Bug #63134 garbage collector segfault
Submitted: 2012-09-21 17:02 UTC Modified: 2013-02-18 00:36 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: vegeta at tuxpowered dot net Assigned:
Status: No Feedback Package: *General Issues
PHP Version: 5.3.17 OS: Debian 6.0.5 x86_64
Private report: No CVE-ID: None
 [2012-09-21 17:02 UTC] vegeta at tuxpowered dot net
Description:
------------
There is an application which creates a rather complicated graph structure. Some of the objects used in this structure have a __destruct() method in which they replace their own properties with new array()s.

Most of the code runs fine, apart from the very end, where PHP runs the garbage collector. At this moment there is a segfault. Debian packages come with suhosin, therefore I tested the issue also with custom-built packages without it. I tested multiple PHP versions in both the 5.3 and 5.4 ranges, including 5.3.17, with and without suhosin and with USE_ZEND_ALLOC=1 and =0.

Calling gc_disable() at the end of the script causes it to terminate properly. Modifying __destruct() so it does not try to "clean" itself also solves the issue.

I attach the results from 5.3.13 built without suhosin.

Expected result:
----------------
I expect the script to finish in a natural way without a segfault.

Actual result:
--------------
$ gdb --arg /opt/php5-nosuhosin/php5 install/broken_script.php

warning: Can not parse XML syscalls information; XML support was disabled at compile time.
GNU gdb (GDB) 7.0.1-debian
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /opt/php5-nosuhosin/php5...Reading symbols from /usr/lib/debug/opt/php5-nosuhosin/php5...done.
(no debugging symbols found)...done.
(gdb) run
Starting program: /opt/php5-nosuhosin/php5 install/broken_script.php
[Thread debugging using libthread_db enabled]

Program received signal SIGSEGV, Segmentation fault.
zend_mm_remove_from_free_list (heap=0xe9f290, mm_block=0x7fffd850f728) at /usr/src/php/Zend/zend_alloc.c:830
830                             ZEND_MM_CHECK_TREE(mm_block);
(gdb) bt
#0  zend_mm_remove_from_free_list (heap=0xe9f290, mm_block=0x7fffd850f728) at /usr/src/php/Zend/zend_alloc.c:830
#1  0x00000000006a7c76 in _zend_mm_free_int (heap=0xe9f290, p=0x7fffd850f9d0) at /usr/src/php/Zend/zend_alloc.c:2034
#2  0x00000000006d1b31 in zend_hash_destroy (ht=0x7fffd8523b48) at /usr/src/php/Zend/zend_hash.c:534
#3  0x00000000006e4839 in zend_object_std_dtor (object=0x7fffd8bf0740) at /usr/src/php/Zend/zend_objects.c:45
#4  0x00000000006e4859 in zend_objects_free_object_storage (object=0x7fffd8bf0740) at /usr/src/php/Zend/zend_objects.c:126
#5  0x00000000006e80bc in zend_objects_store_free_object_storage (objects=0xe9dc18) at /usr/src/php/Zend/zend_objects_API.c:92
#6  0x00000000006b8feb in shutdown_executor () at /usr/src/php/Zend/zend_execute_API.c:304
#7  0x00000000006c59d2 in zend_deactivate () at /usr/src/php/Zend/zend.c:891
#8  0x00000000006714c5 in php_request_shutdown (dummy=0xe9f290) at /usr/src/php/main/main.c:1661
#9  0x0000000000752cd0 in main (argc=-4856, argv=0x7ffff7fece18) at /usr/src/php/sapi/cli/php_cli.c:1363
(gdb) l
825                                     rp = cp;
826                             }
827                             *rp = NULL;
828
829     subst_block:
830                             ZEND_MM_CHECK_TREE(mm_block);
831                             *mm_block->parent = prev;
832                             prev->parent = mm_block->parent;
833                             if ((prev->child[0] = mm_block->child[0])) {
834                                     ZEND_MM_CHECK_TREE(prev->child[0]);
(gdb) print mm_block
$1 = (zend_mm_free_block *) 0x7fffd850f728
(gdb) print *mm_block 
$2 = {info = {_size = 664, _prev = 97}, prev_free_block = 0x1a21af0, next_free_block = 0x1c682a8, parent = 0xffffffff, child = {0x0, 0x0}}

$ USE_ZEND_ALLOC=0 gdb --arg /opt/php5-nosuhosin/php5 install/broken_script.php

warning: Can not parse XML syscalls information; XML support was disabled at compile time.
GNU gdb (GDB) 7.0.1-debian
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /opt/php5-nosuhosin/php5...Reading symbols from /usr/lib/debug/opt/php5-nosuhosin/php5...done.
(no debugging symbols found)...done.
(gdb) run
Starting program: /opt/php5-nosuhosin/php5 install/broken_script.php
[Thread debugging using libthread_db enabled]

Program exited normally.
(gdb) run
Starting program: /opt/php5-nosuhosin/php5 install/broken_script.php
[Thread debugging using libthread_db enabled]

Program received signal SIGSEGV, Segmentation fault.
zval_mark_grey (pz=0x1fbfc20) at /usr/src/php/Zend/zend_gc.c:372
372                             pz = *(zval**)p->pData;
(gdb) backtrace
#0  zval_mark_grey (pz=0x1fbfc20) at /usr/src/php/Zend/zend_gc.c:372
#1  0x00000000006e2fa5 in gc_collect_cycles () at /usr/src/php/Zend/zend_gc.c:435
#2  0x00000000006c5aa5 in zend_deactivate () at /usr/src/php/Zend/zend.c:901
#3  0x00000000006714c5 in php_request_shutdown (dummy=0x1fbfc20) at /usr/src/php/main/main.c:1661
#4  0x0000000000752cd0 in main (argc=-4888, argv=0x7ffff7fece18) at /usr/src/php/sapi/cli/php_cli.c:1363
(gdb) l
367                             } else {
368                                     p = Z_ARRVAL_P(pz)->pListHead;
369                             }
370                     }
371                     while (p != NULL) {
372                             pz = *(zval**)p->pData;
373                             if (Z_TYPE_P(pz) != IS_ARRAY || Z_ARRVAL_P(pz) != &EG(symbol_table)) {
374                                     pz->refcount__gc--;
375                             }
376                             if (p->pListNext == NULL) {
(gdb) print p
$1 = (Bucket *) 0x500000000
(gdb) print *(zval**)p->pData
Cannot access memory at address 0x500000010
(gdb) print p
$2 = (Bucket *) 0x500000000
(gdb) print pz.value.ht->pListHead
$3 = (Bucket *) 0x500000000
(gdb) print *pz.value.ht
$4 = {nTableSize = 872480768, nTableMask = 943208497, nNumOfElements = 49, nNextFreeElement = 33273840, pInternalPointer = 0x13d3490, pListHead = 0x500000000, pListTail = 0x0, arBuckets = 0x190,
  pDestructor = 0x60, persistent = 16 '\020', nApplyCount = 67 'C', bApplyProtection = 61 '='}
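As an added illustration of the structure the report describes (constructed here; this is not the reporter's script and is not claimed to reproduce the crash): a cyclic object graph whose nodes "clean" themselves in __destruct() by replacing their own properties with fresh arrays, so that the objects can only be freed by the cycle collector at shutdown, with the gc_disable() workaround the reporter mentions left as a commented-out line.

```php
<?php
// Constructed example of the pattern in the report: objects that only the
// cycle collector can free, whose __destruct() replaces the property that
// still holds the cyclic references while the engine is tearing them down.
class Node
{
    public $name;
    public $edges = array();   // references to other Node objects

    public function __construct($name)
    {
        $this->name = $name;
    }

    public function link(Node $other)
    {
        $this->edges[] = $other;
        $other->edges[] = $this;   // back-reference closes a cycle
    }

    public function __destruct()
    {
        // The suspect behaviour: dropping the cyclic references from inside
        // the destructor, which changes refcounts during collection.
        $this->edges = array();
    }
}

// Build a graph in which every node is part of several cycles.
function build_graph($count, $fanout)
{
    $graph = array();
    for ($i = 0; $i < $count; $i++) {
        $graph[] = new Node("n$i");
    }
    for ($i = 0; $i < $count; $i++) {
        for ($j = 1; $j <= $fanout; $j++) {
            $graph[$i]->link($graph[($i + $j) % $count]);
        }
    }
    return $graph;
}

$graph = build_graph(2000, 5);
unset($graph);   // nodes remain alive only through their own cycles

// Workaround from the report: skip the cycle collector at shutdown.
// Uncomment to check whether the crash depends on gc_collect_cycles().
// gc_disable();
```

Comparing a run with the gc_disable() line active against one without it, as the reporter did, separates a collector-triggered fault from an ordinary shutdown problem.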

 [2012-09-22 03:28 UTC] laruence@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.

Could you please try to make a single reproducible script? Thanks.
 [2012-09-22 03:28 UTC] laruence@php.net
-Status: Open +Status: Feedback
 [2013-02-18 00:36 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Open". Thank you.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Apr 16 07:01:29 2024 UTC