php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #70805 Segmentation faults whilst running Drupal 8 test suite
Submitted: 2015-10-28 13:07 UTC Modified: 2015-11-03 19:55 UTC
Votes:2
Avg. Score:3.0 ± 0.0
Reproduced:1 of 2 (50.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: alex dot a dot pott at gmail dot com Assigned: laruence
Status: Closed Package: Reproducible crash
PHP Version: 7.0.0RC5 OS: OS X & Linux
Private report: No CVE-ID:
 [2015-10-28 13:07 UTC] alex dot a dot pott at gmail dot com
Description:
------------
When running certain Drupal 8 tests on PHP7 we get a segmentation fault. This does not occur on PHP5.*

* thread #1: tid = 0x0000, 0x00000001055c6264 php`_emalloc_56 + 36 at zend_alloc.c:1291, stop reason = signal SIGSTOP
    frame #0: 0x00000001055c6264 php`_emalloc_56 + 36 at zend_alloc.c:1291
   1288
   1289		if (EXPECTED(heap->free_slot[bin_num] != NULL)) {
   1290			zend_mm_free_slot *p = heap->free_slot[bin_num];
-> 1291			heap->free_slot[bin_num] = p->next_free_slot;
   1292			return (void*)p;
   1293		} else {
   1294			return zend_mm_alloc_small_slow(heap, bin_num ZEND_FILE_LINE_RELAY_CC ZEND_FILE_LINE_ORIG_RELAY_CC);


  * frame #0: 0x00000001055c6264 php`_emalloc_56 + 36 at zend_alloc.c:1291
    frame #1: 0x00000001055c6240 php`_emalloc_56 + 16 at zend_alloc.c:2361
    frame #2: 0x0000000105601f36 php`zend_array_dup(source=0x0000000106d208c0) + 22 at zend_hash.c:1716
    frame #3: 0x000000010566b840 php`ZEND_ASSIGN_DIM_SPEC_VAR_UNUSED_HANDLER(execute_data=0x000000010681aee0) + 112 at zend_vm_execute.h:18975
    frame #4: 0x0000000105630298 php`execute_ex(ex=<unavailable>) + 40 at zend_vm_execute.h:417
    frame #5: 0x00000001056306be php`zend_execute(op_array=<unavailable>, return_value=<unavailable>) + 1038 at zend_vm_execute.h:458
    frame #6: 0x00000001055ef3ab php`zend_execute_scripts(type=8, retval=0x0000000000000000, file_count=3) + 315 at zend.c:1428
    frame #7: 0x000000010558b7f4 php`php_execute_script(primary_file=0x00007fff5a9f82b0) + 852 at main.c:2471
    frame #8: 0x0000000105682b60 php`do_cli(argc=<unavailable>, argv=<unavailable>) + 4048 at php_cli.c:974
    frame #9: 0x0000000105681a17 php`main(argc=<unavailable>, argv=<unavailable>) + 1399 at php_cli.c:1345
    frame #10: 0x00007fff8a9e65c9 libdyld.dylib`start + 1

Test script:
---------------
1. Install Drupal 8 from https://www.drupal.org/node/3060 (you will need a lamp stack or equivalent)
2. create the directory sites/simpletest
3. Enable the simpletest module once you have installed Drupal 8 (http://YOURSITE/admin/modules)
4a. Run the BasicAuthTest test from http://YOURSITE/admin/config/development/testing
OR
4b. Run from the command line using php ./core/scripts/run-tests.sh --color --non-html --url http://YOURSITE/ --verbose --class 'Drupal\basic_auth\Tests\Authentication\BasicAuthTest'



Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-10-28 15:01 UTC] neclimdul at gmail dot com
The exact line trigging this is _really_ deep which is making it hard to simplify. I've tried a couple things but haven't made headway.

The code is in Symfony and is making a graph of services. The exact line on the test I was looking at was:

<?php
    public function addOutEdge(ServiceReferenceGraphEdge $edge)
    {
        $this->outEdges[] = $edge;
    }
?>

I can setup a test environment and give someone access if they want to step through the failure.
 [2015-10-28 17:57 UTC] fabian at tag1consulting dot com
I just confirmed that this is a GC problem:

a) The graph implementation, which is really simple leaks memory - so directed references are not resolved correctly.

b) Disabling the GC via disable_gc() during the graph operation fixes the segfault.

