Bug #73989 PHP 7.1 Segfaults within Symfony test suite
Submitted: 2017-01-25 00:20 UTC Modified: 2017-02-13 11:30 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: maxime dot steinhausser at gmail dot com Assigned: laruence (profile)
Status: Closed Package: *General Issues
PHP Version: 7.1Git-2017-01-24 (Git) OS: OS X 10.12.2
Private report: No CVE-ID: None
 [2017-01-25 00:20 UTC] maxime dot steinhausser at gmail dot com
Description:
------------
Hi,

As reported in https://github.com/symfony/symfony/issues/21349, we encounter segfaults when trying to run the Symfony SecurityBundle test suite on master branch, after a particular commit (7497f1c), using php 7.1.0 or 7.1.1 (tested on several OS X hosts).
Everything seems to be fine before this commit.

See following output and backtrace I get from a freshly compiled 7.1.1 PHP version with the `--enable-debug` option.

Actual result:
--------------
PHPUnit 5.7.6 by Sebastian Bergmann and contributors.

Testing src/Symfony/Bundle/SecurityBundle/
...............................................................  63 / 139 ( 45%)
..................Assertion failed: (((zend_object*)func->op_array.prototype)->gc.u.v.type == 8), function zend_call_function, file zend_execute_API.c, line 818.

---

Backtrace with lldb:

Executable module set to "/usr/local/mac-dev-env/php-7.1.0/bin/php".
Architecture set to: x86_64h-apple-macosx.
(lldb) continue
Process 25678 resuming
Process 25678 stopped
* thread #1: tid = 0xc72afd, 0x00007fffaa6e3dd6 libsystem_kernel.dylib`__pthread_kill + 10, queue = 'com.apple.main-thread', stop reason = signal SIGABRT
    frame #0: 0x00007fffaa6e3dd6 libsystem_kernel.dylib`__pthread_kill + 10
libsystem_kernel.dylib`__pthread_kill:
->  0x7fffaa6e3dd6 <+10>: jae    0x7fffaa6e3de0            ; <+20>
    0x7fffaa6e3dd8 <+12>: movq   %rax, %rdi
    0x7fffaa6e3ddb <+15>: jmp    0x7fffaa6dccdf            ; cerror_nocancel
    0x7fffaa6e3de0 <+20>: retq   
(lldb) bt
* thread #1: tid = 0xc72afd, 0x00007fffaa6e3dd6 libsystem_kernel.dylib`__pthread_kill + 10, queue = 'com.apple.main-thread', stop reason = signal SIGABRT
  * frame #0: 0x00007fffaa6e3dd6 libsystem_kernel.dylib`__pthread_kill + 10
    frame #1: 0x00007fffaa7cf787 libsystem_pthread.dylib`pthread_kill + 90
    frame #2: 0x00007fffaa649420 libsystem_c.dylib`abort + 129
    frame #3: 0x00007fffaa610893 libsystem_c.dylib`__assert_rtn + 320
    frame #4: 0x00000001053b730d php`zend_call_function(fci=0x00007fff5af146b8, fci_cache=0x00007fff5af145e0) + 2541 at zend_execute_API.c:818
    frame #5: 0x00000001053b6917 php`_call_user_function_ex(object=0x0000000000000000, function_name=0x000000010601fdd0, retval_ptr=0x000000010601fd80, param_count=5, params=0x000000010601fe00, no_separation=1) + 215 at zend_execute_API.c:672
    frame #6: 0x0000000105414647 php`zim_Closure___invoke(execute_data=0x000000010601fdb0, return_value=0x000000010601fd80) + 135 at zend_closures.c:57
    frame #7: 0x0000000105468298 php`ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER(execute_data=0x000000010601fcd0) + 936 at zend_vm_execute.h:1097
    frame #8: 0x000000010543bbb4 php`execute_ex(ex=0x000000010601fcd0) + 100 at zend_vm_execute.h:432
    frame #9: 0x00000001053b73bb php`zend_call_function(fci=0x00007fff5af14b00, fci_cache=0x00007fff5af14a70) + 2715 at zend_execute_API.c:828
    frame #10: 0x00000001054041c2 php`zend_call_method(object=0x00007fff5af14c48, obj_ce=0x0000000107c55678, fn_proxy=0x00007fff5af14c60, function_name="__destruct", function_name_len=10, retval_ptr=0x0000000000000000, param_count=0, arg1=0x0000000000000000, arg2=0x0000000000000000) + 1234 at zend_interfaces.c:101
    frame #11: 0x0000000105429ea7 php`zend_objects_destroy_object(object=0x0000000106917600) + 839 at zend_objects.c:156
    frame #12: 0x00000001054124c6 php`zend_gc_collect_cycles + 534 at zend_gc.c:1114
    frame #13: 0x0000000105411ffc php`gc_possible_root(ref=0x0000000107991000) + 524 at zend_gc.c:293
    frame #14: 0x00000001054d8112 php`zend_object_release(obj=0x0000000107991000) + 98 at zend_objects_API.h:80
    frame #15: 0x00000001054e21a7 php`zend_leave_helper_SPEC(execute_data=0x000000010601fc40) + 231 at zend_vm_execute.h:497
    frame #16: 0x0000000105468885 php`ZEND_RETURN_SPEC_CONST_HANDLER(execute_data=0x000000010601fc40) + 213 at zend_vm_execute.h:2909
    frame #17: 0x000000010543bbb4 php`execute_ex(ex=0x000000010601d670) + 100 at zend_vm_execute.h:432
    frame #18: 0x00000001053b73bb php`zend_call_function(fci=0x00007fff5af15108, fci_cache=0x00007fff5af150e0) + 2715 at zend_execute_API.c:828
    frame #19: 0x000000010510b941 php`reflection_method_invoke(execute_data=0x000000010601d600, return_value=0x000000010601d2b0, variadic=0) + 1809 at php_reflection.c:3325
    frame #20: 0x000000010510babf php`zim_reflection_method_invokeArgs(execute_data=0x000000010601d600, return_value=0x000000010601d2b0) + 31 at php_reflection.c:3361
    frame #21: 0x0000000105468298 php`ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER(execute_data=0x000000010601d0b0) + 936 at zend_vm_execute.h:1097

---

frame #4: 0x00000001053b730d php`zend_call_function(fci=0x00007fff5af146b8, fci_cache=0x00007fff5af145e0) + 2541 at zend_execute_API.c:818
   815          }
   816  
   817          if (UNEXPECTED(func->op_array.fn_flags & ZEND_ACC_CLOSURE)) {
-> 818                  ZEND_ASSERT(GC_TYPE((zend_object*)func->op_array.prototype) == IS_OBJECT);
   819                  GC_REFCOUNT((zend_object*)func->op_array.prototype)++;
   820                  ZEND_ADD_CALL_FLAG(call, ZEND_CALL_CLOSURE);
   821          }
(lldb) down


History

 [2017-02-10 09:14 UTC] laruence@php.net
-Assigned To: +Assigned To: laruence
 [2017-02-10 09:14 UTC] laruence@php.net
this is a complicated bug, relates to gc additional_buffers implementation limit....

I need more time to think... :<
 [2017-02-10 09:18 UTC] laruence@php.net
a simple reproduce script is:
<?php
// Object whose closure captures $this, creating a reference cycle
// ($this -> $thing closure -> $obj -> $this) that only the cycle
// collector can free. The destructor invokes that closure.
class Cycle
{
    private $thing;

    public function __construct()
    {
        $obj = $this;
        $this->thing = function() use($obj) {};
    }

    public function __destruct()
    {
        ($this->thing)();   // runs while the GC is tearing down the cycle
    }

}

// Create enough garbage cycles to fill the GC root buffer and trigger collection.
for ($i = 0; $i < 10000; ++$i) {
    $obj = new Cycle();
}
echo "OK\n";
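Added example, not part of the bug report or of php-src: a variant of the reproduce script above that forces cycle collection explicitly with gc_collect_cycles() instead of waiting for the root buffer to fill, so the destructor is guaranteed to run from inside zend_gc_collect_cycles(), the frame shown in the backtrace. The iteration count and the function name makeCycles are assumptions; whether a given build trips the assertion still depends on the GC buffer state the comment refers to, so this complements the original loop as a quick check of a patched binary rather than replacing it.

```php
<?php
// Added example (constructed for this page, not the reporter's or laruence's code).
// Same cycle shape as the reproduce script: $this -> closure -> captured $obj -> $this.

final class Cycle
{
    /** @var Closure */
    private $thing;

    public function __construct()
    {
        $obj = $this;
        $this->thing = function () use ($obj) {
            // Touch the captured object so the closure body is not empty.
            return spl_object_hash($obj);
        };
    }

    public function __destruct()
    {
        // Invoking the closure here dereferences op_array.prototype
        // (the Closure object) while the collector is freeing the cycle.
        ($this->thing)();
    }
}

// Hypothetical helper: build $count garbage cycles. Each reassignment drops the
// previous Cycle's refcount to 1 (held only by its own closure), which registers
// it as a possible GC root.
function makeCycles(int $count): void
{
    for ($i = 0; $i < $count; ++$i) {
        $obj = new Cycle();
    }
    // $obj leaves scope here; every Cycle is now reachable only through its own closure.
}

echo 'PHP ', PHP_VERSION, PHP_EOL;
gc_enable();
makeCycles(10000);                  // assumed count, matches the original script
$freed = gc_collect_cycles();       // destructors run from within the collector
printf("gc_collect_cycles() reported %d\n", $freed);
echo "OK\n";                        // only reached if no assertion/segfault occurred
```

On an affected debug build the assertion in zend_call_function fires before the final "OK"; on a build carrying the linked fix the script prints the version, the collector's count and "OK".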
 [2017-02-10 17:24 UTC] maxime dot steinhausser at gmail dot com
Thanks for the update.
Note that the reproduce script you wrote does reproduce the issue using PHP 7.1.1, but doesn't with PHP 7.1.0. So it might not be the only issue, as the Symfony test suite actually fails for this version too.
 [2017-02-11 04:40 UTC] laruence@php.net
yes, they are a series of problems, but all caused by the same root reason.
 [2017-02-11 05:36 UTC] laruence@php.net
a fix could be: https://gist.github.com/laruence/5c529dd63ed41b7f0621a5858fba662e

if you have time, you could test with it. I am not very satisfied with it (change to global struct). Will keep thinking about it later.
 [2017-02-12 14:15 UTC] maxime dot steinhausser at gmail dot com
I confirm your fix is working :)
 [2017-02-13 11:30 UTC] laruence@php.net
-Status: Assigned +Status: Closed
 [2017-02-13 11:30 UTC] laruence@php.net
fix has been committed: https://github.com/php/php-src/commit/391735053181f3d166e4ebb58cf04a8acf3d1724

thanks for reporting

(PS, don't know why the bug entry cannot be closed automatically now?)
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sun Nov 19 01:31:42 2017 UTC