Bug #81603 zend_gc_delref: Assertion failed
Submitted: 2021-11-09 08:45 UTC
Modified: 2021-11-16 10:22 UTC
From: mbeccati@php.net
Assigned: nikic
Status: Closed
Package: Reproducible crash
PHP Version: 7.4.26RC1
OS: Ubuntu 20.04.2 LTS
Private report: No
CVE-ID: None

 [2021-11-09 08:45 UTC] mbeccati@php.net
Description:
------------
Running the test suite of phpspec main branch currently fails with a segfault and an assertion failure. No such failure on latest PHP 7.3 or PHP 8.0 from git.

Configure line was:
--with-zip --enable-gd --with-freetype --with-jpeg --with-webp --with-xpm --with-openssl --enable-debug --without-pear --with-mysql-sock=/var/run/mysqld/mysqld.sock --with-mysqli=mysqlnd --with-pgsql=/usr --enable-pdo --with-pdo-sqlite --with-pdo-mysql=mysqlnd --with-pdo-pgsql=/usr --with-zlib --with-iconv --enable-bcmath --enable-ftp --enable-mbstring --with-curl --with-gettext --enable-intl --enable-sockets --enable-shmop --enable-sysvmsg --enable-sysvsem --enable-sysvshm --enable-soap --enable-fpm --enable-pcntl

Test script:
---------------
git clone git@github.com:phpspec/phpspec.git
cd phpspec
composer update --prefer-dist
php74/bin/php bin/phpspec run

Expected result:
----------------
No segfault

Actual result:
--------------
php: .../Zend/zend_types.h:1039: zend_gc_delref: Assertion `p->refcount > 0' failed.
Aborted (core dumped)


