php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #60457 gc_zval_possible_root SIGSEGV
Submitted: 2011-12-07 14:05 UTC Modified: 2013-08-30 07:43 UTC
Votes:4
Avg. Score:5.0 ± 0.0
Reproduced:3 of 3 (100.0%)
Same Version:0 (0.0%)
Same OS:2 (66.7%)
From: Sjon at hortensius dot net Assigned: maarten (profile)
Status: Closed Package: Scripting Engine problem
PHP Version: 5.3.8 OS: Linux
Private report: No CVE-ID: None
View Developer Edit
 [2011-12-07 14:05 UTC] Sjon at hortensius dot net 
Description:
------------
Our application segfaults after completely finishing the request.

Unfortunately I cannot provide a script to reproduce this as it occurs in an 
application consisting of many classes. I have been poking at this with gdb for a 
while, but can't find the cause for this problem.

How can I supply you with the information you need to resolve this? We can 'fix' 
the problem by die()-ing in the __destruct of the class that seems to cause this

Actual result:
--------------
#0  0x00000000005bf0e9 in gc_zval_possible_root (zv=0x1985580) at 
/usr/src/debug/php-5.3.8/Zend/zend_gc.c:143
#1  0x00000000005aeb28 in zend_hash_destroy (ht=0x1363998) at 
/usr/src/debug/php-5.3.8/Zend/zend_hash.c:529
#2  0x00000000005c0609 in zend_object_std_dtor (object=0x1363970) at 
/usr/src/debug/php-5.3.8/Zend/zend_objects.c:45
#3  0x00000000005c0629 in zend_objects_free_object_storage (object=0x1985580) at 
/usr/src/debug/php-5.3.8/Zend/zend_objects.c:126
#4  0x00000000005c46d6 in zend_objects_store_free_object_storage 
(objects=0x91bef8) at /usr/src/debug/php-5.3.8/Zend/zend_objects_API.c:92
#5  0x0000000000595757 in shutdown_executor () at /usr/src/debug/php-
5.3.8/Zend/zend_execute_API.c:304
#6  0x00000000005a1fc2 in zend_deactivate () at /usr/src/debug/php-
5.3.8/Zend/zend.c:891
#7  0x000000000054f2ce in php_request_shutdown (dummy=<value optimized out>) at 
/usr/src/debug/php-5.3.8/main/main.c:1640
#8  0x000000000062b10f in main (argc=3, argv=0x7fffffffea88) at 
/usr/src/debug/php-5.3.8/sapi/cli/php_cli.c:1363

(gdb) frame 2
#2  0x00000000005c0609 in zend_object_std_dtor (object=0x1363970) at 
/usr/src/debug/php-5.3.8/Zend/zend_objects.c:45
45			zend_hash_destroy(object->properties);

(gdb) print *object->ce 
$1 = {type = 2 '\002', name = 0xcdce30 "React_Introspection_Controller", 
name_length = 30, parent = 0xcb3e78, refcount = 1, constants_updated = 1 '\001', 
ce_flags = 0, function_table = {nTableSize = 32, 
    nTableMask = 31, nNumOfElements = 27, nNextFreeElement = 0, pInternalPointer 
= 0xcde7b0, pListHead = 0xcde7b0, pListTail = 0xce9d10, arBuckets = 0xce8fa8, 
pDestructor = 0x599450 <zend_function_dtor>, 
    persistent = 0 '\000', nApplyCount = 0 '\000', bApplyProtection = 0 '\000'}, 
default_properties = {nTableSize = 8, nTableMask = 7, nNumOfElements = 5, 
nNextFreeElement = 0, pInternalPointer = 0xce74c8, 
    pListHead = 0xce74c8, pListTail = 0xce7660, arBuckets = 0xcdcf50, 
pDestructor = 0x595420 <_zval_ptr_dtor>, persistent = 0 '\000', nApplyCount = 0 
'\000', bApplyProtection = 0 '\000'}, properties_info = {
    nTableSize = 8, nTableMask = 7, nNumOfElements = 5, nNextFreeElement = 0, 
pInternalPointer = 0xce76c8, pListHead = 0xce76c8, pListTail = 0xce7850, 
arBuckets = 0xcde670, 
    pDestructor = 0x586190 <zend_destroy_property_info>, persistent = 0 '\000', 
nApplyCount = 0 '\000', bApplyProtection = 0 '\000'}, default_static_members = 
{nTableSize = 8, nTableMask = 7, 
    nNumOfElements = 0, nNextFreeElement = 0, pInternalPointer = 0x0, pListHead 
= 0x0, pListTail = 0x0, arBuckets = 0xcde6c0, pDestructor = 0x595420 
<_zval_ptr_dtor>, persistent = 0 '\000', 
    nApplyCount = 0 '\000', bApplyProtection = 0 '\000'}, static_members = 0x0, 
constants_table = {nTableSize = 8, nTableMask = 7, nNumOfElements = 0, 
nNextFreeElement = 0, pInternalPointer = 0x0, 
    pListHead = 0x0, pListTail = 0x0, arBuckets = 0xcde710, pDestructor = 
0x595420 <_zval_ptr_dtor>, persistent = 0 '\000', nApplyCount = 0 '\000', 
bApplyProtection = 0 '\000'}, builtin_functions = 0x0, 
  constructor = 0xca2160, destructor = 0x0, clone = 0x0, __get = 0x0, __set = 
0x0, __unset = 0x0, __isset = 0x0, __call = 0x0, __callstatic = 0x0, __tostring 
= 0x0, serialize_func = 0x0, 
  unserialize_func = 0x0, iterator_funcs = {funcs = 0x0, zf_new_iterator = 0x0, 
zf_valid = 0x0, zf_current = 0x0, zf_key = 0x0, zf_next = 0x0, zf_rewind = 0x0}, 
create_object = 0, get_iterator = 0, 
  interface_gets_implemented = 0, get_static_method = 0, serialize = 0, 
unserialize = 0, interfaces = 0xcde368, num_interfaces = 1, 
  filename = 0xcde018 "[...]/Introspection/Controller.php", line_start = 2, 
line_end = 82, doc_comment = 0x0, 
  doc_comment_len = 0, module = 0x0}

