Bug #78010 Segmentation fault during GC
Submitted: 2019-05-14 12:37 UTC Modified: 2019-05-15 11:04 UTC
Votes:3
Avg. Score:5.0 ± 0.0
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:1 (50.0%)
From: valera dot ymnik at gmail dot com Assigned:
Status: Verified Package: Reproducible crash
PHP Version: 7.3.5 OS: Debian 9 && Ubuntu 18.04
Private report: No CVE-ID: None

 [2019-05-14 12:37 UTC] valera dot ymnik at gmail dot com
Description:
------------
Reproduced on "PHP 7.3.5-1+0~20190503093827.38+stretch~1.gbp60a41b (cli) (built: May  3 2019 09:38:28) ( NTS )" and "PHP 7.3.5-1+ubuntu18.04.1+deb.sury.org+1 (cli) (built: May  3 2019 10:00:24) ( NTS )"

Test script:
---------------
<?php

class Test {

	private $data;
	private $values;

	public function __construct()
	{
		$this->data = new stdClass;
		$this->data->context = $this;

		$this->values = new stdClass;
		$this->values->store = [];

		for ($i = 0; $i < 526; $i++) {
			$obj = new stdClass;
			$obj->data = new stdClass;
			$obj->z = new stdClass;
			$obj->z->a = new stdClass;
			$obj->z->b = new stdClass;

			$this->values->store[] = $obj;
		}
	}
}

$data = [array_fill(0, 400, []), array_fill(0, 400, [])];

foreach ($data as $row_id => $values) {
	foreach ($values as $id => &$params) {
		$params["store"] = new Test;
	}
	unset($params);
}

echo "Completed\n";

Expected result:
----------------
Completed

Actual result:
--------------
Segmentation fault


History

 [2019-05-14 12:43 UTC] nikic@php.net
-Status: Open +Status: Verified
 [2019-05-14 12:43 UTC] nikic@php.net
First valgrind warning:

==21347== Invalid read of size 4
==21347==    at 0x94623D: zend_gc_collect_cycles (zend_gc.c:1529)
==21347==    by 0x9436EA: gc_possible_root_when_full (zend_gc.c:579)
==21347==    by 0x943996: gc_possible_root (zend_gc.c:629)
==21347==    by 0x970CF4: zend_assign_to_variable (zend_execute.h:146)
==21347==    by 0x9E99E5: ZEND_ASSIGN_SPEC_CV_VAR_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:48960)
==21347==    by 0x9FBA14: execute_ex (zend_vm_execute.h:65005)
==21347==    by 0x9FC649: zend_execute (zend_vm_execute.h:65726)
==21347==    by 0x908A98: zend_execute_scripts (zend.c:1661)
==21347==    by 0x8518DA: php_execute_script (main.c:2676)
==21347==    by 0x9FF646: do_cli (php_cli.c:985)
==21347==    by 0xA00965: main (php_cli.c:1375)
==21347==  Address 0x2661b414 is 4 bytes inside a block of size 40 free'd
==21347==    at 0x4C30D3B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21347==    by 0x8C7FC4: _efree (zend_alloc.c:2497)
==21347==    by 0x96619B: zend_objects_store_del (zend_objects_API.c:198)
==21347==    by 0x902E4E: rc_dtor_func (zend_variables.c:57)
==21347==    by 0x91C30D: i_zval_ptr_dtor (zend_variables.h:44)
==21347==    by 0x921881: zend_array_destroy (zend_hash.c:1589)
==21347==    by 0x95DBA1: zend_object_std_dtor (zend_objects.c:53)
==21347==    by 0x966137: zend_objects_store_del (zend_objects_API.c:194)
==21347==    by 0x902E4E: rc_dtor_func (zend_variables.c:57)
==21347==    by 0x91C30D: i_zval_ptr_dtor (zend_variables.h:44)
==21347==    by 0x921881: zend_array_destroy (zend_hash.c:1589)
==21347==    by 0x902E4E: rc_dtor_func (zend_variables.c:57)
==21347==  Block was alloc'd at
==21347==    at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21347==    by 0x8C8F07: __zend_malloc (zend_alloc.c:2889)
==21347==    by 0x8C7E9C: _emalloc (zend_alloc.c:2483)
==21347==    by 0x95E27A: zend_objects_new (zend_objects.c:195)
==21347==    by 0x90FFCE: _object_and_properties_init (zend_API.c:1356)
==21347==    by 0x9100AE: object_init_ex (zend_API.c:1379)
==21347==    by 0x992655: ZEND_NEW_SPEC_CONST_UNUSED_HANDLER (zend_vm_execute.h:9173)
==21347==    by 0x9F7273: execute_ex (zend_vm_execute.h:60503)
==21347==    by 0x9FC649: zend_execute (zend_vm_execute.h:65726)
==21347==    by 0x908A98: zend_execute_scripts (zend.c:1661)
==21347==    by 0x8518DA: php_execute_script (main.c:2676)
==21347==    by 0x9FF646: do_cli (php_cli.c:985)
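Added example (not part of this bug report and not PHP's own tooling): a small Python triage parser for memcheck output of the shape shown in the comment above. It takes the trace as constructed sample input, abridged to three frames per stack, and reports whether the invalid access lands in a block memcheck says was already freed (a use-after-free, as here: a 4-byte read at offset 4 of a freed 40-byte object), plus the nearest engine frame at the access, free and allocation sites. The allocator-wrapper names it skips (malloc, free, _emalloc, _efree, __zend_malloc) come from the trace above; the regexes and the frame-selection rule are assumptions of this example, not a valgrind API.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the first memcheck error from this report, abridged
# to three frames per stack so the example stays short.
SAMPLE_TRACE = """\
==21347== Invalid read of size 4
==21347==    at 0x94623D: zend_gc_collect_cycles (zend_gc.c:1529)
==21347==    by 0x9436EA: gc_possible_root_when_full (zend_gc.c:579)
==21347==    by 0x943996: gc_possible_root (zend_gc.c:629)
==21347==  Address 0x2661b414 is 4 bytes inside a block of size 40 free'd
==21347==    at 0x4C30D3B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21347==    by 0x8C7FC4: _efree (zend_alloc.c:2497)
==21347==    by 0x96619B: zend_objects_store_del (zend_objects_API.c:198)
==21347==  Block was alloc'd at
==21347==    at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21347==    by 0x8C8F07: __zend_malloc (zend_alloc.c:2889)
==21347==    by 0x95E27A: zend_objects_new (zend_objects.c:195)
"""

PREFIX = re.compile(r"^==\d+==\s?(.*)$")  # "==PID== " prefix on every memcheck line
HEADER = re.compile(r"^Invalid (read|write) of size (\d+)$")
FRAME = re.compile(r"^(?:at|by)\s+0x[0-9A-Fa-f]+:\s+(\S+)\s+\((.*)\)$")
ADDR = re.compile(r"^Address 0x[0-9a-fA-F]+ is (\d+) bytes (inside|before|after) "
                  r"a block of size (\d+) (free'd|alloc'd)$")
ALLOC_HDR = re.compile(r"^Block was alloc'd at$")

# Allocator wrappers seen in the trace above; skipped when naming the engine
# frame for each site (assumption of this example: they are never the bug site).
WRAPPERS = {"malloc", "free", "_emalloc", "_efree", "__zend_malloc"}


@dataclass
class Frame:
    function: str
    location: str  # "file.c:line" or "in /path/to/lib.so"

    def __str__(self) -> str:
        return f"{self.function} ({self.location})"


@dataclass
class MemcheckError:
    kind: str                                       # "read" or "write"
    size: int                                       # bytes accessed
    access: list = field(default_factory=list)      # stack at the bad access
    freed: list = field(default_factory=list)       # stack that freed the block (UAF only)
    allocated: list = field(default_factory=list)   # stack that allocated the block
    offset: int = -1                                # byte offset of the access in the block
    block_size: int = -1


def parse_memcheck(text: str) -> list:
    """Parse memcheck 'Invalid read/write' errors together with their stacks."""
    errors, current = [], None
    for raw in text.splitlines():
        m = PREFIX.match(raw)
        if not m:
            continue  # program output or other non-valgrind line
        line = m.group(1).strip()
        if (h := HEADER.match(line)):
            errors.append(MemcheckError(kind=h.group(1), size=int(h.group(2))))
            current = errors[-1].access
        elif not errors:
            continue  # nothing to attach frames to yet
        elif (a := ADDR.match(line)):
            errors[-1].offset, errors[-1].block_size = int(a.group(1)), int(a.group(3))
            current = errors[-1].freed if a.group(4) == "free'd" else errors[-1].allocated
        elif ALLOC_HDR.match(line):
            current = errors[-1].allocated
        elif (f := FRAME.match(line)) and current is not None:
            current.append(Frame(f.group(1), f.group(2)))
    return errors


def classify(err: MemcheckError) -> str:
    """Triage label: a free stack means the block was already released (UAF);
    a known block without one means the access is outside its bounds."""
    if err.freed:
        return (f"use-after-free {err.kind} of {err.size} bytes at offset "
                f"{err.offset} in a {err.block_size}-byte block")
    if err.offset >= 0:
        return f"out-of-bounds {err.kind} of {err.size} bytes"
    return f"invalid {err.kind} of {err.size} bytes (block unknown)"


def engine_frame(stack: list) -> str:
    """First frame with a source location that is not an allocator wrapper."""
    for fr in stack:
        if ":" in fr.location and fr.function not in WRAPPERS:
            return str(fr)
    return "<none>"


def summarize(err: MemcheckError) -> dict:
    return {"class": classify(err),
            "access_site": engine_frame(err.access),
            "free_site": engine_frame(err.freed),
            "alloc_site": engine_frame(err.allocated)}


if __name__ == "__main__":
    for err in parse_memcheck(SAMPLE_TRACE):
        for key, value in summarize(err).items():
            print(f"{key:12} {value}")
```

Run against the sample it reports the access in zend_gc_collect_cycles, the free in zend_objects_store_del and the allocation in zend_objects_new, which is the three-site picture a triager wants before reading the engine source: the collector walked an object that the refcount destructor had already released.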
 [2019-05-15 11:04 UTC] nikic@php.net
-Summary: Segmentation fault +Summary: Segmentation fault during GC
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Thu Jun 20 19:01:26 2019 UTC