Bug #70631 Another Segfault in gc_remove_from_buffer()
Submitted: 2015-10-04 02:56 UTC Modified: -
From: laruence@php.net Assigned:
Status: Closed Package: *General Issues
PHP Version: 5.6.14 OS: all
Private report: No CVE-ID:
 [2015-10-04 02:56 UTC] laruence@php.net
Description:
------------
This bug can only be triggered with concurrent requests,

e.g. using ab -n 1000 -c 50

Test script:
---------------
<?php

// Function whose parameter has a constant array as its default value.
function x($x = array(1)) {}

// Read the default value back through reflection and echo it;
// under concurrent requests this crashed in gc_remove_from_buffer().
$func = new ReflectionFunction('x');
$params = $func->getParameters();
echo $params[0]->getDefaultValue();
?>


Expected result:
----------------
no segfault

Actual result:
--------------
segfault
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x000000000091a4a7 in gc_remove_from_buffer (root=0x7f7b2f69e5e8) at /home/huixinchen/opensource/php-5.6/Zend/zend_gc.h:189
189		root->next->prev = root->prev;
(gdb) bt
#0  0x000000000091a4a7 in gc_remove_from_buffer (root=0x7f7b2f69e5e8) at /home/huixinchen/opensource/php-5.6/Zend/zend_gc.h:189
#1  0x000000000091acc3 in gc_remove_zval_from_buffer (zv=0x7f7b2f69e630) at /home/huixinchen/opensource/php-5.6/Zend/zend_gc.c:260
#2  0x00000000008d744a in i_zval_ptr_dtor (zval_ptr=0x7f7b2f69e630, __zend_filename=0xdcd070 "/home/huixinchen/opensource/php-5.6/Zend/zend_variables.c", __zend_lineno=188) at /home/huixinchen/opensource/php-5.6/Zend/zend_execute.h:78
#3  0x00000000008d86c5 in _zval_ptr_dtor (zval_ptr=0x7f7b3644b590, __zend_filename=0xdcd070 "/home/huixinchen/opensource/php-5.6/Zend/zend_variables.c", __zend_lineno=188)
    at /home/huixinchen/opensource/php-5.6/Zend/zend_execute_API.c:424
#4  0x00000000008ec15a in _zval_ptr_dtor_wrapper (zval_ptr=0x7f7b3644b590) at /home/huixinchen/opensource/php-5.6/Zend/zend_variables.c:188
#5  0x0000000000901823 in zend_hash_destroy (ht=0x7f7b3644b440) at /home/huixinchen/opensource/php-5.6/Zend/zend_hash.c:548
#6  0x00000000008ebcf9 in _zval_dtor_func (zvalue=0x7f7b3644b3c8, __zend_filename=0xdd1ab8 "/home/huixinchen/opensource/php-5.6/Zend/zend_execute.h", __zend_lineno=95) at /home/huixinchen/opensource/php-5.6/Zend/zend_variables.c:45
#7  0x000000000092e9c6 in _zval_dtor (zvalue=0x7f7b3644b3c8, __zend_filename=0xdd1ab8 "/home/huixinchen/opensource/php-5.6/Zend/zend_execute.h", __zend_lineno=95) at /home/huixinchen/opensource/php-5.6/Zend/zend_variables.h:35
#8  0x000000000092eb66 in i_zval_ptr_dtor_nogc (zval_ptr=0x7f7b3644b3c8, __zend_filename=0xdd2130 "/home/huixinchen/opensource/php-5.6/Zend/zend_vm_execute.h", __zend_lineno=13044)
    at /home/huixinchen/opensource/php-5.6/Zend/zend_execute.h:95
#9  0x0000000000950397 in ZEND_ECHO_SPEC_VAR_HANDLER (execute_data=0x7f7b36419ca8) at /home/huixinchen/opensource/php-5.6/Zend/zend_vm_execute.h:13044
#10 0x00000000009342b2 in execute_ex (execute_data=0x7f7b36419ca8) at /home/huixinchen/opensource/php-5.6/Zend/zend_vm_execute.h:363
#11 0x000000000093433b in zend_execute (op_array=0x7f7b3644a910) at /home/huixinchen/opensource/php-5.6/Zend/zend_vm_execute.h:388
#12 0x00000000008ef790 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/huixinchen/opensource/php-5.6/Zend/zend.c:1341
#13 0x000000000085596f in php_execute_script (primary_file=0x7fff762650b0) at /home/huixinchen/opensource/php-5.6/main/main.c:2597
#14 0x00000000009b0b60 in main (argc=1, argv=0x7fff76267418) at /home/huixinchen/opensource/php-5.6/sapi/fpm/fpm/fpm_main.c:1964



History

 [2015-10-04 06:17 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=4744eec753786e18b28887463bdcb3f1e91efb60
Log: Fixed bug #70631 (Another Segfault in gc_remove_from_buffer())
 [2015-10-04 06:17 UTC] laruence@php.net
-Status: Open +Status: Closed
 [2015-10-13 10:12 UTC] ab@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=4744eec753786e18b28887463bdcb3f1e91efb60
Log: Fixed bug #70631 (Another Segfault in gc_remove_from_buffer())
Last updated: Sat Jun 24 05:01:39 2017 UTC