I assume this is just happening very late in a process, because we first garbage collect wrongly, so memory is leaked and then we suddenly garbage collect _during_ the graph creation and that wracks havoc, which also means the backtrace makes sense.
 [2015-10-28 18:03 UTC] fabian at tag1consulting dot com
A simple gc_collect_cycles() before the affected code also "solves" the problem.
 [2015-10-29 16:32 UTC] ab@php.net
-Status: Open +Status: Feedback
 [2015-10-29 16:32 UTC] ab@php.net
Were it possible to extract a reproduce case? I currently have a trouble reproducing it as the test fails to execute:

An AJAX HTTP error occurred.
HTTP Result Code: 500
Debugging information follows.
Path: /drupal-8.0.0-rc2/index.php/batch?id=6&op=do_nojs&op=do
StatusText: Internal Server Error
ResponseText: {"message":"A fatal error occurred: SQLSTATE[HY000]: General error: 14 unable to open database: sites\/default\/files\/.ht.sqlite-simpletest813778: ATTACH DATABASE :database AS :prefix; Array\n(\n    [:database] =\u003E sites\/default\/files\/.ht.sqlite-simpletest813778\n    [:prefix] =\u003E simpletest813778\n)\n"}

Or maybe you have a tip how to overrule it?

Thanks.
 [2015-10-29 16:52 UTC] neclimdul at gmail dot com
Sounds like the web user doesn't have access to your sites directory. Changing that should fix the error.
 [2015-10-29 17:08 UTC] ab@php.net
-Status: Feedback +Status: Verified
 [2015-10-29 17:08 UTC] ab@php.net
Yeah, I've just switched to MySQL to fix that. Now only can reproduce with APache, the dev server just hangs. But tested also on Windows and can confirm the BT

>	php7ts.dll!_emalloc(unsigned __int64 size) Line 2442	C
 	php7ts.dll!zend_array_dup(_zend_array * source) Line 1717	C
 	php7ts.dll!_zval_copy_ctor_func(_zval_struct * zvalue) Line 222	C
 	php7ts.dll!object_properties_init(_zend_object * object, _zend_class_entry * class_type) Line 1180	C
 	php7ts.dll!_object_and_properties_init(_zval_struct * arg, _zend_class_entry * class_type, _zend_array * properties) Line 1285	C
 	php7ts.dll!ZEND_NEW_SPEC_CONST_HANDLER(_zend_execute_data * execute_data) Line 3356	C
 	php7ts.dll!execute_ex(_zend_execute_data * ex) Line 417	C
 	php7ts.dll!zend_call_function(_zend_fcall_info * fci, _zend_fcall_info_cache * fci_cache) Line 855	C
 	php7ts.dll!zif_call_user_func_array(_zend_execute_data * execute_data, _zval_struct * return_value) Line 4809	C
 	php7ts.dll!ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER(_zend_execute_data * execute_data) Line 723	C
 	php7ts.dll!execute_ex(_zend_execute_data * ex) Line 417	C
 	php7ts.dll!zend_call_function(_zend_fcall_info * fci, _zend_fcall_info_cache * fci_cache) Line 855	C
 	php7ts.dll!zif_call_user_func_array(_zend_execute_data * execute_data, _zval_struct * return_value) Line 4809	C
 	php7ts.dll!ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER(_zend_execute_data * execute_data) Line 723	C
 	php7ts.dll!execute_ex(_zend_execute_data * ex) Line 417	C
 	php7ts.dll!zend_execute(_zend_op_array * op_array, _zval_struct * return_value) Line 459	C
 	php7ts.dll!zend_execute_scripts(int type, _zval_struct * retval, int file_count, ...) Line 1429	C
 	php7ts.dll!php_execute_script(_zend_file_handle * primary_file) Line 2471	C

Thanks.
 [2015-10-29 17:14 UTC] ab@php.net
-Status: Verified +Status: Feedback
 [2015-10-29 17:14 UTC] ab@php.net
@neclimdul, still having a reproduce code were the preferable way. I've a question to ask yet.

Is call_user_func_array() called recursively? From the later backtrace, it might be good the case. But such recursive calls are often causing stack overflow and there's no protection against such stuff in PHP (I mean even in PHP5 and earlier). Could you guys please analyze this part? If it is possible to extract a synthetic repro case, that would rock.

Thanks.
 [2015-10-29 18:11 UTC] fabian at tag1consulting dot com
It is possible that call_user_func_array() calls a class or function that itself calls call_user_func_array() again after a while.

Especially with Dependency Injection that can happen quite easily.

--

I would love to have an easier repro case, but already simple changes like removing one of the passes that affect the graph lead to the problem no longer being reproducible.

--

If you are using that channel could you invite 'Fabianx', 'neclimdul' and 'alexpott' to #php on FreeNode?

It would be great to discuss this bug more in real time ...
 [2015-10-29 18:45 UTC] fabian at tag1consulting dot com
Some more information:

By setting:

#define GC_ROOT_BUFFER_MAX_ENTRIES 20001

in zend_gc.c the bug occurs way way earlier in the test run.