#4  0x0000555555ddc546 in zend_gc_delref (p=0x7ffff2b91ae0) at /home/atlassian/bamboo/local-working-dir/PHP-SRC9-BUIL/Zend/zend_types.h:1039
        __PRETTY_FUNCTION__ = "zend_gc_delref"
#5  0x0000555555ddd8e7 in gc_mark_grey (ref=0x7ffff2b91ae0, stack=0x7fffffff8f70) at /home/atlassian/bamboo/local-working-dir/PHP-SRC9-BUIL/Zend/zend_gc.c:872
        ht = 0x0
        p = 0x7ffff37aaf68
        end = 0x7ffff37aaf68
        zv = 0x7ffff37aaf68
        _stack = 0x7fffffff8f70
        _top = 2
#6  0x0000555555dddd25 in gc_mark_roots (stack=0x7fffffff8f70) at /home/atlassian/bamboo/local-working-dir/PHP-SRC9-BUIL/Zend/zend_gc.c:977
        current = 0x7ffff4112888
        last = 0x7ffff4112890
#7  0x0000555555ddf03e in zend_gc_collect_cycles () at /home/atlassian/bamboo/local-working-dir/PHP-SRC9-BUIL/Zend/zend_gc.c:1452
        current = 0x16f2608630
        last = 0x555555d6fcc4 <zend_emit_op+221>
        gc_flags = 0
        idx = 0
        end = 0
        p = 0x7ffff29ef378
        count = 0
#8  0x0000555555ddcd77 in gc_possible_root_when_full (ref=0x7ffff2987960) at /home/atlassian/bamboo/local-working-dir/PHP-SRC9-BUIL/Zend/zend_gc.c:592
        idx = 21845
        newRoot = 0x20
        __PRETTY_FUNCTION__ = "gc_possible_root_when_full"
#9  0x0000555555ddcf00 in gc_possible_root (ref=0x7ffff2987960) at /home/atlassian/bamboo/local-working-dir/PHP-SRC9-BUIL/Zend/zend_gc.c:642
        idx = 0
        newRoot = 0x0
        __PRETTY_FUNCTION__ = "gc_possible_root"
#10 0x0000555555db74de in gc_check_possible_root (ref=0x7ffff2987960) at /home/atlassian/bamboo/local-working-dir/PHP-SRC9-BUIL/Zend/zend_gc.h:83
No locals.
#11 0x0000555555db7530 in i_zval_ptr_dtor (zval_ptr=0x7ffff36e0ac8) at /home/atlassian/bamboo/local-working-dir/PHP-SRC9-BUIL/Zend/zend_variables.h:46
        ref = 0x7ffff2987960
#12 0x0000555555dbc8f3 in zend_array_destroy (ht=0x7ffff2b91ae0) at /home/atlassian/bamboo/local-working-dir/PHP-SRC9-BUIL/Zend/zend_hash.c:1611
        p = 0x7ffff36e0ac8
        end = 0x7ffff36e0ae8
        __PRETTY_FUNCTION__ = "zend_array_destroy"
#13 0x0000555555d9ffb8 in rc_dtor_func (p=0x7ffff2b91ae0) at /home/atlassian/bamboo/local-working-dir/PHP-SRC9-BUIL/Zend/zend_variables.c:57
        __PRETTY_FUNCTION__ = "rc_dtor_func"
#14 0x0000555555d9ff37 in i_zval_ptr_dtor (zval_ptr=0x7ffff375a588) at /home/atlassian/bamboo/local-working-dir/PHP-SRC9-BUIL/Zend/zend_variables.h:44
        ref = 0x7ffff2b91ae0
#15 0x0000555555da015d in zval_ptr_dtor (zval_ptr=0x7ffff375a588) at /home/atlassian/bamboo/local-working-dir/PHP-SRC9-BUIL/Zend/zend_variables.c:84
No locals.
#16 0x0000555555b71b87 in php_usort (execute_data=0x7ffff3e18000, return_value=0x7fffffffa220, compare_func=0x555555b71217 <php_array_user_compare>, renumber=1 '\001') at /home/atlassian/bamboo/local-working-dir/PHP-SRC9-BUIL/ext/standard/array.c:1040
        array = 0x7ffff375a588
        arr = 0x7ffff28180c0
        retval = 1 '\001'
        old_user_compare_fci = {size = 0, function_name = {value = {lval = 0, dval = 0, counted = 0x0, str = 0x0, arr = 0x0, obj = 0x0, res = 0x0, ref = 0x0, ast = 0x0, zv = 0x0, ptr = 0x0, ce = 0x0, func = 0x0, ww = {w1 = 0, w2 = 0}}, u1 = {v = {type = 0 '\000', type_flags = 0 '\000', u = {extra = 0}},
              type_info = 0}, u2 = {next = 0, cache_slot = 0, opline_num = 0, lineno = 0, num_args = 0, fe_pos = 0, fe_iter_idx = 0, access_flags = 0, property_guard = 0, constant_flags = 0, extra = 0}}, retval = 0x0, params = 0x0, object = 0x0, no_separation = 0 '\000', param_count = 0}
        old_user_compare_fci_cache = {function_handler = 0x0, calling_scope = 0x0, called_scope = 0x0, object = 0x0}
        __PRETTY_FUNCTION__ = "php_usort"
