PHP :: Bug #64111 :: Segfault in gc_zval_possible

Bug #64111

Segfault in gc_zval_possible_root

Submitted:

2013-01-31 11:23 UTC

Modified:

2020-12-06 04:22 UTC

Votes:	12
Avg. Score:	4.4 ± 0.8
Reproduced:	12 of 12 (100.0%)
Same Version:	3 (25.0%)
Same OS:	3 (25.0%)

From:

remi@php.net

Assigned:

cmb (profile)

Status:

No Feedback

Package:

*General Issues

PHP Version:

5.4.11

OS:

GNU/Linux (Fedora 18)

Private report:

CVE-ID:

None

View Developer Edit

[2013-01-31 11:23 UTC] remi@php.net

Description:
------------
Running a lot test suite (using phpunit)

Truncated backtrace:
Thread no. 1 (10 frames)
 #0 gc_zval_possible_root at /usr/src/debug/php-5.4.11/Zend/zend_gc.c:143
 #1 zend_hash_destroy at /usr/src/debug/php-5.4.11/Zend/zend_hash.c:560
 #2 _zval_dtor_func at /usr/src/debug/php-5.4.11/Zend/zend_variables.c:45
 #3 _zval_dtor at /usr/src/debug/php-5.4.11/Zend/zend_variables.h:35
 #4 _zval_ptr_dtor at /usr/src/debug/php-5.4.11/Zend/zend_execute_API.c:438
 #6 destroy_zend_class at /usr/src/debug/php-5.4.11/Zend/zend_opcode.c:278
 #7 zend_hash_apply_deleter at /usr/src/debug/php-5.4.11/Zend/zend_hash.c:650
 #8 zend_hash_reverse_apply at /usr/src/debug/php-5.4.11/Zend/zend_hash.c:804
 #9 shutdown_executor at /usr/src/debug/php-5.4.11/Zend/zend_execute_API.c:305
 #10 zend_deactivate at /usr/src/debug/php-5.4.11/Zend/zend.c:938


At first look, I was thinking to a regression introduced by fix for #63635, but reverting the fix doesn't resolve the issue.

Full traceback, php 5.4.10:
https://bugzilla.redhat.com/attachment.cgi?id=684984

Full traceback, php 5.4.11:
https://bugzilla.redhat.com/attachment.cgi?id=685073

Short traceback, php 5.4.11 with lot extension disable:
https://bugzilla.redhat.com/attachment.cgi?id=686607

Sorry to not being able to produce a simple reproducer, but I could easily create a test build and ask the initial reporter to test it.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2013-03-04 08:19 UTC] jaredsmith at jaredsmith dot net

I'm seeing this as well, on PHP 5.3.3 on RHEL 6.4 using Drupal as the main web application.  See https://bugzilla.redhat.com/show_bug.cgi?id=915138 for more details, including links to core files, backtraces, etc.

Also, if a developer would like direct access to a server to help debug, I'd be willing to help facilitate access.

[2013-03-04 16:51 UTC] jaredsmith at jaredsmith dot net

I'm also seeing this on PHP 5.4.12, for what it's worth.

Program terminated with signal 11, Segmentation fault.
#0  0x00007fce6f4635b9 in gc_zval_possible_root (zv=0x7fce7e2cbbd8)
    at /usr/src/debug/php-5.4.12/Zend/zend_gc.c:143
143			GC_ZOBJ_CHECK_POSSIBLE_ROOT(zv);

Full backtrace at http://web2.jaredsmith.net/core.6360.backtrace.txt, and core file at http://web2.jaredsmith.net/core.6360.backtrace.txt.

Again, if a PHP developer is interested in looking more closely, I'm happy to help facilitate access to a server.

