Bug #72286 Segmentation fault (segfault) During Garbage Collection
Submitted: 2016-05-30 02:49 UTC Modified: 2017-01-02 14:07 UTC
Votes:2
Avg. Score:3.5 ± 0.5
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:1 (50.0%)
From: php at mattlight dot biz Assigned: dmitry
Status: Closed Package: Reproducible crash
PHP Version: 5.6.23 OS: CentOS Linux release 7.2.1511
Private report: No CVE-ID: None
 [2016-05-30 02:49 UTC] php at mattlight dot biz
Description:
------------
A segmentation fault occurs during garbage collection when the following criteria are all met:
 - Object "A" stores a reference to itself in an instance variable
 - Object "A" also stores another object, Object "B" in another instance variable (instance of stdClass is fine)
 - The destructor of object "A" attempts to reference object "B" only after checking that object "B" is still set
 - Object "A" is instantiated from some other object

The issue affects PHP 5.6 and 5.5 (and 5.4), but not 7.0. I have set the test case up in Travis CI: https://travis-ci.org/lightster/php-circular-reference-segfault

The scenario I presented is a simplified scenario of an issue I encountered when using phpamqplib. Other people have reported this issue to phpamqplib but since the library is written purely in PHP it cannot be responsible for preventing a segmentation fault: https://github.com/php-amqplib/php-amqplib/issues/261

My bug report might be the same issue that was reported in https://bugs.php.net/bug.php?id=71958 but I was unable to confirm one way or another.

Test script:
---------------
https://raw.githubusercontent.com/lightster/php-circular-reference-segfault/master/segfault.php

Expected result:
----------------
I would expect either "the object exists" or "will not get here" to be output. I know the order in which destructors are called is documented to be undefined, so either output is probably acceptable.

Actual result:
--------------
PHP exits with a segmentation fault:

Array
(
    [0] => Core
    [1] => date
    [2] => ereg
    [3] => libxml
    [4] => openssl
    [5] => pcre
    [6] => zlib
    [7] => filter
    [8] => hash
    [9] => pcntl
    [10] => readline
    [11] => Reflection
    [12] => SPL
    [13] => session
    [14] => standard
    [15] => mhash
)
string(24) "we are about to segfault"
string(15) "segfaults here:"
Segmentation fault (core dumped)
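The object graph the report describes, reconstructed as an added example (this is not the reporter's segfault.php, which is only linked above; the class names, the `close()` method and the messages are assumptions). The assumed mitigation is to break the self-reference explicitly before the last external reference is dropped, so the object is released by refcounting rather than by `gc_collect_cycles()`, the path the backtraces above show crashing on PHP 5.x:

```php
<?php
// Added reconstruction of the scenario in the report (not the reporter's
// segfault.php): class names, close() and the messages are assumptions.

class Holder
{
    public $self;   // reference back to this object: creates the cycle
    public $b;      // the second object the destructor wants to touch

    public function __construct()
    {
        $this->self = $this;
        $this->b = new stdClass();
        $this->b->name = 'B';
    }

    // Assumed mitigation: break the cycle while everything is still alive,
    // so the object is freed by refcounting instead of by the cycle
    // collector, which is the path that crashes on PHP 5.x.
    public function close()
    {
        $this->self = null;
    }

    public function __destruct()
    {
        // The reported crash: on PHP 5.x isset() still sees $this->b, but
        // the object it points to has already been freed by the collector.
        if (isset($this->b)) {
            var_dump($this->b);
        }
    }
}

// The report requires "A" to be instantiated from some other object.
class Factory
{
    public function make()
    {
        return new Holder();
    }
}

$factory = new Factory();
$a = $factory->make();
$a->close();          // remove this line to leave the cycle in place
unset($a);            // destructor runs here, while the stdClass is alive
gc_collect_cycles();  // nothing left in a cycle for the collector to destroy
```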

 [2016-05-30 03:05 UTC] php at mattlight dot biz
In case it might be useful, here is the gdb output:

(gdb) bt
#0  0x00007f5966ac5e98 in zend_std_object_get_class ()
#1  0x00007f5966ac5ec5 in zend_std_get_debug_info ()
#2  0x00007f5966a16e83 in php_var_dump ()
#3  0x00007f5966a1730a in zif_var_dump ()
#4  0x00007f5966a8ce1b in dtrace_execute_internal ()
#5  0x00007f5966b468e4 in zend_do_fcall_common_helper_SPEC ()
#6  0x00007f5966adac28 in execute_ex ()
#7  0x00007f5966a8ccf9 in dtrace_execute_ex ()
#8  0x00007f5966a8eaf3 in zend_call_function ()
#9  0x00007f5966ab6838 in zend_call_method ()
#10 0x00007f5966ac5929 in zend_objects_destroy_object ()
#11 0x00007f5966abf04a in gc_collect_cycles ()
#12 0x00007f5966aaf889 in zif_gc_collect_cycles ()
#13 0x00007f5966a8ce1b in dtrace_execute_internal ()
#14 0x00007f5966b468e4 in zend_do_fcall_common_helper_SPEC ()
#15 0x00007f5966adac28 in execute_ex ()
#16 0x00007f5966a8ccf9 in dtrace_execute_ex ()
#17 0x00007f5966a9fa6b in zend_execute_scripts ()
#18 0x00007f5966a3aea2 in php_execute_script ()
#19 0x00007f5966b487e8 in do_cli ()
#20 0x00007f5966918f6a in main ()
 [2016-07-14 09:25 UTC] dmitry@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: dmitry
 [2016-07-14 09:25 UTC] dmitry@php.net
The bug seems to be fixed in PHP-5.5.
I can reproduce it with PHP-5.4, but not with PHP-5.5 and above.
Please verify and re-open, if it's still reproducible for you.
 [2016-07-14 15:34 UTC] php at mattlight dot biz
-Status: Closed +Status: Assigned -PHP Version: 5.6.22 +PHP Version: 5.6.23
 [2016-07-14 15:34 UTC] php at mattlight dot biz
This error is still reproducible on my end with the latest version of PHP 5.6 (5.6.23).

Here is the output I produced as of a few minutes ago:
[boxkeeper@macaroon-dev php-circular-reference-segfault]$ php segfault.php 
Array
(
    [0] => Core
    [1] => date
    [2] => ereg
    [3] => libxml
    [4] => openssl
    [5] => pcre
    [6] => zlib
    [7] => filter
    [8] => hash
    [9] => pcntl
    [10] => readline
    [11] => Reflection
    [12] => SPL
    [13] => session
    [14] => standard
    [15] => mhash
)
string(24) "we are about to segfault"
string(15) "segfaults here:"
Segmentation fault


[boxkeeper@macaroon-dev php-circular-reference-segfault]$ echo $?
139


[boxkeeper@macaroon-dev php-circular-reference-segfault]$ php --version
PHP 5.6.23 (cli) (built: Jun 22 2016 08:56:52) 
Copyright (c) 1997-2016 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2016 Zend Technologies
[boxkeeper@macaroon-dev php-circular-reference-segfault]$
 [2016-07-14 15:56 UTC] dmitry@php.net
Got it. It's reproducible on PHP-5.* with opcache disabled.

$ USE_ZEND_ALLOC=0 valgrind php5.6/CGI-DEBUG/sapi/cli/php -n bug72286.php

==9892== Invalid read of size 4
==9892==    at 0x8642AC4: zend_std_object_get_class (zend_object_handlers.c:1528)
==9892==    by 0x86159DD: zend_get_class_entry (zend_API.c:238)
==9892==    by 0x863E671: zend_std_get_debug_info (zend_object_handlers.c:140)
==9892==    by 0x84D26C7: php_var_dump (var.c:129)
==9892==    by 0x84D29EA: zif_var_dump (var.c:183)
==9892==    by 0x8649A92: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:558)
==9892==    by 0x864E037: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:2602)
==9892==    by 0x864936C: execute_ex (zend_vm_execute.h:363)
==9892==    by 0x86493CD: zend_execute (zend_vm_execute.h:388)
==9892==    by 0x86048E1: zend_call_function (zend_execute_API.c:829)
==9892==    by 0x862CD3F: zend_call_method (zend_interfaces.c:97)
==9892==    by 0x863DBDA: zend_objects_destroy_object (zend_objects.c:123)
==9892==  Address 0xffffffff is not stack'd, malloc'd or (recently) free'd

PHP-7.0 works fine.
 [2016-07-14 19:40 UTC] dmitry@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=1c84b55adea936b065a20102202bea3d1d243225
Log: Fixed bug #72286 (Segmentation fault During Garbage Collection)
 [2016-07-14 19:40 UTC] dmitry@php.net
-Status: Assigned +Status: Closed
 [2016-07-16 21:03 UTC] nikic@php.net
Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src.git;a=commit;h=171c759d791f809ebc31711fd0b0b5bb632cd2cc
Log: Revert "Fixed bug #72286 (Segmentation fault During Garbage Collection)"
 [2016-07-16 21:04 UTC] nikic@php.net
-Status: Closed +Status: Re-Opened
 [2016-07-16 21:04 UTC] nikic@php.net
Commit reverted due to segfaults.
 [2016-10-17 10:11 UTC] bwoebi@php.net
Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src.git;a=commit;h=171c759d791f809ebc31711fd0b0b5bb632cd2cc
Log: Revert "Fixed bug #72286 (Segmentation fault During Garbage Collection)"
 [2016-10-17 10:11 UTC] bwoebi@php.net
-Status: Re-Opened +Status: Closed
 [2016-10-17 10:11 UTC] bwoebi@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=1c84b55adea936b065a20102202bea3d1d243225
Log: Fixed bug #72286 (Segmentation fault During Garbage Collection)
 [2016-10-17 13:27 UTC] nikic@php.net
-Status: Closed +Status: Re-Opened
 [2016-10-17 13:27 UTC] nikic@php.net
Someone messed up the repo again, reopening.
 [2017-01-02 14:07 UTC] nikic@php.net
-Status: Re-Opened +Status: Closed
 [2017-01-02 14:07 UTC] nikic@php.net
Closing this bug, as the issue is fixed in PHP 7.0 and PHP 5.6 is going out of active support.
 [2017-04-25 08:00 UTC] olivierberaud at free dot fr
PHP Version is 5.6.30
I just launched your segfault.php script and got:

Array
(
    [0] => Core
    [1] => date
    [2] => ereg
    [3] => libxml
    [4] => openssl
    [5] => pcre
    [6] => zlib
    [7] => bcmath
    [8] => bz2
    [9] => calendar
    [10] => ctype
    [11] => dba
    [12] => dom
    [13] => hash
    [14] => fileinfo
    [15] => filter
    [16] => ftp
    [17] => gettext
    [18] => SPL
    [19] => iconv
    [20] => mbstring
    [21] => pcntl
    [22] => session
    [23] => posix
    [24] => Reflection
    [25] => standard
    [26] => shmop
    [27] => SimpleXML
    [28] => soap
    [29] => sockets
    [30] => Phar
    [31] => exif
    [32] => sysvmsg
    [33] => sysvsem
    [34] => sysvshm
    [35] => tokenizer
    [36] => wddx
    [37] => xml
    [38] => xmlreader
    [39] => xmlwriter
    [40] => zip
    [41] => PDO
    [42] => curl
    [43] => gd
    [44] => json
    [45] => mcrypt
    [46] => mysql
    [47] => mysqli
    [48] => pdo_mysql
    [49] => readline
    [50] => ssh2
    [51] => xmlrpc
    [52] => mhash
)
string(24) "we are about to segfault"
string(15) "segfaults here:"
Segmentation fault (core dumped)
Last updated: Fri Oct 11 22:01:45 2024 UTC