#17 0x0000555555b71cbb in zif_usort (execute_data=0x7ffff3e18000, return_value=0x7fffffffa220) at /home/atlassian/bamboo/local-working-dir/PHP-SRC9-BUIL/ext/standard/array.c:1052
No locals.
#18 0x0000555555e198bc in ZEND_DO_FCALL_BY_NAME_SPEC_RETVAL_UNUSED_HANDLER () at /home/atlassian/bamboo/local-working-dir/PHP-SRC9-BUIL/Zend/zend_vm_execute.h:1442
        retval = {value = {lval = 140737285029984, dval = 6.9533457622282644e-310, counted = 0x7ffff3e18060, str = 0x7ffff3e18060, arr = 0x7ffff3e18060, obj = 0x7ffff3e18060, res = 0x7ffff3e18060, ref = 0x7ffff3e18060, ast = 0x7ffff3e18060, zv = 0x7ffff3e18060, ptr = 0x7ffff3e18060, ce = 0x7ffff3e18060,
            func = 0x7ffff3e18060, ww = {w1 = 4091641952, w2 = 32767}}, u1 = {v = {type = 1 '\001', type_flags = 0 '\000', u = {extra = 0}}, type_info = 1}, u2 = {next = 32767, cache_slot = 32767, opline_num = 32767, lineno = 32767, num_args = 32767, fe_pos = 32767, fe_iter_idx = 32767, access_flags = 32767,
            property_guard = 32767, constant_flags = 32767, extra = 32767}}
        call = 0x7ffff3e18000
        fbc = 0x555556beecd0
        ret = 0x7fffffffa220
        __PRETTY_FUNCTION__ = "ZEND_DO_FCALL_BY_NAME_SPEC_RETVAL_UNUSED_HANDLER"
#19 0x0000555555e85096 in execute_ex (ex=0x7ffff3e17b10) at /home/atlassian/bamboo/local-working-dir/PHP-SRC9-BUIL/Zend/zend_vm_execute.h:53513
        orig_opline = 0x7ffff2eb93e0
        orig_execute_data = 0x7ffff3e17940
#20 0x0000555555d8ae33 in zend_call_function (fci=0x7fffffffa590, fci_cache=0x7fffffffa570) at /home/atlassian/bamboo/local-working-dir/PHP-SRC9-BUIL/Zend/zend_execute_API.c:820
        call_via_handler = 0
        current_opline_before_exception = 0x7ffff30ca300
        i = 3
        call = 0x7ffff3e17b10
        dummy_execute_data = {opline = 0x30800000000, call = 0x7fffffffa598, return_value = 0x7ffff3e17ad0, func = 0x7ffff2e17780, This = {value = {lval = 140737488332016, dval = 6.9533558066832385e-310, counted = 0x7fffffffa4f0, str = 0x7fffffffa4f0, arr = 0x7fffffffa4f0, obj = 0x7fffffffa4f0,
              res = 0x7fffffffa4f0, ref = 0x7fffffffa4f0, ast = 0x7fffffffa4f0, zv = 0x7fffffffa4f0, ptr = 0x7fffffffa4f0, ce = 0x7fffffffa4f0, func = 0x7fffffffa4f0, ww = {w1 = 4294943984, w2 = 32767}}, u1 = {v = {type = 23 '\027', type_flags = 199 '\307', u = {extra = 21945}}, type_info = 1438238487}, u2 = {
              next = 21845, cache_slot = 21845, opline_num = 21845, lineno = 21845, num_args = 21845, fe_pos = 21845, fe_iter_idx = 21845, access_flags = 21845, property_guard = 21845, constant_flags = 21845, extra = 21845}}, prev_execute_data = 0xffffffffffffffff, symbol_table = 0x7fffffffa560,
          run_time_cache = 0xffffa4f0}
        fci_cache_local = {function_handler = 0x7fffffffa570, calling_scope = 0x7fffffffa590, called_scope = 0xffffffff, object = 0x7ffff3e17ad0}
        func = 0x7ffff2e177b8
        call_info = 33686280
        object_or_called_scope = 0x7ffff2c476c0
        __PRETTY_FUNCTION__ = "zend_call_function"
#21 0x0000555555ba2e49 in zif_call_user_func (execute_data=0x7ffff3e17a80, return_value=0x7ffff3e17a70) at /home/atlassian/bamboo/local-working-dir/PHP-SRC9-BUIL/ext/standard/basic_functions.c:4935
        retval = {value = {lval = 0, dval = 0, counted = 0x0, str = 0x0, arr = 0x0, obj = 0x0, res = 0x0, ref = 0x0, ast = 0x0, zv = 0x0, ptr = 0x0, ce = 0x0, func = 0x0, ww = {w1 = 0, w2 = 0}}, u1 = {v = {type = 0 '\000', type_flags = 0 '\000', u = {extra = 0}}, type_info = 0}, u2 = {next = 32767,
            cache_slot = 32767, opline_num = 32767, lineno = 32767, num_args = 32767, fe_pos = 32767, fe_iter_idx = 32767, access_flags = 32767, property_guard = 32767, constant_flags = 32767, extra = 32767}}