Also a normal call of index.php did give:

zend_gc_collect_cycles
php: /home/ubuntu/php7/php-src/Zend/zend_gc.c:226: gc_possible_root: Assertion `(ref)->gc.u.v.type == 7 || (ref)->gc.u.v.type == 8' failed.
Aborted (core dumped)

Not sure if this is helpful yet, but getting closer to a reproducible script.
 [2015-10-29 19:17 UTC] fabian at tag1consulting dot com
Together with setting:

   #define GC_ROOT_BUFFER_MAX_ENTRIES 20001

the following script produces a segfault: A different backtrace, but it seems related so posting here, as I hope that the fix for this script might also fix this issue here.

---
<?php

class Foo {

  protected $list = [];

  protected function doSomething($var) {
    $var->ref = $this;
    $this->list[] = $var;
  }

  public function init() {
      $array = [];
      for ($i = 0; $i < 19000; $i++) {
        $array[] = new \StdClass();
      }

      foreach ($array as $value) {
        $this->doSomething($value);
      }

      $this->list = [];
      $array = [];
  }
}

$foo = new Foo();
$foo->init();
---

Backtrace:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00000000009a3dce in gc_remove_from_roots (root=0x7f72b10e9050) at /home/ubuntu/php7/php-src/Zend/zend_gc.c:120
120		root->prev->next = root->next;
Traceback (most recent call last):
  File "/usr/share/gdb/auto-load/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.19-gdb.py", line 63, in <module>
    from libstdcxx.v6.printers import register_libstdcxx_printers
ImportError: No module named 'libstdcxx'
(gdb) bt
#0  0x00000000009a3dce in gc_remove_from_roots (root=0x7f72b10e9050) at /home/ubuntu/php7/php-src/Zend/zend_gc.c:120
#1  0x00000000009a4326 in gc_remove_from_buffer (ref=0x7f72a87d9fa0) at /home/ubuntu/php7/php-src/Zend/zend_gc.c:286
#2  0x00000000009bd0d8 in zend_objects_store_del (object=0x7f72a87d9fa0) at /home/ubuntu/php7/php-src/Zend/zend_objects_API.c:190
#3  0x000000000096f190 in _zval_dtor_func_for_ptr (p=0x7f72a87d9fa0, __zend_filename=0xfc9940 "/home/ubuntu/php7/php-src/Zend/zend_hash.c", 
    __zend_lineno=1261) at /home/ubuntu/php7/php-src/Zend/zend_variables.c:109
#4  0x000000000098354e in i_zval_ptr_dtor (zval_ptr=0x7f72a7542fe8, __zend_filename=0xfc9940 "/home/ubuntu/php7/php-src/Zend/zend_hash.c", 
    __zend_lineno=1261) at /home/ubuntu/php7/php-src/Zend/zend_variables.h:58
#5  0x00000000009870a8 in zend_array_destroy (ht=0x7f72a8659540) at /home/ubuntu/php7/php-src/Zend/zend_hash.c:1261
#6  0x000000000096f13a in _zval_dtor_func_for_ptr (p=0x7f72a8659540, __zend_filename=0xfcec40 "/home/ubuntu/php7/php-src/Zend/zend_execute.h", 
    __zend_lineno=103) at /home/ubuntu/php7/php-src/Zend/zend_variables.c:96
#7  0x00000000009c4fc3 in zend_assign_to_variable (variable_ptr=0x7f72a8614150, value=0x7f72a8674410, value_type=1 '\001')
    at /home/ubuntu/php7/php-src/Zend/zend_execute.h:103
#8  0x0000000000a0fbfc in ZEND_ASSIGN_SPEC_CV_CONST_HANDLER () at /home/ubuntu/php7/php-src/Zend/zend_vm_execute.h:31718
#9  0x00000000009cd2ff in execute_ex (ex=0x7f72a8614030) at /home/ubuntu/php7/php-src/Zend/zend_vm_execute.h:414
#10 0x00000000009cd411 in zend_execute (op_array=0x7f72a867e000, return_value=0x0) at /home/ubuntu/php7/php-src/Zend/zend_vm_execute.h:458
#11 0x0000000000972c42 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/ubuntu/php7/php-src/Zend/zend.c:1428
#12 0x00000000008e048d in php_execute_script (primary_file=0x7ffd2b501520) at /home/ubuntu/php7/php-src/main/main.c:2471
#13 0x0000000000a31509 in do_cli (argc=2, argv=0x252fe40) at /home/ubuntu/php7/php-src/sapi/cli/php_cli.c:974
#14 0x0000000000a326cd in main (argc=2, argv=0x252fe40) at /home/ubuntu/php7/php-src/sapi/cli/php_cli.c:1345
 [2015-10-29 19:19 UTC] ab@php.net
@Fabian thanks for the further investigation. Seems that we really need a stable case to reproduce. Right now it's really tedious as the most time is spent to setup Drupal and still no good understanding what happens :(

Btw. the most of the core devs sit in #php.pecl on EFnet, it doesn't require special rights to join.

