Bug #78456 Segfault when serializing SplDoublyLinkedList
Submitted: 2019-08-25 20:10 UTC Modified: 2019-08-26 09:05 UTC
From: edgaras dot janusauskas at gmail dot com Assigned: nikic (profile)
Status: Closed Package: Reproducible crash
PHP Version: 7.4.0beta4 OS: Windows, Ubuntu
Private report: No CVE-ID: None

 [2019-08-25 20:10 UTC] edgaras dot janusauskas at gmail dot com
PHP 7.4 crashes while running the CakePHP test suite on Travis CI.
PHP 7.3 and below are OK.

It crashes in a test while unserializing a class which extends IteratorIterator, implements Serializable, and also uses SplDoublyLinkedList.

I've tried to reduce the test to a short vanilla PHP script, but I was not able to.
Install cakephp/collection:3.8.2 via composer.

Test script (run `composer require cakephp/collection` first):

<?php
require 'vendor/autoload.php';

$collection = new \Cake\Collection\Collection([1, 2, 3]);
$serialized = serialize($collection);
$unserialized = unserialize($serialized); // crash

Expected result:
Object is unserialized successfully.

Actual result:
Backtrace when running on PHP 7.4.0beta4 (cli) (built: Aug 21 2019 08:53:45) ( NTS Visual C++ 2017 x64 ):

Access violation - code c0000005 (first chance)

00 php7!zend_mm_alloc_small
01 php7!zend_mm_alloc_heap
02 php7!_emalloc
03 php7!_zend_new_array
04 php7!php_var_unserialize_internal
05 php7!process_nested_data
06 php7!php_var_unserialize_internal
07 php7!process_nested_data
08 php7!object_common
09 php7!php_var_unserialize_internal
0a php7!php_var_unserialize
0b php7!zif_unserialize
0d php7!execute_ex
0e php7!zend_call_function
0f php7!zend_call_method
10 php7!zend_user_unserialize
11 php7!object_custom
12 php7!php_var_unserialize_internal
13 php7!php_var_unserialize
14 php7!zif_unserialize
16 php7!execute_ex
17 php7!zend_call_function
18 php7!zend_call_method
19 php7!zend_user_unserialize
1a php7!object_custom
1b php7!php_var_unserialize_internal
1c php7!php_var_unserialize
1d php7!zif_unserialize
1f php7!execute_ex
20 php7!zend_execute
21 php7!zend_execute_scripts
22 php7!php_execute_script
23 php!sapi_cli_single_write
24 php!sapi_cli_single_write
25 php!sapi_cli_single_write
26 KERNEL32!BaseThreadInitThunk
27 ntdll!RtlUserThreadStart


 [2019-08-26 08:59 UTC]
-Status: Open +Status: Verified
 [2019-08-26 08:59 UTC]

==12831== Invalid read of size 4
==12831==    at 0x6CC564: zend_gc_addref (zend_types.h:1030)
==12831==    by 0x6CCF6F: spl_ptr_llist_pop (spl_dllist.c:258)
==12831==    by 0x6CD211: spl_dllist_object_free_storage (spl_dllist.c:353)
==12831==    by 0x9897A8: zend_objects_store_del (zend_objects_API.c:194)
==12831==    by 0x92C536: rc_dtor_func (zend_variables.c:57)
==12831==    by 0x92C4B9: i_zval_ptr_dtor (zend_variables.h:44)
==12831==    by 0x92C6CB: zval_ptr_dtor (zend_variables.c:84)
==12831==    by 0x948778: zend_hash_destroy (zend_hash.c:1541)
==12831==    by 0x7AED5A: php_var_serialize_destroy (var.c:1140)
==12831==    by 0x7AF083: zif_serialize (var.c:1162)
==12831==    by 0x9A4989: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:1319)
==12831==    by 0xA090C9: execute_ex (zend_vm_execute.h:53453)
==12831==  Address 0x1250a474 is 4 bytes inside a block of size 56 free'd
==12831==    at 0x4C30D3B: free (in /usr/lib/valgrind/
==12831==    by 0x8F5528: _efree_custom (zend_alloc.c:2411)
==12831==    by 0x8F5669: _efree (zend_alloc.c:2531)
==12831==    by 0x948C2A: zend_array_destroy (zend_hash.c:1637)
==12831==    by 0x92C536: rc_dtor_func (zend_variables.c:57)
==12831==    by 0x9437CC: i_zval_ptr_dtor (zend_variables.h:44)
==12831==    by 0x948AC0: zend_array_destroy (zend_hash.c:1611)
==12831==    by 0x92C536: rc_dtor_func (zend_variables.c:57)
==12831==    by 0x9437CC: i_zval_ptr_dtor (zend_variables.h:44)
==12831==    by 0x948AC0: zend_array_destroy (zend_hash.c:1611)
==12831==    by 0x92C536: rc_dtor_func (zend_variables.c:57)
==12831==    by 0x92C4B9: i_zval_ptr_dtor (zend_variables.h:44)
==12831==  Block was alloc'd at
==12831==    at 0x4C2FB0F: malloc (in /usr/lib/valgrind/
==12831==    by 0x8F6569: __zend_malloc (zend_alloc.c:2961)
==12831==    by 0x8F54C1: _malloc_custom (zend_alloc.c:2402)
==12831==    by 0x8F55EF: _emalloc (zend_alloc.c:2521)
==12831==    by 0x94408D: _zend_new_array (zend_hash.c:256)
==12831==    by 0x9C9ACF: ZEND_INIT_ARRAY_SPEC_TMP_CONST_HANDLER (zend_vm_execute.h:18754)
==12831==    by 0xA0ACAF: execute_ex (zend_vm_execute.h:55273)
==12831==    by 0x917723: zend_call_function (zend_execute_API.c:820)
==12831==    by 0x95D553: zend_call_method (zend_interfaces.c:103)
==12831==    by 0x95E49F: zend_user_serialize (zend_interfaces.c:441)
==12831==    by 0x7AE415: php_var_serialize_intern (var.c:987)
==12831==    by 0x7AEC2A: php_var_serialize (var.c:1114)
 [2019-08-26 09:05 UTC]
-Summary: Segfault when unserializing iterator +Summary: Segfault when serializing SplDoublyLinkedList -Status: Verified +Status: Assigned -Assigned To: +Assigned To: nikic
 [2019-08-26 09:05 UTC]
<?php
$dllist = new SplDoublyLinkedList();
$dllist->push(new stdClass);
serialize($dllist); // crashes in zif_serialize, see the valgrind trace above

Missing refcount increment in the __serialize() implementation...
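The following is an added illustration, not code from php-src, CakePHP or this report, of the ownership rule behind nikic's comment and behind the valgrind trace above: when __serialize() copies the list's elements into a temporary array without incrementing their refcount, destroying that temporary array frees the elements while the list still points at them, and the list's own destructor (spl_ptr_llist_pop) then reads freed memory. The model below uses a static pool and a "freed" flag in place of the real allocator so the use-after-free is detected deterministically instead of being undefined behaviour; names such as snapshot_buggy, snapshot_fixed and run_scenario are assumptions of this example.

```c
/* Added example: a minimal model of refcounted elements shared between a
 * list and a "serialize snapshot". Names and the pool allocator are
 * assumptions of this illustration, not php-src code. */
#include <stdio.h>

#define MAX_ELEMS 8

typedef struct {
    int refcount;
    int freed;   /* stands in for a released allocation */
    int value;
} obj_t;

typedef struct {
    obj_t *items[MAX_ELEMS];
    int count;
} list_t;

/* Static pool instead of malloc/free so that a stale pointer can be
 * inspected safely; a real engine would have freed the memory. */
static obj_t pool[MAX_ELEMS];
static int pool_used;

static obj_t *obj_new(int value) {
    obj_t *o = &pool[pool_used++];
    o->refcount = 1;
    o->freed = 0;
    o->value = value;
    return o;
}

/* Model of zend_gc_addref / zval_ptr_dtor. */
static void obj_addref(obj_t *o) { o->refcount++; }
static void obj_release(obj_t *o) {
    if (--o->refcount == 0) o->freed = 1;   /* free() in the real engine */
}

/* The list takes ownership of the reference passed in. */
static void list_push(list_t *l, obj_t *o) { l->items[l->count++] = o; }

/* Buggy snapshot: pointers are copied but no reference is taken, so
 * two holders share one refcount. */
static void snapshot_buggy(const list_t *src, list_t *dst) {
    for (int i = 0; i < src->count; i++) list_push(dst, src->items[i]);
}

/* Fixed snapshot: each copy is a new owning reference. */
static void snapshot_fixed(const list_t *src, list_t *dst) {
    for (int i = 0; i < src->count; i++) {
        obj_addref(src->items[i]);
        list_push(dst, src->items[i]);
    }
}

/* Pops and releases every element; returns how many were already freed,
 * i.e. how many use-after-free reads the real destructor would perform. */
static int list_destroy(list_t *l) {
    int uaf = 0;
    while (l->count > 0) {
        obj_t *o = l->items[--l->count];
        if (o->freed) { uaf++; continue; }
        obj_release(o);
    }
    return uaf;
}

/* Serialize-then-destroy sequence from the trace: the temporary data is
 * destroyed first (php_var_serialize_destroy), then the list itself
 * (spl_dllist_object_free_storage). Returns the UAF count. */
static int run_scenario(int fixed) {
    list_t dllist = {0}, snap = {0};
    pool_used = 0;
    list_push(&dllist, obj_new(1));
    list_push(&dllist, obj_new(2));
    if (fixed) snapshot_fixed(&dllist, &snap);
    else       snapshot_buggy(&dllist, &snap);
    list_destroy(&snap);
    return list_destroy(&dllist);
}

int main(void) {
    printf("buggy: %d stale reads\n", run_scenario(0));  /* 2 */
    printf("fixed: %d stale reads\n", run_scenario(1));  /* 0 */
    return 0;
}
```

The invariant the fix restores is the one every refcounting runtime relies on: a pointer stored in a second container is a second reference, and must be counted before the first container can be torn down. Tools such as valgrind or ASan make this class of bug visible because the stale read happens in the list's destructor, exactly as in the trace above.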
 [2019-08-26 09:10 UTC]
Automatic comment on behalf of
Log: Fixed bug #78456
 [2019-08-26 09:10 UTC]
-Status: Assigned +Status: Closed