Bug #78752 Segfault if GC triggered while generator stack frame is being destroyed
Submitted: 2019-10-25 23:17 UTC
Modified: 2019-10-28 09:24 UTC
From: kelunik@php.net
Assigned:
Status: Closed
Package: Reproducible crash
PHP Version: 7.2.24
OS: Linux
Private report: No
CVE-ID: None
 [2019-10-25 23:17 UTC] kelunik@php.net
Description:
------------
Clone https://github.com/amphp/http-client/tree/f0facd7100b240407ce7aec9817d56febf97618e

Run composer install

Run vendor/bin/phpunit

Note: The version paths below indicate 7.3.9, but the same applies to 7.3.11. It's not 100% reproducible, but most runs result in a segfault.

Expected result:
----------------
No segfault.

Actual result:
--------------
Segfault: https://travis-ci.org/amphp/http-client/builds/603057296

➜ phpgdb              
phpenv v0.0.4-dev

GNU gdb (Ubuntu 8.2.91.20190405-0ubuntu3) 8.2.91.20190405-git
Copyright (C) 2019 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /home/kelunik/.phpenv/versions/7.3.9/bin/php...
(gdb) r Quit
(gdb) r vendor/bin/phpunit
Starting program: /home/kelunik/.phpenv/versions/7.3.9/bin/php vendor/bin/phpunit
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[Detaching after vfork from child process 1591]
PHPUnit 8.4.1 by Sebastian Bergmann and contributors.

.........................[Detaching after fork from child process 1594]
.[Detaching after fork from child process 1625]
[Detaching after fork from child process 1627]
.........E...........................  63 / 128 ( 49%)
.......[Detaching after fork from child process 1663]
...
Program received signal SIGSEGV, Segmentation fault.
zend_mm_alloc_small (bin_num=17, size=336, heap=0x7ffff4000040)
    at /home/kelunik/.php-build/release/Zend/zend_alloc.c:1289
1289    /home/kelunik/.php-build/release/Zend/zend_alloc.c: Datei oder Verzeichnis nicht gefunden.
(gdb) bt
#0  zend_mm_alloc_small (bin_num=17, size=336, heap=0x7ffff4000040)
    at /home/kelunik/.php-build/release/Zend/zend_alloc.c:1289
#1  zend_mm_alloc_heap (size=336, heap=0x7ffff4000040)
    at /home/kelunik/.php-build/release/Zend/zend_alloc.c:1360
#2  _emalloc (size=size@entry=336) at /home/kelunik/.php-build/release/Zend/zend_alloc.c:2500
#3  0x0000555555b0116b in zend_string_alloc (persistent=0, len=308)
    at /home/kelunik/.php-build/release/Zend/zend_string.h:155
#4  zend_string_init (persistent=0, len=308, 
    str=0x7ffff7fb001b "/**\n * This Logger can be used to avoid conditional log calls.\n *\n * Logging should always be optional, and if no logger is provided to your\n * library creating a NullLogger instance to have something"...) at /home/kelunik/.php-build/release/Zend/zend_string.h:155
#5  lex_scan (zendlval=zendlval@entry=0x7fffffff8e70, elem=0x7fffffff8ef8)
    at Zend/zend_language_scanner.l:2108
#6  0x0000555555b14bda in zendlex (elem=elem@entry=0x7fffffff8ef8)
    at /home/kelunik/.php-build/release/Zend/zend_compile.c:1702
#7  0x0000555555afa45e in zendparse ()
    at /home/kelunik/.php-build/release/Zend/zend_language_parser.c:4215
#8  0x0000555555afc95a in zend_compile (type=type@entry=2) at Zend/zend_language_scanner.l:586
#9  0x0000555555afe13a in compile_file (file_handle=0x7fffffff9be0, type=2)
    at Zend/zend_language_scanner.l:636
#10 0x00005555559bc692 in phar_compile_file (file_handle=0x7fffffff9be0, type=2)
    at /home/kelunik/.php-build/release/ext/phar/phar.c:3347
#11 0x0000555555afe1e2 in compile_filename (type=type@entry=2, 
    filename=filename@entry=0x7ffff40230d0) at Zend/zend_language_scanner.l:661
#12 0x0000555555b77315 in zend_include_or_eval (inc_filename=0x7ffff40230d0, type=2)
    at /home/kelunik/.php-build/release/Zend/zend_execute.c:3192
#13 0x0000555555bad8ba in ZEND_INCLUDE_OR_EVAL_SPEC_CV_HANDLER ()
    at /home/kelunik/.php-build/release/Zend/zend_vm_execute.h:37419
#14 0x0000555555bb24ed in execute_ex (ex=0x3e5d0e0)

 [2019-10-28 08:29 UTC] nikic@php.net
-Status: Open +Status: Verified
 [2019-10-28 08:29 UTC] nikic@php.net
Valgrind:

==12362== Invalid read of size 4
==12362==    at 0x9FAA38: i_zval_ptr_dtor (zend_variables.h:48)
==12362==    by 0x9FCDC9: _zval_ptr_dtor (zend_execute_API.c:533)
==12362==    by 0xA52F97: zend_closure_free_storage (zend_closures.c:442)
==12362==    by 0xA6C2E0: zend_objects_store_del (zend_objects_API.c:190)
==12362==    by 0xA14695: _zval_dtor_func (zend_variables.c:56)
==12362==    by 0xA2A969: i_zval_ptr_dtor (zend_variables.h:49)
==12362==    by 0xA2ECE1: zend_array_destroy (zend_hash.c:1306)
==12362==    by 0xA1463F: _zval_dtor_func (zend_variables.c:43)
==12362==    by 0xA2A969: i_zval_ptr_dtor (zend_variables.h:49)
==12362==    by 0xA2ECE1: zend_array_destroy (zend_hash.c:1306)
==12362==    by 0xA1463F: _zval_dtor_func (zend_variables.c:43)
==12362==    by 0xA2A969: i_zval_ptr_dtor (zend_variables.h:49)
==12362==  Address 0x11ea0630 is 0 bytes inside a block of size 344 free'd
==12362==    at 0x4C30D3B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==12362==    by 0x9DD0AE: _efree (zend_alloc.c:2451)
==12362==    by 0xA51624: zend_gc_collect_cycles (zend_gc.c:1210)
==12362==    by 0xA34174: zif_gc_collect_cycles (zend_builtin_functions.c:356)
==12362==    by 0xA7D05A: ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:577)
==12362==    by 0xB03BD9: execute_ex (zend_vm_execute.h:59763)
==12362==    by 0xB08FE5: zend_execute (zend_vm_execute.h:63792)
==12362==    by 0xA186A1: zend_execute_scripts (zend.c:1498)
==12362==    by 0x97BDB3: php_execute_script (main.c:2599)
==12362==    by 0xB0BC8D: do_cli (php_cli.c:1011)
==12362==    by 0xB0CE4B: main (php_cli.c:1403)
==12362==  Block was alloc'd at
==12362==    at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==12362==    by 0x9DDD18: __zend_malloc (zend_alloc.c:2835)
==12362==    by 0x9DD007: _emalloc (zend_alloc.c:2436)
==12362==    by 0xA65338: zend_objects_new (zend_objects.c:162)
==12362==    by 0xA1E8CF: _object_and_properties_init (zend_API.c:1325)
==12362==    by 0xA1E98C: _object_init_ex (zend_API.c:1340)
==12362==    by 0xA84182: ZEND_NEW_SPEC_CONST_HANDLER (zend_vm_execute.h:3235)
==12362==    by 0xB03FDE: execute_ex (zend_vm_execute.h:59961)
==12362==    by 0xA58ABE: zend_generator_resume (zend_generators.c:850)
==12362==    by 0xA59589: zim_Generator_send (zend_generators.c:1040)
==12362==    by 0xA7E6E6: ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:1036)
==12362==    by 0xB03C34: execute_ex (zend_vm_execute.h:59784)
 [2019-10-28 09:04 UTC] nikic@php.net
Possibly unrelated, but here's an assertion failure:

<?php

function gen(&$gen) {
    // Two reference cycles that live only in the generator's stack frame;
    // they can only be reclaimed by the cycle collector.
    $a = new stdClass;
    $a->a = $a;
    $b = new stdClass;
    $b->b = $b;
    yield 1;
}

$gen = gen($gen);
var_dump($gen->current());
// Fill the collector's root buffer to just below its threshold with cyclic garbage.
for ($i = 0; $i < 9999; $i++) {
    $a = new stdClass;
    $a->a = $a;
}
// Resuming finishes the generator; destroying its frame frees $a and $b,
// which pushes the root buffer over the threshold and triggers GC mid-destruction.
$gen->next();

This happens if GC is triggered while the generator is already being destroyed.
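The script below is an added instrumentation example, not part of the bug report or of php-src: it reproduces the condition described above without relying on the hard-coded 9999, by reading the collector's threshold and root count from gc_status() (available since PHP 7.3) and reporting whether a collection run happened while the finished generator's frame was being torn down. The function names gen(), fillRoots() and gcRunsDuringFinalization() are this example's own.

```php
<?php
// Added example: observe the cycle collector firing during generator frame destruction.

function gen(): Generator {
    $a = new stdClass; $a->a = $a;   // cycles that exist only in the generator frame
    $b = new stdClass; $b->b = $b;
    yield 1;
}

// Create self-referencing garbage until the GC root buffer holds $target entries.
function fillRoots(int $target): void {
    while (gc_status()['roots'] < $target) {
        // Reassigning $o drops the previous object's refcount to 1 without
        // freeing it, so the engine records it as a possible root.
        $o = new stdClass; $o->o = $o;
    }
}

// Finish a generator with the root buffer $slack entries below the threshold
// and report whether a GC run happened while its frame was being destroyed.
function gcRunsDuringFinalization(int $slack): bool {
    $gen = gen();
    $gen->current();                          // start it: $a and $b now live in the frame
    $threshold = gc_status()['threshold'];
    fillRoots($threshold - $slack);
    $runsBefore = gc_status()['runs'];
    $gen->next();                             // generator returns; engine frees $a and $b
    return gc_status()['runs'] > $runsBefore;
}

foreach ([3, 2, 1] as $slack) {
    printf("slack=%d: GC ran during generator finalization: %s\n",
        $slack, gcRunsDuringFinalization($slack) ? 'yes' : 'no');
}
```

On a build carrying this bug the run that reports "yes" is the one that crashes or trips the assertion; on a fixed build all three complete normally, which makes the script usable as a regression check.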
 [2019-10-28 09:24 UTC] nikic@php.net
-Summary: Segfault in lex_scan +Summary: Segfault if GC triggered while generator stack frame is being destroyed
 [2019-10-28 09:24 UTC] nikic@php.net
Fixing that seems to fix the http-client issue as well.
 [2019-10-28 09:28 UTC] nikic@php.net
Automatic comment on behalf of nikita.ppv@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=16c49108763db251151b350e433dde6d1a076250
Log: Fix bug #78752
 [2019-10-28 09:28 UTC] nikic@php.net
-Status: Verified +Status: Closed
Last updated: Mon Dec 09 05:01:26 2019 UTC