Bug #47343 gc_collect_cycles causes a segfault when called within a destructor in one case
Submitted: 2009-02-08 22:39 UTC Modified: 2009-02-18 12:03 UTC
From: geoffers+phpbugs at gmail dot com Assigned: dmitry
Status: Closed Package: Reproducible crash
PHP Version: 5.3CVS-2009-02-08 (CVS) OS: Debian Etch
Private report: No CVE-ID:
 [2009-02-08 22:39 UTC] geoffers+phpbugs at gmail dot com
When running PHP a segfault occurs when trying to call 
gc_collect_cycles() within the destructor in the included code. Removing 
any line from that code (with the exception of the DONE echo) causes the 
segfault to not occur.

This is on Debian Etch, with everything apart from PHP 5.3 from the 
Debian stable repositories. PHP 5.3 was compiled with:

'./configure' '--enable-bcmath' '--enable-calendar' '--with-zlib-dir=/usr' '--with-gd' '--with-apxs2=/usr/bin/apxs2' '--with-curl=/usr' '--without-pear' '--enable-mbstring' '--enable-debug'

I have only tested through the CLI.

Reproduce code:

<?php
class A
{
	public function __destruct()
	{
		// The call the report describes: run the cycle collector from inside a destructor
		gc_collect_cycles();
	}

	public function getB()
	{
		$this->data['foo'] = new B($this);
		$this->data['bar'] = new B($this);
		// Return either of the above
		return $this->data['foo'];
	}
}

class B
{
	public function B($A)
	{
		$this->A = $A;
	}

	public function __destruct()
	{
	}
}

for ($i = 0; $i < 2; $i++)
{
	$Aobj = new A;
	$Bobj = $Aobj->getB();
}

echo "DONE\n";

Expected result:


Actual result:

Segmentation fault (core dumped)


#0  0x0844a0b0 in gc_collect_cycles () at 
#1  0x08439ab6 in zif_gc_collect_cycles (ht=0, 
return_value=0xb79767d8, return_value_ptr=0x0, this_ptr=0x0, 
    at /root/php5/Zend/zend_builtin_functions.c:336
#2  0x084536bd in zend_do_fcall_common_helper_SPEC 
(execute_data=0xb77d604c) at /root/php5/Zend/zend_vm_execute.h:313
(execute_data=0xb77d604c) at /root/php5/Zend/zend_vm_execute.h:1564
#4  0x08452afa in execute (op_array=0xb7979664) at 
#5  0x0841a08a in zend_call_function (fci=0xbfe69304, 
fci_cache=0xbfe692d4) at /root/php5/Zend/zend_execute_API.c:928
#6  0x08441628 in zend_call_method (object_pp=0xbfe69394, 
obj_ce=0xb7977e94, fn_proxy=0xbfe69398, function_name=0x8902ee6 
    function_name_len=10, retval_ptr_ptr=0x0, param_count=0, arg1=0x0, 
arg2=0x0) at /root/php5/Zend/zend_interfaces.c:89
#7  0x0844bb8d in zend_objects_destroy_object (object=0xb7979054, 
handle=1) at /root/php5/Zend/zend_objects.c:106
#8  0x084502d3 in zend_objects_store_call_destructors 
(objects=0x8939d80) at /root/php5/Zend/zend_objects_API.c:57
#9  0x08417947 in shutdown_destructors () at 
#10 0x08427ce5 in zend_call_destructors () at 
#11 0x083bbcf4 in php_request_shutdown (dummy=0x0) at 
#12 0x084b9825 in main (argc=2, argv=0xbfe69924) at 


 [2009-02-08 23:46 UTC]
#0  0x081efd6c in gc_collect_cycles () at /home/scott/dev/php53/Zend/zend_gc.c:551
551				if (Z_TYPE(p->z) == IS_OBJECT) {
(gdb) print p
$1 = (zval_gc_info *) 0xfffffffc
(gdb) print count
$2 = 4
 [2009-02-18 12:03 UTC]
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
Thank you for the report, and for helping us make PHP better.