        fci = {size = 56, function_name = {value = {lval = 140737268250496, dval = 6.9533449332114068e-310, counted = 0x7ffff2e17780, str = 0x7ffff2e17780, arr = 0x7ffff2e17780, obj = 0x7ffff2e17780, res = 0x7ffff2e17780, ref = 0x7ffff2e17780, ast = 0x7ffff2e17780, zv = 0x7ffff2e17780, ptr = 0x7ffff2e17780,
              ce = 0x7ffff2e17780, func = 0x7ffff2e17780, ww = {w1 = 4074862464, w2 = 32767}}, u1 = {v = {type = 8 '\b', type_flags = 3 '\003', u = {extra = 0}}, type_info = 776}, u2 = {next = 32767, cache_slot = 32767, opline_num = 32767, lineno = 32767, num_args = 32767, fe_pos = 32767, fe_iter_idx = 32767,
              access_flags = 32767, property_guard = 32767, constant_flags = 32767, extra = 32767}}, retval = 0x7fffffffa560, params = 0x7ffff3e17ae0, object = 0x7ffff2c476c0, no_separation = 1 '\001', param_count = 3}
        fci_cache = {function_handler = 0x7ffff2e177b8, calling_scope = 0x7ffff31cde58, called_scope = 0x7ffff31cde58, object = 0x7ffff2c476c0}
        __PRETTY_FUNCTION__ = "zif_call_user_func"
#22 0x0000555555e19c56 in ZEND_DO_FCALL_BY_NAME_SPEC_RETVAL_USED_HANDLER () at /home/atlassian/bamboo/local-working-dir/PHP-SRC9-BUIL/Zend/zend_vm_execute.h:1526
        retval = {value = {lval = 140737285028272, dval = 6.9533457621436804e-310, counted = 0x7ffff3e179b0, str = 0x7ffff3e179b0, arr = 0x7ffff3e179b0, obj = 0x7ffff3e179b0, res = 0x7ffff3e179b0, ref = 0x7ffff3e179b0, ast = 0x7ffff3e179b0, zv = 0x7ffff3e179b0, ptr = 0x7ffff3e179b0, ce = 0x7ffff3e179b0,
            func = 0x7ffff3e179b0, ww = {w1 = 4091640240, w2 = 32767}}, u1 = {v = {type = 224 '\340', type_flags = 71 'G', u = {extra = 62103}}, type_info = 4070000608}, u2 = {next = 32767, cache_slot = 32767, opline_num = 32767, lineno = 32767, num_args = 32767, fe_pos = 32767, fe_iter_idx = 32767,
            access_flags = 32767, property_guard = 32767, constant_flags = 32767, extra = 32767}}
        call = 0x7ffff3e17a80
        fbc = 0x555556c281a0
        ret = 0x7ffff3e17a70
        __PRETTY_FUNCTION__ = "ZEND_DO_FCALL_BY_NAME_SPEC_RETVAL_USED_HANDLER"
#23 0x0000555555e850aa in execute_ex (ex=0x7ffff3e167f0) at /home/atlassian/bamboo/local-working-dir/PHP-SRC9-BUIL/Zend/zend_vm_execute.h:53517
        orig_opline = 0x7ffff30cb640
        orig_execute_data = 0x7ffff3e164d0
#24 0x0000555555d8ae33 in zend_call_function (fci=0x7fffffffa9d0, fci_cache=0x7fffffffa9b0) at /home/atlassian/bamboo/local-working-dir/PHP-SRC9-BUIL/Zend/zend_execute_API.c:820
        call_via_handler = 0
        current_opline_before_exception = 0x7ffff3166f20
        i = 4
        call = 0x7ffff3e167f0
        dummy_execute_data = {opline = 0x5555566b19e8, call = 0x40, return_value = 0x7fffffffa8c0, func = 0x555555d6893a <_safe_emalloc+85>, This = {value = {lval = 0, dval = 0, counted = 0x0, str = 0x0, arr = 0x0, obj = 0x0, res = 0x0, ref = 0x0, ast = 0x0, zv = 0x0, ptr = 0x0, ce = 0x0, func = 0x0, ww = {w1 = 0,
                w2 = 0}}, u1 = {v = {type = 74 'J', type_flags = 91 '[', u = {extra = 21974}}, type_info = 1440111434}, u2 = {next = 3113, cache_slot = 3113, opline_num = 3113, lineno = 3113, num_args = 3113, fe_pos = 3113, fe_iter_idx = 3113, access_flags = 3113, property_guard = 3113, constant_flags = 3113,
              extra = 3113}}, prev_execute_data = 0x7ffff343c780, symbol_table = 0x7ffff343c780, run_time_cache = 0x7fffffffa8d0}
        fci_cache_local = {function_handler = 0x7fffffffa880, calling_scope = 0x555555d686c3 <_emalloc+124>, called_scope = 0x0, object = 0xc2900000000}
        func = 0x7ffff343cdd0
        call_info = 33686280
        object_or_called_scope = 0x7ffff2898d90
        __PRETTY_FUNCTION__ = "zend_call_function"
