|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #74702 segfault in gc_zval_possible_root()
Submitted: 2017-06-06 21:03 UTC Modified: 2017-08-12 19:06 UTC
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: brian dot carpenter at gmail dot com Assigned:
Status: Wont fix Package: Reproducible crash
PHP Version: 5.6.30 OS: Debian 8 x64
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Bug Type:
From: brian dot carpenter at gmail dot com
New email:
PHP Version: OS:


 [2017-06-06 21:03 UTC] brian dot carpenter at gmail dot com
The attached script crashes PHP 5.6.30.

Test script:
class bad{function t(){$h[]=0;}function __destruct(){global$bar;$bar=$this;}}$foo->f=$foo=$d=new bad;unserialize(serialize($foo));gc_collect_cycles();

Expected result:
No crash.

Actual result:
==12586==ERROR: AddressSanitizer: SEGV on unknown address 0x100139182d88 (pc 0x00000198aad7 sp 0x7fffc2f3a1c0 bp 0x7fe67d2d1840 T0)
    #0 0x198aad6 in gc_zval_possible_root /root/php-5.6.30/Zend/zend_gc.c:143
    #1 0x19019d6 in zend_hash_destroy /root/php-5.6.30/Zend/zend_hash.c:548
    #2 0x19b32da in zend_object_std_dtor /root/php-5.6.30/Zend/zend_objects.c:44
    #3 0x19b3650 in zend_objects_free_object_storage /root/php-5.6.30/Zend/zend_objects.c:137
    #4 0x19e201a in zend_objects_store_del_ref_by_handle_ex /root/php-5.6.30/Zend/zend_objects_API.c:226
    #5 0x19e25b5 in zend_objects_store_del_ref /root/php-5.6.30/Zend/zend_objects_API.c:178
    #6 0x18162c7 in _zval_dtor /root/php-5.6.30/Zend/zend_variables.h:35
    #7 0x18162c7 in i_zval_ptr_dtor /root/php-5.6.30/Zend/zend_execute.h:79
    #8 0x18162c7 in _zval_ptr_dtor /root/php-5.6.30/Zend/zend_execute_API.c:424
    #9 0x1906e8e in i_zend_hash_bucket_delete /root/php-5.6.30/Zend/zend_hash.c:182
    #10 0x1906e8e in zend_hash_bucket_delete /root/php-5.6.30/Zend/zend_hash.c:192
    #11 0x1906e8e in zend_hash_reverse_apply /root/php-5.6.30/Zend/zend_hash.c:733
    #12 0x1817940 in shutdown_destructors /root/php-5.6.30/Zend/zend_execute_API.c:214
    #13 0x1898593 in zend_call_destructors /root/php-5.6.30/Zend/zend.c:944
    #14 0x15d2974 in php_request_shutdown /root/php-5.6.30/main/main.c:1840
    #15 0x1e68480 in do_cli /root/php-5.6.30/sapi/cli/php_cli.c:1181
    #16 0x456468 in main /root/php-5.6.30/sapi/cli/php_cli.c:1382
    #17 0x7fe67ae0cb44 in __libc_start_main (/lib/x86_64-linux-gnu/
    #18 0x45730e (/root/php-5.6.30/sapi/cli/php+0x45730e)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/php-5.6.30/Zend/zend_gc.c:143 gc_zval_possible_root


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2017-06-07 10:19 UTC] andrew dot nester dot dev at gmail dot com
Since PHP 5.6+ supports only security fixes and this issue is not reproducible in PHP 7+ I guess this issue should be closed as `won't fix`
 [2017-08-12 19:06 UTC]
-Status: Open +Status: Wont fix
 [2017-08-12 19:06 UTC]
Right. There's one variation of this issue that still exists in PHP 7, but that's tracked in bug #72530.
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Apr 16 10:01:29 2024 UTC