Thanks.
 [2015-10-29 19:28 UTC] ab@php.net
Hm, but the script doesn't crash with the original case. We'd better have a reproducer for the unchanged PHP to reproduce the original case as base.

Thanks.
 [2015-10-29 19:57 UTC] fabian at tag1consulting dot com
I managed to simplify, Still need the 20001 entry, but getting the original backtrace now:

1. Download Drupal 8
2. Install Drupal via LAMP stack (Still trying to avoid that)
3. Copy the following into front.php and run it:

<?php

use Drupal\Core\DrupalKernel;
use Symfony\Component\HttpFoundation\Request;

$autoloader = require_once 'autoload.php';

$request = Request::createFromGlobals();
$kernel = DrupalKernel::createFromRequest($request, $autoloader, 'prod', FALSE);
$kernel->boot();
$kernel->rebuildContainer();
print "OK".PHP_EOL;

Creates the usual backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x000000000093ca6a in zend_mm_alloc_small (heap=0x7fffef400040, size=88, bin_num=9, 
    __zend_filename=0xfc9940 "/home/ubuntu/php7/php-src/Zend/zend_hash.c", __zend_lineno=1716, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /home/ubuntu/php7/php-src/Zend/zend_alloc.c:1291
1291			heap->free_slot[bin_num] = p->next_free_slot;
(gdb) bt
#0  0x000000000093ca6a in zend_mm_alloc_small (heap=0x7fffef400040, size=88, bin_num=9, 
    __zend_filename=0xfc9940 "/home/ubuntu/php7/php-src/Zend/zend_hash.c", __zend_lineno=1716, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /home/ubuntu/php7/php-src/Zend/zend_alloc.c:1291
#1  0x000000000093ccc1 in zend_mm_alloc_heap (heap=0x7fffef400040, size=88, __zend_filename=0xfc9940 "/home/ubuntu/php7/php-src/Zend/zend_hash.c", 
    __zend_lineno=1716, __zend_orig_filename=0x0, __zend_orig_lineno=0) at /home/ubuntu/php7/php-src/Zend/zend_alloc.c:1359
#2  0x000000000093f724 in _emalloc (size=56, __zend_filename=0xfc9940 "/home/ubuntu/php7/php-src/Zend/zend_hash.c", __zend_lineno=1716,
 [2015-10-30 09:04 UTC] laruence@php.net
I can not reproduce the segfualt :<

$ php7 ./core/scripts/run-tests.sh --color --non-html --url http://drupal.jx-lj-hxc.lianjia.com:8000/ --verbose --class 'Drupal\basic_auth\Tests\Authentication\BasicAuthTest'

Drupal test run
---------------

Tests to be run:
  - Drupal\basic_auth\Tests\Authentication\BasicAuthTest

Test run started:
  Friday, October 30, 2015 - 09:02

Test summary
------------

Drupal\basic_auth\Tests\Authentication\BasicAuthTest          81 passes                           20 messages