#25 0x0000555555ab57c9 in reflection_method_invoke (execute_data=0x7ffff3e16780, return_value=0x7fffffffaa60, variadic=0) at /home/atlassian/bamboo/local-working-dir/PHP-SRC9-BUIL/ext/reflection/php_reflection.c:3168
        retval = {value = {lval = 3328601648896, dval = 1.6445477234100404e-311, counted = 0x307001e6f00, str = 0x307001e6f00, arr = 0x307001e6f00, obj = 0x307001e6f00, res = 0x307001e6f00, ref = 0x307001e6f00, ast = 0x307001e6f00, zv = 0x307001e6f00, ptr = 0x307001e6f00, ce = 0x307001e6f00, func = 0x307001e6f00,
            ww = {w1 = 1994496, w2 = 775}}, u1 = {v = {type = 0 '\000', type_flags = 0 '\000', u = {extra = 0}}, type_info = 0}, u2 = {next = 32767, cache_slot = 32767, opline_num = 32767, lineno = 32767, num_args = 32767, fe_pos = 32767, fe_iter_idx = 32767, access_flags = 32767, property_guard = 32767,
            constant_flags = 32767, extra = 32767}}
        params = 0x7ffff2f47f60
        val = 0x7ffff2d6b928
        object = 0x7ffff3e167d0
        intern = 0x7ffff39830a0
        mptr = 0x7ffff343cdd0
        i = -203331616
        argc = 4
        result = -22144
        fci = {size = 56, function_name = {value = {lval = 0, dval = 0, counted = 0x0, str = 0x0, arr = 0x0, obj = 0x0, res = 0x0, ref = 0x0, ast = 0x0, zv = 0x0, ptr = 0x0, ce = 0x0, func = 0x0, ww = {w1 = 0, w2 = 0}}, u1 = {v = {type = 0 '\000', type_flags = 0 '\000', u = {extra = 0}}, type_info = 0}, u2 = {
              next = 21845, cache_slot = 21845, opline_num = 21845, lineno = 21845, num_args = 21845, fe_pos = 21845, fe_iter_idx = 21845, access_flags = 21845, property_guard = 21845, constant_flags = 21845, extra = 21845}}, retval = 0x7fffffffa9a0, params = 0x7ffff2f47f60, object = 0x7ffff2898d90,
          no_separation = 1 '\001', param_count = 4}
        fcc = {function_handler = 0x7ffff343cdd0, calling_scope = 0x7ffff3e167e0, called_scope = 0x7ffff343c780, object = 0x7ffff2898d90}
        obj_ce = 0x7ffff343c780
        param_array = 0x7ffff3e167e0
#26 0x0000555555ab5983 in zim_reflection_method_invokeArgs (execute_data=0x7ffff3e16780, return_value=0x7fffffffaa60) at /home/atlassian/bamboo/local-working-dir/PHP-SRC9-BUIL/ext/reflection/php_reflection.c:3204
No locals.
#27 0x0000555555e1a048 in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER () at /home/atlassian/bamboo/local-working-dir/PHP-SRC9-BUIL/Zend/zend_vm_execute.h:1618
        call = 0x7ffff3e16780
        fbc = 0x555556d70680
        ret = 0x7fffffffaa60
        retval = {value = {lval = 140737488333440, dval = 6.9533558067535934e-310, counted = 0x7fffffffaa80, str = 0x7fffffffaa80, arr = 0x7fffffffaa80, obj = 0x7fffffffaa80, res = 0x7fffffffaa80, ref = 0x7fffffffaa80, ast = 0x7fffffffaa80, zv = 0x7fffffffaa80, ptr = 0x7fffffffaa80, ce = 0x7fffffffaa80,
            func = 0x7fffffffaa80, ww = {w1 = 4294945408, w2 = 32767}}, u1 = {v = {type = 1 '\001', type_flags = 0 '\000', u = {extra = 0}}, type_info = 1}, u2 = {next = 21845, cache_slot = 21845, opline_num = 21845, lineno = 21845, num_args = 21845, fe_pos = 21845, fe_iter_idx = 21845, access_flags = 21845,
            property_guard = 21845, constant_flags = 21845, extra = 21845}}
        __PRETTY_FUNCTION__ = "ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER"
#28 0x0000555555e850be in execute_ex (ex=0x7ffff3e14020) at /home/atlassian/bamboo/local-working-dir/PHP-SRC9-BUIL/Zend/zend_vm_execute.h:53521
        orig_opline = 0x0
        orig_execute_data = 0x0
#29 0x0000555555e8a05d in zend_execute (op_array=0x7ffff3e82300, return_value=0x0) at /home/atlassian/bamboo/local-working-dir/PHP-SRC9-BUIL/Zend/zend_vm_execute.h:57617
        execute_data = 0x7ffff3e14020
        object_or_called_scope = 0x0
        call_info = 1245184

