Bug #64960 Segfault in gc_zval_possible_root
Submitted: 2013-06-03 11:48 UTC Modified: 2013-06-05 08:57 UTC
From: arjen at react dot com Assigned:
Status: Closed Package: Scripting Engine problem
PHP Version: 5.4.15 OS: Archlinux
Private report: No CVE-ID:
 [2013-06-03 11:48 UTC] arjen at react dot com
Description:
------------
Affects >= 5.3.0, including 5.4.16.

See http://3v4l.org/dTDPH#v536

A combination of a custom exception handler and error handler, a custom property holding a debug_backtrace assigned to an exception, and calling ob_end_clean while ob_end_flush was called.

Wasn't able to reduce this further.

Test script:
---------------
<?php
// this makes ob_end_clean raise an error (no buffer is open)
ob_end_flush();

class ExceptionHandler {
	public function __invoke (Exception $e)
	{
		// this triggers the custom error handler
		ob_end_clean();
	}
}

// this must be a class; a closure does not trigger the segfault
set_exception_handler(new ExceptionHandler());

// the exception must be thrown from the error handler
set_error_handler(function()
{
	$e = new Exception;
	$e->_trace = debug_backtrace();
	
	throw $e;
});

// trigger the error handler (undefined variable/index notice)
$a['waa'];

Expected result:
----------------
No segfault.

Actual result:
--------------
#0  0x0000000000648779 in gc_zval_possible_root ()
#1  0x0000000000637168 in zend_hash_destroy ()
#2  0x0000000000628c0b in _zval_dtor_func ()
#3  0x000000000061abd9 in _zval_ptr_dtor ()
#4  0x0000000000637168 in zend_hash_destroy ()
#5  0x0000000000628c0b in _zval_dtor_func ()
#6  0x000000000061abd9 in _zval_ptr_dtor ()
#7  0x000000000064a437 in zend_object_std_dtor ()
#8  0x000000000064a469 in zend_objects_free_object_storage ()
#9  0x000000000064fe16 in zend_objects_store_free_object_storage ()
#10 0x000000000061b123 in ?? ()
#11 0x0000000000629bc2 in ?? ()
#12 0x00000000005cc04d in php_request_shutdown ()
#13 0x0000000000426004 in ?? ()
#14 0x00007f9a6fddba15 in __libc_start_main () from /usr/lib/libc.so.6
#15 0x0000000000426db9 in _start ()
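
An added example, not code from this report or from php-src: the same handler pair written so that the exception handler cannot re-enter a throwing error handler, which is the user-land way to avoid the triggering combination on affected builds (the engine fix is the commit referenced in this report). ErrorException, restore_error_handler() and ob_get_level() are standard PHP functions; SafeExceptionHandler is a name chosen here.

```php
<?php
// Added example, not code from the bug report or php-src. Same handler pair as the
// report, restructured so the exception handler cannot re-enter a throwing error
// handler. Does not fix the engine; it avoids the triggering combination in user code.

// Same priming call as in the report: with no buffer open this only emits a notice,
// because no custom error handler is installed yet at this point.
ob_end_flush();

class SafeExceptionHandler
{
    public function __invoke(Exception $e)
    {
        // 1. Drop the throwing error handler before any cleanup, so a notice raised
        //    here cannot become a second exception while the first is being handled.
        restore_error_handler();

        // 2. Only discard buffers that actually exist; ob_end_clean() on an empty
        //    stack is exactly the notice that re-entered the error handler in the report.
        while (ob_get_level() > 0) {
            ob_end_clean();
        }

        // 3. Report via the logger, not via output that may itself be buffered.
        error_log(sprintf('Uncaught %s: %s at %s:%d',
            get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()));
    }
}

set_exception_handler(new SafeExceptionHandler());

set_error_handler(function ($errno, $errstr, $errfile, $errline) {
    // Honour the @ operator and error_reporting(): return false to fall through.
    if (!(error_reporting() & $errno)) {
        return false;
    }
    // ErrorException carries severity, file and line itself, so there is no need to
    // attach a debug_backtrace() array to a dynamic property as the report does.
    throw new ErrorException($errstr, 0, $errno, $errfile, $errline);
});

// Same trigger as in the report: the undefined variable/index raises a notice, which
// the error handler turns into an exception handled by SafeExceptionHandler.
$a['waa'];
```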


History

 [2013-06-04 15:28 UTC] laruence@php.net
I cannot reproduce the "segfault".
 [2013-06-04 19:25 UTC] arjen at react dot com
Verified it's not an Archlinux issue:

~$ php -v
PHP 5.3.10-1ubuntu3.6 with Suhosin-Patch (cli) (built: Mar 11 2013 14:31:48) 

~$ php segfault.php 
PHP Notice:  ob_end_flush(): failed to delete and flush buffer. No buffer to delete or flush in /home/arjen/segfault.php on line 3
PHP Fatal error:  Uncaught exception 'Exception' in /home/arjen/segfault.php:19
Stack trace:
#0 [internal function]: {closure}(8, 'ob_end_clean():...', '/home/arjen/seg...', 9, Array)
#1 /home/arjen/segfault.php(9): ob_end_clean()
#2 [internal function]: ExceptionHandler->__invoke(Object(Exception))
#3 {main}
  thrown in /home/arjen/segfault.php on line 19
Segmentation fault (core dumped)
 [2013-06-05 03:10 UTC] laruence@php.net
-Status: Open +Status: Feedback
 [2013-06-05 03:10 UTC] laruence@php.net
Please disable the Suhosin patch and try again.
 [2013-06-05 07:58 UTC] arjen at react dot com
-Status: Feedback +Status: Open
 [2013-06-05 07:58 UTC] arjen at react dot com
Centos 6.3 with Zend Server PHP (no Suhosin):

# php -v
PHP 5.3.14 (cli) (built: Jun 19 2012 03:47:42) 

Archlinux (from repo, no Suhosin)
$ php -v
PHP 5.4.15 (cli) (built: May 12 2013 13:11:23) 

Are you sure you're not testing with a debug build? The segfault does not happen in debug builds.
 [2013-06-05 08:17 UTC] pajoye@php.net
This is what we actually support:

http://www.php.net/downloads.php

or using:

https://github.com/php/php-src (use the 5.4 branch).

External patched versions like the one in ZendServer are not supported; while this possible bug may happen in these versions, we need to reproduce it with our code base.
 [2013-06-05 08:54 UTC] arjen at react dot com
Archlinux fetches src tarballs from http://www.php.net/downloads.php and does not apply any patch to the code. I tried the other versions to show it's not an Archlinux problem.

I manually verified by building it from src:

wget http://www.php.net/distributions/php-5.4.15.tar.gz
tar xf php-5.4.15.tar.gz
cd php-5.4.15
./configure
make

sapi/cli/php segfault.php

Fatal error: Uncaught exception 'Exception' in segfault.php:20
Stack trace:
#0 [internal function]: {closure}(8, 'ob_end_clean():...', 'segfault.php', 10, Array)
#1 segfault.php(10): ob_end_clean()
#2 [internal function]: ExceptionHandler->__invoke(Object(Exception))
#3 {main}
  thrown in segfault.php on line 20
Segmentation fault (core dumped)

sapi/cli/php -v
PHP 5.4.15 (cli) (built: Jun  5 2013 10:36:25) 
Copyright (c) 1997-2013 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2013 Zend Technologies

And again, when compiling from src (php.net tarball) with ./configure --enable-debug, the segfault does not occur.
 [2013-06-05 08:57 UTC] laruence@php.net
Ah, thanks, I can verify it, and got a fix. Will commit soon.

Thanks
 [2013-06-05 09:25 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3c87945c95c9c31986e690bb046c70e58c8d8896
Log: Fixed bug #64960 (Segfault in gc_zval_possible_root)
 [2013-06-05 09:25 UTC] laruence@php.net
-Status: Open +Status: Closed
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Fri Apr 25 07:02:14 2014 UTC