Test run duration: 1 min 5 sec

Detailed test results
---------------------


---- Drupal\basic_auth\Tests\Authentication\BasicAuthTest ----


Status    Group      Filename          Line Function
--------------------------------------------------------------------------------
Pass      Other      run-tests.sh       656 simpletest_script_run_one_test()
    Enabled modules: basic_auth, router_test, locale
Pass      User login BasicAuthTest.php   41 Drupal\basic_auth\Tests\Authenticat
    User created with name jXw1KEde and pass 7MK6dpzWSz
Pass      Browser    BasicAuthTestTrai   31 Drupal\basic_auth\Tests\Authenticat
    GET http://drupal.jx-lj-hxc.lianjia.com:8000/router_test/test11 returned
    200 (7.08 KB).
Pass      Browser    BasicAuthTestTrai   31 Drupal\basic_auth\Tests\Authenticat
    Valid HTML found on
    "http://drupal.jx-lj-hxc.lianjia.com:8000/router_test/test11"
Pass      Other      BasicAuthTest.php   45 Drupal\basic_auth\Tests\Authenticat
    Account name is displayed.
Pass      Browser    BasicAuthTest.php   46 Drupal\basic_auth\Tests\Authenticat
    HTTP response is OK
Pass      Other      BasicAuthTest.php   48 Drupal\basic_auth\Tests\Authenticat
    Value false is FALSE.
Pass      Other      BasicAuthTest.php   49 Drupal\basic_auth\Tests\Authenticat
    Cache-Control is not set to public
Pass      Browser    BasicAuthTestTrai   31 Drupal\basic_auth\Tests\Authenticat
    GET http://drupal.jx-lj-hxc.lianjia.com:8000/router_test/test11 returned
    403 (6.22 KB).
Pass      Browser    BasicAuthTestTrai   31 Drupal\basic_auth\Tests\Authenticat
    Valid HTML found on
    "http://drupal.jx-lj-hxc.lianjia.com:8000/router_test/test11"
Pass      Other      BasicAuthTest.php   52 Drupal\basic_auth\Tests\Authenticat
    Bad basic auth credentials do not authenticate the user.
Pass      Browser    BasicAuthTest.php   53 Drupal\basic_auth\Tests\Authenticat
    Access is not granted.
Pass      Browser    BasicAuthTest.php   56 Drupal\basic_auth\Tests\Authenticat
    GET http://drupal.jx-lj-hxc.lianjia.com:8000/router_test/test11 returned
    401 (6.21 KB).
Pass      Browser    BasicAuthTest.php   56 Drupal\basic_auth\Tests\Authenticat
    Valid HTML found on
    "http://drupal.jx-lj-hxc.lianjia.com:8000/router_test/test11"
Pass      Other      BasicAuthTest.php   57 Drupal\basic_auth\Tests\Authenticat
    Value 'Basic realm="Drupal"' is equal to value 'Basic realm="Drupal"'.
Pass      Browser    BasicAuthTest.php   58 Drupal\basic_auth\Tests\Authenticat
    Not authenticated on the route that allows only basic_auth. Prompt to
    authenticate received.
Pass      Browser    BasicAuthTest.php   60 Drupal\basic_auth\Tests\Authenticat
    GET http://drupal.jx-lj-hxc.lianjia.com:8000/admin returned 403 (6.22 KB).
Pass      Browser    BasicAuthTest.php   60 Drupal\basic_auth\Tests\Authenticat
    Valid HTML found on "http://drupal.jx-lj-hxc.lianjia.com:8000/admin"
Pass      Browser    BasicAuthTest.php   61 Drupal\basic_auth\Tests\Authenticat
    No authentication prompt for routes not explicitly defining authentication
    providers.
Pass      Role       BasicAuthTest.php   63 Drupal\basic_auth\Tests\Authenticat
    Created role ID 'gqgspyxm' with name 'H26<>&$0'.
Pass      Role       BasicAuthTest.php   63 Drupal\basic_auth\Tests\Authenticat
    Created permissions: access administration pages
Pass      User login BasicAuthTest.php   63 Drupal\basic_auth\Tests\Authenticat
    User created with name ytJJEDdB and pass cnVErhuQKY
Pass      Browser    BasicAuthTestTrai   31 Drupal\basic_auth\Tests\Authenticat
    GET http://drupal.jx-lj-hxc.lianjia.com:8000/admin returned 403 (7.23 KB).
Pass      Browser    BasicAuthTestTrai   31 Drupal\basic_auth\Tests\Authenticat
    Valid HTML found on "http://drupal.jx-lj-hxc.lianjia.com:8000/admin"
Pass      Other      BasicAuthTest.php   66 Drupal\basic_auth\Tests\Authenticat
    User is not logged in
Pass      Browser    BasicAuthTest.php   67 Drupal\basic_auth\Tests\Authenticat
    No basic authentication for routes not explicitly defining authentication
    providers.
Pass      Browser    BasicAuthTest.php   73 Drupal\basic_auth\Tests\Authenticat
    GET http://drupal.jx-lj-hxc.lianjia.com:8000/router_test/test10 returned
