Bug #71973 Segfault in garbage collector
Submitted: 2016-04-06 08:00 UTC Modified: 2016-04-07 03:31 UTC
Votes: 1
Avg. Score: 4.0 ± 0.0
Reproduced: 1 of 1 (100.0%)
Same Version: 0 (0.0%)
Same OS: 1 (100.0%)
From: peters at yandex dot ru Assigned:
Status: Wont fix Package: Scripting Engine problem
PHP Version: 7.0.5 OS: Linux
Private report: No CVE-ID: None
 [2016-04-06 08:00 UTC] peters at yandex dot ru
Description:
------------
A segmentation fault happens when the garbage collector tries to clean up a doubly-linked-list-like structure of objects.

Initially we caught this bug when trying to run a test from the lrucache/lrucache package using PHP 7. Then I managed to create a minimal reproducible example, which leads to a segfault in PHP 5.6 and PHP 7.0.5 on different Linux systems (Ubuntu, Fedora, CentOS).

Test script:
---------------
<?php
// Whether the segfault happens depends on the number of cycles; 1M should be enough for all systems.
class Node {
        public $next;
        public $previous;
}
// Sentinel head and tail, linked both ways.
$head = new Node();
$tail = new Node();
$head->next = $tail;
$tail->previous = $head;
// Insert each new node directly after $head. Every node references both of its
// neighbours, so the whole chain is one long cycle for the collector to walk.
for ($i = 0; $i < 1000000; $i++) {
        $node = new Node();
        $node->previous = $head;
        $node->next = $head->next;
        $node->next->previous = $node;
        $head->next = $node;
}

Expected result:
----------------
The script should exit silently without errors.

Actual result:
--------------
Segmentation fault

Backtrace
----
#0  0x0000000000a85809 in gc_mark_grey (ref=<error reading variable: Cannot access memory at address 0x7fffff7fefe8>) at /home/petr/build/php-7.0.5/Zend/zend_gc.c:410
#1  0x0000000000a859a0 in gc_mark_grey (ref=0x7ffff030c310) at /home/petr/build/php-7.0.5/Zend/zend_gc.c:444
#2  0x0000000000a859a0 in gc_mark_grey (ref=0x7ffff030c380) at /home/petr/build/php-7.0.5/Zend/zend_gc.c:444
#3  0x0000000000a859a0 in gc_mark_grey (ref=0x7ffff030c3f0) at /home/petr/build/php-7.0.5/Zend/zend_gc.c:444
#4  0x0000000000a859a0 in gc_mark_grey (ref=0x7ffff030c460) at /home/petr/build/php-7.0.5/Zend/zend_gc.c:444
#5  0x0000000000a859a0 in gc_mark_grey (ref=0x7ffff030c4d0) at /home/petr/build/php-7.0.5/Zend/zend_gc.c:444
........
........
#65451 0x0000000000a859a0 in gc_mark_grey (ref=0x7fffebaca3f0) at /home/petr/build/php-7.0.5/Zend/zend_gc.c:444
#65452 0x0000000000a859a0 in gc_mark_grey (ref=0x7fffebaca460) at /home/petr/build/php-7.0.5/Zend/zend_gc.c:444
#65453 0x0000000000a85cb3 in gc_mark_roots () at /home/petr/build/php-7.0.5/Zend/zend_gc.c:531
#65454 0x0000000000a86d8e in zend_gc_collect_cycles () at /home/petr/build/php-7.0.5/Zend/zend_gc.c:1003
#65455 0x0000000000a85221 in gc_possible_root (ref=0x7fffebaca540) at /home/petr/build/php-7.0.5/Zend/zend_gc.c:243
#65456 0x0000000000aa6887 in zend_assign_to_variable (variable_ptr=0x7ffff02130c0, value=0x7ffff0213170, value_type=4 '\004') at /home/petr/build/php-7.0.5/Zend/zend_execute.h:109
#65457 0x0000000000af9ad7 in ZEND_ASSIGN_SPEC_CV_VAR_HANDLER (execute_data=0x7ffff0213030) at /home/petr/build/php-7.0.5/Zend/zend_vm_execute.h:33475
#65458 0x0000000000aaec50 in execute_ex (ex=0x7ffff0213030) at /home/petr/build/php-7.0.5/Zend/zend_vm_execute.h:417
#65459 0x0000000000aaed7a in zend_execute (op_array=0x7ffff0285000, return_value=0x7fffffffc980) at /home/petr/build/php-7.0.5/Zend/zend_vm_execute.h:458
#65460 0x0000000000a3c986 in zend_eval_stringl (str=0x146d180 "class Node {\n        public $next;\n        public $previous;\n}\n$head = new Node();\n$tail = new Node();\n$head->next = $tail;\n$tail->previous = $head;\nfor ($i = 0; $i < 1000000; $i++) {\n        $node = "..., str_len=349, retval_ptr=0x0, string_name=0x10d1744 "Command line code") at /home/petr/build/php-7.0.5/Zend/zend_execute_API.c:1132
#65461 0x0000000000a3cb66 in zend_eval_stringl_ex (str=0x146d180 "class Node {\n        public $next;\n        public $previous;\n}\n$head = new Node();\n$tail = new Node();\n$head->next = $tail;\n$tail->previous = $head;\nfor ($i = 0; $i < 1000000; $i++) {\n        $node = "..., str_len=349, retval_ptr=0x0, string_name=0x10d1744 "Command line code", handle_exceptions=1) at /home/petr/build/php-7.0.5/Zend/zend_execute_API.c:1173
#65462 0x0000000000a3cc01 in zend_eval_string_ex (str=0x146d180 "class Node {\n        public $next;\n        public $previous;\n}\n$head = new Node();\n$tail = new Node();\n$head->next = $tail;\n$tail->previous = $head;\nfor ($i = 0; $i < 1000000; $i++) {\n        $node = "..., retval_ptr=0x0, string_name=0x10d1744 "Command line code", handle_exceptions=1) at /home/petr/build/php-7.0.5/Zend/zend_execute_API.c:1184
#65463 0x0000000000b1a32d in do_cli (argc=3, argv=0x146d110) at /home/petr/build/php-7.0.5/sapi/cli/php_cli.c:1005
#65464 0x0000000000b1b373 in main (argc=3, argv=0x146d110) at /home/petr/build/php-7.0.5/sapi/cli/php_cli.c:1344
-----

History

 [2016-04-07 03:31 UTC] laruence@php.net
-Status: Open +Status: Wont fix
 [2016-04-07 03:31 UTC] laruence@php.net
This is a stack overflow; you can verify it by setting a bigger stack size, e.g.:

ulimit -s 102400, then run it again.

Thanks
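The diagnosis above (one gc_mark_grey frame per object reached, so a chain of 1,000,000 objects exhausts the default 8 MB C stack) is illustrated by the following added C program. It is not part of the bug report or of PHP's source: it rebuilds the doubly linked list from the test script and marks it twice, once with a recursive marker shaped like gc_mark_grey and once with a marker that keeps its worklist on the heap, so the recursion depth and the worklist size can be compared directly. The Node struct, the color enum and every function name here are assumptions made for the example; real Zend marking also adjusts refcounts, which this model leaves out.

```c
#include <stdio.h>
#include <stdlib.h>

/* Mark colors, named after the ones used by the Zend cycle collector
 * (assumed simplification: only BLACK and GREY are needed here). */
enum color { BLACK = 0, GREY = 1 };

/* One object from the test script: $next, $previous, plus a GC color. */
typedef struct Node {
    struct Node *next;
    struct Node *previous;
    enum color color;
} Node;

/* Free a chain by walking ->next from head. */
static void free_list(Node *head) {
    while (head != NULL) {
        Node *n = head->next;
        free(head);
        head = n;
    }
}

/* Build the structure from the test script: head and tail, then n nodes
 * inserted right after head, each linked both ways. calloc() leaves every
 * node BLACK. Returns head, or NULL on allocation failure. */
static Node *build_list(size_t n) {
    Node *head = calloc(1, sizeof *head);
    Node *tail = calloc(1, sizeof *tail);
    if (head == NULL || tail == NULL) {
        free(head);
        free(tail);
        return NULL;
    }
    head->next = tail;
    tail->previous = head;
    for (size_t i = 0; i < n; i++) {
        Node *node = calloc(1, sizeof *node);
        if (node == NULL) {
            free_list(head);
            return NULL;
        }
        node->previous = head;
        node->next = head->next;
        node->next->previous = node;
        head->next = node;
    }
    return head;
}

/* Recursive marking shaped like gc_mark_grey(): one C stack frame per object
 * reached, so the depth equals the length of the chain reachable via ->next.
 * Returns the number of objects marked; records the deepest frame in *max_depth. */
static size_t mark_grey_recursive(Node *ref, size_t depth, size_t *max_depth) {
    if (ref == NULL || ref->color == GREY) {
        return 0;
    }
    ref->color = GREY;
    if (depth > *max_depth) {
        *max_depth = depth;
    }
    size_t marked = 1;
    marked += mark_grey_recursive(ref->next, depth + 1, max_depth);
    marked += mark_grey_recursive(ref->previous, depth + 1, max_depth);
    return marked;
}

/* Same marking with an explicit heap-allocated worklist instead of the C stack.
 * For a linked list the worklist never holds more than a couple of pointers,
 * however long the list is. Records the peak worklist size in *max_worklist. */
static size_t mark_grey_iterative(Node *root, size_t *max_worklist) {
    size_t cap = 64, top = 0, marked = 0;
    Node **worklist = malloc(cap * sizeof *worklist);
    if (worklist == NULL) {
        return 0;
    }
    worklist[top++] = root;
    *max_worklist = top;
    while (top > 0) {
        Node *ref = worklist[--top];
        if (ref == NULL || ref->color == GREY) {
            continue;
        }
        ref->color = GREY;
        marked++;
        if (top + 2 > cap) {                      /* grow before pushing two children */
            cap *= 2;
            Node **grown = realloc(worklist, cap * sizeof *worklist);
            if (grown == NULL) {
                free(worklist);
                return marked;
            }
            worklist = grown;
        }
        worklist[top++] = ref->next;
        worklist[top++] = ref->previous;
        if (top > *max_worklist) {
            *max_worklist = top;
        }
    }
    free(worklist);
    return marked;
}

/* Build a chain with n inner nodes, mark it recursively, free it. */
size_t count_recursive(size_t n, size_t *max_depth) {
    Node *head = build_list(n);
    if (head == NULL) {
        return 0;
    }
    *max_depth = 0;
    size_t marked = mark_grey_recursive(head, 1, max_depth);
    free_list(head);
    return marked;
}

/* Build a chain with n inner nodes, mark it iteratively, free it. */
size_t count_iterative(size_t n, size_t *max_worklist) {
    Node *head = build_list(n);
    if (head == NULL) {
        return 0;
    }
    *max_worklist = 0;
    size_t marked = mark_grey_iterative(head, max_worklist);
    free_list(head);
    return marked;
}

int main(int argc, char **argv) {
    /* 1000 nodes is safe at any stack size; pass 1000000 to reproduce the
     * recursive overflow under the usual 8 MB `ulimit -s`, or raise the limit
     * as the comment above suggests and watch it succeed. */
    size_t n = argc > 1 ? (size_t)strtoull(argv[1], NULL, 10) : 1000;
    size_t depth = 0, worklist = 0;
    printf("iterative: marked %zu objects, peak worklist %zu\n",
           count_iterative(n, &worklist), worklist);
    printf("recursive: marked %zu objects, max depth %zu\n",
           count_recursive(n, &depth), depth);
    return 0;
}
```

Both markers visit head, the n inner nodes and tail (n + 2 objects). The recursive one needs n + 2 nested frames to do it, which is why the backtrace above runs to frame #65464 before gdb gives up reading the stack, while the worklist version peaks at two pending pointers regardless of n.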