Bug #60837 Segmentation fail, if use trait
Submitted: 2012-01-22 08:34 UTC Modified: 2012-02-12 08:20 UTC
From: piphon at gmail dot com Assigned: laruence (profile)
Status: Closed Package: Reproducible crash
PHP Version: 5.4SVN-2012-01-22 (SVN) OS: Ubuntu 11.10 64bit
Private report: No CVE-ID: None
 [2012-01-22 08:34 UTC] piphon at gmail dot com
Description:
------------
Hello.

Since the first build (RC1), PHP 5.4 (all RCs and the latest SVN version) mysteriously crashes on my computer in the clean-up phase if a trait is used. It does not reproduce with small scripts, only if the application has all the heavy libraries: Doctrine2, Zend Framework 2 and many others.

It is not a serious error if the application is used from the console or the page is opened in Firefox, but Chrome often interrupts drawing of the content.

The traits have attributes, abstract or static methods.

Actual result:
--------------
Valgrind output:
----------------

==18829== Invalid read of size 8
==18829==    at 0x7622E9: zend_mm_remove_from_free_list (zend_alloc.c:811)
==18829==    by 0x7624FD: _zend_mm_free_int (zend_alloc.c:2106)
==18829==    by 0x79693D: zend_hash_destroy (zend_hash.c:565)
==18829==    by 0x77F11B: destroy_zend_class (zend_opcode.c:295)
==18829==    by 0x79530B: zend_hash_apply_deleter (zend_hash.c:650)
==18829==    by 0x796E20: zend_hash_reverse_apply (zend_hash.c:804)
==18829==    by 0x77A5D5: shutdown_executor (zend_execute_API.c:305)
==18829==    by 0x788F64: zend_deactivate (zend.c:934)
==18829==    by 0x72939E: php_request_shutdown (main.c:1782)
==18829==    by 0x831053: do_cli (php_cli.c:1169)
==18829==    by 0x431A52: main (php_cli.c:1356)
==18829==  Address 0xd0bdd0b0d080d1b5 is not stack'd, malloc'd or (recently) free'd
==18829== 
==18829== 
==18829== Process terminating with default action of signal 11 (SIGSEGV)
==18829==  General Protection Fault
==18829==    at 0x7622E9: zend_mm_remove_from_free_list (zend_alloc.c:811)
==18829==    by 0x7624FD: _zend_mm_free_int (zend_alloc.c:2106)
==18829==    by 0x79693D: zend_hash_destroy (zend_hash.c:565)
==18829==    by 0x77F11B: destroy_zend_class (zend_opcode.c:295)
==18829==    by 0x79530B: zend_hash_apply_deleter (zend_hash.c:650)
==18829==    by 0x796E20: zend_hash_reverse_apply (zend_hash.c:804)
==18829==    by 0x77A5D5: shutdown_executor (zend_execute_API.c:305)
==18829==    by 0x788F64: zend_deactivate (zend.c:934)
==18829==    by 0x72939E: php_request_shutdown (main.c:1782)
==18829==    by 0x831053: do_cli (php_cli.c:1169)
==18829==    by 0x431A52: main (php_cli.c:1356)
==18829== 
==18829== HEAP SUMMARY:
==18829==     in use at exit: 16,535,737 bytes in 19,198 blocks
==18829==   total heap usage: 23,697 allocs, 4,499 frees, 17,668,454 bytes allocated
==18829== 
==18829== LEAK SUMMARY:
==18829==    definitely lost: 0 bytes in 0 blocks
==18829==    indirectly lost: 0 bytes in 0 blocks
==18829==      possibly lost: 0 bytes in 0 blocks
==18829==    still reachable: 16,535,737 bytes in 19,198 blocks
==18829==         suppressed: 0 bytes in 0 blocks
==18829== Reachable blocks (those to which a pointer was found) are not shown.
==18829== To see them, rerun with: --leak-check=full --show-reachable=yes
==18829== 
==18829== For counts of detected and suppressed errors, rerun with: -v
==18829== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 10 from 6)

Core dump (gdb)
---------------

$ gdb /usr/local/bin/php  /home/alurin/temp/php/cores/core-php.19181
GNU gdb (Ubuntu/Linaro 7.3-0ubuntu2) 7.3-2011.08
This GDB was configured as "x86_64-linux-gnu".
Reading symbols from /usr/local/bin/php...done.
[New LWP 19181]

warning: Can't read pathname for load map: Ошибка ввода/вывода.
[Thread debugging using libthread_db enabled]
Core was generated by `php www/index.php'.
Program terminated with signal 11, Segmentation fault.
#0  0x00000000007622e9 in zend_mm_remove_from_free_list (heap=0x298d2e0, mm_block=0x7f3a2281ff30) at /home/alurin/temp/php/php-src-5.4/Zend/zend_alloc.c:811
811				while (*(cp = &(prev->child[prev->child[1] != NULL])) != NULL) {
(gdb) bt
#0  0x00000000007622e9 in zend_mm_remove_from_free_list (heap=0x298d2e0, mm_block=0x7f3a2281ff30) at /home/alurin/temp/php/php-src-5.4/Zend/zend_alloc.c:811
#1  0x00000000007624fe in _zend_mm_free_int (heap=0x298d2e0, p=0x7f3a2281ffe0) at /home/alurin/temp/php/php-src-5.4/Zend/zend_alloc.c:2106
#2  0x000000000079693e in zend_hash_destroy (ht=0x7f3a2281fad8) at /home/alurin/temp/php/php-src-5.4/Zend/zend_hash.c:565
#3  0x000000000077f0f6 in destroy_zend_class (pce=<optimized out>) at /home/alurin/temp/php/php-src-5.4/Zend/zend_opcode.c:293
#4  0x000000000079530c in zend_hash_apply_deleter (ht=0x298dc40, p=0x2bc1550) at /home/alurin/temp/php/php-src-5.4/Zend/zend_hash.c:650
#5  0x0000000000796e21 in zend_hash_reverse_apply (ht=0x298dc40, apply_func=0x779e90 <clean_non_persistent_class>) at /home/alurin/temp/php/php-src-5.4/Zend/zend_hash.c:804
#6  0x000000000077a5d6 in shutdown_executor () at /home/alurin/temp/php/php-src-5.4/Zend/zend_execute_API.c:305
#7  0x0000000000788f65 in zend_deactivate () at /home/alurin/temp/php/php-src-5.4/Zend/zend.c:934
#8  0x000000000072939f in php_request_shutdown (dummy=<optimized out>) at /home/alurin/temp/php/php-src-5.4/main/main.c:1782
#9  0x0000000000831054 in do_cli (argc=2, argv=0x7fff793746b8) at /home/alurin/temp/php/php-src-5.4/sapi/cli/php_cli.c:1169
#10 0x0000000000431a53 in main (argc=2, argv=0x7fff793746b8) at /home/alurin/temp/php/php-src-5.4/sapi/cli/php_cli.c:1356
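
A triage step for the faulting address in the Valgrind output above, as an added example that is not part of the original report or of PHP: it checks whether the address is a canonical x86-64 pointer and what its eight bytes spell when read as UTF-8. The function names, the 48-bit canonical check and the three-character threshold are assumptions of this example.

```python
import re
import struct

# Constructed sample: two lines copied from the Valgrind output in this report.
VALGRIND_SAMPLE = """\
==18829== Invalid read of size 8
==18829==  Address 0xd0bdd0b0d080d1b5 is not stack'd, malloc'd or (recently) free'd
"""

ADDR_RE = re.compile(r"Address (0x[0-9a-fA-F]+) is not stack'd")


def is_canonical_x86_64(addr):
    """True if bits 63..47 are all equal (48-bit canonical form, an assumption)."""
    top = addr >> 47
    return top in (0, 0x1FFFF)


def decode_as_text(addr):
    """Read the 8 pointer bytes in memory (little-endian) order as UTF-8.

    Bytes that do not form a complete character come back as '?'.
    """
    raw = struct.pack("<Q", addr)
    return raw.decode("utf-8", errors="replace").replace("\ufffd", "?")


def triage(valgrind_text):
    """Return one finding per bad address reported by Valgrind."""
    findings = []
    for match in ADDR_RE.finditer(valgrind_text):
        addr = int(match.group(1), 16)
        text = decode_as_text(addr)
        printable = sum(ch != "?" and ch.isprintable() for ch in text)
        canonical = is_canonical_x86_64(addr)
        findings.append({
            "address": hex(addr),
            "canonical": canonical,
            "as_text": text,
            # Heuristic threshold (assumption): a non-canonical value with 3+
            # printable characters is more likely string data than a pointer.
            "likely_string_data": (not canonical) and printable >= 3,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(VALGRIND_SAMPLE):
        print(finding)
```

For the address in this report the result is non-canonical, which matches the General Protection Fault Valgrind reports, and the bytes decode to `?ран?`, Cyrillic letters; the thread itself does not establish what overwrote the pointer.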

 [2012-01-22 09:57 UTC] pajoye@php.net
-Status: Open +Status: Feedback
 [2012-01-22 09:57 UTC] pajoye@php.net
Do you have reproducing code by any chance?
 [2012-01-22 11:40 UTC] gron@php.net
zend_opcode.c:295 is zend_hash_destroy(&ce->function_table);

I don't see why the function table would be problematic, but I will try to look 
into it today.
 [2012-01-22 12:30 UTC] piphon at gmail dot com
-Status: Feedback +Status: Open
 [2012-01-22 12:30 UTC] piphon at gmail dot com
> Do you have reproducing code by any chance?

Yes. Finally recreated it.

Small example with dependencies (zf, doctrine, etc.) on github.com: git@github.com:alurin/zend-bug.git

Files:
  - Example/IdentityTrait.php - trait, adds id field
  - Example/Temp.php - entity, uses IdentityTrait
  - library/ - vendor libraries (submodules)
  - bootstrap.php - setup doctrine
  - script.php - Console interface for doctrine (if update or create data scheme).
  - index.php  - Test example

$ php script.php orm:schema-tool:create
ATTENTION: This operation should not be executed in a production environment.

Creating database schema...
Database schema created successfully!
Segmentation fail (core dumped)

$ php index.php
zend_mm_heap corrupted


All code in two files

index.php
---------
<?php

use Doctrine\ORM\EntityManager,
    Doctrine\ORM\Configuration;

define('PATH_TO_VENDORS', realpath(__DIR__ . '/library'));

// Set up autoloading of the library classes
require_once PATH_TO_VENDORS . '/zf2/library/Zend/Loader/AutoloaderFactory.php';
Zend\Loader\AutoloaderFactory::factory(
    array(
        'Zend\Loader\StandardAutoloader' => array(
            'namespaces' => array(
                'Zend'                      => PATH_TO_VENDORS . '/zf2/library/Zend',
                'Doctrine\ORM'              => PATH_TO_VENDORS . '/doctrine2/lib/Doctrine/ORM',
                'Doctrine\Common'           => PATH_TO_VENDORS . '/doctrine2-common/lib/Doctrine/Common',
                'Doctrine\DBAL'             => PATH_TO_VENDORS . '/doctrine2-dbal/lib/Doctrine/DBAL',
                'Symfony\Component\Console' => PATH_TO_VENDORS . '/symfony-console',
                'Symfony\Component\Yaml'    => PATH_TO_VENDORS . '/symfony-yaml',
            )
        )
    )
);

function create_doctrine() {
    $cache = new \Doctrine\Common\Cache\ArrayCache;

    $config = new Configuration;
    $config->setMetadataCacheImpl($cache);
    $driverImpl = $config->newDefaultAnnotationDriver(__DIR__ . '/Example');
    $config->setMetadataDriverImpl($driverImpl);
    $config->setQueryCacheImpl($cache);
    $config->setProxyDir('/path/to/myproject/lib/MyProject/Proxies');
    $config->setProxyNamespace('MyProject\Proxies');
    $config->setAutoGenerateProxyClasses(false);

    $connectionOptions = array(
        'driver'   => 'pdo_mysql',        /* Your DB driver here   */
        'host'     => 'localhost',        /* Your DB host here     */
        'user'     => 'php_bug',          /* Your DB user here     */
        'password' => 'A8haaWUH7wxjhfrn', /* Your DB user password */
        'dbname'   => 'php_bug',          /* Your DB name here     */
        'driverOptions' => array(
            1002 => "SET NAMES 'UTF8'"
        ),
    );

    $em = EntityManager::create($connectionOptions, $config);
    return $em;
}

$main = function() {
    $em = create_doctrine();

    include 'full-compounds.php';
    $temp = new Example\Temp();
    $em->persist($temp);
    $em->flush();

    $repo = $em->getRepository('Example\Temp');
    $temp = $repo->find(1);
    $temp->events()->attach('init', function() {
        echo "Init\n";
    });
};

call_user_func_array($main, array());

full-compounds.php
-----------------
<?php

namespace Example;

use Zend\EventManager\ProvidesEvents;

trait EntityTrait {

}

trait IdentityTrait {
    use EntityTrait;

    /**
     * Unique identifier of the object in the DB
     *
     * @Id @Column(type="integer")
     * @GeneratedValue(strategy="AUTO")
     * @since 0.1
     * @var int
     */
    private $id           = null;

    /**
     * Get the unique identifier of the object in the DB
     *
     * @return int
     * @since 0.1
     */
    public function getID() {
        return $this->id;
    }
}


/**
 * Model describing a static page of the site
 *
 * @Entity
 */
class Temp {
    use IdentityTrait;
    use ProvidesEvents;
}
 [2012-01-22 19:34 UTC] rasmus@php.net
-Status: Open +Status: Critical
 [2012-01-23 03:24 UTC] laruence@php.net
I can not reproduce this... everything works well here.. (both svn-trunk and 5.4 
branch)
 [2012-01-23 07:40 UTC] piphon at gmail dot com
Check last commits for RC in SVN:

PHP 5.4.0 RC5 - fail (https://svn.php.net/repository/php/php-src/tags/php_5_4_0RC5)
PHP 5.4.0 RC6 - fail (https://svn.php.net/repository/php/php-src/tags/php_5_4_0RC6)
PHP 5.4.0 RC7-dev - worked in last commits (https://svn.php.net/repository/php/php-src/branches/PHP_5_4)

I'm unable to verify trunk (PHP 5.5 dev), because PDO is not installed or is not compiled.

P.S. My English is bad...
 [2012-01-23 07:54 UTC] gron@php.net
Hi, I was not able to reproduce the problem, because I do not have the necessary 
setup. Think, I got as far as that PDO complains about a missing database table, 
but I also changed the db driver from mysql to sqlite.

The only thing I saw was that on an old checkout, the bug with doccomments #60809 
caused segfaults. But, that seems unrelated to the stacktrace below.
 [2012-01-23 08:38 UTC] piphon at gmail dot com
The behavior of traits was changed in Zend/zend_compile.c. Perhaps this corrected the bug. My original point of view (when I first met this bug): a mistake in reflection for classes that use traits. I removed the comment in the trait and everything worked successfully (RC1 or 2, I don't remember).
 [2012-01-23 08:41 UTC] laruence@php.net
maybe dmitry's fix has also fixed this problem: http://svn.php.net/viewvc?view=revision&revision=322495
 [2012-01-23 08:43 UTC] gron@php.net
The stack trace you provided points at a corrupted function table, I would say.
That might still be something different than the comment bug.

What exactly did you do with the reflection API? Perhaps, there was something 
going wrong? At least it should not mess up the function tables.
 [2012-01-23 08:51 UTC] piphon at gmail dot com
> What exactly did you do with the reflection API? Perhaps, there was something going wrong? At least it should not mess up the function tables.

Unknown. Reflection is used only by the Doctrine Annotations driver. However, in older code I used a static method in a trait, which stored a value in a static property.

P.S. Mystery...
 [2012-01-24 03:00 UTC] laruence@php.net
-Status: Critical +Status: Feedback
 [2012-01-24 03:00 UTC] laruence@php.net
piphon, can you verify whether this issue still exists in svn head now?
I am doubt that this issue was fixed by dmitry in http://svn.php.net/viewvc?view=revision&revision=322495
 [2012-01-24 04:27 UTC] piphon at gmail dot com
-Status: Feedback +Status: Open
 [2012-01-24 04:27 UTC] piphon at gmail dot com
PHP 5.5.0-dev (cli) from https://svn.php.net/repository/php/php-src/trunk  worked.
 [2012-01-24 05:32 UTC] laruence@php.net
-Status: Open +Status: Feedback
 [2012-01-24 05:32 UTC] laruence@php.net
Please try using this snapshot:

  http://snaps.php.net/php5.4-latest.tar.gz
 
For Windows:

  http://windows.php.net/snapshots/

could you plz also try with 5.4 branch head? thanks very much :)
 [2012-01-24 06:27 UTC] piphon at gmail dot com
-Status: Feedback +Status: Open
 [2012-01-24 06:27 UTC] piphon at gmail dot com
Snapshot PHP 5.4.0RC7-dev (cli) (built: Jan 24 2012 11:49:24) worked.

Sorry, can't try SVN branch (https://svn.php.net/repository/php/php-src/branches/PHP_5_4@322646). Could not compile sources for test issue. Modules (pdo, pdo_mysql) not compiled as static libraries (multiple definition of `get_module') or pdo_mysql not linked as shared library (mysqlnd_debug_std_no_trace_funcs not found). And debugging and normal. I'll try again.
 [2012-01-24 06:46 UTC] piphon at gmail dot com
I will check svn head when https://bugs.php.net/bug.php?id=60840 is fixed.
 [2012-01-26 01:15 UTC] laruence@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: laruence
 [2012-01-26 01:15 UTC] laruence@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2012-01-26 01:16 UTC] laruence@php.net
-Status: Closed +Status: Re-Opened
 [2012-01-26 01:16 UTC] laruence@php.net
oh, I mis-read  your words, re-opened.
 [2012-01-26 01:16 UTC] laruence@php.net
-Assigned To: laruence +Assigned To:
 [2012-02-12 07:14 UTC] piphon at gmail dot com
Sorry. The SVN branch has not compiled so far, but the latest snapshots, e.g. PHP 5.4.0RC7 Feb 10 2012, worked normally without this bug. You can probably close this issue.
 [2012-02-12 08:20 UTC] laruence@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

okay, closed
 [2012-02-12 08:20 UTC] laruence@php.net
-Status: Re-Opened +Status: Closed -Assigned To: +Assigned To: laruence
 
Last updated: Fri Jul 04 16:01:36 2025 UTC