Bug #72829 SegFault When Leaving a Loop that Creates an Array of Objects
Submitted: 2016-08-13 22:12 UTC Modified: 2016-08-14 12:25 UTC
From: Chad dot Sikorra at gmail dot com Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 7.1.0beta2 OS: Ubuntu 16.04
Private report: No CVE-ID: None
 [2016-08-13 22:12 UTC] Chad dot Sikorra at gmail dot com
Description:
------------
Just starting with PHP 7.1 beta2 (this did not happen in beta1), some tests for a library I maintain started to segfault in the same exact location. I narrowed the spot down to a loop that creates an array of objects. However, it isn't a specific part of my code causing the segfault, as it happens just as the loop exits and before my method returns.

The loop it fails directly after:

https://github.com/ldaptools/ldaptools/blob/master/src/LdapTools/Schema/Parser/SchemaYamlParser.php#L111

The backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000898ac3 in zval_addref_p (pz=0x7fffec1f7ca0) at /home/chad/trace/php-src/Zend/zend_types.h:829
829		return ++GC_REFCOUNT(Z_COUNTED_P(pz));
(gdb) bt
#0  0x0000000000898ac3 in zval_addref_p (pz=0x7fffec1f7ca0) at /home/chad/trace/php-src/Zend/zend_types.h:829
#1  0x00000000008aab6f in zif_array_column (execute_data=0x7fffec616dd0, return_value=0x7fffec616d40) at /home/chad/trace/php-src/ext/standard/array.c:3607
#2  0x0000000000a76ae1 in ZEND_DO_FCALL_BY_NAME_SPEC_RETVAL_USED_HANDLER () at /home/chad/trace/php-src/Zend/zend_vm_execute.h:876
#3  0x0000000000a758c6 in execute_ex (ex=0x7fffec616570) at /home/chad/trace/php-src/Zend/zend_vm_execute.h:429
#4  0x00000000009faa6a in zend_call_function (fci=0x7fffffff9e70, fci_cache=0x7fffffff9e40) at /home/chad/trace/php-src/Zend/zend_execute_API.c:837
#5  0x00000000008b8b41 in zif_call_user_func_array (execute_data=0x7fffec616500, return_value=0x7fffec616480)
    at /home/chad/trace/php-src/ext/standard/basic_functions.c:4844
#6  0x0000000000a76ae1 in ZEND_DO_FCALL_BY_NAME_SPEC_RETVAL_USED_HANDLER () at /home/chad/trace/php-src/Zend/zend_vm_execute.h:876
#7  0x0000000000a758c6 in execute_ex (ex=0x7fffec6160b0) at /home/chad/trace/php-src/Zend/zend_vm_execute.h:429
#8  0x00000000009faa6a in zend_call_function (fci=0x7fffffffa120, fci_cache=0x7fffffffa0f0) at /home/chad/trace/php-src/Zend/zend_execute_API.c:837
#9  0x00000000008b8b41 in zif_call_user_func_array (execute_data=0x7fffec616040, return_value=0x7fffec616010)
    at /home/chad/trace/php-src/ext/standard/basic_functions.c:4844
#10 0x0000000000a76ae1 in ZEND_DO_FCALL_BY_NAME_SPEC_RETVAL_USED_HANDLER () at /home/chad/trace/php-src/Zend/zend_vm_execute.h:876
#11 0x0000000000a758c6 in execute_ex (ex=0x7fffec615f00) at /home/chad/trace/php-src/Zend/zend_vm_execute.h:429
#12 0x00000000009faa6a in zend_call_function (fci=0x7fffffffa410, fci_cache=0x7fffffffa3e0) at /home/chad/trace/php-src/Zend/zend_execute_API.c:837
#13 0x0000000000838b0b in zim_reflection_method_invokeArgs (execute_data=0x7fffec615e90, return_value=0x7fffffffa480)
    at /home/chad/trace/php-src/ext/reflection/php_reflection.c:3379
#14 0x0000000000a76f71 in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER () at /home/chad/trace/php-src/Zend/zend_vm_execute.h:970
#15 0x0000000000a758c6 in execute_ex (ex=0x7fffec614030) at /home/chad/trace/php-src/Zend/zend_vm_execute.h:429
#16 0x0000000000a759d7 in zend_execute (op_array=0x7fffec686000, return_value=0x0) at /home/chad/trace/php-src/Zend/zend_vm_execute.h:474
#17 0x0000000000a12cd4 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/chad/trace/php-src/Zend/zend.c:1447
#18 0x0000000000979191 in php_execute_script (primary_file=0x7fffffffcb40) at /home/chad/trace/php-src/main/main.c:2533
#19 0x0000000000afaa8a in do_cli (argc=4, argv=0x1460700) at /home/chad/trace/php-src/sapi/cli/php_cli.c:990
#20 0x0000000000afbc5d in main (argc=4, argv=0x1460700) at /home/chad/trace/php-src/sapi/cli/php_cli.c:1378

 [2016-08-14 06:35 UTC] laruence@php.net
-Status: Open +Status: Feedback
 [2016-08-14 06:35 UTC] laruence@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.


 [2016-08-14 08:36 UTC] nikic@php.net
I suspect that PHP 7 beta2 was branched off while array_column() was completely broken (array was not properly initialized). Can you check if just using the current snapshot already fixes the issue?
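A minimal script of the shape the report describes, added here as an illustration and not taken from the reporter's library or from php-src: a loop builds an array of objects and array_column() (frame #1 in the backtrace) is then called over them, with explicit checks so that a fixed build reports success instead of silently passing. The class name SchemaObject, the helper buildObjects() and the element count are constructed for this example.

```php
<?php
// Constructed example: objects with public properties, built in a loop,
// then passed to array_column(), the function that crashed in beta2.
// On a fixed PHP-7.1 build the script prints "OK"; on a build with the
// uninitialised result array it would instead fault inside zif_array_column().

final class SchemaObject
{
    public $name;
    public $value;

    public function __construct(string $name, int $value)
    {
        $this->name  = $name;
        $this->value = $value;
    }
}

// Build the array of objects inside a loop, as in the report.
function buildObjects(int $count): array
{
    $objects = [];
    for ($i = 0; $i < $count; $i++) {
        $objects[] = new SchemaObject("attr$i", $i);
    }
    return $objects;
}

$count   = 1000;
$objects = buildObjects($count);

// array_column() reads public properties of objects since PHP 7.0.
$names  = array_column($objects, 'name');           // list of names
$byName = array_column($objects, 'value', 'name');  // value keyed by name

// Verify the result instead of only surviving the call.
if (count($names) !== $count || $names[$count - 1] !== 'attr' . ($count - 1)) {
    throw new RuntimeException('array_column() returned an incomplete list');
}
if (!isset($byName['attr42']) || $byName['attr42'] !== 42) {
    throw new RuntimeException('array_column() mis-keyed the result');
}

echo "OK: array_column() over $count objects\n";
?>
```

Run it with the CLI binary under test (for example under gdb, as the reporter did) to get a self-contained reproduction that needs no external library or test framework.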
 [2016-08-14 12:24 UTC] Chad dot Sikorra at gmail dot com
-Status: Feedback +Status: Open
 [2016-08-14 12:24 UTC] Chad dot Sikorra at gmail dot com
Yep, I just confirmed it's working now. I recompiled based off the PHP-7.1 branch and now it works fine. Guess this can be closed. Thanks for checking this!
 [2016-08-14 12:25 UTC] Chad dot Sikorra at gmail dot com
-Status: Open +Status: Closed
 [2016-08-14 12:25 UTC] Chad dot Sikorra at gmail dot com
Marking as closed.