    200 (6.13 KB).
Pass      Browser    BasicAuthTest.php   73 Drupal\basic_auth\Tests\Authenticat
    Valid HTML found on
    "http://drupal.jx-lj-hxc.lianjia.com:8000/router_test/test10"
Pass      Other      BasicAuthTest.php   74 Drupal\basic_auth\Tests\Authenticat
    Value 'MISS' is equal to value 'MISS'.
Pass      Browser    BasicAuthTestTrai   31 Drupal\basic_auth\Tests\Authenticat
    GET http://drupal.jx-lj-hxc.lianjia.com:8000/router_test/test10 returned
    200 (7.08 KB).
Pass      Browser    BasicAuthTestTrai   31 Drupal\basic_auth\Tests\Authenticat
    Valid HTML found on
    "http://drupal.jx-lj-hxc.lianjia.com:8000/router_test/test10"
Pass      Other      BasicAuthTest.php   76 Drupal\basic_auth\Tests\Authenticat
    Value false is FALSE.
Pass      Other      BasicAuthTest.php   77 Drupal\basic_auth\Tests\Authenticat
    No page cache response when requesting a cached page with basic auth
    credentials.
Pass      Other      run-tests.sh       656 simpletest_script_run_one_test()
    Enabled modules: basic_auth, router_test, locale
Pass      User login BasicAuthTest.php   90 Drupal\basic_auth\Tests\Authenticat
    User created with name kQu49mcT and pass yvk3xMjnTp
Pass      Browser    BasicAuthTestTrai   31 Drupal\basic_auth\Tests\Authenticat
    GET http://drupal.jx-lj-hxc.lianjia.com:8000/router_test/test11 returned
    403 (6.22 KB).
Pass      Browser    BasicAuthTestTrai   31 Drupal\basic_auth\Tests\Authenticat
    Valid HTML found on
    "http://drupal.jx-lj-hxc.lianjia.com:8000/router_test/test11"
Pass      Browser    BasicAuthTestTrai   31 Drupal\basic_auth\Tests\Authenticat
    GET http://drupal.jx-lj-hxc.lianjia.com:8000/router_test/test11 returned
    403 (6.22 KB).
Pass      Browser    BasicAuthTestTrai   31 Drupal\basic_auth\Tests\Authenticat
    Valid HTML found on
    "http://drupal.jx-lj-hxc.lianjia.com:8000/router_test/test11"
Pass      Browser    BasicAuthTestTrai   31 Drupal\basic_auth\Tests\Authenticat
    GET http://drupal.jx-lj-hxc.lianjia.com:8000/router_test/test11 returned
    403 (6.22 KB).
Pass      Browser    BasicAuthTestTrai   31 Drupal\basic_auth\Tests\Authenticat
    Valid HTML found on
    "http://drupal.jx-lj-hxc.lianjia.com:8000/router_test/test11"
Pass      Browser    BasicAuthTest.php  102 Drupal\basic_auth\Tests\Authenticat
    Access is blocked because of IP based flood prevention.
Pass      Other      run-tests.sh       656 simpletest_script_run_one_test()
    Enabled modules: basic_auth, router_test, locale
Pass      User login BasicAuthTest.php  115 Drupal\basic_auth\Tests\Authenticat
    User created with name vSctJJ2H and pass 6AVPqgEVLs
Pass      User login BasicAuthTest.php  118 Drupal\basic_auth\Tests\Authenticat
    User created with name btMyybqw and pass jkaZ94GgYt
Pass      Browser    BasicAuthTestTrai   31 Drupal\basic_auth\Tests\Authenticat
    GET http://drupal.jx-lj-hxc.lianjia.com:8000/router_test/test11 returned
    403 (6.22 KB).
Pass      Browser    BasicAuthTestTrai   31 Drupal\basic_auth\Tests\Authenticat
    Valid HTML found on
    "http://drupal.jx-lj-hxc.lianjia.com:8000/router_test/test11"
Pass      Browser    BasicAuthTestTrai   31 Drupal\basic_auth\Tests\Authenticat
    GET http://drupal.jx-lj-hxc.lianjia.com:8000/router_test/test11 returned
    200 (7.08 KB).
Pass      Browser    BasicAuthTestTrai   31 Drupal\basic_auth\Tests\Authenticat
    Valid HTML found on
    "http://drupal.jx-lj-hxc.lianjia.com:8000/router_test/test11"
Pass      Browser    BasicAuthTest.php  126 Drupal\basic_auth\Tests\Authenticat
    Per user flood prevention gets reset on a successful login.
Pass      Browser    BasicAuthTestTrai   31 Drupal\basic_auth\Tests\Authenticat
    GET http://drupal.jx-lj-hxc.lianjia.com:8000/router_test/test11 returned
    403 (6.22 KB).
Pass      Browser    BasicAuthTestTrai   31 Drupal\basic_auth\Tests\Authenticat
    Valid HTML found on
    "http://drupal.jx-lj-hxc.lianjia.com:8000/router_test/test11"
Pass      Browser    BasicAuthTestTrai   31 Drupal\basic_auth\Tests\Authenticat
    GET http://drupal.jx-lj-hxc.lianjia.com:8000/router_test/test11 returned
    403 (6.22 KB).
