Bug #73684 Can be segmentation fault
Submitted: 2016-12-08 11:58 UTC Modified: 2016-12-08 14:11 UTC
From: deepvavar at mail dot ru Assigned:
Status: Duplicate Package: Scripting Engine problem
PHP Version: Irrelevant OS: All
Private report: No CVE-ID: None
 [2016-12-08 11:58 UTC] deepvavar at mail dot ru
Description:
------------
Can be segmentation fault

Test script:
---------------
<?php

class a
{
    // Returns a fresh b whose back-reference points at this a.
    public function getNewB()
    {
        $b = new b();
        $b->a = $this;
        return $b;
    }
}
class b
{
    public $a = null;
    public $b = null;
}
class x
{
    public static $a = null;
    public static $b = null;
    public static function foo()
    {
        self::$a = new a();
        self::$b = self::$a->getNewB();
        self::bar(self::$b);
    }
    // Appends a new b to the chain and recurses on it with no base case:
    // the recursion is unbounded, so each call consumes more stack and heap.
    public static function bar($b)
    {
        $b->b = self::$a->getNewB();
        self::bar($b->b);
    }
}
x::foo();

Expected result:
----------------
Without segfault

Actual result:
--------------
~$ php test.php 
Segmentation fault
~$ php -v
PHP 5.6.22-0+deb8u1 (cli) (built: Jun 13 2016 07:55:54) 
Copyright (c) 1997-2016 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2016 Zend Technologies
    with Zend OPcache v7.0.6-dev, Copyright (c) 1999-2016, by Zend Technologies
~$ cat /etc/debian_version 
8.5

------------------------------------------

Fatal error: Maximum function nesting level of '100' reached, aborting!
Windows, php 5.4

------------------------------------------

> php test.php 
fish: “php test.php” terminated by signal SIGSEGV (Address boundary error)
> php -version
PHP 5.6.28 (cli) (built: Nov  9 2016 07:56:15) 
Copyright (c) 1997-2016 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2016 Zend Technologies

------------------------------------------

# php t.php

Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 130968 bytes) in /t.php on line 29
# php -v
PHP 5.6.28 (cli) (built: Dec  6 2016 22:12:29) 
Copyright (c) 1997-2016 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2016 Zend Technologies

With php 7.1: Fatal error: Allowed memory size

------------------------------------------

~$ php test.php
Segmentation fault
~$ php -v
PHP 7.0.13-2 (cli) ( NTS )
Copyright (c) 1997-2016 The PHP Group
Zend Engine v3.0.0, Copyright (c) 1998-2016 Zend Technologies
    with Zend OPcache v7.0.13-2, Copyright (c) 1999-2016, by Zend Technologies

------------------------------------------

$ php test.php 
Segmentation fault
$ php -v
PHP 7.0.8-0ubuntu0.16.04.3 (cli) ( NTS )
Copyright (c) 1997-2016 The PHP Group
Zend Engine v3.0.0, Copyright (c) 1998-2016 Zend Technologies
    with Zend OPcache v7.0.8-0ubuntu0.16.04.3, Copyright (c) 1999-2016, by Zend Technologies

 [2016-12-08 12:57 UTC] cmb@php.net
-Status: Open +Status: Not a bug -Package: *General Issues +Package: Scripting Engine problem -Assigned To: +Assigned To: cmb
 [2016-12-08 12:57 UTC] cmb@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

    public static function bar($b)
    {
        $b->b = self::$a->getNewB();
        self::bar($b->b);
    }

causes infinite recursion, which is considered a programming error[1]. The fact that the script terminates differently is caused by different settings. On your Windows PHP 5.4 there is Xdebug enabled, for instance.

[1] <http://php.net/manual/en/functions.user-defined.php#example-130>
 [2016-12-08 13:16 UTC] thisisabug at server dot com
This is a bug, because the OS kills the php process for an incorrect write to memory.
 [2016-12-08 13:29 UTC] cmb@php.net
Yes, this is a bug, but it is not a bug in PHP, but rather in the supplied reproduce script.
 [2016-12-08 13:56 UTC] thisisabug at server dot com
This is a php bug, because php is trying to write data with an incorrect pointer or incorrect size. Xdebug/etc. is just a limiter. Without xdebug it can segfault. But maybe (as you see) this issue is not present for all php versions/packages.
 [2016-12-08 14:03 UTC] cmb@php.net
-Status: Not a bug +Status: Re-Opened -Assigned To: cmb +Assigned To:
 [2016-12-08 14:03 UTC] cmb@php.net
Well, simplified reproduce script:

  <?php
  function foo() {
    foo();
  }
  foo();

Crashes all PHP versions.

Anyway, as you insist this is a bug in PHP, I'm re-opening.
 [2016-12-08 14:11 UTC] nikic@php.net
-Status: Re-Opened +Status: Duplicate
 [2016-12-08 14:11 UTC] nikic@php.net
This is a well-known issue, we probably have 100s of duplicates about this. E.g. #72568 for interaction with pthreads, but there are many others around for specific cases. This usually occurs either with magic methods or if you have extensions loaded that hook into the function call process.

We know this issue exists and there is no concrete plan to fix it. We don't want to introduce recursion limits (though if someone is sufficiently interested in this, an RFC might convince people about this) and more direct means of detecting stack overflows are heavily system dependent.

We may want to improve our support for fcall hooks to enable more extensions to operate without need to reenter the VM. This may also improve performance of profilers and debuggers, but would likely come at a cost for the case where no such extension is used.
 [2016-12-08 14:38 UTC] thisisabug at server dot com
I don't want to introduce recursion limits.

This code:

    public static function bar($b, $i = 0)
    {
        if ($i == 15396) {
            return;
        }
        $b->b = self::$a->getNewB();
        self::bar($b->b, ++$i);
    }

Reports a memory limit problem. This is the last good value. For $i == 15397 I get a segfault. Doesn't php check for availability of the memory (what malloc/calloc/realloc return) or the (position) pointer? I don't believe it.

Ok.

What can I do to fix or check it? I just want the expected behaviour.
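The thread above shows that an unbounded recursive call in user code ends in a segfault, a memory_limit fatal, or an Xdebug nesting error depending on the build, and that the engine itself does not guard the C stack. The following is an added example, not code from the bug report or from the PHP project: it builds the same a/b object chain as the reproduce script but keeps the depth under the caller's control, either with an explicit depth guard that fails with a catchable exception, or with a loop that never recurses at all. The class names match the reproduce script; the MAX_DEPTH value, the chainLength() helper and the method names barBounded()/barIterative() are assumptions for illustration. The syntax targets PHP 7.0 (scalar type hints, no typed properties) so it runs on the versions discussed in the thread.

```php
<?php
// Added example (not from the bug report or the PHP project): the a/b chain
// from the reproduce script, built without unbounded recursion.

class a
{
    public function getNewB()
    {
        $b = new b();
        $b->a = $this;   // back-reference, as in the original script
        return $b;
    }
}

class b
{
    public $a = null;
    public $b = null;
}

class x
{
    // Hypothetical cap on recursion depth chosen for the example; it sits far
    // below the ~15k frames at which the reporter's 128M memory_limit ran out.
    const MAX_DEPTH = 1000;

    public static $a = null;
    public static $b = null;

    // Build a chain of $count links using the guarded recursive variant.
    public static function fooBounded(int $count)
    {
        self::$a = new a();
        self::$b = self::$a->getNewB();
        self::barBounded(self::$b, $count, 0);
        return self::$b;
    }

    // Build a chain of $count links without any recursion.
    public static function fooIterative(int $count)
    {
        self::$a = new a();
        self::$b = self::$a->getNewB();
        self::barIterative(self::$b, $count);
        return self::$b;
    }

    // Recursive variant with two exits: a real base case ($remaining) and a
    // hard depth guard that throws instead of exhausting the C stack.
    public static function barBounded(b $b, int $remaining, int $depth)
    {
        if ($depth >= self::MAX_DEPTH) {
            throw new RuntimeException(
                'recursion depth limit of ' . self::MAX_DEPTH . ' reached');
        }
        if ($remaining === 0) {
            return;
        }
        $b->b = self::$a->getNewB();
        self::barBounded($b->b, $remaining - 1, $depth + 1);
    }

    // Iterative variant: identical resulting object graph, constant stack use.
    public static function barIterative(b $b, int $count)
    {
        $cur = $b;
        for ($i = 0; $i < $count; $i++) {
            $cur->b = self::$a->getNewB();
            $cur = $cur->b;
        }
    }
}

// Helper (assumed, not on the page): number of b objects reachable via ->b.
function chainLength(b $b): int
{
    $n = 0;
    for ($cur = $b; $cur !== null; $cur = $cur->b) {
        $n++;
    }
    return $n;
}

// 500 links is under MAX_DEPTH, so the guarded recursion completes.
echo chainLength(x::fooBounded(500)), "\n";      // 501 (root + 500 links)

// 5000 links exceeds MAX_DEPTH: the guard turns a crash into an exception.
try {
    x::fooBounded(5000);
} catch (RuntimeException $e) {
    echo 'caught: ', $e->getMessage(), "\n";
}

// The iterative builder handles the same 5000 links with no recursion at all.
echo chainLength(x::fooIterative(5000)), "\n";   // 5001
```

The guard in barBounded() is the user-land equivalent of the limit the engine maintainers decline to add globally: it converts stack exhaustion into an ordinary exception that a caller can catch and log. The iterative form is the stronger fix where the recursion only threads a cursor through a linked structure, since it removes the failure mode instead of bounding it; the resulting object graph is the same, so chainLength() returns the expected count for both.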