Bug #64868 segfault in zval_mark_grey(), Zend/zend_gc.c:421
Submitted: 2013-05-17 10:47 UTC Modified: 2013-10-15 11:54 UTC
Votes: 1
Avg. Score: 2.0 ± 0.0
Reproduced: 1 of 1 (100.0%)
Same Version: 0 (0.0%)
Same OS: 0 (0.0%)
From: martin dot schuette at icans-gmbh dot com Assigned:
Status: No Feedback Package: Reproducible crash
PHP Version: 5.4.15 OS: Debian Linux
Private report: No CVE-ID:

 [2013-05-17 10:47 UTC] martin dot schuette at icans-gmbh dot com
Description:
------------
As part of a PHPUnit test suite I get this segfault.
Interestingly, it depends on phpunit's command line options.
Segfault with "phpunit -c app/phpunit.xml.dist --log-junit /dev/null"

No problem with "phpunit -c app/phpunit.xml.dist" and "phpunit -c app/phpunit.xml.dist --log-junit /dev/null --debug"

Without GC it works as well: "php -dzend.enable_gc=0 /usr/bin/phpunit -c app/phpunit.xml.dist --log-junit /dev/null"


Expected result:
----------------
complete PHPUnit run

Actual result:
--------------
deploy@jenkins:/tmp/git>php -v
PHP 5.4.4-14 (cli) (built: Mar  4 2013 14:08:43) 
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2012 Zend Technologies
deploy@jenkins:/tmp/git>gdb --args php /usr/bin/phpunit -c app/phpunit.xml.dist --log-junit /dev/null
GNU gdb (GDB) 7.4.1-debian
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/bin/php...Reading symbols from /usr/lib/debug/usr/bin/php5...done.
done.
(gdb) run
Starting program: /usr/bin/php /usr/bin/phpunit -c app/phpunit.xml.dist --log-junit /dev/null
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
warning: the debug information found in "/usr/lib/debug//usr/lib/php5/20100525/mysql.so" does not match "/usr/lib/php5/20100525/mysql.so" (CRC mismatch).

warning: the debug information found in "/usr/lib/debug/usr/lib/php5/20100525/mysql.so" does not match "/usr/lib/php5/20100525/mysql.so" (CRC mismatch).

warning: the debug information found in "/usr/lib/debug//usr/lib/php5/20100525/mysqli.so" does not match "/usr/lib/php5/20100525/mysqli.so" (CRC mismatch).

warning: the debug information found in "/usr/lib/debug/usr/lib/php5/20100525/mysqli.so" does not match "/usr/lib/php5/20100525/mysqli.so" (CRC mismatch).

warning: the debug information found in "/usr/lib/debug//usr/lib/php5/20100525/pdo_mysql.so" does not match "/usr/lib/php5/20100525/pdo_mysql.so" (CRC mismatch).

warning: the debug information found in "/usr/lib/debug/usr/lib/php5/20100525/pdo_mysql.so" does not match "/usr/lib/php5/20100525/pdo_mysql.so" (CRC mismatch).

[New Thread 0x7fffe80d8700 (LWP 27679)]
[Thread 0x7fffe80d8700 (LWP 27679) exited]
PHPUnit 3.7.10 by Sebastian Bergmann.

Configuration read from /tmp/git/app/phpunit.xml.dist

.............................................................   61 / 3421 (  1%)
...........................................................S.  122 / 3421 (  3%)
.............................................................  183 / 3421 (  5%)
.............................................................  244 / 3421 (  7%)
.............................................................  305 / 3421 (  8%)
.............................................................  366 / 3421 ( 10%)
.............................................................  427 / 3421 ( 12%)
.............................................................  488 / 3421 ( 14%)
.............................................................  549 / 3421 ( 16%)
.............................................................  610 / 3421 ( 17%)
.............................................................  671 / 3421 ( 19%)
.............................................................  732 / 3421 ( 21%)
.............................................................  793 / 3421 ( 23%)
.............................................................  854 / 3421 ( 24%)
.............................................................  915 / 3421 ( 26%)
.............................................................  976 / 3421 ( 28%)
............................................................. 1037 / 3421 ( 30%)
............................................................. 1098 / 3421 ( 32%)
............................................................. 1159 / 3421 ( 33%)
............................................................. 1220 / 3421 ( 35%)
............................................................. 1281 / 3421 ( 37%)
............................................................. 1342 / 3421 ( 39%)
............................................................. 1403 / 3421 ( 41%)
............................................................. 1464 / 3421 ( 42%)
.................
Program received signal SIGSEGV, Segmentation fault.
zval_mark_grey (pz=0xcf1fa60) at /tmp/buildd/php5-5.4.4/Zend/zend_gc.c:421
421	/tmp/buildd/php5-5.4.4/Zend/zend_gc.c: No such file or directory.
(gdb) bt full
#0  zval_mark_grey (pz=0xcf1fa60) at /tmp/buildd/php5-5.4.4/Zend/zend_gc.c:421
        p = 0xcf1fd58
#1  0x00000000006bcbdc in zval_mark_grey (pz=0xcf1fa60) at /tmp/buildd/php5-5.4.4/Zend/zend_gc.c:432
        p = 0xcf1fd58
#2  0x00000000006bda55 in gc_collect_cycles () at /tmp/buildd/php5-5.4.4/Zend/zend_gc.c:501
        current = 0x7ffff4306f30
        q = 0x7ffff4306f30
        orig_free_list = 0x0
        orig_next_to_free = 0x2
#3  0x00000000006bdde4 in gc_zval_possible_root (zv=0xcf1fa60) at /tmp/buildd/php5-5.4.4/Zend/zend_gc.c:166
        newRoot = 0x0
#4  0x00000000006ac968 in zend_hash_destroy (ht=0xcf1fa08) at /tmp/buildd/php5-5.4.4/Zend/zend_hash.c:560
No locals.
#5  0x000000000069dba7 in _zval_dtor_func (zvalue=0xcf09770) at /tmp/buildd/php5-5.4.4/Zend/zend_variables.c:43
No locals.
#6  0x0000000000476c78 in php_pcre_match_impl (pce=0x0, subject=0x40faa20 "\340\026\221\006", subject_len=217094144, return_value=0x2, 
    subpats=0xcf09770, global=1, use_flags=4682104, flags=0, start_offset=0) at /tmp/buildd/php5-5.4.4/Zend/zend_variables.h:35
        result_set = 0x50cf09c70
        match_sets = 0x7fffffffb1e8
        extra = 0xcf1fe08
        extra_data = {flags = 3, study_data = 0x12, match_limit = 68135456, callout_data = 0xf4240, tables = 0xcf09e18 "\235\065", 
          match_limit_recursion = 1, mark = 0x186a0, executable_jit = 0x7fffe729bff0}
        exoptions = 1
        offsets = 0x1
        num_subpats = 32767
        matched = 0
        g_notempty = 2
        stringlist = 0x3000000010
        subpat_names = 0x6ad3d0
        rc = 0
        subpats_order = 332
        offset_capture = 2
        start_offset = 0
#7  0x0000000000477178 in php_do_pcre_match.isra.8 (ht=3, return_value=0xcf1fe08, global=1) at /tmp/buildd/php5-5.4.4/ext/pcre/php_pcre.c:520
        regex = 0x14c00000043 <Address 0x14c00000043 out of bounds>
        subject = 0xcefe7d8 "/@requires\\s+(?P<name>function|extension)\\s(?P<value>([^ ]+))\\r?$/m"
        regex_len = 6785162
        subject_len = 0
        pce = 0x0
        subpats = 0xcf09800
        flags = 217094000
        start_offset = 0
#8  0x0000000000746bd2 in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7e4ce50) at /tmp/buildd/php5-5.4.4/Zend/zend_vm_execute.h:642
        ret = 0x7ffff52ae3f0
        opline = 0x7fffe73cbd40
        should_change_scope = 0 '\000'
        fbc = 0xddc650
#9  0x0000000000700447 in execute (op_array=0x7fffe73c9918) at /tmp/buildd/php5-5.4.4/Zend/zend_vm_execute.h:410
        ret = 0
        execute_data = 0x7ffff7e4ce50
        nested = 1 '\001'
        original_in_execution = 0 '\000'
#10 0x00000000006a028e in zend_execute_scripts (type=8, retval=0x7ffff7e74f60, file_count=3) at /tmp/buildd/php5-5.4.4/Zend/zend.c:1279
        files = 0x7fffffffb3a0
        i = 1
        file_handle = <incomplete type>
        orig_op_array = 0xdb8898
        orig_retval_ptr_ptr = 0x0
#11 0x000000000063f863 in php_execute_script (primary_file=0x74696d6d6f632d68) at /tmp/buildd/php5-5.4.4/main/main.c:2473
---Type <return> to continue, or q <return> to quit---
        __orig_bailout = 0x6170736b726f772f
        __bailout = {{__jmpbuf = {0, 0, 0, 0, 1, 0, 7053200, 0}, __mask_was_saved = 1, __saved_mask = {__val = {14386368, 0, 6328, 0, 0, 2, 14, 0, 1, 
                0, 0, 0, 4294943848, 32767, 14, 0}}}}
        prepend_file_p = 0x0
        append_file_p = 0x0
        prepend_file = {type = ZEND_HANDLE_FILENAME, filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, isatty = 0, 
              mmap = {len = 0, pos = 0, map = 0x0, buf = 0x0, old_handle = 0x0, old_closer = 0}, reader = 0, fsizer = 0, closer = 0}}, 
          free_filename = 0 '\000'}
        append_file = {type = ZEND_HANDLE_FILENAME, filename = 0x0, opened_path = 0x0, handle = {fd = 6996323, fp = 0x6ac163, stream = {
              handle = 0x6ac163, isatty = -23247, mmap = {len = 0, pos = 0, map = 0xce8ffb0, buf = 0x7fffffffa551 "", old_handle = 0x7fffffffada0, 
                old_closer = 0x7fffffffa3e8}, reader = 0x6b9aa0 <d2b+208>, fsizer = 0xceca668, closer = 0x1500000000}}, free_filename = 0 '\000'}
        retval = 0
#12 0x00000000007491b3 in do_cli (argc=0, argv=0x7fffffffee07) at /tmp/buildd/php5-5.4.4/sapi/cli/php_cli.c:988
        __orig_bailout = 0x7fffffffebb8
        __bailout = {{__jmpbuf = {0, 0, 0, 0, 508161992, 3784896587, 0, 0}, __mask_was_saved = 455471048, __saved_mask = {__val = {0, 0, 10978083, 0, 
                10978107, 0, 10892777, 0, 10892798, 0, 10978120, 0, 10978140, 0, 10978157, 0}}}}
        file_handle = {type = 6538160, filename = 0x4 <Address 0x4 out of bounds>, opened_path = 0x7fffffffee07 "/usr/bin/phpunit", handle = {fd = 0, 
            fp = 0x0, stream = {handle = 0x0, isatty = -135835472, mmap = {len = 0, pos = 2018, map = 0x0, buf = 0x7ffff7e3e000 "\023", 
                old_handle = 0x7ffff7e3e00f, old_closer = 0x10dd230}, reader = 0x6b4c10 <zend_stream_stdio_closer>, 
              fsizer = 0x6b4d00 <zend_stream_stdio_reader>, closer = 0x6b4c40 <zend_stream_stdio_fsizer>}}, free_filename = 144 '\220'}
        behavior = 1
        reflection_what = 0x0
        request_started = 6609936
        exit_status = 0
        php_optarg = 0x200000002 <Address 0x200000002 out of bounds>
        php_optind = 1
        exec_direct = 0x0
        exec_run = 0x7fffffffe9d0 ""
        exec_begin = 0x0
        exec_end = 0x0
        arg_excp = 0x7fffffffebc0
        interactive = 0
        lineno = 0
        param_error = 0x7fffffffebc0 "\a\356\377\377\377\177"
        hide_argv = 0
#13 0x000000000043110a in main (argc=32767, argv=0xdb9230) at /tmp/buildd/php5-5.4.4/sapi/cli/php_cli.c:1361
        __bailout = {{__jmpbuf = {0, 0, 0, 0, 508161992, 3784896587, 0, 0}, __mask_was_saved = 98693064, __saved_mask = {__val = {0, 0, 0, 0, 3, 0, 0, 
                0, 4147400704, 32767, 4158564850, 32767, 1, 0, 0, 0}}}}
        c = 0
        exit_status = 0
        module_started = 0
        sapi_started = 0
        php_optarg = 0x100000000 <Address 0x100000000 out of bounds>
        php_optind = 32767
        use_extended_info = 0
        ini_ignore = 0
        sapi_module = 0x6ffffea30
(gdb) info frame 0
Stack frame at 0x7fffffffaf80:
 rip = 0x6bcc17 in zval_mark_grey (/tmp/buildd/php5-5.4.4/Zend/zend_gc.c:421); saved rip 0x6bcbdc
 called by frame at 0x7fffffffafc0
 source language c.
 Arglist at 0x7fffffffaf38, args: pz=0xcf1fa60
 Locals at 0x7fffffffaf38, Previous frame's sp is 0x7fffffffaf80
 Saved registers:
  rbx at 0x7fffffffaf58, rbp at 0x7fffffffaf60, r12 at 0x7fffffffaf68, r13 at 0x7fffffffaf70, rip at 0x7fffffffaf78
(gdb) p pz
$1 = (zval *) 0xcf1fa60
(gdb) p *pz
$2 = {value = {lval = 0, dval = 0, str = {val = 0x0, len = 217184848}, ht = 0x0, obj = {handle = 0, handlers = 0xcf1fa50}}, refcount__gc = 4294967295, 
  type = 4 '\004', is_ref__gc = 0 '\000'}
(gdb) 

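The description above bisects the crash by hand: it appears only with --log-junit, and disappears when the cycle collector is switched off with -dzend.enable_gc=0. The following shell harness is an added example, not code from the bug report or from PHP; it replays that comparison mechanically, classifies each run's exit status (a POSIX shell reports a child killed by signal N as 128+N, so SIGSEGV shows up as 139), and, when the crash is GC-dependent, captures the same kind of "bt full" backtrace the reporter pasted using gdb's batch mode. PHP_BIN, PHPUNIT and PHPUNIT_CFG are placeholders for the reporter's paths, and gdb is treated as optional.

```shell
#!/bin/sh
# Crash-triage harness (added illustration; not the bug report's own code).
# It replays the reporter's manual comparison (with/without --log-junit,
# with/without zend.enable_gc) and classifies each run's exit status.
# Assumptions: PHP_BIN, PHPUNIT and PHPUNIT_CFG are placeholders; gdb may be absent.

PHP_BIN=${PHP_BIN:-php}
PHPUNIT=${PHPUNIT:-/usr/bin/phpunit}
PHPUNIT_CFG=${PHPUNIT_CFG:-app/phpunit.xml.dist}

# Translate an exit status into a verdict. A POSIX shell reports a child that
# died from signal N as 128+N, so a segfault (SIGSEGV = 11) surfaces as 139.
classify_exit() {
    case "$1" in
        0)   echo "ok" ;;
        139) echo "SIGSEGV" ;;
        134) echo "SIGABRT" ;;
        *)   if [ "$1" -gt 128 ]; then
                 echo "signal $(( $1 - 128 ))"
             else
                 echo "exit $1"
             fi ;;
    esac
}

# Run one command line (given as a single string), log the verdict to stderr,
# and emit the verdict on stdout so callers can compare variants.
run_variant() {
    label=$1
    cmd=$2
    status=0
    sh -c "$cmd" >/dev/null 2>&1 || status=$?
    verdict=$(classify_exit "$status")
    printf '%-28s -> %s\n' "$label" "$verdict" >&2
    echo "$verdict"
}

# If gdb is installed, rerun a crashing command under it non-interactively and
# print the full backtrace (the same output the report above pasted by hand).
capture_backtrace() {
    command -v gdb >/dev/null 2>&1 || { echo "gdb not available" >&2; return 1; }
    gdb -batch -ex run -ex "bt full" --args $1
}

# The reporter's three variants: crash, no crash, and no crash with GC disabled.
triage_phpunit() {
    base="$PHP_BIN $PHPUNIT -c $PHPUNIT_CFG"
    with_log=$(run_variant "log-junit"    "$base --log-junit /dev/null")
    plain=$(run_variant    "no log-junit" "$base")
    no_gc=$(run_variant    "gc disabled"  "$PHP_BIN -dzend.enable_gc=0 $PHPUNIT -c $PHPUNIT_CFG --log-junit /dev/null")
    if [ "$with_log" = "SIGSEGV" ] && [ "$no_gc" = "ok" ]; then
        echo "crash depends on the cycle collector; capturing a backtrace" >&2
        capture_backtrace "$base --log-junit /dev/null"
    fi
    echo "plain run: $plain" >&2
}

# Only drive the real suite when asked, so the helpers can be sourced or tested.
if [ "${1:-}" = "--run" ]; then
    triage_phpunit
fi
```

Run it as `sh triage.sh --run` from the project root after setting PHP_BIN and PHPUNIT_CFG as needed. Disabling the collector is a diagnostic, not a fix: the "gc disabled" result only tells you the freed zval was reached through gc_collect_cycles(), which is exactly what frames #2 and #3 of the reporter's backtrace show.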
History

 [2013-05-17 10:57 UTC] laruence@php.net
could you please provide a reproduce test script?

thanks
 [2013-05-19 14:59 UTC] laruence@php.net
-Status: Open +Status: Feedback
 [2013-05-21 10:09 UTC] martin dot schuette at icans-gmbh dot com
So far I was unable to reproduce the crash with a smaller code sample (i.e. without requiring our complete application and test suite).
 [2013-05-21 10:09 UTC] martin dot schuette at icans-gmbh dot com
-Status: Feedback +Status: Open
 [2013-05-29 19:14 UTC] Sjon at hortensius dot net
Well, pinpointing this should be easy: open PHPUnit_Util_Test and look for the usage of REGEX_REQUIRES (which is in your trace). Var dump the parameters and tell us which ones were passed that caused the segfault?
 [2013-06-22 09:18 UTC] laruence@php.net
-Status: Open +Status: Feedback
 [2013-06-22 09:18 UTC] laruence@php.net
Hey, after a second look into your backtrace, it seems you are running with php 5.4.4?

Then this segfault is very likely the same one and should be fixed in #63055:
https://github.com/php/php-src/commit/e88cdaa0

Please try with the newer php version.
 [2013-07-12 10:01 UTC] ulrich dot schmidt-goertz at gmx dot de
I've experienced the same issue on Ubuntu.

$ php -v
PHP 5.4.6-1ubuntu1.2 (cli) (built: Mar 11 2013 14:57:54) 
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2012 Zend Technologies
    with Xdebug v2.2.1, Copyright (c) 2002-2012, by Derick Rethans
 [2013-07-12 13:41 UTC] laruence@php.net
Please try using this snapshot:

  http://snaps.php.net/php5.4-latest.tar.gz
 
For Windows:

  http://windows.php.net/snapshots/

please try with the newer version
 [2013-10-15 11:54 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Fri Apr 18 13:02:15 2014 UTC