Bug #76050 Segfault in new GC implementation
Submitted: 2018-03-05 12:52 UTC Modified: 2018-03-05 17:31 UTC
Votes:1
Avg. Score:4.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: kelunik@php.net Assigned: dmitry (profile)
Status: Closed Package: Reproducible crash
PHP Version: master-Git-2018-03-05 (Git) OS: Linux
Private report: No CVE-ID: None
 [2018-03-05 12:52 UTC] kelunik@php.net
Description:
------------
Seems like the new GC implementation isn't entirely free of bugs, yet.

I'm getting segfaults in various situations, but haven't been able to write a minimal script, yet.

Running any `composer update` 100% reproduces the problem for me, though.

Expected result:
----------------
No segfault.

Actual result:
--------------
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007f0b1d193f5d in __GI_abort () at abort.c:90
#2  0x00007f0b1d189f17 in __assert_fail_base (fmt=<optimized out>, 
    assertion=assertion@entry=0x55c617b01629 "addr", 
    file=file@entry=0x55c617b014b8 "/home/kelunik/.php-build/release/Zend/zend_gc.c", 
    line=line@entry=602, 
    function=function@entry=0x55c617b016b0 <__PRETTY_FUNCTION__.10643> "gc_remove_from_buffer") at assert.c:92
#3  0x00007f0b1d189fc2 in __GI___assert_fail (assertion=0x55c617b01629 "addr", 
    file=0x55c617b014b8 "/home/kelunik/.php-build/release/Zend/zend_gc.c", line=602, 
    function=0x55c617b016b0 <__PRETTY_FUNCTION__.10643> "gc_remove_from_buffer")
    at assert.c:101
#4  0x000055c6172b3a17 in gc_remove_from_buffer (ref=0x7f0b08c10820)
    at /home/kelunik/.php-build/release/Zend/zend_gc.c:602
#5  0x000055c6172d089e in zend_objects_store_del (object=0x7f0b08c10820)
    at /home/kelunik/.php-build/release/Zend/zend_objects_API.c:193
#6  0x000055c61727784d in zend_object_destroy_wrapper (obj=0x7f0b08c10820, 
    __zend_filename=0x55c617b03598 "/home/kelunik/.php-build/release/Zend/zend_objects.c", 
    __zend_lineno=146868256) at /home/kelunik/.php-build/release/Zend/zend_variables.c:96
#7  0x000055c61727769a in _zval_dtor_func (p=0x7f0b08c10820, 
    __zend_filename=0x55c617b03598 "/home/kelunik/.php-build/release/Zend/zend_objects.c", 
    __zend_lineno=57) at /home/kelunik/.php-build/release/Zend/zend_variables.c:67
#8  0x000055c6172c9391 in i_zval_ptr_dtor (zval_ptr=0x7f0b07ac02c8, 
    __zend_filename=0x55c617b03598 "/home/kelunik/.php-build/release/Zend/zend_objects.c", 
    __zend_lineno=57) at /home/kelunik/.php-build/release/Zend/zend_variables.h:49
#9  0x000055c6172c9523 in zend_object_std_dtor (object=0x7f0b07ac0280)
    at /home/kelunik/.php-build/release/Zend/zend_objects.c:57
#10 0x000055c6172d0851 in zend_objects_store_del (object=0x7f0b07ac0280)
    at /home/kelunik/.php-build/release/Zend/zend_objects_API.c:188
#11 0x000055c61727784d in zend_object_destroy_wrapper (obj=0x7f0b07ac0280, 
    __zend_filename=0x55c617aac2d8 "/home/kelunik/.php-build/release/ext/spl/spl_dllist.c", 
    __zend_lineno=128713344) at /home/kelunik/.php-build/release/Zend/zend_variables.c:96
#12 0x000055c61727769a in _zval_dtor_func (p=0x7f0b07ac0280, 
    __zend_filename=0x55c617aac2d8 "/home/kelunik/.php-build/release/ext/spl/spl_dllist.c", 
    __zend_lineno=356) at /home/kelunik/.php-build/release/Zend/zend_variables.c:67
#13 0x000055c61725cef9 in i_zval_ptr_dtor (zval_ptr=0x7ffe38457400, 
    __zend_filename=0x55c617aac2d8 "/home/kelunik/.php-build/release/ext/spl/spl_dllist.c", 
    __zend_lineno=356) at /home/kelunik/.php-build/release/Zend/zend_variables.h:49
#14 0x000055c61725f26d in _zval_ptr_dtor (zval_ptr=0x7ffe38457400, 
    __zend_filename=0x55c617aac2d8 "/home/kelunik/.php-build/release/ext/spl/spl_dllist.c", 
    __zend_lineno=356) at /home/kelunik/.php-build/release/Zend/zend_execute_API.c:532
#15 0x000055c61703a111 in spl_dllist_object_free_storage (object=0x7f0b07aab660)
    at /home/kelunik/.php-build/release/ext/spl/spl_dllist.c:356
#16 0x000055c6172d0851 in zend_objects_store_del (object=0x7f0b07aab660)
    at /home/kelunik/.php-build/release/Zend/zend_objects_API.c:188
#17 0x000055c61727784d in zend_object_destroy_wrapper (obj=0x7f0b07aab660, 
    __zend_filename=0x55c617afea78 "/home/kelunik/.php-build/release/Zend/zend_hash.c", 
    __zend_lineno=128628320) at /home/kelunik/.php-build/release/Zend/zend_variables.c:96
#18 0x000055c61727769a in _zval_dtor_func (p=0x7f0b07aab660, 
    __zend_filename=0x55c617afea78 "/home/kelunik/.php-build/release/Zend/zend_hash.c", 
    __zend_lineno=1381) at /home/kelunik/.php-build/release/Zend/zend_variables.c:67
#19 0x000055c61728df6e in i_zval_ptr_dtor (zval_ptr=0x7f0b07902960, 
    __zend_filename=0x55c617afea78 "/home/kelunik/.php-build/release/Zend/zend_hash.c", 
    __zend_lineno=1381) at /home/kelunik/.php-build/release/Zend/zend_variables.h:49
#20 0x000055c61729277b in zend_array_destroy (ht=0x7f0b0cd723c0)
    at /home/kelunik/.php-build/release/Zend/zend_hash.c:1381
#21 0x000055c61727782b in zend_array_destroy_wrapper (arr=0x7f0b0cd723c0, 
    __zend_filename=0x55c617b03598 "/home/kelunik/.php-build/release/Zend/zend_objects.c", 
    __zend_lineno=215425984) at /home/kelunik/.php-build/release/Zend/zend_variables.c:91
#22 0x000055c61727769a in _zval_dtor_func (p=0x7f0b0cd723c0, 
    __zend_filename=0x55c617b03598 "/home/kelunik/.php-build/release/Zend/zend_objects.c", 
    __zend_lineno=57) at /home/kelunik/.php-build/release/Zend/zend_variables.c:67
#23 0x000055c6172c9391 in i_zval_ptr_dtor (zval_ptr=0x7f0b0cd72ce8, 
    __zend_filename=0x55c617b03598 "/home/kelunik/.php-build/release/Zend/zend_objects.c", 
    __zend_lineno=57) at /home/kelunik/.php-build/release/Zend/zend_variables.h:49
#24 0x000055c6172c9523 in zend_object_std_dtor (object=0x7f0b0cd72cc0)
    at /home/kelunik/.php-build/release/Zend/zend_objects.c:57
#25 0x000055c6172d0851 in zend_objects_store_del (object=0x7f0b0cd72cc0)
    at /home/kelunik/.php-build/release/Zend/zend_objects_API.c:188
#26 0x000055c61727784d in zend_object_destroy_wrapper (obj=0x7f0b0cd72cc0, 
    __zend_filename=0x55c617b03598 "/home/kelunik/.php-build/release/Zend/zend_objects.c", 
    __zend_lineno=215428288) at /home/kelunik/.php-build/release/Zend/zend_variables.c:96
#27 0x000055c61727769a in _zval_dtor_func (p=0x7f0b0cd72cc0, 
    __zend_filename=0x55c617b03598 "/home/kelunik/.php-build/release/Zend/zend_objects.c", 
    __zend_lineno=57) at /home/kelunik/.php-build/release/Zend/zend_variables.c:67
#28 0x000055c6172c9391 in i_zval_ptr_dtor (zval_ptr=0x7f0b1523c598, 
    __zend_filename=0x55c617b03598 "/home/kelunik/.php-build/release/Zend/zend_objects.c", 
    __zend_lineno=57) at /home/kelunik/.php-build/release/Zend/zend_variables.h:49
#29 0x000055c6172c9523 in zend_object_std_dtor (object=0x7f0b1523c500)
    at /home/kelunik/.php-build/release/Zend/zend_objects.c:57
#30 0x000055c6172d0851 in zend_objects_store_del (object=0x7f0b1523c500)
    at /home/kelunik/.php-build/release/Zend/zend_objects_API.c:188
#31 0x000055c61727784d in zend_object_destroy_wrapper (obj=0x7f0b1523c500, 
    __zend_filename=0x55c617b051c0 "/home/kelunik/.php-build/release/Zend/zend_execute.c", 
    __zend_lineno=354665728) at /home/kelunik/.php-build/release/Zend/zend_variables.c:96
#32 0x000055c61727769a in _zval_dtor_func (p=0x7f0b1523c500, 
    __zend_filename=0x55c617b051c0 "/home/kelunik/.php-build/release/Zend/zend_execute.c", 
    __zend_lineno=2371) at /home/kelunik/.php-build/release/Zend/zend_variables.c:67
#33 0x000055c6172e0401 in i_free_compiled_variables (execute_data=0x7f0b15e22470)
    at /home/kelunik/.php-build/release/Zend/zend_execute.c:2371
#34 0x000055c6172e25b5 in zend_leave_helper_SPEC ()
    at /home/kelunik/.php-build/release/Zend/zend_vm_execute.h:505
#35 0x000055c61730b2b8 in ZEND_RETURN_SPEC_TMP_HANDLER ()
    at /home/kelunik/.php-build/release/Zend/zend_vm_execute.h:17864
#36 0x000055c617357643 in execute_ex (ex=0x7f0b15e1f030)
    at /home/kelunik/.php-build/release/Zend/zend_vm_execute.h:56746
#37 0x000055c61735ab5f in zend_execute (op_array=0x7f0b15e83300, return_value=0x0)
    at /home/kelunik/.php-build/release/Zend/zend_vm_execute.h:60126
#38 0x000055c61727b8b1 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /home/kelunik/.php-build/release/Zend/zend.c:1541
#39 0x000055c6171ddb18 in php_execute_script (primary_file=0x7ffe38459f50)
    at /home/kelunik/.php-build/release/main/main.c:2467
#40 0x000055c61735d7f3 in do_cli (argc=3, argv=0x55c6193e3e90)
    at /home/kelunik/.php-build/release/sapi/cli/php_cli.c:1011
#41 0x000055c61735e9b1 in main (argc=3, argv=0x55c6193e3e90)
    at /home/kelunik/.php-build/release/sapi/cli/php_cli.c:1404

History

 [2018-03-05 13:55 UTC] dmitry@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: dmitry
 [2018-03-05 14:28 UTC] dmitry@php.net
The problem is caused by GC address compression that doesn't take into account the special meaning of the "zero" address.
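A constructed model of the mechanism this comment describes, added here as an illustration; it is not code from php-src. In the model, root-buffer slot indices are compressed with a modulo so they fit the address bits stored in the object, the value 0 is reserved to mean "not in the root buffer", and decompression walks idx, idx+MAX, idx+2*MAX, ... until it finds the slot that holds the object. The modulus MODEL_MAX_UNCOMPRESSED (kept small so the wrap is visible; the real GC_MAX_UNCOMPRESSED value is not on the page), the buffer layout and all helper names are assumptions; compress_fixed shows one way of keeping 0 reserved, not necessarily the fix the project adopted.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of root-buffer address compression, not php-src code.
 * MODEL_MAX_UNCOMPRESSED stands in for GC_MAX_UNCOMPRESSED; a small value is
 * used so that the wrap-around happens after a handful of objects. */
#define MODEL_MAX_UNCOMPRESSED 8u
#define MODEL_BUF_SIZE         64u
#define NOT_IN_BUFFER          0u   /* compressed address 0 means "not in the root buffer" */

typedef struct { uint32_t gc_addr; } refcounted;      /* stands in for the address bits in GC_INFO */
typedef struct { const refcounted *ref; } root_slot;

static root_slot gc_buf[MODEL_BUF_SIZE];
static uint32_t  first_unused;                         /* slot 0 is never handed out */

/* Plain modulo, as on the 'before' side of the hunk on this page: every index
 * that is a multiple of the modulus compresses to 0 and becomes
 * indistinguishable from NOT_IN_BUFFER. */
static uint32_t compress_buggy(uint32_t idx) { return idx % MODEL_MAX_UNCOMPRESSED; }

/* One way to keep 0 reserved (an assumption, not necessarily the project's fix):
 * small indices are stored as they are, larger ones are folded into [MAX, 2*MAX),
 * so the result is never 0 and decompress() still reaches the real slot. */
static uint32_t compress_fixed(uint32_t idx) {
    if (idx < MODEL_MAX_UNCOMPRESSED) return idx;
    return (idx % MODEL_MAX_UNCOMPRESSED) | MODEL_MAX_UNCOMPRESSED;
}

/* Recover the real slot: walk cidx, cidx+MAX, cidx+2*MAX, ... until the slot
 * holds ref. Returns UINT32_MAX if the object is not found. */
static uint32_t decompress(const refcounted *ref, uint32_t cidx) {
    for (uint32_t idx = cidx; idx < first_unused; idx += MODEL_MAX_UNCOMPRESSED)
        if (gc_buf[idx].ref == ref) return idx;
    return UINT32_MAX;
}

static void buffer_reset(void) { memset(gc_buf, 0, sizeof gc_buf); first_unused = 1; }

/* Record an object as a possible root and store its compressed address in it. */
static uint32_t buffer_add(refcounted *ref, uint32_t (*compress)(uint32_t)) {
    uint32_t idx = first_unused++;
    gc_buf[idx].ref = ref;
    ref->gc_addr = compress(idx);
    return idx;
}

/* Mirrors the check gc_remove_from_buffer makes in the backtrace above: a stored
 * address of 0 is a bug, which is where the real code's assert(addr) fires.
 * Returns 1 on success, 0 if the root could not be located. */
static int buffer_remove(refcounted *ref) {
    if (ref->gc_addr == NOT_IN_BUFFER) return 0;
    uint32_t idx = decompress(ref, ref->gc_addr);
    if (idx == UINT32_MAX) return 0;
    gc_buf[idx].ref = NULL;
    ref->gc_addr = NOT_IN_BUFFER;
    return 1;
}

/* Add n objects as roots, then remove them all; return how many removals failed. */
static uint32_t count_lost_roots(uint32_t (*compress)(uint32_t), uint32_t n) {
    static refcounted objs[MODEL_BUF_SIZE];
    uint32_t lost = 0;
    if (n >= MODEL_BUF_SIZE) n = MODEL_BUF_SIZE - 1;
    buffer_reset();
    for (uint32_t i = 0; i < n; i++) buffer_add(&objs[i], compress);
    for (uint32_t i = 0; i < n; i++) if (!buffer_remove(&objs[i])) lost++;
    return lost;
}

int main(void) {
    /* With 20 roots and a modulus of 8, slots 8 and 16 compress to 0 under
     * the buggy scheme and can no longer be removed; the fixed scheme loses none. */
    printf("buggy : %u of 20 roots lost\n", count_lost_roots(compress_buggy, 20));
    printf("fixed : %u of 20 roots lost\n", count_lost_roots(compress_fixed, 20));
    return 0;
}
```

The point of the model is the same as in the reduced repro further down: once enough possible roots accumulate for a buffer index to be a multiple of the modulus, the object carries the reserved address 0, and the next destructor that tries to remove it from the buffer trips the assertion.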
 [2018-03-05 14:47 UTC] nikic@php.net
Reduced repro code:

<?php
class Foo { public $foo; }

// Keep the collector from running, so every cycle created below stays in the
// GC root buffer instead of being freed.
gc_disable();
$n = 128 * 1024; // enough possible roots for a buffer index to compress to zero
for ($i = 0; $i < $n; $i++) {
    $f = new Foo;
    $f->foo = $f; // self-reference: a garbage cycle, recorded as a possible root
}
 [2018-03-05 17:31 UTC] dmitry@php.net
https://github.com/php/php-src/commit/ab139b6bfdd73a29604fed978517ea96b720f21e fixed the crash but not the bug (it just became hidden).

It's possible to add another assert to disclose it:

diff --git a/Zend/zend_gc.c b/Zend/zend_gc.c
index fe740e7a78..004c9c88d0 100644
--- a/Zend/zend_gc.c
+++ b/Zend/zend_gc.c
@@ -250,7 +250,9 @@ static zend_gc_globals gc_globals;
 
 static zend_always_inline uint32_t gc_compress(uint32_t idx)
 {
-       return idx % GC_MAX_UNCOMPRESSED;
+       idx = idx % GC_MAX_UNCOMPRESSED;
+       ZEND_ASSERT(idx != 0);
+       return idx;
 }
 
 static zend_always_inline gc_root_buffer* gc_decompress(zend_refcounted *ref, uint32_t idx)
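Review bot: `ZEND_ASSERT(idx != 0);` in gc_compress only fires in debug builds, so this hunk discloses the collision but does not prevent it: in a release build an index that is a multiple of GC_MAX_UNCOMPRESSED still compresses to 0, the value the rest of the GC treats as "not in the buffer". That matches the stated intent ("to disclose it"), but the fix then has to live in the compression itself or in how root-buffer indices are handed out, so that no valid slot can ever compress to 0. A one-line comment above the assert saying why 0 is reserved would help the next reader understand what the assertion guards.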
 [2018-03-06 00:31 UTC] dmitry@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c060d88c3652e771628b1c14a3fe87d99e3122a4
Log: Fixed bug #76050
 [2018-03-06 00:31 UTC] dmitry@php.net
-Status: Assigned +Status: Closed