Bug #72179 Segfault in gc_possible_root on CLI
Submitted: 2016-05-09 14:04 UTC
Modified: 2016-10-20 09:38 UTC
Votes:5
Avg. Score:3.8 ± 0.7
Reproduced:5 of 5 (100.0%)
Same Version:2 (40.0%)
Same OS:1 (20.0%)
From: webmaster at tom-geiger dot de
Assigned: laruence
Status: Assigned
Package: Reproducible crash
PHP Version: 7.0.12
OS: Ubuntu 16.10
Private report: No
CVE-ID: None

 [2016-05-09 14:04 UTC] webmaster at tom-geiger dot de
Description:
------------
PHP CLI segfaults during a loop handling events from a database. At some point the GC segfaults the script.

Adding gc_disable() at the start of the script will let it run through without error.

gdb bt attached.

See filed Ubuntu Bug: https://bugs.launchpad.net/bugs/1559693

"Segmentation fault (core dumped) while running a CLI "daemon" script that does a multitude of database operations on a MySQL database. (mysqli)

Happens randomly, and not always at the same position of test data after processing multiple thousand different SQL queries (Select, insert, update, delete).

Restarting the script after crash will successfully complete all test data.

Test data sadly can't be published because of privacy concerns."

StacktraceTop:
 gc_possible_root (ref=0x7f1599693620) at /build/php7.0-XlnpcA/php7.0-7.0.4/Zend/zend_gc.c:262
 zend_assign_to_variable (value_type=16 '\020', value=0x7f15996f4980, variable_ptr=0x7f15afc15b30) at /build/php7.0-XlnpcA/php7.0-7.0.4/Zend/zend_execute.h:109
 ZEND_FE_FETCH_R_SPEC_VAR_HANDLER () at /build/php7.0-XlnpcA/php7.0-7.0.4/Zend/zend_vm_execute.h:15938
 execute_ex (ex=ex@entry=0x7f15afc15ab0) at /build/php7.0-XlnpcA/php7.0-7.0.4/Zend/zend_vm_execute.h:414
 dtrace_execute_ex (execute_data=0x7f15afc15ab0) at /build/php7.0-XlnpcA/php7.0-7.0.4/Zend/zend_dtrace.c:83

Expected result:
----------------
No segfault.

Actual result:
--------------
0x000055c1fb3dcabf in execute_ex ()
(gdb) cont
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x000055c1fb3c54bf in gc_possible_root ()
(gdb) bt
#0  0x000055c1fb3c54bf in gc_possible_root ()
#1  0x000055c1fb3e3870 in ?? ()
#2  0x000055c1fb3dcacb in execute_ex ()
#3  0x000055c1fb38c511 in dtrace_execute_ex ()
#4  0x00007fe1ceb434ef in xdebug_execute_ex (execute_data=0x7fe1cf4168c0) at /build/xdebug-QTCpEl/xdebug-2.4.0/build-7.0/xdebug.c:1890
#5  0x000055c1fb4215ad in ?? ()
#6  0x000055c1fb3dcacb in execute_ex ()
#7  0x000055c1fb38c511 in dtrace_execute_ex ()
#8  0x00007fe1ceb434ef in xdebug_execute_ex (execute_data=0x7fe1cf416580) at /build/xdebug-QTCpEl/xdebug-2.4.0/build-7.0/xdebug.c:1890
#9  0x000055c1fb4215ad in ?? ()
#10 0x000055c1fb3dcacb in execute_ex ()
#11 0x000055c1fb38c511 in dtrace_execute_ex ()
#12 0x00007fe1ceb434ef in xdebug_execute_ex (execute_data=0x7fe1cf4164c0) at /build/xdebug-QTCpEl/xdebug-2.4.0/build-7.0/xdebug.c:1890
#13 0x000055c1fb4215ad in ?? ()
#14 0x000055c1fb3dcacb in execute_ex ()
#15 0x000055c1fb38c511 in dtrace_execute_ex ()
#16 0x00007fe1ceb434ef in xdebug_execute_ex (execute_data=0x7fe1cf4163f0) at /build/xdebug-QTCpEl/xdebug-2.4.0/build-7.0/xdebug.c:1890
#17 0x000055c1fb4215ad in ?? ()
#18 0x000055c1fb3dcacb in execute_ex ()
#19 0x000055c1fb38c511 in dtrace_execute_ex ()
#20 0x00007fe1ceb434ef in xdebug_execute_ex (execute_data=0x7fe1cf415db0) at /build/xdebug-QTCpEl/xdebug-2.4.0/build-7.0/xdebug.c:1890
#21 0x000055c1fb4215ad in ?? ()
#22 0x000055c1fb3dcacb in execute_ex ()
#23 0x000055c1fb38c511 in dtrace_execute_ex ()
#24 0x00007fe1ceb434ef in xdebug_execute_ex (execute_data=0x7fe1cf415b60) at /build/xdebug-QTCpEl/xdebug-2.4.0/build-7.0/xdebug.c:1890
#25 0x000055c1fb4215ad in ?? ()
#26 0x000055c1fb3dcacb in execute_ex ()
#27 0x000055c1fb38c511 in dtrace_execute_ex ()
#28 0x00007fe1ceb434ef in xdebug_execute_ex (execute_data=0x7fe1cf415280) at /build/xdebug-QTCpEl/xdebug-2.4.0/build-7.0/xdebug.c:1890
#29 0x000055c1fb4215ad in ?? ()
#30 0x000055c1fb3dcacb in execute_ex ()
#31 0x000055c1fb38c511 in dtrace_execute_ex ()
#32 0x00007fe1ceb434ef in xdebug_execute_ex (execute_data=0x7fe1cf414ae0) at /build/xdebug-QTCpEl/xdebug-2.4.0/build-7.0/xdebug.c:1890
#33 0x000055c1fb4215ad in ?? ()
#34 0x000055c1fb3dcacb in execute_ex ()
#35 0x000055c1fb38c511 in dtrace_execute_ex ()
#36 0x00007fe1ceb434ef in xdebug_execute_ex (execute_data=0x7fe1cf4149b0) at /build/xdebug-QTCpEl/xdebug-2.4.0/build-7.0/xdebug.c:1890
#37 0x000055c1fb4215ad in ?? ()
#38 0x000055c1fb3dcacb in execute_ex ()
#39 0x000055c1fb38c511 in dtrace_execute_ex ()
#40 0x00007fe1ceb434ef in xdebug_execute_ex (execute_data=0x7fe1cf414650) at /build/xdebug-QTCpEl/xdebug-2.4.0/build-7.0/xdebug.c:1890
#41 0x000055c1fb4215ad in ?? ()
#42 0x000055c1fb3dcacb in execute_ex ()
#43 0x000055c1fb38c511 in dtrace_execute_ex ()
#44 0x00007fe1ceb434ef in xdebug_execute_ex (execute_data=0x7fe1cf4144d0) at /build/xdebug-QTCpEl/xdebug-2.4.0/build-7.0/xdebug.c:1890
#45 0x000055c1fb4215ad in ?? ()
#46 0x000055c1fb3dcacb in execute_ex ()
#47 0x000055c1fb38c511 in dtrace_execute_ex ()
#48 0x00007fe1ceb434ef in xdebug_execute_ex (execute_data=0x7fe1cf414030) at /build/xdebug-QTCpEl/xdebug-2.4.0/build-7.0/xdebug.c:1890
#49 0x000055c1fb430537 in zend_execute ()
---Type <return> to continue, or q <return> to quit---bt
#50 0x000055c1fb39c713 in zend_execute_scripts ()
#51 0x000055c1fb33d130 in php_execute_script ()
#52 0x000055c1fb4321f7 in ?? ()
#53 0x000055c1fb221f64 in main ()


 [2016-05-09 14:06 UTC] webmaster at tom-geiger dot de
The stack trace says 7.0.4, but the problem persists using the 7.0.6 packages from Ondrej's PPA.
 [2016-05-09 14:48 UTC] laruence@php.net
-Status: Open +Status: Feedback -Assigned To: +Assigned To: laruence
 [2016-05-09 14:48 UTC] laruence@php.net
Please try with valgrind and see if there is any useful info:

USE_ZEND_ALLOC=0 valgrind php your-script.php

thanks
 [2016-05-12 13:23 UTC] webmaster at tom-geiger dot de
-Status: Feedback +Status: Assigned
 [2016-05-12 13:23 UTC] webmaster at tom-geiger dot de
Running valgrind gives me this: I'll check if I can get more information with different valgrind parameters:

==3856== Invalid read of size 8
==3856==    at 0x38F4BF: gc_possible_root (in /usr/bin/php7.0)
==3856==    by 0x2F608F: var_destroy (in /usr/bin/php7.0)
==3856==    by 0x2E8967: zif_unserialize (in /usr/bin/php7.0)
==3856==    by 0x356679: dtrace_execute_internal (in /usr/bin/php7.0)
==3856==    by 0x9AE1E7D: xdebug_execute_internal (xdebug.c:2035)
==3856==    by 0x3EB46F: ??? (in /usr/bin/php7.0)
==3856==    by 0x3A6ACA: execute_ex (in /usr/bin/php7.0)
==3856==    by 0x356510: dtrace_execute_ex (in /usr/bin/php7.0)
==3856==    by 0x9AE14EE: xdebug_execute_ex (xdebug.c:1890)
==3856==    by 0x3EB5AC: ??? (in /usr/bin/php7.0)
==3856==    by 0x3A6ACA: execute_ex (in /usr/bin/php7.0)
==3856==    by 0x356510: dtrace_execute_ex (in /usr/bin/php7.0)
==3856==  Address 0x20f901c0 is 16 bytes before a block of size 288 free'd
==3856==    at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3856==    by 0x3778F1: zend_array_destroy (in /usr/bin/php7.0)
==3856==    by 0x37795E: zend_array_destroy (in /usr/bin/php7.0)
==3856==    by 0x364A58: _zval_dtor_func_for_ptr (in /usr/bin/php7.0)
==3856==    by 0x3F90C2: ??? (in /usr/bin/php7.0)
==3856==    by 0x3A6ACA: execute_ex (in /usr/bin/php7.0)
==3856==    by 0x356510: dtrace_execute_ex (in /usr/bin/php7.0)
==3856==    by 0x9AE14EE: xdebug_execute_ex (xdebug.c:1890)
==3856==    by 0x3EB5AC: ??? (in /usr/bin/php7.0)
==3856==    by 0x3A6ACA: execute_ex (in /usr/bin/php7.0)
==3856==    by 0x356510: dtrace_execute_ex (in /usr/bin/php7.0)
==3856==    by 0x9AE14EE: xdebug_execute_ex (xdebug.c:1890)
==3856==  Block was alloc'd at
==3856==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3856==    by 0x37422C: _zend_hash_str_update (in /usr/bin/php7.0)
==3856==    by 0x3695BE: add_assoc_str_ex (in /usr/bin/php7.0)
==3856==    by 0x380CFE: zend_fetch_debug_backtrace (in /usr/bin/php7.0)
==3856==    by 0x3811FC: ??? (in /usr/bin/php7.0)
==3856==    by 0x356679: dtrace_execute_internal (in /usr/bin/php7.0)
==3856==    by 0x9AE1E7D: xdebug_execute_internal (xdebug.c:2035)
==3856==    by 0x3EB46F: ??? (in /usr/bin/php7.0)
==3856==    by 0x3A6ACA: execute_ex (in /usr/bin/php7.0)
==3856==    by 0x356510: dtrace_execute_ex (in /usr/bin/php7.0)
==3856==    by 0x9AE14EE: xdebug_execute_ex (xdebug.c:1890)
==3856==    by 0x3EB5AC: ??? (in /usr/bin/php7.0)
==3856== 
==3856== Invalid write of size 8
==3856==    at 0x38F4DB: gc_possible_root (in /usr/bin/php7.0)
==3856==    by 0x2F608F: var_destroy (in /usr/bin/php7.0)
==3856==    by 0x2E8967: zif_unserialize (in /usr/bin/php7.0)
==3856==    by 0x356679: dtrace_execute_internal (in /usr/bin/php7.0)
==3856==    by 0x9AE1E7D: xdebug_execute_internal (xdebug.c:2035)
==3856==    by 0x3EB46F: ??? (in /usr/bin/php7.0)
==3856==    by 0x3A6ACA: execute_ex (in /usr/bin/php7.0)
==3856==    by 0x356510: dtrace_execute_ex (in /usr/bin/php7.0)
==3856==    by 0x9AE14EE: xdebug_execute_ex (xdebug.c:1890)
==3856==    by 0x3EB5AC: ??? (in /usr/bin/php7.0)
==3856==    by 0x3A6ACA: execute_ex (in /usr/bin/php7.0)
==3856==    by 0x356510: dtrace_execute_ex (in /usr/bin/php7.0)
==3856==  Address 0x20f901b0 is 32 bytes before a block of size 288 in arena "client"
==3856== 
==3856== Invalid write of size 8
==3856==    at 0x38F4E2: gc_possible_root (in /usr/bin/php7.0)
==3856==    by 0x2F608F: var_destroy (in /usr/bin/php7.0)
==3856==    by 0x2E8967: zif_unserialize (in /usr/bin/php7.0)
==3856==    by 0x356679: dtrace_execute_internal (in /usr/bin/php7.0)
==3856==    by 0x9AE1E7D: xdebug_execute_internal (xdebug.c:2035)
==3856==    by 0x3EB46F: ??? (in /usr/bin/php7.0)
==3856==    by 0x3A6ACA: execute_ex (in /usr/bin/php7.0)
==3856==    by 0x356510: dtrace_execute_ex (in /usr/bin/php7.0)
==3856==    by 0x9AE14EE: xdebug_execute_ex (xdebug.c:1890)
==3856==    by 0x3EB5AC: ??? (in /usr/bin/php7.0)
==3856==    by 0x3A6ACA: execute_ex (in /usr/bin/php7.0)
==3856==    by 0x356510: dtrace_execute_ex (in /usr/bin/php7.0)
==3856==  Address 0x20f901b8 is 24 bytes before a block of size 288 free'd
==3856==    at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3856==    by 0x3778F1: zend_array_destroy (in /usr/bin/php7.0)
==3856==    by 0x37795E: zend_array_destroy (in /usr/bin/php7.0)
==3856==    by 0x364A58: _zval_dtor_func_for_ptr (in /usr/bin/php7.0)
==3856==    by 0x3F90C2: ??? (in /usr/bin/php7.0)
==3856==    by 0x3A6ACA: execute_ex (in /usr/bin/php7.0)
==3856==    by 0x356510: dtrace_execute_ex (in /usr/bin/php7.0)
==3856==    by 0x9AE14EE: xdebug_execute_ex (xdebug.c:1890)
==3856==    by 0x3EB5AC: ??? (in /usr/bin/php7.0)
==3856==    by 0x3A6ACA: execute_ex (in /usr/bin/php7.0)
==3856==    by 0x356510: dtrace_execute_ex (in /usr/bin/php7.0)
==3856==    by 0x9AE14EE: xdebug_execute_ex (xdebug.c:1890)
==3856==  Block was alloc'd at
==3856==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3856==    by 0x37422C: _zend_hash_str_update (in /usr/bin/php7.0)
==3856==    by 0x3695BE: add_assoc_str_ex (in /usr/bin/php7.0)
==3856==    by 0x380CFE: zend_fetch_debug_backtrace (in /usr/bin/php7.0)
==3856==    by 0x3811FC: ??? (in /usr/bin/php7.0)
==3856==    by 0x356679: dtrace_execute_internal (in /usr/bin/php7.0)
==3856==    by 0x9AE1E7D: xdebug_execute_internal (xdebug.c:2035)
==3856==    by 0x3EB46F: ??? (in /usr/bin/php7.0)
==3856==    by 0x3A6ACA: execute_ex (in /usr/bin/php7.0)
==3856==    by 0x356510: dtrace_execute_ex (in /usr/bin/php7.0)
==3856==    by 0x9AE14EE: xdebug_execute_ex (xdebug.c:1890)
==3856==    by 0x3EB5AC: ??? (in /usr/bin/php7.0)
==3856== 
==3856== Invalid write of size 8
==3856==    at 0x38F4EA: gc_possible_root (in /usr/bin/php7.0)
==3856==    by 0x2F608F: var_destroy (in /usr/bin/php7.0)
==3856==    by 0x2E8967: zif_unserialize (in /usr/bin/php7.0)
==3856==    by 0x356679: dtrace_execute_internal (in /usr/bin/php7.0)
==3856==    by 0x9AE1E7D: xdebug_execute_internal (xdebug.c:2035)
==3856==    by 0x3EB46F: ??? (in /usr/bin/php7.0)
==3856==    by 0x3A6ACA: execute_ex (in /usr/bin/php7.0)
==3856==    by 0x356510: dtrace_execute_ex (in /usr/bin/php7.0)
==3856==    by 0x9AE14EE: xdebug_execute_ex (xdebug.c:1890)
==3856==    by 0x3EB5AC: ??? (in /usr/bin/php7.0)
==3856==    by 0x3A6ACA: execute_ex (in /usr/bin/php7.0)
==3856==    by 0x356510: dtrace_execute_ex (in /usr/bin/php7.0)
==3856==  Address 0x20f901c0 is 16 bytes before a block of size 288 free'd
==3856==    at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3856==    by 0x3778F1: zend_array_destroy (in /usr/bin/php7.0)
==3856==    by 0x37795E: zend_array_destroy (in /usr/bin/php7.0)
==3856==    by 0x364A58: _zval_dtor_func_for_ptr (in /usr/bin/php7.0)
==3856==    by 0x3F90C2: ??? (in /usr/bin/php7.0)
==3856==    by 0x3A6ACA: execute_ex (in /usr/bin/php7.0)
==3856==    by 0x356510: dtrace_execute_ex (in /usr/bin/php7.0)
==3856==    by 0x9AE14EE: xdebug_execute_ex (xdebug.c:1890)
==3856==    by 0x3EB5AC: ??? (in /usr/bin/php7.0)
==3856==    by 0x3A6ACA: execute_ex (in /usr/bin/php7.0)
==3856==    by 0x356510: dtrace_execute_ex (in /usr/bin/php7.0)
==3856==    by 0x9AE14EE: xdebug_execute_ex (xdebug.c:1890)
==3856==  Block was alloc'd at
==3856==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3856==    by 0x37422C: _zend_hash_str_update (in /usr/bin/php7.0)
==3856==    by 0x3695BE: add_assoc_str_ex (in /usr/bin/php7.0)
==3856==    by 0x380CFE: zend_fetch_debug_backtrace (in /usr/bin/php7.0)
==3856==    by 0x3811FC: ??? (in /usr/bin/php7.0)
==3856==    by 0x356679: dtrace_execute_internal (in /usr/bin/php7.0)
==3856==    by 0x9AE1E7D: xdebug_execute_internal (xdebug.c:2035)
==3856==    by 0x3EB46F: ??? (in /usr/bin/php7.0)
==3856==    by 0x3A6ACA: execute_ex (in /usr/bin/php7.0)
==3856==    by 0x356510: dtrace_execute_ex (in /usr/bin/php7.0)
==3856==    by 0x9AE14EE: xdebug_execute_ex (xdebug.c:1890)
==3856==    by 0x3EB5AC: ??? (in /usr/bin/php7.0)
==3856== 
==3856== 
==3856== Process terminating with default action of signal 11 (SIGSEGV)
==3856==  Bad permissions for mapped region at address 0x706870
==3856==    at 0x38F4DB: gc_possible_root (in /usr/bin/php7.0)
==3856==    by 0x2F608F: var_destroy (in /usr/bin/php7.0)
==3856==    by 0x2E8967: zif_unserialize (in /usr/bin/php7.0)
==3856==    by 0x356679: dtrace_execute_internal (in /usr/bin/php7.0)
==3856==    by 0x9AE1E7D: xdebug_execute_internal (xdebug.c:2035)
==3856==    by 0x3EB46F: ??? (in /usr/bin/php7.0)
==3856==    by 0x3A6ACA: execute_ex (in /usr/bin/php7.0)
==3856==    by 0x356510: dtrace_execute_ex (in /usr/bin/php7.0)
==3856==    by 0x9AE14EE: xdebug_execute_ex (xdebug.c:1890)
==3856==    by 0x3EB5AC: ??? (in /usr/bin/php7.0)
==3856==    by 0x3A6ACA: execute_ex (in /usr/bin/php7.0)
==3856==    by 0x356510: dtrace_execute_ex (in /usr/bin/php7.0)
==3856== 
==3856== HEAP SUMMARY:
==3856==     in use at exit: 99,178,289 bytes in 499,578 blocks
==3856==   total heap usage: 65,129,443 allocs, 64,629,865 frees, 6,570,319,776 bytes allocated
==3856== 
==3856== LEAK SUMMARY:
==3856==    definitely lost: 1,688 bytes in 31 blocks
==3856==    indirectly lost: 8,352 bytes in 29 blocks
==3856==      possibly lost: 85,691,756 bytes in 392,542 blocks
==3856==    still reachable: 13,476,493 bytes in 106,976 blocks
==3856==         suppressed: 0 bytes in 0 blocks
==3856== Rerun with --leak-check=full to see details of leaked memory
 [2016-05-19 13:24 UTC] webmaster at tom-geiger dot de
Compiled PHP myself from the GIT repository.

The segfault still persists, when running gdb I get this error:

Program received signal SIGSEGV, Segmentation fault.
0x000000000085cf75 in gc_possible_root (ref=0x7fffeafb02a0) at /home/geiger/git/php/Zend/zend_gc.c:234
234			GC_G(unused) = newRoot->prev;

During testing of the compile, I also had the same error in line 262 once.

Both lines use GC_G(unused) = newRoot->prev;
 [2016-05-19 13:40 UTC] webmaster at tom-geiger dot de
Also, another valgrind with the manually built version:

==14634== Invalid read of size 8
==14634==    at 0x85CF75: gc_possible_root (zend_gc.c:234)
==14634==    by 0x82429E: gc_check_possible_root (zend_gc.h:136)
==14634==    by 0x82434E: i_zval_ptr_dtor (zend_variables.h:50)
==14634==    by 0x824A29: _zval_ptr_dtor_wrapper (zend_variables.c:203)
==14634==    by 0x83CC1D: _zend_hash_del_el_ex (zend_hash.c:1026)
==14634==    by 0x83D411: zend_hash_index_del (zend_hash.c:1228)
==14634==    by 0x667ABD: zif_array_shift (array.c:2706)
==14634==    by 0x889F65: ZEND_DO_FCALL_BY_NAME_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:785)
==14634==    by 0x8891C4: execute_ex (zend_vm_execute.h:426)
==14634==    by 0x8892D5: zend_execute (zend_vm_execute.h:471)
==14634==    by 0x827C90: zend_execute_scripts (zend.c:1427)
==14634==    by 0x78EB25: php_execute_script (main.c:2492)
==14634==  Address 0x6364376232363742 is not stack'd, malloc'd or (recently) free'd
==14634== 
==14634== 
==14634== Process terminating with default action of signal 11 (SIGSEGV)
==14634==  General Protection Fault
==14634==    at 0x85CF75: gc_possible_root (zend_gc.c:234)
==14634==    by 0x82429E: gc_check_possible_root (zend_gc.h:136)
==14634==    by 0x82434E: i_zval_ptr_dtor (zend_variables.h:50)
==14634==    by 0x824A29: _zval_ptr_dtor_wrapper (zend_variables.c:203)
==14634==    by 0x83CC1D: _zend_hash_del_el_ex (zend_hash.c:1026)
==14634==    by 0x83D411: zend_hash_index_del (zend_hash.c:1228)
==14634==    by 0x667ABD: zif_array_shift (array.c:2706)
==14634==    by 0x889F65: ZEND_DO_FCALL_BY_NAME_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:785)
==14634==    by 0x8891C4: execute_ex (zend_vm_execute.h:426)
==14634==    by 0x8892D5: zend_execute (zend_vm_execute.h:471)
==14634==    by 0x827C90: zend_execute_scripts (zend.c:1427)
==14634==    by 0x78EB25: php_execute_script (main.c:2492)
==14634== 
==14634== HEAP SUMMARY:
==14634==     in use at exit: 99,412,531 bytes in 488,147 blocks
==14634==   total heap usage: 17,687,831 allocs, 17,199,684 frees, 3,341,087,194 bytes allocated
==14634== 
==14634== LEAK SUMMARY:
==14634==    definitely lost: 3,472 bytes in 62 blocks
==14634==    indirectly lost: 17,856 bytes in 62 blocks
==14634==      possibly lost: 88,267,081 bytes in 390,950 blocks
==14634==    still reachable: 11,124,122 bytes in 97,073 blocks
==14634==         suppressed: 0 bytes in 0 blocks
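A triage helper for Memcheck logs like the two posted above, as an added example that is not part of the original report and not PHP or Valgrind code. It pairs each invalid access with the code that freed and allocated the block, and flags faulting addresses whose eight bytes are all printable ASCII, a hint that a pointer was overwritten with string data. The sample input is abridged from the logs in this thread; the function names are hypothetical.

```python
import re

# Sample abridged from the two valgrind logs posted in this report.
SAMPLE = """\
==3856== Invalid read of size 8
==3856==    at 0x38F4BF: gc_possible_root (in /usr/bin/php7.0)
==3856==    by 0x2F608F: var_destroy (in /usr/bin/php7.0)
==3856==    by 0x2E8967: zif_unserialize (in /usr/bin/php7.0)
==3856==  Address 0x20f901c0 is 16 bytes before a block of size 288 free'd
==3856==    at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3856==    by 0x3778F1: zend_array_destroy (in /usr/bin/php7.0)
==3856==  Block was alloc'd at
==3856==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3856==    by 0x37422C: _zend_hash_str_update (in /usr/bin/php7.0)
==3856==
==3856== Invalid write of size 8
==3856==    at 0x38F4DB: gc_possible_root (in /usr/bin/php7.0)
==3856==    by 0x2F608F: var_destroy (in /usr/bin/php7.0)
==3856==  Address 0x20f901b0 is 32 bytes before a block of size 288 in arena "client"
==3856==
==14634== Invalid read of size 8
==14634==    at 0x85CF75: gc_possible_root (zend_gc.c:234)
==14634==    by 0x82429E: gc_check_possible_root (zend_gc.h:136)
==14634==  Address 0x6364376232363742 is not stack'd, malloc'd or (recently) free'd
==14634==
"""

PREFIX = re.compile(r"^==(\d+)==\s?")
HEADER = re.compile(r"Invalid (read|write) of size (\d+)")
ADDRESS = re.compile(r"Address (0x[0-9a-fA-F]+) is (.+)")
BLOCK = re.compile(
    r"(\d+) bytes (before|inside|after) a block of size (\d+) (free'd|alloc'd|in arena)")
FRAME = re.compile(r"(?:at|by) 0x[0-9A-Fa-f]+: (\S+)")
ALLOCATOR = {"free", "malloc", "calloc", "realloc"}


def ascii_pointer(addr):
    """Return addr's 8 little-endian bytes as text if all are printable ASCII."""
    raw = addr.to_bytes(8, "little")
    return raw.decode("ascii") if all(0x20 <= b <= 0x7E for b in raw) else None


def parse_memcheck(text):
    """Split a Memcheck log into invalid-access records with their three stacks."""
    errors, cur, section = [], None, None
    for line in text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue
        body = line[m.end():].strip()
        if not body:                      # an empty ==PID== line ends a record
            cur = None
            continue
        h = HEADER.match(body)
        if h:
            cur = {"pid": int(m.group(1)), "access": h.group(1),
                   "size": int(h.group(2)), "address": None, "where": "",
                   "stack": [], "freed_by": [], "alloc_by": []}
            section = "stack"
            errors.append(cur)
        elif cur is None:
            continue                      # summaries, termination notices, etc.
        elif ADDRESS.match(body):
            a = ADDRESS.match(body)
            cur["address"], cur["where"] = int(a.group(1), 16), a.group(2)
            b = BLOCK.search(a.group(2))
            # Frames after the Address line describe the free only for freed blocks.
            section = "freed_by" if b and b.group(4) == "free'd" else None
        elif body.startswith("Block was alloc'd at"):
            section = "alloc_by"
        elif section and FRAME.match(body):
            cur[section].append(FRAME.match(body).group(1))
    return errors


def classify(err):
    b = BLOCK.search(err["where"])
    if b:
        return "freed-block" if b.group(4) == "free'd" else "heap-block"
    return "wild-pointer" if "not stack'd" in err["where"] else "unknown"


def triage(text):
    """One summary row per invalid access, skipping allocator wrapper frames."""
    caller = lambda frames: next((f for f in frames if f not in ALLOCATOR), None)
    return [{"pid": e["pid"], "access": e["access"], "size": e["size"],
             "top": e["stack"][0] if e["stack"] else None, "kind": classify(e),
             "freed_by": caller(e["freed_by"]), "alloc_by": caller(e["alloc_by"]),
             "ascii": ascii_pointer(e["address"])} for e in parse_memcheck(text)]


if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

On the second log the faulting address 0x6364376232363742 decodes to the text `B762b7dc`, and it is not a canonical x86-64 address, which matches the General Protection Fault valgrind reports there.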
 [2016-07-20 20:05 UTC] ccovey14 at gmail dot com
I am still seeing this in 7.0.8. We see it in our functional test suite, always in the same test, although running just the test it fails on passes as expected. I can also confirm calling gc_disable does in fact allow the test suite to pass. gdb backtrace and php modules below.

#gdb Backtrace

#0  gc_possible_root (ref=<value optimized out>) at /usr/src/debug/php-7.0.8/Zend/zend_gc.c:262
#1  0x0000000000575d14 in var_destroy (var_hashx=<value optimized out>) at /usr/src/debug/php-7.0.8/ext/standard/var_unserializer.c:160
#2  0x0000000000564848 in zif_unserialize (execute_data=<value optimized out>, return_value=0x7f7524e1a530) at /usr/src/debug/php-7.0.8/ext/standard/var.c:1087
#3  0x00000000005d5029 in dtrace_execute_internal (execute_data=<value optimized out>, return_value=<value optimized out>)
    at /usr/src/debug/php-7.0.8/Zend/zend_dtrace.c:107
#4  0x000000000065b522 in ZEND_DO_FCALL_SPEC_HANDLER (execute_data=0x7f7524e1a4d0) at /usr/src/debug/php-7.0.8/Zend/zend_vm_execute.h:844
#5  0x00000000006231d0 in execute_ex (ex=<value optimized out>) at /usr/src/debug/php-7.0.8/Zend/zend_vm_execute.h:417
#6  0x00000000005d516e in dtrace_execute_ex (execute_data=0x7f7524e1a4d0) at /usr/src/debug/php-7.0.8/Zend/zend_dtrace.c:83
#7  0x000000000066867d in ZEND_INCLUDE_OR_EVAL_SPEC_CV_HANDLER (execute_data=0x7f7524e1a0a0) at /usr/src/debug/php-7.0.8/Zend/zend_vm_execute.h:29337
#8  0x00000000006231d0 in execute_ex (ex=<value optimized out>) at /usr/src/debug/php-7.0.8/Zend/zend_vm_execute.h:417
#9  0x00000000005d516e in dtrace_execute_ex (execute_data=0x7f7524e1a0a0) at /usr/src/debug/php-7.0.8/Zend/zend_dtrace.c:83
#10 0x000000000065b39a in ZEND_DO_FCALL_SPEC_HANDLER (execute_data=0x7f7524e193a0) at /usr/src/debug/php-7.0.8/Zend/zend_vm_execute.h:800
#11 0x00000000006231d0 in execute_ex (ex=<value optimized out>) at /usr/src/debug/php-7.0.8/Zend/zend_vm_execute.h:417
#12 0x00000000005d516e in dtrace_execute_ex (execute_data=0x7f7524e193a0) at /usr/src/debug/php-7.0.8/Zend/zend_dtrace.c:83
#13 0x000000000065b39a in ZEND_DO_FCALL_SPEC_HANDLER (execute_data=0x7f7524e19220) at /usr/src/debug/php-7.0.8/Zend/zend_vm_execute.h:800
#14 0x00000000006231d0 in execute_ex (ex=<value optimized out>) at /usr/src/debug/php-7.0.8/Zend/zend_vm_execute.h:417
#15 0x00000000005d516e in dtrace_execute_ex (execute_data=0x7f7524e19220) at /usr/src/debug/php-7.0.8/Zend/zend_dtrace.c:83
#16 0x000000000065b39a in ZEND_DO_FCALL_SPEC_HANDLER (execute_data=0x7f7524e18d50) at /usr/src/debug/php-7.0.8/Zend/zend_vm_execute.h:800
#17 0x00000000006231d0 in execute_ex (ex=<value optimized out>) at /usr/src/debug/php-7.0.8/Zend/zend_vm_execute.h:417
#18 0x00000000005d516e in dtrace_execute_ex (execute_data=0x7f7524e18d50) at /usr/src/debug/php-7.0.8/Zend/zend_dtrace.c:83
#19 0x000000000065b39a in ZEND_DO_FCALL_SPEC_HANDLER (execute_data=0x7f7524e18a50) at /usr/src/debug/php-7.0.8/Zend/zend_vm_execute.h:800
#20 0x00000000006231d0 in execute_ex (ex=<value optimized out>) at /usr/src/debug/php-7.0.8/Zend/zend_vm_execute.h:417
#21 0x00000000005d516e in dtrace_execute_ex (execute_data=0x7f7524e18a50) at /usr/src/debug/php-7.0.8/Zend/zend_dtrace.c:83
#22 0x000000000065b39a in ZEND_DO_FCALL_SPEC_HANDLER (execute_data=0x7f7524e18610) at /usr/src/debug/php-7.0.8/Zend/zend_vm_execute.h:800
#23 0x00000000006231d0 in execute_ex (ex=<value optimized out>) at /usr/src/debug/php-7.0.8/Zend/zend_vm_execute.h:417
#24 0x00000000005d516e in dtrace_execute_ex (execute_data=0x7f7524e18610) at /usr/src/debug/php-7.0.8/Zend/zend_dtrace.c:83
#25 0x000000000065b39a in ZEND_DO_FCALL_SPEC_HANDLER (execute_data=0x7f7524e18390) at /usr/src/debug/php-7.0.8/Zend/zend_vm_execute.h:800
#26 0x00000000006231d0 in execute_ex (ex=<value optimized out>) at /usr/src/debug/php-7.0.8/Zend/zend_vm_execute.h:417
#27 0x00000000005d516e in dtrace_execute_ex (execute_data=0x7f7524e18390) at /usr/src/debug/php-7.0.8/Zend/zend_dtrace.c:83
#28 0x000000000065b39a in ZEND_DO_FCALL_SPEC_HANDLER (execute_data=0x7f7524e181d0) at /usr/src/debug/php-7.0.8/Zend/zend_vm_execute.h:800
#29 0x00000000006231d0 in execute_ex (ex=<value optimized out>) at /usr/src/debug/php-7.0.8/Zend/zend_vm_execute.h:417
#30 0x00000000005d516e in dtrace_execute_ex (execute_data=0x7f7524e181d0) at /usr/src/debug/php-7.0.8/Zend/zend_dtrace.c:83
#31 0x000000000065b39a in ZEND_DO_FCALL_SPEC_HANDLER (execute_data=0x7f7524e176e0) at /usr/src/debug/php-7.0.8/Zend/zend_vm_execute.h:800
#32 0x00000000006231d0 in execute_ex (ex=<value optimized out>) at /usr/src/debug/php-7.0.8/Zend/zend_vm_execute.h:417
#33 0x00000000005d516e in dtrace_execute_ex (execute_data=0x7f7524e176e0) at /usr/src/debug/php-7.0.8/Zend/zend_dtrace.c:83
#34 0x000000000065b39a in ZEND_DO_FCALL_SPEC_HANDLER (execute_data=0x7f7524e17650) at /usr/src/debug/php-7.0.8/Zend/zend_vm_execute.h:800
#35 0x00000000006231d0 in execute_ex (ex=<value optimized out>) at /usr/src/debug/php-7.0.8/Zend/zend_vm_execute.h:417
#36 0x00000000005d516e in dtrace_execute_ex (execute_data=0x7f7524e17650) at /usr/src/debug/php-7.0.8/Zend/zend_dtrace.c:83
#37 0x000000000065b39a in ZEND_DO_FCALL_SPEC_HANDLER (execute_data=0x7f7524e16ea0) at /usr/src/debug/php-7.0.8/Zend/zend_vm_execute.h:800
#38 0x00000000006231d0 in execute_ex (ex=<value optimized out>) at /usr/src/debug/php-7.0.8/Zend/zend_vm_execute.h:417
#39 0x00000000005d516e in dtrace_execute_ex (execute_data=0x7f7524e16ea0) at /usr/src/debug/php-7.0.8/Zend/zend_dtrace.c:83
#40 0x000000000065b39a in ZEND_DO_FCALL_SPEC_HANDLER (execute_data=0x7f7524e16300) at /usr/src/debug/php-7.0.8/Zend/zend_vm_execute.h:800
#41 0x00000000006231d0 in execute_ex (ex=<value optimized out>) at /usr/src/debug/php-7.0.8/Zend/zend_vm_execute.h:417
#42 0x00000000005d516e in dtrace_execute_ex (execute_data=0x7f7524e16300) at /usr/src/debug/php-7.0.8/Zend/zend_dtrace.c:83
#43 0x000000000065b39a in ZEND_DO_FCALL_SPEC_HANDLER (execute_data=0x7f7524e158a0) at /usr/src/debug/php-7.0.8/Zend/zend_vm_execute.h:800
#44 0x00000000006231d0 in execute_ex (ex=<value optimized out>) at /usr/src/debug/php-7.0.8/Zend/zend_vm_execute.h:417
#45 0x00000000005d516e in dtrace_execute_ex (execute_data=0x7f7524e158a0) at /usr/src/debug/php-7.0.8/Zend/zend_dtrace.c:83
#46 0x000000000065b39a in ZEND_DO_FCALL_SPEC_HANDLER (execute_data=0x7f7524e152c0) at /usr/src/debug/php-7.0.8/Zend/zend_vm_execute.h:800
---Type <return> to continue, or q <return> to quit---
#47 0x00000000006231d0 in execute_ex (ex=<value optimized out>) at /usr/src/debug/php-7.0.8/Zend/zend_vm_execute.h:417
#48 0x00000000005d516e in dtrace_execute_ex (execute_data=0x7f7524e152c0) at /usr/src/debug/php-7.0.8/Zend/zend_dtrace.c:83
#49 0x000000000065b39a in ZEND_DO_FCALL_SPEC_HANDLER (execute_data=0x7f7524e14ce0) at /usr/src/debug/php-7.0.8/Zend/zend_vm_execute.h:800
#50 0x00000000006231d0 in execute_ex (ex=<value optimized out>) at /usr/src/debug/php-7.0.8/Zend/zend_vm_execute.h:417
#51 0x00000000005d516e in dtrace_execute_ex (execute_data=0x7f7524e14ce0) at /usr/src/debug/php-7.0.8/Zend/zend_dtrace.c:83
#52 0x000000000065b39a in ZEND_DO_FCALL_SPEC_HANDLER (execute_data=0x7f7524e136b0) at /usr/src/debug/php-7.0.8/Zend/zend_vm_execute.h:800
#53 0x00000000006231d0 in execute_ex (ex=<value optimized out>) at /usr/src/debug/php-7.0.8/Zend/zend_vm_execute.h:417
#54 0x00000000005d516e in dtrace_execute_ex (execute_data=0x7f7524e136b0) at /usr/src/debug/php-7.0.8/Zend/zend_dtrace.c:83
#55 0x000000000065b39a in ZEND_DO_FCALL_SPEC_HANDLER (execute_data=0x7f7524e13290) at /usr/src/debug/php-7.0.8/Zend/zend_vm_execute.h:800
#56 0x00000000006231d0 in execute_ex (ex=<value optimized out>) at /usr/src/debug/php-7.0.8/Zend/zend_vm_execute.h:417
#57 0x00000000005d516e in dtrace_execute_ex (execute_data=0x7f7524e13290) at /usr/src/debug/php-7.0.8/Zend/zend_dtrace.c:83
#58 0x000000000065b39a in ZEND_DO_FCALL_SPEC_HANDLER (execute_data=0x7f7524e131a0) at /usr/src/debug/php-7.0.8/Zend/zend_vm_execute.h:800
#59 0x00000000006231d0 in execute_ex (ex=<value optimized out>) at /usr/src/debug/php-7.0.8/Zend/zend_vm_execute.h:417
#60 0x00000000005d516e in dtrace_execute_ex (execute_data=0x7f7524e131a0) at /usr/src/debug/php-7.0.8/Zend/zend_dtrace.c:83
#61 0x000000000065b39a in ZEND_DO_FCALL_SPEC_HANDLER (execute_data=0x7f7524e13030) at /usr/src/debug/php-7.0.8/Zend/zend_vm_execute.h:800
#62 0x00000000006231d0 in execute_ex (ex=<value optimized out>) at /usr/src/debug/php-7.0.8/Zend/zend_vm_execute.h:417
#63 0x00000000005d516e in dtrace_execute_ex (execute_data=0x7f7524e13030) at /usr/src/debug/php-7.0.8/Zend/zend_dtrace.c:83
#64 0x000000000067689b in zend_execute (op_array=0x7f7524e85000, return_value=<value optimized out>) at /usr/src/debug/php-7.0.8/Zend/zend_vm_execute.h:458
#65 0x00000000005e3b03 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/debug/php-7.0.8/Zend/zend.c:1427
#66 0x0000000000585180 in php_execute_script (primary_file=0x7ffdbd74a970) at /usr/src/debug/php-7.0.8/main/main.c:2494
#67 0x000000000067ab9a in do_cli (argc=9, argv=0x1e1bd50) at /usr/src/debug/php-7.0.8/sapi/cli/php_cli.c:974
#68 0x000000000067b39a in main (argc=9, argv=0x1e1bd50) at /usr/src/debug/php-7.0.8/sapi/cli/php_cli.c:1344


# PHP modules installed 

[PHP Modules]
apc
apcu
bcmath
bz2
calendar
Core
ctype
curl
date
dom
exif
fileinfo
filter
ftp
gd
gettext
hash
iconv
igbinary
imagick
imap
intl
json
ldap
libxml
mbstring
mongodb
mysqli
mysqlnd
openssl
pcntl
pcre
PDO
pdo_mysql
pdo_sqlite
Phar
posix
readline
redis
Reflection
session
shmop
SimpleXML
soap
sockets
solr
SPL
sqlite3
standard
sysvmsg
sysvsem
sysvshm
tokenizer
wddx
xml
xmlreader
xmlwriter
xsl
Zend OPcache
zip
zlib

[Zend Modules]
Zend OPcache
 [2016-10-20 09:38 UTC] webmaster at tom-geiger dot de
-Operating System: Ubuntu 16.04 +Operating System: Ubuntu 16.10 -PHP Version: 7.0.6 +PHP Version: 7.0.12
 [2016-10-20 09:38 UTC] webmaster at tom-geiger dot de
Issue still occurs with PHP 7.0.12.

I managed to work around the issue a bit more. The following pseudo code describes the issue further:

--- Segfaulting code ---
while (true) {
    fetchEventFromDatabase();
    handleEvent();   // Somewhere here the GC starts and segfaults
}
--- End Code ---

Disabling GC: 

--- NOT- Segfaulting code ---
gc_disable();
while (true) {
    fetchEventFromDatabase();
    handleEvent();   // GC never starts, so no segfault
}
--- End Code ---

Optimized workaround:
--- SOMETIMES- Segfaulting code ---
define('DO_GC', 50);
gc_disable();
while (true) {
    fetchEventFromDatabase();
    handleEvent();
    if (rand(1, DO_GC) == DO_GC) {
        gc_collect_cycles();  // This segfaults depending on DO_GC
    }
}
--- End Code ---

In my environment, having DO_GC < 20 will keep the script from segfaulting.
Above 20 I will have segfaults when executing gc_collect_cycles().

This leads me to assume that gc_collect_cycles() will segfault depending on the amount of cycles it has to collect.

I hope this helps to further isolate the issue.
 
Last updated: Sun Nov 19 01:31:42 2017 UTC