[2013-10-17 15:22 UTC] djonline at djonline dot ru

Same on 5.3.13

[2014-08-05 16:50 UTC] mike@php.net

Automatic comment on behalf of mike
Revision: http://git.php.net/?p=pecl/http/pecl_http.git;a=commit;h=58410541834f8f897291c290d38e7a505dbb93c1
Log: fix bug #64111

[2014-08-05 16:50 UTC] mike@php.net

-Status: Open +Status: Closed

[2014-08-05 17:00 UTC] mike@php.net

-Status: Closed +Status: Re-Opened

[2014-08-05 17:00 UTC] mike@php.net

commit typo

[2014-10-14 10:27 UTC] valery dot tereshko at gmail dot com

I have same issue in php-5.5.15

Core was generated by `/usr/bin/php -q /home/moodlee/public_html/admin/cli/cron.php'.
Program terminated with signal 11, Segmentation fault.
#0  0x0844d25f in gc_zval_possible_root (zv=0xa60b9e8) at /home/cpeasyapache/src/php-5.5.15/Zend/zend_gc.c:143
143			GC_ZOBJ_CHECK_POSSIBLE_ROOT(zv);
(gdb) bt
#0  0x0844d25f in gc_zval_possible_root (zv=0xa60b9e8) at /home/cpeasyapache/src/php-5.5.15/Zend/zend_gc.c:143
#1  0x084501f8 in zend_object_std_dtor (object=0xa4d0644) at /home/cpeasyapache/src/php-5.5.15/Zend/zend_objects.c:54
#2  0x08450232 in zend_objects_free_object_storage (object=0xa4d0644) at /home/cpeasyapache/src/php-5.5.15/Zend/zend_objects.c:137
#3  0x08455858 in zend_objects_store_free_object_storage (objects=0x87fb0e0) at /home/cpeasyapache/src/php-5.5.15/Zend/zend_objects_API.c:97
#4  0x084239f1 in shutdown_executor () at /home/cpeasyapache/src/php-5.5.15/Zend/zend_execute_API.c:293
#5  0x0842fe23 in zend_deactivate () at /home/cpeasyapache/src/php-5.5.15/Zend/zend.c:935
#6  0x083d2ab2 in php_request_shutdown (dummy=0x0) at /home/cpeasyapache/src/php-5.5.15/main/main.c:1808
#7  0x084d15d9 in main (argc=3, argv=0xbfeaa914) at /home/cpeasyapache/src/php-5.5.15/sapi/cgi/cgi_main.c:2505

[2014-12-16 07:58 UTC] eugene at zhegan dot in

Same problem on 5.4.16.

[root@pitchblack php-fpm.cores]# gdb /usr/sbin/php-fpm core-php-fpm.25014 
GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-51.el7
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/sbin/php-fpm...Reading symbols from /usr/sbin/php-fpm...(no debugging symbols found)...done.
(no debugging symbols found)...done.
[New LWP 25014]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `php-fpm: pool www              '.
Program terminated with signal 11, Segmentation fault.
#0  0x00007f4d38cca289 in gc_zval_possible_root ()
Missing separate debuginfos, use: debuginfo-install php-fpm-5.4.16-23.el7_0.3.x86_64
(gdb) bt
#0  0x00007f4d38cca289 in gc_zval_possible_root ()
#1  0x00007f4d38cb7d38 in zend_hash_destroy ()
#2  0x00007f4d38ca8b0b in _zval_dtor_func ()
#3  0x00007f4d38c9a42a in _zval_ptr_dtor ()
#4  0x00007f4d38cb66c5 in zend_hash_apply_deleter ()
#5  0x00007f4d38cb7ef8 in zend_hash_graceful_reverse_destroy ()
#6  0x00007f4d38c9abbe in shutdown_executor ()
#7  0x00007f4d38ca9bb5 in zend_deactivate ()
#8  0x00007f4d38c495d5 in php_request_shutdown ()
#9  0x00007f4d38b08934 in main ()
(gdb) quit