 [2021-11-09 09:40 UTC] nikic@php.net
I wasn't able to reproduce this on current 7.4 HEAD. I tried both with and without opcache and also checked that there are no warnings under USE_ZEND_ALLOC=0 valgrind.

 [2021-11-09 15:04 UTC] mbeccati@php.net
No particular warnings in valgrind here either, just the SIGABRT. Not sure if there are any other useful options I can add.

$ USE_ZEND_ALLOC=0 valgrind --tool=memcheck --num-callers=30 --track-origins=yes ~/php74/bin/php bin/phpspec run
==869939== Memcheck, a memory error detector
==869939== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==869939== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
==869939== Command: /home/atlassian/php74/bin/php bin/phpspec run
==869939==
php: /home/atlassian/bamboo/local-working-dir/PHP-SRC9-BUIL/Zend/zend_types.h:1039: zend_gc_delref: Assertion `p->refcount > 0' failed.
==869939==
==869939== Process terminating with default action of signal 6 (SIGABRT)
==869939==    at 0x5CE818B: raise (raise.c:51)
==869939==    by 0x5CC7858: abort (abort.c:79)
==869939==    by 0x5CC7728: __assert_fail_base.cold (assert.c:92)
==869939==    by 0x5CD8F35: __assert_fail (assert.c:101)
==869939==    by 0x990545: zend_gc_delref (zend_types.h:1039)
==869939==    by 0x9918E6: gc_mark_grey (zend_gc.c:872)
==869939==    by 0x991D24: gc_mark_roots (zend_gc.c:977)
==869939==    by 0x99303D: zend_gc_collect_cycles (zend_gc.c:1452)
==869939==    by 0x990D76: gc_possible_root_when_full (zend_gc.c:592)
==869939==    by 0x990EFF: gc_possible_root (zend_gc.c:642)
==869939==    by 0x96B4DD: gc_check_possible_root (zend_gc.h:83)
==869939==    by 0x96B52F: i_zval_ptr_dtor (zend_variables.h:46)
==869939==    by 0x9708F2: zend_array_destroy (zend_hash.c:1611)
==869939==    by 0x953FB7: rc_dtor_func (zend_variables.c:57)
==869939==    by 0x953F36: i_zval_ptr_dtor (zend_variables.h:44)
==869939==    by 0x95415C: zval_ptr_dtor (zend_variables.c:84)
==869939==    by 0x725B86: php_usort (array.c:1040)
==869939==    by 0x725CBA: zif_usort (array.c:1052)
==869939==    by 0x9CD8BB: ZEND_DO_FCALL_BY_NAME_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:1442)
==869939==    by 0xA39095: execute_ex (zend_vm_execute.h:53513)
==869939==    by 0x93EE32: zend_call_function (zend_execute_API.c:820)
==869939==    by 0x756E48: zif_call_user_func (basic_functions.c:4935)
==869939==    by 0x9CDC55: ZEND_DO_FCALL_BY_NAME_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:1526)
==869939==    by 0xA390A9: execute_ex (zend_vm_execute.h:53517)
==869939==    by 0x93EE32: zend_call_function (zend_execute_API.c:820)
==869939==    by 0x6697C8: reflection_method_invoke (php_reflection.c:3168)
==869939==    by 0x669982: zim_reflection_method_invokeArgs (php_reflection.c:3204)
==869939==    by 0x9CE047: ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:1618)

 [2021-11-16 09:17 UTC] nikic@php.net
-Status: Open
+Status: Feedback

 [2021-11-16 09:17 UTC] nikic@php.net
This is most likely fixed by https://github.com/php/php-src/commit/18a0d46a1b44cc67e97ccdf9f828c690d651c7f1. Could you please confirm?

 [2021-11-16 09:24 UTC] mbeccati@php.net
Confirmed, the build is green now: https://revive.beccati.com/bamboo/browse/PHP-PHPSPEC-2723

 [2021-11-16 09:25 UTC] nikic@php.net
-Status: Feedback
+Status: Closed
-Assigned To:
+Assigned To: nikic

 [2021-11-16 09:25 UTC] nikic@php.net
Great, thanks for the quick confirmation!

 [2021-11-16 10:22 UTC] mbeccati@php.net
Well, thank you! Great job tracking this down! :-)
 