Bug #76050 Segfault in new GC implementation
Submitted: 2018-03-05 12:52 UTC Modified: 2018-03-05 17:31 UTC
Votes:1
Avg. Score:4.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: kelunik@php.net Assigned: dmitry (profile)
Status: Closed Package: Reproducible crash
PHP Version: master-Git-2018-03-05 (Git) OS: Linux
Private report: No CVE-ID: None
 [2018-03-05 12:52 UTC] kelunik@php.net
Description:
------------
Seems like the new GC implementation isn't entirely free of bugs, yet.

I'm getting segfaults in various situations, but haven't been able to write a minimal script, yet.

Running any `composer update` 100% reproduces the problem for me, though.

Expected result:
----------------
No segfault.

Actual result:
--------------
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007f0b1d193f5d in __GI_abort () at abort.c:90
#2  0x00007f0b1d189f17 in __assert_fail_base (fmt=<optimized out>, 
    assertion=assertion@entry=0x55c617b01629 "addr", 
    file=file@entry=0x55c617b014b8 "/home/kelunik/.php-build/release/Zend/zend_gc.c", 
    line=line@entry=602, 
    function=function@entry=0x55c617b016b0 <__PRETTY_FUNCTION__.10643> "gc_remove_from_buffer") at assert.c:92
#3  0x00007f0b1d189fc2 in __GI___assert_fail (assertion=0x55c617b01629 "addr", 
    file=0x55c617b014b8 "/home/kelunik/.php-build/release/Zend/zend_gc.c", line=602, 
    function=0x55c617b016b0 <__PRETTY_FUNCTION__.10643> "gc_remove_from_buffer")
    at assert.c:101
#4  0x000055c6172b3a17 in gc_remove_from_buffer (ref=0x7f0b08c10820)
    at /home/kelunik/.php-build/release/Zend/zend_gc.c:602
#5  0x000055c6172d089e in zend_objects_store_del (object=0x7f0b08c10820)
    at /home/kelunik/.php-build/release/Zend/zend_objects_API.c:193
#6  0x000055c61727784d in zend_object_destroy_wrapper (obj=0x7f0b08c10820, 
    __zend_filename=0x55c617b03598 "/home/kelunik/.php-build/release/Zend/zend_objects.c", 
    __zend_lineno=146868256) at /home/kelunik/.php-build/release/Zend/zend_variables.c:96
#7  0x000055c61727769a in _zval_dtor_func (p=0x7f0b08c10820, 
    __zend_filename=0x55c617b03598 "/home/kelunik/.php-build/release/Zend/zend_objects.c", 
    __zend_lineno=57) at /home/kelunik/.php-build/release/Zend/zend_variables.c:67
#8  0x000055c6172c9391 in i_zval_ptr_dtor (zval_ptr=0x7f0b07ac02c8, 
    __zend_filename=0x55c617b03598 "/home/kelunik/.php-build/release/Zend/zend_objects.c", 
    __zend_lineno=57) at /home/kelunik/.php-build/release/Zend/zend_variables.h:49
#9  0x000055c6172c9523 in zend_object_std_dtor (object=0x7f0b07ac0280)
    at /home/kelunik/.php-build/release/Zend/zend_objects.c:57
#10 0x000055c6172d0851 in zend_objects_store_del (object=0x7f0b07ac0280)
    at /home/kelunik/.php-build/release/Zend/zend_objects_API.c:188
#11 0x000055c61727784d in zend_object_destroy_wrapper (obj=0x7f0b07ac0280, 
    __zend_filename=0x55c617aac2d8 "/home/kelunik/.php-build/release/ext/spl/spl_dllist.c", 
    __zend_lineno=128713344) at /home/kelunik/.php-build/release/Zend/zend_variables.c:96
#12 0x000055c61727769a in _zval_dtor_func (p=0x7f0b07ac0280, 
    __zend_filename=0x55c617aac2d8 "/home/kelunik/.php-build/release/ext/spl/spl_dllist.c", 
    __zend_lineno=356) at /home/kelunik/.php-build/release/Zend/zend_variables.c:67
#13 0x000055c61725cef9 in i_zval_ptr_dtor (zval_ptr=0x7ffe38457400, 
    __zend_filename=0x55c617aac2d8 "/home/kelunik/.php-build/release/ext/spl/spl_dllist.c", 
    __zend_lineno=356) at /home/kelunik/.php-build/release/Zend/zend_variables.h:49
#14 0x000055c61725f26d in _zval_ptr_dtor (zval_ptr=0x7ffe38457400, 
    __zend_filename=0x55c617aac2d8 "/home/kelunik/.php-build/release/ext/spl/spl_dllist.c", 
    __zend_lineno=356) at /home/kelunik/.php-build/release/Zend/zend_execute_API.c:532
#15 0x000055c61703a111 in spl_dllist_object_free_storage (object=0x7f0b07aab660)
    at /home/kelunik/.php-build/release/ext/spl/spl_dllist.c:356
#16 0x000055c6172d0851 in zend_objects_store_del (object=0x7f0b07aab660)
    at /home/kelunik/.php-build/release/Zend/zend_objects_API.c:188
#17 0x000055c61727784d in zend_object_destroy_wrapper (obj=0x7f0b07aab660, 
    __zend_filename=0x55c617afea78 "/home/kelunik/.php-build/release/Zend/zend_hash.c", 
    __zend_lineno=128628320) at /home/kelunik/.php-build/release/Zend/zend_variables.c:96
#18 0x000055c61727769a in _zval_dtor_func (p=0x7f0b07aab660, 
    __zend_filename=0x55c617afea78 "/home/kelunik/.php-build/release/Zend/zend_hash.c", 
    __zend_lineno=1381) at /home/kelunik/.php-build/release/Zend/zend_variables.c:67
#19 0x000055c61728df6e in i_zval_ptr_dtor (zval_ptr=0x7f0b07902960, 
    __zend_filename=0x55c617afea78 "/home/kelunik/.php-build/release/Zend/zend_hash.c", 
    __zend_lineno=1381) at /home/kelunik/.php-build/release/Zend/zend_variables.h:49
#20 0x000055c61729277b in zend_array_destroy (ht=0x7f0b0cd723c0)
    at /home/kelunik/.php-build/release/Zend/zend_hash.c:1381
#21 0x000055c61727782b in zend_array_destroy_wrapper (arr=0x7f0b0cd723c0, 
    __zend_filename=0x55c617b03598 "/home/kelunik/.php-build/release/Zend/zend_objects.c", 
    __zend_lineno=215425984) at /home/kelunik/.php-build/release/Zend/zend_variables.c:91
#22 0x000055c61727769a in _zval_dtor_func (p=0x7f0b0cd723c0, 
    __zend_filename=0x55c617b03598 "/home/kelunik/.php-build/release/Zend/zend_objects.c", 
    __zend_lineno=57) at /home/kelunik/.php-build/release/Zend/zend_variables.c:67
#23 0x000055c6172c9391 in i_zval_ptr_dtor (zval_ptr=0x7f0b0cd72ce8, 
    __zend_filename=0x55c617b03598 "/home/kelunik/.php-build/release/Zend/zend_objects.c", 
    __zend_lineno=57) at /home/kelunik/.php-build/release/Zend/zend_variables.h:49
#24 0x000055c6172c9523 in zend_object_std_dtor (object=0x7f0b0cd72cc0)
    at /home/kelunik/.php-build/release/Zend/zend_objects.c:57
#25 0x000055c6172d0851 in zend_objects_store_del (object=0x7f0b0cd72cc0)
    at /home/kelunik/.php-build/release/Zend/zend_objects_API.c:188
#26 0x000055c61727784d in zend_object_destroy_wrapper (obj=0x7f0b0cd72cc0, 
    __zend_filename=0x55c617b03598 "/home/kelunik/.php-build/release/Zend/zend_objects.c", 
    __zend_lineno=215428288) at /home/kelunik/.php-build/release/Zend/zend_variables.c:96
#27 0x000055c61727769a in _zval_dtor_func (p=0x7f0b0cd72cc0, 
    __zend_filename=0x55c617b03598 "/home/kelunik/.php-build/release/Zend/zend_objects.c", 
    __zend_lineno=57) at /home/kelunik/.php-build/release/Zend/zend_variables.c:67
#28 0x000055c6172c9391 in i_zval_ptr_dtor (zval_ptr=0x7f0b1523c598, 
    __zend_filename=0x55c617b03598 "/home/kelunik/.php-build/release/Zend/zend_objects.c", 
    __zend_lineno=57) at /home/kelunik/.php-build/release/Zend/zend_variables.h:49
#29 0x000055c6172c9523 in zend_object_std_dtor (object=0x7f0b1523c500)
    at /home/kelunik/.php-build/release/Zend/zend_objects.c:57
#30 0x000055c6172d0851 in zend_objects_store_del (object=0x7f0b1523c500)
    at /home/kelunik/.php-build/release/Zend/zend_objects_API.c:188
#31 0x000055c61727784d in zend_object_destroy_wrapper (obj=0x7f0b1523c500, 
    __zend_filename=0x55c617b051c0 "/home/kelunik/.php-build/release/Zend/zend_execute.c", 
    __zend_lineno=354665728) at /home/kelunik/.php-build/release/Zend/zend_variables.c:96
#32 0x000055c61727769a in _zval_dtor_func (p=0x7f0b1523c500, 
    __zend_filename=0x55c617b051c0 "/home/kelunik/.php-build/release/Zend/zend_execute.c", 
    __zend_lineno=2371) at /home/kelunik/.php-build/release/Zend/zend_variables.c:67
#33 0x000055c6172e0401 in i_free_compiled_variables (execute_data=0x7f0b15e22470)
    at /home/kelunik/.php-build/release/Zend/zend_execute.c:2371
#34 0x000055c6172e25b5 in zend_leave_helper_SPEC ()
    at /home/kelunik/.php-build/release/Zend/zend_vm_execute.h:505
#35 0x000055c61730b2b8 in ZEND_RETURN_SPEC_TMP_HANDLER ()
    at /home/kelunik/.php-build/release/Zend/zend_vm_execute.h:17864
#36 0x000055c617357643 in execute_ex (ex=0x7f0b15e1f030)
    at /home/kelunik/.php-build/release/Zend/zend_vm_execute.h:56746
#37 0x000055c61735ab5f in zend_execute (op_array=0x7f0b15e83300, return_value=0x0)
    at /home/kelunik/.php-build/release/Zend/zend_vm_execute.h:60126
#38 0x000055c61727b8b1 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /home/kelunik/.php-build/release/Zend/zend.c:1541
#39 0x000055c6171ddb18 in php_execute_script (primary_file=0x7ffe38459f50)
    at /home/kelunik/.php-build/release/main/main.c:2467
#40 0x000055c61735d7f3 in do_cli (argc=3, argv=0x55c6193e3e90)
    at /home/kelunik/.php-build/release/sapi/cli/php_cli.c:1011
#41 0x000055c61735e9b1 in main (argc=3, argv=0x55c6193e3e90)
    at /home/kelunik/.php-build/release/sapi/cli/php_cli.c:1404

History

 [2018-03-05 13:55 UTC] dmitry@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: dmitry
 [2018-03-05 14:28 UTC] dmitry@php.net
The problem is caused by GC address compression that doesn't take into account the special meaning of the "zero" address.
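The collision dmitry describes, modelled in a toy root buffer. This is an added illustration, not php-src code: MAX_UNCOMPRESSED, BUF_SIZE, IDX_INVALID, compress_naive, compress_safe, decompress and lost_roots are constructed names, and the sizes are shrunk so the wrap-around is visible in a handful of slots. compress_naive is the plain `idx % GC_MAX_UNCOMPRESSED` form quoted in the hunk later in this thread; compress_safe is one way to keep the reserved zero value out of the compressed range and is not necessarily what the referenced fix commit does.

```c
/* Toy model of a GC root buffer with compressed slot indices.
 * Added example for bug #76050; constants and names are constructed. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_UNCOMPRESSED 8u   /* kept tiny so the wrap-around is easy to see */
#define BUF_SIZE        24u   /* three "laps" of the compressed range */
#define IDX_INVALID      0u   /* reserved: "this ref is not in the root buffer" */

/* One root-buffer slot: which refcounted object it tracks. */
typedef struct { const void *ref; } root_slot;

static root_slot buf[BUF_SIZE];
static int objs[BUF_SIZE];    /* stand-ins for the tracked objects */

/* Buggy compression, the shape quoted in the report: plain modulo.
 * Every multiple of MAX_UNCOMPRESSED collapses onto 0 == IDX_INVALID. */
static uint32_t compress_naive(uint32_t idx) {
    return idx % MAX_UNCOMPRESSED;
}

/* One way to keep the reserved value out of the compressed range:
 * indices below MAX_UNCOMPRESSED are stored as-is, larger ones keep
 * their residue and get MAX_UNCOMPRESSED or-ed in. The result is never 0,
 * never collides with an uncompressed index, and costs one extra bit. */
static uint32_t compress_safe(uint32_t idx) {
    if (idx < MAX_UNCOMPRESSED) return idx;
    return (idx % MAX_UNCOMPRESSED) | MAX_UNCOMPRESSED;
}

/* Recover the real slot index from a compressed one: the candidates are
 * the compressed value and every value MAX_UNCOMPRESSED further on; the
 * stored ref pointer disambiguates. Returns -1 when the compressed value
 * is the reserved marker, i.e. the root can no longer be found. */
static long decompress(const void *ref, uint32_t compressed) {
    if (compressed == IDX_INVALID) return -1;
    for (uint32_t i = compressed; i < BUF_SIZE; i += MAX_UNCOMPRESSED) {
        if (buf[i].ref == ref) return (long)i;
    }
    return -1;
}

/* Fill the buffer (slot 0 stays unused because 0 is the reserved value),
 * round-trip every index through compress/decompress and count how many
 * roots become unreachable. */
static unsigned lost_roots(bool use_safe) {
    unsigned lost = 0;
    for (uint32_t i = 1; i < BUF_SIZE; i++) buf[i].ref = &objs[i];
    for (uint32_t i = 1; i < BUF_SIZE; i++) {
        uint32_t c = use_safe ? compress_safe(i) : compress_naive(i);
        if (decompress(&objs[i], c) != (long)i) lost++;
    }
    return lost;
}

int main(void) {
    printf("naive: %u of %u roots unreachable after compression\n",
           lost_roots(false), BUF_SIZE - 1);
    printf("safe:  %u of %u roots unreachable after compression\n",
           lost_roots(true), BUF_SIZE - 1);
    return 0;
}
```

With the naive scheme exactly the roots whose index is a multiple of MAX_UNCOMPRESSED (8 and 16 here) compress to the reserved zero and can no longer be located; that failed lookup is what the `addr` assertion in gc_remove_from_buffer caught in the backtrace above. The safe scheme finds every root, at the price of a decompressed index range that needs one more bit than the uncompressed one.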
 [2018-03-05 14:47 UTC] nikic@php.net
Reduced repro code:

<?php
class Foo { public $foo; }

gc_disable(); // no collection runs, so possible roots keep accumulating in the GC root buffer
$n = 128 * 1024;
for ($i = 0; $i < $n; $i++) {
    $f = new Foo;
    $f->foo = $f; // self-reference: when $f is reassigned the object is recorded as a possible root
}
 [2018-03-05 17:31 UTC] dmitry@php.net
https://github.com/php/php-src/commit/ab139b6bfdd73a29604fed978517ea96b720f21e fixed the crash but not the bug (it just became hidden).

It's possible to add another assert to disclose it:

diff --git a/Zend/zend_gc.c b/Zend/zend_gc.c
index fe740e7a78..004c9c88d0 100644
--- a/Zend/zend_gc.c
+++ b/Zend/zend_gc.c
@@ -250,7 +250,9 @@ static zend_gc_globals gc_globals;
 
 static zend_always_inline uint32_t gc_compress(uint32_t idx)
 {
-       return idx % GC_MAX_UNCOMPRESSED;
+       idx = idx % GC_MAX_UNCOMPRESSED;
+       ZEND_ASSERT(idx != 0);
+       return idx;
 }
 
 static zend_always_inline gc_root_buffer* gc_decompress(zend_refcounted *ref, uint32_t idx)
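Review bot: the added ZEND_ASSERT(idx != 0) in gc_compress only surfaces the wrap-around in debug builds; it does not prevent it, which matches the comment that the crash is hidden rather than fixed. Note that `idx % GC_MAX_UNCOMPRESSED` yields 0 for every idx that is a multiple of GC_MAX_UNCOMPRESSED, not just for idx == 0, so the reserved zero value collides with a real root each time the buffer grows past another multiple of that size. The fix belongs in the compression scheme itself (and its counterpart gc_decompress in the trailing context), which must never produce the reserved value; once that is in place this assert is worth keeping as a cheap invariant check.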
 [2018-03-06 00:31 UTC] dmitry@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c060d88c3652e771628b1c14a3fe87d99e3122a4
Log: Fixed bug #76050
 [2018-03-06 00:31 UTC] dmitry@php.net
-Status: Assigned +Status: Closed