[2016-02-11 08:05 UTC] de at plista dot com

Same issue on latest 5.5.32

root@foo:[/var/tmp/core-dumps] # gdb /usr/sbin/php5-fpm core-php5-fpm.25079
Reading symbols from /usr/sbin/php5-fpm...Reading symbols from /usr/lib/debug/.build-id/ae/59c542ebeaa2fb26d4b6dcffd52eb1c63e76bb.debug...done.
done.
[New LWP 25079]
b[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `php-fpm: pool www                                                       '.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00000000006f1651 in gc_zval_possible_root (zv=0x3a60050) at /build/php5-uqo5AS/php5-5.5.32+dfsg/Zend/zend_gc.c:143
143	/build/php5-uqo5AS/php5-5.5.32+dfsg/Zend/zend_gc.c: No such file or directory.
tTraceback (most recent call last):
  File "/usr/share/gdb/auto-load/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.19-gdb.py", line 63, in <module>
    from libstdcxx.v6.printers import register_libstdcxx_printers
ImportError: No module named 'libstdcxx'
(gdb)
(gdb)
(gdb) bt
#0  0x00000000006f1651 in gc_zval_possible_root (zv=0x3a60050) at /build/php5-uqo5AS/php5-5.5.32+dfsg/Zend/zend_gc.c:143
#1  0x00000000006f4587 in zend_object_std_dtor (object=0x35829e0) at /build/php5-uqo5AS/php5-5.5.32+dfsg/Zend/zend_objects.c:54
#2  0x00000000006f45b9 in zend_objects_free_object_storage (object=0x35829e0) at /build/php5-uqo5AS/php5-5.5.32+dfsg/Zend/zend_objects.c:137
#3  0x00000000006f9fb7 in zend_objects_store_free_object_storage (objects=objects@entry=0xe6b6a0 <executor_globals+928>) at /build/php5-uqo5AS/php5-5.5.32+dfsg/Zend/zend_objects_API.c:97
#4  0x00000000006c2663 in shutdown_executor () at /build/php5-uqo5AS/php5-5.5.32+dfsg/Zend/zend_execute_API.c:290
#5  0x00000000006d1ce2 in zend_deactivate () at /build/php5-uqo5AS/php5-5.5.32+dfsg/Zend/zend.c:946
#6  0x0000000000672572 in php_request_shutdown (dummy=dummy@entry=0x0) at /build/php5-uqo5AS/php5-5.5.32+dfsg/main/main.c:1813
#7  0x0000000000461c54 in main (argc=<optimized out>, argv=<optimized out>) at /build/php5-uqo5AS/php5-5.5.32+dfsg/sapi/fpm/fpm/fpm_main.c:1981
(gdb) quit

root@foo:[/var/tmp/core-dumps] # php -v
PHP 5.5.32-1+deb.sury.org~trusty+1 (cli) (built: Feb  5 2016 10:07:16) 
Copyright (c) 1997-2015 The PHP Group
Zend Engine v2.5.0, Copyright (c) 1998-2015 Zend Technologies
    with Zend OPcache v7.0.6-dev, Copyright (c) 1999-2015, by Zend Technologies

[2016-07-09 12:29 UTC] razvanphp at yahoo dot com

Same on 5.6.22, debian jessie, xdebug enabled

razvan@www2:~$ sudo gdb /usr/sbin/php5-fpm /tmp/core.php5-fpm.406
GNU gdb (Debian 7.7.1+dfsg-5) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/sbin/php5-fpm...(no debugging symbols found)...done.
[New LWP 406]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `php-fpm: pool www                                                       '.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x000000000070de89 in gc_zval_possible_root ()
(gdb) bt
#0  0x000000000070de89 in gc_zval_possible_root ()
#1  0x00000000006fae98 in zend_hash_destroy ()
#2  0x00000000006eb83b in _zval_dtor_func ()
#3  0x00000000006dba80 in _zval_ptr_dtor ()
#4  0x00000000006e047c in zend_cleanup_user_class_data ()
#5  0x00000000006fb3f3 in zend_hash_reverse_apply ()
#6  0x00000000006dc21f in shutdown_executor ()
#7  0x00000000006ec936 in zend_deactivate ()
#8  0x0000000000688887 in php_request_shutdown ()
#9  0x0000000000464627 in main ()
(gdb)
razvan@www2:~$ php -v
PHP 5.6.22-0+deb8u1 (cli) (built: Jun  9 2016 07:14:06)
Copyright (c) 1997-2016 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2016 Zend Technologies
    with Zend OPcache v7.0.6-dev, Copyright (c) 1999-2016, by Zend Technologies
    with Xdebug v2.2.5, Copyright (c) 2002-2014, by Derick Rethans

[2020-11-26 16:57 UTC] cmb@php.net

-Status: Re-Opened +Status: Feedback -Assigned To: +Assigned To: cmb

[2020-11-26 16:57 UTC] cmb@php.net

Since there has not been any feedback regarding PHP 7, I'm
assuming this issue has been resolved.  Or can anybody still
reproduce?

[2020-12-06 04:22 UTC] php-bugs at lists dot php dot net

No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Wed Nov 19 22:00:02 2025 UTC