|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #54266 crash on shutdown when destroying circular references in object
Submitted: 2011-03-16 04:48 UTC Modified: 2017-10-24 05:22 UTC
Avg. Score:3.0 ± 0.0
Reproduced:2 of 3 (66.7%)
Same Version:2 (100.0%)
Same OS:2 (100.0%)
From: Assigned: dmitry (profile)
Status: Assigned Package: Reproducible crash
PHP Version: 5.3SVN-2011-03-16 (snap) OS: MacOS X 10.6.6
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
New email:
PHP Version: OS:


 [2011-03-16 04:48 UTC]
Reported by Christian Holler on mailing list, the example code produces crash on 
engine shutdown.

Test script:

class Person {
        public $dad;
        public function __destruct() {
                $this->dad = null; /* no segfault if this is commented out */

class Dad extends Person {
        public $son;
        public function __construct() {
                $this->son = new Person;
                $this->son->dad = $this; /* no segfault if this is commented out */
        public function __destruct() {
                $dad = new dad;
                parent::__destruct(); /* segfault here */

$o = new Dad;
echo "ok\n";

Actual result:
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000004
0x005310bd in gc_remove_from_buffer [inlined] () at /Users/smalyshev/php-
265		GC_REMOVE_FROM_BUFFER(root_buffer);
(gdb) bt
#0  0x005310bd in gc_remove_from_buffer [inlined] () at /Users/smalyshev/php-
#1  0x005310bd in gc_remove_zval_from_buffer (zv=0x2424dd8) at 
#2  0x004ffe56 in _zval_ptr_dtor (zval_ptr=0x2425154) at /Users/smalyshev/php-
#3  0x0051d7b7 in zend_hash_destroy (ht=0x24250f0) at /Users/smalyshev/php-
#4  0x00533700 in zend_object_std_dtor (object=0x24250c0) at 
#5  0x00533af0 in zend_objects_free_object_storage (object=0x24250c0) at 
#6  0x00538002 in zend_objects_store_free_object_storage (objects=0xa97d90) at 
#7  0x004ff84b in shutdown_executor () at /Users/smalyshev/php-
#8  0x0050fdf9 in zend_deactivate () at /Users/smalyshev/php-5.3/Zend/zend.c:890
#9  0x0049bea7 in php_request_shutdown (dummy=0x0) at /Users/smalyshev/php-
#10 0x005d359f in main (argc=2, argv=0xbffff864) at /Users/smalyshev/php-


Add a Patch

Pull Requests

Pull requests:

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2011-03-16 06:04 UTC]
-Type: Bug +Type: Security -Private report: N +Private report: Y
 [2011-04-13 19:32 UTC]
-Assigned To: +Assigned To: dmitry
 [2011-04-19 08:55 UTC]
The crash occurs after memory overflow error detection, because some internal data structures were not completely initialized. It's probably possible to fix such initialization in a single place, but analysing each memory allocation in PHP code would take enormous time.

I don't see a good may to fix such crashes.
 [2011-04-19 08:56 UTC]
-Status: Assigned +Status: Analyzed
 [2014-02-12 18:48 UTC]
is this still valid?
with 5.3 I still get a segfault, but with 5.4 and upwards the segfault doesn't occur.
 [2014-06-09 05:39 UTC]
-Type: Security +Type: Bug
 [2017-10-24 05:22 UTC]
-Status: Analyzed +Status: Assigned
 [2020-08-19 21:22 UTC] gfbarlow1 at outlook dot com
The following pull request has been associated:

Patch Name: breadcrumbs and next/prev links is now fixed as navbar
On GitHub:
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Fri Mar 05 04:01:23 2021 UTC