Bug #60457 gc_zval_possible_root SIGSEGV
Submitted: 2011-12-07 14:05 UTC Modified: 2013-08-30 07:43 UTC
Votes:4
Avg. Score:5.0 ± 0.0
Reproduced:3 of 3 (100.0%)
Same Version:0 (0.0%)
Same OS:2 (66.7%)
From: Sjon at hortensius dot net Assigned: maarten
Status: Closed Package: Scripting Engine problem
PHP Version: 5.3.8 OS: Linux
Private report: No CVE-ID:
 [2011-12-07 14:05 UTC] Sjon at hortensius dot net
Description:
------------
Our application segfaults after completely finishing the request.

Unfortunately I cannot provide a script to reproduce this as it occurs in an 
application consisting of many classes. I have been poking at this with gdb for a 
while, but can't find the cause for this problem.

How can I supply you with the information you need to resolve this? We can 'fix' 
the problem by die()-ing in the __destruct of the class that seems to cause this.

Actual result:
--------------
#0  0x00000000005bf0e9 in gc_zval_possible_root (zv=0x1985580) at /usr/src/debug/php-5.3.8/Zend/zend_gc.c:143
#1  0x00000000005aeb28 in zend_hash_destroy (ht=0x1363998) at /usr/src/debug/php-5.3.8/Zend/zend_hash.c:529
#2  0x00000000005c0609 in zend_object_std_dtor (object=0x1363970) at /usr/src/debug/php-5.3.8/Zend/zend_objects.c:45
#3  0x00000000005c0629 in zend_objects_free_object_storage (object=0x1985580) at /usr/src/debug/php-5.3.8/Zend/zend_objects.c:126
#4  0x00000000005c46d6 in zend_objects_store_free_object_storage (objects=0x91bef8) at /usr/src/debug/php-5.3.8/Zend/zend_objects_API.c:92
#5  0x0000000000595757 in shutdown_executor () at /usr/src/debug/php-5.3.8/Zend/zend_execute_API.c:304
#6  0x00000000005a1fc2 in zend_deactivate () at /usr/src/debug/php-5.3.8/Zend/zend.c:891
#7  0x000000000054f2ce in php_request_shutdown (dummy=<value optimized out>) at /usr/src/debug/php-5.3.8/main/main.c:1640
#8  0x000000000062b10f in main (argc=3, argv=0x7fffffffea88) at /usr/src/debug/php-5.3.8/sapi/cli/php_cli.c:1363

(gdb) frame 2
#2  0x00000000005c0609 in zend_object_std_dtor (object=0x1363970) at /usr/src/debug/php-5.3.8/Zend/zend_objects.c:45
45			zend_hash_destroy(object->properties);

(gdb) print *object->ce 
$1 = {type = 2 '\002', name = 0xcdce30 "React_Introspection_Controller", name_length = 30, parent = 0xcb3e78, refcount = 1, constants_updated = 1 '\001', ce_flags = 0, function_table = {nTableSize = 32,
    nTableMask = 31, nNumOfElements = 27, nNextFreeElement = 0, pInternalPointer = 0xcde7b0, pListHead = 0xcde7b0, pListTail = 0xce9d10, arBuckets = 0xce8fa8, pDestructor = 0x599450 <zend_function_dtor>,
    persistent = 0 '\000', nApplyCount = 0 '\000', bApplyProtection = 0 '\000'}, default_properties = {nTableSize = 8, nTableMask = 7, nNumOfElements = 5, nNextFreeElement = 0, pInternalPointer = 0xce74c8,
    pListHead = 0xce74c8, pListTail = 0xce7660, arBuckets = 0xcdcf50, pDestructor = 0x595420 <_zval_ptr_dtor>, persistent = 0 '\000', nApplyCount = 0 '\000', bApplyProtection = 0 '\000'}, properties_info = {
    nTableSize = 8, nTableMask = 7, nNumOfElements = 5, nNextFreeElement = 0, pInternalPointer = 0xce76c8, pListHead = 0xce76c8, pListTail = 0xce7850, arBuckets = 0xcde670,
    pDestructor = 0x586190 <zend_destroy_property_info>, persistent = 0 '\000', nApplyCount = 0 '\000', bApplyProtection = 0 '\000'}, default_static_members = {nTableSize = 8, nTableMask = 7,
    nNumOfElements = 0, nNextFreeElement = 0, pInternalPointer = 0x0, pListHead = 0x0, pListTail = 0x0, arBuckets = 0xcde6c0, pDestructor = 0x595420 <_zval_ptr_dtor>, persistent = 0 '\000',
    nApplyCount = 0 '\000', bApplyProtection = 0 '\000'}, static_members = 0x0, constants_table = {nTableSize = 8, nTableMask = 7, nNumOfElements = 0, nNextFreeElement = 0, pInternalPointer = 0x0,
    pListHead = 0x0, pListTail = 0x0, arBuckets = 0xcde710, pDestructor = 0x595420 <_zval_ptr_dtor>, persistent = 0 '\000', nApplyCount = 0 '\000', bApplyProtection = 0 '\000'}, builtin_functions = 0x0,
  constructor = 0xca2160, destructor = 0x0, clone = 0x0, __get = 0x0, __set = 0x0, __unset = 0x0, __isset = 0x0, __call = 0x0, __callstatic = 0x0, __tostring = 0x0, serialize_func = 0x0,
  unserialize_func = 0x0, iterator_funcs = {funcs = 0x0, zf_new_iterator = 0x0, zf_valid = 0x0, zf_current = 0x0, zf_key = 0x0, zf_next = 0x0, zf_rewind = 0x0}, create_object = 0, get_iterator = 0,
  interface_gets_implemented = 0, get_static_method = 0, serialize = 0, unserialize = 0, interfaces = 0xcde368, num_interfaces = 1,
  filename = 0xcde018 "[...]/Introspection/Controller.php", line_start = 2, line_end = 82, doc_comment = 0x0,
  doc_comment_len = 0, module = 0x0}