Pass      Browser    BasicAuthTestTrai   31 Drupal\basic_auth\Tests\Authenticat
    Valid HTML found on
    "http://drupal.jx-lj-hxc.lianjia.com:8000/router_test/test11"
Pass      Browser    BasicAuthTestTrai   31 Drupal\basic_auth\Tests\Authenticat
    GET http://drupal.jx-lj-hxc.lianjia.com:8000/router_test/test11 returned
    403 (6.22 KB).
Pass      Browser    BasicAuthTestTrai   31 Drupal\basic_auth\Tests\Authenticat
    Valid HTML found on
    "http://drupal.jx-lj-hxc.lianjia.com:8000/router_test/test11"
Pass      Browser    BasicAuthTest.php  135 Drupal\basic_auth\Tests\Authenticat
    The user account is blocked due to per user flood prevention.
Pass      Browser    BasicAuthTestTrai   31 Drupal\basic_auth\Tests\Authenticat
    GET http://drupal.jx-lj-hxc.lianjia.com:8000/router_test/test11 returned
    200 (7.08 KB).
Pass      Browser    BasicAuthTestTrai   31 Drupal\basic_auth\Tests\Authenticat
    Valid HTML found on
    "http://drupal.jx-lj-hxc.lianjia.com:8000/router_test/test11"
Pass      Browser    BasicAuthTest.php  140 Drupal\basic_auth\Tests\Authenticat
    Per user flood prevention does not block access for other users.
Pass      Other      run-tests.sh       656 simpletest_script_run_one_test()
    Enabled modules: basic_auth, router_test, locale
Pass      User login BasicAuthTest.php  150 Drupal\basic_auth\Tests\Authenticat
    User created with name cLudjJSG and pass NyejYH6UwE
Pass      Browser    BasicAuthTestTrai   31 Drupal\basic_auth\Tests\Authenticat
    GET http://drupal.jx-lj-hxc.lianjia.com:8000/router_test/test11 returned
    200 (7.09 KB).
Pass      Browser    BasicAuthTestTrai   31 Drupal\basic_auth\Tests\Authenticat
    Valid HTML found on
    "http://drupal.jx-lj-hxc.lianjia.com:8000/router_test/test11"
Pass      Other      BasicAuthTest.php  154 Drupal\basic_auth\Tests\Authenticat
    Account name is displayed.
Pass      Browser    BasicAuthTest.php  155 Drupal\basic_auth\Tests\Authenticat
    HTTP response is OK
Pass      Other      run-tests.sh       656 simpletest_script_run_one_test()
    Enabled modules: basic_auth, router_test, locale
Pass      User login BasicAuthTest.php  163 Drupal\basic_auth\Tests\Authenticat
    User created with name moXVg44t and pass 5MScKsJPAW
Pass      Browser    BasicAuthTest.php  167 Drupal\basic_auth\Tests\Authenticat
    GET http://drupal.jx-lj-hxc.lianjia.com:8000/router_test/test11 returned
    401 (6.21 KB).
Pass      Browser    BasicAuthTest.php  167 Drupal\basic_auth\Tests\Authenticat
    Valid HTML found on
    "http://drupal.jx-lj-hxc.lianjia.com:8000/router_test/test11"
Pass      Browser    BasicAuthTest.php  168 Drupal\basic_auth\Tests\Authenticat
    The user is blocked when no credentials are passed.
Pass      Other      BasicAuthTest.php  169 Drupal\basic_auth\Tests\Authenticat
    No raw exception is displayed on the page.
Pass      Other      BasicAuthTest.php  170 Drupal\basic_auth\Tests\Authenticat
    A user friendly access unauthorized message is displayed.
Pass      Browser    BasicAuthTestTrai   31 Drupal\basic_auth\Tests\Authenticat
    GET http://drupal.jx-lj-hxc.lianjia.com:8000/router_test/test11 returned
    403 (6.22 KB).
Pass      Browser    BasicAuthTestTrai   31 Drupal\basic_auth\Tests\Authenticat
    Valid HTML found on
    "http://drupal.jx-lj-hxc.lianjia.com:8000/router_test/test11"
Pass      Browser    BasicAuthTest.php  174 Drupal\basic_auth\Tests\Authenticat
    The user is blocked when empty credentials are passed.
Pass      Other      BasicAuthTest.php  175 Drupal\basic_auth\Tests\Authenticat
    A user friendly access denied message is displayed
Pass      Browser    BasicAuthTestTrai   31 Drupal\basic_auth\Tests\Authenticat
    GET http://drupal.jx-lj-hxc.lianjia.com:8000/router_test/test11 returned
    403 (6.22 KB).
Pass      Browser    BasicAuthTestTrai   31 Drupal\basic_auth\Tests\Authenticat
    Valid HTML found on
    "http://drupal.jx-lj-hxc.lianjia.com:8000/router_test/test11"
Pass      Browser    BasicAuthTest.php  179 Drupal\basic_auth\Tests\Authenticat
    The user is blocked when wrong credentials are passed.
Pass      Other      BasicAuthTest.php  180 Drupal\basic_auth\Tests\Authenticat
    A user friendly access denied message is displayed

