Bug #53976 running phpunit causes seg fault in php garbage collection
Submitted: 2011-02-09 23:43 UTC Modified: 2011-02-13 04:38 UTC
Votes:23
Avg. Score:4.3 ± 0.9
Reproduced:20 of 22 (90.9%)
Same Version:4 (20.0%)
Same OS:6 (30.0%)
From: matthew dot scott dot day at gmail dot com Assigned:
Status: Open Package: Reproducible crash
PHP Version: 5.3.5 OS: ubuntu 10.10
Private report: No CVE-ID:

 [2011-02-09 23:43 UTC] matthew dot scott dot day at gmail dot com
Description:
------------
FIRST TEST
-------------------


root@matthewbox:/pool/www/www.example.com/tests# USE_ZEND_ALLOC=0 gdb php
GNU gdb (GDB) 7.2-ubuntu
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/local/bin/php...done.
(gdb) run -dzend.enable_gc=0 /usr/local/bin/phpunit --coverage-html ../public/tests/
Starting program: /usr/local/bin/php -dzend.enable_gc=0 /usr/local/bin/phpunit --coverage-html ../public/tests/
[Thread debugging using libthread_db enabled]
PHPUnit 3.5.10 by Sebastian Bergmann.

[New Thread 0x7ffff24a6700 (LWP 17827)]
[Thread 0x7ffff24a6700 (LWP 17827) exited]
....................

Time: 26 seconds, Memory: 0.25Mb

OK (20 tests, 20 assertions)

Generating code coverage report, this may take a moment.

Program received signal SIGSEGV, Segmentation fault.
gc_remove_zval_from_buffer (zv=<value optimized out>) at /home/matthew/src/php-5.3.5/Zend/zend_gc.c:265
265		GC_REMOVE_FROM_BUFFER(root_buffer);

(gdb) run -dzend.enable_gc=0 /usr/local/bin/phpunit --coverage-html ../public/tests/
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /usr/local/bin/php -dzend.enable_gc=0 /usr/local/bin/phpunit --coverage-html ../public/tests/
[Thread debugging using libthread_db enabled]
PHPUnit 3.5.10 by Sebastian Bergmann.

[New Thread 0x7ffff24a6700 (LWP 17839)]
[Thread 0x7ffff24a6700 (LWP 17839) exited]
....................

Time: 25 seconds, Memory: 0.25Mb

OK (20 tests, 20 assertions)

Generating code coverage report, this may take a moment.

Program received signal SIGSEGV, Segmentation fault.
0x000000000075a571 in gc_zval_possible_root (zv=0x37dadf0) at /home/matthew/src/php-5.3.5/Zend/zend_gc.c:143
143			GC_ZOBJ_CHECK_POSSIBLE_ROOT(zv);
(gdb) bt
#0  0x000000000075a571 in gc_zval_possible_root (zv=0x37dadf0) at /home/matthew/src/php-5.3.5/Zend/zend_gc.c:143
#1  0x000000000074912b in zend_hash_destroy (ht=0x37daf50) at /home/matthew/src/php-5.3.5/Zend/zend_hash.c:529
#2  0x000000000075bb89 in zend_object_std_dtor (object=0x37edb00) at /home/matthew/src/php-5.3.5/Zend/zend_objects.c:45
#3  0x000000000075bba9 in zend_objects_free_object_storage (object=0x37dadf0) at /home/matthew/src/php-5.3.5/Zend/zend_objects.c:126
#4  0x000000000075f888 in zend_objects_store_del_ref_by_handle_ex (handle=<value optimized out>, handlers=<value optimized out>) at /home/matthew/src/php-5.3.5/Zend/zend_objects_API.c:220
#5  0x000000000075f8a3 in zend_objects_store_del_ref (zobject=0x37dee20) at /home/matthew/src/php-5.3.5/Zend/zend_objects_API.c:172
#6  0x000000000073072d in _zval_dtor (zval_ptr=0x3814058) at /home/matthew/src/php-5.3.5/Zend/zend_variables.h:35
#7  _zval_ptr_dtor (zval_ptr=0x3814058) at /home/matthew/src/php-5.3.5/Zend/zend_execute_API.c:443
#8  0x000000000074912b in zend_hash_destroy (ht=0x3814160) at /home/matthew/src/php-5.3.5/Zend/zend_hash.c:529
#9  0x000000000073c2cf in _zval_dtor_func (zvalue=0x37decb0) at /home/matthew/src/php-5.3.5/Zend/zend_variables.c:43
#10 0x000000000073072d in _zval_dtor (zval_ptr=0x3779148) at /home/matthew/src/php-5.3.5/Zend/zend_variables.h:35
#11 _zval_ptr_dtor (zval_ptr=0x3779148) at /home/matthew/src/php-5.3.5/Zend/zend_execute_API.c:443
#12 0x000000000074912b in zend_hash_destroy (ht=0x36ff340) at /home/matthew/src/php-5.3.5/Zend/zend_hash.c:529
#13 0x000000000075bb89 in zend_object_std_dtor (object=0x367e300) at /home/matthew/src/php-5.3.5/Zend/zend_objects.c:45
#14 0x000000000075bba9 in zend_objects_free_object_storage (object=0x37dadf0) at /home/matthew/src/php-5.3.5/Zend/zend_objects.c:126
#15 0x000000000075f3a8 in zend_objects_store_free_object_storage (objects=0xef86b8) at /home/matthew/src/php-5.3.5/Zend/zend_objects_API.c:92
#16 0x0000000000730b25 in shutdown_executor () at /home/matthew/src/php-5.3.5/Zend/zend_execute_API.c:302
#17 0x000000000073d042 in zend_deactivate () at /home/matthew/src/php-5.3.5/Zend/zend.c:890
#18 0x00000000006ea665 in php_request_shutdown (dummy=<value optimized out>) at /home/matthew/src/php-5.3.5/main/main.c:1633
#19 0x00000000007c60cc in main (argc=<value optimized out>, argv=<value optimized out>) at /home/matthew/src/php-5.3.5/sapi/cli/php_cli.c:1374
(gdb)

THIRD TEST
---------------------

(gdb) run -dzend.enable_gc=0 /usr/local/bin/phpunit --coverage-html ../public/tests/
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /usr/local/bin/php -dzend.enable_gc=0 /usr/local/bin/phpunit --coverage-html ../public/tests/
[Thread debugging using libthread_db enabled]
PHPUnit 3.5.10 by Sebastian Bergmann.

[New Thread 0x7ffff24a6700 (LWP 17857)]
[Thread 0x7ffff24a6700 (LWP 17857) exited]
....................

Time: 25 seconds, Memory: 0.25Mb

OK (20 tests, 20 assertions)

Generating code coverage report, this may take a moment.

Program exited normally.
(gdb) bt
No stack.
(gdb)

FOURTH TEST
--------------------------


(gdb) run -dzend.enable_gc=0 /usr/local/bin/phpunit --coverage-html ../public/tests/
Starting program: /usr/local/bin/php -dzend.enable_gc=0 /usr/local/bin/phpunit --coverage-html ../public/tests/
[Thread debugging using libthread_db enabled]
PHPUnit 3.5.10 by Sebastian Bergmann.

[New Thread 0x7ffff24a6700 (LWP 17864)]
[Thread 0x7ffff24a6700 (LWP 17864) exited]
....................

Time: 25 seconds, Memory: 0.25Mb

OK (20 tests, 20 assertions)

Generating code coverage report, this may take a moment.

Program received signal SIGSEGV, Segmentation fault.
gc_remove_zval_from_buffer (zv=<value optimized out>) at /home/matthew/src/php-5.3.5/Zend/zend_gc.c:265
265		GC_REMOVE_FROM_BUFFER(root_buffer);
(gdb) bt
#0  gc_remove_zval_from_buffer (zv=<value optimized out>) at /home/matthew/src/php-5.3.5/Zend/zend_gc.c:265
#1  0x0000000000730775 in _zval_ptr_dtor (zval_ptr=0x38da7e8) at /home/matthew/src/php-5.3.5/Zend/zend_execute_API.c:442
#2  0x000000000074912b in zend_hash_destroy (ht=0x38dd850) at /home/matthew/src/php-5.3.5/Zend/zend_hash.c:529
#3  0x000000000075bb89 in zend_object_std_dtor (object=0x388ee90) at /home/matthew/src/php-5.3.5/Zend/zend_objects.c:45
#4  0x000000000075bba9 in zend_objects_free_object_storage (object=0x38d4a00) at /home/matthew/src/php-5.3.5/Zend/zend_objects.c:126
#5  0x000000000075f888 in zend_objects_store_del_ref_by_handle_ex (handle=<value optimized out>, handlers=<value optimized out>) at /home/matthew/src/php-5.3.5/Zend/zend_objects_API.c:220
#6  0x000000000075f8a3 in zend_objects_store_del_ref (zobject=0x38dc630) at /home/matthew/src/php-5.3.5/Zend/zend_objects_API.c:172
#7  0x000000000073072d in _zval_dtor (zval_ptr=0x38dbcf8) at /home/matthew/src/php-5.3.5/Zend/zend_variables.h:35
#8  _zval_ptr_dtor (zval_ptr=0x38dbcf8) at /home/matthew/src/php-5.3.5/Zend/zend_execute_API.c:443
#9  0x000000000074912b in zend_hash_destroy (ht=0x38dbb00) at /home/matthew/src/php-5.3.5/Zend/zend_hash.c:529
#10 0x000000000073c2cf in _zval_dtor_func (zvalue=0x388f1f0) at /home/matthew/src/php-5.3.5/Zend/zend_variables.c:43
#11 0x000000000073072d in _zval_dtor (zval_ptr=0x3867fb8) at /home/matthew/src/php-5.3.5/Zend/zend_variables.h:35
#12 _zval_ptr_dtor (zval_ptr=0x3867fb8) at /home/matthew/src/php-5.3.5/Zend/zend_execute_API.c:443
#13 0x000000000074912b in zend_hash_destroy (ht=0x37ca770) at /home/matthew/src/php-5.3.5/Zend/zend_hash.c:529
#14 0x000000000075bb89 in zend_object_std_dtor (object=0x37ca7e0) at /home/matthew/src/php-5.3.5/Zend/zend_objects.c:45
#15 0x000000000075bba9 in zend_objects_free_object_storage (object=0x38d4a00) at /home/matthew/src/php-5.3.5/Zend/zend_objects.c:126
#16 0x000000000075f3a8 in zend_objects_store_free_object_storage (objects=0xef86b8) at /home/matthew/src/php-5.3.5/Zend/zend_objects_API.c:92
#17 0x0000000000730b25 in shutdown_executor () at /home/matthew/src/php-5.3.5/Zend/zend_execute_API.c:302
#18 0x000000000073d042 in zend_deactivate () at /home/matthew/src/php-5.3.5/Zend/zend.c:890
#19 0x00000000006ea665 in php_request_shutdown (dummy=<value optimized out>) at /home/matthew/src/php-5.3.5/main/main.c:1633
#20 0x00000000007c60cc in main (argc=<value optimized out>, argv=<value optimized out>) at /home/matthew/src/php-5.3.5/sapi/cli/php_cli.c:1374
(gdb)

Test script:
---------------
So far I have not been able to reproduce this with a small amount of code. This crash involves phpunit, xdebug, and zend framework but it is crashing (read the GDB BT above) due to zend garbage collection

Expected result:
----------------
run phpunit with code coverage (which uses xdebug)

Actual result:
--------------
segmentation fault, see gdb backtrace in description

 [2011-02-11 22:35 UTC] felipe@php.net
-Status: Open +Status: Feedback
 [2011-02-11 22:35 UTC] felipe@php.net
Try disabling xdebug.
 [2011-02-11 23:19 UTC] matthew dot scott dot day at gmail dot com
-Status: Feedback +Status: Open
 [2011-02-11 23:19 UTC] matthew dot scott dot day at gmail dot com
You can't run phpunit with code coverage without xdebug. I already posted this to the xdebug bug tracker and he said it's php garbage collection that's causing the seg fault.
 [2011-02-13 04:38 UTC] cataphract@php.net
This is nigh-impossible to debug without a reproducing script; the stack trace is the most generic crash on shutdown you can get. The fact the crash doesn't happen on xdebug code doesn't mean it wasn't xdebug that corrupted the state and ultimately caused the crash on shutdown.
 [2011-07-24 18:32 UTC] zhengxiang dot pan at alcatel-lucent dot com
I observed this problem too.
The mongodb PHP driver unit test testEnsureUniqueIndex in MongoCollectionTest.php can reproduce this problem. I run php 5.3.6 on Ubuntu.
 [2011-08-23 07:57 UTC] francesco dot monte at gmail dot com
I'm experiencing the same issue. Did you find out what caused it?
 [2011-10-28 14:10 UTC] deviantintegral at gmail dot com
I'm running into this with running phpunit for symfony2 tests on Ubuntu 10.04. If I disable garbage collection by running phpunit with "-dzend.enable_gc=0" everything runs fine.
 [2012-02-07 19:42 UTC] rasta at lj dot sk
I am having the same problem.

running phpunit -dzend.enable_gc=0 works without failure
 [2012-06-27 17:22 UTC] fidian at rumkin dot com
I'm using Ubuntu 12.04 with PHP 5.3.14 (from ppa:team-mayhem/ppa), xdebug 2.2.0 
(again from the ppa) and phpunit 3.6.11.  PHP from the ppa has the stock Debian 
patches in it, but applied against the newer source version.  xdebug 2.2.0 in 
the ppa is compiled with three lines commented out (a potential fix for this 
bug, but we were wrong and it should get reverted soon).  We've written our own 
coverage collection tools instead of using the one built into phpunit.

This elusive problem happens randomly across machines and will spontaneously 
stop happening every now and then.  Trying to do various things to the machine, 
like rebooting, have mixed results.  Trying to do bisects with git repos of PHP 
and xDebug have proved ineffective since I can get false passes with a version 
that just failed a dozen times in a row.

According to the backtrace, the offensive code looks like this:
    root->next->prev = root->prev;

Since it's a segmentation fault, I assume that root->next isn't pointing to 
memory that is allocated to PHP (eg. NULL).  Here's part of our backtrace, in 
the hopes that it helps:


Program received signal SIGSEGV, Segmentation fault.
0x00000000006b9440 in gc_remove_zval_from_buffer (zv=0x7fffffff7570)
    at /build/buildd/php5-5.3.14/Zend/zend_gc.h:189
189 /build/buildd/php5-5.3.14/Zend/zend_gc.h: No such file or directory.
    in /build/buildd/php5-5.3.14/Zend/zend_gc.h
(gdb) bt full
#0  0x00000000006b9440 in gc_remove_zval_from_buffer (zv=0x7fffffff7570)
    at /build/buildd/php5-5.3.14/Zend/zend_gc.h:189
        root_buffer = 0x7ffff497ae84
#1  0x000000000068d613 in _zval_ptr_dtor (zval_ptr=0x7fffffff7570)
    at /build/buildd/php5-5.3.14/Zend/zend_execute_API.c:446
        zv = 0x7fffffff7570
#2  0x00000000006a9900 in zend_hash_destroy (ht=0x4a3af20)
    at /build/buildd/php5-5.3.14/Zend/zend_hash.c:729
No locals.
#3  0x000000000069afdf in _zval_dtor_func (zvalue=0x4a33b50)
    at /build/buildd/php5-5.3.14/Zend/zend_variables.c:46
No locals.
#4  0x000000000068d621 in _zval_ptr_dtor (zval_ptr=0x7fffffff7570)
    at /build/buildd/php5-5.3.14/Zend/zend_variables.h:35
        zv = 0x4a33b50
#5  0x00000000006a9900 in zend_hash_destroy (ht=0x4acb800)
    at /build/buildd/php5-5.3.14/Zend/zend_hash.c:729
No locals.
#6  0x000000000069afdf in _zval_dtor_func (zvalue=0x4acb7b0)
    at /build/buildd/php5-5.3.14/Zend/zend_variables.c:46
No locals.
#7  0x000000000068d621 in _zval_ptr_dtor (zval_ptr=0x7fffffff7570)
    at /build/buildd/php5-5.3.14/Zend/zend_variables.h:35
        zv = 0x4acb7b0
#8  0x00000000006a9900 in zend_hash_destroy (ht=0x4acb698)
    at /build/buildd/php5-5.3.14/Zend/zend_hash.c:729
No locals.
#9  0x000000000069afdf in _zval_dtor_func (zvalue=0x4a402c8)
    at /build/buildd/php5-5.3.14/Zend/zend_variables.c:46
No locals.

#10 0x000000000068d621 in _zval_ptr_dtor (zval_ptr=0x7fffffff7570)
    at /build/buildd/php5-5.3.14/Zend/zend_variables.h:35
        zv = 0x4a402c8
#11 0x00000000006a9900 in zend_hash_destroy (ht=0x4ac9638)
    at /build/buildd/php5-5.3.14/Zend/zend_hash.c:729
No locals.
#12 0x000000000069afdf in _zval_dtor_func (zvalue=0x4ac9890)
    at /build/buildd/php5-5.3.14/Zend/zend_variables.c:46
No locals.
#13 0x000000000068d621 in _zval_ptr_dtor (zval_ptr=0x7fffffff7570)
    at /build/buildd/php5-5.3.14/Zend/zend_variables.h:35
        zv = 0x4ac9890
#14 0x00000000006a9900 in zend_hash_destroy (ht=0x49484e8)
    at /build/buildd/php5-5.3.14/Zend/zend_hash.c:729
No locals.
#15 0x00000000006bd0f9 in zend_object_std_dtor (object=0x4ac9920)
    at /build/buildd/php5-5.3.14/Zend/zend_objects.c:45
No locals.
#16 0x00000000006bd119 in zend_objects_free_object_storage (object=0x4ac9920)
---Type <return> to continue, or q <return> to quit---
    at /build/buildd/php5-5.3.14/Zend/zend_objects.c:126
No locals.

#17 0x00000000006c10ff in zend_objects_store_del_ref_by_handle_ex (
    handle=80060752, handlers=0x1b80775c085)
    at /build/buildd/php5-5.3.14/Zend/zend_objects_API.c:220
        __orig_bailout = <incomplete type>
        __bailout = {{__jmpbuf = {4294936880, 32767, 76854688, 0, 3129251656,
              3229462939, 74648968, 0}, __mask_was_saved = 465475400,
            __saved_mask = {__val = {0, 0, 4159544400, 32767, 4159542736,
                32767, 7060918, 0, 0, 0, 3219008960, 3493151322, 78464592, 0,
                7060918, 0}}}}
        obj = 0x1f480
        failure = 0
#18 0x00000000006c1123 in zend_objects_store_del_ref (zobject=0x494b5a0)
    at /build/buildd/php5-5.3.14/Zend/zend_objects_API.c:172
        handle = 4294931824
#19 0x000000000068d621 in _zval_ptr_dtor (zval_ptr=0x7fffffff7570)
    at /build/buildd/php5-5.3.14/Zend/zend_variables.h:35
        zv = 0x494b5a0
#20 0x00000000006a9900 in zend_hash_destroy (ht=0x46e5fc0)
    at /build/buildd/php5-5.3.14/Zend/zend_hash.c:729
No locals.
#21 0x00000000006bd0f9 in zend_object_std_dtor (object=0x4773440)
    at /build/buildd/php5-5.3.14/Zend/zend_objects.c:45
No locals.
#22 0x00000000006bd119 in zend_objects_free_object_storage (object=0x4773440)
    at /build/buildd/php5-5.3.14/Zend/zend_objects.c:126
No locals.

#23 0x00000000006c10ff in zend_objects_store_del_ref_by_handle_ex (
    handle=80059216, handlers=0x1b80775c085)
    at /build/buildd/php5-5.3.14/Zend/zend_objects_API.c:220
        __orig_bailout = <incomplete type>
        __bailout = {{__jmpbuf = {4294949504, 32767, 78957200, 0, 574920520,
              1065506460, 18355672, 0}, __mask_was_saved = 465475400,
            __saved_mask = {__val = {0, 32767, 4103582289, 32767, 0, 0, 0, 0,
                727, 0, 4159542024, 32767, 0, 0, 61724704, 0}}}}
        obj = 0x1ee80
        failure = 0
#24 0x00000000006c1123 in zend_objects_store_del_ref (zobject=0x4b4ca90)
    at /build/buildd/php5-5.3.14/Zend/zend_objects_API.c:172
        handle = 4294931824
#25 0x000000000068d621 in _zval_ptr_dtor (zval_ptr=0x7fffffff7570)
    at /build/buildd/php5-5.3.14/Zend/zend_variables.h:35
        zv = 0x4b4ca90
#26 0x00000000006c66ee in zend_leave_helper_SPEC (execute_data=0x7ffff7ed9308)
    at /build/buildd/php5-5.3.14/Zend/zend_vm_execute.h:160
        cv = 0x7ffff7ed93a0
        end = 0x7ffff7ed93b0
        nested = 160 '\240'
---Type <return> to continue, or q <return> to quit---
        op_array = 0x11815d8

#27 0x00000000006ed2e8 in ZEND_HANDLE_EXCEPTION_SPEC_HANDLER (
    execute_data=0x7ffff7ed9308)
    at /build/buildd/php5-5.3.14/Zend/zend_vm_execute.h:683
        op_num = 11
        catch_op_num = 18355672
        catched = 0
        restored_error_reporting = {value = {lval = 4159542024,
            dval = 6.9533491169375569e-310, str = {
              val = 0x7ffff7ed9308 "\200", <incomplete sequence \345>,
              len = -29984}, ht = 0x7ffff7ed9308, obj = {handle = 4159542024,
              handlers = 0x1007fffffff8ae0}}, refcount__gc = 4103494072,
          type = 255 '\377', is_ref__gc = 127 '\177'}
        stack_frame = 0x0
#28 0x00000000006c1e6b in execute (op_array=0x11815d8)
    at /build/buildd/php5-5.3.14/Zend/zend_vm_execute.h:107
        ret = -191385980
        execute_data = 0x7ffff7ed9308
        nested = 0 '\000'
        original_in_execution = 1 '\001'
#29 0x00007ffff4963f2d in xdebug_execute (op_array=0x11815d8)
    at /build/buildd/xdebug-2.2.0/build-php5/xdebug.c:1390
        dummy = 0x6bbdb6
        edata = 0x7fffffff8cb0
        fse = 0x25be230
        xfse = 0x6c66ee
        magic_cookie = 0x0
        do_return = 0
        function_nr = 3410608
        le = 0xe56f20
        eval_id = 0
        clear = 0
        return_val = 0x0
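
The unlink quoted in the comment above (`root->next->prev = root->prev;`), modelled as an added example that is not PHP's or Xdebug's code: a simplified circular list showing how a neighbour-consistency check reports a corrupted link at the unlink itself instead of letting the damage surface later at shutdown. The names `root_node`, `unlink_unchecked`, `unlink_checked` and both demo scenarios are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical, simplified stand-in for a GC root-buffer entry: a node in a
 * circular doubly linked list anchored by a sentinel. Not PHP's definition. */
typedef struct root_node {
    struct root_node *prev, *next;
} root_node;

static void list_init(root_node *s) { s->prev = s->next = s; }

static void list_insert(root_node *s, root_node *n) {   /* insert at head */
    n->next = s->next;
    n->prev = s;
    s->next->prev = n;
    s->next = n;
}

static int list_len(const root_node *s) {
    int n = 0;
    for (const root_node *p = s->next; p != s; p = p->next) n++;
    return n;
}

/* Unchecked unlink: the store quoted in the comment plus its mirror image.
 * With a stale n->next or n->prev this writes through a wrong pointer. */
static void unlink_unchecked(root_node *n) {
    n->next->prev = n->prev;
    n->prev->next = n->next;
}

/* Checked unlink: both neighbours must still point back at n. Returns 0 on
 * success, -1 if the invariant is broken. It catches double unlinks and stale
 * pointers into mapped memory; a pointer to unmapped memory still faults. */
static int unlink_checked(root_node *n) {
    if (n == NULL || n->next == NULL || n->prev == NULL) return -1;
    if (n->next->prev != n || n->prev->next != n) return -1;
    unlink_unchecked(n);
    n->prev = n->next = NULL;          /* poison so a second unlink is caught */
    return 0;
}

/* Constructed scenario 1: unrelated code overwrites b.next with a valid but
 * wrong address. The unchecked unlink would silently rewrite s.prev. */
static int demo_stray_write(void) {
    root_node s, a, b, c;
    list_init(&s);
    list_insert(&s, &a); list_insert(&s, &b); list_insert(&s, &c);
    b.next = &s;                       /* simulated corruption */
    return unlink_checked(&b);         /* s.prev is &a, not &b */
}

/* Constructed scenario 2: the same node is unlinked twice. Returns 1 when the
 * first unlink succeeds, the second is rejected and the list stays intact. */
static int demo_double_unlink(void) {
    root_node s, a, b, c;
    list_init(&s);
    list_insert(&s, &a); list_insert(&s, &b); list_insert(&s, &c);
    int first = unlink_checked(&b);
    int second = unlink_checked(&b);
    return first == 0 && second == -1 && list_len(&s) == 2;
}

int main(void) {
    printf("stray write: %d\n", demo_stray_write());
    printf("double unlink handled: %d\n", demo_double_unlink());
    return 0;
}
```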
 [2012-11-05 18:42 UTC] njh at aelius dot com
I am having the same problem on Mac OS v10.7.5, php v5.3.15, Xdebug v2.2.1, 
PHPUnit 3.7.8.

"-dzend.enable_gc=0" also solves it for me.
 
Last updated: Fri Apr 18 20:01:57 2014 UTC