Bug #60598 cli/apache sapi segfault on objects manipulation
Submitted: 2011-12-22 22:33 UTC Modified: 2013-08-29 15:25 UTC
Votes:13
Avg. Score:4.6 ± 0.7
Reproduced:12 of 12 (100.0%)
Same Version:5 (41.7%)
Same OS:7 (58.3%)
From: arekm at maven dot pl Assigned: laruence
Status: Closed Package: Reproducible crash
PHP Version: 5.4.0RC3 OS: Linux
Private report: No CVE-ID:
 [2011-12-22 22:33 UTC] arekm at maven dot pl
Description:
------------
[arekm@ixion-pld php-5.4.0RC3]$ export LC_ALL=C
[arekm@ixion-pld php-5.4.0RC3]$ ./sapi/cli/php -n ~/a.php
If you see this, try to increase OBJECT_COUNT to 100,000Segmentation fault
[arekm@ixion-pld php-5.4.0RC3]$ ./sapi/cli/php -n --version
PHP 5.4.0RC3 (cli) (built: Dec 22 2011 23:19:37)
Copyright (c) 1997-2011 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2011 Zend Technologies

Test script:
---------------
<?
define('OBJECT_COUNT', 130000);

class Object {
    private static $world = array();
    private static $maxGuid = 0;
    protected $_guid = null;
    public function __construct() {
         self::$world[$this->_guid = self::$maxGuid++] = $this;
    }
    public function __destruct() {
         unset(self::$world[$this->_guid]);
    }
}

for ($i = 0; $i < OBJECT_COUNT; ++$i) {
    new Object();
}

// You probably won't see this because of the "zend_mm_heap corrupted"
echo 'If you see this, try to increase OBJECT_COUNT to 100,000';
?>

Expected result:
----------------
cli not segfaulting

Actual result:
--------------
Starting program: /home/users/arekm/rpm/BUILD/php-5.4.0RC3/sapi/cli/.libs/php -n /home/users/arekm/a.php
[Thread debugging using libthread_db enabled]
If you see this, try to increase OBJECT_COUNT to 100,000
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7a462b9 in gc_zval_possible_root (zv=0x7ffff5677420) at /home/users/arekm/rpm/BUILD/php-5.4.0RC3/Zend/zend_gc.c:143
143                     GC_ZOBJ_CHECK_POSSIBLE_ROOT(zv);
(gdb) bt
#0  0x00007ffff7a462b9 in gc_zval_possible_root (zv=0x7ffff5677420) at /home/users/arekm/rpm/BUILD/php-5.4.0RC3/Zend/zend_gc.c:143
#1  0x00007ffff7a48ba2 in zend_object_std_dtor (object=0x7ffff56773d0) at /home/users/arekm/rpm/BUILD/php-5.4.0RC3/Zend/zend_objects.c:54
#2  0x00007ffff7a48bd9 in zend_objects_free_object_storage (object=0x7ffff56773d0) at /home/users/arekm/rpm/BUILD/php-5.4.0RC3/Zend/zend_objects.c:137
#3  0x00007ffff7a4e56f in zend_objects_store_free_object_storage (objects=0x7ffff7dda700) at /home/users/arekm/rpm/BUILD/php-5.4.0RC3/Zend/zend_objects_API.c:92
#4  0x00007ffff7a18c83 in shutdown_executor () at /home/users/arekm/rpm/BUILD/php-5.4.0RC3/Zend/zend_execute_API.c:297
#5  0x00007ffff7a27555 in zend_deactivate () at /home/users/arekm/rpm/BUILD/php-5.4.0RC3/Zend/zend.c:934
#6  0x00007ffff79c820f in php_request_shutdown (dummy=<optimized out>) at /home/users/arekm/rpm/BUILD/php-5.4.0RC3/main/main.c:1781
#7  0x0000000000405538 in do_cli (argc=3, argv=0x7fffffffea38) at /home/users/arekm/rpm/BUILD/php-5.4.0RC3/sapi/cli/php_cli.c:1169
#8  0x0000000000404d4c in main (argc=3, argv=0x7fffffffea38) at /home/users/arekm/rpm/BUILD/php-5.4.0RC3/sapi/cli/php_cli.c:1356
(gdb) frame 0
#0  0x00007ffff7a462b9 in gc_zval_possible_root (zv=0x7ffff5677420) at /home/users/arekm/rpm/BUILD/php-5.4.0RC3/Zend/zend_gc.c:143
143                     GC_ZOBJ_CHECK_POSSIBLE_ROOT(zv);
(gdb) print zv
$1 = (zval *) 0x7ffff5677420
(gdb) print *zv
$2 = {
  value = {
    lval = 140737303870936,
    dval = 6.9533466930949762e-310,
    str = {
      val = 0x7ffff500fdd8 "\270",
      len = -184485184
    },
    ht = 0x7ffff500fdd8,
    obj = {
      handle = 4110482904,
      handlers = 0x7ffff500fac0
    }
  },
  refcount__gc = 4294967295,
  type = 5 '\005',
  is_ref__gc = 0 '\000'
}
(gdb)


Patches

bug60598 (last revision 2013-08-29 11:09 UTC) by laruence@php.net


History

 [2012-01-06 14:09 UTC] daan at react dot com
Looks a lot like https://bugs.php.net/bug.php?id=39346

Curiously, the segfault looks a lot like https://bugs.php.net/bug.php?id=60457 - 
but that might just be PHP's reaction to memory corruption.
 [2012-01-08 10:26 UTC] arekm at maven dot pl
PHP 5.4.0 RC5 also dies

$ ~/test/php-test/bin/php --version
PHP 5.4.0RC5 (cli) (built: Jan  8 2012 11:23:44)
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2012 Zend Technologies


[arekm@ixion-pld php-5.4.0RC5]$ ~/test/php-test/bin/php ~/a.php
If you see this, try to increase OBJECT_COUNT to 100,000Segmentation fault
 [2012-03-16 15:56 UTC] eugen at kochuev dot com
We also face a similar issue in a symfony 1.4 project. The issue appears in 5.3 and 
5.4 and does not happen in 5.2. Disabling GC makes segfaults less 
frequent, but still does not solve the problem.
 [2012-11-24 17:46 UTC] manuel-php at mausz dot at
Hi,

I've tried to debug this yesterday but was unable to come up with a working fix. So I decided to share my results. Maybe someone with more in-depth knowledge of the PHP gc/heap can fix it more easily now.

First of all: the problem is also reproducible with 2 (and more) objects. It just doesn't crash due to PHP's memory heap. The corruption occurs during PHP's garbage collection, which kicks in just after __destruct() but before releasing the objects. Since GC_ROOT_BUFFER_MAX_ENTRIES is 10000 by default, you'll see heap memory corruption warnings starting at 9994 objects (looks like 6 other zvals are created during startup). Reducing GC_ROOT_BUFFER_MAX_ENTRIES to 8 allows reducing OBJECT_COUNT (in the example script from arekm) to 2. Another, simpler solution is to call gc_collect_cycles() in __destruct() just after unset(...).

So here comes my (stripped down) debug output (verified via valgrind + gdb):
* GC_ROOT_BUFFER_MAX_ENTRIES=default (10k)
* OBJECT_COUNT=2
* call gc_collect_cycles() in __destruct()
* abbr.: pt ...(object) properties_table

[...]
[object_properties_init]
  name=Object addr=b20d9d88 pt_addr=b20d9808
  pt[0]_addr=b20d6148 pt[0].handle=#0
[zend_std_write_property]
  name=_guid (=pt[0])
  old_addr=b20d6148 new_addr=b20d9db8 new.handle=#0

[...]
[zval_collect_white]
  adding zval to zval_to_free-list
  zval: addr=b20d9db8 refcnt=2 handle=#0
[gc_collect_cycles]
  freeing zval
  zval: addr=b20d9db8 refcnt=2 handle=#0

[...]
[zend_object_std_dtor]
  object=Object addr=b20d9d88 pt_addr=b20d9808
  calling zval_ptr_dtor for pt[0]_addr=b20d9db8 pt[0].handle=#-1307730616

[...]

Hope this helps.
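The two-object reduction described in this comment, written out as an added example (it is not the reporter's script and not PHP project code): the same static-registry pattern, but with a forced collection from __destruct(), which the comment says is enough to trigger the double free on affected builds without filling the 10,000-entry root buffer. The class name, OBJECT_COUNT value and the final message are assumptions.

```php
<?php
// Added example reconstructing the reduction described above; constructed for
// illustration, not the original reporter's script.
define('OBJECT_COUNT', 2);

class Registry
{
    /** @var Registry[] every live instance, keyed by its guid */
    private static $world = array();
    private static $maxGuid = 0;
    protected $_guid = null;

    public function __construct()
    {
        // Storing $this in a static array creates the self-reference that the
        // cycle collector later records as a possible root.
        self::$world[$this->_guid = self::$maxGuid++] = $this;
    }

    public function __destruct()
    {
        unset(self::$world[$this->_guid]);
        // The commenter's shortcut: instead of waiting for
        // GC_ROOT_BUFFER_MAX_ENTRIES (10000) possible roots to accumulate, run
        // the collector now, while this object is still being torn down. On
        // affected builds the collector frees the property zval that
        // zend_object_std_dtor() then releases a second time (the two
        // "zval free" markers in the debug output above).
        gc_collect_cycles();
    }
}

for ($i = 0; $i < OBJECT_COUNT; ++$i) {
    new Registry();
}

// With only two objects the corruption may not crash the process; the comment
// recommends building with ZEND_MM_HEAP_PROTECTION so the second free is
// detected instead of silently overwriting heap memory. On a build carrying
// the fix referenced in this report the script simply prints and exits.
echo 'reached end of script with ', OBJECT_COUNT, " objects\n";
```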
 [2012-11-25 04:16 UTC] laruence@php.net
Please try using this snapshot:

  http://snaps.php.net/php5.4-latest.tar.gz
 
For Windows:

  http://windows.php.net/snapshots/

I cannot reproduce this;

could you please try with the new version, PHP-5.4.x?

thanks
 [2012-11-25 04:16 UTC] laruence@php.net
-Status: Open +Status: Feedback
 [2012-11-25 08:57 UTC] arekm at maven dot pl
Tested http://snaps.php.net/php5.4-latest.tar.gz and it still happens.

[arekm@ixion-pld ~/test/php5.4-201211250630]$ export LC_ALL=C
[arekm@ixion-pld ~/test/php5.4-201211250630]$ ./sapi/cli/php -n ./a.php
If you see this, try to increase OBJECT_COUNT to 100,000
zsh: segmentation fault  ./sapi/cli/php -n ./a.php
[arekm@ixion-pld ~/test/php5.4-201211250630]$ ./sapi/cli/php -n --version
PHP 5.5.0-dev (cli) (built: Nov 25 2012 09:37:34) 
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2012 Zend Technologies
[arekm@ixion-pld ~/test/php5.4-201211250630]$ gdb --args ./sapi/cli/php -n ./a.php
GNU gdb (GDB) 7.4.50-0.20120120.2 (PLD Linux)
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-pld-linux".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/users/arekm/test/php5.4-201211250630/sapi/cli/php...done.
(gdb) r
Starting program: /home/users/arekm/test/php5.4-201211250630/sapi/cli/php -n ./a.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
If you see this, try to increase OBJECT_COUNT to 100,000

Program received signal SIGSEGV, Segmentation fault.
0x00000000006810d2 in gc_zval_possible_root (zv=0x7ffff7fabe78) at /home/users/arekm/test/php5.4-201211250630/Zend/zend_gc.c:143
143                     GC_ZOBJ_CHECK_POSSIBLE_ROOT(zv);
(gdb) bt
#0  0x00000000006810d2 in gc_zval_possible_root (zv=0x7ffff7fabe78) at /home/users/arekm/test/php5.4-201211250630/Zend/zend_gc.c:143
#1  0x0000000000682ce7 in zend_object_std_dtor (object=0x7ffff7fabe48) at /home/users/arekm/test/php5.4-201211250630/Zend/zend_objects.c:54
#2  0x0000000000682d19 in zend_objects_free_object_storage (object=0x7ffff7fabe48) at /home/users/arekm/test/php5.4-201211250630/Zend/zend_objects.c:137
#3  0x0000000000688398 in zend_objects_store_free_object_storage (objects=0xd0b260) at /home/users/arekm/test/php5.4-201211250630/Zend/zend_objects_API.c:92
#4  0x0000000000655003 in shutdown_executor () at /home/users/arekm/test/php5.4-201211250630/Zend/zend_execute_API.c:297
#5  0x00000000006632a6 in zend_deactivate () at /home/users/arekm/test/php5.4-201211250630/Zend/zend.c:941
#6  0x00000000006050bd in php_request_shutdown (dummy=dummy@entry=0x0) at /home/users/arekm/test/php5.4-201211250630/main/main.c:1781
#7  0x00000000007072c4 in do_cli (argc=3, argv=0x7fffffffe968) at /home/users/arekm/test/php5.4-201211250630/sapi/cli/php_cli.c:1174
#8  0x0000000000422925 in main (argc=3, argv=0x7fffffffe968) at /home/users/arekm/test/php5.4-201211250630/sapi/cli/php_cli.c:1364
(gdb) l
138                      * currently running GC */
139                     return;
140             }
141
142             if (zv->type == IS_OBJECT) {
143                     GC_ZOBJ_CHECK_POSSIBLE_ROOT(zv);
144                     return;
145             }
146
147             GC_BENCH_INC(zval_possible_root);
(gdb) 

built with:
./configure --prefix=$HOME/test/php5.4 --disable-dom --disable-simplexml
on a Linux x86_64

[arekm@ixion-pld ~/test/php5.4-201211250630]$ gcc -v
Reading specs from /usr/lib64/gcc/x86_64-pld-linux/4.7.2/specs
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib64/gcc/x86_64-pld-linux/4.7.2/lto-wrapper
Target: x86_64-pld-linux
Thread model: posix
gcc version 4.7.2 20121104 (release) (PLD-Linux)
 [2012-11-25 08:57 UTC] arekm at maven dot pl
-Status: Feedback +Status: Open
 [2012-11-25 15:07 UTC] manuel-php at mausz dot at
Same on git master:
[object_properties_init]
  name=Object addr=2e3b42b0 pt_addr=2e3b6270
  pt[0]_addr=2e3b4dc8 pt[0].handle=#0
[zend_std_write_property]
  name=_guid (=pt[0])
  old_addr=2e3b4dc8 new_addr=2e3b42f8 new.handle=#0
[object_properties_init]
  name=Object addr=2e3b6688 pt_addr=2e3b6a60
  pt[0]_addr=2e3b4dc8 pt[0].handle=#0
[zend_std_write_property]
  name=_guid (=pt[0])
  old_addr=2e3b4dc8 new_addr=2e3b66d0 new.handle=#1
[zval_collect_white]
  adding zval to zval_to_free-list
  zval: addr=2e3b42f8 refcnt=2 handle=#0
[gc_collect_cycles]
  freeing zval
  zval: addr=2e3b42f8 refcnt=2 handle=#0
             ^^ - 1st zval free
[zend_object_std_dtor]
  object=Object addr=2e3b42b0 pt_addr=2e3b6270
  calling zval_ptr_dtor for pt[0]_addr=2e3b42f8 pt[0].refcnt=1515870810
                                       ^^ - 2nd zval free
                            pt[0].handle=#1515870810
[zend_object_std_dtor]
  object=Object addr=2e3b6688 pt_addr=2e3b6a60
  calling zval_ptr_dtor for pt[0]_addr=2e3b66d0 pt[0].refcnt=1 pt[0].handle=#1

Patch for my debug output:
https://gist.github.com/095e8dc10c3e18afb3e6

I recommend enabling ZEND_MM_HEAP_PROTECTION. This is why refcnt+handle is 0x5a5a5a5a on 2nd free.
 [2013-06-05 11:51 UTC] arjen at react dot com
Problem still present in php-5.4.15 verified from php.net src.

See https://gist.github.com/anonymous/5713352 for bt.
 [2013-08-28 13:05 UTC] rasmus@php.net
-Status: Open +Status: Feedback
 [2013-08-28 13:05 UTC] rasmus@php.net
Please try again with 5.4.19. There were some fixes related to this applied in 
5.4.18.
 [2013-08-28 13:25 UTC] manuel-php at mausz dot at
Still the same with 5.4.19

# php -n test.php 
If you see this, try to increase OBJECT_COUNT to 100,000Segmentation fault
 [2013-08-29 11:09 UTC] laruence@php.net
The following patch has been added/updated:

Patch Name: bug60598
Revision:   1377774584
URL:        https://bugs.php.net/patch-display.php?bug=60598&patch=bug60598&revision=1377774584
 [2013-08-29 11:11 UTC] laruence@php.net
I made a patch, could you please verify it?

thanks
 [2013-08-29 11:40 UTC] manuel-php at mausz dot at
works
 [2013-08-29 13:46 UTC] andre at roaldseth dot net
Applied the patch and confirmed that the test script now works as expected.
 [2013-08-29 15:25 UTC] laruence@php.net
-Status: Feedback +Status: Assigned -Assigned To: +Assigned To: laruence
 [2013-08-29 15:25 UTC] laruence@php.net
okay, great, thanks

all tests passed 

anyway, I will double-check this later, then commit it
 [2013-08-30 03:22 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7da6498342d76c34892bfa247bc1779d8f5ee1e6
Log: Fixed bug #60598 (cli/apache sapi segfault on objects manipulation)
 [2013-08-30 03:22 UTC] laruence@php.net
-Status: Assigned +Status: Closed
 
Last updated: Mon Apr 21 07:02:06 2014 UTC