php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #47343 gc_collect_cycles causes a segfault when called within a destructor in one case
Submitted: 2009-02-08 22:39 UTC Modified: 2009-02-18 12:03 UTC
From: geoffers+phpbugs at gmail dot com Assigned: dmitry
Status: Closed Package: Reproducible crash
PHP Version: 5.3CVS-2009-02-08 (CVS) OS: Debian Etch
Private report: No CVE-ID:
 [2009-02-08 22:39 UTC] geoffers+phpbugs at gmail dot com
Description:
------------
When running PHP a segfault occurs when trying to call 
gc_collect_cycles() within the destructor in the included code. Removing 
any line from that code (with the exception of the DONE echo) causes the 
segfault to not occur.

This is on Debian Etch, with everything apart from PHP 5.3 from the 
Debian stable repositories. PHP 5.3 was compiled with:

'./configure' '--enable-bcmath' '--enable-calendar' '--with-zlib-
dir=/usr' '--with-gd' '--with-apxs2=/usr/bin/apxs2' '--with-curl=/usr' 
'--without-pear' '--enable-mbstring' '--enable-debug'

I have only tested through the CLI.

Reproduce code:
---------------
<?php

class A
{
	public function __destruct()
	{
		gc_collect_cycles();
	}
	
	public function getB()
	{
		$this->data['foo'] = new B($this);
		$this->data['bar'] = new B($this);
		// Return either of the above
		return $this->data['foo'];
	}
}

class B
{
	public function B($A)
	{
		$this->A = $A;
	}

	public function __destruct()
	{
	}
}

for ($i = 0; $i < 2; $i++)
{
	$Aobj = new A;
	$Bobj = $Aobj->getB();
	unset($Bobj);
	unset($Aobj);
}

echo "DONE\n";


Expected result:
----------------
Output:

DONE

Actual result:
--------------
Output:

DONE
Segmentation fault (core dumped)

Backtrace:

#0  0x0844a0b0 in gc_collect_cycles () at 
/root/php5/Zend/zend_gc.c:551
#1  0x08439ab6 in zif_gc_collect_cycles (ht=0, 
return_value=0xb79767d8, return_value_ptr=0x0, this_ptr=0x0, 
return_value_used=0)
    at /root/php5/Zend/zend_builtin_functions.c:336
#2  0x084536bd in zend_do_fcall_common_helper_SPEC 
(execute_data=0xb77d604c) at /root/php5/Zend/zend_vm_execute.h:313
#3  0x08458202 in ZEND_DO_FCALL_SPEC_CONST_HANDLER 
(execute_data=0xb77d604c) at /root/php5/Zend/zend_vm_execute.h:1564
#4  0x08452afa in execute (op_array=0xb7979664) at 
/root/php5/Zend/zend_vm_execute.h:104
#5  0x0841a08a in zend_call_function (fci=0xbfe69304, 
fci_cache=0xbfe692d4) at /root/php5/Zend/zend_execute_API.c:928
#6  0x08441628 in zend_call_method (object_pp=0xbfe69394, 
obj_ce=0xb7977e94, fn_proxy=0xbfe69398, function_name=0x8902ee6 
"__destruct", 
    function_name_len=10, retval_ptr_ptr=0x0, param_count=0, arg1=0x0, 
arg2=0x0) at /root/php5/Zend/zend_interfaces.c:89
#7  0x0844bb8d in zend_objects_destroy_object (object=0xb7979054, 
handle=1) at /root/php5/Zend/zend_objects.c:106
#8  0x084502d3 in zend_objects_store_call_destructors 
(objects=0x8939d80) at /root/php5/Zend/zend_objects_API.c:57
#9  0x08417947 in shutdown_destructors () at 
/root/php5/Zend/zend_execute_API.c:221
#10 0x08427ce5 in zend_call_destructors () at 
/root/php5/Zend/zend.c:867
#11 0x083bbcf4 in php_request_shutdown (dummy=0x0) at 
/root/php5/main/main.c:1506
#12 0x084b9825 in main (argc=2, argv=0xbfe69924) at 
/root/php5/sapi/cli/php_cli.c:1340

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2009-02-08 23:46 UTC] scottmac@php.net
#0  0x081efd6c in gc_collect_cycles () at /home/scott/dev/php53/Zend/zend_gc.c:551
551				if (Z_TYPE(p->z) == IS_OBJECT) {
(gdb) print p
$1 = (zval_gc_info *) 0xfffffffc
(gdb) print count
$2 = 4
 [2009-02-18 12:03 UTC] dmitry@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Thu Apr 17 01:01:56 2014 UTC