Bug #65372 Segfault in gc_zval_possible_root when return reference fails
Submitted: 2013-08-01 19:18 UTC Modified: 2013-08-02 16:23 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: sreed at ontraport dot com Assigned: laruence
Status: Closed Package: Reproducible crash
PHP Version: 5.4Git-2013-08-01 (Git) OS: Fedora
Private report: No CVE-ID:
 [2013-08-01 19:18 UTC] sreed at ontraport dot com
Description:
------------
PHP is segfaulting during shutdown in gc_zval_possible_root. This bug appears to 
have appeared in version 5.4: http://3v4l.org/qLqe3.


Test script:
---------------
https://gist.github.com/sreed-ontraport/6134324

Expected result:
----------------
Script executes and PHP exits cleanly

Actual result:
--------------
0x00000000006a0032 in gc_zval_possible_root (zv=0x7ffff7fc5108) at /tmp/php5.4-201308011830/Zend/zend_gc.c:143
143			GC_ZOBJ_CHECK_POSSIBLE_ROOT(zv);

(gdb) bt
#0  0x00000000006a0032 in gc_zval_possible_root (zv=0x7ffff7fc5108) at /tmp/php5.4-201308011830/Zend/zend_gc.c:143
#1  0x00000000006a1c47 in zend_object_std_dtor (object=0x7ffff7fc8970) at /tmp/php5.4-201308011830/Zend/zend_objects.c:54
#2  0x00000000006a1c79 in zend_objects_free_object_storage (object=0x7ffff7fc8970) at /tmp/php5.4-201308011830/Zend/zend_objects.c:137
#3  0x00000000006a74c8 in zend_objects_store_free_object_storage (objects=0xd8a0a0 <executor_globals+960>) at /tmp/php5.4-201308011830/Zend/zend_objects_API.c:92
#4  0x000000000067396b in shutdown_executor () at /tmp/php5.4-201308011830/Zend/zend_execute_API.c:295
#5  0x0000000000681aa6 in zend_deactivate () at /tmp/php5.4-201308011830/Zend/zend.c:938
#6  0x000000000062417d in php_request_shutdown (dummy=dummy@entry=0x0) at /tmp/php5.4-201308011830/main/main.c:1803
#7  0x0000000000726094 in do_cli (argc=2, argv=0x7fffffffe148) at /tmp/php5.4-201308011830/sapi/cli/php_cli.c:1172
#8  0x00000000004255ca in main (argc=2, argv=0x7fffffffe148) at /tmp/php5.4-201308011830/sapi/cli/php_cli.c:1365

Patches

bug65372.patch (last revision 2013-08-02 01:59 UTC) by laruence@php.net



History

 [2013-08-02 01:08 UTC] laruence@php.net
-Status: Open +Status: Verified
 [2013-08-02 01:59 UTC] laruence@php.net
The following patch has been added/updated:

Patch Name: bug65372.patch
Revision:   1375408763
URL:        https://bugs.php.net/patch-display.php?bug=65372&patch=bug65372.patch&revision=1375408763
 [2013-08-02 10:33 UTC] laruence@php.net
-Summary: Segfault in gc_zval_possible_root +Summary: Segfault in gc_zval_possible_root when return reference fails
 [2013-08-02 16:23 UTC] laruence@php.net
-Status: Verified +Status: Closed -Assigned To: +Assigned To: laruence
 [2013-08-02 16:23 UTC] laruence@php.net
fixed in http://git.php.net/?p=php-src.git;a=commitdiff;h=ce9169e360701ea3b1ab2366171c24d4de5e78e3
 [2013-08-06 07:39 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a831499b4a1029118dc45375e62af42043110ade
Log: Re-fix Bug #65372 (Segfault in gc_zval_possible_root when return reference fails)
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Sun Apr 20 20:02:01 2014 UTC