Bug #54266 crash on shutdown when destroying circular references in object
Submitted: 2011-03-16 04:48 UTC Modified: 2017-10-24 05:22 UTC
Votes: 3
Avg. Score: 3.0 ± 0.0
Reproduced: 1 of 1 (100.0%)
Same Version: 1 (100.0%)
Same OS: 1 (100.0%)
From: stas@php.net Assigned: dmitry (profile)
Status: Assigned Package: Reproducible crash
PHP Version: 5.3SVN-2011-03-16 (snap) OS: MacOS X 10.6.6
Private report: No CVE-ID: None
 [2011-03-16 04:48 UTC] stas@php.net
Description:
------------
Reported by Christian Holler on the mailing list; the example code produces a crash on engine shutdown.

Test script:
---------------
<?php

class Person {
    public $dad;
    public function __destruct() {
        $this->dad = null; /* no segfault if this is commented out */
    }
}

class Dad extends Person {
    public $son;
    public function __construct() {
        $this->son = new Person;
        $this->son->dad = $this; /* no segfault if this is commented out */
    }
    public function __destruct() {
        $dad = new Dad; /* every destructor builds another cyclic Dad, so memory keeps growing */
        parent::__destruct(); /* segfault here */
    }
}

$o = new Dad;
unset($o);
echo "ok\n";


Actual result:
--------------
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000004
0x005310bd in gc_remove_from_buffer [inlined] () at /Users/smalyshev/php-src/branches/PHP_5_3/Zend/zend_gc.h:265
265		GC_REMOVE_FROM_BUFFER(root_buffer);
(gdb) bt
#0  0x005310bd in gc_remove_from_buffer [inlined] () at /Users/smalyshev/php-src/branches/PHP_5_3/Zend/zend_gc.h:265
#1  0x005310bd in gc_remove_zval_from_buffer (zv=0x2424dd8) at /Users/smalyshev/php-5.3/Zend/zend_gc.c:265
#2  0x004ffe56 in _zval_ptr_dtor (zval_ptr=0x2425154) at /Users/smalyshev/php-5.3/Zend/zend_execute_API.c:442
#3  0x0051d7b7 in zend_hash_destroy (ht=0x24250f0) at /Users/smalyshev/php-5.3/Zend/zend_hash.c:529
#4  0x00533700 in zend_object_std_dtor (object=0x24250c0) at /Users/smalyshev/php-5.3/Zend/zend_objects.c:45
#5  0x00533af0 in zend_objects_free_object_storage (object=0x24250c0) at /Users/smalyshev/php-5.3/Zend/zend_objects.c:126
#6  0x00538002 in zend_objects_store_free_object_storage (objects=0xa97d90) at /Users/smalyshev/php-5.3/Zend/zend_objects_API.c:92
#7  0x004ff84b in shutdown_executor () at /Users/smalyshev/php-5.3/Zend/zend_execute_API.c:302
#8  0x0050fdf9 in zend_deactivate () at /Users/smalyshev/php-5.3/Zend/zend.c:890
#9  0x0049bea7 in php_request_shutdown (dummy=0x0) at /Users/smalyshev/php-5.3/main/main.c:1635
#10 0x005d359f in main (argc=2, argv=0xbffff864) at /Users/smalyshev/php-5.3/sapi/cli/php_cli.c:1374


History

 [2011-03-16 06:04 UTC] stas@php.net
-Type: Bug +Type: Security -Private report: N +Private report: Y
 [2011-04-13 19:32 UTC] stas@php.net
-Assigned To: +Assigned To: dmitry
 [2011-04-19 08:55 UTC] dmitry@php.net
The crash occurs after memory overflow error detection, because some internal data structures were not completely initialized. It's probably possible to fix such initialization in a single place, but analysing each memory allocation in PHP code would take enormous time.

I don't see a good way to fix such crashes.
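The failure mode dmitry describes above, as an added model in C (example code, not php-src): an object store plus a GC root buffer, driven by an allocator that enforces a hard memory limit the way memory_limit does. The constructor registers its object in the store before every field is initialised, so when the limit is hit mid-construction the shutdown walk reaches an object whose root-buffer link is garbage. `gc_remove_from_buffer` here stands in for the GC_REMOVE_FROM_BUFFER in the backtrace but reports a link that points outside the buffer instead of dereferencing it; the `init_gc_link` flag shows the fix of making every field valid before the object becomes visible to shutdown. All names, the slot-array layout, the 0xA5 fill and the sizes are assumptions of the model.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model only (not php-src): an object store plus a GC root buffer, driven by
 * an allocator with a hard memory limit, showing how a constructor that bails
 * out after registering its object leaves shutdown to free a half-built one. */

#define STORE_CAP 16
#define ROOT_CAP  16

typedef struct obj obj;
typedef struct gc_root { obj *ref; int in_use; } gc_root;  /* one root-buffer slot */

struct obj {
    char    *name;      /* payload allocated after the object is registered */
    gc_root *buffered;  /* slot in roots[], NULL when not in the buffer */
};

static obj    *store[STORE_CAP];
static int     store_count;
static gc_root roots[ROOT_CAP];
static size_t  mem_used, mem_limit;

/* malloc with a limit, standing in for memory_limit.  Fresh memory is filled
 * with 0xA5 to model the garbage a real heap hands back (assumption). */
static void *limited_alloc(size_t n)
{
    if (mem_used + n > mem_limit) return NULL;   /* "Allowed memory size exhausted" */
    void *p = malloc(n);
    if (p) { memset(p, 0xA5, n); mem_used += n; }
    return p;
}

static void gc_add_root(obj *o)
{
    for (int i = 0; i < ROOT_CAP; i++)
        if (!roots[i].in_use) {
            roots[i].in_use = 1; roots[i].ref = o; o->buffered = &roots[i];
            return;
        }
}

/* Stand-in for GC_REMOVE_FROM_BUFFER.  A link pointing outside roots[] is what
 * the engine dereferenced on the page; here it is reported (1), not followed. */
static int gc_remove_from_buffer(obj *o)
{
    gc_root *r = o->buffered;
    if (r == NULL) return 0;                     /* never buffered: nothing to unlink */
    if ((uintptr_t)r < (uintptr_t)roots || (uintptr_t)r >= (uintptr_t)(roots + ROOT_CAP))
        return 1;                                /* garbage link: real engine crashes here */
    r->in_use = 0; r->ref = NULL; o->buffered = NULL;
    return 0;
}

/* Registers the object before it is fully built.  With init_gc_link == 0 the
 * root-buffer link stays uninitialised until gc_add_root(), which never runs
 * if the name allocation fails. */
static obj *obj_create(const char *name, int init_gc_link)
{
    obj *o = limited_alloc(sizeof *o);
    if (!o) return NULL;
    o->name = NULL;
    if (init_gc_link) o->buffered = NULL;        /* the fix: every field valid first */
    store[store_count++] = o;                    /* visible to shutdown from here on */
    o->name = limited_alloc(strlen(name) + 1);
    if (!o->name) return NULL;                   /* limit hit: bail out mid-construction */
    strcpy(o->name, name);
    gc_add_root(o);                              /* models the object sitting in a cycle */
    return o;
}

/* Shutdown walk over the store, like zend_objects_store_free_object_storage().
 * Returns how many objects carried a garbage GC link. */
static int shutdown_free_objects(void)
{
    int faults = 0;
    for (int i = 0; i < store_count; i++) {
        faults += gc_remove_from_buffer(store[i]);
        free(store[i]->name);                    /* free(NULL) is a no-op */
        free(store[i]);
        store[i] = NULL;
    }
    store_count = 0;
    return faults;
}

/* Builds objects until the limit stops the (n_ok + 1)th mid-construction, then
 * runs shutdown.  The limit is sized so that object fits but its name does not. */
static int run_scenario(int n_ok, int with_fix)
{
    const char *name = "Dad";
    mem_used = 0;
    mem_limit = (size_t)n_ok * (sizeof(obj) + strlen(name) + 1) + sizeof(obj);
    store_count = 0;
    memset(roots, 0, sizeof roots);
    for (int i = 0; i < STORE_CAP && obj_create(name, with_fix) != NULL; i++)
        ;
    return shutdown_free_objects();
}

int main(void)
{
    printf("without fix: %d garbage GC link(s) at shutdown\n", run_scenario(4, 0));
    printf("with fix:    %d garbage GC link(s) at shutdown\n", run_scenario(4, 1));
    return 0;
}
```

The point of the model is the ordering: once an object is reachable from the store, shutdown will call its destructor no matter how far construction got, so every field the destructor touches has to be valid from the moment of registration, not from the moment construction finishes. That is the "fix such initialization in a single place" option; the alternative dmitry mentions is auditing every allocation that can fail after registration.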
 [2011-04-19 08:56 UTC] dmitry@php.net
-Status: Assigned +Status: Analyzed
 [2014-02-12 18:48 UTC] tyrael@php.net
Is this still valid?
With 5.3 I still get a segfault, but with 5.4 and upwards the segfault doesn't occur.
 [2014-06-09 05:39 UTC] stas@php.net
-Type: Security +Type: Bug
 [2017-10-24 05:22 UTC] kalle@php.net
-Status: Analyzed +Status: Assigned
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sun Nov 19 01:31:42 2017 UTC