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2011-12-11 19:41 UTC] arekm at maven dot pl 
Isn't this something similar to last comments of #40479 (there is 
reproduction script there).
 [2011-12-12 15:58 UTC] Sjon at hortensius dot net 
I am afraid not, gc_disable() doesn't solve this segfault unfortunately
 [2012-01-04 07:31 UTC] no at snaxor dot com 
I may be bumping into this one as well, Similarly, I cannot provide a script to 
reproduce it since it happens in a project with many classes, but I'll see if I 
can narrow it down and create one. 

It is very inconsistent. It will die one the same page but with different data 
it will be fine. What seems to be sparking it in my case is Smarty, with lots of 
sub-template files. The content is rendered correctly, but during Smarty's 
cleanup is when it dies.

It is trigger-able via php command line or apache module. 

gc_disable() doesn't unfortunately have any effect.

PHP Version: 5.3.8 on OSX.

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x0000003dca9fd2f1
0x0000000100359618 in gc_zval_possible_root ()
(gdb) bt
#0  0x0000000100359618 in gc_zval_possible_root ()
#1  0x000000010034a765 in zend_hash_destroy ()
#2  0x000000010035c86c in zend_object_std_dtor ()
#3  0x000000010035c4f8 in zend_objects_free_object_storage ()
#4  0x000000010035faae in zend_objects_store_del_ref_by_handle_ex ()
#5  0x000000010035fb64 in zend_objects_store_del_ref ()
#6  0x0000000100334e2d in _zval_ptr_dtor ()
#7  0x000000010034a765 in zend_hash_destroy ()
#8  0x000000010033f1b0 in _zval_dtor_func ()
#9  0x0000000100334e2d in _zval_ptr_dtor ()
#10 0x000000010034a765 in zend_hash_destroy ()
#11 0x000000010035c86c in zend_object_std_dtor ()
#12 0x000000010035c4f8 in zend_objects_free_object_storage ()
#13 0x000000010035f6eb in zend_objects_store_free_object_storage ()
#14 0x0000000100337750 in shutdown_executor ()
#15 0x000000010033feae in zend_deactivate ()
#16 0x00000001002f08b1 in php_request_shutdown ()
#17 0x00000001003ba366 in main ()
#18 0x00000001000010ec in start ()
 [2012-01-04 08:26 UTC] Sjon at hortensius dot net 
For anyone interested, this bug is not related to a single class, but we have 
worked around, and seen this bug occur again, in many different places.

I have also been reproducing this in 5.3.6 / 5.3.5 / 5.3.4 and 5.3.3
 [2012-01-20 13:37 UTC] sjon at hortensius dot net 
This bug has been solved in a more specific bug which includes a patch: https://bugs.php.net/bug.php?id=60701
 [2012-01-27 13:19 UTC] no at snaxor dot com 
It appears that the bug #60701 referenced by Sjon at hortensius dot net was the 
responsible for the crashes in my application.
 [2013-08-30 07:43 UTC] maarten@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: maarten
 [2013-08-30 07:43 UTC] maarten@php.net 
Fixed in related issue :)
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Tue Apr 01 03:01:29 2025 UTC