thanks
 [2015-10-30 09:27 UTC] fabian at tag1consulting dot com
Yes, this bug is really fragile, try the following one:

php7 ./core/scripts/run-tests.sh --color --non-html --url http://drupal.jx-lj-hxc.lianjia.com:8000/ --verbose --class 'Drupal\node\Tests\NodeSaveTest'

I am also in IRC again - if you want to chat.
 [2015-10-30 10:07 UTC] ab@php.net
After the further investigation, I can now reproduce the crash with Apache/mod_php on Windows almost always and it gives the backtrice I've posted above. Can confirm that it always has to do with the Symfony\\Component\\DependencyInjection\\Compiler\\ServiceReferenceGraphNode component and related Drupal code. However it is only reproducible with the complete Drupal\basic_auth\Tests\Authentication\BasicAuthTest test, running parts of it like Drupal\basic_auth\Tests\Authentication\BasicAuthTest::testBasicAuth doesn't reproduce. It seems that it's only reproducible when some criticall mass was reached and has less to do with the concrete codes. So guess it'll be quite hard to write a reproduce script :( But it'd be great to at least simplify it, like getting rid of the server part. Digging further.

Thanks.
 [2015-10-30 18:38 UTC] fabian at tag1consulting dot com
Another test that often fails is:

Drupal\\config\\Tests\\ConfigEntityListTest

And yes it needs several runs of creating and destroying ContainerBuilder instances, which really makes it hard to reproduce.
 [2015-11-01 10:08 UTC] laruence@php.net
@alex , maybe you can grant me a ssh access to the reproducible box? (via mail)

thanks
 [2015-11-02 09:45 UTC] ab@php.net
I've managed to get a bit more concrete BT

 	ntdll.dll!00007ff9b8e54b74()	Unknown
 	ucrtbase.dll!free() + 27 bytes	Unknown
>	php7ts.dll!zend_gc_collect_cycles() Line 1124	C
 	php7ts.dll!gc_possible_root(_zend_refcounted * ref=0x000000d059641220) Line 244	C
 	php7ts.dll!zend_leave_helper_SPEC(_zend_execute_data * execute_data=0x000000d056501040) Line 497	C
 	php7ts.dll!execute_ex(_zend_execute_data * ex) Line 417	C
 	php7ts.dll!zend_call_function(_zend_fcall_info * fci=0x000000d05602d950, _zend_fcall_info_cache * fci_cache=0x000000d05602d9a0) Line 855	C
 	php7ts.dll!zif_call_user_func_array(_zend_execute_data * execute_data=0x000000d0564fd990, _zval_struct * return_value=0x000000d0564fd980) Line 4809	C
 	php7ts.dll!ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER(_zend_execute_data * execute_data=0x000000d0564fd8c0) Line 723	C
 	php7ts.dll!execute_ex(_zend_execute_data * ex) Line 417	C
 	php7ts.dll!zend_call_function(_zend_fcall_info * fci=0x000000d05602dbc0, _zend_fcall_info_cache * fci_cache=0x000000d05602dc10) Line 855	C
 	php7ts.dll!zif_call_user_func_array(_zend_execute_data * execute_data=0x000000d0564fd3d0, _zval_struct * return_value=0x000000d0564fd260) Line 4809	C
 	php7ts.dll!ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER(_zend_execute_data * execute_data=0x000000d0564fcfa0) Line 723	C
 	php7ts.dll!execute_ex(_zend_execute_data * ex) Line 417	C
 	php7ts.dll!zend_execute(_zend_op_array * op_array, _zval_struct * return_value=0x0000000000000000) Line 459	C
 	php7ts.dll!zend_execute_scripts(int type=8, _zval_struct * retval=0x0000000000000000, int file_count=3, ...) Line 1429	C
 	php7ts.dll!php_execute_script(_zend_file_handle * primary_file=0x000000d05602f2b0) Line 2471	C
 	php7apache2_4.dll!php_handler(request_rec * r=0x000000d05916e278) Line 679	C

It looks indeed like a GC issue, most likely function args passed to call_user_func_array() are double free'd. 

Thanks.
 [2015-11-02 14:31 UTC] fabian at tag1consulting dot com
I provided laruence with a EC2 instance, where the segfault happens.
 [2015-11-03 15:42 UTC] laruence@php.net
-Assigned To: +Assigned To: laruence
 [2015-11-03 19:55 UTC] dmitry@php.net
unset($a) or unser($GLOBAL["a"]) triggered GC and destructors calls that tried to release the same global variable $a  once again. As result it's reference counter was decremented twice and this caused use-after-free, double-free, etc.

The proposed cumulative fix for all related problems:

https://gist.github.com/dstogov/7aa9d24876e2b3fce8c5
 [2015-11-04 01:56 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=2f2653aa7758cd586f1daff288146740dd5fa61b
Log: Fixed bug #70805 (Segmentation faults whilst running Drupal 8 test suite)
 [2015-11-04 01:56 UTC] laruence@php.net
-Status: Feedback +Status: Closed
 [2015-11-09 18:12 UTC] ab@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=46bb5a8cc957f2a12a25b51a90e0975713f75834
Log: Fixed bug #70805 (Segmentation faults whilst running Drupal 8 test suite)
 [2016-07-20 11:35 UTC] davey@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=2f2653aa7758cd586f1daff288146740dd5fa61b
Log: Fixed bug #70805 (Segmentation faults whilst running Drupal 8 test suite)
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Tue Feb 21 14:01:44 2017 UTC