.c:192)
==28140==    by 0xAAFB4F: zend_hash_graceful_reverse_destroy (zend_hash.c:613)
==28140==    by 0xA8CC55: shutdown_executor (zend_execute_API.c:244)
==28140==    by 0xA9EE55: zend_deactivate (zend.c:960)
==28140==    by 0xA2EB6F: php_request_shutdown (main.c:1899)
==28140==    by 0xB5807E: do_cli (php_cli.c:1181)
==28140==    by 0x463542: main (php_cli.c:1382)
==28140==  Address 0x2a1ec220 is 261,984 bytes inside a block of size 262,144 free'd
==28140==    at 0x4C2C14B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==28140==    by 0xA71740: zend_mm_del_segment (zend_alloc.c:928)
==28140==    by 0xA71740: _zend_mm_free_int (zend_alloc.c:2115)
==28140==    by 0xA71740: _efree (zend_alloc.c:2440)
==28140==    by 0xAAF7FD: zend_hash_destroy (zend_hash.c:553)
==28140==    by 0xA9DD8A: _zval_dtor_func (zend_variables.c:45)
==28140==    by 0xA8C67F: _zval_dtor (zend_variables.h:35)
==28140==    by 0xA8C67F: i_zval_ptr_dtor (zend_execute.h:79)
==28140==    by 0xA8C67F: _zval_ptr_dtor (zend_execute_API.c:424)
==28140==    by 0xAAFB4F: i_zend_hash_bucket_delete (zend_hash.c:182)
==28140==    by 0xAAFB4F: zend_hash_bucket_delete (zend_hash.c:192)
==28140==    by 0xAAFB4F: zend_hash_graceful_reverse_destroy (zend_hash.c:613)
==28140==    by 0xA8CC55: shutdown_executor (zend_execute_API.c:244)
==28140==    by 0xA9EE55: zend_deactivate (zend.c:960)
==28140==    by 0xA2EB6F: php_request_shutdown (main.c:1899)
==28140==    by 0xB5807E: do_cli (php_cli.c:1181)
==28140==    by 0x463542: main (php_cli.c:1382)
==28140==  Block was alloc'd at
==28140==    at 0x4C2AF1F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==28140==    by 0xA6E8FF: _zend_mm_alloc_int (zend_alloc.c:1982)
==28140==    by 0xAE7DDA: ZEND_POST_INC_SPEC_CV_HANDLER (zend_vm_execute.h:30867)
==28140==    by 0xADFA1D: execute_ex (zend_vm_execute.h:363)
==28140==    by 0x167162E6: zend_oe (in /usr/local/php56/modules/ZendGuardLoader.so)
==28140==    by 0x164B3BEB: ??? (in /usr/local/php56/modules/ioncube_loader_lin_5.6.so)
==28140==    by 0xAA0770: zend_execute_scripts (zend.c:1341)
==28140==    by 0xA2FFF2: php_execute_script (main.c:2613)
==28140==    by 0xB58D2E: do_cli (php_cli.c:998)
==28140==    by 0x463542: main (php_cli.c:1382)
==28140==
==28140== Invalid read of size 1
==28140==    at 0xA8C665: gc_zval_check_possible_root (zend_gc.h:182)
==28140==    by 0xA8C665: i_zval_ptr_dtor (zend_execute.h:86)
==28140==    by 0xA8C665: _zval_ptr_dtor (zend_execute_API.c:424)
==28140==    by 0xAAFB4F: i_zend_hash_bucket_delete (zend_hash.c:182)
==28140==    by 0xAAFB4F: zend_hash_bucket_delete (zend_hash.c:192)
==28140==    by 0xAAFB4F: zend_hash_graceful_reverse_destroy (zend_hash.c:613)
==28140==    by 0xA8CC55: shutdown_executor (zend_execute_API.c:244)
==28140==    by 0xA9EE55: zend_deactivate (zend.c:960)
==28140==    by 0xA2EB6F: php_request_shutdown (main.c:1899)
==28140==    by 0xB5807E: do_cli (php_cli.c:1181)
==28140==    by 0x463542: main (php_cli.c:1382)
==28140==  Address 0x2a1ec224 is 261,988 bytes inside a block of size 262,144 free'd
==28140==    at 0x4C2C14B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==28140==    by 0xA71740: zend_mm_del_segment (zend_alloc.c:928)
==28140==    by 0xA71740: _zend_mm_free_int (zend_alloc.c:2115)
==28140==    by 0xA71740: _efree (zend_alloc.c:2440)
==28140==    by 0xAAF7FD: zend_hash_destroy (zend_hash.c:553)
==28140==    by 0xA9DD8A: _zval_dtor_func (zend_variables.c:45)
==28140==    by 0xA8C67F: _zval_dtor (zend_variables.h:35)
==28140==    by 0xA8C67F: i_zval_ptr_dtor (zend_execute.h:79)
==28140==    by 0xA8C67F: _zval_ptr_dtor (zend_execute_API.c:424)
==28140==    by 0xAAFB4F: i_zend_hash_bucket_delete (zend_hash.c:182)
==28140==    by 0xAAFB4F: zend_hash_bucket_delete (zend_hash.c:192)
==28140==    by 0xAAFB4F: zend_hash_graceful_reverse_destroy (zend_hash.c:613)
==28140==    by 0xA8CC55: shutdown_executor (zend_execute_API.c:244)
==28140==    by 0xA9EE55: zend_deactivate (zend.c:960)
==28140==    by 0xA2EB6F: php_request_shutdown (main.c:1899)
==28140==    by 0xB5807E: do_cli (php_cli.c:1181)
==28140==    by 0x463542: main (php_cli.c:1382)
==28140==  Block was alloc'd at
==28140==    at 0x4C2AF1F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==28140==    by 0xA6E8FF: _zend_mm_alloc_int (zend_alloc.c:1982)
==28140==    by 0xAE7DDA: ZEND_POST_INC_SPEC_CV_HANDLER (zend_vm_execute.h:30867)
==28140==    by 0xADFA1D: execute_ex (zend_vm_execute.h:363)
==28140==    by 0x167162E6: zend_oe (in /usr/local/php56/modules/ZendGuardLoader.so)
==28140==    by 0x164B3BEB: ??? (in /usr/local/php56/modules/ioncube_loader_lin_5.6.so)
==28140==    by 0xAA0770: zend_execute_scripts (zend.c:1341)
==28140==    by 0xA2FFF2: php_execute_script (main.c:2613)
==28140==    by 0xB58D2E: do_cli (php_cli.c:998)
==28140==    by 0x463542: main (php_cli.c:1382)
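
A triage sketch for a Memcheck log like the one in this report, added here as an example (it is not part of the original report or of PHP's tooling): it splits the log into errors, computes the start of the freed block each invalid access lands in, and lists third-party shared objects found in the stacks. The function names `triage` and `external_modules` are hypothetical, and the sample is an abridged excerpt of the log above.

```python
import re

# Abridged excerpt of the Memcheck log in this report (two of its three errors).
SAMPLE = """\
==28140== Invalid read of size 4
==28140==    at 0xA8C634: zval_delref_p (zend.h:411)
==28140==    by 0xAAFB4F: zend_hash_graceful_reverse_destroy (zend_hash.c:613)
==28140==  Address 0x2a1ec220 is 261,984 bytes inside a block of size 262,144 free'd
==28140==    at 0x4C2C14B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==28140==    by 0xA71740: zend_mm_del_segment (zend_alloc.c:928)
==28140==  Block was alloc'd at
==28140==    by 0xA6E8FF: _zend_mm_alloc_int (zend_alloc.c:1982)
==28140==    by 0x167162E6: zend_oe (in /usr/local/php56/modules/ZendGuardLoader.so)
==28140==    by 0x164B3BEB: ??? (in /usr/local/php56/modules/ioncube_loader_lin_5.6.so)
==28140==
==28140== Invalid read of size 1
==28140==    at 0xA8C665: gc_zval_check_possible_root (zend_gc.h:182)
==28140==  Address 0x2a1ec224 is 261,988 bytes inside a block of size 262,144 free'd
"""

HEAD = re.compile(r"Invalid (read|write) of size (\d+)")
ADDR = re.compile(r"Address (0x[0-9a-fA-F]+) is ([\d,]+) bytes inside a block of size ([\d,]+) free'd")
FRAME = re.compile(r"(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \((?:in )?([^)]+)\)")

def triage(report):
    """Split a Memcheck log into errors with access/free/alloc stacks."""
    errors, cur, section = [], None, None
    for raw in report.splitlines():
        line = re.sub(r"^==\d+==", "", raw).strip()
        if m := HEAD.search(line):
            cur = {"kind": m[1], "size": int(m[2]), "access": [], "free": [], "alloc": []}
            errors.append(cur)
            section = "access"
        elif cur and (m := ADDR.search(line)):
            offset = int(m[2].replace(",", ""))
            # Start of the freed block = faulting address minus offset into it.
            cur["block"] = (hex(int(m[1], 16) - offset), int(m[3].replace(",", "")))
            section = "free"
        elif cur and line.startswith("Block was alloc'd at"):
            section = "alloc"
        elif cur and (m := FRAME.search(line)):
            cur[section].append((m[1], m[2]))
    return errors

def external_modules(err):
    """Shared objects in any stack, other than Valgrind's own preload."""
    paths = {w for s in ("access", "free", "alloc") for _, w in err[s]}
    return sorted(p.rsplit("/", 1)[-1] for p in paths
                  if p.endswith(".so") and "vgpreload" not in p)
```

On the excerpt, both errors resolve to the same freed 262,144-byte block, and the allocation stack passes through ZendGuardLoader.so and ioncube_loader_lin_5.6.so, so a natural first triage step is to re-run the test script with those extensions disabled.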