Bug #55665 Segmentation fault in gc_mark_roots()
Submitted: 2011-09-10 11:17 UTC Modified: 2017-01-02 13:01 UTC
Votes:2
Avg. Score:3.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: mbeccati@php.net Assigned: mbeccati
Status: Closed Package: Reproducible crash
PHP Version: 5.3SVN-2011-09-10 (SVN) OS: FreeBSD 6.2
Private report: No CVE-ID: None

 [2011-09-10 11:17 UTC] mbeccati@php.net
Description:
------------
As usual with bugs related to garbage collection, I don't have a short piece of reproducing code. The segmentation fault happens when running a pretty heavy integration test and is currently reproducible on PHP 5.3 (tested 5.3.4, 5.3.6RC3, 5.3.8 and PHP_5_3 svn HEAD). Unfortunately garbage collection is a bit too much for me to be able to make sense of it and debug the issue.

Interestingly enough I couldn't reproduce it on PHP 5.2 or PHP 5.4.

Happens both with gcc 3.4.6 and 4.2.5 with -O0.

SSH access to the machine is available for anyone interested in investigating.



Actual result:
--------------
Here is the relevant portion of backtrace and some other gdb commands:

#0  0x000000000094a060 in gc_mark_roots () at /array1/compile/php-src/php/php-src/branches/PHP_5_3/Zend/zend_gc.c:434
434                             if (GC_ZVAL_GET_COLOR(current->u.pz) == GC_PURPLE) {
(gdb) bt full
#0  0x000000000094a060 in gc_mark_roots () at /array1/compile/php-src/php/php-src/branches/PHP_5_3/Zend/zend_gc.c:434
        current = (gc_root_buffer *) 0x11121a0
#1  0x000000000094a90c in gc_collect_cycles () at /array1/compile/php-src/php/php-src/branches/PHP_5_3/Zend/zend_gc.c:664
        p = (zval_gc_info *) 0x1e8fbd0
        q = (zval_gc_info *) 0x7fffffffccd8
        orig_free_list = (zval_gc_info *) 0x377c42d8edc99ee
        orig_next_to_free = (zval_gc_info *) 0x901e88190
        count = 0
#2  0x00000000009495c2 in gc_zval_possible_root (zv=0x3e37620) at /array1/compile/php-src/php/php-src/branches/PHP_5_3/Zend/zend_gc.c:166
        newRoot = (gc_root_buffer *) 0x0
#3  0x00000000009bb104 in ZEND_FETCH_DIM_W_SPEC_VAR_CV_HANDLER (execute_data=0x1390810) at zend_gc.h:183
        opline = (zend_op *) 0x1e8fbf8
        free_op1 = {var = 0x0}
        dim = (zval *) 0x3e37708
        container = (zval **) 0x3057850
#4  0x0000000000953c58 in execute (op_array=0x1e8be08) at zend_vm_execute.h:107
        ret = 0
        execute_data = (zend_execute_data *) 0x1390810
        nested = 1 '\001'
        original_in_execution = 0 '\0'
...
(gdb) print current->u.pz
$1 = (zval *) 0x3e9fd38
(gdb) print *current->u.pz
Cannot access memory at address 0x3e9fd38
(gdb) frame 4
#4  0x0000000000953c58 in execute (op_array=0x1e8be08) at zend_vm_execute.h:107
107                     if ((ret = EX(opline)->handler(execute_data TSRMLS_CC)) > 0) {
(gdb) dump_bt executor_globals.current_execute_data
[0x01390810] addItem() /usr/local/bamboo/test-home/xml-data/build-dir/RET-TRUNK-PHPBUG/lib/pear/Config/Container.php:153
[0x013905c0] addItem() /usr/local/bamboo/test-home/xml-data/build-dir/RET-TRUNK-PHPBUG/lib/pear/Config/Container.php:108
[0x01390450] createItem() /usr/local/bamboo/test-home/xml-data/build-dir/RET-TRUNK-PHPBUG/lib/pear/Config/Container.php:196
[0x01390008] createDirective() /usr/local/bamboo/test-home/xml-data/build-dir/RET-TRUNK-PHPBUG/lib/pear/Config/Container/PHPArray.php:113
[0x0138fbc0] _parseArray() /usr/local/bamboo/test-home/xml-data/build-dir/RET-TRUNK-PHPBUG/lib/pear/Config/Container/PHPArray.php:111
[0x0138f5a0] _parseArray() /usr/local/bamboo/test-home/xml-data/build-dir/RET-TRUNK-PHPBUG/lib/pear/Config/Container/PHPArray.php:75
[0x0138ef48] parseDatasrc() /usr/local/bamboo/test-home/xml-data/build-dir/RET-TRUNK-PHPBUG/lib/pear/Config.php:197
[0x0138ebd8] parseConfig() /usr/local/bamboo/test-home/xml-data/build-dir/RET-TRUNK-PHPBUG/lib/OA/Admin/Settings.php:364
[0x0138b9b0] writeConfigArrayToFile() /usr/local/bamboo/test-home/xml-data/build-dir/RET-TRUNK-PHPBUG/lib/OA/Admin/Settings.php:173
[0x0138b7a0] writeConfigChange() /usr/local/bamboo/test-home/xml-data/build-dir/RET-TRUNK-PHPBUG/lib/OX/Plugin/PluginManager.php:870
[0x0138ac18] _setPackage() /usr/local/bamboo/test-home/xml-data/build-dir/RET-TRUNK-PHPBUG/lib/OX/Plugin/PluginManager.php:518
[0x0138a0e8] enablePackage() /usr/local/bamboo/test-home/xml-data/build-dir/RET-TRUNK-PHPBUG/tests/testClasses/TestEnv.php:183
[0x01389198] installPluginPackage() /usr/local/bamboo/test-home/xml-data/build-dir/RET-TRUNK-PHPBUG/plugins_repo/apRetargetingDriverExternal/plugins/apRetargeting/lib/Dal/Drivers/tests/integration/External.plg.test.php:28
[0x01388f80] setUp() /usr/local/bamboo/test-home/xml-data/build-dir/RET-TRUNK-PHPBUG/lib/simpletest/invoker.php:67
[0x01388e50] invoke() /usr/local/bamboo/test-home/xml-data/build-dir/RET-TRUNK-PHPBUG/lib/simpletest/invoker.php:126
[0x01388878] invoke() /usr/local/bamboo/test-home/xml-data/build-dir/RET-TRUNK-PHPBUG/lib/simpletest/errors.php:48
[0x01388748] invoke() /usr/local/bamboo/test-home/xml-data/build-dir/RET-TRUNK-PHPBUG/lib/simpletest/invoker.php:126
[0x01388228] invoke() /usr/local/bamboo/test-home/xml-data/build-dir/RET-TRUNK-PHPBUG/lib/simpletest/exceptions.php:42
[0x01387a28] invoke() /usr/local/bamboo/test-home/xml-data/build-dir/RET-TRUNK-PHPBUG/lib/simpletest/test_case.php:135
[0x013873e0] run() /usr/local/bamboo/test-home/xml-data/build-dir/RET-TRUNK-PHPBUG/lib/simpletest/test_case.php:588
[0x01386d98] run() /usr/local/bamboo/test-home/xml-data/build-dir/RET-TRUNK-PHPBUG/lib/simpletest/test_case.php:591
[0x01386b08] run() /usr/local/bamboo/test-home/xml-data/build-dir/RET-TRUNK-PHPBUG/tests/testClasses/TestRunner.php:411
[0x01386320] runCase() /usr/local/bamboo/test-home/xml-data/build-dir/RET-TRUNK-PHPBUG/tests/testClasses/TestRunner.php:194
[0x01385040] runFile() /usr/local/bamboo/test-home/xml-data/build-dir/RET-TRUNK-PHPBUG/tests/run.php:123