 [2011-12-11 19:41 UTC] arekm at maven dot pl
Isn't this something similar to the last comments of #40479 (there is a 
reproduction script there)?
 [2011-12-12 15:58 UTC] Sjon at hortensius dot net
I am afraid not; gc_disable() doesn't solve this segfault, unfortunately.
 [2012-01-04 07:31 UTC] no at snaxor dot com
I may be bumping into this one as well. Similarly, I cannot provide a script to 
reproduce it since it happens in a project with many classes, but I'll see if I 
can narrow it down and create one.

It is very inconsistent. It will die on the same page, but with different data 
it will be fine. What seems to be sparking it in my case is Smarty, with lots of 
sub-template files. The content is rendered correctly, but during Smarty's 
cleanup is when it dies.

It is triggerable via the php command line or the apache module.

gc_disable() unfortunately doesn't have any effect.

PHP Version: 5.3.8 on OSX.

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x0000003dca9fd2f1
0x0000000100359618 in gc_zval_possible_root ()
(gdb) bt
#0  0x0000000100359618 in gc_zval_possible_root ()
#1  0x000000010034a765 in zend_hash_destroy ()
#2  0x000000010035c86c in zend_object_std_dtor ()
#3  0x000000010035c4f8 in zend_objects_free_object_storage ()
#4  0x000000010035faae in zend_objects_store_del_ref_by_handle_ex ()
#5  0x000000010035fb64 in zend_objects_store_del_ref ()
#6  0x0000000100334e2d in _zval_ptr_dtor ()
#7  0x000000010034a765 in zend_hash_destroy ()
#8  0x000000010033f1b0 in _zval_dtor_func ()
#9  0x0000000100334e2d in _zval_ptr_dtor ()
#10 0x000000010034a765 in zend_hash_destroy ()
#11 0x000000010035c86c in zend_object_std_dtor ()
#12 0x000000010035c4f8 in zend_objects_free_object_storage ()
#13 0x000000010035f6eb in zend_objects_store_free_object_storage ()
#14 0x0000000100337750 in shutdown_executor ()
#15 0x000000010033feae in zend_deactivate ()
#16 0x00000001002f08b1 in php_request_shutdown ()
#17 0x00000001003ba366 in main ()
#18 0x00000001000010ec in start ()
 [2012-01-04 08:26 UTC] Sjon at hortensius dot net
For anyone interested, this bug is not related to a single class; we have 
worked around it, and seen this bug occur again, in many different places.

I have also been reproducing this in 5.3.6 / 5.3.5 / 5.3.4 and 5.3.3.
 [2012-01-20 13:37 UTC] sjon at hortensius dot net
This bug has been solved in a more specific bug which includes a patch: https://bugs.php.net/bug.php?id=60701
 [2012-01-27 13:19 UTC] no at snaxor dot com
It appears that the bug #60701 referenced by Sjon at hortensius dot net was 
responsible for the crashes in my application.
 [2013-08-30 07:43 UTC] maarten@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: maarten
 [2013-08-30 07:43 UTC] maarten@php.net
Fixed in related issue :)
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Sat Apr 19 04:01:55 2014 UTC