php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #69521 Segfault in gc_collect_cycles().
Submitted: 2015-04-24 07:53 UTC Modified: 2015-05-08 07:55 UTC
From: arjen at react dot com Assigned:
Status: Closed Package: Reproducible crash
PHP Version: master-Git-2015-04-24 (Git) OS: Linux
Private report: No CVE-ID: None
 [2015-04-24 07:53 UTC] arjen at react dot com
Description:
------------
USE_ZEND_ALLOC=0 valgrind --vgdb=yes --tool=memcheck --smc-check=all --track-origins=yes --error-limit=no --leak-check=full sapi/cli/php runTests.php

Internal testsuite crashes when gc_collect_cycles is called.

Fix in https://github.com/php/php-src/commit/6718b56e4563b899ccc115f451f2d3623f528919 indeed not complete.

Could not find a status report for it. Any progress yet? Do you have a testcase available or can I help by finding one?

Test script:
---------------
Internal testsuite.

Expected result:
----------------
No segfault.

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
0x0000000000968a65 in gc_mark_grey (ref=0x0) at /home/arjen/phpng/php-src/Zend/zend_gc.c:478
478				GC_REFCOUNT(ref)--;

#0  0x0000000000968a65 in gc_mark_grey (ref=0x0) at /home/arjen/phpng/php-src/Zend/zend_gc.c:478
#1  0x0000000000968aba in gc_mark_roots () at /home/arjen/phpng/php-src/Zend/zend_gc.c:490
#2  0x0000000000969a5b in zend_gc_collect_cycles () at /home/arjen/phpng/php-src/Zend/zend_gc.c:911
#3  0x0000000000950d85 in zif_gc_collect_cycles (execute_data=0xc57d320, return_value=0xc57d150)
    at /home/arjen/phpng/php-src/Zend/zend_builtin_functions.c:378
#4  0x000000000098e81f in ZEND_DO_ICALL_SPEC_HANDLER ()
    at /home/arjen/phpng/php-src/Zend/zend_vm_execute.h:558
#5  0x000000000098e25e in execute_ex (ex=0xc57b0b0) at /home/arjen/phpng/php-src/Zend/zend_vm_execute.h:394
#6  0x000000000098e374 in zend_execute (op_array=0xc5c55b0, return_value=0x0)
    at /home/arjen/phpng/php-src/Zend/zend_vm_execute.h:434
#7  0x00000000009379da in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /home/arjen/phpng/php-src/Zend/zend.c:1389
#8  0x00000000008ac790 in php_execute_script (primary_file=0xffeffff30)
    at /home/arjen/phpng/php-src/main/main.c:2468
#9  0x00000000009f6c0d in do_cli (argc=4, argv=0xbf604c0)
    at /home/arjen/phpng/php-src/sapi/cli/php_cli.c:967
#10 0x00000000009f7bb6 in main (argc=4, argv=0xbf604c0)
    at /home/arjen/phpng/php-src/sapi/cli/php_cli.c:1334

Patches

Add a Patch

Pull Requests

Pull requests:

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-04-24 11:39 UTC] laruence@php.net
-Status: Open +Status: Feedback
 [2015-04-24 11:39 UTC] laruence@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.


 [2015-04-24 12:14 UTC] arjen at react dot com
Let me quote myself: "Do you have a testcase available or can I help by finding one?"

I recompiled with -DZEND_GC_DEBUG=2 and got the following:

[0xfdbe400] rc=1 addr=0 black array(1) ->purple
[...]
[0xfdbe400] rc=1 addr=2947 purple array(-1019662895) ->grey

After the last line, the segfault occurs. These are the only occurences of 0xfdbe400
 [2015-04-24 13:35 UTC] rasmus@php.net
But which test is triggering it?
 [2015-04-29 13:05 UTC] arjen at react dot com
-Status: Feedback +Status: Open
 [2015-04-29 13:05 UTC] arjen at react dot com
Testcase and output @ https://gist.github.com/arjenschol/a640117e58935572cf87
 [2015-05-08 07:55 UTC] arjen at react dot com
PR @ https://github.com/php/php-src/pull/1266
 [2015-06-24 08:19 UTC] arjen at react dot com
PR with fix and phpt testcase waiting at https://github.com/php/php-src/pull/1266

Could someone pull this for 7.0alpha2?
 [2015-07-02 10:47 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=72b0627315e6606310c1042a51dad6e835620bab
Log: Fixed bug #69521 (Segfault in gc_collect_cycles()).
 [2015-07-02 10:47 UTC] laruence@php.net
-Status: Open +Status: Closed
 [2015-07-07 23:36 UTC] ab@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=72b0627315e6606310c1042a51dad6e835620bab
Log: Fixed bug #69521 (Segfault in gc_collect_cycles()).
 [2016-07-20 11:38 UTC] davey@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=72b0627315e6606310c1042a51dad6e835620bab
Log: Fixed bug #69521 (Segfault in gc_collect_cycles()).
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sun Nov 19 01:31:42 2017 UTC