Bug #78752 Segfault if GC triggered while generator stack frame is being destroyed
Submitted: 2019-10-25 23:17 UTC Modified: 2019-10-28 09:24 UTC
From: Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 7.2.24 OS: Linux
Private report: No CVE-ID: None
 [2019-10-25 23:17 UTC]

Run composer install

Run vendor/bin/phpunit

Note: The version paths below indicate 7.3.9, but the same applies to 7.3.11. It's not 100% reproducible, but most runs result in a segfault.

Expected result:
No segfault.

Actual result:

➜ phpgdb              
phpenv v0.0.4-dev

GNU gdb (Ubuntu
Copyright (C) 2019 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
Find the GDB manual and other documentation resources online at:

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /home/kelunik/.phpenv/versions/7.3.9/bin/php...
(gdb) r Quit
(gdb) r vendor/bin/phpunit
Starting program: /home/kelunik/.phpenv/versions/7.3.9/bin/php vendor/bin/phpunit
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/".
[Detaching after vfork from child process 1591]
PHPUnit 8.4.1 by Sebastian Bergmann and contributors.

.........................[Detaching after fork from child process 1594]
.[Detaching after fork from child process 1625]
[Detaching after fork from child process 1627]
.........E...........................  63 / 128 ( 49%)
.......[Detaching after fork from child process 1663]
Program received signal SIGSEGV, Segmentation fault.
zend_mm_alloc_small (bin_num=17, size=336, heap=0x7ffff4000040)
    at /home/kelunik/.php-build/release/Zend/zend_alloc.c:1289
1289    /home/kelunik/.php-build/release/Zend/zend_alloc.c: Datei oder Verzeichnis nicht gefunden.
(gdb) bt
#0  zend_mm_alloc_small (bin_num=17, size=336, heap=0x7ffff4000040)
    at /home/kelunik/.php-build/release/Zend/zend_alloc.c:1289
#1  zend_mm_alloc_heap (size=336, heap=0x7ffff4000040)
    at /home/kelunik/.php-build/release/Zend/zend_alloc.c:1360
#2  _emalloc (size=size@entry=336) at /home/kelunik/.php-build/release/Zend/zend_alloc.c:2500
#3  0x0000555555b0116b in zend_string_alloc (persistent=0, len=308)
    at /home/kelunik/.php-build/release/Zend/zend_string.h:155
#4  zend_string_init (persistent=0, len=308, 
    str=0x7ffff7fb001b "/**\n * This Logger can be used to avoid conditional log calls.\n *\n * Logging should always be optional, and if no logger is provided to your\n * library creating a NullLogger instance to have something"...) at /home/kelunik/.php-build/release/Zend/zend_string.h:155
#5  lex_scan (zendlval=zendlval@entry=0x7fffffff8e70, elem=0x7fffffff8ef8)
    at Zend/zend_language_scanner.l:2108
#6  0x0000555555b14bda in zendlex (elem=elem@entry=0x7fffffff8ef8)
    at /home/kelunik/.php-build/release/Zend/zend_compile.c:1702
#7  0x0000555555afa45e in zendparse ()
    at /home/kelunik/.php-build/release/Zend/zend_language_parser.c:4215
#8  0x0000555555afc95a in zend_compile (type=type@entry=2) at Zend/zend_language_scanner.l:586
#9  0x0000555555afe13a in compile_file (file_handle=0x7fffffff9be0, type=2)
    at Zend/zend_language_scanner.l:636
#10 0x00005555559bc692 in phar_compile_file (file_handle=0x7fffffff9be0, type=2)
    at /home/kelunik/.php-build/release/ext/phar/phar.c:3347
#11 0x0000555555afe1e2 in compile_filename (type=type@entry=2, 
    filename=filename@entry=0x7ffff40230d0) at Zend/zend_language_scanner.l:661
#12 0x0000555555b77315 in zend_include_or_eval (inc_filename=0x7ffff40230d0, type=2)
    at /home/kelunik/.php-build/release/Zend/zend_execute.c:3192
#13 0x0000555555bad8ba in ZEND_INCLUDE_OR_EVAL_SPEC_CV_HANDLER ()
    at /home/kelunik/.php-build/release/Zend/zend_vm_execute.h:37419
#14 0x0000555555bb24ed in execute_ex (ex=0x3e5d0e0)


 [2019-10-28 08:29 UTC]
-Status: Open +Status: Verified
 [2019-10-28 08:29 UTC]

==12362== Invalid read of size 4
==12362==    at 0x9FAA38: i_zval_ptr_dtor (zend_variables.h:48)
==12362==    by 0x9FCDC9: _zval_ptr_dtor (zend_execute_API.c:533)
==12362==    by 0xA52F97: zend_closure_free_storage (zend_closures.c:442)
==12362==    by 0xA6C2E0: zend_objects_store_del (zend_objects_API.c:190)
==12362==    by 0xA14695: _zval_dtor_func (zend_variables.c:56)
==12362==    by 0xA2A969: i_zval_ptr_dtor (zend_variables.h:49)
==12362==    by 0xA2ECE1: zend_array_destroy (zend_hash.c:1306)
==12362==    by 0xA1463F: _zval_dtor_func (zend_variables.c:43)
==12362==    by 0xA2A969: i_zval_ptr_dtor (zend_variables.h:49)
==12362==    by 0xA2ECE1: zend_array_destroy (zend_hash.c:1306)
==12362==    by 0xA1463F: _zval_dtor_func (zend_variables.c:43)
==12362==    by 0xA2A969: i_zval_ptr_dtor (zend_variables.h:49)
==12362==  Address 0x11ea0630 is 0 bytes inside a block of size 344 free'd
==12362==    at 0x4C30D3B: free (in /usr/lib/valgrind/
==12362==    by 0x9DD0AE: _efree (zend_alloc.c:2451)
==12362==    by 0xA51624: zend_gc_collect_cycles (zend_gc.c:1210)
==12362==    by 0xA34174: zif_gc_collect_cycles (zend_builtin_functions.c:356)
==12362==    by 0xA7D05A: ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:577)
==12362==    by 0xB03BD9: execute_ex (zend_vm_execute.h:59763)
==12362==    by 0xB08FE5: zend_execute (zend_vm_execute.h:63792)
==12362==    by 0xA186A1: zend_execute_scripts (zend.c:1498)
==12362==    by 0x97BDB3: php_execute_script (main.c:2599)
==12362==    by 0xB0BC8D: do_cli (php_cli.c:1011)
==12362==    by 0xB0CE4B: main (php_cli.c:1403)
==12362==  Block was alloc'd at
==12362==    at 0x4C2FB0F: malloc (in /usr/lib/valgrind/
==12362==    by 0x9DDD18: __zend_malloc (zend_alloc.c:2835)
==12362==    by 0x9DD007: _emalloc (zend_alloc.c:2436)
==12362==    by 0xA65338: zend_objects_new (zend_objects.c:162)
==12362==    by 0xA1E8CF: _object_and_properties_init (zend_API.c:1325)
==12362==    by 0xA1E98C: _object_init_ex (zend_API.c:1340)
==12362==    by 0xA84182: ZEND_NEW_SPEC_CONST_HANDLER (zend_vm_execute.h:3235)
==12362==    by 0xB03FDE: execute_ex (zend_vm_execute.h:59961)
==12362==    by 0xA58ABE: zend_generator_resume (zend_generators.c:850)
==12362==    by 0xA59589: zim_Generator_send (zend_generators.c:1040)
==12362==    by 0xA7E6E6: ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:1036)
==12362==    by 0xB03C34: execute_ex (zend_vm_execute.h:59784)
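A small triage helper, added here as an illustration and not part of the bug report or of PHP itself: it parses a memcheck "Invalid read" block like the one above, confirms the access hits a block that was already free'd (the use-after-free pattern), and pulls out the faulting frame plus the first engine frame of the freeing and allocating stacks, skipping the allocator wrappers. The embedded sample is a constructed excerpt of the report above, trimmed to a few frames; the ALLOCATOR_FRAMES set is my own choice of wrapper functions to skip.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: an excerpt of the memcheck report above (PID 12362),
# trimmed to the frames needed for triage. The "(in /usr/lib/valgrind/"
# fragment is left truncated exactly as it appears on the page.
SAMPLE = """\
==12362== Invalid read of size 4
==12362==    at 0x9FAA38: i_zval_ptr_dtor (zend_variables.h:48)
==12362==    by 0x9FCDC9: _zval_ptr_dtor (zend_execute_API.c:533)
==12362==    by 0xA52F97: zend_closure_free_storage (zend_closures.c:442)
==12362==  Address 0x11ea0630 is 0 bytes inside a block of size 344 free'd
==12362==    at 0x4C30D3B: free (in /usr/lib/valgrind/
==12362==    by 0x9DD0AE: _efree (zend_alloc.c:2451)
==12362==    by 0xA51624: zend_gc_collect_cycles (zend_gc.c:1210)
==12362==  Block was alloc'd at
==12362==    at 0x4C2FB0F: malloc (in /usr/lib/valgrind/
==12362==    by 0x9DDD18: __zend_malloc (zend_alloc.c:2835)
==12362==    by 0x9DD007: _emalloc (zend_alloc.c:2436)
==12362==    by 0xA65338: zend_objects_new (zend_objects.c:162)
==12362==    by 0xA58ABE: zend_generator_resume (zend_generators.c:850)
"""

ERROR_RE = re.compile(r"^==(\d+)==\s+(Invalid (?:read|write) of size \d+)$")
# Frame lines: "at"/"by", hex address, function, then an optional "(location)".
# The location group is tolerant of a missing closing paren (truncated lines).
FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by)\s+0x([0-9A-Fa-f]+):\s+(\S+)\s*\(?(.*?)\)?$")
FREED_RE = re.compile(
    r"^==\d+==\s+Address 0x([0-9A-Fa-f]+) is (\d+) bytes inside a block of size (\d+) free'd$")
ALLOC_RE = re.compile(r"^==\d+==\s+Block was alloc'd at$")

# Allocator wrappers to skip when naming the responsible engine frame (my choice).
ALLOCATOR_FRAMES = {"malloc", "free", "__zend_malloc", "_emalloc", "_efree"}


@dataclass
class MemcheckError:
    pid: int
    kind: str
    access: List[Tuple[str, str]] = field(default_factory=list)  # faulting stack
    freed: List[Tuple[str, str]] = field(default_factory=list)   # stack that freed the block
    alloc: List[Tuple[str, str]] = field(default_factory=list)   # stack that allocated it
    offset: Optional[int] = None
    size: Optional[int] = None

    def is_use_after_free(self) -> bool:
        # An invalid access whose address lies inside a block memcheck saw free'd.
        return self.kind.startswith("Invalid") and bool(self.access) and bool(self.freed)


def parse_memcheck(text: str) -> List[MemcheckError]:
    """Split memcheck output into errors, each with its three stacks."""
    errors: List[MemcheckError] = []
    current: Optional[MemcheckError] = None
    section: Optional[List[Tuple[str, str]]] = None
    for line in text.splitlines():
        m = ERROR_RE.match(line)
        if m:
            current = MemcheckError(pid=int(m.group(1)), kind=m.group(2))
            errors.append(current)
            section = current.access
            continue
        if current is None:
            continue
        m = FREED_RE.match(line)
        if m:
            current.offset = int(m.group(2))
            current.size = int(m.group(3))
            section = current.freed
            continue
        if ALLOC_RE.match(line):
            section = current.alloc
            continue
        m = FRAME_RE.match(line)
        if m and section is not None:
            section.append((m.group(2), m.group(3)))  # (function, location)
    return errors


def first_engine_frame(frames: List[Tuple[str, str]]) -> Optional[str]:
    """Innermost frame that is not an allocator wrapper."""
    for func, _location in frames:
        if func not in ALLOCATOR_FRAMES:
            return func
    return None


def triage(err: MemcheckError) -> dict:
    """Summarise one error the way a crash-triage queue would record it."""
    if not err.is_use_after_free():
        return {"verdict": "not-uaf"}
    return {
        "verdict": "use-after-free",
        "faulting_frame": err.access[0][0],
        "freed_by": first_engine_frame(err.freed),
        "allocated_in": first_engine_frame(err.alloc),
        "block_size": err.size,
        "offset": err.offset,
    }


if __name__ == "__main__":
    for err in parse_memcheck(SAMPLE):
        print(triage(err))
```

Run against the sample, the summary names the read in i_zval_ptr_dtor, the free in zend_gc_collect_cycles and the allocation in zend_objects_new (reached from zend_generator_resume), which is the whole story of this bug in one line: an object created inside a generator frame was released by the cycle collector and then touched again while the frame was being torn down.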
 [2019-10-28 09:04 UTC]
Possibly unrelated, but here's an assertion failure:

<?php

// The page's copy of this snippet lost its closing braces and the two trailing
// statements; they are restored here so the script runs as described.
function gen(&$gen) {
    $a = new stdClass;
    $a->a = $a;       // self-referencing object: only the cycle collector can free it
    $b = new stdClass;
    $b->b = $b;
    yield 1;
    $gen = null;      // drop the external reference while the generator is still running
}

$gen = gen($gen);
for ($i = 0; $i < 9999; $i++) {
    $a = new stdClass;
    $a->a = $a;       // fill the GC root buffer so the next possible root triggers a collection
}
$gen->next();         // resuming runs the generator to its end and destroys its frame

This happens if GC is triggered while the generator is already being destroyed.
 [2019-10-28 09:24 UTC]
-Summary: Segfault in lex_scan +Summary: Segfault if GC triggered while generator stack frame is being destroyed
 [2019-10-28 09:24 UTC]
Fixing that seems to fix the http-client issue as well.
 [2019-10-28 09:28 UTC]
Automatic comment on behalf of
Log: Fix bug #78752
 [2019-10-28 09:28 UTC]
-Status: Verified +Status: Closed
PHP Copyright © 2001-2023 The PHP Group
All rights reserved.
Last updated: Thu Oct 05 00:01:24 2023 UTC