 [2011-09-27 00:00 UTC] tyrael@php.net
Is it still reproducible with 5.3.8?
 [2011-09-29 06:07 UTC] mbeccati@php.net
Hi Tyrael,

I've switched the test runs to use PHP 5.3.8 and I got segmentation faults again. I will try to investigate during the weekend, but generally speaking it should be possible to trigger some. The most recent core file shows a SIGSEGV at:

#0  0x000000000094a10c in zval_scan (pz=0x0)
    at /array1/compile/php-src/php/php-src/branches/PHP_5_3/Zend/zend_gc.c:450
450             if (GC_ZVAL_GET_COLOR(pz) == GC_GREY) {
 [2013-06-28 07:33 UTC] shm@php.net
Any updates?
 [2013-06-28 07:49 UTC] mbeccati@php.net
The FreeBSD box I was using back then has been discontinued. I'll try to trigger it again on the newer (Ubuntu) build box.
 [2017-01-02 12:21 UTC] nikic@php.net
-Status: Open +Status: Feedback
 [2017-01-02 12:21 UTC] nikic@php.net
Does this problem still exist in PHP 7?
 [2017-01-02 13:00 UTC] mbeccati@php.net
-Status: Feedback +Status: Closed -Assigned To: +Assigned To: mbeccati
 [2017-01-02 13:00 UTC] mbeccati@php.net
Still getting random segmentation faults on 5.6 with that test suite. None whatsoever with PHP7+. I think we can safely mark this as closed.

Thanks!
 